Ultimate Nmap Scan

I have been doing lots of InfoSec research recently and have been learning quite a bit about nmap (Nmap is an open source security scanner that is used heavily by the pentesting community. Nmap can be used for several types of enumeration including host discovery, OS/version detection, port scanning, and even has its own scripting engine allowing the user to extend its functionality as desired). After reading what I can only describe as the nmap bible  (much the explanations provided for individual flags are heavily based on this book) and talking to some professionals I have a very robust nmap recipe for port scanning. 

sudo nmap --spoof-mac Cisco --data-length 9 \ -f -D,RND:5,ME -v -n -O -sS -sV \ -oA /home/rich/metasploit/ --log-errors \ -append-output -p T:1-1024,1433,2222,2249,7778,8080,9999 \ --randomize-hosts

Important always run nmap as the root user, running nmap as anything other than the super user with not actually allow you to run a stealth scan on a tcp system because of the layer of abstraction between the regular user and the interface. Also, port scanning is legal in the US, however some of these techniques would be considered intrusive (nearly all of the “aggressive mode” features) so as with all pentesting related things don’t be stupid and only scan what you have permission to scan.

Now for a flag by flag break down:

–spoof-mac Cisco: Spoof your mac address, other valid options would be a complete mac address, 0 for a completely random mac, a vendor’s OUI prefix, or another vendor name

–data-length 9: Appends 9 random bytes to most of the packets it sends

-f: Fragment packets

-D,RND:5,ME: Causes decoy scans to run simultaneously with your actual scan to help ids evasion and cause far more traffic in system logs

-v: Increases the verbosity of the output, you can also run -v -v to increase the verbosity to a higher level

-n: No DNS resolution

-O: Enables OS detection, less aggressive than nmap’s advanced OS detection and is usually just as good

-sS: Stealth TCP SYN scan, the most popular scan option. It is both quick and unobtrusive because it never completes any TCP connections.

-sV: Enables version detection

-oA /home/rich/metasploit/ Output to all formats (normal, greppable, and XML) and where to save the information

–log-errors: Self explanatory 

-append-output: If you prefer to keep scan results in a single file and keep appending new information to it this option is perfect, if you would like to create new files for various reasons leave this flag out 

-p T:1-1024,1433,2222,2249,7778,8080,9999: Specifies which TCP ports to scan. The ports specified in list list are generally the ones that provide the most valuable information. If not interested in specifying each one a similar option is the –top-ports followed by an integer of one or greater. The integer is the N highest ratio of ports found in nmap services. Finally to specify UDP ports you would replace T: with U:

–randomize-hosts Randomizes the target host order


–traceroute: To trace path to host over various hops

-A: Aggressive mode, this could be used instead of -sV -O –traceroute amongst other things. Helps keep the list of flags one needs to know shorter but would be considered intrusive.

-T paranoid|sneaky|polite|agressive|insane: Various timing controls for your scans

-PN: No Ping, to determine active machines to scan more robustly later

Excel-Fu: Column to comma separated

Bla bla bla nmap so on and so forth..

So here you are…a port scan result list. One column of data, and there’s nothing between you plugging this info into your vuln scanner besides the fact that your vuln scanner needs a comma separated list.

If Laziness prevails, skip the script writing and turn to Excel.

if Column A contains your ports(or anything else you want to craft into a list separated by commas..or whatever)…

Insert this function into cell B1

Insert this function into cell B2


And then drag the formula in B2 down to fill the rest of the B columns until there is no more data to match in column A.

The value in the last nonblank cell in column B will be your separated one line list.

Credit:Superuser.com: http://superuser.com/questions/240858/convert-a-column-into-a-comma-separated-list