Starting out with NMAP - Part II
Part I
In part I, I covered the basic commands for running nmap. In this part I will go through more advanced techniques.
Port Scanning Options
Perform a Fast Scan
nmap -F [target]
Scan Specific Ports
nmap -p [port(s)] [target]
Scan Ports by Name
nmap -p [port name(s)] [target]
Scan Ports by Protocol
nmap -sU -sT -p U:[ports],T:[ports] [target]
Scan All Ports
nmap -p 1-65535 [target]
Scan Top Ports
nmap --top-ports [number] [target]
Perform a Sequential Port Scan
nmap -r [target]
Attempt to Guess an Unknown OS
nmap -O --osscan-guess [target]
Service Version Detection
nmap -sV [target]
Troubleshoot Version Scan
nmap -sV --version-trace [target]
Perform a RPC Scan
nmap -sR [target]
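The version-detection commands above print one PORT/STATE/SERVICE/VERSION line per port in nmap's normal output. The following is an added example, not code from the original post: it parses that output into records and filters the open services, which is the usual first step before comparing a scan against an approved-services inventory. The sample output is constructed, not a real scan.

```python
import re
from dataclasses import dataclass

# Constructed sample of nmap normal output from a `nmap -sV` run (not a real scan).
SAMPLE_OUTPUT = """\
Starting Nmap 7.94 ( https://nmap.org )
Nmap scan report for web01.example.test (192.0.2.10)
Host is up (0.0010s latency).
Not shown: 997 closed tcp ports (reset)
PORT     STATE    SERVICE VERSION
22/tcp   open     ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
80/tcp   open     http    nginx 1.18.0
443/tcp  filtered https
53/udp   open     domain  ISC BIND 9.18.1
Nmap scan report for 192.0.2.11
Host is up (0.0020s latency).
PORT     STATE    SERVICE VERSION
3306/tcp open     mysql   MySQL 5.7.42
"""

# "Nmap scan report for <name> (<ip>)" or just "Nmap scan report for <ip>"
HOST_RE = re.compile(r"^Nmap scan report for (\S+)(?: \((\S+)\))?$")
# "<port>/<proto> <state> <service> [<version text>]"; the version column is optional
PORT_RE = re.compile(r"^(\d+)/(tcp|udp|sctp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")

@dataclass
class ServiceRecord:
    host: str
    port: int
    proto: str
    state: str
    service: str
    version: str

def parse_nmap_sv(text):
    """Return one ServiceRecord per port line, tagged with the host it belongs to."""
    records, host = [], None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            host = m.group(2) or m.group(1)  # prefer the IP in parentheses
            continue
        m = PORT_RE.match(line)
        if m and host is not None:
            port, proto, state, service, version = m.groups()
            records.append(ServiceRecord(host, int(port), proto, state, service, (version or "").strip()))
    return records

def open_services(records):
    """Keep only ports nmap reported as open (filtered/closed ports carry no version)."""
    return [r for r in records if r.state == "open"]
```

Feed the output of a real `nmap -sV` run (or a saved file) to `parse_nmap_sv` in place of the constructed sample.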
Discovery Options
Host Discovery
The -P switches determine the type of ping to perform.
Nmap Switch | Description |
---|---|
-PI | ICMP ping |
-P0 | No ping |
-PS | SYN ping |
-PT | TCP ping |
Perform a Ping Only Scan
nmap -sn [target]
Do Not Ping
nmap -Pn [target]
TCP SYN Ping
nmap -PS [target]
TCP ACK Ping
nmap -PA [target]
UDP Ping
nmap -PU [target]
SCTP INIT Ping
nmap -PY [target]
ICMP Echo Ping
nmap -PE [target]
ICMP Timestamp Ping
nmap -PP [target]
ICMP Address Mask Ping
nmap -PM [target]
IP Protocol Ping
nmap -PO [target]
ARP ping
nmap -PR [target]
Traceroute
nmap --traceroute [target]
Force Reverse DNS Resolution
nmap -R [target]
Disable Reverse DNS Resolution
nmap -n [target]
Alternative DNS Lookup
nmap --system-dns [target]
Manually Specify DNS Server
You can specify a single server or several, separated by commas.
nmap --dns-servers [servers] [target]
Create a Host List
nmap -sL [targets]
Wrap up
This post covered mostly advanced commands. In the next post I will discuss the commands to use when trying to evade detection by, for example, firewalls or IDS systems.