Nmap Notes
==========

Public Domain

********************************************************************************
### nmap : Network Mapper (http://nmap.org)

Zenmap : Nmap GUI

Scanning :
  host discovery (network mapping)
  operating system detection
  active ports
  services & version detection

********************************************************************************
### Common options

Help                 : nmap -h
Normal scan          : nmap 127.0.0.1
Verbose              : nmap -v 127.0.0.1
No DNS resolve       : nmap -v -n 127.0.0.1
Do DNS resolve       : nmap -v -R 127.0.0.1
Version scan         : nmap -v -n -sV 127.0.0.1
Port numbers         : nmap -v -n -sV -p1-65535 127.0.0.1
Skip ping (P0)       : nmap -v -n -sV -p1-65535 -PN 127.0.0.1
Ping scan            : nmap -v -n -sP 192.168.1.0/24
Normal output file   : nmap -v -n -sP -oN up-hosts 192.168.1.0/24
Grepable output file : nmap -v -n -sP -oG up-hosts 192.168.1.0/24
List IPs             : echo $(grep "Host:" up-hosts | awk '{print$2}') > IPs
Scan IP list         : nmap -v -n -iL IPs > net-scan-info

********************************************************************************
### OS detection, Version detection, Script scanning, Traceroute

nmap -v -n -A -iL IPs > OS-Svc-info

********************************************************************************
### Version detection (/usr/share/nmap/nmap-service-probes)

nmap -sV 172.16.20.2

--allports
--version-intensity 0-9   default 7
--version-all             intensity 9
--version-light           quick, intensity 2
--version-trace           debug info

********************************************************************************
### OS detection only

nmap -O 127.0.0.1

--osscan-limit      requires at least one open port and one closed port
--osscan-guess      aggressively guess
--max-os-tries 1    [default 5 or 2]

********************************************************************************
### Optimization

-T0  Paranoid    5 min
-T1  Sneaky      15 s
-T2  Polite      0.4 s
-T3  Normal      parallel
-T4  Aggressive  10 ms
-T5  Insane      5 ms

Options which take <time> are in milliseconds, unless you append 's' (seconds),
'm' (minutes), or 'h' (hours) to the value (e.g. 30m).

--min-hostgroup/--max-hostgroup : parallel host scan group sizes
--max-retries                   : caps the number of port scan probe retransmissions
--host-timeout
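Added example, not part of these notes: a shell script that performs the "List IPs" step from the Common options section on a constructed -oG ping-sweep file and keeps only hosts reported Up. Because the ping scan in the notes runs with -v, nmap also writes "Status: Down" lines into grepable output, so a bare grep "Host:" would feed dead hosts into the follow-up -iL scan. The sample file contents and the output file name IPs.example are assumptions.

```shell
#!/bin/sh
# Added example (not from the original notes): build an -iL target list from
# nmap grepable (-oG) ping-sweep output, keeping only hosts whose Status is Up.

# Constructed sample of -oG output, as written by: nmap -v -n -sP 192.168.1.0/24
# (fields in real output are tab-separated; awk's default splitting handles both)
SAMPLE_OG='# Nmap 7.x scan initiated (constructed sample)
Host: 192.168.1.1 ()	Status: Up
Host: 192.168.1.2 ()	Status: Down
Host: 192.168.1.10 ()	Status: Up
Host: 192.168.1.10 ()	Ports: 22/open/tcp//ssh///
# Nmap done (constructed sample)'

# up_hosts FILE: one IP per line for every host reported Up, de-duplicated.
# The "Ports:" line for a host carries no Status field, so it is not matched.
up_hosts() {
    awk '/^Host:/ && /Status: Up/ { print $2 }' "$1" | sort -u
}

# count_up FILE: number of unique Up hosts, useful as a sanity check before
# launching the follow-up scan (tr strips the padding some wc builds emit).
count_up() {
    up_hosts "$1" | wc -l | tr -d ' '
}

main() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_OG" > "$tmp"
    up_hosts "$tmp" > IPs.example
    echo "Up hosts written to IPs.example: $(count_up "$tmp")"
    cat IPs.example
    # The follow-up from the notes would then be: nmap -v -n -iL IPs.example
    rm -f "$tmp" IPs.example
}

main "$@"
```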