Nmap#
The network mapper. Host discovery, port scanning, service and version detection, OS fingerprinting, and a scripting engine (NSE) for everything from banner grabs to vuln checks.
Setup#
Install on Debian-family, confirm the version, refresh the script
database, and grant the raw-socket capability so the binary can
run privileged scans without sudo.
Command |
Action |
|---|---|
|
install on Debian / Ubuntu |
|
confirm version and feature flags |
|
refresh the NSE script index |
|
grant raw-socket capability for non-root SYN scans |
Host Discovery#
Find hosts on the network. -sn is the ping-sweep mode (no
port scan); -Pn skips discovery and treats every target as
up. Combine ICMP, ARP, and TCP probes for tighter answers on
filtered networks.
Command |
Action |
|---|---|
|
ping sweep across a /24 |
|
force IP-layer probes on local subnet (skip ARP) |
|
skip discovery, treat as up |
|
ICMP-echo + TCP SYN + ACK probes |
|
ARP-only discovery on local segment |
|
disable reverse DNS / set a resolver |
|
read targets from a file |
|
exclude specific hosts |
Port Scanning#
Pick a scan technique and a port range. -sS is the SYN /
half-open default; -sT is the unprivileged full-connect; -sU
is UDP (slow). -T<n> sets the timing template; -T4 is the
typical baseline, -T2 for stealth.
Command |
Action |
|---|---|
|
default scan (top 1000 TCP ports) |
|
all 65535 TCP ports |
|
specific ports and ranges |
|
the 1000 most common ports |
|
SYN scan, aggressive timing |
|
full TCP-connect (no raw sockets needed) |
|
top-50 UDP ports |
|
NULL scan (no flags) |
|
FIN scan |
|
Xmas scan (FIN, PSH, URG) |
|
ACK scan (firewall ruleset mapping) |
|
explain why a port is open / closed / filtered |
Service and OS#
Banner-grab to identify services and versions, then fingerprint
the operating system from response timing and TCP/IP quirks.
-A bundles -sV -O --traceroute --script=default for a
one-shot “tell me everything” pass.
Command |
Action |
|---|---|
|
service / version detection |
|
exhaustive version probes |
|
faster, fewer probes |
|
OS fingerprint |
|
guess OS even on weak match |
|
traceroute to target |
|
aggregate: |
NSE Scripts#
The Nmap Scripting Engine. default runs the safe-by-default
set; vuln runs vulnerability checks; * globs match by
service family. Scripts live under /usr/share/nmap/scripts/;
--script-help describes their args.
Command |
Action |
|---|---|
|
run the default-category scripts |
|
run vulnerability scripts |
|
run only scripts marked safe |
|
all HTTP-prefixed scripts |
|
specific SMB scripts |
|
script with arguments |
|
read help for matching scripts |
|
trace script execution for debugging |
|
list installed scripts on disk |
Stealth and Evasion#
Slow the scan, fragment packets, spoof source addresses, and pick trusted source ports. Note that aggressive evasion still leaves fingerprints in modern IDS and EDR; use this only with authorization (engagement scope, CTF, lab).
Command |
Action |
|---|---|
|
polite timing |
|
sneaky timing (very slow) |
|
fragment packets (small MTU) |
|
custom MTU for fragmentation |
|
delay between probes, fewer retries |
|
5 random decoy source IPs |
|
explicit decoys plus the real source |
|
spoof source IP (requires interface) |
|
fixed source port (DNS, NTP) |
|
append random payload bytes |
|
send invalid TCP / UDP checksums |
Output#
Five output flavours. -oA writes all three primary formats
(normal, XML, grepable). XML is the format other tools (Metasploit,
ndiff, automation pipelines) actually want.
Command |
Action |
|---|---|
|
normal (human-readable) output |
|
XML output (machine-readable) |
|
grepable output (one host per line) |
|
write normal + XML + grepable |
|
normal output to stdout |
|
append rather than overwrite |
|
render XML to HTML |
|
diff two XML scans |