mirror of
https://github.com/mubix/kaliwiki.git
synced 2025-10-29 16:59:26 +00:00
10 KiB
10 KiB
Nmap
Notes
Nmap (Network Mapper) is a security scanner originally written by Gordon Lyon used to discover hosts and services on a computer network, thus creating a "map" of the network. It is the most popular and widely docuemnted network scanner.
Help Text
Nmap 6.45 ( http://nmap.org )
Usage: nmap [Scan Type(s)] [Options] {target specification}
TARGET SPECIFICATION:
Can pass hostnames, IP addresses, networks, etc.
Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
-iL <inputfilename>: Input from list of hosts/networks
-iR <num hosts>: Choose random targets
--exclude <host1[,host2][,host3],...>: Exclude hosts/networks
--excludefile <exclude_file>: Exclude list from file
HOST DISCOVERY:
-sL: List Scan - simply list targets to scan
-sn: Ping Scan - disable port scan
-Pn: Treat all hosts as online -- skip host discovery
-PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports
-PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
-PO[protocol list]: IP Protocol Ping
-n/-R: Never do DNS resolution/Always resolve [default: sometimes]
--dns-servers <serv1[,serv2],...>: Specify custom DNS servers
--system-dns: Use OS's DNS resolver
--traceroute: Trace hop path to each host
SCAN TECHNIQUES:
-sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
-sU: UDP Scan
-sN/sF/sX: TCP Null, FIN, and Xmas scans
--scanflags <flags>: Customize TCP scan flags
-sI <zombie host[:probeport]>: Idle scan
-sY/sZ: SCTP INIT/COOKIE-ECHO scans
-sO: IP protocol scan
-b <FTP relay host>: FTP bounce scan
PORT SPECIFICATION AND SCAN ORDER:
-p <port ranges>: Only scan specified ports
Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080,S:9
-F: Fast mode - Scan fewer ports than the default scan
-r: Scan ports consecutively - don't randomize
--top-ports <number>: Scan <number> most common ports
--port-ratio <ratio>: Scan ports more common than <ratio>
SERVICE/VERSION DETECTION:
-sV: Probe open ports to determine service/version info
--version-intensity <level>: Set from 0 (light) to 9 (try all probes)
--version-light: Limit to most likely probes (intensity 2)
--version-all: Try every single probe (intensity 9)
--version-trace: Show detailed version scan activity (for debugging)
SCRIPT SCAN:
-sC: equivalent to --script=default
--script=<Lua scripts>: <Lua scripts> is a comma separated list of
directories, script-files or script-categories
--script-args=<n1=v1,[n2=v2,...]>: provide arguments to scripts
--script-args-file=filename: provide NSE script args in a file
--script-trace: Show all data sent and received
--script-updatedb: Update the script database.
--script-help=<Lua scripts>: Show help about scripts.
<Lua scripts> is a comma-separated list of script-files or
script-categories.
OS DETECTION:
-O: Enable OS detection
--osscan-limit: Limit OS detection to promising targets
--osscan-guess: Guess OS more aggressively
TIMING AND PERFORMANCE:
Options which take <time> are in seconds, or append 'ms' (milliseconds),
's' (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).
-T<0-5>: Set timing template (higher is faster)
--min-hostgroup/max-hostgroup <size>: Parallel host scan group sizes
--min-parallelism/max-parallelism <numprobes>: Probe parallelization
--min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time>: Specifies
probe round trip time.
--max-retries <tries>: Caps number of port scan probe retransmissions.
--host-timeout <time>: Give up on target after this long
--scan-delay/--max-scan-delay <time>: Adjust delay between probes
--min-rate <number>: Send packets no slower than <number> per second
--max-rate <number>: Send packets no faster than <number> per second
FIREWALL/IDS EVASION AND SPOOFING:
-f; --mtu <val>: fragment packets (optionally w/given MTU)
-D <decoy1,decoy2[,ME],...>: Cloak a scan with decoys
-S <IP_Address>: Spoof source address
-e <iface>: Use specified interface
-g/--source-port <portnum>: Use given port number
--proxies <url1,[url2],...>: Relay connections through HTTP/SOCKS4 proxies
--data-length <num>: Append random data to sent packets
--ip-options <options>: Send packets with specified ip options
--ttl <val>: Set IP time-to-live field
--spoof-mac <mac address/prefix/vendor name>: Spoof your MAC address
--badsum: Send packets with a bogus TCP/UDP/SCTP checksum
OUTPUT:
-oN/-oX/-oS/-oG <file>: Output scan in normal, XML, s|<rIpt kIddi3,
and Grepable format, respectively, to the given filename.
-oA <basename>: Output in the three major formats at once
-v: Increase verbosity level (use -vv or more for greater effect)
-d: Increase debugging level (use -dd or more for greater effect)
--reason: Display the reason a port is in a particular state
--open: Only show open (or possibly open) ports
--packet-trace: Show all packets sent and received
--iflist: Print host interfaces and routes (for debugging)
--log-errors: Log errors/warnings to the normal-format output file
--append-output: Append to rather than clobber specified output files
--resume <filename>: Resume an aborted scan
--stylesheet <path/URL>: XSL stylesheet to transform XML output to HTML
--webxml: Reference stylesheet from Nmap.org for more portable XML
--no-stylesheet: Prevent associating of XSL stylesheet w/XML output
MISC:
-6: Enable IPv6 scanning
-A: Enable OS detection, version detection, script scanning, and traceroute
--datadir <dirname>: Specify custom Nmap data file location
--send-eth/--send-ip: Send using raw ethernet frames or IP packets
--privileged: Assume that the user is fully privileged
--unprivileged: Assume the user lacks raw socket privileges
-V: Print version number
-h: Print this help summary page.
