cmdref.net is command references/cheat sheets/examples for system engineers.
| Cloud |
|---|
| Etc |
|---|
| Reference |
|---|
Network exploration tool and security / port scanner
# nmap -h
Usage: nmap [Scan Type(s)] [Options] {target specification}
HOST DISCOVERY:
-Pn: Treat all hosts as online -- skip host discovery
SCAN TECHNIQUES:
-sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
-sU: UDP Scan
PORT SPECIFICATION AND SCAN ORDER:
-p <port ranges>: Only scan specified ports
Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080,S:9
EXAMPLES:
nmap -v -A scanme.nmap.org
nmap -v -sn 192.168.0.0/16 10.0.0.0/8
nmap -v -iR 10000 -Pn -p 80
# man nmap
-Pn (No ping) .
-sT (TCP connect scan) .
-sU (UDP scans) .
nmap -Pn -sT -p 22 xx.xx.xx.xx nmap -Pn -sT -p 443 x.x.x.x -max-rtt-timeout 0.1
open or closed : Firewall is pass.
filterd : Firewall is blocked.
# nmap -Pn -sT -p 3306 192.168.0.100 Starting Nmap 6.40 ( http://nmap.org ) at 20xx-09-21 16:36 JST Nmap scan report for test-db-01.example.local (192.168.0.100) Host is up. PORT STATE SERVICE 3306/tcp filtered mysql Nmap done: 1 IP address (1 host up) scanned in 2.09 seconds
#nmap google.com Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2015-01-28 21:07 JST Warning: Hostname google.com resolves to 11 IPs. Using 74.125.235.102. Interesting ports on nrt19s02-in-f6.1e100.net (74.125.235.102): Not shown: 1678 filtered ports PORT STATE SERVICE 80/tcp open http 443/tcp open https Nmap finished: 1 IP address (1 host up) scanned in 31.587 seconds
nmap -sU google.com
# nmap -sU -p 161 127.0.0.1 Starting Nmap 6.40 ( http://nmap.org ) at 2019-09-18 00:47 JST Nmap scan report for localhost (127.0.0.1) Host is up (0.00024s latency). PORT STATE SERVICE 161/udp open snmp Nmap done: 1 IP address (1 host up) scanned in 0.08 seconds
# time nmap -sT -sU -Pn x.x.x.x # time nmap -sT -sU -Pn --scan-delay 10ms x.x.x.x # 100 counts/sec # time nmap -sT -sU -Pn --scan-delay 50ms x.x.x.x/24 # 20 counts/sec # time nmap -sT -sU -Pn --scan-delay 50ms -oX `date +"%Y%m%d_%H%M"`.txt x.x.x.x/24 # 20 counts/sec
# nmap -sT -sU -Pn localhost Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2015-01-28 21:26 JST Interesting ports on localhost.localdomain (127.0.0.1): Not shown: 3155 closed ports PORT STATE SERVICE 22/tcp open ssh 25/tcp open smtp 80/tcp open http 139/tcp open netbios-ssn 199/tcp open smux 445/tcp open microsoft-ds 3306/tcp open mysql 9999/tcp open abyss 123/udp open|filtered ntp 137/udp open|filtered netbios-ns 138/udp open|filtered netbios-dgm 161/udp open|filtered snmp Nmap finished: 1 IP address (1 host up) scanned in 1.301 seconds #
# nmap -sU -sT -p 1-500 localhost Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2015-01-28 21:28 JST Interesting ports on localhost.localdomain (127.0.0.1): Not shown: 990 closed ports PORT STATE SERVICE 22/tcp open ssh 25/tcp open smtp 80/tcp open http 139/tcp open netbios-ssn 199/tcp open smux 445/tcp open microsoft-ds 123/udp open|filtered ntp 137/udp open|filtered netbios-ns 138/udp open|filtered netbios-dgm 161/udp open|filtered snmp Nmap finished: 1 IP address (1 host up) scanned in 1.236 seconds
# nmap --script=ssl-enum-ciphers -p 443 www.google.com
nmap -sP -oG nmap.grep.txt 192.168.10.0/24 <- Output test nmap -sP -oX nmap.xml 192.168.10.0/24 <- Output XML
-O: Enable OS detection
# nmap -O localhost Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2015-01-28 21:17 JST Interesting ports on localhost.localdomain (127.0.0.1): Not shown: 1672 closed ports PORT STATE SERVICE 22/tcp open ssh 25/tcp open smtp 80/tcp open http 139/tcp open netbios-ssn 199/tcp open smux 445/tcp open microsoft-ds 3306/tcp open mysql 9999/tcp open abyss (abbr)
-sV: Probe open ports to determine service/version info
# nmap -O -sV localhost Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2015-01-28 21:18 JST Interesting ports on localhost.localdomain (127.0.0.1): Not shown: 1672 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 4.3 (protocol 2.0) 25/tcp open smtp Postfix smtpd 80/tcp open http Apache httpd 2.2.11 ((Unix) mod_ssl/2.2.11 OpenSSL/0.9.8b PHP/5.1.6) 139/tcp open netbios-ssn Samba smbd 3.X (workgroup: HELP-PAL) 199/tcp open smux Linux SNMP multiplexer 445/tcp open netbios-ssn Samba smbd 3.X (workgroup: HELP-PAL) 3306/tcp open mysql MySQL 5.0.45-log 9999/tcp open http-proxy DeleGate proxy 9.2.3 (abbr)
-A: Enables OS detection and Version detection
# nmap -A localhost Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2015-01-28 21:15 JST Interesting ports on localhost.localdomain (127.0.0.1): Not shown: 1672 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 4.3 (protocol 2.0) 25/tcp open smtp Postfix smtpd 80/tcp open http Apache httpd 2.2.11 ((Unix) mod_ssl/2.2.11 OpenSSL/0.9.8b PHP/5.1.6) 139/tcp open netbios-ssn Samba smbd 3.X (workgroup: HELP-PAL) 199/tcp open smux Linux SNMP multiplexer 445/tcp open netbios-ssn Samba smbd 3.X (workgroup: HELP-PAL) 3306/tcp open mysql MySQL 5.0.45-log 9999/tcp open http-proxy DeleGate proxy 9.2.3 (abbr)
nmap -sV --reason -PN -n --top-ports 100 www.example.com