Introduction to Nmap Scanning Techniques and Commands
Nmap, or Network Mapper, is one of the most powerful tools in a cybersecurity professional’s toolkit. Designed for network discovery and security auditing, Nmap’s versatility allows users to scan ports, detect OS types, find service versions, and even evade firewalls.
In this guide, we’ll explore essential Nmap scanning techniques, from basic ping and port scans to advanced service detection, OS fingerprinting, and firewall evasion methods. Whether you’re a beginner or an experienced security analyst, these commands will help you assess and strengthen network security with precision and effectiveness.
Nmap Scanning Techniques and Commands Guide
1. Basic Nmap Scan Syntax
nmap [options] target
target: IP address or domain of the host or network to scan. You can specify a range using CIDR notation (e.g., 192.168.1.0/24) or specify multiple targets in a text file.
2. Commonly Used Nmap Options and Scans
Host Discovery (Ping Scan)
-sn: Ping scan (doesn't scan ports).
nmap -sn 192.168.1.0/24
Useful to see which hosts are online within a network.
Port Scanning
-sS: SYN scan (stealth scan). Sends SYN packets and never completes the TCP handshake, so the probe is less likely to be logged than a full connection.
nmap -sS 192.168.1.10
-sT: TCP connect scan. Opens a full TCP connection; more detectable but reliable.
nmap -sT 192.168.1.10
-sU: UDP scan. Scans UDP ports; useful for services like DNS and SNMP.
nmap -sU 192.168.1.10
-sV: Version detection. Attempts to determine the version of services running on open ports.
nmap -sV 192.168.1.10
Aggressive Scanning
-A: Aggressive scan. Combines OS detection, version detection, script scanning, and traceroute.
nmap -A 192.168.1.10
Operating System Detection
-O: OS detection. Tries to determine the operating system and version of the target.
nmap -O 192.168.1.10
Service Version Detection
-sV: Service version detection. Identifies versions of services running on open ports.
nmap -sV 192.168.1.10
3. Script Scanning
Default Script Scan
-sC: Runs default scripts. Uses default NSE scripts to identify common vulnerabilities and information.
nmap -sC 192.168.1.10
Specific Script Scan
--script <script>: Runs a specific script.
nmap --script http-title 192.168.1.10
Runs the http-title script to identify web page titles on HTTP services.
Script Categories
- auth: Checks for weak passwords and authentication vulnerabilities.
- vuln: Finds vulnerabilities.
- exploit: Executes exploits against targets.
- discovery: Reveals information about targets.
- safe: Low-risk information-gathering scripts.
4. Timing and Performance
-T<0-5>: Timing templates. Sets timing (0 = slowest, 5 = fastest). T4 is often a good balance between speed and stealth.
nmap -T4 192.168.1.10
Additional Options for Speed
--max-retries <num>: Limits the number of retransmissions for ports that don't respond.
--max-scan-delay <time>: Caps the delay Nmap inserts between probes.
5. Output Options
-oN <file>: Normal output to a file.
nmap -oN output.txt 192.168.1.10
-oX <file>: XML output.
nmap -oX output.xml 192.168.1.10
-oG <file>: Greppable output.
nmap -oG output.grep 192.168.1.10
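The greppable (-oG) format is designed to be processed by tools, which makes it a convenient input for an exposure check: parse the scan into a per-host inventory and flag any open port that is not on an allowlist. This is an added example, not code from the original guide; the sample scan text is constructed and the allowlist is a hypothetical per-host policy.

```python
import re

# Constructed sample of nmap -oG output (not a real scan); fields are tab-separated.
SAMPLE_GNMAP = (
    "# Nmap 7.94 scan initiated as: nmap -sV -oG output.grep 192.168.1.0/24\n"
    "Host: 192.168.1.10 ()\tStatus: Up\n"
    "Host: 192.168.1.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, "
    "80/open/tcp//http//nginx 1.18.0/, 443/closed/tcp//https///\t"
    "Ignored State: filtered (997)\n"
    "Host: 192.168.1.20 ()\tStatus: Up\n"
    "Host: 192.168.1.20 ()\tPorts: 3389/open/tcp//ms-wbt-server//"
    "Microsoft Terminal Services/, 445/open/tcp//microsoft-ds///\t"
    "Ignored State: closed (998)\n"
    "# Nmap done -- 256 IP addresses (2 hosts up) scanned in 5.02 seconds\n"
)
HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)")

def parse_gnmap(text):
    """Map each host IP to a list of (port, state, proto, service, version)."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:          # skips '#' comment lines and anything else
            continue
        ports = hosts.setdefault(m.group(1), [])  # keep hosts that are Up with no ports
        for field in line.split("\t")[1:]:
            if not field.startswith("Ports:"):
                continue
            for entry in field[len("Ports:"):].split(","):
                # Each entry is port/state/proto/owner/service/rpcinfo/version/
                parts = entry.strip().split("/")
                if len(parts) < 7:
                    continue
                port, state, proto, _owner, service, _rpc, version = parts[:7]
                ports.append((int(port), state, proto, service, version))
    return hosts

def unexpected_exposure(text, allowed):
    """Return open ports that are not in the per-host allowlist {ip: {port, ...}}."""
    findings = []
    for ip, ports in parse_gnmap(text).items():
        for port, state, proto, service, version in ports:
            if state == "open" and port not in allowed.get(ip, set()):
                findings.append((ip, port, proto, service, version))
    return findings

if __name__ == "__main__":
    for f in unexpected_exposure(SAMPLE_GNMAP, {"192.168.1.10": {22, 80}}):
        print("unexpected open port: %s:%d/%s %s %s" % f)
```

Closed and filtered ports are parsed but never flagged, so the report only lists services actually reachable that the allowlist does not account for.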
6. Advanced Options
-p <port-range>: Specifies ports. Scans specific ports instead of the default range.
nmap -p 22,80,443 192.168.1.10
--open: Only shows open ports.
nmap --open 192.168.1.10
--top-ports <num>: Scans the top N most commonly used ports.
nmap --top-ports 20 192.168.1.10
7. Firewall Evasion Techniques
-D <decoy1,decoy2,...>: Decoy scan. Uses decoy addresses to hide the real scanner; RND:10 generates ten random decoy addresses.
nmap -D RND:10 192.168.1.10
-f: Fragment packets. Sends fragmented packets, useful for bypassing simple firewalls.
nmap -f 192.168.1.10
--data-length <num>: Appends random data to packets. Modifies packet size to evade filters.
nmap --data-length 25 192.168.1.10
8. Other Useful Nmap Commands
- Traceroute: --traceroute. Traces the path packets take to reach the target.
nmap --traceroute 192.168.1.10
- IPv6 Scanning: -6. For scanning IPv6 addresses.
nmap -6 <IPv6 address>