nmap
nmap is a powerful open-source network scanner used for network discovery and security auditing. This page summarizes common commands and options for penetration testing.
Common Commands
- AutoRecon (wrapper for nmap and more): autorecon 10.10.10.10
- Initial TCP scan: nmap -sC -sV -O 10.10.10.10
- Full TCP scan: nmap -sC -sV -O -p- 10.10.10.10
- Full UDP scan: nmap -sU -O -p- 10.10.10.10
Key Options & Techniques
Scan Techniques
- -sT: TCP connect scan
- -sS: SYN scan (stealth, requires sudo/root)
- -sU: UDP scan
- -sN: TCP Null scan
- -sF: TCP FIN scan
- -sX: TCP Xmas scan
- -sn: Ping scan (host discovery only, no port scan), e.g. nmap -sn 172.16.0.0/16
Port Specification
- -p <port ranges>: Only scan specified ports (e.g. -p22, -p1-65535, -p U:53,111,137,T:21-25,80,139,8080,S:9)
- -p-: Scan all ports (1-65535)
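As an added example (not part of this page and not nmap's own code), a small Python parser that expands the -p syntax above into per-protocol port sets. It assumes the T/U/S protocol prefixes and the open-ended range forms nmap accepts (-p-, -p-100, -p1000-), and applies unprefixed ports to whichever protocols are passed in default_protos, which is how nmap applies them to the active scan types.

```python
"""Expand an nmap-style -p port specification into per-protocol port sets."""
from __future__ import annotations

# Single-letter protocol prefixes accepted in -p: T (TCP), U (UDP), S (SCTP).
PROTOCOLS = {"T": "tcp", "U": "udp", "S": "sctp"}


def _parse_range(token: str) -> tuple[int, int]:
    """Turn '80', '21-25', '-100', '1000-' or '-' into an inclusive (lo, hi) pair."""
    if token == "-":
        return 1, 65535
    if "-" in token:
        lo_s, hi_s = token.split("-", 1)
        lo = int(lo_s) if lo_s else 1
        hi = int(hi_s) if hi_s else 65535
    else:
        lo = hi = int(token)
    if not (0 <= lo <= hi <= 65535):
        raise ValueError(f"port range out of bounds: {token!r}")
    return lo, hi


def parse_port_spec(spec: str, default_protos=("tcp",)) -> dict[str, set[int]]:
    """Expand e.g. 'U:53,111,137,T:21-25,80,139,8080,S:9'.

    Returns {'tcp': {...}, 'udp': {...}, 'sctp': {...}}. A prefix such as 'T:'
    stays in effect for the following comma-separated tokens until another
    prefix appears. Tokens before any prefix go to every protocol in
    default_protos (assumption: mirrors nmap applying bare ports to all
    scan types in use).
    """
    ports: dict[str, set[int]] = {"tcp": set(), "udp": set(), "sctp": set()}
    current = list(default_protos)
    for token in spec.split(","):
        token = token.strip()
        if not token:
            raise ValueError("empty port token in spec")
        # A protocol prefix switches the target set for this and later tokens.
        if len(token) > 1 and token[0].upper() in PROTOCOLS and token[1] == ":":
            current = [PROTOCOLS[token[0].upper()]]
            token = token[2:]
        lo, hi = _parse_range(token)
        for proto in current:
            ports[proto].update(range(lo, hi + 1))
    return ports


def summarize(ports: dict[str, set[int]]) -> str:
    """One-line count per protocol, useful for sanity-checking a spec before a scan."""
    return " ".join(f"{proto}:{len(ports[proto])}" for proto in ("tcp", "udp", "sctp"))


if __name__ == "__main__":
    expanded = parse_port_spec("U:53,111,137,T:21-25,80,139,8080,S:9")
    print(summarize(expanded))
    print(sorted(expanded["tcp"]))
```

The parser is deliberately strict: an out-of-range port or an empty token raises rather than being silently dropped, so a typo in a long -p list is caught before the scan runs.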
Script Scan (NSE)
- -sC: Equivalent to --script=default
- --script=<Lua scripts>: Comma-separated list of scripts, directories, or categories
- See the Nmap Scripting Engine Usage documentation
- Common categories:
  - safe: Won't affect the target
  - intrusive: May affect the target
  - vuln: Vulnerability scans
  - exploit: Attempt to exploit vulnerabilities
  - auth: Try to bypass authentication
  - brute: Brute-force credentials
  - discovery: Gather more network info
OS Detection
-O: Enable OS detection
Timing & Performance
-T<0-5>: Set timing template (higher is faster, but noisier and more likely to be detected)
Service/Version Detection
-sV: Probe open ports to determine service/version info
Output
- -oN <file>: Save results in normal format
- -oG <file>: Save results in grepable format
- -v, -vv: Increase verbosity
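The grepable (-oG) format is the one most often fed to other tooling. As an added example (not from this page or from the nmap project), a Python parser for it, plus a diff of two scans that reports ports newly opened or closed since a baseline, which is the check a defender wants when scanning their own hosts on a schedule. Both scan texts below are constructed samples in the "Host: ... Ports: port/state/proto/owner/service/rpcinfo/version/" layout nmap writes; it assumes entries are separated by ", " and fields by "/" (nmap substitutes "|" for "/" inside version strings).

```python
"""Parse nmap grepable (-oG) output and diff two scans of the same hosts."""
import re
from dataclasses import dataclass

# Constructed sample output (not from a real scan), in the -oG layout.
# Note that Python turns \t into real tabs, which is what nmap uses
# between the Host/Ports/Ignored State fields.
BASELINE_GNMAP = """\
# Nmap 7.94 scan initiated as: nmap -sV -oG baseline.gnmap 10.10.10.10
Host: 10.10.10.10 ()\tStatus: Up
Host: 10.10.10.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/open/tcp//http//nginx 1.18.0/\tIgnored State: filtered (998)
# Nmap done -- 1 IP address (1 host up) scanned in 10.00 seconds
"""

CURRENT_GNMAP = """\
# Nmap 7.94 scan initiated as: nmap -sV -oG current.gnmap 10.10.10.10
Host: 10.10.10.10 ()\tStatus: Up
Host: 10.10.10.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/closed/tcp//http///, 3306/open/tcp//mysql//MySQL 8.0.33/\tIgnored State: filtered (997)
# Nmap done -- 1 IP address (1 host up) scanned in 11.00 seconds
"""

# port/state/proto/owner/service/rpcinfo/version/ -- seven fields, each "/"-terminated.
PORT_RE = re.compile(r"(\d+)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/")


@dataclass(frozen=True)
class PortRecord:
    host: str
    port: int
    state: str
    proto: str
    service: str
    version: str


def parse_gnmap(text: str) -> list[PortRecord]:
    """Return one PortRecord per port entry found on 'Host:' lines."""
    records: list[PortRecord] = []
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # comment/header lines start with '#'
        fields = {}
        for part in line.split("\t"):
            key, _, value = part.partition(": ")
            fields[key] = value
        if "Ports" not in fields:
            continue  # 'Status: Up' lines carry no port data
        host = fields["Host"].split()[0]  # drop the '(hostname)' suffix
        for m in PORT_RE.finditer(fields["Ports"]):
            port, state, proto, _owner, service, _rpc, version = m.groups()
            records.append(PortRecord(host, int(port), state, proto, service, version))
    return records


def open_ports(records: list[PortRecord]) -> set[tuple[str, int, str]]:
    """(host, port, proto) triples whose state is 'open'."""
    return {(r.host, r.port, r.proto) for r in records if r.state == "open"}


def diff_scans(baseline_text: str, current_text: str) -> dict[str, list[tuple[str, int, str]]]:
    """Report ports that are open now but not in the baseline, and vice versa."""
    before = open_ports(parse_gnmap(baseline_text))
    after = open_ports(parse_gnmap(current_text))
    return {"opened": sorted(after - before), "closed": sorted(before - after)}


if __name__ == "__main__":
    for rec in parse_gnmap(CURRENT_GNMAP):
        print(rec)
    print(diff_scans(BASELINE_GNMAP, CURRENT_GNMAP))
```

Run against two real -oG files (read them with open().read() in place of the samples), the "opened" list is the thing to alert on: a new listening service on a host you own is either an expected change or something to investigate.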
Miscellaneous
-A: Enable OS detection, version detection, script scanning, and traceroute (aggressive scan)