1.6 C
Wednesday, December 7, 2022

Cool Nmap Tricks and Techniques

Nmap is a FREE popular tool that has many powerful features and we are probably not utilizing its capabilities to the fullest.

Nmap Tricks and Techniques

Here is my list of “not so” commonly used Nmap commands which you may find useful.

Use ranges and wildcards on your scanning

- Advertisement -
nmap -sA 192.168.*.1-10,250-254

This way you will scan everything starting with 192.168 and ending either with 1-10 or 250-254

Disable DNS name resolution

nmap -p 80 -n

You may want to disable reverse DNS resolution to speed up your scans.

Scan for top ports

nmap --top-ports 100

the “–top-ports” parameter will let you scan the target(s) on the top most common ports, in this example the top 100 common ports.

Get a list of servers with a specific port open

nmap -sT -p 8080 192.168.1.* | grep open

Change the -p argument with the port you want to scan for.

Scan your network for rogue Access Points

nmap -A -p1-85,113,443,8080-8100 -T4 –min-hostgroup 50 –max-rtt-timeout 2000 –initial-rtt-timeout 300 –max-retries 3 –host-timeout 20m –max-scan-delay 1000 -oA RogueAPScan

Scan using a decoy to avoid being caught

nmap -sS -D

With this command, you are scanning the ports on host but the security logs will show the IP address of your “decoy” address: Note that you can use multiple addresses for decoy and the decoy address needs to be alive.

Find the number of Linux and Windows devices on your network

sudo nmap -F -O | grep "Running: " > /tmp/os; echo "$(cat /tmp/os | grep Linux | wc -l) Linux device(s)"; echo "$(cat /tmp/os | grep Windows | wc -l) Window(s) devices"

Spoof source port

nmap -sS -p80 -g53 -PN -n

You can spoof the originating port of the scanner to trick firewalls that only allow traffic coming from specific ports. Port 53 (DNS) is usually allowed on most networks.

Test if the target is vulnerable to DoS attacks

nmap --script dos -Pn

You will not actually perform a DoS attack, but Nmap will tell you if the host is vulnerable to one.

Run a full vulnerability test

nmap -Pn --script vuln

This way you can run a full vulnerability test against your target using Nmap’s scripting engine (NSE)

Launch brute force attacks

nmap -p 1433 --script ms-sql-brute --script-args userdb=usersFile.txt,passdb=passwordsFile.txt

You can use Nmap to perform brute force attacks for several applications like FTP, WordPress, and MS-SQL like the example above. You must specify a user file and a password file for the scanner to use and test them against the application.

Detect malware-infected hosts

nmap -sV --script=http-malware-host

Nmap is able to detect malware and backdoors by running extensive tests on a few popular OS services like on Identd, Proftpd, Vsftpd, IRC, SMB, and SMTP.

You may also use Google’s Malware check:

nmap -p80 --script http-google-malware targetwebsite.com

List reverse DNS records on a subnet

nmap -R -sL | awk ‘{if($3==”not”)print”(“$2″) no PTR”;else print$3″ is “$2}’ | grep ‘(‘


What is the main use for Nmap?

Nmap is a network scanning tool that uses IP packets to identify all the devices connected to a network and to provide information on the services and operating systems they are running.

How many types of Nmap scans are there?

Ping sweep
SYN Scan
TCP connect scan
TCP ACK scan
TCP Maimon scan
UDP scan
Idle scan
RPC scan
TCP Window scan
Bounce scan
FIN scan
Null scan
XMAS scan

Is Nmap scanning legal?

Network probing or port scanning is only permitted when explicitly authorized by the owner of the destination host and/or network. Unauthorized port scanning, for any reason, is strictly prohibited.

Can you detect a Nmap scan?

It is hard to detect scans with high accuracy. Special tools to detect port scans like PortSentry and Scanlogd can be used to detect Nmap scans.

Can Nmap detect vulnerabilities?

Yes. Nmap can also show you a list of active live hosts, available ports, and the operating systems running on every device connected. Nmap can also be used to identify vulnerabilities in your network. Once Nmap identifies the version and applications running on a specific host it can then further determine their open vulnerabilities.

How accurate is Nmap?

Nmap is fairly accurate. There are several cases where Nmap cannot detect a machine’s OS. Nmap needs at least one open and one closed port to perform OSD accurately. In the case where a machine on the network does not accept incoming connections, Nmap will not be able to determine the machine’s OS.

Can Nmap bypass firewalls?

Nmap offers several scan methods that are good at sneaking past firewalls while still providing the desired port state information. FIN scan is one such technique.

How long does a full Nmap scan take to complete?

Nmap takes about 21 minutes for each host connected to the network.

Website | + posts

Dimitris is an Information Technology and Cybersecurity professional with more than 20 years of experience in designing, building and maintaining efficient and secure IT infrastructures.
Among others, he is a certified: CISSP, CISA, CISM, ITIL, COBIT and PRINCE2, but his wide set of knowledge and technical management capabilities go beyond these certifications. He likes acquiring new skills on penetration testing, cloud technologies, virtualization, network security, IoT and many more.

Also Read