# Commands ## Ping scans / Host discovery scans ### ARP scan ```bash nmap -PR [targets] ``` ### TCP SYN scan ```bash nmap -PS [targets] ``` ### ICMP scan ```bash nmap -PE [targets] ``` ### UPD scan ```bash nmap -PU [targets] ``` ### TCP ACK scan ```bash nmap -PA [targets] ``` ## Some scanning techniques ### Basic scan It uses basic TCP SYN (-sS) scan by default. ```bash nmap [target] ``` ```bash nmap cloudflare.com ``` ### Scan for only listing hosts ```bash nmap -sn [target] ``` ### Ports scan #### Specify port ranges ```bash nmap -p x1-x2 [target] ``` ```bash nmap -p 80-25000 8.8.8.8 ``` #### Specify the particular ports ```bash nmap -p x1,x2,... [target] ``` ```bash nmap -p 80,443 8.8.8.8 ``` #### Specify entire ports ```bash nmap -p- [target] ``` #### Specify the most popular ports ```bash nmap --top-ports x [target] ``` ```bash nmap --top-ports 20 8.8.8.8 ``` ### Scan for detections #### OS detection ```bash nmap -O [target] ``` #### Service and daemon versions detections ```bash nmap -sV [target] ``` #### All scan (Performs overall OS detection, service detection, version detection, script scanning and traceroute) ```bash nmap -A [target] ``` ### Scans with timing templates It determines how aggressively or stealthily the scan should be performed. #### -T0 (Paranoid) This template is the slowest and is designed to avoid triggering intrusion detection systems. #### -T1 (Sneaky) This template is slower than the default and is also intended to avoid detection, but not as cautious -`T0`. #### -T2 (Polite) This timing template is more reliable in certain situations where network conditions are unstable. #### -T3 (Normal) This is the default timing template which is generally considered a good balance between speed and reliability. #### -T4 (Aggressive) This template speeds up the scan significantly compared to `-T3`, often scanning more aggressively and with fewer delays. #### -T5 (Insane) This is the fastest timing template and is designed for networks where you have permission to scan aggressively and quickly. It can overwhelm some networks and is less stealthy than slower templates. *Example usage*: ```bash nmap -T4 [target] ``` ### Scanning from file ```bash nmap -iL file.txt ``` The file.txt consists a list of targets as: ``` cloudflare.com google.com 192.168.1.106 microsoft.com ``` ## Other scanning techniques ### Spoofing the scan Spoofing can be done to to make the scan appear as if coming from the other source IP address instead of your own IP address. ```bash nmap -S [spoofed_ip] [target_ip] ``` {% hint style="info" %} Command to explicity disable the ping scan in spoofing: $ nmap -e \[net\_interface] -Pn -S \[spoofed\_ip] \[target\_ip] {% endhint %} {% hint style="info" %} In brief, scanning with a spoofed IP address works in three steps: 1. Attacker sends a packet with a spoofed source IP address to the target machine. 2. Target machine replies to the spoofed IP address as the destination. 3. Attacker captures the replies to figure out open ports. {% endhint %} ### Using decoys for scan Decoys can be used to make the scan appear as if coming from multiple source IP addresses in addition to your IP address. ```sh nmap -D [fake-ip1],[fake_ip2],...,ME [target_ip] ``` ***Example:*** ```bash nmap -D 10.10.0.1,10.10.0.2,ME 10.10.220.5 ``` ```bash nmap -D 10.10.0.1,10.10.0.2,RND,RND,ME 10.10.220.5 ``` We can use RND to generate a random IP address. {% hint style="info" %} The main idea for using decoys is to make the scan appear to be coming from many IP addresses so that the attacker’s IP address would be lost among them. {% endhint %} ### Scanning with fragmented packets The Nmap packets for scanning can be fragmented to bypass the detection by Firewall and IDS using `-f` option. The `-f` option fragments the IP packets into multiple of 8 bytes. The `-ff` or `-f -f` option will fragment the Ip packets into multiple of 16 bytes. Eg. If the size of IP packet is 24 bytes, then using `-f` will divide the packet into 3 packets of 8 bytes each. Similarly, using `-ff` will divide that packet into 2 packets of size 16 bytes and 8 bytes, where second packet's size is the remaining size. Further, if you prefer to increase the size of your packets to make them look innocuous, you can use the option `--data-length NUM`, where num specifies the number of bytes with random data you want to append to your packets. The random data does not affect the functionality of the scan but modifies the packet’s structure. `--mtu` option can also be used in Nmap to manually specify the **Maximum Transmission Unit (MTU)** for packets, which is the largest unfragmented size of a packet that can be transmitted over a network. ***Example:*** ```bash nmap -sS -p80 -f 10.10.15.152 ``` ### Idle/Zombie scan To overcome the limitations of spoofing that works only in specific newtork setups, idle or zombie scan can be used, where zombie is the idle system connected to the network that you can communicate with. ***Eg.*** ```bash nmap -sI [zombie_ip] [target_ip] ``` {% hint style="info" %} The idle (zombie) scan requires the following three steps to discover whether a port is open: 1. Trigger the idle host to respond so that you can record the current IP ID on the idle host. 2. Send a SYN packet to a TCP port on the target. The packet should be spoofed to appear as if it was coming from the idle host (zombie) IP address. 3. Trigger the idle machine again to respond so that you can compare the new IP ID with the one received earlier. {% endhint %} ## Saving nmap outputs ### In normal format Save your scan in normal format by using `-oN FILENAME` where N stands for normal. ***Example:*** ```bash nmap -sS -sV -O -oN MACHINE_IP_scan 10.10.194.222 ``` The output file will be in the format MACHINE\_IP\_scan.nmap ### In grepable format Save your scan in normal format by using `-oG FILENAME` where N stands for normal. The normal output is 21 lines, where grepable output is only 4 lines. ***Example:*** ```bash nmap -sS -sV -O -oG MACHINE_IP_scan 10.10.194.222 ``` The output file will be in the format MACHINE\_IP\_scan.gnmap ### In XML fomat Save your scan in normal format by using `-oX FILENAME` where N stands for normal. The XML format would be most convenient to process the output in other programs. ***Example:*** ```bash nmap -sS -sV -O -oX MACHINE_IP_scan 10.10.194.222 ``` The output file will be in the format MACHINE\_IP\_scan.xml --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://hacktools.aprasanna.com.np/nmap/nmap-cmds.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.