
Nmap: The Ultimate Network Scanning Tool


Main Options

  • -sT: TCP connect scan; prefer the SYN scan (-sS), which is quicker and stealthier.
  • -sS: TCP SYN scan, also known as half-open scanning; quite unobtrusive and stealthy, since it never completes the TCP connection.
  • -sU: UDP scan.
  • -sP: ping scan for host discovery; an ICMP echo request is sent.
  • -PR: ARP scan.
  • -F: fast scan, only scans the ports listed in the nmap-services file.
  • -p1-65535: port range, here all ports.
  • -PN: force the scan even if the address does not answer the ping.
  • -P0: same as -PN.
  • -O: try to determine the target OS.
  • -oG: save the results to a file (grepable format).
  • -n: disable DNS resolution.
  • -R: enable DNS resolution.
  • -iR: scan random targets.

Examples

  • TCP connect scan of ports 1 to 65535, forced (no ping), with OS detection, against 192.168.1.1. Save the results to the file /tmp/001.
root@host:~# nmap -sT -p1-65535 -P0 -O -oG /tmp/001 192.168.1.1
  • Scan the hosts of the 192.168.1.0/24 network:
root@host:~# nmap 192.168.1.0-255
  • SYN scan of random hosts for the web service (port 80):
root@host:~# nmap -sS -iR 0 -p 80
  • Spoof the source address (10.0.0.0), scan host 10.0.0.1 and set the source port to 80:
root@host:~# nmap -S 10.0.0.0 -g 80 10.0.0.1
  • Host discovery scan of the 10.0.0.0/24 network. The result shows IP and MAC addresses:
root@host:~# nmap -sP 10.0.0.0/24
  • Complete scan of the scanme.nmap.org host: TCP SYN scan on all ports (-p-), the host is treated as up (-PN), aggressive scan (-A includes service version detection -sV, the script engine -sC, OS detection -O and --traceroute).
root@host:~# nmap -sS -PN -p- -A -T4 scanme.nmap.org
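The first example saves its results with -oG. The grepable format puts one tab-separated record per host, with every scanned port as a slash-separated `port/state/protocol/owner/service/rpc/version/` entry, which makes it easy to turn a scan into an inventory. The parser below is an added example, not code from this page or from the Nmap project; the sample file content is constructed (the hosts, ports and versions are made up) in the layout -oG produces.

```python
import re
from typing import Dict, List, NamedTuple

# Constructed sample of grepable (-oG) output, in the layout the page's first
# example writes to /tmp/001; hosts, ports and versions are made up.
SAMPLE_OG = """\
# Nmap 7.93 scan initiated Fri Dec  8 19:26:00 2023 as: nmap -sT -p1-65535 -P0 -O -oG /tmp/001 192.168.1.0/24
Host: 192.168.1.1 ()\tStatus: Up
Host: 192.168.1.1 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/open/tcp//http//nginx/, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///\tIgnored State: closed (65531)\tOS: Linux 5.4 - 5.10\tSeq Index: 256\tIP ID Seq: All zeros
Host: 192.168.1.20 (printer.lan)\tStatus: Up
Host: 192.168.1.20 (printer.lan)\tPorts: 9100/open/tcp//jetdirect///, 23/filtered/tcp//telnet///\tIgnored State: closed (65533)
# Nmap done at Fri Dec  8 19:26:40 2023 -- 256 IP addresses (2 hosts up) scanned in 40.12 seconds
"""

HOST_RE = re.compile(r"^Host: (\S+) \((.*?)\)$")   # "Host: 192.168.1.1 (name)"


class Port(NamedTuple):
    number: int
    state: str      # open, closed, filtered, open|filtered, ...
    proto: str      # tcp / udp
    service: str
    version: str    # only filled in when -sV or -A was used


def parse_grepable(text: str) -> Dict[str, dict]:
    """Parse -oG output into {ip: {hostname, status, ports, os}}."""
    hosts: Dict[str, dict] = {}
    for line in text.splitlines():
        if not line.startswith("Host: "):
            continue                      # "#" comment lines carry no host data
        fields = line.split("\t")         # records are tab-separated
        m = HOST_RE.match(fields[0])
        if not m:
            continue
        ip, name = m.groups()
        host = hosts.setdefault(ip, {"hostname": name, "status": "", "ports": [], "os": ""})
        for field in fields[1:]:
            key, _, value = field.partition(": ")
            if key == "Status":
                host["status"] = value
            elif key == "Ports":
                for item in value.split(", "):
                    parts = item.split("/")   # port/state/proto/owner/service/rpc/version/
                    if len(parts) < 7:
                        continue
                    host["ports"].append(Port(int(parts[0]), parts[1], parts[2], parts[4], parts[6]))
            elif key == "OS":
                host["os"] = value
    return hosts


def open_ports(host: dict) -> List[Port]:
    return [p for p in host["ports"] if p.state == "open"]


def hosts_exposing(hosts: Dict[str, dict], port: int, proto: str = "tcp") -> List[str]:
    """IPs on which the given port is open, e.g. every host still serving SMB on 445."""
    return sorted(
        ip for ip, h in hosts.items()
        if any(p.number == port and p.proto == proto and p.state == "open" for p in h["ports"])
    )


if __name__ == "__main__":
    inventory = parse_grepable(SAMPLE_OG)
    for ip, host in inventory.items():
        opened = ", ".join(f"{p.number}/{p.proto} {p.service} {p.version}".strip() for p in open_ports(host))
        print(f"{ip} ({host['hostname'] or '-'}) os={host['os'] or '?'}: {opened}")
    print("hosts with 445/tcp open:", hosts_exposing(inventory, 445))
```

Run it against a real file with `parse_grepable(open("/tmp/001").read())`; the same function works for the output of any of the commands above as long as they were run with -oG.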

SSH Algorithm Scan

  • Show the algorithms that the target SSH2 server offers; this is useful when encountering the following message: "Unable to negotiate with 192.168.1.1 port 22: no matching host key type found. Their offer: ssh-rsa,ssh-dss":
root@host:~# nmap -p 22 --script ssh2-enum-algos 192.168.1.1
Starting Nmap 7.93 ( https://nmap.org ) at 2023-12-08 19:26 CET
Nmap scan report for 192.168.1.1
Host is up (0.0056s latency).

PORT   STATE SERVICE
22/tcp open  ssh
| ssh2-enum-algos:
|   kex_algorithms: (3)
|       diffie-hellman-group16-sha512
|       diffie-hellman-group14-sha1
|       diffie-hellman-group1-sha1
|   server_host_key_algorithms: (2)
|       ssh-rsa
|       ssh-dss
|   encryption_algorithms: (4)
|       aes128-ctr
|       aes192-ctr
|       aes256-ctr
|       chacha20-poly1305@openssh.com
|   mac_algorithms: (3)
|       hmac-sha2-256
|       hmac-sha2-512
|       hmac-sha1
|   compression_algorithms: (1)
|_      none

Nmap done: 1 IP address (1 host up) scanned in 0.60 seconds
  • Based on the reported information, we can deduce the SSH algorithms to configure:
root@host:~# ssh -o KexAlgorithms=+diffie-hellman-group16-sha512 -o HostKeyAlgorithms=+ssh-rsa 192.168.1.1

SMB Version Scan

The SMBv1 protocol is obsolete and can be abused by attackers, so it is a good idea to identify which servers still use it in order to disable it. For this we can use the smb-protocols script, which lists the SMB protocol versions (dialects) a host supports.

  • To display the SMB versions in use, run the following command (here scanning the IP 192.168.1.1):
root@host:~# nmap -p 139,445 --script smb-protocols 192.168.1.1
Starting Nmap 7.93 ( https://nmap.org ) at 2025-02-08 10:28 CET
Nmap scan report for share.std.rocks (192.168.1.1)
Host is up (0.00052s latency).

PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Host script results:
| smb-protocols:
|   dialects:
|     NT LM 0.12 (SMBv1) [dangerous, but default]
|     202
|     210
|     300
|     302
|_    311

Nmap done: 1 IP address (1 host up) scanned in 6.36 seconds
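Both the ssh2-enum-algos and the smb-protocols results above use the same NSE output layout: a `| script:` header, indented categories and indented values. When many hosts are scanned it is more practical to parse that block than to read it by eye. The following is an added example, not code from this page or from the Nmap project: it parses the two outputs shown above (the sample text is copied from them) and flags the SSH algorithms and SMB dialects worth removing. The list of flagged SSH algorithms, with its reasons, is my own choice following common hardening guidance, not something Nmap reports.

```python
import re
from typing import Dict, List, Tuple

# NSE output copied from the two scans on this page (headers and summary lines omitted).
SSH_SAMPLE = """\
| ssh2-enum-algos:
|   kex_algorithms: (3)
|       diffie-hellman-group16-sha512
|       diffie-hellman-group14-sha1
|       diffie-hellman-group1-sha1
|   server_host_key_algorithms: (2)
|       ssh-rsa
|       ssh-dss
|   encryption_algorithms: (4)
|       aes128-ctr
|       aes192-ctr
|       aes256-ctr
|       chacha20-poly1305@openssh.com
|   mac_algorithms: (3)
|       hmac-sha2-256
|       hmac-sha2-512
|       hmac-sha1
|   compression_algorithms: (1)
|_      none
"""

SMB_SAMPLE = """\
Host script results:
| smb-protocols:
|   dialects:
|     NT LM 0.12 (SMBv1) [dangerous, but default]
|     202
|     210
|     300
|     302
|_    311
"""

ScriptResults = Dict[str, Dict[str, List[str]]]
CATEGORY_RE = re.compile(r"^(\w+):\s*(\(\d+\))?$")   # "kex_algorithms: (3)", "dialects:"

# Assumption: algorithms flagged here follow common SSH hardening guidance; adapt to your policy.
FLAGGED_SSH = {
    "kex_algorithms": {
        "diffie-hellman-group1-sha1": "1024-bit group with SHA-1",
        "diffie-hellman-group14-sha1": "SHA-1 based key exchange",
    },
    "server_host_key_algorithms": {
        "ssh-dss": "1024-bit DSA, dropped by OpenSSH",
        "ssh-rsa": "RSA with SHA-1 signatures, disabled by default since OpenSSH 8.8",
    },
    "mac_algorithms": {
        "hmac-sha1": "SHA-1 based MAC",
        "hmac-md5": "MD5 based MAC",
    },
}


def parse_nse_output(text: str) -> ScriptResults:
    """Turn the '|'-prefixed NSE lines of a scan report into
    {script: {category: [values]}}, using indentation for nesting."""
    scripts: ScriptResults = {}
    script = category = None
    for raw in text.splitlines():
        if not raw.startswith("|"):
            continue                       # port table, headers, summary line
        body = raw.lstrip("|_")            # drop the "| " / "|_" margin
        indent = len(body) - len(body.lstrip(" "))
        line = body.strip()
        if not line:
            continue
        if indent <= 1 and line.endswith(":"):      # script header, e.g. "ssh2-enum-algos:"
            script, category = line[:-1], None
            scripts[script] = {}
        elif script is not None:
            m = CATEGORY_RE.match(line)
            if m:                                   # category line, e.g. "kex_algorithms: (3)"
                category = m.group(1)
                scripts[script][category] = []
            elif category is not None:              # value line
                scripts[script][category].append(line)
    return scripts


def weak_ssh_algorithms(scripts: ScriptResults) -> List[Tuple[str, str, str]]:
    """(category, algorithm, reason) for every offered algorithm in FLAGGED_SSH."""
    findings = []
    for category, offered in scripts.get("ssh2-enum-algos", {}).items():
        for algo in offered:
            reason = FLAGGED_SSH.get(category, {}).get(algo)
            if reason:
                findings.append((category, algo, reason))
    return findings


def smbv1_enabled(scripts: ScriptResults) -> bool:
    """True when the smb-protocols dialect list still contains the SMBv1 dialect."""
    dialects = scripts.get("smb-protocols", {}).get("dialects", [])
    return any("SMBv1" in d or d.startswith("NT LM 0.12") for d in dialects)


if __name__ == "__main__":
    for category, algo, reason in weak_ssh_algorithms(parse_nse_output(SSH_SAMPLE)):
        print(f"SSH {category}: {algo} ({reason})")
    print("SMBv1 enabled:", smbv1_enabled(parse_nse_output(SMB_SAMPLE)))
```

On the two outputs above this flags the SHA-1 key exchanges, both host key types (the same ssh-rsa and ssh-dss that produce the "no matching host key type found" message on a modern client) and hmac-sha1 for the SSH host, and reports SMBv1 as enabled for the file server. Feed it the full text of a scan run over a whole range, and the same two functions give the list of hosts to fix.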

Sources: tux-planet, nmap.org

This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
