2024-05-08
Common Nmap Flags

Typically, if one wants to detect a port that is somehow dropped by cloud service providers like AWS, the -sS flag (SYN stealth scan) should be enough.

Further info can be collected once the port has been confirmed open.

  1. -sS (TCP SYN Scan):
  • This flag instructs Nmap to perform a TCP SYN scan, also known as a half-open scan. It sends SYN packets to the target ports and analyzes the responses to determine which ports are open, closed, or filtered.
  2. -sT (TCP Connect Scan):
  • This flag tells Nmap to perform a TCP connect scan, in which Nmap completes the full TCP three-way handshake to determine the state of the target ports.
  3. -sU (UDP Scan):
  • This flag enables Nmap to perform a UDP scan, used to identify open UDP ports on the target system. UDP scans can be slower than TCP scans due to the stateless nature of the UDP protocol.
  4. -p (Port Specification):
  • The -p flag allows you to specify which ports to scan. You can specify individual ports, ranges of ports, or a combination of both. For example, -p 1-1000 scans ports 1 through 1000.
  5. -A (Aggressive Scan):
  • The -A flag enables OS detection, version detection, script scanning, and traceroute. It’s a comprehensive option that provides detailed information about the target.
  6. -O (Enable OS Detection):
  • This flag instructs Nmap to attempt to determine the operating system running on the target host based on various characteristics observed during the scan.
  7. -v (Verbose Output):
  • The -v flag increases the verbosity of Nmap’s output, providing more detailed information about the scan process.
  8. -T (Timing Template):
  • The -T flag allows you to specify the timing template for the scan. Options range from 0 (paranoid) to 5 (insane), affecting the speed and aggressiveness of the scan.
  9. -o (Output to File):
  • The -o flag allows you to specify the output format and destination for the scan results. For example, -oN scan_results.txt saves the output in normal format to a file named scan_results.txt.

2024-04-03
Nmap Service Resolution

There are two files we are interested in.

  • nmap-services: a list of well known services by port

  • nmap-service-probes: matching rules for detecting service by response

The default service-to-port mapping in Python's socket module is incomplete.

# find that with mlocate
# file_path = '/usr/share/nmap/nmap-services'
file_path = "./nmap-services"
with open(file_path, 'r') as f:
    line_list = f.read().split('\n')
for line in line_list:
    if line.startswith("#") or not line.strip():
        # it is a comment or a blank line (the file ends with one)
        continue
    else:
        # process this line
        content = line.split('#')[0].strip()  # strip away trailing comments
        # fields are tab-separated in the real file, so split on any whitespace
        components = content.split()
        # must be three: service name, port/protocol, open frequency
        assert len(components) == 3, f"abnormal component count for content: '{content}'"
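As an added example (not the post's own code), here is a parser for the nmap-services layout that builds a (port, protocol) lookup table and consults Python's socket module only for ports Nmap does not list. The sample file contents are constructed to mirror the real file's format; the function names are my own.

```python
import socket
from typing import Dict, Optional, Tuple

# Constructed sample in the nmap-services layout (real file: /usr/share/nmap/nmap-services):
# <service name> <port>/<proto> <open frequency> [# comment], tab-separated; '#' starts a comment.
SAMPLE_NMAP_SERVICES = """\
# Fields in this file are: Service name, portnum/protocol, open-frequency, optional comments
ftp\t21/tcp\t0.197667\t# File Transfer [Control]
ssh\t22/tcp\t0.182286\t# Secure Shell Login
domain\t53/udp\t0.213496\t# Domain Name Server
http\t80/tcp\t0.484143\t# World Wide Web HTTP
wsman\t5985/tcp\t0.000012\t# WBEM WS-Management HTTP

unknown\t49152/tcp\t0.000000
"""

ServiceTable = Dict[Tuple[int, str], Tuple[str, float]]


def parse_nmap_services(text: str) -> ServiceTable:
    """Map (port, proto) -> (service name, open frequency), skipping comments and blanks."""
    table: ServiceTable = {}
    for raw in text.splitlines():
        content = raw.split("#", 1)[0].strip()  # drop whole-line and trailing comments
        if not content:
            continue
        fields = content.split()  # tabs in the real file; any whitespace works here
        if len(fields) != 3:
            raise ValueError(f"abnormal component count for content: '{content}'")
        name, port_proto, freq = fields
        port_str, proto = port_proto.split("/", 1)
        table[(int(port_str), proto)] = (name, float(freq))
    return table


def service_name(table: ServiceTable, port: int, proto: str = "tcp") -> Optional[str]:
    """Prefer Nmap's table; fall back to the (incomplete) socket database; None if unknown."""
    hit = table.get((port, proto))
    if hit is not None:
        return hit[0]
    try:
        return socket.getservbyport(port, proto)
    except OSError:
        return None


if __name__ == "__main__":
    tbl = parse_nmap_services(SAMPLE_NMAP_SERVICES)
    for p, proto in [(22, "tcp"), (53, "udp"), (5985, "tcp")]:
        print(p, proto, service_name(tbl, p, proto))
```

Point it at the real file with `open('/usr/share/nmap/nmap-services').read()` to get the full table.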


2022-12-02
Exploring Python Libraries And Resources For Nmap Network Scanning

  • nmap python scripting

  • python3-nmap and doc

  • doc of nmapthon python scriptable nse

  • python-nmap
