Differences

This shows you the differences between two versions of the page.

--- tools_syntax_nmap [2022/09/24 20:44] – [Port Selection] gman
+++ tools_syntax_nmap [2022/09/25 14:37] (current) – removed gman
@@ Line 1: / Line 1: @@
-====== Nmap: Scan Target IPs ======
-**Usage:**
-<code>
-nmap [Scan Type(s)] [Options] {target specification}
-# need to run as root
-</code>
-**Standard Go-To Examples:**
-<code>
-#TCP Ports:
-nmap -sS -T4 -p- -A [IP Address]
-#UDP Ports:
-nmap -sU -T4 -A [IP Address]
-</code>
-The following is a list and description of the 30 most common basic commands in nmap (for beginners).
-  * **Source:** [[https://www.yeahhub.com/top-30-basic-nmap-commands-beginners/ | Top 30 Basic NMAP Commands for Beginners]]
-----
-===== Target Selection =====
-^  **#**  ^ Title ^ Syntax ^
-| 01 | Scan a single IP | ''nmap 192.168.20.128'' |
-| 02 | Scan a host | ''nmap %%www.example.com%%'' |
-| 03 | Scan a range of IPs | ''nmap 192.168.20.120-128'' |
-| 04 | Scan a subnet | ''nmap 192.168.20.2/24'' |
-| 05 | Scan targets from Text file | ''nmap -iL ips.txt'' |
-----
-===== Port Selection =====
-^  **#** ^ Title ^ Syntax ^
-| 06 | Scan a single port| ''nmap -p 22 192.168.20.128'' |
-| 07 | Scan a range of ports| ''nmap -p 1-100 192.168.20.128'' |
-| 08 | Scan 100 common ports| ''nmap -F 192.168.20.128'' |
-| 09 | Scan all ports| ''nmap -p- 192.168.20.128'' |
-| 10 | Specify UDP or TCP scan| ''nmap -p U:137,T:139 192.168.20.128'' |
-----
-===== Scan Types =====
-^ **#** ^ Title ^ Syntax ^
-| 11 | Scan using TCP connect| ''nmap -sT 192.168.20.128'' |
-| 12 | Scan using TCP SYN scan| ''nmap -sS 192.168.20.128'' |
-| 13 | Scan UDP ports| ''nmap -sU -p 123,161,162 192.168.20.128'' |
-| 14 | Scan Selected ports (Ignore Discovery)| ''nmap -Pn -F 192.168.20.128'' |
-----
-===== Service and OS Detection =====
-^ **#** ^ Title ^ Syntax ^
-| 15 | Detect OS and Services| ''nmap -A 192.168.20.128'' |
-| 16 | Standard service detection| ''nmap -sV 192.168.20.128'' |
-| 17 | Aggressive service detection| ''nmap -sV –version-intensity 5 192.168.20.128'' |
-----
-===== Output Formats =====
-^ **#** ^ Title ^ Syntax ^
-| 18 | Save default output to file| ''nmap -oN result.txt 192.168.20.128'' |
-| 19 | Save results as XML| ''nmap -oX resultxml.xml 192.168.20.128'' |
-| 20 | Save formatted results (Grep)| ''nmap -oG formattable.txt 192.168.20.128'' |
-| 21 | Save in all formats| ''nmap -oA allformats 192.168.20.128'' |
-----
-===== Scripting Engine =====
-^ **#** ^ Title ^ Syntax ^
-| 22 | Scan using default safe scripts| ''nmap -sV -sC 192.168.20.128'' |
-| 23 | Get help for a script| ''nmap –script-help=ssl-heartbleed'' |
-| 24 | Scan using a specific script| ''nmap -sV -p 443 -script=ssl-heartbleed 192.168.20.133'' |
-| 25 | Update script database| ''nmap –script-updatedb'' |
-----
-===== Some Useful NSE Scripts =====
-^ **#** ^ Title ^ Syntax ^
-| 26 | Scan for UDP DDOS reflectors| ''nmap -sU -A -PN -n -pU:19,53,123,161 -script=ntp-monlist,dns-recursion,snmp-sysdescr 192.168.20.2/24'' |
-| 27 | Gather page titles from HTTP Servers| ''nmap –script=http-title 192.168.20.128'' |
-| 28 | Get HTTP headers of web services| ''nmap –script=http-headers 192.168.20.128'' |
-| 29 | Find web apps from known paths| ''nmap –script=http-enum 192.168.20.128'' |
-| 30 | Find exposed Netbios servers| ''nmap -sU –script nbtstat.nse -p 137 192.168.20.128
-----
-===== Target Specification =====
-For the ''{target specification}'':
-  * Can pass hostnames, IP addresses, networks, etc.
