Skip to main content

Other Tips & Tricks


Creating Filtered Randomized Target Lists​

Nmap can manipulate target lists to create randomized target lists, exclude specific IPs from a target list, and expand IPs from a CIDR range.

nmap -sL --randomize-hosts -iL /etc/target.hosts  --excludefile /etc/exclude.hosts | grep 'report for' | awk '{print $5}'
  • -sL lists targets and expands hosts and IP CIDRs without actually scanning them
  • --randomize-hosts randomizes the output list
  • -iL takes an input list of hosts and IP addresses/CIDRs
  • --excludefile takes an input list of hosts and IP addresses/CIDRs to remove from the output list
    • --exclude can be used to provide hosts/IPs directly in the commandline

Nmap Output Formatting​

Nmap provides multiple ways to save and format scan results, making it easier to analyze, share, or automate tasks. By using the various output formats, you can store scan data for different use cases, ranging from manual analysis to automated integration into other tools.

Nmap offers several options for saving scan results in different formats:

  • Normal Output (-oN): The default human-readable detailed format.
  • XML Output (-oX): A machine-readable format that can be easily parsed.
  • Grepable Output (-oG): A line-based format useful for quick searching and filtering.
  • All Formats (-oA): Generate all of the above formats at once.
Terminal output

Using - as the "filename` for any of the output format options while redirect the output to the STDOUT terminal instead of a file. This can be used to create one-liners that immediately parse the returned data - although it is bad practice to not save it to a file first.

nmap -sV 192.168.1.0/24 -oG - | cut -d " " -f 2,4

Normal Output (-oN)​

The normal output format (-oN) is the standard, human-readable format of Nmap results. It contains detailed information about the scan, including open ports, service information, and additional host details.

  • Example:
    nmap -sV 192.168.1.1 -oN scan_results.txt
  • Use Case: When you want a detailed, human-readable summary of the scan to review or share.
  • Why: Normal output is easy to read, making it suitable for manual analysis and reporting.
  • Sample Output:
    # Nmap 7.93 scan initiated Wed Sep 20 12:34:56 2024 as: nmap -sV 192.168.1.1
    Nmap scan report for 192.168.1.1
    Host is up (0.0012s latency).
    PORT STATE SERVICE VERSION
    22/tcp open ssh OpenSSH 7.4
    80/tcp open http Apache httpd 2.4.6
    MAC Address: 00:1C:42:2E:60:4A (Unknown)

XML Output (-oX)​

XML output (-oX) is used for a structured, machine-readable format that can be parsed easily for automated tools or scripts.

  • Example:
    nmap -sV 192.168.1.1 -oX scan_results.xml
  • Use Case: Use XML output when integrating scan results into other applications or when importing into tools that accept XML.
  • Why: XML is standardized and can be parsed by scripts or imported into databases.
XML Parsing with Python

Python's xml.etree.ElementTree library can be used to parse the XML output.

import xml.etree.ElementTree as ET

tree = ET.parse('scan_results.xml')
root = tree.getroot()

for host in root.findall('host'):
address = host.find('address').get('addr')
for port in host.findall(".//port"):
portid = port.get('portid')
state = port.find('state').get('state')
print(f"Host {address} has port {portid} {state}")

Grepable Output (-oG)​

Grepable output (-oG) provides a quick way to extract relevant information by using tools like grep or awk.

  • Example:
    nmap -sV 192.168.1.1 -oG grepable_output.txt
  • Use Case: When you need to filter specific results from multiple hosts quickly.
  • Why: -oG is useful for parsing the results with command-line utilities and extracting specific information.
Grepping for a live IP list
nmap -sn 192.168.17.0/24 -oG - | grep "Status: Up" | awk '{print $2}'
192.168.17.1
192.168.17.10
192.168.17.20
192.168.17.100
192.168.17.101
192.168.17.103
192.168.17.104
192.168.17.105
Grepping for a list of IPs with a specific port open
nmap -Pn -p 5985 192.168.17.0/24 -oG - | grep "5985/open" | awk '{print $2}'
192.168.17.10
192.168.17.20
192.168.17.100
192.168.17.101
192.168.17.103
192.168.17.104
192.168.17.105

Output in All Formats (-oA)​

The -oA option allows you to generate the output in all three main formatsβ€”normal (-oN), XML (-oX), and grepable (-oG) β€” at once, resulting in .nmap, .xml, and .gnmap files respectively. This can be useful when you need to analyze the data in different ways or share it with different stakeholders.

