Basic Scan on a Single IP:
nmap -sn <target IP address>
-sn: Ping Scan - disable port scan
Basic Scan on an Entire Subnet:
nmap -sn 198.165.222.0/24
or
nmap -sn 198.165.222.0-255
Scan Using an Input File:
nmap -sn -iL <inputfilename>
-iL <inputfilename>: Input from list of hosts/networks
Reason Scan:
NMAP provides a reason for every port reported as open.
nmap --reason <target IP address>
--reason: Display the reason a port is in a particular state
Supported Protocols:
Determines which IP protocols are supported by the target.
nmap -sO <target IP address>
-sO: IP protocol scan
Firewall Probe:
The TCP ACK scan (-sA) offers a way to probe whether scans are being filtered by an intermediate device such as a firewall.
nmap -sA <target IP address>
Quick TCP Scan:
nmap -T4 -F <target IP address>
-T<0-5>: Set timing template (higher is faster)
-F: Fast mode - Scan fewer ports than the default scan
Service Enumeration:
nmap -sV <target IP address>
UDP Port Scan:
nmap -sU -p 1-1024 <target IP address>
The -sU parameter tells the NMAP engine to scan UDP ports, while -p 1-1024 limits the scan to ports 1 to 1024.
OS Detection:
nmap -O <target IP address>
Intense Scan:
The commands above use NMAP for individual tasks such as port scanning, service enumeration, and OS detection. It is also possible to perform all of these tasks with a single command.
nmap -T4 -A -v <target IP address>
HTTP Enumeration:
nmap --script http-enum <target IP address>
It shows various interesting directories hosted on the web server.
HTTP supports various methods such as GET, POST, DELETE, and so on. Sometimes these methods are left enabled on the web server unnecessarily. You can use the NMAP script http-methods to enumerate the HTTP methods allowed on the target system.
nmap --script http-methods <target IP address>
Additional NMAP scripts for HTTP enumeration:
http-title
http-trace
http-fetch
http-method-tamper
http-wordpress-enum
http-devframework
http NSE Library
SMB Enumeration:
Server Message Block (SMB) is a protocol extensively used for network file sharing. If you find a target with port 445 open, you can enumerate it further using NMAP scripts.
nmap -p 445 --script smb-os-discovery <target IP address>
Use the command below to list the SMB shares on the target system:
nmap -p 445 --script smb-enum-shares <target IP address>
The following are some additional NMAP scripts for SMB enumeration:
smb-vuln-ms17-010
smb-protocols
smb-mbenum
smb-enum-users
smb-enum-processes
smb-enum-services
DNS Enumeration:
DNS runs on port 53 by default.
nmap -p 53 -A -v <target IP address>
The following are some additional NMAP scripts for DNS enumeration:
dns-cache-snoop
dns-service-discovery
dns-recursion
dns-brute
dns-zone-transfer
dns-nsid
dns-nsec-enum
dns-fuzz
dns-srv-enum
FTP Enumeration:
FTP runs on port 21 by default. Running the scripts
ftp-syst
ftp-anon
shows the FTP server version details and reveals whether the server accepts anonymous connections.
If the target is running the vsftpd server, you can try another NMAP script that checks whether that FTP server is vulnerable: the script ftp-vsftpd-backdoor.
The following are some additional NMAP scripts for FTP enumeration:
ftp-brute
ftp NSE
ftp-bounce
ftp-vuln-cve2010-4221
ftp-libopie
MySQL Enumeration:
nmap --script mysql-info <target IP address>
The following are some additional NMAP scripts for MySQL enumeration:
mysql-databases
mysql-enum
mysql-brute
mysql-query
mysql-empty-password
mysql-vuln-cve2012-2122
mysql-users
mysql-variables
SSH Enumeration:
SSH runs on port 22 by default.
nmap --script ssh2-enum-algos <target IP address>
The following are some additional NMAP scripts for SSH enumeration:
ssh-brute
ssh-auth-methods
ssh-run
ssh-hostkey
sshv1
ssh-publickey-acceptance
SMTP Enumeration:
SMTP runs on port 25 by default. NMAP scripts can reveal several weaknesses in an SMTP server, such as open relaying, acceptance of arbitrary commands, and so on. The smtp-commands script lets you see all the commands the server makes available.
nmap --script smtp-commands <target IP address>
It lists the various commands that the target SMTP server accepts.
NMAP also has a script called smtp-open-relay that checks whether the target SMTP server allows open relaying.
nmap --script smtp-open-relay <target IP address>
The following are some additional NMAP scripts for SMTP enumeration:
smtp-enum-users
smtp-commands
smtp-brute
smtp-ntlm-info
smtp-strangeport
smtp-vuln-cve2011-1764
VNC (Virtual Network Computing) Enumeration:
The protocol is commonly used for remote graphical desktop sharing. It runs on port 5900 by default. The vnc-info script shows version details along with the authentication type.
nmap --script vnc-info <target IP address>
The following are some additional NMAP scripts for VNC enumeration:
vnc-brute
realvnc-auth-bypass
vnc-title
Service Banner Grabbing:
Any service running on a system usually has a banner associated with it. A banner normally contains server version information and may even contain organization-specific information such as disclaimers, warnings, or some corporate e-mail addresses.
nmap --script banner <target IP address>
Detecting Vulnerabilities:
To use NMAP as a vulnerability scanner, you first need to download and install some additional scripts if they are not already in your Nmap scripts folder:
https://github.com/vulnersCom/nmap-vulners.git
https://github.com/scipag/vulscan.git
nmap -sV --script nmap-vulners <target IP address>
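As an added example that is not part of the original cheat sheet, this Python script parses the XML that nmap writes with -oX for the scans above and turns it into a review list: open ports that are not in an approved baseline, plus risky NSE results such as an ftp-anon hit. The sample XML, the 192.0.2.10 host and the baseline set are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample of nmap -oX output, trimmed to the elements this parser reads.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
<host><status state="up"/><address addr="192.0.2.10" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="21"><state state="open"/>
<service name="ftp" product="vsftpd" version="2.3.4"/>
<script id="ftp-anon" output="Anonymous FTP login allowed (FTP code 230)"/></port>
<port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/>
<script id="smb-os-discovery" output="OS: Windows 7 Professional 7601 Service Pack 1"/></port>
<port protocol="tcp" portid="8080"><state state="filtered"/><service name="http-proxy"/></port>
</ports></host></nmaprun>"""

def parse_nmap_xml(xml_text):
    """Flatten nmap XML into one dict per port, keeping NSE script output keyed by script id."""
    findings = []
    for host in ET.fromstring(xml_text).iter("host"):
        ip = host.find("address").get("addr")
        for port in host.iter("port"):
            svc = port.find("service")
            findings.append({
                "ip": ip,
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "state": port.find("state").get("state"),
                "service": svc.get("name", "") if svc is not None else "",
                "product": " ".join(svc.get(k, "") for k in ("product", "version")).strip()
                           if svc is not None else "",
                "scripts": {s.get("id"): s.get("output", "") for s in port.findall("script")},
            })
    return findings

def review(findings, baseline_ports):
    """Return follow-up items: open ports outside the approved baseline and risky NSE results."""
    issues = []
    for f in findings:
        if f["state"] != "open":
            continue  # closed/filtered ports are not exposure
        where = f"{f['ip']}:{f['port']}/{f['proto']} ({f['service'] or 'unknown'})"
        if f["port"] not in baseline_ports:
            issues.append(f"{where} is open but not in the approved baseline")
        if "allowed" in f["scripts"].get("ftp-anon", ""):
            issues.append(f"{where} accepts anonymous FTP logins")
    return issues

if __name__ == "__main__":
    for line in review(parse_nmap_xml(SAMPLE_XML), baseline_ports={445}):
        print(line)
```

Point it at a real file with `parse_nmap_xml(open("scan.xml").read())` after running any of the commands above with `-oX scan.xml`.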