Networking/Computing Tips/Tricks

In my prior article on nmap, I showed you how to get started with this superb network scanner.  In that article we did basic scans to locate what hosts were on a given network and display what services were running on those hosts.  In this article I am going to dig a little deeper, and scan a little deeper!  

Remember you can look at all the nmap options with ‘nmap -help’.  We certainly are not going to run through all of the options (there are so many).  But here are some fun ones to do a deeper dive.

Be careful here – make sure you have permission to scan the network you are on!

Sounds like a blast, so let's get started.

You can use nmap to get a nice report of what interfaces you have running on your system:

nmap --iflist

This will show interfaces, their addresses, the type of interface, status, MTU, and MAC.  You will also get a report of any routes available.  So nice.

Moving on.  In my case I have a system at the following IP:  Let's do a normal scan first:

[Screenshot: output of the normal scan]

Now let's do an AGGRESSIVE scan!!  This is done with the '-A' command:

[Screenshot: output of the aggressive scan]


Look at all the information we learned via nmap:  the operating system, the computer name, even the source SSH key, and much more.

Let me explain.  The -A command stands for aggressive scan, and it combines several other specific scan options:

  • -O [this is operating system detection]
  • -sC [for speed and verbosity]
  • --traceroute [performs a traceroute to the host]

Depending on the device being scanned you may get more or less fingerprint and factual information.

As we discussed in the first tip, nmap starts by using Ping and ICMP to discover and scan devices on the network.  If some devices are filtering ICMP you may not see them, and so a cool way to bypass the ICMP filters is to use a TCP scan.  TCP or Transmission Control Protocol uses a three-way handshake (SYN, SYN-ACK, ACK) to establish a session.  So what nmap does is fake this out by sending a SYN packet to the host's IP address to see if it responds!  Clever.  To do this use the -PS option.  Simply type:

nmap -PS

The default here is to use port 80.  But if you want to change that let's say to ports 21,22, and 80, you can change the command as follows:

nmap -PS21,22,80

You are not going to get much difference in output, but you may discover some additional hosts on the network.

If you want to not use SYN packets but ACK packets, just change the command to use a -PA instead:

nmap -PA

There are lots of different discovery options in nmap under the -P command.  Check out the man page for deeper information.

One of my favorite protocols to use for discovery is ARP (Address Resolution Protocol).  Since this protocol MUST be supported on Ethernet networks, we can leverage it to discover systems.  To do this you will have to be root, so the command is preceded with 'sudo', and you will be prompted for your password:

sudo nmap -PR

You can see that the '-PR' (R is the ARP protocol) has been used.  The output will be all the systems on the Ethernet that answer to that IP address range.  You cannot use this to scan hosts that are not on your local network.  This one is one of my favorites.

A slightly different scan approach uses the '-s' command instead of the '-P' command.  With the '-s' you may need root privileges so just in case I show them with the sudo command.  Here are a few I like:

  • sudo nmap -sS {IP address}  [this is for a TCP SYN scan]
  • sudo nmap -sA {IP address}  [this is for a TCP ACK scan]
  • sudo nmap -sF {IP address}  [this is for a TCP FIN scan]
  • sudo nmap -sT {IP address}  [this is for a TCP connect scan, less stealthy]
  • sudo nmap -sN {IP address}  [this is for a TCP null scan]
  • sudo nmap -sU {IP address}  [this is for a UDP scan]
  • sudo nmap -sX {IP address}  [this is for an Xmas scan with Urgent, FIN, and PSH bits set!]

Another cool one is to look at the Layer 3 IP and scan those protocols using the '-sO' (not zero):

sudo nmap -sO {IP address}  [this is for an IP scan and will check icmp, igmp, etc.]

You can also use nmap to do detailed traceroutes with the '--traceroute' option:

sudo nmap --traceroute {IP address or URL}

Here is an example (sorry Google):

[Screenshot: nmap traceroute output]


OK - what if you want to get a complete, quick and dirty scan of a network?  My favorite is this command:

nmap -sL

It will list out every address scanned and what, if any, devices it found on that network!  And it does this very quickly.  Try it. You may have to add sudo in front, but I usually do not.

You can control how often the scan occurs with the -T command.  The example below is going to scan every 5 seconds:

nmap -T10

What if you do not want to reveal what source address is doing the scan?  The answer is to use the -D command – the decoy command.  The address after the -D (there can be more than one) is the source that will be used:

nmap -sO -D

If you want verbose output, use the -v command:

nmap -v

What about IPv6?  Well, start here, assuming IPv6 is working on the machine you are running nmap on:

nmap -6 2001:db8::/64

I would always encourage you to do these scans on a network that you control or have permission to do these scans, and to use Wireshark to watch these processes so you can observe the behavior of nmap and the network devices being scanned.
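To make that Wireshark observation concrete, here is an added example (not part of the original article) that labels captured TCP probes by their flag bits, matching the SYN, ACK, FIN, null and Xmas scan types listed earlier, and counts distinct ports probed per source. It assumes the capture was exported as "source, destination port, flags in hex" lines (for instance with tshark's ip.src, tcp.dstport and tcp.flags fields); the sample lines and function names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the article): label TCP probes by their flag bits.
# Flag bits: FIN=0x01 SYN=0x02 RST=0x04 PSH=0x08 ACK=0x10 URG=0x20

# classify_flags HEX: print the probe type for one packet's tcp.flags value.
classify_flags() {
    f=$(( $1 & 0x3f ))      # keep the six classic bits, drop ECN/reserved
    case "$f" in
        0)  echo "null" ;;  # no flags at all        (TCP null scan)
        1)  echo "fin"  ;;  # FIN only               (-sF)
        2)  echo "syn"  ;;  # SYN only               (-sS, -sT, -PS)
        16) echo "ack"  ;;  # ACK only               (-sA, -PA)
        41) echo "xmas" ;;  # FIN+PSH+URG = 0x29     (-sX)
        *)  echo "other" ;; # replies and established traffic
    esac
}

# summarize_probes: read "SRC DPORT FLAGS" lines on stdin and print
# "SRC TYPE DISTINCT_PORTS" for every source that sent probe-like packets.
# sort -u collapses repeats so each distinct port is counted once.
summarize_probes() {
    while read -r src dport flags; do
        [ -n "$flags" ] || continue            # skip blank or short lines
        label=$(classify_flags "$flags")
        [ "$label" = "other" ] || echo "$src $label $dport"
    done | sort -u |
        awk '{ n[$1 " " $2]++ } END { for (k in n) print k, n[k] }' | sort
}

# Constructed sample (documentation addresses), in the assumed field order.
SAMPLE_CAPTURE='192.0.2.10 22 0x0002
192.0.2.10 80 0x0002
192.0.2.10 443 0x0002
192.0.2.10 80 0x0002
192.0.2.20 22 0x0029
192.0.2.20 23 0x0029
192.0.2.30 443 0x0018
192.0.2.40 25 0x0000
192.0.2.50 22 0x0001'

printf '%s\n' "$SAMPLE_CAPTURE" | summarize_probes
```

A lone SYN is how every ordinary connection begins, so for the syn label it is the distinct-port count that matters; the null, FIN-only and Xmas combinations do not open a normal session, which makes them stand out even at a count of one.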

As I said, there are many more options.  We hope this helps. 

