Nmap: Difference between revisions
From charlesreid1
No edit summary |
|||
| (4 intermediate revisions by 2 users not shown) | |||
| Line 1: | Line 1: | ||
For my 2025 Nmap Short Course, see [[Nmap/Short Course]] | |||
=How To Use= | =How To Use= | ||
| Line 45: | Line 47: | ||
This is a good way to quickly discover the most common services running on other network nodes. | This is a good way to quickly discover the most common services running on other network nodes. | ||
== | ==Aggressive Network Scan== | ||
To do a more advanced network scan, can do something like: | To do a more advanced/aggressive network scan, can do something like: | ||
<pre> | <pre> | ||
$ nmap -sS -sV -A 10.0.0.27 | $ nmap -sS -sV -A 10.0.0.27 | ||
</pre> | </pre> | ||
where <code>-A</code> is for aggressive, attempts to determine version numbers of running services as well as return information about the operating system. | |||
=UPnP= | =UPnP= | ||
| Line 58: | Line 62: | ||
= | =Flags= | ||
{{KaliFlag}} | {{KaliFlag}} | ||
{{NmapFlag}} | |||
[[Category:Nmap]] | |||
Latest revision as of 20:38, 26 May 2025
For my 2025 Nmap Short Course, see Nmap/Short Course
How To Use
Nmap is a really really complicated tool, so consult the extensive manual to really use it properly.
The Man Page
$ man nmap
The Short Version
You run nmap like this:
Usage: nmap [Scan Type(s)] [Options] {target specification}
If you read through the manual, it is organized this way:
- first, target specification is covered
- then, increasingly intrusive levels of scan type are described in order
- within each chapter on a scan type, the different options are described
Basic Network Scans
DNS Only for Host Discovery
The Host Discovery section (http://nmap.org/book/man-host-discovery.html) starts by covering basic host discovery, with least intrusive first. In this case, a list lookup doesn't even send packets to the specified addresses, it just does a DNS lookup on them.
nmap -sS 10.0.0.0/24
The target specification section (http://nmap.org/book/man-target-specification.html) covers what the ip address range above means, and I'll explain here too. The trailing /24 means, all permutations of the last 24 bits (that is, 0-254, the normal range of IP addresses).
Fast Scan
To do a fast scan, which only scans the lowest 100 ports, use the -F flag:
$ nmap -F 192.168.0.*
This is a good way to quickly discover the most common services running on other network nodes.
Aggressive Network Scan
To do a more advanced/aggressive network scan, can do something like:
$ nmap -sS -sV -A 10.0.0.27
where -A is for aggressive, attempts to determine version numbers of running services as well as return information about the operating system.
UPnP
See Nmap/UPnP
Flags
