NMAP (Network Mapper) is a utility for identifying the hosts on a network and which ports are open on those devices. Historically, it has also been able to report the OS of each identified host and the services running on the open ports. I have not found the OS or the service identifiers to be very accurate.
Below are some common use cases for nmap.
NMAP Command
nmap <scan type> <options> <targets>
Common switches
-sS = TCP SYN scan (half-open: checks whether the port is listening without completing the handshake). Default scan.
-sT = TCP connect scan. Use this if -sS is not available.
-sU = UDP scan.
-sV = probe open ports and determine what services are running.
-p = scan only the specified ports or ranges, e.g. 53, 443, ssh, 22-23, 80-44, 1-17000.
-p- = scan all 65,000 ports.
-v = verbose.
-T5 = set timing to the highest level. Higher is faster (-T3 is the default).
-F = scan the 100 most common ports (fast scan). Note the capital F; lowercase -f fragments packets instead.
-O = detect the OS. -A = aggressive scan (OS detection, version detection, default scripts and traceroute).
-n = do not do DNS resolution.
--open = only display open ports.
State of the ports
- open – An application is actively accepting TCP connections or UDP datagrams.
- closed – The port is accessible, but nothing is listening on it.
- filtered – Cannot determine whether the port is open (typically blocked by a firewall).
- unfiltered – The port is accessible, but nmap cannot determine whether it is open or closed.
- open|filtered – Unable to determine whether the port is open or filtered.
- closed|filtered – Unable to determine whether the port is closed or filtered.
Run a TCP Scan
nmap -sS -v -p 443 -sV -O -T4 10.32.123.10
-sS = TCP SYN scan (half-open).
-v = verbose.
-p = scan port 443 only.
-sV = identify the running service.
-O = determine the OS.
-T4 = set timing to aggressive.
Run a UDP scan
nmap -sU --open www.someURL.com
-sU = conduct a UDP scan.
--open = display only open ports.
Run a TCP scan and display only the open ports
nmap -sV -T4 -p- -n 66.161.240.21 --open
-sV = determine the running services.
-T4 = use timing template 4 (aggressive, fast scan); -T3 is the default.
-p- = scan all 65535 ports.
-n = do not do DNS resolution.
--open = only show open ports.
Scan multiple IP addresses using TCP and write the results to an output file
nmap -sV -T4 -p- -n -iL /opt/targets --open -oX /opt/colo_20221108
-sV = get the running service.
-T4 = conduct an aggressive scan.
-p- = scan all 65000 ports.
-n = do not resolve addresses to DNS names.
--open = list only the open ports.
-oX /path/filename = write the scan results in XML format.
-iL /path/filename = read the targets from a file.
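To turn the XML that -oX writes into a short list of open ports per host, here is an added Python example (not from this page or from the nmap project); it parses a hand-constructed sample of nmap's XML format and lets you decide whether the ambiguous open|filtered state, which UDP scans usually return, counts as open.

```python
# Added example (not from the page): parse the XML that "nmap -oX" writes and
# list the open ports per host with the service found by -sV.
# The XML below is constructed by hand to mimic nmap's output format.
import xml.etree.ElementTree as ET

SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sU -sV -n --open -oX out.xml 192.0.2.10">
  <host>
    <status state="up"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="8.9p1"/>
      </port>
      <port protocol="tcp" portid="8080">
        <state state="filtered" reason="no-response"/>
      </port>
      <port protocol="udp" portid="53">
        <state state="open|filtered" reason="no-response"/>
        <service name="domain"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""

def open_ports(xml_text, strict=True):
    """Return [(addr, proto, port, service)] for ports nmap reports as open.
    strict=True counts only the definite "open" state; strict=False also
    includes "open|filtered", the ambiguous state UDP scans usually give."""
    wanted = {"open"} if strict else {"open", "open|filtered"}
    found = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr_el = host.find("address")
        addr = addr_el.get("addr") if addr_el is not None else "?"
        for port in host.iter("port"):
            if port.find("state").get("state") not in wanted:
                continue
            svc = port.find("service")
            name = svc.get("name", "unknown") if svc is not None else "unknown"
            product = svc.get("product", "") if svc is not None else ""
            found.append((addr, port.get("protocol"), int(port.get("portid")),
                          (name + " " + product).strip()))
    return found

if __name__ == "__main__":
    for addr, proto, port, svc in open_ports(SAMPLE_NMAP_XML, strict=False):
        print(f"{addr} {proto}/{port} {svc}")
```

Point it at a real -oX file with open_ports(open("/path/filename").read()) and the filtered port 8080 is dropped, while port 53 only appears when strict=False.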
Ping a specific port
nmap -p 443 facebook.com
Check the TLS cipher suites offered on port 443
nmap -sV --script ssl-enum-ciphers -p 443 <target>
Reference: https://nmap.org