Nmap notes: Difference between revisions

m (Removed redirect to Network tools#nmap notes)
Latest revision as of 13:34, 20 June 2024


(assumption is use on home LAN. For security stuff, learn it properly)


Nmap port states

  • open:
    • the computer is listen()ing on the port and will accept() connections
  • closed:
    • the host responds with an ICMP 'Port Unreachable' message, probably because nothing is listen()ing on the port (for a TCP scan the usual 'closed' signal is a RST reply; the ICMP Port Unreachable is what a UDP scan sees)
    • those ICMP packets can also be generated by firewall rules, meaning that the port may be closed to you but open to others
  • filtered can mean a few things:
    • some ICMP unreachable error other than Port Unreachable came back (net unreachable, host unreachable, etc.) (verify)
    • OR there is no response after some time, e.g. because the packets were dropped (at the host, or at a router on the way)
  • unfiltered:
    • most other ports were filtered, but this one is closed (verify) (nmap's own documentation describes 'unfiltered' as: the port is reachable, but nmap can't tell whether it is open or closed; in practice only the ACK scan reports it)


Note that different ICMP rejections in iptables can lead to either 'closed' or 'filtered', so ports may still be open to other places (or under other conditions).
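Once the states above make sense, the next thing you usually want is a per-host tally rather than nmap's normal output. The following is an added example, not taken from these notes or from nmap itself: it parses nmap's grepable output format (what `nmap -oG -` prints) and summarises port states per host. The scan output embedded in `SAMPLE_OG` is constructed for the example, not a real scan, and the allow-list passed to `unexpected_open` is an assumed home-LAN baseline; the function names are mine.

```python
"""Tally nmap port states per host from grepable (-oG) output.

Added example for these notes, not nmap's own code. SAMPLE_OG below is
constructed sample output, not a real scan.
"""
import re
from collections import Counter

# Constructed: what `nmap -oG - -p 22,80,443 192.168.2.0/24` might print on a
# small home LAN. Fields after "Host:" are tab separated; each port entry is
# port/state/protocol/owner/service/rpc/version/.
SAMPLE_OG = """\
# Nmap scan initiated as: nmap -oG - -p 22,80,443 192.168.2.0/24
Host: 192.168.2.1 (router.lan)\tStatus: Up
Host: 192.168.2.1 (router.lan)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/closed/tcp//https///
Host: 192.168.2.10 ()\tStatus: Up
Host: 192.168.2.10 ()\tPorts: 22/filtered/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///
Host: 192.168.2.20 ()\tStatus: Up
Host: 192.168.2.20 ()\tPorts: 22/closed/tcp//ssh///, 80/closed/tcp//http///, 443/closed/tcp//https///
# Nmap done: 256 IP addresses (3 hosts up) scanned in 12.34 seconds
"""

HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)")
PORT_RE = re.compile(r"^(\d+)/(\w+)/(\w+)/([^/]*)/([^/]*)/")


def parse_grepable(text):
    """Return {ip: {port: (state, proto, service)}} for every host seen."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:          # comment lines and anything else
            continue
        ip = m.group(1)
        ports = hosts.setdefault(ip, {})
        for field in line.split("\t")[1:]:
            if not field.startswith("Ports: "):
                continue
            for entry in field[len("Ports: "):].split(", "):
                pm = PORT_RE.match(entry)
                if pm:
                    port, state, proto, _owner, service = pm.groups()
                    ports[int(port)] = (state, proto, service)
    return hosts


def state_counts(hosts):
    """Overall count per state, e.g. {'open': 4, 'closed': 4, 'filtered': 1}."""
    counts = Counter(state for ports in hosts.values()
                     for state, _proto, _svc in ports.values())
    return dict(counts)


def open_ports(hosts):
    """{ip: sorted open ports}: the LAN inventory view."""
    return {ip: sorted(p for p, (state, _, _) in ports.items() if state == "open")
            for ip, ports in hosts.items()}


def unexpected_open(hosts, allowed):
    """Open ports not in the allow-list {ip: {ports}}. A host missing from the
    allow-list has every open port flagged. The allow-list is an assumed
    baseline for your own LAN, not something nmap knows about."""
    flagged = {}
    for ip, ports in open_ports(hosts).items():
        extra = [p for p in ports if p not in allowed.get(ip, set())]
        if extra:
            flagged[ip] = extra
    return flagged


if __name__ == "__main__":
    found = parse_grepable(SAMPLE_OG)
    print(state_counts(found))
    print(open_ports(found))
    print(unexpected_open(found, {"192.168.2.1": {22, 80}}))
```

Feed it a real scan with `nmap -oG - ... | python3 thisfile.py` after replacing `SAMPLE_OG` with `sys.stdin.read()`. Keeping an allow-list of what should be listening on each box is the cheap way to notice a service that appeared without you knowing.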

Some arguments

  • -T<n>: aggressiveness/speed. See [1]
    • -T0 and -T1 will avoid most intrusion detection, but also take very long
    • the default is -T3
    • -T4 and -T5 are often acceptable on a LAN
    • -T4 may affect your internet access; -T5 is a bit asocial and may affect accuracy. Both are likely to be blocked if there is any intrusion detection


Quick (and approximate) host discovery:

  • -sP (later renamed -sn)
    • ping only, no port scan after it
    • won't report hosts that don't respond to ping
nmap -sP 192.168.1.0/24


Interesting arguments:

  • -p: port(s) to scan
    • by default it scans 1000 commonly used ports
    • with -F it scans 100 commonly used ports
    • if you're interested in a faster scan and only a single service, e.g. -p 22
    • ...or finding hosts with a bunch of services, e.g. -p 1-200
    • ...or a few specific things, say -p 80,22,5353,445,139,631,123,3689,548,7,5900,5000
    • ...or really everything, with -p 0-65535
    • note that scans on the same subnet are a lot faster than those elsewhere


Target spec

I commonly use the 192.168.2.0/24 style

Other options:

  • example.org/24 - the mask is applied after resolving the name to an IP
  • lists and ranges like 1,20-200,250-254, probably but not necessarily in the last octet, e.g.
    192.168.2.20-200
    192.168.0-255.1
    192.168.0,1,2,100.1,20-200,254


There are more tricks, see http://nmap.org/book/man-target-specification.html
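The per-octet list/range forms above and the -p port lists from the previous section follow the same small grammar, and it is easy to misjudge how many addresses or ports a spec covers before a scan. As an added example (not nmap's own code, and an assumption about nmap's grammar only as far as the forms shown on this page go), here is a Python expansion of both. `example.org/24` is not handled because it needs DNS resolution; the function names `expand_targets`, `expand_ports` and `target_count` are mine.

```python
"""Expand nmap-style target and port specs so you can see what they cover.

Added example for these notes, not nmap's own code. Handles the forms shown
on the page: a.b.c.d/n CIDR, per-octet lists/ranges, and -p lists/ranges.
"""
import ipaddress
import itertools


def _expand_ranges(spec, lo, hi):
    """'1,20-200,250-254' -> sorted unique ints, each checked against [lo, hi]."""
    values = set()
    for part in spec.split(","):
        if "-" in part:
            a, b = part.split("-", 1)
            start, end = int(a), int(b)
        else:
            start = end = int(part)
        if not (lo <= start <= end <= hi):
            raise ValueError(f"range {part!r} is reversed or outside {lo}-{hi}")
        values.update(range(start, end + 1))
    return sorted(values)


def expand_targets(spec):
    """Expand one IPv4 target spec into a list of address strings.

    'a.b.c.d/n' expands the whole block (network and broadcast address
    included, which is what nmap scans for 192.168.1.0/24); otherwise each
    octet may be a list/range such as 192.168.0-255.1 or
    192.168.0,1,2,100.1,20-200,254.
    """
    if "/" in spec:
        # strict=False: the mask is applied to whatever host part is given
        net = ipaddress.ip_network(spec, strict=False)
        return [str(ip) for ip in net]
    octets = spec.split(".")
    if len(octets) != 4:
        raise ValueError(f"not an IPv4 spec: {spec!r}")
    choices = [_expand_ranges(octet, 0, 255) for octet in octets]
    return [".".join(map(str, combo)) for combo in itertools.product(*choices)]


def expand_ports(spec):
    """'80,22,1-200' -> sorted unique port numbers within 0-65535."""
    return _expand_ranges(spec, 0, 65535)


def target_count(spec):
    """How many addresses a target spec covers; handy before picking -T."""
    return len(expand_targets(spec))


if __name__ == "__main__":
    for t in ("192.168.2.0/24", "192.168.2.20-200", "192.168.0-255.1",
              "192.168.0,1,2,100.1,20-200,254"):
        print(f"{t:35} {target_count(t):5} addresses")
    print(len(expand_ports("80,22,5353,445,139,631,123,3689,548,7,5900,5000")), "ports")
```

Multiplying the address count by the port count (and by how many probes a given -T timing allows per second) gives a rough idea of how long a scan will take, which is usually the point of checking the spec first.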


"Host is down. If it is really up, but blocking our ping probes, try -Pn" (-Pn skips the ping-based host discovery and port-scans every address as if it were up, so on a large range it is much slower)