# NMAP

{% hint style="success" %}
After you discover your ports with NMAP, either check the [Services](/initial-access/services.md) section for manual exploits or try some automated [NSE](/reconnaissance/active-scanning/nmap/nse.md) scripts.
{% endhint %}

## Simple Scans:

**My Favorite CTF Scan:** (balance of info to speed for small IP sets; -A runs aggressive NSE scripts and can be dropped to speed up the scan)\
<mark style="color:green;">`nmap -sCVT -vv -A -p- 10.10.10.29`</mark>

**NSE Vuln Scripts:**\
<mark style="color:green;">`nmap --script vuln 10.11.1.10`</mark>

**Quick TCP Scan:**\
<mark style="color:green;">`nmap -sC -sV -vv -oA quick 10.10.10.10`</mark>

**Quick UDP Scan:**\
<mark style="color:green;">`nmap -sU -sV -vv -oA quick_udp 10.10.10.10`</mark>\
<mark style="color:green;">`nmap -sU -sS -vv 10.10.10.10`</mark>

{% hint style="warning" %}
UDP scans send empty UDP packets: if an ICMP packet comes back the port is closed, and no ICMP packet means the port is reported as open. However, firewalls/routers/Win10 may drop ICMP packets as a security mechanism, and the scan will then return all UDP ports as "open".
{% endhint %}

**Top 20 port scan:**

The port list can be edited in `/usr/share/nmap/nmap-services` to fit your needs.

<mark style="color:green;">`# nmap -sT -A --top-ports=20 10.11.1.1-254 -oG top-port-sweep.txt`</mark>

**Nmap Live Host Sweep:**\
<mark style="color:green;">`# nmap -v -sn 10.11.1.1-254 -oG ping-sweep.txt`</mark>\
<mark style="color:green;">`# grep Up ping-sweep.txt | cut -d " " -f 2`</mark>

**DNS Host sweep:**\
<mark style="color:green;">`# nmap -sT -p53 172.16.5.1,5,6,10`</mark>

**Sweeping specified ports:**\
<mark style="color:green;">`# nmap -p 80 10.11.1.1-254 -oG web-sweep.txt`</mark>\
<mark style="color:green;">`# grep open web-sweep.txt | cut -d " " -f 2`</mark>\
or\
<mark style="color:green;">`# nmap -A -p80 --open 10.11.1.0/24 -oG nmap-scan_10.11.1.1-254`</mark>\
<mark style="color:green;">`# cat nmap-scan_10.11.1.1-254 | grep 80 | grep -v "Nmap" | awk '{print $2}'`</mark>

#### Large CIDR Scans

<mark style="color:green;">`# nmap -sn 172.16.64.0-255 -oG discovery.nmap`</mark>

<mark style="color:green;">`# cat discovery.nmap | grep Host | awk '{print $2}' > IPs.txt`</mark>

<mark style="color:green;">`# nmap -sCVT -Pn -A -iL IPs.txt -oN portmaps.nmap`</mark>

<mark style="color:green;">`# nmap -sV -T4 -Pn --open -p- -iL IPs.txt -oN allports.nmap`</mark>
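Reading the `-oG` files from the sweeps above with `grep Up | cut` or `grep 80 | awk` works until the port number also appears inside an IP address or a version string. This added example (not from the original page) parses the tab-separated grepable fields instead, on a constructed sample of `-oG` output, and shows the naive pipeline's result beside it:

```python
"""Parse nmap grepable (-oG) output without the grep/cut/awk pitfalls (added example)."""
import ipaddress

# Constructed -oG output of the kind the sweeps above write (not real scan data).
SAMPLE_OG = (
    "# Nmap 7.94 scan initiated as: nmap -sV -p 80,443 10.11.1.1-254 -oG web-sweep.txt\n"
    "Host: 10.11.1.5 ()\tStatus: Up\n"
    "Host: 10.11.1.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.0 (protocol 2.0)/, "
    "80/open/tcp//http//Apache httpd 2.4.41/\tIgnored State: closed (998)\n"
    "Host: 10.11.1.80 ()\tStatus: Up\n"
    "Host: 10.11.1.80 ()\tPorts: 443/open/tcp//https//nginx 1.18.0/\tIgnored State: closed (999)\n"
    "Host: 10.11.1.200 ()\tStatus: Down\n"
    "# Nmap done -- 254 IP addresses (2 hosts up) scanned in 12.34 seconds\n"
)

def parse_grepable(text):
    """Return {ip: [(port, state, proto, service, version), ...]} for every host that is Up."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                      # skip the '# Nmap ...' header and footer lines
        fields = line.split("\t")         # -oG fields are tab separated
        ip = fields[0].split()[1]         # "Host: 10.11.1.5 ()" -> "10.11.1.5"
        for field in fields[1:]:
            key, _, value = field.partition(": ")
            if key == "Status" and value == "Up":
                hosts.setdefault(ip, [])
            elif key == "Ports":
                for entry in value.split(", "):
                    # each entry is port/state/proto/owner/service/rpc info/version/
                    port, state, proto, _owner, service, _rpc, version = entry.split("/")[:7]
                    hosts.setdefault(ip, []).append((int(port), state, proto, service, version))
    return hosts

def hosts_with_open_port(hosts, port, proto="tcp"):
    """IPs with port/proto open, sorted numerically: the robust form of the grep pipelines above."""
    return sorted((ip for ip, ports in hosts.items()
                   if any(p == port and s == "open" and pr == proto for p, s, pr, _svc, _ver in ports)),
                  key=ipaddress.ip_address)

def naive_grep_pipeline(text, port):
    """Same result as `grep <port> file | grep -v Nmap | awk '{print $2}'`: substring matching
    also catches the port number inside IP addresses, version strings and Status lines."""
    return [line.split()[1] for line in text.splitlines()
            if str(port) in line and "Nmap" not in line]

if __name__ == "__main__":
    hosts = parse_grepable(SAMPLE_OG)
    print("robust:", hosts_with_open_port(hosts, 80))       # ['10.11.1.5']
    print("naive: ", naive_grep_pipeline(SAMPLE_OG, 80))    # ['10.11.1.5', '10.11.1.80', '10.11.1.80']
```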

**Port knock example (knocks on ports 7000, 8000, 9000):**\
<mark style="color:green;">`for x in 7000 8000 9000; do nmap -Pn --host-timeout 201 --max-retries 0 -p $x 10.10.10.10; done`</mark>

{% hint style="info" %}
Port knocking is rare in corporations and fuzzing for it **cannot** be done quietly. Just include an offline automated check for port knocking in your network traffic dumps, as it is a waste of time to hunt for it manually.
{% endhint %}
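One way to build that offline check, as an added example that is not part of the original page: flag a source that makes a short burst of refused or unanswered probes to a few distinct ports on one host and then completes a handshake to a different port shortly after. The connection records are constructed, and the window sizes and knock-count bounds are assumed tuning values.

```python
"""Offline check for port-knock sequences in connection records (added example)."""
from collections import defaultdict

KNOCK_WINDOW = 10.0      # seconds within which the knock probes must all fall (assumed)
FOLLOWUP_WINDOW = 30.0   # seconds after the last knock in which the "door" is used (assumed)
MIN_KNOCKS, MAX_KNOCKS = 3, 8   # fewer is ordinary noise; more looks like a port scan, not a knock

# Constructed connection attempts (ts, src, dst, dport, outcome) as you would extract them from a
# pcap or flow log; outcome is "synack" (handshake completed), "rst" (refused) or "none" (dropped).
FLOWS = [
    (100.0, "10.10.14.3", "10.10.10.10", 7000, "rst"),     # knock 1
    (100.3, "10.10.14.3", "10.10.10.10", 8000, "rst"),     # knock 2
    (100.6, "10.10.14.3", "10.10.10.10", 9000, "none"),    # knock 3 (dropped, no RST)
    (102.0, "10.10.14.3", "10.10.10.10", 22, "synack"),    # the door opens
    (150.0, "10.10.14.7", "10.10.10.10", 443, "rst"),      # single failed attempt ...
    (151.0, "10.10.14.7", "10.10.10.10", 443, "synack"),   # ... then a retry: benign
    (200.0, "10.10.14.9", "10.10.10.20", 22, "synack"),    # plain connection: benign
]

def find_knock_sequences(flows):
    """Return [(src, dst, knock_ports, door_port)] for every knock-then-connect pattern."""
    by_pair = defaultdict(list)
    for rec in sorted(flows):                          # time order, grouped per src/dst pair
        by_pair[(rec[1], rec[2])].append(rec)
    hits = []
    for (src, dst), recs in by_pair.items():
        knocks = []                                    # (ts, port) of recent failed probes
        for ts, _src, _dst, port, outcome in recs:
            if outcome != "synack":
                knocks = [k for k in knocks if ts - k[0] <= KNOCK_WINDOW]   # age out old probes
                if port not in [k[1] for k in knocks]:
                    knocks.append((ts, port))
                continue
            ports = [k[1] for k in knocks]
            if (MIN_KNOCKS <= len(ports) <= MAX_KNOCKS and port not in ports
                    and ts - knocks[-1][0] <= FOLLOWUP_WINDOW):
                hits.append((src, dst, ports, port))
            knocks = []                                # a completed handshake ends the sequence
    return hits

if __name__ == "__main__":
    for src, dst, knock_ports, door in find_knock_sequences(FLOWS):
        print(f"{src} -> {dst}: knocked {knock_ports}, then connected to port {door}")
```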

### Flags:

<mark style="color:yellow;">-O</mark> OS fingerprinting (uses TTL and TCP window sizes)

<mark style="color:yellow;">-sV</mark> banner grabbing/version detection. Check the help screen if you want to banner grab more aggressively with additional -sV arguments

<mark style="color:yellow;">-sT</mark> Connect scan

<mark style="color:yellow;">-sS</mark> SYN scan (DEFAULT IF NOTHING IS SPECIFIED)

<mark style="color:yellow;">-sU</mark> UDP scan

<mark style="color:yellow;">-sA</mark> ACK scan. Probes firewall behavior (statefulness, filtering). Hosts responding with RST to our ACKs are considered unfiltered and those that don't are filtered. An unfiltered response means there are likely no firewall rules in place for that port.

<mark style="color:yellow;">-sO</mark> IP protocol scan. This is not a port scan: rather than enumerating the port field in the packets, it enumerates the 8-bit protocol field to see which protocols are enabled on a host. It looks for ICMP protocol unreachable messages rather than the port unreachable messages of a port scan.

<mark style="color:yellow;">-sI</mark> idle scan (zombie scan). Utilizes a zombie on the network and infers port states from the IP identification (fragment ID) numbers of its packets.

<mark style="color:yellow;">-A</mark> aggressive scan with NSE service scripts; takes a long time and triggers alerts

<mark style="color:yellow;">--open</mark> for sweeps, only return info on open ports

<mark style="color:yellow;">-sn</mark> live host identification scan

<mark style="color:yellow;">-n</mark> no DNS host lookup; faster and quieter on internal networks

<mark style="color:yellow;">-b</mark> FTP bounce scan. This stealth scan hides the true scanning source: it port scans from a vulnerable FTP server on the network using the FTP PORT command.

<mark style="color:yellow;">-f</mark> turns on fragmentation (see "staying quiet"); for a SYN scan the MTU here is 42 bytes

<mark style="color:yellow;">--mtu</mark> like fragmentation, but we can also specify the MTU size (must be a multiple of 8)

<mark style="color:yellow;">--source-port</mark> or <mark style="color:yellow;">-g</mark> spoofs the source port

<mark style="color:yellow;">--max-retries</mark> how many times to resend the same packet after a timeout

<mark style="color:yellow;">-oN</mark> normal output to file

<mark style="color:yellow;">-oG</mark> grepable output to file

### RFC compliant scans:

This depends on networks that follow the RFCs, which define certain rules for what to do with odd packets seen on the network. We can then make assumptions about the hosts we are scanning based on what they do with the packets. This is **NOT a stealth technique** and will likely trigger rules because of how odd the packets are, but it is a good last resort to look for live hosts/services. Also, Windows/Cisco/IBM operating systems may give different results for these scans, and various firewall rules can affect the results as well.

<mark style="color:yellow;">-sN</mark> TCP null scan. No flag bits are set in the header (all 0).

<mark style="color:yellow;">-sF</mark> FIN scan. Only sets the FIN bit.

<mark style="color:yellow;">-sX</mark> Xmas tree scan. Sets the FIN, PSH and URG flags.
