$devvkit learn --librarie nmap-guide
Nmap Guide
[networking][security][scanning][enumeration]
Network Diagnostics
Install
sudo apt install nmap brew install nmap # Windows: nmap.org/download.html # GUI: Zenmap (included with Windows installer)
Nmap sends crafted packets and analyzes responses to determine which hosts are alive, what ports are open, and what services are running. The NSE (Nmap Scripting Engine) extends this with vulnerability checks, service enumeration, and brute-force modules.
Master these scan types: `-sS` (SYN stealth scan — default as root), `-sT` (TCP connect — no root needed), `-sU` (UDP scan — slow, pair with `--top-ports`), `-sn` (ping sweep — find live hosts). Always use `-sV` for service version detection.
NSE scripts are located in `/usr/share/nmap/scripts/`. Run `--script vuln` for a quick vulnerability assessment. Use `-oA output` to save all formats (normal, XML, grepable). GUI: Zenmap for visual topology maps and saved profiles.
Host Discovery
Ping sweep— Find live hosts on subnet.
nmap -sn 192.168.1.0/24 # Fast: ICMP + TCP 443 + TCP 80 nmap -sn 10.0.0.0/24 --exclude 10.0.0.1 sudo nmap -sL 192.168.1.0/24 # List scan — no packets, just DNS resolution
Output formats— Save results.
nmap -oN scan.txt 192.168.1.1 # Normal nmap -oX scan.xml 192.168.1.1 # XML nmap -oG scan.gnmap 192.168.1.1 # Grepable nmap -oA scan 192.168.1.1 # All formats at once # XML to HTML: xsltproc scan.xml -o scan.html
Port Scanning
Quick port scan— Top 1000 ports.
sudo nmap -sS 192.168.1.1 # SYN scan (fast, needs root) nmap -sT 192.168.1.1 # TCP connect (no root) nmap -sS -p- 192.168.1.1 # ALL ports (65535 — slow) nmap -sS -p 22,80,443,8080,8443 192.168.1.1 # Specific ports
UDP scan— Find UDP services.
sudo nmap -sU 192.168.1.1 # UDP scan (slow) sudo nmap -sU --top-ports 200 192.168.1.1 # Only top 200 UDP ports sudo nmap -sS -sU -p U:53,161,T:22,80 10.0.0.1 # Mix UDP + TCP ports
Service Detection
Service + OS detection— Fingerprint services and OS.
sudo nmap -sS -sV 192.168.1.1 # Service versions sudo nmap -sS -sV -O 192.168.1.1 # + OS detection sudo nmap -sS -sV -O --osscan-guess 192.168.1.1 # Aggressive OS guess nmap -A 192.168.1.1 # Aggressive: OS, version, scripts, traceroute
NSE Scripts
Vulnerability scripts— Run NSE vuln scan.
nmap --script vuln 192.168.1.1 # All vulnerability checks nmap --script http-* 192.168.1.1 # All HTTP-related scripts nmap --script ssl-enum-ciphers -p 443 example.com # TLS cipher audit nmap --script dns-brute --script-args dns-brute.domain=example.com
Script: HTTP enum— Enumerate web server.
nmap --script http-enum -p 80,443 example.com # Discovers: /admin, /backup, /wp-admin, /.git, /api nmap --script http-headers -p 80,443 example.com nmap --script http-methods --script-args http-methods.url-path=/api -p 80 example.com
Performance
Performance tuning— Speed up large scans.
sudo nmap -sS -T5 -p 80,443 --max-rtt-timeout 100ms 192.168.1.0/24 sudo nmap -sS --min-rate 10000 -p 80,443 10.0.0.0/8 sudo nmap -sS -T4 --max-retries 2 192.168.1.1 # -T0 (paranoid) .. -T5 (insane) — timing templates
Stealth
Firewall evasion— Detect firewall rules.
sudo nmap -sS -f 192.168.1.1 # Fragment packets (bypass some filters) sudo nmap -sS -D decoy1.com,decoy2.com 192.168.1.1 # Decoy scans sudo nmap -sS --data-length 200 192.168.1.1 # Pad packets to normal size nmap -sT --source-port 53 192.168.1.1 # Use DNS port (often allowed)