Differences

This shows you the differences between two versions of the page.

--- tools_syntax_nmap [2022/09/24 20:38] – [Target Selection] gman
+++ tools_syntax_nmap [2022/09/25 14:37] (current) – removed gman
@@ Line 1: / Line 1: @@
-====== Nmap: Scan Target IPs ======
-**Usage:**
-<code>
-nmap [Scan Type(s)] [Options] {target specification}
-# need to run as root
-</code>
-**Standard Go-To Examples:**
-<code>
-#TCP Ports:
-nmap -sS -T4 -p- -A [IP Address]
-#UDP Ports:
-nmap -sU -T4 -A [IP Address]
-</code>
-The following is a list and description of the 30 most common basic commands in nmap (for beginners).
-  * **Source:** [[https://www.yeahhub.com/top-30-basic-nmap-commands-beginners/ | Top 30 Basic NMAP Commands for Beginners]]
-----
-===== Target Selection =====
-^ **#** ^ Title ^ Syntax ^
-| 01 | Scan a single IP | ''nmap 192.168.20.128'' |
-| 02 | Scan a host | nmap %%www.example.com%% |
-| 03 | Scan a range of IPs | nmap 192.168.20.120-128 |
-| 04 | Scan a subnet | nmap 192.168.20.2/24 |
-| 05 | Scan targets from Text file | nmap -iL ips.txt |
-===== Target Specification =====
-For the ''{target specification}'':
-  * Can pass hostnames, IP addresses, networks, etc.
-  * Examples: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
-^ Switch ^ Description ^
-| -iL <inputfilename> | Input from list of hosts/networks |
-----
-===== Host Discovery =====
-^ Switch ^ Description ^
-| -sn | Ping Scan - disable port scan |
-| -Pn | Treat all hosts as online -- skip host discovery |
-----
-===== Scan Techniques =====
-^ Switch ^ Description ^
-| -sS | TCP SYN Port Scan (aka: Half-Open or Stealth Scan)
-| -sT | TCP Connect Port Scan
-| -sA | TCP ACK Port Scan
-| -sW | TCP SYN/Connect()/ACK/Window/Maimon scans
-| -sM | TCP SYN/Connect()/ACK/Window/Maimon scans
--sU: UDP Scan
--sN/sF/sX: TCP Null, FIN, and Xmas scans
---scanflags <flags>: Customize TCP scan flags
--sI <zombie host[:probeport]>: Idle scan
--sY/sZ: SCTP INIT/COOKIE-ECHO scans
--sO: IP protocol scan
--b <FTP relay host>: FTP bounce scan
-----
-===== Port Specification =====
-^ Switch ^ Description ^
--p <port ranges>: Only scan specified ports
-Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080,S:9
---exclude-ports <port ranges>: Exclude the specified ports from scanning
--F: Fast mode - Scan fewer ports than the default scan
--r: Scan ports consecutively - don't randomize
---top-ports <number>: Scan <number> most common ports
---port-ratio <ratio>: Scan ports more common than <ratio>
-----
-===== Service/Version Detection =====
-^ Switch ^ Description ^
--sV: Probe open ports to determine service/version info
---version-intensity <level>: Set from 0 (light) to 9 (try all probes)
---version-light: Limit to most likely probes (intensity 2)
---version-all: Try every single probe (intensity 9)
---version-trace: Show detailed version scan activity (for debugging)
-----
-===== Script Scan =====
-[[method_3_scanning#nmap_scripts | Examples]].
-^ Switch ^ Description ^
--sC: equivalent to --script=default
---script=<Lua scripts>: <Lua scripts> is a comma separated list of
-    directories, script-files or script-categories
---script-args=<n1=v1,[n2=v2,...]>: provide arguments to scripts
---script-args-file=filename: provide NSE script args in a file
---script-trace: Show all data sent and received
---script-updatedb: Update the script database.
---script-help=<Lua scripts>: Show help about scripts.
-    <Lua scripts> is a comma-separated list of script-files or
-    script-categories.
-----
-===== OS Detections =====
-^ Switch ^ Description ^
--O: Enable OS detection
---osscan-limit: Limit OS detection to promising targets
---osscan-guess: Guess OS more aggressively
-----
-===== Timing & Performance =====
-^ Switch ^ Description ^
-Options which take <time> are in seconds, or append 'ms' (milliseconds),
-'s' (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).
--T<0-5>: Set timing template (higher is faster)
---min-hostgroup/max-hostgroup <size>: Parallel host scan group sizes
---min-parallelism/max-parallelism <numprobes>: Probe parallelization
---min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time>: Specifies
-probe round trip time.
---max-retries <tries>: Caps number of port scan probe retransmissions.
---host-timeout <time>: Give up on target after this long
---scan-delay/--max-scan-delay <time>: Adjust delay between probes
---min-rate <number>: Send packets no slower than <number> per second
---max-rate <number>: Send packets no faster than <number> per second
-----
-===== Output =====
-^ Switch ^ Description ^
--oN/-oX/-oS/-oG <file>: Output scan in normal, XML, s|<rIpt kIddi3,
-and Grepable format, respectively, to the given filename.
--oA <basename>: Output in the three major formats at once
--v: Increase verbosity level (use -vv or more for greater effect)
--d: Increase debugging level (use -dd or more for greater effect)
---reason: Display the reason a port is in a particular state
---open: Only show open (or possibly open) ports
---packet-trace: Show all packets sent and received
---iflist: Print host interfaces and routes (for debugging)
---append-output: Append to rather than clobber specified output files
---resume <filename>: Resume an aborted scan
---noninteractive: Disable runtime interactions via keyboard
---stylesheet <path/URL>: XSL stylesheet to transform XML output to HTML
---webxml: Reference stylesheet from Nmap.Org for more portable XML
---no-stylesheet: Prevent associating of XSL stylesheet w/XML output
-----
-===== Miscellaneous =====
-^ Switch ^ Description ^
-| -6 | Enable IPv6 scanning |
-| -A | Enable [1] OS detection, [2] version detection, [3] script scanning, and [4] traceroute
-----