Skip to content

Instantly share code, notes, and snippets.

@namishelex01
Last active October 17, 2022 21:11
Show Gist options
  • Save namishelex01/111677a84128accf13c4219e5dc998bf to your computer and use it in GitHub Desktop.
Save namishelex01/111677a84128accf13c4219e5dc998bf to your computer and use it in GitHub Desktop.
NMap Tips
~~~~~Port Scanning~~~~~
| Discovery scans |
-sP - Ping | -sW - Window Scan |
-sL - List/DNS Scan | -sA - ACK Scan |
-sO - Protocol Scan | -sR - RPC Scan |
-sV - Verify*** | -sI - Idle Scan |
-sU - UDP Scan*** | -sV - Version Scan |
| Scan switches and behavior |
Option Description Win OPEN Win CLOSED Linux OPEN Linux CLOSED
-sT Full connect SA RA SA RA
-sS Stealth/half open SA RA SA RA
-sN Null RA RA -- RA
-sX XMAS RA RA -- RA
-sF FIN RA RA -- RA
| Common attack options |
-PO - IP Protocol ping |- Default Send 3 Packets {ICMP, IGMP, IP-in-IP}
-PE - ICMP echo |- PING DETECTION
-PP - ICMP timestamp |- PING DETECTION
-PM - ICMP netmask |- PING DETECTION
-PS - SYN Ping |- {BEST AGAINST STATEFUL FIREWALLS}
-PI - ICMP Ping |
-PA - ACK Ping |- {BEST AGAINST STATELESS FIREWALLS}
-PB - TCP+ICMP Ping -|
-p - Ports
-O - OS scan
-n - Skip DNS resolving
-sn - Disable port scan
-Pn - Skip host discovery
-sC - Default script scan
--traceroute - Traceroute a path
-A - Aggressive scan, includes version, OS and traceroute
-T[0-5] - Timing scan, 5 is fastest**
-v - Verbose output
--top-ports 3674- {TCP} Almost 100% results
--top-ports 1017- {UDP} Almost 100% results
--min-rate - Minimum packets per second
--max-rate - Maximum packets per second
| Output Format |
-oN/-oX/-oS/-oG - Normal, XML, Script Kiddie and grepable format
-oA - Output in all major scans
| NMAP Script Categories |
auth: This category is for scripts related to user authentication.
Nmap --script auth <IP>
broadcast: This is a very interesting category of scripts that use broadcast petitions to gather information.
brute: This category is for scripts that help conduct brute-force password auditing.
default: This category is for scripts that are executed when a script scan is executed (-sC).
Nmap --script default <IP>
discovery: This category is for scripts related to host and service discovery. This category of scripts is ideal when we need to have as much information as possible for a specific target.
Nmap --script discovery <IP>
dos: This category is for scripts related to denial of service attacks.
exploit: This category is for scripts that exploit security vulnerabilities.
external: This category is for scripts that depend on a third-party service. performs an automatic Web Whois to the target and discovers additional information like the geographical location,the name of the organization and the net range.
Nmap --script external scanme.nmap.org
fuzzer: This category is for NSE scripts that are focused on fuzzing.
intrusive: This category is for scripts that might crash something or generate a lot of network noise. Scripts that system administrators may consider intrusive belong to this category.
malware: This category is for scripts related to malware detection.
safe: This category is for scripts that are considered safe in all situations.
Nmap --script safe <IP>
version: This category is for scripts that are used for advanced versioning.
vuln: This category is for scripts related to security vulnerabilities
| NMAP IDS/IPS Evasion |
Packet Fragmentation: Evade pattern matching detection technique
When Fragmentation reassembly functionality is disabled
$nmap -f <TargetIP>
Append Random Data: Spoof the data length of packet
$nmap --data-length <number-of-bytes> <IP>
Decoy Scan: Add random hosts either from attacker's subnet or from victim's subnet
In logs, multiple hosts IP makes it difficult to trace the attacker
But first do an Idle scan of available zombie hosts
$nmap -D <IP1, IP2, IP3,...> <TargetIP>
$nmap -sI <ZombieIP> <TargetIP>
$nmap -D RND:25 <TargetIP> <--Random IP generation-->
Spoof source IP: Spoof the source IP (from the victim's subnet) so IDS/firewall will pass thinking as a legitimate user
$nmap -S <SpoofedIP> <TargetIP>
Spoof source port: Bypass rules that allow requests from few ports (ex. Port 53).
$nmap --source-port <PortNumber> <IP>
Send Bad Checksum: Check for configuration of system
$nmap --badsum <IP>
Spoof MAC Address: Bypass MAC filtering rule
$nmap --spoof-mac <DELLorAPPLEorELSE / 0 / SPECIFIC> <IP>
| | |
choose vendor random specific
Scanning Timing: Can be used to evade some of the rules in the firewalls or IDS.
Adding random order increases effectiveness of scan
T0 = Paranoid (Waits 5 minutes between sending each probes, not detected by IDS/IPS)
T1 = Sneaky (waits 15 seconds)
T2 = Polite (waits 0.4 seconds)
T3 = Normal
T4 = Aggressive (parallel scan & 300 seconds timeout)
T5 = Insane (parallel scan & 75 seconds timeout)
$nmap --randomize-hosts -T<0-5> <TargetIP>
Common TCP Ports to look for :-
21/ftp | 22/ssh | 23/telnet | 25/smtp | 53/dns | 80/http |
113/auth | 443/https | 554/rstp | 3389/ms-term-server
Common UDP Ports to look for :-
Closed Ports | 53/DNS {EXCEPTION}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment