# Nmap (Network Mapper)

![[Network Enumeration with Nmap - Introduction to Nmap#^scjgyl]]

## Bookmarks

NSE output to XML:

![[Network Enumeration with Nmap - Saving the Results#^kwqi4e]]

[NSE Scripts](https://nmap.org/nsedoc/scripts/).

## Contents

Nmap can be used to perform the following:

- [[#Host Discovery]]
- [[#Port Scanning]]
- [[#Service Enumeration]], which includes discovering the versions of running services
- [[#OS Detection]]
- Running custom Lua scripts using the [[#Nmap Scripting Engine]] (NSE)

General info that applies to all of the above:

- [[#Nmap Performance]]
- [[#Saving Results]]

## Default Arguments

When Nmap is called without arguments, the techniques it applies depend on whether it is able to send raw packets (in practice, whether it was run with `sudo`).

With raw packet support, calling `nmap` without arguments amounts to the following call:

```sh
sudo nmap -PE -PP -PS443 -PA80 -sS --top-ports 1000 -T3 <host>
```

Without raw packet support, calling `nmap` without arguments amounts to the following call:

```sh
nmap -PE -PP -PS443 -PS80 -sT --top-ports 1000 -T3 <host>
```

| Argument | Description | Privileged | Unprivileged | Aggressive<br>Mode<br>(`-A`) |
| :------------: | ------------------------------------------------------ | :--------: | :-----------------: | :--------------------------: |
| `-PE` | ICMP echo ping | ✓ | ✓ | |
| `-PP` | ICMP timestamp query ping | IPv4 only | IPv4 only | |
| `-PS` | TCP SYN ping<br>(uses connect for unprivileged users) | 443 | 443,80<br>(connect) | |
| `-PA` | TCP ACK ping | 80 | | |
| `-sS` | TCP SYN scan | ✓ | | |
| `-sT` | TCP connect scan | | ✓ | |
| `-T3` | Normal timing | ✓ | ✓ | |
| `-O` | OS detection | | | ✓ |
| `-sV` | Service enumeration<br>(version and service detection) | | | ✓ |
| `-sC` | NSE with default scripts | | | ✓ |
| `--traceroute` | Trace route to each host | | | ✓ |

## Host Discovery

![[Nmap Host Discovery#^aoqmeq]]

![[Network Enumeration with Nmap - Host Discovery#^s2g5hj]]

Host discovery techniques can be categorized by the protocols they use. As the internet and transport layers of the TCP/IP stack are usually slower than link layer protocols, Nmap uses ARP (or ND on IPv6 networks) for host discovery whenever the target hosts belong to the same network. ARP scanning can be disabled using `--disable-arp-ping`.

Host discovery can be completely disabled with `-Pn` and `--disable-arp-ping`. If disabled, a port scan can still be performed using the `-sL` option, which allows us to explicitly specify a list of hosts to run the port scan against.

| Argument | Protocol | Description |
| :------------------: | :------: | -------------------------------------------------------------------------------------------- |
| *Default* | ARP/ND | By default, hosts on the same network are considered online if they respond to ARP/ND pings. |
| `--disable-arp-ping` | ARP/ND | Disables the use of ARP and ND for host discovery of hosts on the local network |
| `-Pn` | | Host discovery is disabled |
| `-PS` | TCP | TCP SYN ping (uses connect for unprivileged users) |
| `-PA` | TCP | TCP ACK ping (not possible for unprivileged users) |
| `-PU` | UDP | UDP ping |
| `-PE` | ICMP | ICMP echo ping |
| `-PP` | ICMP | ICMP timestamp query ping |
| `-PM` | ICMP | ICMP address mask query ping |

### Host Discovery using Link Layer Protocols (ARP and ND)

![[Nmap Host Discovery#^pl4u0b]]

Disabling these techniques is needed whenever a host responds to ARP queries indiscriminately, regardless of the requested IP (e.g. routers with proxy ARP).

![[Network Enumeration with Nmap - Host Discovery#^sjp1ql]]

![[Nmap Host Discovery#^maumfk]]

### Host Discovery using TCP

![[Nmap Host Discovery#^30bxaj]]

![[Network Enumeration with Nmap - Introduction to Nmap#^o1n0qx]]

![[Network Enumeration with Nmap - Introduction to Nmap#^56bm5j]]

![[Nmap Host Discovery#^k7drjt]]

### Host Discovery using UDP

![[Nmap Host Discovery#^ilctvy]]

### Host Discovery using ICMP

![[Nmap Host Discovery#^k1j9py]]

### Disabling Host Scanning

![[Nmap Host Discovery#^5ez2j4]]

## Port Scanning

Unless port scanning is disabled using `-sn`, Nmap automatically runs a TCP SYN scan (`-sS`) when running with root privileges, and a TCP connect scan (`-sT`) when running without root privileges. Port scanning is performed on all hosts that are considered up after host discovery, unless the `-sL` option is given, which allows us to explicitly configure the hosts that will be scanned.

Here's a breakdown of port scanning options:

| Argument | Description |
| -------- | ----------------------------------------------------------------------------------------------- |
| `-sn` | Port scanning disabled |
| `-sL` | Instead of host discovery, the hosts against which port scanning is performed are explicitly defined |
| `-sS` | [[#TCP SYN Scan (`-sS`)\|TCP SYN scan]] |
| `-sT` | [[#TCP Connect Scan (`-sT`)\|TCP connect scan]] (for unprivileged users) |
| `-sA` | [[#TCP ACK Scan (`-sA`)\|TCP ACK scan]] |
| `-sU` | [[#UDP Scan (`-sU`)\|UDP scan]] |

![[Nmap Host Discovery#^574h8b]]

![[Nmap Host Discovery#^2lnfc0]]

### Port States

Nmap classifies ports into the following six categories. Not all categories are used by every scan type.

![[Nmap Port Scanning Basics#^lpec4m]]

### TCP SYN Scan (`-sS`)

![[Nmap Port Scanning Techniques#^rrwdee]]

![[Network Enumeration with Nmap - Host and Port Scanning#^2bjq98]]

### TCP Connect Scan (`-sT`)

![[Nmap Port Scanning Techniques#^lkdkl6]]

![[Network Enumeration with Nmap - Host and Port Scanning#^3bciqz]]

### TCP ACK Scan (`-sA`)

![[Nmap Port Scanning Techniques#^ph1o58]]

![[Network Enumeration with Nmap - Firewall and IDS IPS Evasion#^1fkcjb]]

### UDP Scan (`-sU`)

![[Nmap Port Scanning Techniques#^rolw1i]]

## Service Enumeration

![[Nmap Service and Version Detection#^fi938z]]

Service enumeration is enabled using `-sV`.

![[Network Enumeration with Nmap - Service Enumeration#^007kxj]]

When automatic service enumeration and version detection fails, it is sometimes useful to inspect the TCP handshake itself.

![[Network Enumeration with Nmap - Service Enumeration#^9hunmb]]

![[Network Enumeration with Nmap - Service Enumeration#^5j7os0]]

![[Network Enumeration with Nmap - Service Enumeration#^qkihr8]]

![[Network Enumeration with Nmap - Service Enumeration#^hlkbsr]]

## OS Detection

![[Nmap OS Detection#^okhjyb]]

OS detection is enabled using `-O`.

## Nmap Scripting Engine

![[Network Enumeration with Nmap - Nmap Scripting Engine#^6rw6xu]]

![[Network Enumeration with Nmap - Nmap Scripting Engine#^al4fe0]]

For more information about specific categories see: [NSE Script Categories](https://nmap.org/nsedoc/categories/). For all scripts see: [All NSE Scripts](https://nmap.org/nsedoc/scripts/).

- [[Broadcast NSE Scripts]]
- [[Discovery NSE Scripts]]

Use the following commands to run NSE:

Default scripts (equivalent to `--script default`):

![[Network Enumeration with Nmap - Nmap Scripting Engine#^7s27cb]]

Scripts that belong to a specific category:

![[Network Enumeration with Nmap - Nmap Scripting Engine#^hi1ywi]]

Specific scripts:

![[Network Enumeration with Nmap - Nmap Scripting Engine#^r7r9lz]]

Help for individual scripts can be retrieved from the NSE documentation site, or by calling `--script-help`.

![[Nmap Scripting Engine#^39gw08]]

## Nmap Performance

![[Network Enumeration with Nmap - Performance#^9yk5q1]]

![[Network Enumeration with Nmap - Performance#^f52t3v]]

![[Network Enumeration with Nmap - Performance#^6ot7jv]]

![[Network Enumeration with Nmap - Performance#^bqkwtx]]

![[Network Enumeration with Nmap - Performance#^kd0f8a]]

More information about various custom performance parameters can be found here: [[Nmap Timing and Performance]].

## Saving Results

![[Network Enumeration with Nmap - Saving the Results#^rpdgtl]]

![[Network Enumeration with Nmap - Saving the Results#^owi2cz]]

![[Network Enumeration with Nmap - Saving the Results#^vq6xux]]

![[Network Enumeration with Nmap - Saving the Results#^kwqi4e]]
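As an added example that is not part of these notes: once a scan is saved with `-oX`, the XML can be parsed and compared against an approved baseline of open ports, so a scheduled scan of your own network flags newly exposed services. The XML below is a constructed sample, not a real scan, and `parse_open_ports` / `unexpected_ports` are helper names chosen here.

```python
import xml.etree.ElementTree as ET

# Constructed sample of `nmap -sV -oX` output, reduced to the elements read below.
SAMPLE_XML = """<nmaprun scanner="nmap">
  <host><status state="up" reason="arp-response"/>
    <address addr="10.0.0.1" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="8.9p1"/></port>
      <port protocol="tcp" portid="80"><state state="closed" reason="reset"/></port>
      <port protocol="tcp" portid="443"><state state="open" reason="syn-ack"/>
        <service name="http" product="nginx"/></port>
    </ports>
  </host>
  <host><status state="down" reason="no-response"/>
    <address addr="10.0.0.2" addrtype="ipv4"/></host>
</nmaprun>"""


def parse_open_ports(xml_text):
    """Map each host that is up to its open ports: {ip: {"proto/port": "service label"}}."""
    result = {}
    for host in ET.fromstring(xml_text).findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # hosts reported down carry no port data worth keeping
        addrs = [a.get("addr") for a in host.findall("address")
                 if a.get("addrtype") in ("ipv4", "ipv6")]  # skip MAC entries
        if not addrs:
            continue
        ports = {}
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports are not part of the exposure
            svc = port.find("service")  # present when -sV ran or the port is well known
            fields = () if svc is None else (svc.get("name"), svc.get("product"), svc.get("version"))
            label = " ".join(f for f in fields if f) or "unknown"
            ports[f"{port.get('protocol')}/{port.get('portid')}"] = label
        result[addrs[0]] = ports
    return result


def unexpected_ports(scan, baseline):
    """Open ports per host that the approved baseline {ip: {"proto/port", ...}} does not list."""
    findings = {}
    for ip, ports in scan.items():
        extra = {p: s for p, s in ports.items() if p not in baseline.get(ip, set())}
        if extra:
            findings[ip] = extra
    return findings
```

A host absent from the baseline has every open port reported, which is the behaviour you want for a device that was never approved.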