Nmap Commands Flashcards
Basic Scans, Service and Version Detection, Stealth and Evasion Scans, Timing and Performance, Output Options, Advanced Scanning, Vulnerability and Script Scanning, Firewall Detection and Bypass
Ping Scan
Check which hosts are online.
nmap -sP 192.168.1.0/24
This sends ICMP echo requests to determine if hosts are online within the 192.168.1.0/24 subnet.
Scan a Range of IPs
nmap 192.168.1.1-20
This scans the IP range from 192.168.1.1 to 192.168.1.20.
Scan an Entire Subnet
nmap 192.168.1.0/24
Scans all hosts in the subnet.
Scan Multiple IP Addresses or Hostnames
nmap 192.168.1.1 192.168.1.2 google.com
Scan Specific Ports
nmap -p 22 192.168.1.1
This scans only port 22 (SSH) on the target.
Scan a Range of Ports
nmap -p 1-100 192.168.1.1
This scans ports 1 through 100 on the target.
Scan All Ports
nmap -p- 192.168.1.1
Scans all 65535 ports on the target host.
Detect Service Versions
nmap -sV 192.168.1.1
This attempts to determine the version of services running on open ports.
Aggressive Scan (Includes Service Detection, OS Detection, and More)
nmap -A 192.168.1.1
This performs an aggressive scan that includes service version detection, OS detection, and traceroute.
Operating System Detection
nmap -O 192.168.1.1
This attempts to identify the operating system running on the target machine.
Script Scan (Using NSE Scripts)
nmap -sC 192.168.1.1
This uses default NSE (Nmap Scripting Engine) scripts to scan for vulnerabilities or gather additional information.
TCP SYN Scan (Stealth Scan)
nmap -sS 192.168.1.1
This performs a TCP SYN scan, often referred to as a “half-open” scan, which can avoid detection by some firewalls or intrusion detection systems.
TCP Connect Scan
nmap -sT 192.168.1.1
This scan completes the full TCP connection and is less stealthy than the SYN scan.
UDP Scan
nmap -sU 192.168.1.1
This scans UDP ports, which is useful for discovering services like DNS (port 53) and SNMP (port 161).
Fragmented Packets Scan
nmap -f 192.168.1.1
Sends fragmented packets, which might help evade firewalls or intrusion detection systems.
Spoofed IP Address Scan
nmap -S 192.168.1.100 192.168.1.1
Spoofs the source IP address (use with caution, as it may cause network issues).
Scan Through a Proxy
nmap -sT -p 80 --proxies http://proxy.server.com:8080 192.168.1.1
Set Timing Templates (0-5)
Control the speed and stealthiness of scans.
nmap -T4 192.168.1.1
T0 is the slowest (for stealth), and T5 is the fastest (less stealthy, but quicker results).
Set Maximum Parallel Scans
nmap --min-parallelism 10 192.168.1.1
This controls how many probes Nmap sends in parallel.
Set Scan Delay Between Probes
nmap --scan-delay 1s 192.168.1.1
This inserts a 1-second delay between scan probes, making it slower but possibly stealthier.
Normal Output
nmap 192.168.1.1 -oN output.txt
Saves the normal output of the scan to output.txt.
Scan Specific IP Protocols
nmap -sO 192.168.1.1
This scans for supported IP protocols (like ICMP, TCP, and UDP).
Scan Hosts with Decoy IPs
nmap -D RND:10 192.168.1.1
Launches a decoy scan with 10 random IP addresses, hiding the real source of the scan.
Scan Using TCP ACK Scan
nmap -sA 192.168.1.1
This helps determine if a firewall is present by sending TCP ACK packets.
Scan Using FIN, Xmas, or Null Scan
nmap -sF 192.168.1.1 (FIN scan)
nmap -sX 192.168.1.1 (Xmas scan)
nmap -sN 192.168.1.1 (Null scan)
These are stealthy scans that send unusual combinations of flags or no flags, helping bypass some firewalls and detect open ports.
Run All Vulnerability Scripts
nmap --script vuln 192.168.1.1
Runs all vulnerability detection scripts.
Run Specific NSE Scripts
nmap --script http-default-accounts 192.168.1.1
Runs a specific NSE script for checking default accounts on HTTP services.
Run a Script to Find Known Exploits
nmap --script exploit 192.168.1.1
Runs a script to find known exploits on the target.
Check for Heartbleed Vulnerability
nmap --script ssl-heartbleed 192.168.1.1
Check for SMB Vulnerabilities
nmap --script "smb-vuln*" 192.168.1.1
Firewall Detection
nmap -sA 192.168.1.1
Sends ACK packets to determine whether a firewall is present on the network.
Scan with Source Port Spoofing
nmap -g 53 192.168.1.1
Spoofs the source port to trick firewalls (port 53 is a common choice because DNS traffic often comes from it).
Scan with Decoy Addresses
nmap -D 192.168.1.10,192.168.1.20 192.168.1.1
Scan with decoy addresses to hide the real source of the scan.
Polymorphism
Polymorphic attacks modify their signature on each attempt to avoid matching known attack patterns.
Example: Malware can change its binary structure with each execution, making it difficult for IDS that rely on static signature matching to detect.
Fragmentation
Fragmentation involves breaking the payload of network packets into smaller segments, making it harder for an IDS to reassemble and inspect the full content.
Obfuscation with Encryption
Attackers can encrypt traffic, making it impossible for an IDS to inspect the payload. For example, if communication happens over SSL/TLS, an IDS can’t analyze the encrypted traffic unless it performs SSL decryption, which is rare due to performance and privacy concerns.
Example of encrypted traffic: Using SSL/TLS with tools like ncat:
ncat --ssl victim.com 443
Countermeasure: Intrusion Prevention Systems (IPS) or Deep Packet Inspection (DPI) techniques that can decrypt and analyze SSL traffic may be needed to detect such activities.
Using Spoofed IP Addresses
Spoofing the source IP address in your traffic can make it harder for the IDS to track the actual source of the attack.
How to use in nmap:
nmap -S 192.168.1.100 192.168.1.1
This command spoofs the source IP address as 192.168.1.100.
Note: Spoofing can confuse an IDS, but it also limits the attacker’s ability to receive responses, as the responses will go to the spoofed IP.
Decoys
Sending traffic from decoy IP addresses can obscure the true source of the scan or attack, making it harder for an IDS to pinpoint the attacker.
Packet Crafting
Crafting custom packets allows attackers to manipulate packet flags, headers, or payloads in ways that can evade detection by some IDS solutions.
Tools like hping3 and Scapy allow crafting custom packets. For example, you can set various TCP flags (e.g., SYN, ACK, FIN) to avoid detection:
hping3 -S 192.168.1.1 -p 80
Explanation: By using non-standard combinations of flags or malformed packets, attackers can bypass signature-based IDS systems that expect normal packet patterns.