I will break down the options for each command.
Command 1: sudo nmap -sn --discovery-ignore-rst 10.0.0.* -oG - | awk '/Up$/{print $2}'
Summary: This command is used to build a list of “up” machines on a specific subnet (in this case, 10.0.0.*).
Breakdown:
- sudo nmap -sn 10.0.0.*: Performs a simple ping scan (-sn) on the entire 10.0.0.* subnet to discover active hosts without scanning their ports.
- -oG -: Outputs the results in “grepable” format (-oG) and sends the output to standard output (-).
- | awk '/Up$/{print $2}': Pipes the output to the awk command, which keeps only the lines ending in "Up" (the "Host: <ip> (<hostname>) Status: Up" records) and prints the second whitespace-separated field, which is the IP address of the active host.
- --discovery-ignore-rst: This option tells Nmap to ignore TCP RST packets, which can be useful in certain network environments where firewalls or other devices might send RST packets, falsely indicating that a host is down. It is an Nmap option, so it must appear before the pipe, not after the awk command.
Command 2: sudo nmap -PS21,22,23,25,53,80,110,111,135,139,143,443,445,993,995,1723,3306,3389,5900,8080 -PU123,137,138,161,623,631 -v1 --max-retries=0 -sn --discovery-ignore-rst --open --reason -oA {whateverSubnet_discovery} {subnet}
Summary: This is a comprehensive discovery command used to identify active hosts on a subnet by probing a wide range of common TCP and UDP ports. It’s designed to be fast and stealthy.
Breakdown:
- sudo nmap: Runs the command with elevated privileges.
- -PS… -PU…: Specifies a ping scan using both TCP SYN probes (-PS) and UDP probes (-PU) on a long list of common ports. This is a more robust host discovery method than a simple ICMP ping.
- -v1: Sets the verbosity level to 1, providing more detailed output.
- --max-retries=0: Sets the number of retries to zero, which speeds up the scan by not re-attempting probes to non-responsive hosts.
- -sn: Performs a host discovery scan only, without port scanning.
- --discovery-ignore-rst: Ignores TCP RST packets during the discovery phase.
- --open: Only shows hosts with open ports, which is a key indicator of an active machine.
- --reason: Displays the reason Nmap decided a host or port was in its current state.
- -oA {whateverSubnet_discovery} {subnet}: Outputs the results in all available formats (XML, Nmap, and grepable) to files with the specified base name ({whateverSubnet_discovery}) for the given subnet.
Command 3: nmap -Pn -n -sS -p- -sV --min-hostgroup 255 --min-rtt-timeout 25ms --max-rtt-timeout 100ms --max-retries 1 --max-scan-delay 0 --min-rate 1000 -oA <customer-#> -vvv --open -iL <IPLIST>
Summary: This command is a highly optimized full port scan designed for speed and thoroughness on a list of known active hosts. It aims to identify all open ports and their associated service versions.
Breakdown:
- nmap: The command-line tool.
- -Pn: Treats all hosts as online, skipping the host discovery phase, which is useful when you have a pre-built list of “up” machines.
- -n: Disables DNS resolution, speeding up the scan.
- -sS: Performs a TCP SYN scan, also known as a half-open scan, which is fast and stealthy.
- -p-: Scans all 65535 ports on each target.
- -sV: Attempts to determine the service and version of applications running on open ports.
- --min-hostgroup 255: Scans at least 255 hosts in parallel to increase efficiency.
- --min-rtt-timeout 25ms --max-rtt-timeout 100ms --max-retries 1: These options aggressively tune the timing parameters to make the scan very fast by reducing timeouts and retries.
- --max-scan-delay 0: Disables the delay between probes, further increasing speed.
- --min-rate 1000: Ensures that at least 1000 probes are sent per second.
- -oA <customer-#>: Outputs the scan results in all three major formats (XML, Nmap, and grepable) to files with a name based on the <customer-#>.
- -vvv: Provides a very high level of verbosity, showing a lot of detail during the scan.
- --open: Only shows ports that are open.
- -iL <IPLIST>: Reads the target IP addresses from a specified input file, which is likely generated by the first command.
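The three commands are glued together by Nmap's grepable output: Command 1's awk filter turns a discovery .gnmap into the host list that Command 3 reads with -iL, and Command 3's -oA drops another .gnmap whose "Ports:" records hold the open ports and -sV versions. The script below is an added example (not part of the original post) that shows how to parse both stages offline. The two sample outputs are constructed for illustration; the addresses, hostnames and version strings are made up and the field layout follows the standard gnmap format. The up_hosts function is exactly Command 1's awk filter; open_ports is an assumed helper that splits each port record on "/" into its port, state, protocol, service and version fields.

```shell
#!/bin/sh
# Added example: parse the grepable (-oG / .gnmap) output produced by the
# discovery and port-scan commands above. All sample data is constructed.

# Constructed stand-in for "nmap -sn -oG -" output. Down hosts only appear
# in this format when verbosity is raised, so one is included to show that
# the filter really discards it.
DISCOVERY_GNMAP=$(cat <<'EOF'
# Nmap 7.94 scan initiated Mon Jan  1 10:00:00 2024 as: nmap -sn -oG - 10.0.0.*
Host: 10.0.0.1 ()	Status: Up
Host: 10.0.0.5 (printer.example.lan)	Status: Up
Host: 10.0.0.9 ()	Status: Down
# Nmap done at Mon Jan  1 10:00:03 2024 -- 256 IP addresses (2 hosts up) scanned in 3.21 seconds
EOF
)

# Constructed stand-in for the .gnmap written by "-sS -p- -sV --open -oA".
# Each port record is port/state/proto/owner/service/rpc/version/ and the
# records are separated by ", "; a "?" after the service means -sV could not
# confirm it.
PORTSCAN_GNMAP=$(cat <<'EOF'
# Nmap 7.94 scan initiated Mon Jan  1 10:05:00 2024 as: nmap -Pn -n -sS -p- -sV --open -oG - -iL iplist.txt
Host: 10.0.0.5 ()	Ports: 22/open/tcp//ssh//OpenSSH 8.9p1 Ubuntu/, 80/open/tcp//http//nginx 1.18.0/	Ignored State: closed (65533)
Host: 10.0.0.1 ()	Ports: 443/open/tcp//https?///	Ignored State: filtered (65534)
# Nmap done at Mon Jan  1 10:06:10 2024 -- 2 IP addresses (2 hosts up) scanned in 70.02 seconds
EOF
)

# Command 1's filter, unchanged: keep lines ending in "Up", print field 2 (the IP).
# Reads a .gnmap on stdin; the result is the file you hand to Command 3 with -iL.
up_hosts() {
  awk '/Up$/{print $2}'
}

# Assumed helper: one line per open port as "<ip> <port>/<proto> <service> [version]".
# The IP is field 2 of the Host line; everything after "Ports: " is split on
# ", " into records, and each record on "/" into its seven fields. The last
# record carries the trailing "Ignored State" text in field 8, which is ignored.
open_ports() {
  awk '/Ports:/ {
    ip = $2
    ports = substr($0, index($0, "Ports: ") + 7)
    n = split(ports, rec, ", ")
    for (j = 1; j <= n; j++) {
      split(rec[j], f, "/")
      if (f[2] == "open")
        printf "%s %s/%s %s%s\n", ip, f[1], f[3], f[5], (f[7] != "" ? " " f[7] : "")
    }
  }'
}

# Stand-alone run: show the host list, then the open-port inventory.
printf '%s\n' "$DISCOVERY_GNMAP" | up_hosts
printf '%s\n' "$PORTSCAN_GNMAP" | open_ports
```

Against real files the same functions are used as `up_hosts < subnet_discovery.gnmap > iplist.txt` and `open_ports < customer.gnmap`; because awk splits on any whitespace and the port parser keys on the literal "Ports: " string, the tab separators Nmap writes and the spaces a copy-paste may turn them into are both handled.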
