Nmap (Network Mapper) is one of the most widely used tools in penetration testing. This guide covers the handful of options that matter most in practice and how to get the most out of them.
DISCLAIMER: Methods discussed should be used for ethical use only. Be sure to obtain permission (preferably written) prior to running scans or attacks against machines that you do not own.
Starting Point
Here is a starting point you can use. Depending on your situation you may need to modify or adapt the commands below; the options are discussed in more detail later. Every command uses -oA so that the results are written in all three output formats (.nmap, .gnmap and .xml) under the given base name.
A fast TCP scan with versions and default scripts:
sudo nmap -F -sV -sC -oA fast-tcp <target>
A fast UDP scan:
sudo nmap -F -sU -oA fast-udp <target>
A full TCP scan:
sudo nmap -p- -oA full-tcp <target>
A full UDP scan (all 65,535 ports; expect this to take hours, so start it in the background and keep working from the fast scan results):
sudo nmap -p- -sU -oA full-udp <target>
Use Sudo
If possible, run Nmap as root using sudo. Raw-packet scan types (the default SYN scan -sS, UDP scans -sU, and OS detection -O) need the CAP_NET_RAW capability, which in practice means root. Without it, Nmap silently falls back to the TCP connect scan (-sT), which completes a full three-way handshake with every port (slower, noisier, and more likely to be logged by the service), and it refuses to run UDP scans or OS detection at all, so the UDP commands above fail outright for an unprivileged user.
Going Fast
The -F (fast) option restricts the scan to the 100 most common ports for the protocol, as ranked by the frequency data in Nmap's nmap-services file, instead of the default 1,000. According to the Performance Port Selection section of the Nmap book, the top 100 TCP ports give roughly 70-80% effectiveness, with diminishing returns for each additional port scanned. UDP effectiveness climbs more linearly with the number of ports scanned, but UDP scans take far longer: open UDP ports often do not respond at all, and closed ports answer with ICMP port unreachable messages that most hosts rate-limit (Linux defaults to about one per second), so Nmap must retransmit and wait before it can classify each port.
To ensure that no stone is left unturned, I recommend starting a separate full scan (-p-) and enumerating the services found by the fast scan while it runs.
Enumerating Versions
The -sV option enables version detection: Nmap sends probes to each open port and matches the responses against its nmap-service-probes signature database. Treat the result as a best guess rather than a fact; distributions backport patches without changing the version string, and services can be configured to report a different banner. If a service is not behaving as you expect, consider whether a different version is actually running.
Default Script
Nmap contains a powerful scripting engine, the Nmap Scripting Engine (NSE), that can provide useful information about exposed services. The -sC option runs every script in the default category against the services the scan finds; it is equivalent to --script=default.
On Kali, the NSE scripts are located in /usr/share/nmap/scripts/, and each script declares its categories on a line such as categories = {"default", "safe", "discovery"}. The index file /usr/share/nmap/scripts/script.db in the same directory lists every script with its categories.
If you grep for categories, you can see which scripts are labeled default, among other categories (safe, intrusive, version, vuln, etc.):
grep categories /usr/share/nmap/scripts/*
You can choose exactly which scripts run with the --script option, which accepts script names, categories, wildcards and boolean expressions of them. Here are some examples:
| Option | Description |
|---|---|
| --script=safe | Run every script in the safe category |
| --script='snmp*' | Run every script whose name begins with snmp (quote the pattern so the shell does not expand it) |
Scripts can also take arguments via --script-args, and --script-help=<name> prints a script's documentation and the arguments it understands. To read more about scripts, refer to the Nmap NSE documentation.
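As an added example (not code from the original guide), the helper below lists which scripts belong to a category by reading the categories line of each .nse file, which is exactly what the grep above does by hand, and turns the result into a --script argument. The sample scripts it writes are constructed for this example; on a real system you would point it at /usr/share/nmap/scripts instead:

```shell
#!/bin/sh
# List NSE scripts by category (added example, not part of the original guide).
# The sample .nse files written by write_sample_scripts are constructed here;
# their bodies are placeholders, only the categories line matters.

# Print the names (without .nse) of scripts in DIR whose categories line
# contains CATEGORY, one per line, sorted.  Real scripts declare categories as
#     categories = {"default", "safe", "discovery"}
nse_scripts_in_category() {
    dir=$1
    category=$2
    grep -l -E "^categories[[:space:]]*=.*\"$category\"" "$dir"/*.nse 2>/dev/null \
        | sed 's#.*/##; s#\.nse$##' | sort
}

# Same, filtered by an optional name prefix and joined with commas so it can be
# passed straight to nmap, e.g.:
#     nmap --script "$(nse_script_list /usr/share/nmap/scripts default http-)" <target>
nse_script_list() {
    nse_scripts_in_category "$1" "$2" | grep "^${3:-}" | paste -s -d , -
}

# Constructed sample scripts (names mirror real ones, contents are placeholders).
write_sample_scripts() {
    dir=$1
    printf '%s\n' 'description = [[Constructed sample]]' \
        'categories = {"default", "safe", "discovery"}' > "$dir/http-title.nse"
    printf '%s\n' 'description = [[Constructed sample]]' \
        'categories = {"default", "safe"}' > "$dir/ssh-hostkey.nse"
    printf '%s\n' 'description = [[Constructed sample]]' \
        'categories = {"intrusive", "brute"}' > "$dir/snmp-brute.nse"
    printf '%s\n' 'description = [[Constructed sample]]' \
        'categories = {"default", "discovery", "safe"}' > "$dir/snmp-info.nse"
}

# Usage: sh nse-list.sh <scripts-dir> <category> [name-prefix]
if [ $# -ge 2 ]; then
    nse_script_list "$1" "$2" "${3:-}"
fi
```

Running it against /usr/share/nmap/scripts with the category default shows you precisely which scripts -sC will execute, which is worth knowing before you run it against a sensitive production host.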
Output
Nmap can write results in several file formats, and they do not all carry the same information. The -oA <basename> option used above writes three files at once: <basename>.nmap (the same text you see on the terminal), <basename>.gnmap (grepable output, one line per host, easy to script against), and <basename>.xml (the most detailed, including per-port script output and the separate version fields). Tools exist that turn the XML into a web page for easier viewing (e.g., xsltproc with the stylesheet that Nmap ships).
Scans can take a while to run and it costs nothing to output every format. It is better to have the additional information and not need it than to repeat the entire scan because we failed to capture it.
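The following script is an added example, not code from the original guide. It ties together the staged workflow recommended earlier (fast scan first, full scan alongside it) with the grepable output described here: it pulls the open ports out of a .gnmap file and then runs version detection and default scripts only against the ports the full scan found, and finally renders the XML with xsltproc. The sample .gnmap contents it writes are constructed for this example, and the nmap/sudo/xsltproc commands assume those tools are installed and a target is supplied on the command line:

```shell
#!/bin/sh
# Staged scan helper (added example, not part of the original guide).
# Assumes nmap, sudo and xsltproc are installed; the sample .gnmap data below
# is constructed for this example.

# Print a sorted, comma-separated list of ports from an Nmap grepable (.gnmap)
# file whose state matches STATE_REGEX (default: exactly "open").
# Each Ports: entry has the form port/state/protocol/owner/service/rpc/version/
# and Nmap replaces any "/" inside a field with "|", so splitting on "/" is safe.
# Use '^open' as the regex to include UDP's ambiguous open|filtered ports.
open_ports_from_gnmap() {
    file=$1
    if [ $# -ge 2 ]; then state=$2; else state='^open$'; fi
    awk -F'\t' -v want="$state" '
        /^Host:/ {
            for (i = 1; i <= NF; i++) {
                if ($i !~ /^Ports: /) continue
                sub(/^Ports: /, "", $i)
                n = split($i, entry, ", ")
                for (j = 1; j <= n; j++) {
                    split(entry[j], f, "/")
                    if (f[2] ~ want) print f[1]
                }
            }
        }' "$file" | sort -n -u | paste -s -d , -
}

# Constructed sample of what `nmap -F -sV -sC -oA fast-tcp 10.0.0.5` might
# write to fast-tcp.gnmap (host, versions and timings are made up).
write_sample_tcp_gnmap() {
    printf '%s\n' '# Nmap 7.94 scan initiated Mon Jan  1 00:00:00 2024 as: nmap -F -sV -sC -oA fast-tcp 10.0.0.5' > "$1"
    printf 'Host: 10.0.0.5 ()\tStatus: Up\n' >> "$1"
    printf 'Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 (Ubuntu Linux; protocol 2.0)/, 80/open/tcp//http//nginx 1.18.0/, 443/open/tcp//http//nginx 1.18.0/, 8080/filtered/tcp//http-proxy///\tIgnored State: closed (96)\n' >> "$1"
    printf '%s\n' '# Nmap done at Mon Jan  1 00:01:00 2024 -- 1 IP address (1 host up) scanned in 12.34 seconds' >> "$1"
}

# Constructed sample of a UDP scan, showing the open|filtered state.
write_sample_udp_gnmap() {
    printf 'Host: 10.0.0.5 ()\tStatus: Up\n' > "$1"
    printf 'Host: 10.0.0.5 ()\tPorts: 53/open/udp//domain///, 123/open|filtered/udp//ntp///, 161/open|filtered/udp//snmp///\tIgnored State: closed (97)\n' >> "$1"
}

# Fast scan first so enumeration can begin, then the full scan; version and
# script detection are only run against the ports the full scan reports open.
staged_scan() {
    target=$1
    sudo nmap -F -sV -sC -oA fast-tcp "$target"
    echo "fast scan open ports: $(open_ports_from_gnmap fast-tcp.gnmap)"
    sudo nmap -p- -oA full-tcp "$target"
    full=$(open_ports_from_gnmap full-tcp.gnmap)
    if [ -n "$full" ]; then
        sudo nmap -sV -sC -p "$full" -oA full-tcp-enum "$target"
        # Render the detailed XML as a web page using the stylesheet reference
        # Nmap embeds in the file (xsltproc needs that .xsl present locally).
        xsltproc full-tcp-enum.xml -o full-tcp-enum.html
    fi
}

# Usage: sh staged-scan.sh <target>
if [ $# -eq 1 ]; then
    staged_scan "$1"
fi
```

If xsltproc complains that it cannot load the stylesheet, the href embedded in the XML points at a path that does not exist on your machine; pass the stylesheet explicitly with xsltproc --stylesheet or generate the XML with --stylesheet pointing at the local nmap.xsl.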
Conclusion
This guide only scratches the surface of the flexibility and options Nmap provides, but you are now prepared to perform effective scans for the common scenarios.

