MOCs
- Overview
- Useful Commands
- Installation
- Basic Scanning Techniques
- Advanced Scanning Techniques
- Scanning Ports and Services
- OS and Version Detection
- Script Scanning
- Nmap Scripting Engine (NSE)
- Tips and Tricks
- Output Formats
- Nmap Cheat Sheet
Overview
Nmap (“Network Mapper”) is a free and open-source utility for network discovery and security auditing. It is designed to rapidly scan large networks, although it works fine against single hosts. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics.
Useful Commands
sudo nmap -p- --min-rate 10000 -oA scans/tcp_allports IP
sudo nmap -p PORT1,PORT2,... -sC -sV -oA scans/tcp_scripts IP
Installation
Nmap can be installed on Windows, Linux, and macOS. Installation methods vary by operating system:
- Linux: Often available in official repositories. Use package managers like
apt,yum, orzypper. - Windows: Download the executable installer from nmap.org.
- macOS: Install via Homebrew with
brew install nmapor download from nmap.org
Basic Scanning Techniques
- Ping Scan (
-sn): This command is used to determine if the target host is online.
nmap -sn 192.168.1.0/24- Port Scan (
-p): Scans for open ports on the target host(s). You can specify individual ports or ranges (-p 22,80,443or-p 1-65535).
nmap -p 22,80,443 192.168.1.1
nmap -p 1-65535 192.168.1.1Advanced Scanning Techniques
- Stealth Scan (
-sS): This scan type is often used to evade firewalls and packet filtering.
nmap -sS 192.168.1.1- Version Detection (
-sV): Attempts to determine the version of the services running on open ports.
nmap -sV 192.168.1.1- OS Detection (
-O): Attempts to determine the operating system of the target host.
nmap -O 192.168.1.1Scanning Ports and Services
- Fast Scan (
-F): Scans only the top 100 most common ports.
nmap -F 192.168.1.1- All Ports (
-p-): Scans all 65535 ports.
nmap -p- 192.168.1.1- Specific Ports (
-p): Allows scanning of specified ports and ranges.
nmap -p 22,80,443 192.168.1.1
nmap -p 1-65535 192.168.1.1OS and Version Detection
- Operating System Detection (
-O): Enables OS detection. - Version Detection (
-sV): Probes open ports to determine service/version info.
Script Scanning
- Default Script Scan (
-sC): Executes a script scan using the default set of scripts.
nmap -sC 192.168.1.1- Script Categories (
--script=<category>): Allows specifying categories of scripts to execute (e.g.,vuln,discovery,auth).
nmap --script=vuln 192.168.1.1Nmap Scripting Engine (NSE)
- Introduction: The NSE is one of Nmap’s most powerful and flexible features. It allows users to write (and share) scripts to automate a wide variety of networking tasks.
- Usage Examples: Detect vulnerabilities, automate specific scanning tasks, or discover more about the network.
Tips and Tricks
- Combining Scans: You can combine scan types to refine and customize your scanning tactics.
- Timing and Performance (
-T<0-5>): Adjusts the timing for speed or stealth.
nmap -T4 192.168.1.1- Evading Firewalls/Packet Filtering: Techniques such as fragmenting packets (
-f) or using decoys (-D) can help evade detection.
nmap -f 192.168.1.1
nmap -D RND:10 192.168.1.1Output Formats
- Normal (
-oN <outputfile>): Outputs scan results in a readable form.
nmap -oN scan_results.txt 192.168.1.1- XML (
-oX <outputfile>): Outputs scan results in XML format.
nmap -oX scan_results.xml 192.168.1.1- Grepable (
-oG <outputfile>): Outputs scan results in a format easy to grep.
nmap -oG scan_results.txt 192.168.1.1Nmap Cheat Sheet
- Quick Scan:
nmap -T4 -F <target> - Detailed Scan:
nmap -T4 -A -p- <target> - Detect OS and Services:
nmap -O -sV <target> - Scan Using Specific Scripts:
nmap --script=<script-name> <target>
nmap --script=http-vuln-cve2014-3704 192.168.1.1