// 02 — NETWORK SCANNING

🔍 NMAP

Network mapper reference — host discovery, port scanning, service detection, OS fingerprinting and NSE scripts.


// Basics

// WHAT IS NMAP

Nmap (Network Mapper) is a free, open-source tool for network discovery and security auditing. It sends raw packets to discover hosts, open ports, running services and OS details.

// HOW IT WORKS

Nmap crafts packets, sends them to the target and classifies each port from the reply. For TCP a SYN/ACK means open, a RST means closed, and no answer (or an ICMP unreachable) means filtered. For UDP an ICMP port-unreachable means closed, while silence is reported as open|filtered because either would explain it. Scan types differ in the probe they send: TCP SYN, ACK, FIN, UDP, ICMP, and ARP on the local segment.

// BASIC SYNTAX

The general form is nmap [options] [target]. The target can be a single IP, a hostname, a range, a CIDR subnet or a list read from a file, and options and targets may be mixed in any order. A hostname is resolved to a single address unless --resolve-all is given.

🚨 Legal warning: Only scan networks and hosts you own or have explicit written permission to test. Unauthorised scanning is a criminal offence in many jurisdictions; keep the authorisation and the agreed scope to hand before you start.

// Target Specification

BASH
nmap 192.168.1.1                              # single IP
nmap 192.168.1.1-254                          # IP range (any octet may be a range or list, e.g. 10.0.0-3.1-254)
nmap 192.168.1.0/24                           # entire subnet (CIDR); .0 and .255 are scanned too
nmap 10.0.0.1 10.0.0.2 10.0.0.3               # multiple targets
nmap example.com                              # hostname (first resolved address only unless --resolve-all)
nmap -iL targets.txt                          # read targets from file
nmap 192.168.1.0/24 --exclude 192.168.1.5     # scan the subnet but skip one host
nmap 192.168.1.0/24 --excludefile exclude.txt # skip the hosts listed in a file
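The same target grammar, expanded in code. This is an added example, not part of the original page or of Nmap itself: a small Python expander for nmap-style IPv4 specs (single address, CIDR, per-octet ranges and lists such as 10.0.0-1.1-3, plus an exclude list) and a scope check, so you can review exactly which addresses a spec covers before pointing nmap at it. Hostnames are not resolved here, and the function names and sample specs are the example's own.

```python
import ipaddress
from typing import Iterable, Iterator, List, Sequence


def _octet_values(part: str) -> List[int]:
    """Expand one octet of an nmap-style spec.

    Accepts '10', '1-254', '1,5,10-12' and the bare '-' shorthand for 0-255,
    the same forms nmap accepts in any octet position.
    """
    if part == "-":
        part = "0-255"
    values = set()
    for piece in part.split(","):
        if "-" in piece:
            lo_s, hi_s = piece.split("-", 1)
            lo, hi = (int(lo_s) if lo_s else 0), (int(hi_s) if hi_s else 255)
        else:
            lo = hi = int(piece)
        if not 0 <= lo <= hi <= 255:
            raise ValueError(f"bad octet range: {piece!r}")
        values.update(range(lo, hi + 1))
    return sorted(values)


def expand_spec(spec: str) -> Iterator[ipaddress.IPv4Address]:
    """Yield every address covered by one IPv4 spec.

    A CIDR block yields the whole block including the network and broadcast
    addresses, which is what nmap scans for 192.168.1.0/24.
    """
    if "/" in spec:
        yield from ipaddress.ip_network(spec, strict=False)
        return
    octets = spec.split(".")
    if len(octets) != 4:
        raise ValueError(f"not an IPv4 spec (hostnames are not resolved here): {spec!r}")
    a, b, c, d = (_octet_values(o) for o in octets)
    for w in a:
        for x in b:
            for y in c:
                for z in d:
                    yield ipaddress.IPv4Address(f"{w}.{x}.{y}.{z}")


def expand_targets(specs: Sequence[str], exclude: Sequence[str] = ()) -> List[str]:
    """Union of all specs minus the union of all excludes, like nmap's
    positional targets combined with --exclude. Returns sorted dotted strings."""
    wanted = set()
    for spec in specs:
        wanted.update(expand_spec(spec))
    dropped = set()
    for spec in exclude:
        dropped.update(expand_spec(spec))
    return [str(ip) for ip in sorted(wanted - dropped)]


def out_of_scope(targets: Iterable[str], authorised: Sequence[str]) -> List[str]:
    """Return every target that falls outside the authorised CIDR blocks.

    Run this before the scan: an empty list is the condition for proceeding.
    """
    nets = [ipaddress.ip_network(a, strict=False) for a in authorised]
    return [t for t in targets if not any(ipaddress.ip_address(t) in n for n in nets)]


if __name__ == "__main__":
    # Constructed sample scope: two specs, one exclusion, one authorised block.
    targets = expand_targets(["192.168.1.1-3", "10.0.0.0/30"], exclude=["10.0.0.2"])
    print(targets)
    print("out of scope:", out_of_scope(targets, ["192.168.1.0/24"]))
```

Feed the expanded list to nmap with -iL rather than retyping the spec, so the addresses you reviewed are exactly the addresses that get scanned.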

// Host Discovery

FLAG  NAME           DESCRIPTION
-sn   Ping scan      Discover live hosts without port scanning (ARP requests on the local LAN; ICMP echo, TCP SYN to 443, TCP ACK to 80 and ICMP timestamp elsewhere when run as root)
-Pn   No ping        Skip host discovery and treat every target as online; use when ICMP and the default probes are blocked
-PS   TCP SYN ping   Send TCP SYN probes for discovery (port 80 by default; -PS22,443 picks others)
-PA   TCP ACK ping   Send TCP ACK probes for discovery (port 80 by default)
-PU   UDP ping       Send UDP probes for discovery (port 40125 by default)
-PE   ICMP echo      Use ICMP echo requests (traditional ping)
-n    No DNS         Skip reverse DNS resolution; speeds up scans
-R    Resolve all    Force reverse DNS resolution for every target, including hosts that appear down
BASH
nmap -sn 192.168.1.0/24             # ping sweep — find live hosts
nmap -Pn 192.168.1.1               # skip ping, scan anyway
nmap -sn -n 10.0.0.0/24            # fast sweep, no DNS lookup

// Port Scanning

FLAG  SCAN TYPE            DESCRIPTION
-sS   TCP SYN (half-open)  Default when run as root. Never completes the handshake, so the service itself rarely logs it; still plainly visible to any IDS or firewall
-sT   TCP Connect          Full three-way handshake through the OS socket API. Default for unprivileged users; the service sees (and may log) a real connection
-sU   UDP                  Scan UDP ports; slow because of ICMP rate limiting, but important (DNS, SNMP, NTP, TFTP)
-sA   TCP ACK              Maps firewall rules (filtered vs unfiltered); does not find open ports
-sN   TCP Null             No flags set; slips past some stateless filters
-sF   TCP FIN              FIN flag only; same evasion idea
-sX   Xmas                 FIN+PSH+URG set. Null/FIN/Xmas rely on RFC 793 behaviour (RST for closed, silence for open); Windows and many devices answer RST to all of them, so every port shows as closed
BASH
# Port selection
nmap -p 80 192.168.1.1              # single port
nmap -p 80,443,8080 192.168.1.1    # multiple ports
nmap -p 1-1024 192.168.1.1        # port range
nmap -p- 192.168.1.1               # all 65535 ports
nmap --top-ports 100 192.168.1.1  # top 100 most common ports
nmap -F 192.168.1.1                # fast scan (top 100 ports)

# Scan types
nmap -sS 192.168.1.1               # SYN stealth scan (requires root)
nmap -sU -p 53,161,162 192.168.1.1 # UDP scan common ports
nmap -sS -sU 192.168.1.1           # combined TCP + UDP scan
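What -sT actually does on the wire, as an added example that is not part of this page or of Nmap: a Python connect scan against a constructed local listener. The listener records every accepted peer, which is the trail a full-handshake scan leaves in service logs and the reason -sS (which never completes the handshake, but needs raw sockets and therefore root) is quieter towards the application. Hosts, ports and helper names are the example's own; the 'filtered' classification is implemented but cannot be exercised against loopback.

```python
import socket
import threading
import time
from typing import Dict, Iterable, List, Tuple


def probe(host: str, port: int, timeout: float = 1.0) -> str:
    """Connect-scan one TCP port through the OS socket API, as -sT does.

    SYN/ACK -> the kernel completes the handshake      -> 'open'
    RST     -> ConnectionRefusedError                  -> 'closed'
    nothing back before the timeout (dropping firewall) -> 'filtered'
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except (socket.timeout, TimeoutError):
            return "filtered"
        except OSError:
            # Host/network unreachable: nmap reports these as filtered too.
            return "filtered"


def connect_scan(host: str, ports: Iterable[int]) -> Dict[int, str]:
    """Scan the given ports sequentially and return {port: state}."""
    return {port: probe(host, port) for port in ports}


class LoggingService:
    """Constructed stand-in for a daemon: accepts every connection on an
    ephemeral loopback port and records the peer address, as a real
    service's access log would."""

    def __init__(self, host: str = "127.0.0.1") -> None:
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind((host, 0))
        self.sock.listen(5)
        self.sock.settimeout(0.1)
        self.port: int = self.sock.getsockname()[1]
        self.peers: List[Tuple[str, int]] = []
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()

    def _serve(self) -> None:
        while not self._stop.is_set():
            try:
                conn, peer = self.sock.accept()
            except socket.timeout:
                continue
            self.peers.append(peer)
            conn.close()

    def close(self) -> None:
        self._stop.set()
        self._thread.join()
        self.sock.close()


def unused_port(host: str = "127.0.0.1") -> int:
    """Bind and release an ephemeral port so nothing listens on it
    (constructed 'closed' port: the kernel answers RST there)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((host, 0))
        return s.getsockname()[1]


def demo() -> Dict[str, object]:
    """Scan one open and one closed loopback port; report the states and how
    many connections the service logged."""
    service = LoggingService()
    closed_port = unused_port()
    try:
        results = connect_scan("127.0.0.1", [service.port, closed_port])
        # connect() returns when the handshake completes, slightly before the
        # accept loop records the peer, so wait briefly for the log to catch up.
        deadline = time.monotonic() + 2.0
        while not service.peers and time.monotonic() < deadline:
            time.sleep(0.01)
        return {
            "open_port": service.port,
            "closed_port": closed_port,
            "results": results,
            "connections_logged": len(service.peers),
        }
    finally:
        service.close()


if __name__ == "__main__":
    print(demo())
```

The closed port never reaches the listener (the kernel answers with RST before any accept), so only the open port appears in the service's log; that asymmetry is exactly what a defender sees after a -sT sweep and what a -sS sweep avoids.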

// Service & OS Detection

FLAG                    DESCRIPTION
-sV                     Probe open ports to identify the service and its version
-O                      OS detection by TCP/IP stack fingerprinting (requires root; needs at least one open and one closed TCP port for a reliable match)
-A                      Aggressive: -O, -sV, -sC (default scripts) and --traceroute in one flag
--version-intensity 9   Max version detection intensity (0-9, default 7); higher levels send more probes per port
--osscan-guess          Report the closest OS match even when the fingerprint is not a perfect hit
BASH
nmap -sV 192.168.1.1               # detect service versions
nmap -O  192.168.1.1               # detect OS (needs root/sudo)
nmap -A  192.168.1.1               # everything: OS+version+scripts
nmap -sV --version-intensity 9 192.168.1.1  # max version detection
💡 Tip: -A is noisy and slow; great for thorough testing, but avoid it when stealth matters. Use -sV alone for quieter version detection.

// Timing & Performance

FLAG  TEMPLATE    SPEED                              USE CASE
-T0   Paranoid    Slowest (one probe every 5 min)    IDS evasion
-T1   Sneaky      Very slow (one probe every 15 s)   IDS evasion
-T2   Polite      Slow (0.4 s between probes)        Avoid overloading the target
-T3   Normal      Default                            Standard scanning
-T4   Aggressive  Fast                               Fast, reliable networks
-T5   Insane      Fastest                            Speed over accuracy; may miss ports on slow or lossy links
BASH
nmap -T4 192.168.1.0/24             # fast scan on local network
nmap -T1 192.168.1.1               # slow and quiet
nmap --min-rate 1000 192.168.1.1  # send at least 1000 packets/sec
nmap --max-retries 2 192.168.1.1  # limit retransmissions

// NSE Scripts

// WHAT IS NSE

The Nmap Scripting Engine lets you run Lua scripts against targets for deeper enumeration — vuln detection, brute force, service info and more.

// SCRIPT CATEGORIES

Scripts are grouped into categories that can be passed to --script: auth, broadcast, brute, default, discovery, dos, exploit, external, fuzzer, intrusive, malware, safe, version and vuln. default and safe are the ones meant for general use; brute, dos, exploit and intrusive can lock accounts, crash services or trip every alarm, and external scripts send data to third-party services, so check what a category expands to (nmap --script-help <category>) before running it against anything in production.

BASH
# Run scripts
nmap -sC 192.168.1.1               # run default scripts
nmap --script vuln 192.168.1.1    # run all vuln scripts
nmap --script http-title 192.168.1.1        # single script
nmap --script http-title,http-headers 192.168.1.1 # multiple scripts
nmap --script "http-*" 192.168.1.1 # all http scripts

# Useful scripts
nmap --script smb-vuln-ms17-010 192.168.1.1  # EternalBlue check
nmap --script ssh-brute 192.168.1.1          # SSH brute force (can lock accounts; agree it in scope first)
nmap --script ftp-anon 192.168.1.1           # check anonymous FTP
nmap --script dns-brute example.com          # subdomain brute force
nmap --script snmp-info -sU -p 161 192.168.1.1 # SNMP enumeration

# Script args
nmap --script http-brute --script-args userdb=users.txt,passdb=pass.txt 192.168.1.1

# Update script database
nmap --script-updatedb

// Output Formats

FLAG  FORMAT         DESCRIPTION
-oN   Normal         Human-readable text, the same as the terminal output
-oX   XML            Machine-parseable; the format to use for tooling and imports into other tools
-oG   Grepable       One line per host, easy to grep/awk; deprecated by the Nmap project in favour of XML for new tooling
-oA   All            Write all three at once: <base>.nmap, <base>.xml, <base>.gnmap
-v    Verbose        Show more detail in real time (-vv for even more)
-d    Debug          Debugging output (-d9 is the maximum)
BASH
nmap -oN scan.txt 192.168.1.1      # save normal output
nmap -oX scan.xml 192.168.1.1      # save XML output
nmap -oA scan 192.168.1.1          # save all formats (scan.nmap, scan.xml, scan.gnmap)
nmap -v -oN scan.txt 192.168.1.1  # verbose + save
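Turning -oX output into something a script can act on. This is an added example, not page or Nmap code: a Python parser for the XML nmap writes, fed a constructed two-host sample in the same element layout (nmaprun/host/status/address/ports/port/state/service) rather than a real scan. It keeps only hosts that are up, lets you choose which port states count (open alone, or open|filtered too for UDP) and pulls service name, product and version out of -sV results. The record and helper names are the example's own. nmap's own output is trusted input; for XML from an untrusted source use defusedxml rather than the standard parser.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence

# Constructed sample in nmap's -oX layout (not a real scan result).
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<nmaprun scanner="nmap" args="nmap -sS -sV -oX scan.xml 192.168.1.0/30" start="1700000000" version="7.94">
<host starttime="1700000001" endtime="1700000020">
<status state="up" reason="arp-response"/>
<address addr="192.168.1.1" addrtype="ipv4"/>
<address addr="00:11:22:33:44:55" addrtype="mac"/>
<hostnames><hostname name="gw.lan" type="PTR"/></hostnames>
<ports>
<extraports state="closed" count="996"/>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh" product="OpenSSH" version="8.9p1" method="probed" conf="10"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http" product="nginx" version="1.18.0" method="probed" conf="10"/></port>
<port protocol="tcp" portid="443"><state state="filtered" reason="no-response"/><service name="https" method="table" conf="3"/></port>
<port protocol="udp" portid="161"><state state="open|filtered" reason="no-response"/><service name="snmp" method="table" conf="3"/></port>
</ports>
</host>
<host><status state="down" reason="no-response"/><address addr="192.168.1.2" addrtype="ipv4"/></host>
<runstats><finished time="1700000030" elapsed="30.00"/><hosts up="1" down="1" total="2"/></runstats>
</nmaprun>
"""


@dataclass(frozen=True)
class PortRecord:
    host: str
    hostname: Optional[str]
    protocol: str
    port: int
    state: str
    service: str
    product: str
    version: str

    @property
    def banner(self) -> str:
        """'OpenSSH 8.9p1' style string; empty when -sV learned nothing."""
        return " ".join(p for p in (self.product, self.version) if p)


def _attr(el: Optional[ET.Element], key: str) -> str:
    return el.get(key, "") if el is not None else ""


def parse_nmap_xml(xml_text: str, states: Sequence[str] = ("open",)) -> List[PortRecord]:
    """One record per port whose state is in `states`, for hosts that are up."""
    records: List[PortRecord] = []
    for host in ET.fromstring(xml_text).iter("host"):
        if _attr(host.find("status"), "state") != "up":
            continue
        addr_el = host.find("address[@addrtype='ipv4']") or host.find("address")
        if addr_el is None:
            continue
        hostname_el = host.find("hostnames/hostname")
        hostname = hostname_el.get("name") if hostname_el is not None else None
        for port_el in host.iterfind("ports/port"):
            state = _attr(port_el.find("state"), "state")
            if state not in states:
                continue
            svc = port_el.find("service")
            records.append(PortRecord(
                host=addr_el.get("addr", ""), hostname=hostname,
                protocol=port_el.get("protocol", ""), port=int(port_el.get("portid", "0")),
                state=state, service=_attr(svc, "name"),
                product=_attr(svc, "product"), version=_attr(svc, "version"),
            ))
    return records


def hosts_with_service(records: List[PortRecord], service: str) -> List[str]:
    """Distinct hosts exposing a given service name, e.g. every host with 'ssh'."""
    return sorted({r.host for r in records if r.service == service})


def summary(records: List[PortRecord]) -> Dict[str, List[str]]:
    """{host: ['22/tcp ssh OpenSSH 8.9p1', ...]} for quick reporting."""
    out: Dict[str, List[str]] = {}
    for r in records:
        out.setdefault(r.host, []).append(f"{r.port}/{r.protocol} {r.service} {r.banner}".rstrip())
    return out


if __name__ == "__main__":
    for host, lines in summary(parse_nmap_xml(SAMPLE_XML)).items():
        print(host, *("  " + line for line in lines), sep="\n")
```

Note the `or host.find("address")` fallback: an Element with no children is falsy in ElementTree, so the expression falls through to the generic lookup whenever the ipv4 address element is absent, which is the behaviour wanted here; the UDP port is excluded by default because nmap cannot distinguish open from filtered without a reply.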

// Common Scan Recipes

💡 These are the scans you'll use most often. Copy and adapt them for your targets.

BASH
# Quick recon — find live hosts on subnet
nmap -sn -n -T4 192.168.1.0/24

# Standard port + version scan
nmap -sS -sV -T4 -p- 192.168.1.1

# Full aggressive scan with scripts
nmap -A -T4 -p- 192.168.1.1

# Stealth scan with no DNS
nmap -sS -n -Pn -T2 192.168.1.1

# UDP top ports (slow — be patient)
nmap -sU --top-ports 20 192.168.1.1

# Web server recon
nmap -sV -p 80,443,8080,8443 --script http-title,http-headers 192.168.1.1

# Vulnerability scan
nmap --script vuln -sV 192.168.1.1

# Save everything
nmap -A -T4 -oA output/scan 192.168.1.1