-  * Examples: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
-^ Switch ^ Description ^
-| -iL <inputfilename> | Input from list of hosts/networks |
-----
-===== Host Discovery =====
-^ Switch ^ Description ^
-| -sn | Ping Scan - disable port scan |
-| -Pn | Treat all hosts as online -- skip host discovery |
-----
-===== Scan Techniques =====
-^ Switch ^ Description ^
-| -sS | TCP SYN Port Scan (aka: Half-Open or Stealth Scan)
-| -sT | TCP Connect Port Scan
-| -sA | TCP ACK Port Scan
-| -sW | TCP SYN/Connect()/ACK/Window/Maimon scans
-| -sM | TCP SYN/Connect()/ACK/Window/Maimon scans
--sU: UDP Scan
--sN/sF/sX: TCP Null, FIN, and Xmas scans
---scanflags <flags>: Customize TCP scan flags
--sI <zombie host[:probeport]>: Idle scan
--sY/sZ: SCTP INIT/COOKIE-ECHO scans
--sO: IP protocol scan
--b <FTP relay host>: FTP bounce scan
-----
-===== Port Specification =====
-^ Switch ^ Description ^
--p <port ranges>: Only scan specified ports
-Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080,S:9
---exclude-ports <port ranges>: Exclude the specified ports from scanning
--F: Fast mode - Scan fewer ports than the default scan
--r: Scan ports consecutively - don't randomize
---top-ports <number>: Scan <number> most common ports
---port-ratio <ratio>: Scan ports more common than <ratio>
-----
-===== Service/Version Detection =====
-^ Switch ^ Description ^
--sV: Probe open ports to determine service/version info
---version-intensity <level>: Set from 0 (light) to 9 (try all probes)
---version-light: Limit to most likely probes (intensity 2)
---version-all: Try every single probe (intensity 9)
---version-trace: Show detailed version scan activity (for debugging)
-----
-===== Script Scan =====
-[[method_3_scanning#nmap_scripts | Examples]].
-^ Switch ^ Description ^
--sC: equivalent to --script=default
---script=<Lua scripts>: <Lua scripts> is a comma separated list of
-    directories, script-files or script-categories
---script-args=<n1=v1,[n2=v2,...]>: provide arguments to scripts
---script-args-file=filename: provide NSE script args in a file
---script-trace: Show all data sent and received
---script-updatedb: Update the script database.
---script-help=<Lua scripts>: Show help about scripts.
-    <Lua scripts> is a comma-separated list of script-files or
-    script-categories.
-----
-===== OS Detections =====
-^ Switch ^ Description ^
--O: Enable OS detection
---osscan-limit: Limit OS detection to promising targets
---osscan-guess: Guess OS more aggressively
-----
-===== Timing & Performance =====
-^ Switch ^ Description ^
-Options which take <time> are in seconds, or append 'ms' (milliseconds),
-'s' (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).
--T<0-5>: Set timing template (higher is faster)
---min-hostgroup/max-hostgroup <size>: Parallel host scan group sizes
---min-parallelism/max-parallelism <numprobes>: Probe parallelization
---min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time>: Specifies
-probe round trip time.
---max-retries <tries>: Caps number of port scan probe retransmissions.
---host-timeout <time>: Give up on target after this long
---scan-delay/--max-scan-delay <time>: Adjust delay between probes
---min-rate <number>: Send packets no slower than <number> per second
---max-rate <number>: Send packets no faster than <number> per second
-----
-===== Output =====
-^ Switch ^ Description ^
--oN/-oX/-oS/-oG <file>: Output scan in normal, XML, s|<rIpt kIddi3,
-and Grepable format, respectively, to the given filename.
--oA <basename>: Output in the three major formats at once
--v: Increase verbosity level (use -vv or more for greater effect)
--d: Increase debugging level (use -dd or more for greater effect)
---reason: Display the reason a port is in a particular state
---open: Only show open (or possibly open) ports
---packet-trace: Show all packets sent and received
---iflist: Print host interfaces and routes (for debugging)
---append-output: Append to rather than clobber specified output files
---resume <filename>: Resume an aborted scan
---noninteractive: Disable runtime interactions via keyboard
---stylesheet <path/URL>: XSL stylesheet to transform XML output to HTML
---webxml: Reference stylesheet from Nmap.Org for more portable XML
---no-stylesheet: Prevent associating of XSL stylesheet w/XML output
-----
-===== Miscellaneous =====
-^ Switch ^ Description ^
-| -6 | Enable IPv6 scanning |
-| -A | Enable [1] OS detection, [2] version detection, [3] script scanning, and [4] traceroute
-----