Explore Nmap Help and Options in Nmap

Introduction

In this lab, you will explore Nmap help and options to enhance your understanding of this powerful network scanning tool. You'll start by opening the terminal and running nmap --help to access the comprehensive help documentation. Then, you'll list scan types, view output options, and check timing templates using relevant commands. Additionally, you'll save the help information to a file and open it in the Xfce text editor.

Skills Graph

%%%%{init: {'theme':'neutral'}}%%%% flowchart RL nmap(("Nmap")) -.-> nmap/NmapGroup(["Nmap"]) nmap/NmapGroup -.-> nmap/basic_syntax("Basic Command Syntax") nmap/NmapGroup -.-> nmap/output_formats("Output Formats") nmap/NmapGroup -.-> nmap/save_output("Save Output to File") nmap/NmapGroup -.-> nmap/scan_types("Scan Types and Techniques") nmap/NmapGroup -.-> nmap/target_specification("Target Specification") nmap/NmapGroup -.-> nmap/timing_performance("Timing and Performance") subgraph Lab Skills nmap/basic_syntax -.-> lab-547101{{"Explore Nmap Help and Options in Nmap"}} nmap/output_formats -.-> lab-547101{{"Explore Nmap Help and Options in Nmap"}} nmap/save_output -.-> lab-547101{{"Explore Nmap Help and Options in Nmap"}} nmap/scan_types -.-> lab-547101{{"Explore Nmap Help and Options in Nmap"}} nmap/target_specification -.-> lab-547101{{"Explore Nmap Help and Options in Nmap"}} nmap/timing_performance -.-> lab-547101{{"Explore Nmap Help and Options in Nmap"}} end

Open terminal and run nmap --help

In this step, you will learn how to access the help documentation for nmap directly from the terminal. nmap is a powerful network scanning tool, and understanding its options is crucial for effective usage. The --help option provides a comprehensive overview of nmap's functionalities, syntax, and available options.

To begin, open the terminal in your LabEx VM. You can find the terminal icon on the Xfce desktop. Once the terminal is open, type the following command and press Enter:

nmap --help

This command will display the nmap help documentation directly in the terminal. The output will include a description of nmap, its usage syntax, a list of available scan types, options, and other useful information.

You should see a long list of options and descriptions scroll through your terminal. Take a moment to review the output. You'll notice sections covering target specification, scan techniques, port specification, service and version detection, script scanning, OS detection, timing and performance, firewall/IDS evasion and spoofing, output, and miscellaneous options.

Example output (a snippet of the full output):

Nmap 7.80 ( https://nmap.org )
Usage: nmap [Scan Type(s)] [Options] {target specification}
TARGET SPECIFICATION:
...

This step has shown you how to access nmap's built-in help documentation. This is a valuable resource for understanding the tool's capabilities and options. In the following steps, you will explore some of these options in more detail.

List scan types with nmap -s*

In this step, you will explore how to list the available scan types in nmap using the -s* option. This option, combined with wildcard characters, allows you to quickly filter and identify scan types supported by nmap. Understanding scan types is essential for choosing the appropriate technique for your network assessment goals.

Open the terminal in your LabEx VM. If you closed it after the previous step, you can find the terminal icon on the Xfce desktop. Now, type the following command and press Enter:

nmap -s*

This command will likely result in an error message from nmap. This is because -s* by itself is not a valid command. The -s option in nmap is used to specify a scan type, and it requires a specific scan type identifier (e.g., -sS for TCP SYN scan, -sU for UDP scan). The * wildcard character is interpreted by the shell before being passed to nmap. Since there's no valid scan type that is literally named "*", nmap will complain.

However, we can use the output of nmap --help from the previous step and grep to filter for lines that describe scan types. Scan types are usually listed with the -s option.

To list the scan types, we can use the following command, which combines nmap --help with grep:

nmap --help | grep " -s[A-Z]"

This command first executes nmap --help and then pipes the output to the grep command. The grep command filters the output, searching for lines that contain " -s" followed by an uppercase letter. This pattern is commonly used to list the different scan types available in nmap.

Example output:

  -sL: List Scan - simply list targets to scan
  -sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
  -sU: UDP Scan
  -sN/sF/sX: TCP Null, FIN, and Xmas scans
  -sI <zombie host[:probeport]>: Idle scan
  -sY/sZ: SCTP INIT/COOKIE-ECHO scans
  -sO: IP protocol scan
  -sV: Probe open ports to determine service/version info
  -sC: equivalent to --script=default

The output shows a list of scan types, such as TCP SYN scan (-sS), TCP Connect scan (-sT), UDP scan (-sU), and others. Each scan type uses a different technique to probe the target system and gather information.

