Complete Guide to NMAP
To start off, yes, I wrote this by myself. No copying/pasting
from any other forum/website. The ones I didn't know I did
research on the NMAP site but I changed the explanation to
simpler terms and in my own words. I hope you all enjoy
and use this thread. It's absolutely pertinent to any
penetration test. I also go over (N)IDS bypassing and
firewall evasion :)
1. Basic scanning - IP, subnet, range, list, exclusions, CIDR
Single IP:
nmap [Link]
This will get the basic ports and services of a single IP
Subnet:
nmap [Link]
This will get the info of IPs in the entire [Link] subnet
Range:
nmap [Link]-100
Machines [Link] - [Link] will be scanned
Exclusions:
nmap [Link]-100 --exclude [Link]
CIDR:
For this you'll need some basic networking knowledge of how IPs are
allocated.
An IP(v4) address is 4 groups of 8 bits (octets), which are converted to binary and sent
to the router. Depending on the value of the first 8 bits, the (unsubnetted) class is
decided.
0 - 126 = Class A
127 = reserved. Localhost. Commonly [Link] but the whole subnet is reserved.
128 - 191 = Class B
192 - 223 = Class C
Note: there are other classes and theoretical classes but these are what we'll be
working with!
What does this mean?
In each class, a certain portion is representative of network, and the rest represent the
host.
Class A: 8 bits network, 24 bits host (CIDR /8)
Class B: 16 bits network, 16 bits host (CIDR /16)
Class C: 24 bits network, 8 bits host (CIDR /24)
See the pattern?
/8 essentially means scan:
X.255.255.255
/16
X.X.255.255
/24
X.X.X.255
So even if you have a 192.168 (class C) you can use any CIDR especially if it's
subnetted.
So if there are [Link] and 192.168.2.5 you should use a /16 CIDR.
Commands:
nmap [Link]/16
nmap [Link]/8
nmap [Link]/24
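To make the classful/CIDR arithmetic above concrete, here is an added worked example (my own code, not from the original post or from Nmap). It classifies an address by its first octet using the same ranges listed above, expands a CIDR target into the address range a scanner would actually walk, and finds the tightest prefix that covers a set of addresses (the "which CIDR should I use" question). All addresses in it are constructed samples.

```python
import ipaddress
from typing import Iterable

# Classful boundaries by first octet, exactly as listed in the text above.
CLASS_BY_FIRST_OCTET = (
    (0, 126, "A"),
    (127, 127, "loopback"),
    (128, 191, "B"),
    (192, 223, "C"),
)
# Default (unsubnetted) prefix length for each class.
DEFAULT_PREFIX = {"A": 8, "B": 16, "C": 24}


def classful_class(ip: str) -> str:
    """Return the classful letter for an IPv4 address, decided by its first octet."""
    first_octet = int(ipaddress.IPv4Address(ip)) >> 24
    for low, high, label in CLASS_BY_FIRST_OCTET:
        if low <= first_octet <= high:
            return label
    return "D/E"  # multicast / experimental; not covered in the text


def scan_scope(cidr: str) -> dict:
    """Describe what a CIDR target expands to: first/last address and usable host count."""
    net = ipaddress.IPv4Network(cidr, strict=False)
    # /31 and /32 have no separate network/broadcast addresses.
    usable = net.num_addresses if net.prefixlen >= 31 else net.num_addresses - 2
    return {
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "prefix": net.prefixlen,
        "usable_hosts": usable,
    }


def smallest_covering_network(ips: Iterable[str]) -> ipaddress.IPv4Network:
    """Find the tightest CIDR that contains every address in `ips`.

    This is the single target you would hand to nmap to cover all of them."""
    ints = [int(ipaddress.IPv4Address(ip)) for ip in ips]
    lo, hi = min(ints), max(ints)
    prefix = 32
    # Shorten the prefix until the lowest and highest address share all network bits.
    while prefix > 0 and (lo >> (32 - prefix)) != (hi >> (32 - prefix)):
        prefix -= 1
    base = ((lo >> (32 - prefix)) << (32 - prefix)) if prefix else 0
    return ipaddress.IPv4Network((base, prefix))


if __name__ == "__main__":
    # Constructed sample addresses (not taken from the post).
    for ip in ("10.1.2.3", "127.0.0.1", "172.16.5.9", "192.168.1.5"):
        cls = classful_class(ip)
        print(f"{ip:<14} class {cls:<9} default /{DEFAULT_PREFIX.get(cls, '-')}")
    print(scan_scope("192.168.1.0/24"))
    print(smallest_covering_network(["192.168.1.5", "192.168.2.5"]))
```

Note that two hosts in 192.168.1.x and 192.168.2.x are already covered by a /22; a /16 works too, it just sweeps 65,534 addresses instead of 1,022, which matters for how long the scan runs and how much noise it makes.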
2. More Basic/Essential Scanning Parameters
From here on out I'll be using a SINGLE IP even though it can be replaced with
anything from part 1.
- - - Part I - OS/Version Detection:
nmap -A [Link]
-A = aggressive scan
-O = OS detection
nmap -sV [Link]
-sV = Version Detection
nmap -A -O -sV [Link]
combine!
- - - Part II - Pinging:
Send a simple ICMP packet to see if the host is up
nmap -sP [Link]
- - - Part III - Firewall Checking / Scanning:
nmap -sA [Link]
Detects possible firewalls
nmap -PN [Link]
Attempts to circumvent the firewall. Does not ping the IP beforehand.
- - - Part IV - Custom Ports:
single:
nmap -p 80 [Link]
range:
nmap -p 80-443 [Link]
list:
nmap -p 80,21,22,223,443 [Link]
protocols:
nmap -p U:51,100,123,T:21,22,80 [Link]
U: UDP use with -sU
T: TCP use with -sT
Again, combine all these commands for the desired output!!
nmap -sV -A -O -p 80-443 [Link]/24 --exclude [Link]
Think what it would do by reading above, then click the spoiler
- - - Part V - Verbosity and Writing to Files:
-v = verbose. Repeat it (-vv) or give a level (-v3) for more detail.
nmap -v -O [Link]
-oN [path] = write the normal output to a text file
nmap -A -O -oN /root/Desktop/[Link] [Link]
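Writing the output to a file is mostly useful because you can process it afterwards. Below is an added example (my code, not from the post or from Nmap) that parses Nmap's "greppable" output format, which you get with -oG (a real Nmap option, though the post only shows normal output), and turns it into an inventory of open services per host. That is the view a defender wants when checking what a scan of their own network actually exposes. The sample output embedded in it is constructed to match the -oG layout: tab-separated `Host:` / `Ports:` fields, with each port entry written as `port/state/proto/owner/service/rpcinfo/version/`.

```python
import re
from collections import defaultdict

# Constructed sample of nmap -oG output (not real scan results).
SAMPLE_OG = """\
# Nmap 7.94 scan initiated (constructed sample) as: nmap -sV -oG scan.gnmap 192.168.1.0/24
Host: 192.168.1.10 ()\tStatus: Up
Host: 192.168.1.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.4p1/, 80/open/tcp//http//nginx 1.18.0/, 443/closed/tcp//https///\tIgnored State: filtered (997)
Host: 192.168.1.20 ()\tStatus: Up
Host: 192.168.1.20 ()\tPorts: 161/open|filtered/udp//snmp///, 3389/open/tcp//ms-wbt-server//Microsoft Terminal Services/\tIgnored State: closed (998)
# Nmap done (constructed sample)
"""

# port/state/proto/owner/service/rpcinfo/version/  (seven slashes, version may be empty)
PORT_ENTRY = re.compile(r"^(\d+)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/(.*)/$")


def parse_gnmap(text):
    """Return {host: [(port, proto, state, service, version), ...]} from -oG text."""
    results = defaultdict(list)
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # comment lines and anything else
        # Fields are tab-separated "Name: value" pairs.
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        host = fields["Host"].split()[0]  # strip the "(hostname)" part
        ports_field = fields.get("Ports")
        if not ports_field:
            continue  # "Status: Up" lines carry no port list
        for entry in ports_field.split(", "):
            m = PORT_ENTRY.match(entry.strip())
            if not m:
                continue
            port, state, proto, _owner, service, _rpc, version = m.groups()
            results[host].append((int(port), proto, state, service, version))
    return dict(results)


def open_services(parsed):
    """Flatten the parse result to (host, port, proto, service, version) for open ports only."""
    return [
        (host, port, proto, service, version)
        for host, ports in parsed.items()
        for port, proto, state, service, version in ports
        if state == "open"
    ]


if __name__ == "__main__":
    for host, port, proto, service, version in open_services(parse_gnmap(SAMPLE_OG)):
        print(f"{host:<15} {port:>5}/{proto:<4} {service:<15} {version}")
```

States such as `open|filtered` (typical for UDP) are kept in the parsed data but deliberately excluded from `open_services`, so the inventory lists only what Nmap positively confirmed.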
3. Different Scanning Types
-sO = IP protocol scan.... VERY IMPORTANT. This uses IP (internet protocol) to scan. Keep
in mind, this does NOT scan ports!!!! DO NOT USE -p! This will tell you what
protocols can be used to scan so you can tailor your scan accordingly (TCP, UDP,
ICMP, IGMP, SCTP, etc.)
nmap -sO [Link]
-sS = TCP SYN scan. Most common and often useful. Very fast and can usually
bypass most firewalls.
nmap -sS [Link]
-sT = TCP connect scan. A great alternative if -sS is not an option (blocked)
nmap -sT [Link]
-sU = UDP scan. VERY underused even though many services (DNS, DHCP, SNMP
to name a few) may have possible exploits on common UDP ports (53, 67, 161)
nmap -sU [Link]
-sY = SCTP scan. SCTP (Stream Control Transmission Protocol) is a fairly new
alternative to TCP and UDP. Like a TCP SYN scan, it is pretty undetectable and
overall has great stability.
nmap -sY [Link]
-sN = TCP null scan. Sets the entire TCP flag field (FIN/PSH/URG etc.) to null...
nmap -sN [Link]
-sF = FIN scan. Only sets the FIN flag in the TCP header
nmap -sF [Link]
-sX = The infamous Christmas (Xmas) scan. Sets all of the flags. It gets its name
because the packet is 'lit up like an Xmas tree'.
nmap -sX [Link]
-sA = TCP ACK scan. Not a conventional scan and n00bs should stay away from it. It's
usually used for attempting to determine firewall rulesets. It sends an ACK packet to
the ports and if a reset (RST) packet is received then it is labeled 'unfiltered' by the
firewall. If it receives an ICMP error it is labeled 'filtered'. This does NOT determine
if they are opened/closed ports.
nmap -sA [Link]
-sW = Window scan. Keep in mind this is not perfect. Basically, it's similar to an
ACK scan but it ATTEMPTS to read the signatures of the RST packet returned to
differentiate between open and closed. Not all systems work the same so the margin
of error is vast...
nmap -sW [Link]
-sZ = SCTP cookie scan. Basically, open ports should drop packets with cookie echo
packets, and closed ports will send an ABORT packet. If it does not get a response,
it's 'open'; if it gets an ABORT packet, it's 'closed'.
nmap -sZ [Link]
-sI <IP of zombie>= Zombie scan... this is GREAT for IDS bypassing as I'll show you
next section. Basically, it uses the zombie as a middleman during the scan. It is sent
to/from the zombie and the target. It is not always available, but is awesome when it
is!
nmap -sI [Link] [Link]
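The scan types above differ mainly in which TCP flags the probe carries, and that is exactly what a signature-based IDS keys on. As an added example (my own code, written from the detection side; it is not from the post or from Nmap), the block below labels a raw TCP flag byte with the probe type it matches and runs a small detector over a constructed packet list. NULL, FIN and Xmas combinations never occur in legitimate TCP, so a single packet is enough to report; a bare SYN or ACK is normal on its own, so those are reported only when one source touches many distinct ports. Flags are written in tcpdump-style letters (S, A, F, P, U, R).

```python
from collections import defaultdict

# TCP flag bits in header order.
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}
FIN, SYN, RST, PSH, ACK, URG = (FLAG_BITS[c] for c in "FSRPAU")

# Flag patterns matching the probe types described above.
PROBE_SIGNATURES = {
    0: "NULL probe (-sN)",
    FIN: "FIN probe (-sF)",
    FIN | PSH | URG: "Xmas probe (-sX)",
    SYN: "SYN probe (-sS) or connection attempt",
    ACK: "ACK probe (-sA/-sW) or stray ACK",
}
ANOMALOUS = {"NULL probe (-sN)", "FIN probe (-sF)", "Xmas probe (-sX)"}
COUNTED = {"SYN probe (-sS) or connection attempt", "ACK probe (-sA/-sW) or stray ACK"}


def parse_flags(letters):
    """'FPU' -> FIN|PSH|URG; '' -> 0 (no flags)."""
    return sum(FLAG_BITS[c] for c in letters.upper())


def classify_flags(flags):
    """Map a TCP flag byte to a probe label; anything else counts as ordinary traffic."""
    return PROBE_SIGNATURES.get(flags & 0x3F, "other")


def detect_probes(packets, port_threshold=10):
    """Return a list of (source, reason) findings.

    packets: iterable of (src, dst, dport, flags) tuples.
    Anomalous flag combinations are reported on first sight per source; SYN/ACK
    traffic is reported only once a source has hit `port_threshold` distinct ports."""
    findings = []
    reported = set()
    ports_by_src = defaultdict(set)
    for src, dst, dport, flags in packets:
        label = classify_flags(flags)
        if label in ANOMALOUS:
            if (src, label) not in reported:
                reported.add((src, label))
                findings.append((src, f"{label} to {dst}:{dport}"))
        elif label in COUNTED:
            ports_by_src[(src, label)].add((dst, dport))
    for (src, label), ports in ports_by_src.items():
        if len(ports) >= port_threshold:
            findings.append((src, f"{label}: {len(ports)} distinct ports"))
    return findings


# Constructed sample traffic (not a real capture).
SAMPLE_PACKETS = (
    [("10.0.0.5", "10.0.0.9", 22, parse_flags("FPU"))]                    # one Xmas probe
    + [("10.0.0.5", "10.0.0.9", 80, parse_flags(""))]                      # one NULL probe
    + [("10.0.0.7", "10.0.0.9", p, parse_flags("S")) for p in range(1, 13)]  # SYN sweep, 12 ports
    + [("10.0.0.8", "10.0.0.9", 443, parse_flags("S")),                    # ordinary client connect
       ("10.0.0.9", "10.0.0.8", 443, parse_flags("SA"))]                   # and the server's reply
)

if __name__ == "__main__":
    for src, reason in detect_probes(SAMPLE_PACKETS):
        print(f"{src:<10} {reason}")
```

The threshold is the tunable part: too low and every busy client looks like a SYN scan, too high and a scan of a short port list slips through. The flag-combination rules need no tuning at all, which is why null/FIN/Xmas probes are the easiest of the lot to catch.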
4. IDS/IPS/NIDS Bypassing + Firewall Evasion
This is the type of scanning you should use in a network that is protected by host-based IDSes or NIDSes...
-f = Fragment. This will fragment the headers over multiple packets so the IDS will
not notice any suspicious headers in one packet alone. Great for signature based
IDSes.
-T(0-5) = Timing template. The lower the number, the slower it will be, to avoid volumetrically
activated IDSes. We will use -T0 if you want to be REALLY fucking sneaky or -T5 if
you're not worried about getting in trouble when you get caught.
--data-length # = adds bytes to the end of the packets. Let's do 14 because it's not as
common a number for this and it's a multiple of 7.
-D <decoy(s)> = Decoy. Can take a couple parameters (using -sS as an example):
nmap -sS -D [Link] [Link] [uses specific decoy]
nmap -sS -D RND [Link] [Uses one random decoy]
nmap -sS -D RND:7 [Link] [uses 7 random decoys]
nmap -sS -D [Link]-6 [Link] [uses [Link]-6 as decoys]
nmap -sS -D [Link],[Link] [Link] [uses those 2 as decoys]
nmap -sS -D ME [Link] [Uses yourself as a decoy... not recommended]
You can also mix-n-match
nmap -sS -D RND:5,[Link]-6 [Link]
--randomize-hosts = When you scan, by default, it scans each host in sequential order.
This can be detected by many NIDSes and can possibly be circumvented by
randomizing the order in which they are scanned.
--spoof-mac 0/VendorID/[MAC Addr Here] = simply spoofs the MAC that's
scanning... 0 = random. VendorID = all vendors have their own MAC prefixes.
Custom = 6 groups of hex values separated by colons (Example: [Link]
or [Link])
Final NMAP command for bypassing network based IDSes, signature based IDSes,
and decent firewalls:
Keep in mind, any scanning technique will work here. -sS is the most common so that's
what I'm using.
Also note that randomizing hosts when scanning one host will not do anything. There's only
one host.
Also note that when using -D RND it does NOT generate an in-network IP. It's a random
IP (ex: [Link] not [Link]) so it's best to use that when scanning an
external IP. Otherwise, specify the IPs manually.
nmap -sS -T0 -f -D [Link],[Link],[Link],[Link] --randomize-hosts --data-length 14 --spoof-mac [Link] [Link]/24
[Link]/book/[Link]
This scan may take up to SEVERAL hours to complete if there are lots of hosts on the
network.
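The reason -T0 takes hours is that it is trying to stay under an IDS's per-minute counters. As an added example from the defender's side (my own code, not from the post or from Nmap), the block below shows the counter that a patient scan is hiding from and the obvious fix: evaluate distinct-port counts per source over two windows at once, a short one for bursts and a long one for slow sweeps. Fragmentation and --data-length padding change how a probe looks on the wire, but not how many different ports a source touches, so this aggregation is unaffected by them. The flow records are constructed; timestamps are seconds.

```python
from collections import defaultdict, Counter


def max_distinct_ports_in_window(events, window_seconds):
    """For each source, the largest number of distinct (dst, port) pairs seen
    within any window of `window_seconds`.  events: (ts, src, dst, dport) tuples."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in events:
        by_src[src].append((ts, (dst, dport)))
    result = {}
    for src, evs in by_src.items():
        evs.sort()
        counts = Counter()  # (dst, port) -> occurrences inside the current window
        left = 0
        best = 0
        for ts, key in evs:
            counts[key] += 1
            # Slide the left edge forward until the window fits.
            while ts - evs[left][0] > window_seconds:
                old = evs[left][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                left += 1
            best = max(best, len(counts))
        result[src] = best
    return result


def scan_alerts(events, burst=(60, 10), slow=(24 * 3600, 15)):
    """Alert on sources exceeding either the burst or the slow threshold.

    Each threshold is (window_seconds, min_distinct_ports).  Returns {src: [rule, ...]}."""
    alerts = {}
    for name, (window, threshold) in (("burst", burst), ("slow", slow)):
        for src, n in max_distinct_ports_in_window(events, window).items():
            if n >= threshold:
                alerts.setdefault(src, []).append(name)
    return alerts


# Constructed flow records: (timestamp_seconds, src, dst, dport).
SAMPLE_EVENTS = (
    # 10.0.0.5: one new port every 5 minutes for 2 hours (a -T0 style sweep)
    [(i * 300, "10.0.0.5", "10.0.0.9", 1000 + i) for i in range(24)]
    # 10.0.0.7: 20 ports in 20 seconds (a default-speed sweep)
    + [(50000 + i, "10.0.0.7", "10.0.0.9", 2000 + i) for i in range(20)]
    # 10.0.0.8: an ordinary client reconnecting to one service
    + [(t, "10.0.0.8", "10.0.0.9", 443) for t in (100, 4000, 9000)]
)

if __name__ == "__main__":
    print(max_distinct_ports_in_window(SAMPLE_EVENTS, 60))
    print(max_distinct_ports_in_window(SAMPLE_EVENTS, 24 * 3600))
    print(scan_alerts(SAMPLE_EVENTS))
```

With only the 60-second rule, 10.0.0.5 never exceeds one port per window and is invisible; the 24-hour rule catches it at 24 distinct ports, while the single legitimate service on 10.0.0.8 stays under both thresholds.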
Tutorial written by Goodies from Hack Forums.
If you have ANY questions or corrections please post them in
the thread :)