Mnemata @sanoski/ Hacking Tools (public knowledge base)

Nmap

Overview

Nmap (Network Mapper) is the industry-standard open-source tool for network discovery and security auditing. It can discover hosts, map open ports, identify running services and their versions, detect operating systems, and run scripted vulnerability checks via the Nmap Scripting Engine (NSE).

Category

#scanning #active-recon #network

Phase

Scanning

Developer

Gordon Lyon (Fyodor) — nmap.org

Install

# Debian/Ubuntu
sudo apt install nmap

# macOS
brew install nmap

# Windows — download installer from nmap.org

Core Scan Types

| Flag | Scan Type | Notes |
|------|-----------|-------|
| -sS | SYN (stealth) scan | Default; requires root |
| -sT | TCP connect scan | No root needed; louder |
| -sU | UDP scan | Slow but finds UDP services |
| -sN | Null scan | No flags set |
| -sF | FIN scan | Useful for firewall evasion |
| -sX | Xmas scan | Sets FIN, PSH, URG flags |
| -sA | ACK scan | Maps firewall rules |
| -sV | Version detection | Identifies service versions |
| -O | OS detection | Fingerprints OS |
| -sC | Default NSE scripts | Runs common safe scripts |
| -A | Aggressive | -sV -O -sC --traceroute |

Common Commands

# Quick ping sweep of a subnet
nmap -sn 192.168.1.0/24

# Basic port scan (top 1000 ports)
nmap 192.168.1.10

# Full port scan (all 65535)
nmap -p- 192.168.1.10

# Service/version detection
nmap -sV 192.168.1.10

# OS detection + service + scripts
nmap -A 192.168.1.10

# Stealth SYN scan with OS and version
sudo nmap -sS -sV -O 192.168.1.10

# Scan specific ports
nmap -p 22,80,443,3306 192.168.1.10

# Output to all formats
nmap -oA scan_results 192.168.1.10

# Speed (T0=paranoid → T5=insane)
nmap -T4 192.168.1.0/24

# NSE script example (vuln scan)
nmap --script vuln 192.168.1.10

# SMB vulnerability check (quote the wildcard so the shell does not expand it)
nmap --script "smb-vuln*" -p 445 192.168.1.10

Output Formats

| Flag | Format |
|------|--------|
| -oN | Normal text |
| -oX | XML |
| -oG | Grepable |
| -oA | All three at once |

NSE Script Categories

  • auth — Authentication bypass/brute
  • broadcast — Network broadcast discovery
  • brute — Brute-force credentials
  • default / -sC — Safe default scripts
  • discovery — Enumerate hosts/services
  • exploit — Active exploitation (use carefully)
  • vuln — Vulnerability detection

OPSEC Notes

Active scanning generates traffic visible to IDS/IPS. Use -T1 or -T2 for slower, quieter scans. SYN scans (-sS) are less likely to appear in application logs than full connect scans (-sT). Avoid --script exploit on production systems without explicit authorization.

Related Tools

  • Nessus — Deep vulnerability scanning after Nmap port discovery
  • OpenVAS — Open-source alternative to Nessus
  • Metasploit — Exploit services discovered by Nmap

Tags

#ethical-hacking #scanning #network #active-recon #ports