This step demonstrated how to use grep to filter the output of nmap --help and list the available scan types. In the following steps, you will explore other useful nmap options.

View output options with nmap -o*

In this step, you will learn how to list the available output options in nmap using the -o* notation. nmap provides various options for saving scan results in different formats. Understanding these options is crucial for effective reporting and analysis of scan data.

Open the terminal in your LabEx VM. If you closed it after the previous step, you can find the terminal icon on the Xfce desktop. Similar to the previous step, directly using nmap -o* will not work as intended because the shell expands the * before passing it to nmap, and nmap doesn't recognize the expanded argument.

Instead, we will use grep to filter the output of nmap --help and identify the lines that describe output options. The output options in nmap typically start with -o.

To list the output options, use the following command:

nmap --help | grep " -o[A-Z]"

This command executes nmap --help and pipes the output to the grep command. The grep command filters the output, searching for lines that contain " -o" followed by an uppercase letter. This pattern is commonly used to list the different output options available in nmap.

Example output:

  -oN <filespec>: Output scan in normal format to the given filename
  -oX <filespec>: Output scan as XML to the given filename
  -oS <filespec>: Output scan as s|<rIpt kIdd|3 format to the given filename
  -oG <filespec>: Output scan as grepable format to the given filename
  -oA <basename>: Output in the three major formats at once

The output shows a list of output options, such as normal output (-oN), XML output (-oX), script kiddie output (-oS), grepable output (-oG), and all formats output (-oA). Each option allows you to save the scan results in a specific format suitable for different purposes.

This step demonstrated how to use grep to filter the output of nmap --help and list the available output options. In the following steps, you will explore other useful nmap options.

Check timing templates with nmap -T*

In this step, you will learn how to check the available timing templates in nmap using the -T* notation. nmap provides timing templates that control the speed and aggressiveness of scans. Understanding these templates is important for balancing scan speed with accuracy and avoiding detection.

Open the terminal in your LabEx VM. If you closed it after the previous step, you can find the terminal icon on the Xfce desktop. Similar to the previous step, directly using nmap -T* will not work as intended because the shell expands the * before passing it to nmap, and nmap doesn't recognize the expanded argument.

Instead, we will use grep to filter the output of nmap --help and identify the lines that describe the timing templates. The timing templates in nmap are usually described with -T<0-5>.

To list the timing templates, use the following command:

nmap --help | grep " -T<0-5>:"

This command executes nmap --help and pipes the output to the grep command. The grep command filters the output, searching for lines that contain " -T" followed by a number between 0 and 5, and then a colon. This pattern is commonly used to list the different timing templates available in nmap.

Example output:

  -T<0-5>: Set timing template (higher is faster)

To get more details about each timing template, you can search for the description of each template individually. For example:

nmap --help | grep "time"

This will give you a more detailed explanation of the timing templates:

  -T<0-5>: Set timing template (higher is faster)
  --min-rtt-timeout <time>, --max-rtt-timeout <time>, --initial-rtt-timeout <time>: Specifies probe round trip time.

While this doesn't list each template individually, it shows the main option and hints at related timing options. To see the description of each template, you can manually search the output of nmap --help or refer to the nmap documentation online. The timing templates are:

-T0: paranoid (very slow, used for evasion)
-T1: sneaky (slow, used for evasion)
-T2: polite (slows down the scan to avoid overwhelming the target)
-T3: normal (default speed, a good balance between speed and accuracy)
-T4: aggressive (assumes a fast and reliable network)
-T5: insane (very aggressive, may be unreliable and overwhelming)

This step demonstrated how to use grep to filter the output of nmap --help and identify the timing template options. Understanding these templates allows you to adjust the scan speed and aggressiveness based on the target environment and your objectives.

Summary

In this lab, you explored Nmap help and options. First, you opened the terminal in your LabEx VM and ran nmap --help to access the comprehensive help documentation, which includes descriptions of usage syntax, scan types, and various options. You then listed scan types with nmap -s*, viewed output options with nmap -o*, and checked timing templates with nmap -T*. Finally, you saved the help to a file using nmap --help > nmap_help.txt and opened the file in the Xfce text editor.