<Nmap>
-sV: Probe open ports to determine service/version info
-oA <basename>: Output in the three major formats at once
-oN/-oX/-oS/-oG <file>: Output scan in normal, XML, s|<rIpt kIddi3, and Grepable format, respectively, to the given filename
-p <port ranges>: Set destination port(s).
-sn: Ping Scan - disable port scan
-sS: TCP SYN
-sA: ACK Scan
-sT: Connect() Scan (TCP)
-sU: UDP Scan
-sN/sF/sX: TCP Null, FIN, and Xmas scans
-O: Enable OS detection
-A: Enable OS detection, version detection, script scanning, and traceroute
-Pn: Treat all hosts as online -- skip host discovery
-n: Do not resolve hostnames via DNS
-v: Increment verbosity level by one.
-p1-65535/-p-: Scan for full ports 1-65535
--top-ports <number>: Scan <number> most common ports
--exclude <host1[,host2][,host3],...>: Exclude hosts/networks
--reason: Display the reason a port is in a particular state
--open: Only show open (or possibly open) ports
-F: Fast mode - Scan fewer ports than the default scan
-iL <inputfilename>: Input from list of hosts/networks

<NSE Script>
-sC: equivalent to --script=default
--script=<Lua scripts>: <Lua scripts> is a comma separated list of directories, script-files or script-categories
--script-args=<n1=v1,[n2=v2,...]>: provide arguments to scripts

<DB_nmap>
# db_nmap MSF wrapper
msf > db_nmap -sS -Pn -A 10.11.1.217
# search the Metasploit database for machines with specific open ports
msf > services -p 443
Open: This indicates that an application is listening for connections on this port.
Closed: This indicates that the probes were received but there is no application listening on this port.
Filtered: This indicates that the probes were not received and the state could not be established. It also indicates that the probes are being dropped by some kind of filtering.
Unfiltered: This indicates that the probes were received but a state could not be established.
Open/Filtered: This indicates that the port was filtered or open but Nmap couldn’t establish the state.
Closed/Filtered: This indicates that the port was filtered or closed but Nmap couldn’t establish the state.
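The six states above are what appears in the state field of each port entry in grepable (-oG) output, where Nmap writes the combined states as open|filtered and closed|filtered. As an added example (not from the original page), this Python parser groups ports by state and lists those whose state was not settled; the sample scan text and the function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample in -oG layout (tab-separated fields); not from a real scan.
SAMPLE_OG = (
    "# constructed sample, lines starting with '#' are ignored\n"
    "Host: 10.11.1.5 ()\tStatus: Up\n"
    "Host: 10.11.1.5 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, "
    "161/open|filtered/udp//snmp///, 443/filtered/tcp//https///\t"
    "Ignored State: closed (996)\n"
    "Host: 10.11.1.8 ()\tStatus: Up\n"
    "Host: 10.11.1.8 ()\tPorts: 445/open/tcp//microsoft-ds///, "
    "3389/closed/tcp//ms-wbt-server///\n"
)

# States in which Nmap could not decide between open and closed.
UNSETTLED = {"filtered", "unfiltered", "open|filtered", "closed|filtered"}


def parse_grepable(text):
    """Return {host: {state: [(port, proto, service), ...]}} from -oG text."""
    hosts = defaultdict(lambda: defaultdict(list))
    for line in text.splitlines():
        if not line.startswith("Host: "):
            continue  # skip comment lines and blanks
        fields = line.split("\t")
        host = fields[0].split()[1]
        for field in fields[1:]:
            if not field.startswith("Ports: "):
                continue  # "Status:" and "Ignored State:" carry no port entries
            for entry in field[len("Ports: "):].split(", "):
                # Entry layout: port/state/protocol/owner/service/rpc/version/
                parts = entry.strip().split("/")
                if len(parts) < 5 or not parts[0].isdigit():
                    continue  # malformed entry
                port, state, proto, _owner, service = parts[:5]
                hosts[host][state].append((int(port), proto, service))
    return hosts


def unsettled_ports(hosts):
    """Sorted (host, port, proto, state) tuples worth re-checking, e.g. with --reason."""
    return sorted(
        (host, port, proto, state)
        for host, states in hosts.items()
        for state, ports in states.items() if state in UNSETTLED
        for port, proto, _service in ports
    )


if __name__ == "__main__":
    for row in unsettled_ports(parse_grepable(SAMPLE_OG)):
        print(*row)
```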
The main timing option is the -T parameter, which you can use when you want more control over timing in order to get the scan finished more quickly. However, Nmap adjusts its timings automatically depending on network speed and the response times of the target. Nmap offers a simpler approach, with six timing templates. You can specify them with the -T option and their number (0–5) or their name, as shown below:
# Scan ip with default scripts and service version detection.
nmap -sC -sV -oA bastard 10.10.10.9

# Scan full ports with time option -T5 "insane"
nmap -p- -T5 -oA allports 10.10.10.51

# Scan full ports and show only open ports
nmap -p1-65535 192.168.1.127 --open

# Scan specific TCP and UDP ports at the same time
# (-sU plus a TCP scan type is required for the U:/T: port lists to take effect)
nmap -sS -sU -p U:53,137,T:21-25,80,443 188.8.131.52

# Ping Sweep
nmap -v -sn 10.11.1.1-254 -oG ping-sweep.txt

# Banner Grabbing/Service Enumeration
nmap -sV -sT 10.0.0.19

# OS Fingerprinting
nmap -O 10.0.0.19

# Scan for top 20 TCP ports
nmap -sT -A --top-ports=20 10.11.1.1-254 -oG top-port-sweep.txt

# Scan for open SNMP ports
nmap -sU --open -p 161 10.11.1.1-254 -oG mega-snmp.txt

# Scan with the aggressive timing template (-T4) to reduce scanning time
nmap -T4 192.168.1.127

# Perform a fast scan of a specific ip range, excluding 192.168.1.114
nmap -F 192.168.1.110-255 --exclude 192.168.1.114

# Scan the ips listed in a text file
nmap -iL /root/Desktop/scan.txt
# Path to nse scripts
ls /usr/share/nmap/scripts/

# List nse scripts in "vuln" category.
locate -r '\.nse$' | xargs grep categories | grep vuln

# List nse scripts related to "smb" with categories.
locate -r '\.nse$' | xargs grep categories | grep smb
# Scan ip with scripts in "vuln" category.
nmap --script vuln -oA vulnscan 10.10.10.79

# Scan specific ports with scripts in "vuln" category.
nmap -p 110,119,22,25,4555,80 -sC -sV -oA vulnscan --script vuln 10.10.10.51

# Scan ip with scripts in "vuln" and "safe" categories.
nmap --script "vuln and safe" -Pn -n -p 445 <target ip>

# What does a script do?
nmap --script-help ftp-anon

# Scan FTP (21) with a script "ftp-anon.nse"
nmap -v -p 21 --script=ftp-anon.nse 10.11.1.1-254

# Scan with SMB-related scripts to find vulnerabilities
# (pattern quoted so the shell does not expand it against local files)
nmap --script "smb-vuln*" -p 139,445 <target ip>

# Scan with SMB-related scripts
nmap --script "smb*" -p 139,445 <target ip>

# Scan SMB (139,445) with a script "smb-os-discovery"
nmap -v -p 139,445 --script=smb-os-discovery 10.11.1.227

# Scan SMB (139,445) with a script "smb-vuln-ms08-067"
nmap -v -p 139,445 --script=smb-vuln-ms08-067 --script-args=unsafe=1 10.11.1.201

# Scan SMB (139,445) with a script "smb-security-mode"
nmap -v -p 139,445 --script=smb-security-mode 10.11.1.236

# Scan HTTP (80) with a script "http-shellshock"
nmap -p 80 --script http-shellshock --script-args uri=/cgi-bin/user.sh,cmd=ls 10.10.10.56

# Scan HTTP (80) with a script "http-vuln-cve2010-2861"
nmap -v -p 80 --script=http-vuln-cve2010-2861 10.11.1.210

# Scan DNS (53) with a script "dns-zone-transfer"
nmap --script=dns-zone-transfer -p 53 ns2.megacorpone.com