Adel ALLAM @apges01


Network Mapper is a free and open source utility for network discovery and security auditing.


# fast tcp scan
$ nmap -vv -sC -sV -oN fast_tcp_scan.nmap

# full tcp scan
$ nmap -vv -sC -sV -p- -oN full_tcp_scan.nmap

# fast udp scan
$ nmap -vv -sU -sV -oN fast_udp_scan.nmap

# full udp scan
$ nmap -vv -sU -sV -p- -oN full_udp_scan.nmap



# classic
$ nmap <target>

# from file
$ nmap -iL targets.txt

# exclude hosts
$ nmap --exclude <host1,host2> <target>

# scan 10 random targets on the internet
$ nmap -iR 10

# find random NFS shares online
$ nmap -p2049 --open -iR 0 

# collect signature of web servers
$ nmap -p80,443 -Pn -T4 --open --script http-headers,http-title,ssl-cert --script-args http.useragent="A web crawler :)",http-headers.useget -oX random-webservers.xml -iR 0
# -Pn : without ping
# -T4 : aggressive timing template


# select ports
$ nmap -p1-100,80,443

# ports by protocol (T:tcp, U:udp)
$ nmap -pT:25,U:53

# exclude ports
$ nmap -p1-100 --exclude-ports 22,53

# all ports
$ nmap -p-

# select interface
$ nmap -e eth1

port states

  • open: a service is listening for connections
  • closed: the port is reachable (it receives and answers nmap's probes), but no application is listening on it
  • filtered: no sign that the probes were received, so the state cannot be established; packets are being dropped by some kind of filtering

unprivileged users: by default nmap uses a TCP Connect scan (-sT), which relies on the high-level connect() system call and is slower

privileged users: by default nmap launches a SYN Stealth scan (-sS), which sends specially crafted raw TCP packets; the technique is known as half-open scanning

service/OS fingerprinting

# service detection
$ nmap -sV

# OS detection
$ nmap -O

# -sV + -O + -sC (script scanning) + --traceroute
$ nmap -A 

host discovery

# TCP SYN scan
$ nmap -sn -PS80,21
# -sn: ping scan - disable port scan
# send a TCP SYN
# receive an RST -> close
# receive a SYN/ACK -> open
# --packet-trace: show all data sent and received

# TCP ACK scan
$ nmap -sn -PA
# send a TCP ACK
# receive nothing -> close
# receive a TCP RST -> open

# UDP scan
$ nmap -sn -PU
# send an empty UDP packet to port 40125
# receive ICMP port unreachable -> online
# receive various ICMP error messages -> offline
# (important to choose closed ports)

# ICMP ping scan
$ nmap -sn -PE # ICMP echo request
$ nmap -sn -PP # ICMP timestamp request
$ nmap -sn -PM # ICMP address mask request
# can bypass misconfigured firewalls

# IP protocol scan
$ nmap -sn -PO
# -PO: by default uses the protocols ICMP, IGMP and IP-in-IP
$ nmap -sn -PO1,2,17 # choose protocols by their numbers

# TCP: 6, UDP: 17, ICMP: 1, IGMP: 2, IP-in-IP: 4, SCTP: 132

# all packets sent are empty; it is a good idea to put some data inside them
$ nmap -sn -PO --data-length 100
# ARP scan
$ nmap -sn -PR
# send ARP requests to all
# if ARP reply -> online
# else -> offline

# used by default by nmap on the local LAN; --send-ip forces IP-level probes (here -PS) instead of ARP
$ nmap -sn -PS --packet-trace --send-ip

# MAC address spoofing
$ nmap -sn -PR --spoof-mac <mac address>
# with -6, -PR uses ICMPv6 Neighbor Discovery (the IPv6 replacement for ARP)

scan techniques

# TCP SYN, half-open: the handshake is never completed, so the application usually does not log it
$ nmap -sS

# full handshake with connect(): the application sees the connection and can log it
$ nmap -sT

# TCP ACK scan: tells filtered from unfiltered ports (firewall rule mapping)
$ nmap -sA

timing template

# aggressive timing
$ nmap -T4
# -T0: paranoid (5 min between probes)
# -T1: sneaky
# -T2: polite
# -T3: default
# -T4: aggressive
# -T5: insane

scan report

$ nmap -oX scanme.xml
# -oX: XML
# -oN: nmap output
# -oG: greppable text
# -oA: for all
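The XML report (-oX) is the form a practitioner usually post-processes. The following is an added example, not part of the original cheat sheet: it parses a constructed sample of nmap's XML output, keeps only open ports of hosts that are up, and diffs them against a constructed per-host baseline of expected listeners so that unexpected exposure stands out.

```python
import xml.etree.ElementTree as ET
# Constructed sample of nmap -oX output, abridged to the elements used here.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sV -oX scan.xml 192.0.2.0/29">
  <host><status state="up" reason="arp-response"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports><extraports state="filtered" count="997"/>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
      <port protocol="tcp" portid="3306"><state state="open"/><service name="mysql"/></port>
      <port protocol="tcp" portid="443"><state state="closed"/></port>
    </ports>
  </host>
  <host><status state="down" reason="no-response"/>
    <address addr="192.0.2.11" addrtype="ipv4"/>
  </host>
</nmaprun>"""

def parse_open_ports(xml_text):
    """Map each host that is up to {(proto, port): service} for its open ports."""
    result = {}
    for host in ET.fromstring(xml_text).iter("host"):
        if host.find("status").get("state") != "up":
            continue  # host discovery said down: nmap wrote no port data
        addr = host.find("address[@addrtype='ipv4']").get("addr")
        ports = {}
        for port in host.iter("port"):  # <extraports> summaries are skipped
            if port.find("state").get("state") != "open":
                continue  # closed/filtered entries are not exposure
            svc = port.find("service")
            name = svc.get("name", "unknown") if svc is not None else "unknown"
            ports[(port.get("protocol"), int(port.get("portid")))] = name
        result[addr] = ports
    return result

def unexpected_exposure(xml_text, baseline):
    """(addr, proto, port, service) for open ports absent from the baseline;
    a host missing from the baseline has every open port listed."""
    findings = []
    for addr, ports in parse_open_ports(xml_text).items():
        allowed = baseline.get(addr, set())
        for (proto, port), name in sorted(ports.items()):
            if (proto, port) not in allowed:
                findings.append((addr, proto, port, name))
    return findings

BASELINE = {"192.0.2.10": {("tcp", 22), ("tcp", 80)}}  # constructed inventory
if __name__ == "__main__":
    for addr, proto, port, name in unexpected_exposure(SAMPLE_XML, BASELINE):
        print(f"{addr} {port}/{proto} ({name}) is open but not in the baseline")
```

Feed it a real `-oX` file (with `-sV` the `<service>` element also carries product and version attributes) and a baseline from your asset inventory; the down host shows how hosts skipped by host discovery carry no port data.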

NSE scripts

nmap ships with the Nmap Scripting Engine (NSE), which provides an interface for users to script additional tasks.

Scripts are divided into categories:

  • auth: scripts related to user authentication
  • broadcast: scripts that use broadcast requests to gather information
  • brute: scripts that help conduct brute-force password auditing
  • default: scripts that are executed when a script scan is executed (-sC)
  • discovery: scripts related to host/service discovery.
  • dos: scripts related to denial of service attacks
  • exploit: scripts that exploit security vulnerabilities
  • external: scripts that depend on a third-party service
  • fuzzer: scripts that are focused on fuzzing
  • intrusive: scripts that might crash something or generate a lot of network noise
  • malware: scripts related to malware detection
  • safe: scripts that are considered safe in all situations
  • version: scripts that are used for advanced versioning
  • vuln: scripts related to security vulnerabilities

# run the scripts of the default category (-sC)
$ nmap -sC

# script arguments
$ nmap --script http-title --script-args http.useragent="Mozilla 999"

# script selection
$ nmap --script dns-brute
$ nmap --script http-headers,http-title

# run all scripts in the vuln category
$ nmap -sV --script vuln

# run all http scripts except 2 of them
$ nmap -sV --script "(http-*) and not (http-slowloris or http-brute)"

Interesting scripts:

broadcast ping scans

$ nmap --script broadcast-ping
# send ICMP echo request
# receive ICMP echo reply -> open
# else -> close

Scan IPv6 addresses

$ nmap -6

# Multicast Listener Discovery (MLD) request to LAN
$ nmap -6 --script targets-ipv6-multicast-mld --script-args interface=en0

# ICMPv6 RA with SLAAC
$ nmap -6 --script targets-ipv6-multicast-slaac --script-args interface=en0 -sn

# ICMPv6 echo request to the all-nodes link-local multicast address (ff02::1)
$ nmap -6 --script targets-ipv6-multicast-echo --script-args 'newtargets,interface=eth0' -sL

# ICMPv6 request with an invalid extension header to ff02::1
$ nmap -6 --script=targets-ipv6-multicast-invalid-dst.nse --script-args 'newtargets,interface=eth0' -sn

Gathering network information with broadcast scripts

NSE broadcast scripts perform tasks such as detecting Dropbox listeners and sniffing hosts, and discovering DHCP, MS SQL or NCP servers.

There are 44 different scripts:

# use all scripts in the broadcast category
$ nmap --script broadcast -e eth0

$ nmap --script "broadcast and not targets-*"

scanning through proxies

# TOR, mask origin address
$ nmap -sV -Pn -n --proxies socks4://<proxy-host>:<proxy-port>

### Spoofing the origin IP of a scan
# find hosts with an incremental IP ID (zombie)
# IP ID: identification field, used for fragment reassembly
$ nmap -p80 --script ipidseq <your ip>/24
$ nmap -p80 --script ipidseq -iR 1000
# -> |_ipidseq: Incremental!

# launch idle scan
$ nmap -Pn -sI <zombie host>

optimizing scans

phases of scan

  • 1 - Target enumeration: parses the target list.
  • 2 - Host discovery: establishes if the targets are online and in the network with ICMP echo request and some additional probes (-Pn to skip).
  • 3 - Reverse DNS resolution: (-n to skip).
  • 4 - Port scanning: determines the state of the ports with a SYN or TCP Connect scan (depending on the user's privileges) (-sn to skip).

skipping phases

$ nmap -T4 -n -Pn -p-
# scan with aggressive timing template
# without DNS resolution (-n)
# without ping (-Pn)


### Perform IP address geolocation
### Getting information from WHOIS records
### Traceroute geolocation information
### Querying Shodan to obtain target information
# use an API key

$ nmap -sn -Pn -n --script shodan-api --script-args shodan-api.apikey=<ShodanAPI KEY>


# save in CSV files
$ nmap -sn -Pn -n --script shodan-api --script-args shodan-api.apikey='<ShodanAPI KEY>',shodan-api.outfile=results.csv

# single target
$ nmap -sn -Pn -n --script shodan-api --script-args shodan-api.apikey='<ShodanAPI KEY>',shodan-api.target=<IP>
# -n: DNS resolution disable


ncrack

Ncrack is a high-speed network authentication cracking tool used to discover systems with weak passwords. It supports popular network protocols (FTP, SSH, Telnet, HTTP(S), POP3(S), SMB, RDP, VNC, SIP, Redis, PostgreSQL and MySQL).

$ ncrack <service-name>://<host>:<port-number>

# basic dictionary attack against an SSH server
$ ncrack ssh://<host>:<port>

# give username and password files
$ ncrack -U <user-list> -P <password-list> <service-name>://<host>:<port-number>

# give a single username
$ ncrack --user <username> <service-name>://<host>:<port-number>

# give a single password
$ ncrack --pass <password> <service-name>://<host>:<port-number>

# save the session so it can be paused and resumed later
$ ncrack --save cracking-session <service-name>://<host>:<port-number>

# resume a saved session
$ ncrack --resume cracking-session