Nmap
Table of Contents
Utilities
nmap – Network exploration tool and security / port scanner
| -T paranoid|sneaky|polite|normal|aggressive|insane | You can specify timing templates with the -T option and their number (0–5) or their name. The template names are paranoid (0), sneaky (1), polite (2), normal (3), aggressive (4), and insane (5) |
| -A | Enable OS detection, version detection, script scanning, and traceroute |
| -sn (No port scan) | This option tells Nmap not to do a port scan after host discovery, and only print out the available hosts that responded to the host discovery probes. |
| -F (Fast (limited port) scan) | Specifies that you wish to scan fewer ports than the default. Normally Nmap scans the most common 1,000 ports for each scanned protocol. With -F, this is reduced to 100. |
https://man7.org/linux/man-pages/man1/nmap.1.html
Tasks
Host Discovery
No real ping
-sL (List Scan)
Ping scans (-P* options)
| -PE | echo request (RFC 1122) |
| -PP |
nmap -PE 192.168.99.82/24
nmap -PE 192.168.99.100-179
Zenmap profiles
| Intense scan | nmap -T4 -A -v |
| Intense scan plus UDP | nmap -sS -sU -T4 -A -v |
| Intense scan, all TCP ports | nmap -p 1-65535 -T4 -A -v |
| Intense scan, no ping | nmap -T4 -A -v -Pn |
| Ping scan | nmap -sn |
| Quick scan | nmap -T4 -F |
| Quick scan plus | nmap -sV -T4 -O -F –version-light |
| Quick traceroute | nmap -sn –traceroute |
| Regular scan | nmap |
| Slow comprehensive scan | nmap -sS -sU -T4 -A -v -PE -PP -PS80,443 -PA3389 -PU40125 -PY -g 53 –script “default or (discovery and safe)” |