Nmap scan techniques

Nmap is a very popular tool among security specialists worldwide. It can be used for many kinds of scans: it helps QSAs during their audit procedures, and of course it helps pentesters find vulnerabilities in bug bounty programs and on commercial projects.

Scan types that Nmap covers:

  • Host discovery
  • Port discovery and enumeration
  • Services discovery
  • Services version detection
  • Operating system version detection
  • Hardware MAC address detection
  • Vulnerability and exploit checks with the help of the Nmap Scripting Engine (NSE)

Below are some scanning examples for nmap. Note that SYN scans (-sS) and OS detection (-O) need raw-socket privileges, so run them as root:

  • nmap -sP 10.0.0.0/24
    Simple ping scan (host discovery only; -sP is the older spelling of -sn) that sweeps the network and lists the machines that respond to ping.
  • nmap -p 1-65535 -sV -sS -T4 10.0.0.12
    Full TCP port scan (all 65535 ports) with service version detection.
  • nmap -v -sS -A -T4 10.0.0.12
    Stealth SYN scan with OS and service version detection, verbose output.
  • nmap -v -sV -O -sS -T5 10.0.0.12
    Verbose output, stealth SYN scan, T5 timing, OS and version detection.
  • nmap -v -sS -A -T5 10.0.0.12
    Verbose output, stealth SYN scan, T5 timing, OS and version detection plus traceroute and default scripts against the target's services.
  • nmap -v -p 1-65535 -sV -O -sS -T4 10.0.0.12
    Verbose output, stealth SYN scan, T4 timing, OS and version detection over the full port range.


You can also scan multiple addresses at once by listing them in one command:

nmap 10.0.0.12,13,15

or

nmap 10.0.0.12-14

The -iL option reads the list of targets from a plain text file. This is useful when you want to scan a large number of hosts or networks. Create a text file as in this example:

cat > /tmp/test_list.txt

and enter some hosts into it (preferably local ones):

10.0.0.12
10.0.0.13
10.0.0.0/24

Then run nmap with the following command:

nmap -iL /tmp/test_list.txt

If you do not want to touch some hosts or networks during scanning, use the --exclude option so nmap ignores them:

nmap 10.0.0.0/24 --exclude 10.0.0.15

In the same way, the list created above can be passed with the --excludefile option:

nmap 10.0.0.0/24 --excludefile /tmp/test_list.txt
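Before handing a target file and an exclude file to nmap, it is worth checking what the effective scope actually is: a typo or an entry outside the authorized range is easy to miss in a long list. The script below is an added example (not code from the original article or from the Nmap project) that expands the entries the way -iL and --exclude/--excludefile do, drops excluded addresses, and reports anything unparsable or outside an assumed authorized range. The file contents, the 10.0.0.0/8 "allowed" range and the nmap_argv helper are constructed for the example.

```python
"""Check an nmap target list and exclude list before the scan is run.

Added example, not code from the original article. It reproduces what
nmap does with -iL and --exclude/--excludefile (expand every entry, drop
the excluded addresses) so the effective scope can be reviewed first.
The file contents and the authorized range are constructed for the example.
"""
import ipaddress

# Constructed sample: the entries from the article's /tmp/test_list.txt plus
# one typo (300 is not a valid octet) and one network outside the lab range.
TARGET_LIST = """\
10.0.0.12
10.0.0.13
10.0.0.0/24
10.0.0.300
192.168.1.0/24
"""
EXCLUDE_LIST = "10.0.0.15\n"

# Assumed authorized range for this example; nothing outside it is counted.
ALLOWED_SCOPE = ipaddress.ip_network("10.0.0.0/8")


def parse_entries(text):
    """Parse one IP or CIDR per line; return (networks, unparsable_lines).

    Hostnames are rejected on purpose: resolve them first so the scope
    file only contains addresses you can check against the allowed range.
    """
    networks, rejected = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # this script treats '#' as a comment
        if not line:
            continue
        try:
            # strict=False lets "10.0.0.12" parse as a /32 and "10.0.0.5/24"
            # as its containing network, the way nmap expands CIDR targets.
            networks.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            rejected.append(line)
    return networks, rejected


def effective_scope(targets_text, excludes_text, allowed=ALLOWED_SCOPE):
    """Return the number of addresses nmap would probe plus the problems found.

    All addresses of a network are expanded (nmap probes .0 and .255 of a
    /24 too), duplicates collapse into one set, then excludes are removed.
    """
    targets, bad_targets = parse_entries(targets_text)
    excludes, bad_excludes = parse_entries(excludes_text)

    in_scope, out_of_scope = [], []
    for net in targets:
        if net.version == allowed.version and net.subnet_of(allowed):
            in_scope.append(net)
        else:
            out_of_scope.append(str(net))

    hosts = set()
    for net in in_scope:
        hosts.update(net)  # iterating a network yields every address in it
    for net in excludes:
        hosts.difference_update(net)

    return {
        "host_count": len(hosts),
        "rejected": bad_targets + bad_excludes,
        "out_of_scope": out_of_scope,
    }


def nmap_argv(target_file, exclude_file, *scan_args):
    """Build the argv for the scan the article describes (not executed here)."""
    return ["nmap", *scan_args, "-iL", target_file, "--excludefile", exclude_file]


if __name__ == "__main__":
    report = effective_scope(TARGET_LIST, EXCLUDE_LIST)
    print(f"{report['host_count']} addresses would be scanned")
    print("unparsable entries:", report["rejected"])
    print("outside authorized range:", report["out_of_scope"])
    if not report["rejected"] and not report["out_of_scope"]:
        print("ready:", " ".join(nmap_argv("/tmp/test_list.txt", "/tmp/exclude.txt", "-sn")))
    else:
        print("fix the scope files before scanning")
```

With the sample input, 10.0.0.12 and 10.0.0.13 are already covered by 10.0.0.0/24, so the 256 addresses of the /24 minus the excluded 10.0.0.15 give 255 targets, while 10.0.0.300 is reported as unparsable and 192.168.1.0/24 as outside the allowed range.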

For example, if you know that a host is protected by a firewall (so it does not answer ping), you can skip host discovery with the following option (-PN is the older spelling of -Pn):

nmap -PN 10.0.0.12

The quickest way to find all devices in the network with open ports (T5 timing trades some accuracy for speed):

nmap -T5 10.0.0.0/24


Typically nmap can be used for:

  • Auditing the security of a device or firewall by identifying the network connections which can be made to, or through it.
  • Identifying open ports on a target host in preparation for auditing.
  • Network inventory, network mapping, maintenance and asset management.
  • Auditing the security of a network by identifying new servers.
  • Generating traffic to hosts on a network, response analysis and response time measurement.
  • Finding and exploiting vulnerabilities in a network.
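The inventory and "identifying new servers" uses above come down to comparing a scan result against what the asset register says should be there. The script below is an added example (not code from the original article or from the Nmap project) that parses the XML nmap writes with -oX, keeps only hosts reported up and their open ports, and diffs that against a baseline so new hosts, newly opened ports and ports that disappeared are listed for review. The XML document and the baseline dictionary are constructed for the example.

```python
"""Diff an nmap XML result against a known inventory to spot new servers.

Added example, not code from the original article. It parses the -oX
output format for the fields an inventory needs (host up/down, address,
open ports) and reports hosts and ports that are not in the baseline.
The XML below and the baseline are constructed for the example.
"""
import xml.etree.ElementTree as ET

# Constructed sample in the shape of `nmap -sS -p 22,80,443,3389 -oX - 10.0.0.0/24`
# output, trimmed to the elements this script reads.
SCAN_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -p 22,80,443,3389 -oX - 10.0.0.0/24">
  <host><status state="up"/><address addr="10.0.0.12" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
      <port protocol="tcp" portid="443"><state state="closed"/></port>
    </ports></host>
  <host><status state="up"/><address addr="10.0.0.13" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="443"><state state="filtered"/></port>
    </ports></host>
  <host><status state="down"/><address addr="10.0.0.14" addrtype="ipv4"/></host>
  <host><status state="up"/><address addr="10.0.0.20" addrtype="ipv4"/>
    <address addr="00:11:22:33:44:55" addrtype="mac"/>
    <ports>
      <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
    </ports></host>
</nmaprun>
"""

# Constructed baseline: what the asset register says should be reachable.
BASELINE = {"10.0.0.12": {22}, "10.0.0.13": {22, 443}}


def parse_open_ports(xml_text):
    """Map each host reported up to its set of open port numbers."""
    # ElementTree is fine here because the input comes from your own scanner;
    # use defusedxml for XML you did not produce yourself.
    root = ET.fromstring(xml_text)
    inventory = {}
    for host in root.iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # hosts that were down have no ports to inventory
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue  # skip entries that only carry a MAC address
        open_ports = set()
        for port in host.iter("port"):
            state = port.find("state")
            if state is not None and state.get("state") == "open":
                open_ports.add(int(port.get("portid")))
        inventory[addr.get("addr")] = open_ports
    return inventory


def diff_inventory(baseline, current):
    """Compare a scan against the baseline; every non-empty key needs review."""
    report = {"new_hosts": {}, "new_ports": {}, "closed_ports": {}, "missing_hosts": []}
    for host, ports in current.items():
        if host not in baseline:
            report["new_hosts"][host] = ports
            continue
        if ports - baseline[host]:
            report["new_ports"][host] = ports - baseline[host]
        if baseline[host] - ports:
            report["closed_ports"][host] = baseline[host] - ports
    report["missing_hosts"] = sorted(h for h in baseline if h not in current)
    return report


if __name__ == "__main__":
    result = diff_inventory(BASELINE, parse_open_ports(SCAN_XML))
    for key, value in result.items():
        print(f"{key}: {value}")
```

On the sample data the report shows 10.0.0.20 as a new host with 3389 open, port 80 as newly open on 10.0.0.12, and 443 on 10.0.0.13 no longer open (it is filtered in the scan), which is exactly the kind of change a periodic scan is meant to surface.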

Find more information about Nmap in our scanners list.