  • Example:
    nmap -sV 192.168.1.1 -oA scan_results
  • Use Case: When you need versatile output for different purposes.
  • Why: -oA saves time and ensures you have the results in every format you might need for detailed analysis, automation, and quick extraction.

Verbose and Debug Output​

Nmap also provides options for controlling the verbosity and debugging level of the output.

Verbose Mode (-v and -vv)​

  • Use Case: Use verbose output to get more information during a scan, especially for tracking progress.
  • Why: Adding -v or -vv increases the verbosity level, giving more information about the scan process.

Debugging (-d and -dd)​

  • Use Case: Use debugging to troubleshoot issues or understand the scan's behavior in detail.
  • Why: The -d or -dd flag adds detailed debug information to the output, which is useful for understanding Nmap’s internal processing. Saving Output and Combining with Other Tools The output saved from Nmap can be directly used or piped into other tools for extended analysis.

Scanning Speed​

Nmap's scan speed can be adjusted using timing templates and specific options to optimize for stealth, speed, or efficiency based on your requirements and the nature of the target network. The speed of the scan is an important consideration depending on whether you want to be stealthy, minimize network impact, or quickly gather results.

Timing Templates: -T0 to -T5​

Nmap provides predefined timing templates (-T0 to -T5) to adjust the speed of scans. Each template is suited for a different purpose, allowing you to balance between speed and stealth.

  • -T0 (Paranoid)

    • Use Case: Used when scanning extremely sensitive networks or when attempting to avoid detection by Intrusion Detection Systems (IDS).
    • Speed: Very slow; it sends probes with long delays between them.
    • Why: It waits up to 5 minutes between probes, which makes it much less likely to be detected by IDS or automated defense mechanisms, making it useful for stealth scanning in highly monitored environments.
  • -T1 (Sneaky)

    • Use Case: Useful for environments where stealth is a priority, but you need slightly faster scans than -T0.
    • Speed: Slow, but faster than -T0.
    • Why: It introduces delays between probes, reducing the chances of detection while being a little more practical than -T0 for larger-scale scanning.
  • -T2 (Polite)

    • Use Case: When you need to avoid overwhelming the target or affecting network performance but can compromise a bit on speed.
    • Speed: Moderate; Nmap introduces delays to avoid congesting the network.
    • Why: This setting is particularly useful for scanning production networks during non-offensive security assessments where the goal is to minimize impact on services.
  • -T3 (Normal)

    • Use Case: The default setting for Nmap. Suitable for most general scanning scenarios where balance between speed and efficiency is needed.
    • Speed: Normal; no extra delays, balanced between speed and avoiding congestion.
    • Why: This option is a good starting point for general reconnaissance unless specific timing constraints or stealth requirements apply.
  • -T4 (Aggressive)

    • Use Case: When scanning within environments where you control the network or have permission to be fast, such as internal assessments.
    • Speed: Faster than default; sends probes with minimal delay.
    • Why: This setting increases the number of packets sent per second and reduces wait times, making it effective for quickly enumerating hosts and services in permissive networks.
  • -T5 (Insane)

    • Use Case: Ideal for situations where speed is the primary concern, such as very large-scale scans or testing your own network’s defenses.
    • Speed: Very fast; sends probes at the highest rate.
    • Why: This mode is highly likely to be detected by firewalls and IDS and could overwhelm the target, but it is useful for controlled environments where speed is the goal.

Fine-Tuning Scan Speed​

In addition to the timing templates, there are specific options and parameters that allow you to adjust the speed of Nmap scans more precisely.

