Network Scanning Tool: Nmap

Nmap stands for “Network Mapper”.

It is a free and open source tool for network discovery and security auditing, written by Gordon Lyon (better known by his pseudonym Fyodor Vaskovich). It supports host discovery, port scanning, service and version detection, OS detection, scriptable interaction with targets (the Nmap Scripting Engine) and many other techniques, and scales from a single host to networks with many thousands of devices.

Nmap uses raw IP packets in different ways to determine the available hosts on the network, the services those hosts are offering, operating system (versions) they are running, the types of packet filters or firewalls in use, etc.

Syntax of nmap command:

nmap [Scan Type(s)] [Options] {target specifications}

Specifying Target Hosts and Networks (Target Specification)

nmap [ip address / hostname / network] 

To scan a single target (if IP address is known),

nmap [target ip]

e.g. nmap 192.168.0.101

This is the simplest way to run an Nmap scan. The target can be an IPv4 address or, with -6, an IPv6 address. Nmap first performs host discovery (a ping scan) to check whether the host is up: on the local Ethernet segment this is done with an ARP request, which also reveals the target's MAC address; for remote hosts it uses ICMP and TCP probes. For hosts found up, Nmap then does a reverse DNS lookup and scans the 1000 most commonly used TCP ports (as ranked in the nmap-services file) to see which are open. The default scan type is a SYN scan (-sS) when Nmap has raw-socket privileges (root) and a TCP connect scan (-sT) otherwise.

To scan a single target (if hostname is known),

nmap [hostname]

e.g. nmap scanme.nmap.org

Nmap first resolves the hostname with a forward DNS lookup, then proceeds exactly as for an IP target: host discovery, a reverse DNS lookup for hosts that are up and a scan of the 1000 most common TCP ports. If the hostname resolves to several addresses, only the first one is scanned unless --resolve-all is given.

To scan multiple targets,

nmap [target1 ip] [target2 ip] [target3 ip] [….]

e.g. nmap 192.168.0.101 192.168.0.102

If we want to scan several targets, or a range of targets, we can use the above command with multiple space-separated target specifications.

We can specify the list of multiple targets as shown below:

·         To specify a list of IP addresses:

e.g. nmap 192.168.0.101 192.168.0.102 192.168.0.176 192.168.1.234

This command will run the Nmap scan on all the specified targets, i.e. the following IPs will be scanned:
192.168.0.101
192.168.0.102
192.168.0.176
192.168.1.234

·         To specify a range of IP addresses:

e.g. nmap 192.168.0.101-110

This command will run the Nmap scan on all the targets within the specified range, i.e. the following IPs will be scanned:
192.168.0.101
192.168.0.102
192.168.0.103
192.168.0.104
192.168.0.105
192.168.0.106
192.168.0.107
192.168.0.108
192.168.0.109
192.168.0.110

·         To specify a range of IP addresses in CIDR notation:

e.g. nmap 192.168.0.0/29

This command will run the Nmap scan on all the targets within the specified CIDR block, i.e. the following IPs will be scanned (Nmap does not skip the network and broadcast addresses .0 and .7 unless told to):
192.168.0.0
192.168.0.1
192.168.0.2
192.168.0.3
192.168.0.4
192.168.0.5
192.168.0.6
192.168.0.7

Reading targets from a file (-iL),

When many hosts must be scanned, or the target list comes from another tool, the targets can be read from a file instead of being typed on the command line. Each entry in the file can be in any form Nmap accepts on the command line (IP address, hostname, CIDR block or octet range), and entries are separated by spaces, tabs or newlines. Note that this is not the "list scan" (-sL, see Host Discovery), which only lists targets without scanning them.

nmap -iL <input file name> [options]

e.g. nmap -iL /data/iplist

The above command will scan all the targets listed in the 'iplist' file. A filename of - reads the targets from standard input, so the output of another tool can be piped straight into Nmap.

This is the practical way to scan a large number of addresses that cannot be expressed as a single range, e.g. 1000 scattered IP addresses: there is no need to pass them one by one on the terminal, and the same file can drive repeated scans, which makes it useful when automating scans across a large infrastructure.

To exclude targets from a scan,

If we don't want to scan some of the addresses covered by the target specification, we can use the --exclude argument to leave them out (for example, fragile production systems, or hosts that must not be touched under the rules of engagement).

nmap [target IP] --exclude [IP(s) to be excluded]

e.g. nmap 192.168.1.1/24 --exclude 192.168.1.100

This command will run an Nmap scan on all the IPs in the specified range, but it will not scan 192.168.1.100 as it is excluded from the scan.

e.g. nmap 192.168.0.100-140 --exclude 192.168.0.129-131

This command will run an Nmap scan on all the IPs from 192.168.0.100 to 192.168.0.140, but not on 192.168.0.129, 192.168.0.130 and 192.168.0.131, which have been excluded from the scan. The exclusions can also be read from a file with --excludefile <filename>, using the same format as -iL.
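To make the target-specification rules above concrete (single addresses, octet ranges, CIDR blocks, target files and --exclude), here is an added Python example that expands such specifications into the individual addresses Nmap would scan. It is not Nmap's code: hostnames are not resolved, and the handling of '#' comments in the target file and of open-ended octet ranges is this example's own assumption, not something the Nmap manual states.

```python
"""Expand Nmap-style target specifications into individual IPv4 addresses.

Added example, not Nmap's own code. Supports single addresses, octet ranges
such as 192.168.0.101-110, the '*' wildcard, CIDR blocks, -iL style target
files and --exclude. Hostnames are not resolved here.
"""
import ipaddress
import itertools


def _octet_values(part):
    """Expand one dotted-quad component: '7', '101-110' or '*' -> list of ints."""
    if part == "*":
        return list(range(256))
    if "-" in part:
        lo, hi = part.split("-", 1)
        # Open-ended bounds ('-110' or '101-') are this example's assumption, not documented Nmap syntax
        lo = int(lo) if lo else 0
        hi = int(hi) if hi else 255
    else:
        lo = hi = int(part)
    if not 0 <= lo <= hi <= 255:
        raise ValueError("bad octet range: %s" % part)
    return list(range(lo, hi + 1))


def expand_spec(spec):
    """Expand a single target spec into a list of IPv4 address strings."""
    if "/" in spec:                      # CIDR block: 192.168.0.0/29 -> .0 through .7
        net = ipaddress.ip_network(spec, strict=False)   # host bits set (192.168.1.1/24) are fine
        return [str(a) for a in net]
    parts = spec.split(".")
    if len(parts) != 4:
        raise ValueError("unsupported target spec (hostnames are not resolved here): %s" % spec)
    octets = [_octet_values(p) for p in parts]
    # product() varies the last octet fastest, which matches the 192.168.0.101-110 order above
    return [".".join(str(o) for o in combo) for combo in itertools.product(*octets)]


def expand_targets(specs, exclude=()):
    """Expand several specs (command line or -iL file) and remove everything matched by --exclude."""
    excluded = set()
    for spec in exclude:
        excluded.update(expand_spec(spec))
    targets = []
    for spec in specs:
        targets.extend(ip for ip in expand_spec(spec) if ip not in excluded)
    return targets


def read_target_file(text):
    """Parse the contents of an -iL file: entries separated by any whitespace.
    Text after '#' is dropped as a comment (this example's assumption about the format)."""
    specs = []
    for line in text.splitlines():
        specs.extend(line.split("#", 1)[0].split())
    return specs


if __name__ == "__main__":
    # Constructed sample input corresponding to:  nmap -iL iplist --exclude 192.168.0.129-131
    SAMPLE_FILE = """
    # DMZ inventory (constructed sample, not real infrastructure)
    192.168.0.101-110   192.168.0.0/29
    192.168.0.100-140
    """
    for ip in expand_targets(read_target_file(SAMPLE_FILE), exclude=["192.168.0.129-131"]):
        print(ip)
```

Running it prints the 8 addresses of the /29, the .101-.110 range and then .100-.140 minus the three excluded hosts, in the order the specifications were given; a quick way to sanity-check a complicated target list before pointing Nmap at it (Nmap's own -sL does the same job on the real command line).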

To scan a random number of hosts/targets,

To scan randomly chosen Internet hosts, use the -iR argument and specify how many targets Nmap should pick. Nmap generates that many random public IP addresses; private, multicast and unallocated ranges are skipped automatically.

nmap -iR [number of hosts]

e.g. nmap -iR 100

This command will run an Nmap scan against 100 random targets on the Internet, i.e. Nmap will generate a list of 100 random external IP addresses and scan them. A value of 0 means a never-ending scan. This is only appropriate for Internet-wide research with a documented scope, since the hosts picked are not ones you have been authorised to test.

Host Discovery

List targets without scanning them (list scan),

·       nmap -sL [ip range]

Nmap only enumerates the targets (doing reverse DNS lookups on them) and sends no probes. It is a quick way to check what a target specification expands to before scanning.

Ping scan with -sn (disables port scanning, host discovery only),

·       nmap -sn [target]

For a privileged user scanning a remote target, the default host discovery done by -sn consists of an ICMP echo request, a TCP SYN to port 443, a TCP ACK to port 80 and an ICMP timestamp request. An unprivileged user cannot send raw packets, so Nmap falls back to TCP connect() probes to ports 80 and 443. For targets on the local Ethernet segment, ARP requests are used instead (see below).

-sP is the old name for -sn and is kept only for backward compatibility,

·       nmap -sP [target]

TCP ping on TCP port 80 (a host-discovery probe, without a port scan),

·       nmap -sn -PS80 [target]

Skip host discovery and treat all hosts as up (port scan only); use this when the host is really up but blocks ping probes,

·       nmap -Pn [target]

The ICMP part of a ping scan works by sending ICMP ECHO REQUEST packets to the target machine; if an ICMP ECHO REPLY is received, the target is up. If there is no response to the ICMP probe, a TCP ping can be used to tell an ICMP-blocking host from a host that is really down. A TCP ping sends a TCP packet with the SYN or the ACK flag set to a chosen port (port 80 by default). If a RST or a SYN/ACK packet comes back, the target is up. If nothing comes back, the target may be down, or a filter in the path may be dropping the probe or its reply.

On a local Ethernet segment Nmap does not use IP-level probes at all: it sends an ARP request for the target IP address, and if the target answers with its MAC address the host is reported as up (the MAC address and its vendor also appear in the output). This is faster and more reliable than ICMP or TCP probes, because a host on the same segment must answer ARP to communicate at all.

TCP SYN discovery on specified port(s) (port 80 by default),

·       nmap -PS[port(s)] [target]

The -PS option sends an empty TCP packet with the SYN flag set. If the target port is closed, a RST is received; if it is open, a SYN/ACK is received, and the kernel of the machine running Nmap (not Nmap itself) answers that unexpected SYN/ACK with a RST, so no connection is established. Either reply proves the host is up.

TCP ACK discovery on specified port(s) (port 80 by default),

·       nmap -PA[port(s)] [target]

The -PA option sends an empty TCP packet with the ACK flag set. A host that receives an ACK for a connection it knows nothing about answers with a RST, whether the port is open or closed. This gets through stateless firewalls that block SYN packets but let ACKs pass; a stateful firewall drops the unsolicited ACK, which is why -PS and -PA are often combined.

UDP discovery on specified port(s) (port 40125 by default),

·       nmap -PU[port(s)] [target]

The -PU option sends a UDP packet to the target. If the port is closed, an ICMP port unreachable message comes back, which proves the host is up. An open UDP port may simply not answer, which is why an unusual (most likely closed) port is used by default.

SCTP discovery on specified port(s) (port 80 by default),

·       nmap -PY[port(s)] [target]

The -PY option sends an SCTP packet containing a minimal INIT chunk. If the destination port is closed, an ABORT chunk is received; if the port is open, an INIT-ACK chunk is received as part of the SCTP four-way handshake, and the kernel of the machine running Nmap (not Nmap itself) answers it with an ABORT chunk instead of the COOKIE-ECHO that would complete the association.

Enable ICMP echo request discovery probes (ICMP type 8, expecting an echo reply, type 0) [ICMP echo ping],

·       nmap -PE [target]

Enable ICMP timestamp request discovery probes (ICMP type 13, expecting a timestamp reply, type 14),

·       nmap -PP [target]

Enable ICMP address mask request discovery probes (ICMP type 17, expecting an address mask reply, type 18),

·       nmap -PM [target]

ARP ping,

·       nmap -PR [ip address]

IP protocol ping,

·       nmap -PO[protocol list] [target]

The IP protocol ping sends IP packets with the specified protocol number set in the IP header. If no protocols are specified, it sends packets for ICMP (protocol 1), IGMP (protocol 2) and IP-in-IP (protocol 4). For ICMP, IGMP, TCP (protocol 6), UDP (protocol 17) and SCTP (protocol 132) the packets are sent with proper protocol headers, while other protocols are sent with no data beyond the IP header (unless --data, --data-string or --data-length is given). This host discovery method looks for either a response using the same protocol as the probe, or an ICMP protocol unreachable message, which signifies that the given protocol isn't supported on the destination host. Either type of response signifies that the target host is alive. Do not confuse this with the IP protocol scan (-sO), which determines which protocols a host supports rather than whether it is up.

No DNS resolution,

·       nmap -n [ip address]

The -n option tells Nmap never to do reverse DNS resolution of the target IP addresses. This speeds up scans and avoids sending DNS queries that reveal which addresses are being scanned.

Always resolve DNS,

·       nmap -R [ip address]

The -R option tells Nmap to always do reverse DNS resolution of the target IP addresses, even for hosts that appear to be down (by default, reverse DNS is done only for responsive hosts).

Scan each resolved address,

·       nmap --resolve-all [hostname]

If a hostname resolves to more than one address, --resolve-all scans all of them instead of only the first.

No ARP or neighbour discovery,

·       nmap --disable-arp-ping [ip address]

Nmap normally does ARP or IPv6 Neighbour Discovery (ND) of locally connected Ethernet hosts, even if other host discovery options such as -Pn or -PE are used. To disable this implicit behaviour, use the --disable-arp-ping option.

Trace path to host,

·       nmap --traceroute [target]

This option works with all scan types except the TCP connect scan (-sT) and the idle scan (-sI). The traceroute runs after the scan, using the probe type and port that the scan found most likely to elicit a response.

Use the operating system's DNS resolver for scans,

·       nmap --system-dns [hostname]

By default, Nmap reverse-resolves IP addresses by sending queries directly to the name servers configured on your host, in parallel, and then listening for the responses. Specify this option to use your system resolver instead (one IP at a time via the getnameinfo call). The system resolver is always used for forward lookups (getting an IP address from a hostname).

Specify custom DNS servers,

·       nmap --dns-servers <server1>,<server2>

By default, Nmap determines your DNS servers (for reverse DNS resolution) from the resolv.conf file (on Unix systems) or the Registry (on Windows). The --dns-servers option specifies alternate servers; it affects only reverse lookups and cannot be combined with --system-dns.

Nmap Scanning Techniques

TCP Connect Scan (Full Open Scan)

nmap -sT [target]

This scan is called TCP connect because it uses the connect() system call of the operating system's socket API to begin a TCP connection, just as a web browser or any other application would. Nmap gets no raw-packet access and simply learns whether connect() succeeded (port open), was refused with a RST (port closed) or timed out (port filtered). It is the default scan type when Nmap lacks raw-socket privileges (for example, when run as a non-root user) and it is the most basic and reliable type of scan: it connects to each scanned port, then lists the open ones and the services associated with them. Because it completes the three-way handshake with every open port, the connection is handed to the listening application, which may log it, so the source of the scan is easily detected. Like every scan type, it scans the 1000 most common ports by default, not all 65535. As soon as the handshake completes, Nmap closes the connection again.

SYN Scan / Stealth Scan (Half Open Scan)

nmap -sS [target]

This scan is called half open because the three-way handshake is never completed, so no full connection is established. Nmap sends a SYN packet; a SYN/ACK in reply means the port is open and a RST means it is closed, while no response (or an ICMP unreachable error) means the port is filtered. When a SYN/ACK is received, the kernel of the scanning machine answers with a RST, which tears the half-open connection down before the listening application ever sees it. Because the application never accepts a connection, the scan does not appear in application logs (firewalls and intrusion detection systems can still see the SYN packets). SYN scan requires raw-socket privileges (root on Unix) and is the default scan type when those are available. Like every scan type, it scans the 1000 most common ports by default.

UDP Scan

nmap -sU [target]

UDP scan is used to determine the open UDP ports on the target host. For most ports an empty UDP header (no payload) is sent; for some common UDP ports like 53 and 161 a protocol-specific payload is sent instead, which raises the chance that a listening service answers. The responses are interpreted as follows: a UDP reply proves the port is open; an ICMP port unreachable error (type 3, code 3) means it is closed; other ICMP unreachable errors (type 3, codes 1, 2, 9, 10 or 13) mean it is filtered; and no response at all leaves it open|filtered, meaning the port could be open or a network filter could be dropping the probe.

Because many kernels rate-limit ICMP error messages (Linux sends at most about one per second by default), a UDP scan of a host with many closed ports is very slow. Limiting the ports (e.g. -sU -p 53,123,161, or -sU --top-ports 50) keeps it practical.

ACK Scan

nmap -sA [target]

In an ACK scan, a TCP packet with only the ACK flag set is sent to each scanned port. A host that receives an unsolicited ACK replies with a RST whether the port is open or closed, so this scan never distinguishes open from closed ports: a RST reply means the port is unfiltered (the probe reached the host through whatever filtering is in place), and no reply (or an ICMP unreachable error) means it is filtered. Its purpose is to map firewall rules, not to find listening services, so it is used together with other scan types; for example, a port that is open in a SYN scan and unfiltered in an ACK scan sits behind no stateful filter.

Note:
Stateless firewall → filters on the fields of each packet alone, typically blocking incoming SYN packets; the ACK probe passes and gets a RST back (unfiltered)
Stateful firewall → tracks connections and drops ACK packets that belong to no known connection; the probe gets no reply (filtered)

FIN Scan

nmap -sF [target]

The FIN scan sends a TCP packet with only the FIN flag set. An open port should silently drop the packet (reported as open|filtered), while a closed port answers with a RST. This works only against TCP stacks that follow RFC 793; Microsoft Windows and many Cisco devices, among others, send a RST regardless of the port state, so every port looks closed to a FIN scan of such a host.

NULL Scan

nmap -sN [target]

The NULL scan sends a TCP packet with no flags set.

Xmas Scan

nmap -sX [target]

The Xmas Tree Scan sends a TCP packet with FIN, URG and PSH flags set. This scan can be easily detected by Intrusion Detection System and Advanced Firewalls.

Note: With the FIN, NULL and Xmas scans, a closed port should respond with a RST, whereas an open port should just drop the packet. This follows from RFC 793, which says a closed port answers any packet without a RST flag with a RST, while an open port ignores packets that lack the SYN, RST or ACK flags. No connection is ever attempted, so the application never logs anything. The price is ambiguity: an open port and a filtered port both stay silent, so these scans report open|filtered, and systems that do not follow the RFC (Microsoft Windows, many Cisco devices and others) send a RST for every port, making all ports look closed.

Window Scan

nmap -sW [target]

It works in the same way as an ACK scan except that it exploits an implementation detail of certain systems to differentiate open ports from closed ones, rather than always giving out “unfiltered” as port state when an RST is returned. We can assume the port state with this scan on the basis of the following:

  • RST response with non-zero window field                           → open
  • RST response with zero window field                                   → closed
  • No response received (even after re-transmission)            → filtered
  • ICMP unreachable error (type 3, code 1, 2, 3, 9, 10, or 13)  → filtered

Maimon Scan

nmap -sM [target]

It works in the same way as the NULL, FIN and Xmas Scan except that it sends a FIN/ACK packet. We can assume the port state with this scan on the basis of the following:

  • No response received (even after retransmissions)   → open | filtered
  • TCP RST packet                                                                   → closed
  • ICMP unreachable error (type 3, code 1, 2, 3, 9, 10, or 13) → filtered

Custom TCP Flag Scan

nmap --scanflags <flags> [target]

Any combination of the eight TCP flags (URG, ACK, PSH, RST, SYN, FIN, ECE and CWR) can be set, given either as the flag names concatenated in any order (e.g. --scanflags URGACKPSHRSTSYNFIN) or as a numeric flag value; a TCP packet with exactly those flags set is sent to each port. A base scan type such as -sA or -sF can be added to tell Nmap how to interpret the responses; without one, responses are interpreted as in a SYN scan.

Idle Scan / Zombie Scan

nmap -sI <zombie host[:probeport]> [target]

Idle scan is also called a blind scan: no packet ever reaches the target from the attacker's own address, so the target only ever sees the zombie. It needs a third machine, the zombie, that is idle (little other traffic) and whose TCP/IP stack assigns IP ID values (the identification field of the IP header, used for fragment reassembly) incrementally, so that every packet it sends raises the IP ID by one. In the first step, the attacker sends a SYN/ACK packet to the zombie. The zombie was not expecting a SYN/ACK, so it replies with a RST, and the IP ID of that RST reveals the zombie's current counter.

In the second step, the attacker sends a SYN packet to the target with the source address spoofed to be the zombie. To the target, the packet appears to come from the zombie, and the target:

  • sends a SYN/ACK back to the zombie if the port is open; the zombie was not expecting it, replies with a RST and so increments its IP ID,
  • sends a RST to the zombie if the port is closed; the zombie ignores the unsolicited RST and its IP ID is unchanged, and
  • sends nothing if the port is filtered (the SYN is dropped), so again the zombie's IP ID is unchanged.

In the third and last step, the attacker again sends a SYN/ACK to the zombie and reads the IP ID of the RST it gets back. If the zombie's IP ID has increased by 2 (one for the RST it sent to the target, one for this reply), the port is open; if it has increased by 1, the port is closed or filtered. The attacker cannot distinguish a closed port from a filtered one, since in both cases the IP ID only increases by 1, so Nmap reports closed|filtered for them. Nmap's -O scan reports the IP ID sequence generation class of a host, which is how candidate zombies are found (a usable one reports "Incremental").

Protocol Scan

nmap -sO [target]

IP protocol scan determines which IP protocols (TCP, ICMP, IGMP, ...) a target host supports. For TCP, ICMP, UDP, IGMP and SCTP Nmap sends a valid protocol header; for all other protocols an empty IP packet (IP header only) is sent. The "port" numbers in the output are IP protocol numbers, not TCP/UDP ports.

To decide the state of each protocol, Nmap categorizes the responses received as follows:

  • an ICMP protocol unreachable error (type 3, code 2) → "closed"
  • another ICMP unreachable error (type 3, code 1, 3, 9, 10 or 13) → "filtered"
  • no response → "open|filtered"
  • any response in the probed protocol → "open"

OS Fingerprinting / OS Detection Scan

nmap -O [target]

This scan identifies the operating system running on the target machine. Nmap sends a series of TCP, UDP and ICMP probes to the target (raw-socket privileges are required) and compares the details of the replies (TCP options and their order, initial window size, IP ID and TCP sequence generation, ICMP quirks and so on) with the fingerprints stored in the nmap-os-db database. Results are most reliable when the target has at least one open and one closed TCP port. When verbose mode is enabled, the IP ID sequence generation class is reported along with the OS detection, which also tells you whether the host could serve as an idle-scan zombie.

Nmap offers some additional options that can be used to speed up or refine OS detection:

  • --osscan-limit → limits OS detection to promising targets, i.e. targets with at least one open and one closed TCP port
  • --osscan-guess / --fuzzy → guess more aggressively when Nmap can't make a clear match; the guesses are shown with a confidence percentage
  • --max-os-tries <number> → the default is 5 attempts against a target when the first tries fail to match; set it lower (e.g. 1) to speed up the scan

SCTP INIT Scan

nmap -sY [target]

SCTP INIT Scan is equivalent to TCP SYN scan. It can be performed quickly, scanning thousands of ports per second on a fast network without being hampered by restrictive firewall. It doesn’t complete SCTP four-way handshake. It also allows clear, reliable differentiation between the open, closed, and filtered states. This technique is often referred to as half-open scanning, because it doesn’t open a full SCTP association. We send an INIT chunk, an INIT-ACK chunk in response clearly indicates the port is listening (open), while an ABORT chunk is indicative of a closed port (non-listener). If no response is received after several retransmissions, the port is marked as filtered. The port is also marked filtered if an ICMP unreachable error (type 3, code 0, 1, 2, 3, 9, 10, or 13) is received.

SCTP COOKIE ECHO Scan

nmap -sZ [target]

This scan takes advantage of the fact that SCTP implementations should silently drop packets containing COOKIE ECHO chunks on open ports, but send an ABORT if the port is closed. One main advantage of this scanning type is that non-stateful firewall rulesets may be configured to block INIT chunk but not COOKIE ECHO chunks. The downside is that SCTP COOKIE ECHO scans cannot differentiate between open and filtered ports, leaving you with the state open|filtered in both cases.
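The state rules spelled out in the scan sections above (SYN, connect, UDP, ACK, FIN/NULL/Xmas, Window, Maimon, idle, protocol and the two SCTP scans) are easier to compare side by side in code. The following Python is an added example written for this page, not Nmap's source: it takes a scan type letter and a simplified description of what came back for one port and returns the state Nmap would report. The Response class and the replies used in the test are constructed for the example; real scanning needs raw packets and is not attempted here.

```python
"""Port-state decisions for the Nmap scan types described above.

Added example, not Nmap's source code. Given a scan type letter (the one
used after -s) and a simplified description of what came back for a probed
port, port_state() returns the state Nmap would report. The Response class
and every reply used with it are constructed for the example.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

# ICMP destination-unreachable codes that mark a port as filtered in the TCP/UDP/SCTP scans
FILTERED_ICMP_CODES = {1, 2, 3, 9, 10, 13}


@dataclass
class Response:
    """What was observed after sending the probe. Leave everything unset for a timeout."""
    tcp_flags: Optional[str] = None          # flags of a TCP reply, e.g. "SA" (SYN/ACK) or "RA" (RST/ACK)
    tcp_window: int = 0                      # window field of that TCP reply (used by -sW)
    icmp: Optional[Tuple[int, int]] = None   # (type, code) of an ICMP error, e.g. (3, 3)
    sctp_chunk: Optional[str] = None         # "INIT-ACK" or "ABORT" for the SCTP scans
    udp_payload: bool = False                # a UDP datagram came back (-sU)
    proto_reply: bool = False                # any reply in the probed IP protocol (-sO)


def port_state(scan: str, r: Response) -> str:
    """scan is one of S T U A F N X W M Y Z O (SYN, connect, UDP, ACK, FIN, NULL, Xmas,
    Window, Maimon, SCTP INIT, SCTP COOKIE ECHO, IP protocol)."""
    got_tcp = r.tcp_flags is not None
    got_rst = got_tcp and "R" in r.tcp_flags
    got_syn = got_tcp and "S" in r.tcp_flags and not got_rst
    nothing = not (got_tcp or r.icmp or r.sctp_chunk or r.udp_payload or r.proto_reply)
    icmp_code = r.icmp[1] if r.icmp and r.icmp[0] == 3 else None

    if scan == "O":                           # protocol scan: the "port" is an IP protocol number
        if icmp_code == 2:                    # protocol unreachable
            return "closed"
        if icmp_code in {1, 3, 9, 10, 13}:
            return "filtered"
        return "open|filtered" if nothing else "open"

    if scan == "U" and icmp_code == 3:        # UDP: port unreachable is the only proof of "closed"
        return "closed"
    if scan == "Y" and icmp_code == 0:        # SCTP INIT also treats net unreachable as filtered
        return "filtered"
    if icmp_code in FILTERED_ICMP_CODES:
        return "filtered"

    if scan in ("S", "T"):                    # SYN / connect: the TCP scans that can say "open"
        if got_syn:
            return "open"
        return "closed" if got_rst else "filtered"
    if scan == "U":                           # a UDP reply proves open; silence is ambiguous
        return "open" if r.udp_payload else "open|filtered"
    if scan == "A":                           # ACK: maps firewall rules, never open/closed
        return "unfiltered" if got_rst else "filtered"
    if scan == "W":                           # Window: RST window size distinguishes open/closed
        if got_rst:
            return "open" if r.tcp_window > 0 else "closed"
        return "filtered"
    if scan in ("F", "N", "X", "M"):          # FIN/NULL/Xmas/Maimon: RST = closed, silence = open|filtered
        return "closed" if got_rst else "open|filtered"
    if scan == "Y":                           # SCTP INIT: three clear states, like SYN scan
        if r.sctp_chunk == "INIT-ACK":
            return "open"
        return "closed" if r.sctp_chunk == "ABORT" else "filtered"
    if scan == "Z":                           # SCTP COOKIE ECHO: ABORT = closed, silence = open|filtered
        return "closed" if r.sctp_chunk == "ABORT" else "open|filtered"
    raise ValueError("unknown scan type %r" % scan)


def idle_scan_state(ipid_before: int, ipid_after: int) -> str:
    """Idle scan (-sI): compare the zombie's IP ID from the probe sent before the spoofed SYN
    with the one from the probe sent after it. The zombie's reply to the second probe accounts
    for +1; a RST it sent in answer to a SYN/ACK relayed from the target adds one more."""
    delta = (ipid_after - ipid_before) % 65536
    if delta == 2:
        return "open"
    if delta == 1:
        return "closed|filtered"
    return "unknown (zombie IP ID not incremental, or the zombie is not idle)"
```

Reading the function top to bottom shows why the ambiguous states exist: only the SYN, connect and SCTP INIT scans get a positive signal for "open", every other TCP scan infers state from silence and therefore cannot separate an open port from a dropped probe.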

FTP Bounce Scan

nmap -b <username:password@server:port> [target]

The FTP bounce scan abuses an FTP server that still honours the RFC 959 PORT command for arbitrary hosts, a proxy feature that most modern FTP servers disable. Nmap asks the FTP server to open a data connection to each interesting port of the target host in turn; the server's error message reveals whether the port is open or not. Because the connections originate from the FTP server, the scan comes from an address the target's firewall may trust, and the attacker's own address never appears at the target.

Port Scan (Port Specifications Option)

nmap -p[port number(s)] [target]

Nmap uses the argument -p for defining the port range to be scanned. This option can be combined with any scanning technique.

to specify list of ports,

nmap -p[port1],[port2],[…]

to specify port range,

nmap -p[port-range]

to scan all 65535 ports (this takes much longer than the default 1000),

nmap -p- [target]
nmap -p 1-65535 [target]

Both forms are equivalent. Adding --open (nmap -p- --open [target]) does not make the scan any faster; it only limits the output to open (or possibly open) ports.

to scan specific ports by protocol (the matching scan types must be enabled, here -sS for TCP and -sU for UDP),

nmap -sS -sU -p T:25,U:53 [target]

to scan port(s) by service name (names are looked up in the nmap-services file),

nmap -p [service] [target]
e.g. nmap -p http,https,ssh [target]

to exclude specific ports from being scanned,

nmap --exclude-ports [ports/port range] [target]

Nmap scans ports in a randomised order. But to scan the ports in sequential order from lowest to highest, use the -r option.

nmap -r [target]

To scan the <number> highest-ratio ports found in the nmap-services file, use the --top-ports option.

nmap --top-ports <number> [target]

To scan all the ports in the nmap-services file with a ratio greater than the one specified, use the --port-ratio option (the ratio is a decimal number between 0 and 1),

nmap --port-ratio <ratio> [target]

Note 1: nmap -p-65535 [target] → will scan all ports from 1 to 65535 (an omitted lower bound means 1)

Note 2: nmap -p0- [target] → will scan all ports from 0 to 65535 (port 0 is only scanned when asked for explicitly)
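As an added example (not Nmap's code), the following Python parses a -p specification the way the forms above describe: lists, ranges, the open-ended ranges -, 0- and -65535, the protocol prefixes T:/U:/S: and service names. The SERVICES table is a tiny constructed stand-in for the nmap-services file, and the exclude_ports helper applies --exclude-ports with the same syntax.

```python
"""Parse an Nmap -p port specification into the ports that would be scanned.

Added example, not Nmap's code. SERVICES is a tiny constructed stand-in for
the nmap-services file (the real file has thousands of entries).
"""

SERVICES = {
    ("http", "tcp"): 80, ("https", "tcp"): 443, ("ssh", "tcp"): 22,
    ("smtp", "tcp"): 25, ("domain", "tcp"): 53, ("domain", "udp"): 53,
    ("snmp", "udp"): 161, ("ntp", "udp"): 123,
}
PROTO_NAMES = {"T": "tcp", "U": "udp", "S": "sctp"}


def _expand_item(item, proto):
    """One comma-separated element: '22', '1-1024', '-', '0-', '-1024' or a service name."""
    if item == "-":
        return range(1, 65536)                   # '-p-' means 1-65535
    if "-" in item:
        lo, hi = item.split("-", 1)
        lo = int(lo) if lo else 1                # '-p-65535' is 1-65535
        hi = int(hi) if hi else 65535            # '-p0-' is 0-65535
        if not 0 <= lo <= hi <= 65535:
            raise ValueError("port range out of bounds: %s" % item)
        return range(lo, hi + 1)
    if item.isdigit():
        port = int(item)
        if port > 65535:
            raise ValueError("port out of bounds: %s" % item)
        return [port]
    key = (item.lower(), proto)                  # service name, looked up per protocol
    if key not in SERVICES:
        raise ValueError("unknown service name %r for %s" % (item, proto))
    return [SERVICES[key]]


def parse_port_spec(spec, default_protos=("tcp",)):
    """Return {proto: sorted list of ports} for a -p argument.

    Items without a T:/U:/S: prefix apply to every protocol in default_protos,
    which should be the protocols actually being scanned (e.g. tcp and udp for -sS -sU).
    """
    result = {}
    current = list(default_protos)
    for item in spec.replace(" ", "").split(","):
        if not item:
            continue
        if len(item) > 2 and item[1] == ":" and item[0].upper() in PROTO_NAMES:
            current = [PROTO_NAMES[item[0].upper()]]   # a prefix sticks until the next one
            item = item[2:]
        for proto in current:
            result.setdefault(proto, set()).update(_expand_item(item, proto))
    return {p: sorted(ports) for p, ports in result.items()}


def exclude_ports(spec, exclude_spec, default_protos=("tcp",)):
    """Apply --exclude-ports (same syntax as -p) to a parsed -p specification."""
    ports = parse_port_spec(spec, default_protos)
    excluded = parse_port_spec(exclude_spec, default_protos)
    return {p: [x for x in ps if x not in set(excluded.get(p, []))] for p, ps in ports.items()}


if __name__ == "__main__":
    for spec in ("22,80-82,443", "T:25,U:53", "http,https,ssh", "-65535", "0-"):
        parsed = parse_port_spec(spec, default_protos=("tcp", "udp"))
        print(spec, {p: (len(v), v[0], v[-1]) for p, v in parsed.items()})
```

The two notes above fall out of the parser directly: an omitted lower bound defaults to 1, so "-65535" and "-" are the same 65535 ports, while "0-" is the only way to include port 0 and yields 65536 of them.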

Fast Scan

nmap -F [target]

When using fast scan, Nmap scans only the 100 most common ports listed in the nmap-services file (or in the nmap-protocols file for a protocol scan, -sO) instead of the default 1000. It is faster than the default scan and far faster than scanning all 65535 ports with -p-, at the cost of missing services on less common ports.

Service/Version Detection Scan

nmap -sV [target]

This scan collects information about the specific services including their product name and version number that are running on open ports. Banner grabbing is also used by this scan to collect information.

Nmap has additional options to refine the scanning process.

  • --version-intensity <level>: set the intensity from 0 (light) to 9 (try all probes); the default is 7
    higher values try more probes, so identification is more likely but slower
  • --version-light: limit to the most likely probes (intensity 2)
    faster, but less likely to identify the service
  • --version-all: try every single probe (intensity 9)
    slower, but most likely to identify the service
  • --version-trace: show detailed version scan activity (for debugging)

Aggressive Scan

nmap -A [target]

This scan includes OS detection scan(-O), version scan (-sV), script scanning (-sC) and traceroute (–traceroute). This scan is used for identifying the target OS, the services running and their versions. It also does traceroute for the target and applies NSE scripts to detect additional information.

Nmap Timing and Performance Options

Timing Template Scan T[option] / Timing Option

nmap -T<option> [target]

Nmap provides the timing option to reduce the scan time and also maintain the scan performance.

Aggregate Timing Options:

-T0 : paranoid → serial scan with a 5-minute wait between probes; used for IDS and firewall evasion
-T1 : sneaky → serial scan with a 15-second wait between probes; also used for IDS and firewall evasion
-T2 : polite → serial scan with a 0.4-second delay between probes, roughly 10 times slower than the default and much easier on bandwidth and on fragile targets
-T3 : normal → the default; parallel scanning with timeouts adapted to the target's responsiveness
-T4 : aggressive → fast; assumes a reasonably fast and reliable network and can overwhelm slow targets or links
-T5 : insane → very aggressive; assumes an extraordinarily fast network and gives up on probes quickly, so it may miss open ports and trades accuracy for speed

Fine-Grained Timing Option

  • --min-hostgroup / --max-hostgroup <size> → parallel host scan group sizes
  • --min-parallelism / --max-parallelism <number of probes> → adjust probe parallelisation
  • --min-rtt-timeout / --max-rtt-timeout / --initial-rtt-timeout <time> → adjust how long Nmap waits for a probe response before retrying or giving up
  • --max-retries <number of tries> → maximum number of port scan probe retransmissions
  • --host-timeout <time> → give up on a target after this long
  • --scan-delay / --max-scan-delay <time> → adjust the delay between probes (useful against hosts that rate-limit responses)
  • --min-rate <number> → send packets no slower than <number> per second
  • --max-rate <number> → send packets no faster than <number> per second

Note: options which take <time> are in seconds, or append 'ms' (milliseconds), 's' (seconds), 'm' (minutes) or 'h' (hours) to the value (e.g. 10m). The -T templates set several of these values at once; a fine-grained option given explicitly overrides the template's value.

Firewall / IDS Evasion and Spoofing using Nmap

Scan to detect firewall,

nmap -sA [target]

A port reported as filtered means a stateful firewall or filter dropped the ACK probe; a port reported as unfiltered means the ACK reached the host and a RST came back, i.e. no stateful filtering is in the way. Compare with a SYN scan of the same ports to see which rules the firewall actually enforces.

Fragment packets,

nmap -f [target]

Splits each probe into several small IP fragments (8 bytes of data after the IP header; -ff uses 16 bytes) so that packet filters and IDS which do not reassemble fragments never see a complete TCP or UDP header.

Using MTU (Maximum Transmission Unit); sets a custom fragment size, which must be a multiple of 8,

nmap --mtu [value] [target]

Spoof the source address (responses go to the spoofed address, not to you, so this is useful for decoy-style scans or for testing how a firewall reacts; usually combined with -e and -Pn),

nmap -S <spoofed ip address> [target]

Using a specified interface,

nmap -e <iface> [target]

Using a specific source port number (some badly written firewall rules trust traffic from ports such as 53 or 20),

nmap -g <portnum> [target]
nmap --source-port <portnum> [target]

Append random data to sent packets,

nmap --data-length <num> [target]

Spoof the host's (attacker's) MAC address (Ethernet only),

nmap --spoof-mac <mac address / prefix / vendor> [target]
nmap --spoof-mac 0 [target]
→ generate a random MAC address

Send packets with a bogus TCP / UDP / SCTP checksum,

nmap --badsum [target]

(A real TCP/IP stack silently drops packets with a bad checksum, so any response to these probes comes from a firewall or IDS that answers without verifying checksums.)

Set the IP time-to-live field,

nmap --ttl <value> [target]

Cloak a scan with specific decoys (manually specify the IP address(es) of the decoys, comma separated; ME stands for your own address and fixes its position in the list),

nmap -D decoy_ip_address1,decoy_ip_address2,ME [target]

Decoy scan with random decoy IPs (generates <number> random decoy addresses),

nmap -D RND:<number> [target]

(Decoy scan doesn't work with version detection or TCP connect scan; decoys are used during host discovery, port scanning and OS detection only.)

Append a custom payload to sent packets,

nmap --data <hex string> [target]

Append a custom ASCII string to sent packets,

nmap --data-string <string> [target]

Randomize target host order,

nmap --randomize-hosts [target]

Relay connections through a chain of HTTP / SOCKS4 proxies,

nmap --proxies <protocol://ip:port>,<protocol://ip:port>,<..> [target]

(This option only affects NSE scripts and version detection, which use Nmap's nsock library; host discovery, port scanning and OS detection are not sent through the proxies.)

Send packets with specified IP options,

nmap --ip-options <options> [target]

The IP protocol offers several options which may be placed in packet headers.
--ip-options <S|R [route]|L [route]|T|U ...>, --ip-options <hex string> (IP options: S strict source route, R record route, L loose source route, T timestamp, U record route and timestamp together)

Output Scan (Generating Scan Reports Using Nmap)

Normal output format,

nmap [target] -oN <filename>

XML Output Format,

nmap [target] -oX <filename>

Convert XML format to portable HTML format,

xsltproc filename.xml -o filename.html

Script Kiddie Output Format,

nmap [target] -oS <filename>

Grepable Format,

nmap [target] -oG <filename>

Saving Output in All Formats,

nmap [target] -oA <filename>

The output files are generated with extensions: .nmap, .xml and .gnmap

Grepable / normal / XML output to the screen (a filename of - means standard output),

nmap [target] -oG -
nmap [target] -oN -
nmap [target] -oX -

Increase verbosity level,

nmap -v [target]

use -vv or -vvv or more for greater effect

Increase debugging level,

nmap -d [target]

use -dd or -ddd or more for greater effect

Display the reason a port is in a particular state (e.g. syn-ack, reset, no-response),

nmap --reason [target]

Show only open (or possibly open) ports,

nmap --open [target]

Show all packets sent and received,

nmap --packet-trace [target]

Show the host's interfaces and routes (mainly used for debugging; takes no target),

nmap --iflist

Resume an aborted scan from its normal (-oN) or grepable (-oG) output file (the original targets and options are read from that file, so no target is given),

nmap --resume <filename>

Append to the specified output file rather than overwriting it,

nmap <output type> <filename> --append-output [target]
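Scan reports are mostly consumed by other tools, so here is an added Python example (not part of this page or of Nmap) that parses -oX and -oG output and compares two scans the way ndiff does. Both samples below are constructed to match the shape of real Nmap output, not taken from a real scan, and the live_hosts_from_normal_output helper is a more robust form of grepping host lines out of normal output.

```python
"""Parse Nmap -oX / -oG output and diff the open ports of two scans.

Added example, not Nmap's code. The three samples are constructed to look
like real Nmap output; they do not come from a real scan.
"""
import re
import xml.etree.ElementTree as ET

SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX out.xml 192.168.0.101">
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="192.168.0.101" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="8.9p1"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
        <service name="http" product="nginx"/></port>
      <port protocol="tcp" portid="443"><state state="filtered" reason="no-response"/></port>
    </ports>
  </host>
</nmaprun>"""

# -oG line for the same host from a (constructed) later scan: port/state/proto/owner/service/rpc/version/
SAMPLE_GNMAP = ("Host: 192.168.0.101 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, "
                "80/closed/tcp//http///, 8443/open/tcp//https-alt///\tIgnored State: filtered (997)")

SAMPLE_NORMAL = """Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-01 00:00 UTC
Nmap scan report for 192.168.0.101
Host is up (0.0010s latency).
Nmap scan report for gw.example.test (192.168.0.1)
Host is up (0.0020s latency).
Nmap done: 2 IP addresses (2 hosts up) scanned in 1.00 seconds
"""


def parse_nmap_xml(text):
    """Return {ip: {(proto, port): (state, service)}} from -oX output, for hosts that are up."""
    hosts = {}
    for host in ET.fromstring(text).iter("host"):
        if host.find("status").get("state") != "up":
            continue
        ip = host.find("address[@addrtype='ipv4']").get("addr")
        ports = {}
        for port in host.iter("port"):
            svc = port.find("service")
            name = svc.get("name", "") if svc is not None else ""
            ports[(port.get("protocol"), int(port.get("portid")))] = (port.find("state").get("state"), name)
        hosts[ip] = ports
    return hosts


GNMAP_PORT = re.compile(r"(\d+)/(\w+)/(\w+)//([^/]*)//")


def parse_gnmap(text):
    """Return the same structure from -oG output (one 'Host:' line per host)."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        ip = line.split()[1]
        ports = {}
        for port, state, proto, name in GNMAP_PORT.findall(line.split("Ports:", 1)[1]):
            ports[(proto, int(port))] = (state, name)
        hosts[ip] = ports
    return hosts


def open_ports(hosts):
    """Set of (ip, proto, port) that are open: the part of a report worth alerting on."""
    return {(ip, proto, port) for ip, ports in hosts.items()
            for (proto, port), (state, _) in ports.items() if state == "open"}


def diff_scans(before, after):
    """ndiff-style summary: open ports that appeared and that disappeared between two scans."""
    a, b = open_ports(before), open_ports(after)
    return {"opened": sorted(b - a), "closed": sorted(a - b)}


# Matches 'Nmap scan report for 1.2.3.4' and 'Nmap scan report for name (1.2.3.4)'
SCAN_REPORT = re.compile(r"^Nmap scan report for (?:\S+ \()?(\d{1,3}(?:\.\d{1,3}){3})\)?$")


def live_hosts_from_normal_output(text):
    """IPs from the scan-report lines of normal (-oN / stdout) output, ignoring the banner lines."""
    return [m.group(1) for m in map(SCAN_REPORT.match, text.splitlines()) if m]


if __name__ == "__main__":
    print(diff_scans(parse_nmap_xml(SAMPLE_XML), parse_gnmap(SAMPLE_GNMAP)))
    print(live_hosts_from_normal_output(SAMPLE_NORMAL))
```

For anything automated prefer -oX: it is the only format with a stable schema (service product and version are separate attributes instead of being packed into one slash-separated field), and it is what ndiff itself consumes.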

Nmap Scripting Engine

The Nmap Scripting Engine (NSE) lets users run the scripts shipped with Nmap and write their own. Scripts are written in the Lua programming language and automate a wide range of network tasks: more detailed discovery, smarter version detection, vulnerability detection, backdoor detection and, in the exploit category, active exploitation. NSE is not only a vulnerability scanner; the vuln and exploit scripts are just two of its categories.

Nmap scripts are located in the following directories:

/usr/share/nmap/scripts → Unix / Linux
%ProgramFiles%\Nmap\scripts → Windows

Nmap Script Categories:

  • auth → these scripts deal with authentication credentials
  • discovery → these scripts try to actively discover more about the network by querying public registries, SNMP-enabled devices, directory services, and the like
  • exploit → these scripts aim to actively exploit some vulnerability
  • external → scripts in this category may send data to a third-party database or other network resources.
  • safe → scripts which weren’t designed to crash services, use large amounts of network bandwidth or other resources, or exploit security holes are categorized as safe
  • version → the scripts in this special category are an extension to the version detection feature and cannot be selected explicitly.
  • malware → these scripts test whether the target platform is infected by malware or backdoors.
  • vuln → these scripts check for specific known vulnerabilities and generally only report results if they are found.

and more: broadcast, brute, default, dos, fuzzer and intrusive.

Script Scan

performs a script scan using the default set of scripts (equivalent to --script=default),

nmap -sC [target]

Nmap script scan options:

  • Select scripts by directory, script file or category (single value or comma separated values),
    --script=<script>
    --script default / -sC (scan using the default scripts)
    --script=<script_name> (scan using a specific NSE script)
    --script=<script_name_1>,<script_name_2> (scan using multiple NSE scripts)
    --script="<prefix>*" (scan with every script whose name starts with prefix, e.g. "http-*"; quote it so the shell does not expand the *)
    --script="vuln and safe" (boolean expressions over categories are also accepted)
  • Provide argument(s) to scripts
    --script-args=<n1=v1,n2=v2,...>
  • Provide NSE script arguments from a file
    --script-args-file=<filename>
  • Show all the data sent and received by scripts
    --script-trace
  • Update the script database (needed after adding or removing scripts in the scripts directory)
    --script-updatedb
  • View help about a script
    --script-help=<script_name>

Digging Deeper with NSE Scripts

A scan to search for UDP services usable for DDoS reflection
nmap -sU -A -Pn -n -p U:19,53,123,161 --script=ntp-monlist,dns-recursion,snmp-sysdescr [target]

(The script list must not contain spaces after the commas, otherwise the shell splits it into separate arguments.)

A scan to gather page titles from HTTP services
nmap --script=http-title [target]

A scan to get the HTTP headers of web services
nmap --script=http-headers [target]

A scan to find web apps from known paths
nmap --script=http-enum [target]

A scan to check for the Heartbleed SSL vulnerability
nmap -sV -p 443 --script=ssl-heartbleed [target]

A scan to find information about an IP address
nmap --script=asn-query,whois-ip,ip-geolocation-maxmind [target]

A scan to generate an HTTP site map
nmap -Pn --script=http-sitemap-generator [target]

A scan for random web servers over the internet
nmap -n -Pn -p 80 --open -sV -vvvv --script=banner,http-title -iR 1000

A scan to brute force DNS hostnames to guess sub-domains
nmap -Pn --script=dns-brute [target]

A scan to perform a whois query
nmap --script="whois*" [target]

A scan to detect cross-site scripting (unescaped reflection of request data in responses)
nmap -p 80 --script=http-unsafe-output-escaping [target]

A scan to check for SQL injection
nmap -p 80 --script=http-sql-injection [target]

Nmap Miscellaneous Options

-6 → enable IPv6 scanning

--datadir <directory_name> → specify a custom location for Nmap's data files (nmap-services, nmap-os-db, scripts, ...)

--send-eth → send using raw Ethernet frames

--send-ip → send using raw IP packets

--privileged → assume that the user is fully privileged

--unprivileged → assume that the user lacks raw socket privileges

-V → print the Nmap version (lowercase -v controls verbosity)

-h → display Nmap help

Nmap Command Examples

nmap -iR 10 -PS22-25,80,113,1050,35000 -v -sn → discovery on the specified ports only, no port scan

nmap [target CIDR] -PR -sn -vv → ARP discovery only on the local network, no port scan

nmap -iR 10 -sn --traceroute → traceroute to random targets, no port scan

nmap [ip range] -sL --dns-servers [dns server ip] → query the internal DNS for hosts, list targets only

nmap -p80 -sV -oG - --open [target] | grep open → scan for web servers and grep to show which IPs are running them

nmap -iR 10 -n -oX out.xml | grep "Nmap scan report for" | cut -d " " -f5 > live-hosts.txt → generate a list of the IPs of live hosts (matching on "Nmap" alone would also pick up the "Starting Nmap" and "Nmap done" lines)

nmap -iR 10 -n -oX out2.xml | grep "Nmap scan report for" | cut -d " " -f5 >> live-hosts.txt → append IPs to the list of live hosts

ndiff scan1.xml scan2.xml → compare two XML outputs using ndiff (shipped with Nmap)

grep " open " results.nmap | sed -r 's/ +/ /g' | sort | uniq -c | sort -rn | less → reverse-sorted list of how often ports turn up

nmap -sS -sU -T4 -A -v -PE -PP -PS80,443 -PA3389 -PU40125 -PY -g 53 --script "default or (discovery and safe)" [target] → Zenmap's "slow comprehensive scan" profile: SYN and UDP scans, OS and version detection, traceroute, every host discovery probe type, source port 53 and the default plus safe discovery scripts
