192.168.100.1-50 IP Range
192.168.100.1/24 CIDR Spec.
-iL Filename IP Addr File
-iR Random Targets
--exclude Exclude IP
--exclude-file Exclude List
Scan Techniques
-sS TCP SYN Scan
-sT TCP Connect Scan
-sF FIN Scan
-sA ACK Scan
-sW Window Scan
-sM Maimon Scan
-sL List Targets
-sn Host Up/Down (No Port Scan)
-Pn Scan (No ping)
-PS <port list> TCP SYN Ping
-PA <port list> TCP ACK Ping
-PU <port list> UDP Ping
-PY <port list> SCTP INIT Ping
-PE; -PP; -PM ICMP Ping
-PO <protocol list> Protocol Ping
-PR ARP Ping
--disable-arp-ping No ARP Ping
--traceroute Trace path
Port Scanning
-p- Scan All Ports
-sU Scan UDP Ports
-r Don’t Randomise Ports
-sF FIN Scan
-sX X-Mas Scan
-sN NULL Scan
-sZ SCTP Cookie Echo Scan
-b <ftp Host> FTP Bounce
--top-ports 'value' Scans Top Ports
Protocol Scan
-sO IP Protocol Scan
OS/service/version Detection
-O Detect OS
-sV Version Detection
--osscan-guess Guess OS
--max-os-tries Max Tries
--version-intensity 0 To 9
--version-light Intensity 2
--version-all Try Every Single Probe
--version-trace Detailed Version Scan
Timing/performance
-T<0-5> 5 Is The Fastest
-F Fast Scan, Fewer Ports
--max-retries <num> Retransmissions
--host-timeout <time> Give Up After <time>
--scan-delay <time> Delay Probes
Firewall/IDS/IPS Evasion And Spoofing
-sI <zombie host>[:<port>] Idle Scan
-D IP Decoy Hosts
-f Fragment Packets
-S <IP_address> Spoof Source Address
-e <interface> use Specified Interface
-g <port> Spoof Source Port
--source-port <port> spoof Source Port
--data <hex String> Add Custom Binary To Packets
--data-string <string> Add Custom String To Packets
--data-length <number> Add Random Data To Packets
--ttl <value> Set IP Time-to-live Field
--randomize-hosts Randomize Target Host Order
--spoof-mac <MAC/Prefix> Spoof MAC Address
--proxies <Proxy list> Connect Via Proxies
--badsum Packets With Bogus Checksums
Output
-v verbose (-vv)
-oN Normal Output
-oG Grepable Output
-oX XML Output
--reason Filtered/Closed/Open Reason
--open Only Show Open Ports
--packet-trace Show All Packets Sent/Received
--iflist Print Interfaces And Routes
--log-errors Log Errors/warnings To Output
--append-output Append To Output File
--resume Resume An Aborted Scan
--stylesheet Transform XML to HTML
--webxml Portable XML
Misc Nmap Options
-6 Enable IPv6 Scanning
-A OS, Version, Script, Traceroute
-V Show Nmap Version Number
-h Help
--privileged Assume That The User Is Fully Privileged
--unprivileged Assume The User Lacks Raw Socket Privileges
--send-eth / --send-ip Send Using Raw Ethernet Frames Or IP Packets
Custom Scan
--scanflags <flags> Custom TCP Scan
Script Scan
-sC Same As --script
--script <script name> <IP> e.g. --script smb-check-vulns.nse 192.168.1.1
--script-args --script-args=unsafe=1
--script-args-file <filename> Add Args From A File
--script-trace Show All Data Sent And Received
--script-updatedb update Script Database
--script-help="Script" show Help About Scripts
Examples:
nmap -sV -v -p 139,445 10.0.1.0/24
nmap -sU --script nbstat.nse -p 137 10.0.1.12
nmap --script-args=unsafe=1 --script smb-check-vulns.nse -p 445 10.0.0.1
Scanning Techniques
-sP (Ping Scan)
- Used to find out whether the host is up or down.
-sS (TCP SYN Scan) (Half-Open)
- It is fast and stealthy.
- Never completes the TCP handshake.
- Differentiates between open, closed and filtered ports.
- The target computer won't be able to create any log of the interaction because no session was initiated.
-sT (TCP Connect Scan) (Handshake)
- Completes the TCP handshake.
- Target machines are more likely to log the connection.
- An IDS will catch it, and some Unix systems will add it to syslog.
-sU (UDP Scan) (Slow)
- We send the target a UDP probe; if it fires back an ICMP unreachable packet, the port is closed.
- If nothing comes back, the target has either received the packet or quietly dropped it, which means the port is either open or filtered respectively.
- A positive response is received when the corresponding port is open.
-sF (FIN Scan) (End of Connection)
- A packet is sent to each TCP port with the FIN bit set.
- The FIN bit indicates the end of a TCP session.
- An RST response indicates the port is closed.
- No response indicates that the port is listening.
- Keep in mind, however, that Windows PCs do not comply with RFC 793; therefore they do not provide accurate results with this type of scan.
-sX (Xmas Scan) (Mixed)
- URG: indicates that the data is urgent and should be processed immediately.
- PSH: forces data to a buffer.
- FIN: used when finishing a TCP session.
- A TCP connection should not be made with all three of these flags set.
- If the port is open, the packets will be ignored.
- An RST response indicates the port is closed.
-sN (Null Scan)
- Used to identify listening TCP ports.
- It is a series of TCP packets that contain a sequence number of 0 and no set flags.
- The target responds with an RST packet if the port is closed.
- If the port is open, the host ignores the packet and no response arrives.
- Because the Null scan does not contain any set flags, it can sometimes penetrate firewalls and edge routers that filter incoming packets with particular flags.
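The flag combinations described for the SYN, FIN, Xmas and Null scans are also what a defender looks for in firewall or capture logs. The following is an added example (not part of the original cheat sheet and not Nmap code): it maps a flag string such as "FPU" to the scan type whose probe carries it, records what the sender learns from each kind of reply (RST means closed, silence means open or filtered), and flags any source that hit several distinct ports with the same stealth probe. The packet records in SAMPLE_PACKETS are constructed for the example, and the min_ports threshold is an assumed starting value.

```python
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# TCP flag letters as printed by packet-capture and firewall tools, mapped to
# their bit positions in the TCP flags byte (RFC 793).
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}
FIN, SYN, RST, PSH, ACK, URG = (FLAG_BITS[c] for c in "FSRPAU")


def parse_flags(text: str) -> int:
    """Turn a flag string such as 'FPU' into the flags byte; '' or '-' means no flags set."""
    text = text.strip().upper()
    if text in ("", "-"):
        return 0
    bits = 0
    for ch in text:
        if ch not in FLAG_BITS:
            raise ValueError(f"unknown TCP flag letter {ch!r}")
        bits |= FLAG_BITS[ch]
    return bits


def probe_type(flags: int) -> str:
    """Name the scan whose probe carries exactly this flag combination."""
    if flags == 0:
        return "null"   # -sN: no flags at all
    if flags == FIN:
        return "fin"    # -sF: FIN only
    if flags == FIN | PSH | URG:
        return "xmas"   # -sX: FIN+PSH+URG, never seen in a real connection
    if flags == SYN:
        return "syn"    # -sS/-sT first packet, also any normal connection attempt
    if flags == ACK:
        return "ack"    # -sA
    return "other"


def scanner_inference(kind: str, reply: Optional[str]) -> str:
    """What the sender learns from the target's reply, following the notes above.

    reply is 'syn-ack', 'rst', 'icmp-unreachable' or None (nothing came back).
    """
    if kind == "syn":
        return {"syn-ack": "open", "rst": "closed"}.get(reply, "filtered")
    if kind in ("fin", "xmas", "null"):
        if reply == "rst":
            return "closed"          # an RST means the port is closed
        if reply is None:
            return "open|filtered"   # silence: open, or dropped by a filter
        return "filtered"            # an ICMP error means a filter is in the way
    if kind == "ack":
        return "unfiltered" if reply == "rst" else "filtered"
    return "unknown"


# Constructed sample of inbound packets: (source IP, destination port, flag string).
SAMPLE_PACKETS: List[Tuple[str, int, str]] = [
    ("203.0.113.9", 21, "-"), ("203.0.113.9", 22, "-"), ("203.0.113.9", 23, "-"),
    ("203.0.113.9", 25, "-"), ("203.0.113.9", 80, "-"), ("203.0.113.9", 443, "-"),
    ("198.51.100.7", 22, "FPU"), ("198.51.100.7", 80, "FPU"), ("198.51.100.7", 443, "FPU"),
    ("192.0.2.40", 443, "S"), ("192.0.2.40", 443, "A"), ("192.0.2.40", 443, "PA"),
]


def detect_scans(records, min_ports: int = 5) -> Dict[Tuple[str, str], List[int]]:
    """Report (source, probe type) pairs that touched at least min_ports distinct ports.

    The distinct-port threshold separates a sweep from a client that simply opened
    a few connections; the default of 5 is an assumed starting point, tune it per environment.
    """
    touched = defaultdict(set)
    for src, port, flags in records:
        kind = probe_type(parse_flags(flags))
        if kind in ("syn", "fin", "xmas", "null"):
            touched[(src, kind)].add(port)
    return {key: sorted(ports) for key, ports in touched.items() if len(ports) >= min_ports}


if __name__ == "__main__":
    for (src, kind), ports in detect_scans(SAMPLE_PACKETS).items():
        print(f"{src}: {kind} probes against {len(ports)} ports {ports}")
```

With the constructed sample, only 203.0.113.9 crosses the default threshold (six Null probes); the three Xmas probes from 198.51.100.7 only show up if min_ports is lowered, which illustrates why the threshold, not the flag signature alone, decides what gets alerted on.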
Source Nmap.org