🛠Security Tool Cheatsheet
Alex Morgan — Senior Penetration Tester
What is Nmap?
Nmap (Network Mapper) is a powerful open-source tool designed for network exploration and security auditing. It’s widely used by security professionals for discovering hosts and services on a computer network, thus creating a ‘map’ of the network. Nmap can quickly identify devices within a network and their corresponding open ports, which can aid in detecting potential vulnerabilities.
Installation
Nmap can be installed on various operating systems. Below are installation instructions for some common platforms:
- Linux: Most distributions have Nmap in their package manager. Example for Ubuntu:
sudo apt install nmap
- macOS: You can use Homebrew:
brew install nmap
- Windows: Download the installer from the official Nmap website or use the package manager Chocolatey:
choco install nmap
Basic Syntax
nmap [options] [targets]
Discovery
Scan a single host
nmap 192.168.1.1
Scan multiple hosts
nmap 192.168.1.1 192.168.1.2
Scan a range of IPs
nmap 192.168.1.1-50
Scan an entire subnet
nmap 192.168.1.0/24
Scanning
TCP Connect Scan
nmap -sT 192.168.1.1
Stealth Scan (SYN scan)
nmap -sS 192.168.1.1
Service Version Detection
nmap -sV 192.168.1.1
Exploitation
Script Scanning
Nmap includes a scripting engine (NSE) that lets users run and write scripts to automate tasks. To run a specific script by name (or a category such as default, which is what -sC runs) against a target:
nmap --script=<script-name> 192.168.1.1
Analysis
OS Detection
nmap -O 192.168.1.1
Output in XML format
nmap -oX output.xml 192.168.1.1
Output in grepable format (Nmap has no native JSON output)
nmap -oG output.gnmap 192.168.1.1
Evasion
Use decoy scan to hide real source
nmap -D RND:10 192.168.1.1
Reporting
Save output to a text file
nmap -oN output.txt 192.168.1.1
Quick Reference Table
| Flag | Description |
|---|---|
| -sT | TCP connect scan |
| -sS | SYN stealth scan |
| -sV | Service version detection |
| -O | OS detection |
| -oN | Output in normal text format |
Pro Tips
- Consider using the -Pn flag to skip host discovery. This is useful if you know the host is up, but you want to scan without ICMP.
- Use the --top-ports <n> option (for example --top-ports 100) to scan only the n most commonly used ports for efficiency.
- The grepable (-oG) and XML (-oX) output formats make it easy to automate further analysis of scan results.
Real-World Examples
Find all open ports and services on a specific host
nmap -sS -sV -O -p- 192.168.1.1
This command performs a SYN scan, detects service versions, identifies the OS, and scans all ports on the target host.
Quick reconnaissance of your network
nmap -sP 192.168.1.0/24
This performs a ping scan (host discovery only, no port scan) to quickly find active hosts within your subnet; -sP is the legacy spelling of -sn, which current Nmap versions still accept.