Network Mapping and Security Auditing Tool

Overview

Nmap (Network Mapper) is an essential open-source tool for network analysis and security auditing. It's primarily used for discovering hosts and services on networks, conducting security audits, and network inventory.

Key Components

1. Host Discovery

Used to identify active systems on a network.
Utilizes ICMP echo requests, ARP and other protocols.
Results should always be stored for documentation.

2. Port Scanning

Six possible port states:

open : Connection established.
closed : Port responds with RST flag.
filtered : No response/blocked by firewall.
unfiltered : Accessible but state unclear.
open|filtered : No response received.
closed|filtered : Unclear if closed or filtered.

3. Service Enumeration

Identifies applications and versions running on pots.
Essential for vulnerability assessment.
Can use banner grabbing for additional information.

4. NSE (Nmap Scripting Engine)

Categories include:

auth : Authentication testing.
brute : Credential brute forcing.
vuln : Vulnerability detection.
discovery : Service evaluation.
safe : Non-intrusive scripts.

5. Performance Optimization

Various timing templates (-T0 to -T5).
Packet rate control.
Parallelism options.
Timeout settings.

6. Firewall/IDS Evasion

Packet fragmentation.
Decoy scanning.
TCP ACK scanning.
Various stealth techniques.

Essential Command Reference

Basic Scanning

# Quick scan of top 1000 ports
nmap <target>

# Full port scan with service version detection
nmap -p- -sV <target>

# Aggressive scan (OS detection, version detection, script scanning, and traceroute)
nmap -A <target>

# Quick scan of top 100 ports
nmap -F <target>

Host Discovery

# Scan network range
nmap -sn 192.168.1.0/24

# Scan from file
nmap -sn -iL hosts.txt

# No ping scan
nmap -Pn <target>

Port Scanning

# SYN scan (requires root)
sudo nmap -sS <target>

# TCP connect scan
nmap -sT <target>

# UDP scan
sudo nmap -sU <target>

# Specific ports
nmap -p 22,80,443 <target>

# All ports
nmap -p- <target>

Service and Version Detection

# Version detection
nmap -sV <target>

# Version detection with intensity level
nmap -sV --version-intensity 5 <target>

# OS detection
sudo nmap -O <target>

Output Options

# Save in all formats
nmap -oA filename <target>

# Save in normal format
nmap -oN filename.txt <target>

# Save in XML format
nmap -oX filename.xml <target>

# Grep-friendly output
nmap -oG filename.txt <target>

NSE Scripts

# Default scripts
nmap -sC <target>

# Specific script
nmap --script=<script-name> <target>

# Vulnerability scan
nmap --script vuln <target>

# Multiple scripts
nmap --script=http-title,http-headers <target>

Performance and Timing

# Fastest timing template
nmap -T5 <target>

# Set minimum rate
nmap --min-rate 300 <target>

# Parallel host scan
nmap --min-parallelism 100 <target>

# Aggressive timing + version detection
nmap -T4 -sV <target>

Firewall/IDS Evasion

# Decoy scan
nmap -D RND:5 <target>

# Fragment packets
nmap -f <target>

# Specify specific source port
nmap --source-port 53 <target>

# MAC address spoofing
nmap --spoof-mac MAC <target>

Advanced Usage

# Comprehensive scan with timing template
sudo nmap -sS -sV -T4 -A -O -p- <target>

# Quiet scan with version detection
nmap -sV -T2 --version-intensity 0 <target>

# Advanced vulnerability scan
nmap -sV --script vuln -p- -T4 <target>

# Complete network enumeration
nmap -sn -T4 -PE -PM -PS80,443 -PA3389 -PU40125 -PY <target>/24

Best Practices

Start with host discovery in large networks.
Use appropriate timing for the environment.
Save scan results for documentation.
Verify findings manually when possible.
Consider network load and target stability.
Use steatlh options when necessary.
Combine different scan types for comprehensive results.

PreviousWelcome to NoirChapeau Gitbook NextFootprinting - Enumeration and Information Gathering Notes