Latest revision as of 20:38, 26 May 2025

For my 2025 Nmap Short Course, see Nmap/Short Course

How To Use

Nmap is a really really complicated tool, so consult the extensive manual to really use it properly.

The Man Page

$ man nmap

The Short Version

You run nmap like this:

Usage: nmap [Scan Type(s)] [Options] {target specification}

If you read through the manual, it is organized this way:

first, target specification is covered
then, increasingly intrusive levels of scan type are described in order
within each chapter on a scan type, the different options are described

Basic Network Scans

DNS Only for Host Discovery

The Host Discovery section (http://nmap.org/book/man-host-discovery.html) starts by covering basic host discovery, with least intrusive first. In this case, a list lookup doesn't even send packets to the specified addresses, it just does a DNS lookup on them.

nmap -sS 10.0.0.0/24

The target specification section (http://nmap.org/book/man-target-specification.html) covers what the ip address range above means, and I'll explain here too. The trailing /24 means, all permutations of the last 24 bits (that is, 0-254, the normal range of IP addresses).

Fast Scan

To do a fast scan, which only scans the lowest 100 ports, use the -F flag:

$ nmap -F 192.168.0.*

This is a good way to quickly discover the most common services running on other network nodes.

Aggressive Network Scan

To do a more advanced/aggressive network scan, can do something like:

$ nmap -sS -sV -A 10.0.0.27

where -A is for aggressive, attempts to determine version numbers of running services as well as return information about the operating system.

UPnP

See Nmap/UPnP

Flags

Template:NmapFlag

@@ Line 1: / Line 1: @@
+For my 2025 Nmap Short Course, see [[Nmap/Short Course]]
 =How To Use=
 Nmap is a really really complicated tool, so consult the extensive manual to really use it properly.
-==The Brief Summary==
+==The Man Page==
-This is the short version.
 <pre>
@@ Line 25: / Line 25: @@
-=Basic Network Scan=
+=Basic Network Scans=
+==DNS Only for Host Discovery==
-The Host Discovery section (http://nmap.org/book/man-host-discovery.html) starts by covering basic host discovery, with least intrusive first. In this case, a list lookup doesn't even send packets to the specified addresses, it just does a dns lookup on them.
+The Host Discovery section (http://nmap.org/book/man-host-discovery.html) starts by covering basic host discovery, with least intrusive first. In this case, a list lookup doesn't even send packets to the specified addresses, it just does a [[Linux/DNS|DNS]] lookup on them.
 <pre>
-nmap -sL 10.0.0.0/24
+nmap -sS 10.0.0.0/24
 </pre>
 The target specification section (http://nmap.org/book/man-target-specification.html) covers what the ip address range above means, and I'll explain here too. The trailing <code>/24</code> means, all permutations of the last 24 bits (that is, 0-254, the normal range of IP addresses).
+==Fast Scan==
+To do a fast scan, which only scans the lowest 100 ports, use the <code>-F</code> flag:
+<pre>
+$ nmap -F 192.168.0.*
+</pre>
+This is a good way to quickly discover the most common services running on other network nodes.
+==Aggressive Network Scan==
+To do a more advanced/aggressive network scan, can do something like:
+<pre>
+$ nmap -sS -sV -A 10.0.0.27
+</pre>
+where <code>-A</code> is for aggressive, attempts to determine version numbers of running services as well as return information about the operating system.
+=UPnP=
+See [[Nmap/UPnP]]
+=Flags=
+{{KaliFlag}}
+{{NmapFlag}}
+[[Category:Nmap]]

Nmap: Difference between revisions

From charlesreid1