-iL <filename>: Read the list of target hosts from a file.
-iR <number of hosts>: Choose random targets (0 means keep scanning indefinitely).
Ex: nmap -Pn -sS -p 80 -iR 0 --open
-p <port ranges>: Only scan the specified ports (e.g. -p 22,80,443); -p- scans all 65535 ports.
-sL (List Scan): Simply lists each host of the network(s) specified, without scanning them.
-sn: No port scan, only host discovery (ping scan).
-Pn: Skip host discovery and treat every host as live.
-PS <portlist>: TCP SYN ping.
-n: No DNS resolution.
-R: DNS resolution for all targets.
-PE; -PP; -PM: ICMP ping types (echo, timestamp and netmask requests).
-PA <portlist>: TCP ACK ping.
-PU <portlist>: UDP ping.
Nmap Scan Types
• -sP (Ping Sweep) – Performs an ARP ping and ICMP echo request to determine whether a system is alive.
• -sS (TCP SYN Scan) – Determines that a system/port is alive by sending only a SYN and waiting for the SYN-ACK.
• -sU (UDP Scan) – Sends UDP probes; a UDP response shows the port is open, while an ICMP "destination unreachable" reply shows it is closed.
• -sT (TCP Connect Scan): Performs a full connection establishment using the connect() system call.
• -sN (Null scan): Does not set any flag bits (the TCP flags byte is 0).
• -sF (FIN Scan): Sets just the TCP FIN bit.
• -sX (Xmas scan): Sets the FIN, PSH and URG flags, lighting the packet up like a Christmas tree.
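As an added example (not code from the slides), the module below shows the two halves of what the scan types above describe: how the TCP flag combination of a probe identifies the scan type that sent it (the check a defender's packet filter or IDS rule performs), and how Nmap turns the reply to a SYN, Null/FIN/Xmas, ACK or UDP probe into a reported port state. The packet bytes and the reply values are constructed for the example; the state rules follow the Nmap reference guide.

```python
# Added example, not code from the slides. Packet bytes below are constructed.
import struct
from typing import Optional

# TCP flag bits in the flags byte (offset 13 of the TCP header)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def build_segment(flags: int, sport: int = 40000, dport: int = 80) -> bytes:
    """Construct a minimal 20-byte TCP header carrying the given flags."""
    data_offset = 5 << 4  # 5 x 32-bit words, no options
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0,
                       data_offset, flags, 1024, 0, 0)


def tcp_flags(segment: bytes) -> int:
    """Extract the flags byte from a raw TCP header."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    return segment[13]


def classify_probe(flags: int) -> str:
    """Name the Nmap scan type that sends a probe with this flag combination."""
    f = flags & (FIN | SYN | RST | PSH | ACK | URG)
    if f == 0:
        return "Null scan (-sN)"
    if f == FIN:
        return "FIN scan (-sF)"
    if f == FIN | PSH | URG:
        return "Xmas scan (-sX)"
    if f == SYN:
        return "SYN probe (-sS, -sT or -PS)"
    if f == ACK:
        return "ACK probe (-sA or -PA)"
    return "not a recognised Nmap probe"


def audit(segments) -> list:
    """Label each captured segment with the probe type it matches (detection view)."""
    return [classify_probe(tcp_flags(s)) for s in segments]


def tcp_state(probe_flags: int, reply_flags: Optional[int]) -> str:
    """Port state Nmap reports for a TCP probe; reply_flags is None when nothing came back."""
    kind = classify_probe(probe_flags)
    if kind.startswith("not"):
        return "unknown probe"
    if kind.startswith("ACK"):
        # an ACK probe only reveals whether a stateful firewall is in the way
        if reply_flags is not None and reply_flags & RST:
            return "unfiltered"
        return "filtered"
    if reply_flags is None:
        # no reply to a SYN means filtered; an RFC 793 stack also stays silent
        # on open ports for Null/FIN/Xmas probes, hence open|filtered
        return "filtered" if kind.startswith("SYN") else "open|filtered"
    if reply_flags & RST:
        return "closed"
    if kind.startswith("SYN") and (reply_flags & SYN) and (reply_flags & ACK):
        return "open"
    return "unexpected reply"


def udp_state(reply: Optional[str], icmp_code: Optional[int] = None) -> str:
    """Port state Nmap reports for a UDP probe: 'udp' payload, 'icmp' (type 3) or None."""
    if reply == "udp":
        return "open"
    if reply == "icmp":
        if icmp_code == 3:                  # port unreachable
            return "closed"
        if icmp_code in (1, 2, 9, 10, 13):  # other unreachable codes
            return "filtered"
        return "unexpected reply"
    if reply is None:
        return "open|filtered"
    return "unexpected reply"


if __name__ == "__main__":
    # constructed capture: a SYN probe, a Null probe and an Xmas probe
    capture = [build_segment(SYN), build_segment(0), build_segment(FIN | PSH | URG)]
    for label in audit(capture):
        print(label)
    print(tcp_state(SYN, SYN | ACK), tcp_state(FIN, None), udp_state("icmp", 3))
```

The classifier deliberately masks only the six classic flag bits, so ECN/CWR bits set by a modern stack do not hide a probe; the state functions make the asymmetry explicit that the slides hint at: a SYN scan gets a definite answer for open ports, while the stealth scans and UDP can only say open|filtered when nothing comes back.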
• Nmap sends a series of TCP and UDP packets to the remote host and examines practically every bit in the responses.
• Nmap compares the results to its nmap-os-db database of more than 2,600 known OS fingerprints and prints out the OS details if there is a match.
-O (Enable OS detection)
Nmap – Service Version and Enumeration!
• The nmap-services database is constantly updated with services, fingerprinting data and banners to identify remote ports and operating systems.
• -sV – runs roughly 30 NSE scripts (.nse files) to identify and enumerate the service that was detected earlier.
• -sC – runs the "default" set of roughly 200 NSE scripts (.nse files) to identify and enumerate the services and report the vulnerabilities identified.
• Optionally, a specific script set can be chosen with the --script option.
Nmap Service Enumeration!
• The difference between the two in action: a TCP scan with version detection (-sT + -sV = -sTV) compared with a regular TCP scan (-sT).
Nmap Scripting Engine (NSE) – What and Why?
• Nmap Scripting Engine scripts are written in Lua.
• Sophisticated version detection and OS detection. Example: smb-os-discovery.nse, http-cisco-anyconnect.nse, …
• Vulnerability detection. Example: tls-ticketbleed.nse, sslv2-drown.nse, …
• Malware detection. Example: http-google-malware.nse, …
• Vulnerability exploitation. Example: smb-psexec.nse, …
NSE – What? Where?
• Both -sC and --script use NSE. When no script is named, the "default" category is run: https://nmap.org/nsedoc/categories/default.html
Nmap Enumeration technique
• Notice how the service is not shell, even though the banner shows "Shell".
• So you need to use -sTV along for
Nmap Output Formatting