EXAMPLES:
nmap -v -A scanme.nmap.org
nmap -v -sn 192.168.0.0/16 10.0.0.0/8
nmap -v -iR 10000 -Pn -p 80
SEE THE MAN PAGE (http://nmap.org/book/man.html) FOR MORE OPTIONS AND EXAMPLES
Example Usage
nmap -O -v scanme.nmap.org
Starting Nmap ( http://nmap.org )
Nmap scan report for scanme.nmap.org (74.207.244.221)
Not shown: 994 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
646/tcp filtered ldp
1720/tcp filtered H.323/Q.931
9929/tcp open nping-echo
31337/tcp open Elite
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6.39
OS details: Linux 2.6.39
Uptime guess: 1.674 days (since Fri Sep 9 12:03:04 2011)
Network Distance: 10 hops
TCP Sequence Prediction: Difficulty=205 (Good luck!)
IP ID Sequence Generation: All zeros
Read data files from: /usr/local/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 5.58 seconds
Raw packets sent: 1063 (47.432KB) | Rcvd: 1031 (41.664KB)
nmap -A -T4 -p- -oX XMLoutput.xml scanme.nmap.org
Starting Nmap 6.45 ( http://nmap.org ) at 2014-04-21 22:16 HST
Warning: 74.207.244.221 giving up on port because retransmission cap hit (6).
Nmap scan report for scanme.nmap.org (74.207.244.221)
Host is up (0.027s latency).
Not shown: 63194 closed ports, 2338 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.3p1 Debian 3ubuntu7.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 8d:60:f1:7c:ca:b7:3d:0a:d6:67:54:9d:69:d9:b9:dd (DSA)
|_ 2048 79:f8:09:ac:d4:e2:32:42:10:49:d3:bd:20:82:85:ec (RSA)
80/tcp open http Apache httpd 2.2.14 ((Ubuntu))
|_http-title: Go ahead and ScanMe!
9929/tcp open nping-echo Nping echo
Device type: general purpose
Running (JUST GUESSING): Linux 2.6.X|3.X (91%)
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3
Aggressive OS guesses: Linux 2.6.39 (91%), Linux 2.6.32 - 2.6.39 (89%), Linux 2.6.32 - 3.6 (88%), Linux 3.0 - 3.9 (86%), Linux 2.6.22 - 2.6.36 (85%), Linux 2.6.37 (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 80/tcp)
HOP RTT ADDRESS
1 22.47 ms 192.168.1.254
2 22.38 ms scanme.nmap.org (74.207.244.221)
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1274.85 seconds
nmap -PR -sn -n 192.168.1.0/24
Starting Nmap 6.45 ( http://nmap.org ) at 2014-04-21 22:17 HST
Nmap scan report for 192.168.1.55
Host is up (0.00020s latency).
MAC Address: 12:EE:F2:93:42:9E (Unknown)
Nmap scan report for 192.168.1.64
Host is up (0.065s latency).
MAC Address: A4:A2:4A:20:89:FE (Cisco Spvtg)
Nmap scan report for 192.168.1.65
Host is up (0.064s latency).
MAC Address: 60:2A:D0:5F:E3:AE (Cisco Spvtg)
Nmap scan report for 192.168.1.66
Host is up (0.064s latency).
MAC Address: 60:2A:D0:5F:E0:F9 (Cisco Spvtg)
Nmap scan report for 192.168.1.67
Host is up (0.13s latency).
MAC Address: AC:81:12:35:B4:AE (Gemtek Technology Co.)
Nmap scan report for 192.168.1.73
Host is up (0.13s latency).
MAC Address: 00:16:EB:0E:1E:84 (Intel Corporate)
Nmap scan report for 192.168.1.77
Host is up (0.20s latency).
MAC Address: 88:32:9B:34:F4:F9 (Samsung Electro Mechanics co.)
Nmap scan report for 192.168.1.110
Host is up (0.0023s latency).
MAC Address: 12:EE:F2:93:42:9E (Unknown)
Nmap scan report for 192.168.1.254
Host is up (0.0045s latency).
MAC Address: 28:16:2E:73:78:C1 (2Wire)
Nmap scan report for 192.168.1.75
Host is up.
Nmap done: 256 IP addresses (10 hosts up) scanned in 3.56 seconds
nmap -p 80 --script http-title -Pn -n google.com
Starting Nmap 6.45 ( http://nmap.org ) at 2014-04-21 22:19 HST
Nmap scan report for google.com (72.234.39.57)
Host is up (0.014s latency).
Other addresses for google.com (not scanned): 72.234.39.45 72.234.39.59 72.234.39.38 72.234.39.49 72.234.39.30 72.234.39.34 72.234.39.23 72.234.39.27 72.234.39.44 72.234.39.29 72.234.39.19 72.234.39.42 72.234.39.15 72.234.39.53
PORT STATE SERVICE
80/tcp open http
| http-title: Google
|_Requested resource was http://www.google.com/
Nmap done: 1 IP address (1 host up) scanned in 0.62 seconds