Nmap (Network Mapper) is a free and open-source command-line application used for network discovery and security auditing. Nmap crafts IP packets to determine which hosts are available on a network and which services and operating systems they run.

## Ping scan

```shell
nmap -sn 192.168.4.1/24
```

The `-sn` flag disables port scanning, so only the host discovery phase of the scan runs. The default discovery probes are a TCP SYN to port 443, a TCP ACK to port 80 and, when running as a privileged user, an ICMP echo request. When scanning a local Ethernet network, ARP requests are used instead, unless the `--send-ip` flag is specified.

## Traceroute

```shell
nmap -sn --traceroute google.com
```

## NMAP Commands

### **Basic Scanning**

- Scan a single target:
  ```shell
  nmap [target]
  ```
- Scan multiple targets:
  ```shell
  nmap [target1 target2]
  ```
- Scan a range of IPs:
  ```shell
  nmap 192.168.1.1-10
  ```
- Scan an entire subnet:
  ```shell
  nmap 192.168.1.0/24
  ```

### **Discovery Options**

- Ping scan only:
  ```shell
  nmap -sP [target]
  ```
- Skip ping:
  ```shell
  nmap -Pn [target]
  ```
- ARP discovery (local network):
  ```shell
  nmap -sn -PR [target]
  ```

### **Port Scanning**

- Scan specific port(s):
  ```shell
  nmap -p 80,443 [target]
  ```
- Scan all ports:
  ```shell
  nmap -p 1-65535 [target]
  ```
- TCP SYN scan:
  ```shell
  nmap -sS [target]
  ```
- UDP scan:
  ```shell
  nmap -sU [target]
  ```

### **Service and OS Detection**

- Detect service versions:
  ```shell
  nmap -sV [target]
  ```
- OS detection:
  ```shell
  nmap -O [target]
  ```
- Aggressive scan (OS, services, scripts):
  ```shell
  nmap -A [target]
  ```

### **Output Options**

- Normal output to file:
  ```shell
  nmap -oN output.txt [target]
  ```
- XML output:
  ```shell
  nmap -oX output.xml [target]
  ```
- Greppable output:
  ```shell
  nmap -oG output.grep [target]
  ```
- All formats at once:
  ```shell
  nmap -oA output [target]
  ```

### **NSE Scripts**

- Run default scripts:
  ```shell
  nmap -sC [target]
  ```
- Run specific script(s):
  ```shell
  nmap --script=[script-name(s)] [target]
  ```
  Example for SMB enumeration:
  ```shell
  nmap --script smb-enum-shares,smb-os-discovery -p 445 [target]
  ```
- List available scripts:
  ```shell
  ls /usr/share/nmap/scripts/
  ```

### **Firewall/IDS Evasion**

- Spoof source IP:
  ```shell
  nmap -S [spoofed-IP] [target]
  ```
- Randomize scan order:
  ```shell
  nmap --randomize-hosts [targets]
  ```
- Fragment packets:
  ```shell
  nmap -f [target]
  ```

### **Traceroute and Debugging**

- Enable traceroute:
  ```shell
  nmap --traceroute [target]
  ```
- Increase verbosity:
  ```shell
  nmap -v [target]
  nmap -vv [target]
  ```
- Debugging mode:
  ```shell
  nmap -d [target]
  nmap -dd [target]
  ```