  • --host-timeout

    • Use Case: Specifies a maximum time limit to scan each host.
    • Example:
      nmap --host-timeout 30s 192.168.1.1
    • Why To avoid spending too much time on unresponsive hosts, --host-timeout sets a deadline for each host, ensuring that scans do not get stuck.
  • --min-rate and --max-rate

    • Use Case: Adjusts the rate of packet transmission per second, providing fine control over how aggressive the scan is.
    • Example:
      nmap --min-rate 1000 192.168.1.1
    • Why The --min-rate option forces Nmap to send at least 1000 packets per second, increasing the speed of the scan. Conversely, --max-rate limits the speed to avoid overwhelming the network.
  • --min-parallelism and --max-parallelism

    • Use Case: Controls the number of parallel operations used during a scan.
    • Example:
      nmap --min-parallelism 10 192.168.1.1
    • Why Increasing parallelism allows Nmap to perform multiple operations simultaneously, speeding up the overall process. Be cautious, as it could lead to more detectable traffic.
  • --scan-delay and --max-scan-delay

    • Use Case: Introduces a delay between sending probes.
    • Example:
      nmap --scan-delay 500ms 192.168.1.1
    • Why Adding a delay between probes helps in avoiding IDS or traffic rate limits. --scan-delay sets a fixed delay, while --max-scan-delay lets Nmap adapt delays as needed.

Nmap Scripting Engine (NSE)​

The Nmap Scripting Engine (NSE) allows users to leverage a large number of custom scripts for more powerful scans, ranging from service enumeration to vulnerability detection and exploitation.

NSE scripts are written in the Lua programming language and are designed to extend Nmap’s functionality beyond simple scanning and port identification. Scripts are grouped into different categories, like auth, discovery, exploit, vuln, etc.

Script Categories

Scripts in NSE are grouped by categories, allowing you to target specific types of information.

  • auth: Determination of authentication credentials.
  • broadcast: Scripts, which are used for host discovery by broadcasting and the discovered hosts, can be automatically added to the remaining scans.
  • brute: Executes scripts that try to log in to the respective service by brute-forcing with credentials.
  • default: Default scripts executed by using the -sC option.
  • discovery: Evaluation of accessible services.
  • dos: These scripts are used to check services for denial of service vulnerabilities and are used less as it harms the services.
  • exploit: This category of scripts tries to exploit known vulnerabilities for the scanned port.
  • external: Scripts that use external services for further processing.
  • fuzzer: This uses scripts to identify vulnerabilities and unexpected packet handling by sending different fields, which can take much time.
  • intrusive: Intrusive scripts that could negatively affect the target system.
  • malware: Checks if some malware infects the target system.
  • safe: Defensive scripts that do not perform intrusive and destructive access.
  • version: Extension for service detection.
  • vuln: Identification of specific vulnerabilities.
Listing Available Scripts

You can list all available NSE scripts by enumerating their default directory:

ls /usr/share/nmap/scripts/
Getting Script Help

You can get detailed info about how a particular script works, as well as available arguments and a description with --script-help <SCRIPT_NAME>.

Passing Arguments to Scripts

Many NSE scripts accept arguments to customize their behavior - some scripts require arguments to work effectively, especially those that interact with services needing credentials.

This example shows performing a brute-force attack on an FTP service using custom username and password lists.

nmap --script ftp-brute --script-args userdb=/path/to/users.txt,passdb=/path/to/passwords.txt 192.168.1.1

Running Default Scripts​

The default script scan uses a collection of NSE scripts considered safe and useful for general reconnaissance.

nmap -sC 192.168.1.1
  • Use Case: A general script scan to discover service versions and gather additional information about a target.
  • Why: -sC is equivalent to --script=default, running a set of useful but safe scripts without much risk of triggering defenses or causing harm.

Running a Specific Script​

Running multiple scripts

You can use wildcards to select scripts, such as so:

nmap --script 'http-*'

This will run all scripts that start with http-.

You can also run multiple scripts by separating them with commas.

nmap --script=ftp-anon,http-methods 192.168.1.1

You can specify a particular script to target specific services or vulnerabilities.

nmap --script=http-title 192.168.1.1
  • Use Case: Depends on the script, but in this example the script extracts the title of web pages from HTTP services.
  • Why: Depends on the script, but in this example the http-title script helps quickly identify the purpose of websites running on open ports.