
Questions tagged [nmap]

A robust and open source security tool for network discovery and security auditing.

0 votes
0 answers

Nmap can't scan ip outside my network [closed]

I am new to cyber security and networking and would like to ask, I installed on my virtual machine Kali Linux and in the settings enabled a bridged connection instead of NAT, but when a friend sent me ...
Snaks's user avatar
  • 1
5 votes
2 answers

Why does NMAP's Http-Method-Tampering Mark a Server's 405 Code as Vulnerable?

I recently tested a custom server with the http method tamper script from NMAP. It reported the server as being vulnerable with the following output: nmap -p 8000 -sV --script http-method-tamper 192....
Tung's user avatar
  • 236
2 votes
0 answers

Why is every port open on every scan I do [duplicate]

I have been hired to do some tests on networks but however every time I do a scan every port is open. This is using nmap and homemade tools. This has been an ongoing problem. I created a script to check ...
Don Schulz's user avatar
1 vote
1 answer

nmap does not work through proxychains

Despite the already existing answers about this topic, I am still unable to use nmap through proxychains. I would like to scan the port 80 of a machine I can connect using SSH. To do so, I enabled ...
Pierre's user avatar
  • 133
0 votes
0 answers

How to perform focused scan of public IP using nmap? [duplicate]

Scanning my router using the private IP address using nmap reveals the open ports: Obtaining the public IP address of the router can be achieved by executing the command: nslookup ...
machine_1's user avatar
  • 101
2 votes
2 answers

Attack surface when no incoming port is open [closed]

Let's assume that the only attack to be feared on a computer is one via the network in which the machine is embedded. What options does an attacker have if the machine has no open incoming ports? (For ...
fkarger's user avatar
  • 21
0 votes
0 answers

Default nmap script execution when specifying --script banner

I have a subscription for an NSE scripts feed for nmap. There are some of those scripts which have the default category (among others). I am running nmap in the following way: nmap --privileged -oX - -T3 ...
alvaroalo's user avatar
0 votes
0 answers

nmap scanning a slow host

Is there a way to make nmap wait longer for replies (10 seconds)? I want to scan an embedded device which utilizes some sleep modes and it processes packets from wi-fi module with very high ...
Misaz's user avatar
  • 101
0 votes
0 answers

NMAP same destination ip, different scanner interface, different result

I am trying to check the port status of an external IP using NMAP. I am getting different results on different interfaces to the same destination (destination is a public IP). When NMAP tried from the ...
Shaim Khanusiya's user avatar
1 vote
0 answers

NMAP sending ARP request to destination IP instead of default gateway [closed]

I am doing an NMAP port scan to a remote IP present in a different subnet. NMAP initiates an ARP request first to the remote IP instead of the default gateway (even if the ARP entry is present in the ...
Shaim Khanusiya's user avatar
1 vote
1 answer

Vulnerability scanning on target Android device

Is there an nmap vulnerability scanning script (vuln, vulscan, nmap-vulners etc) for scanning target Android devices on the network? If not, is there any specific scanning tool that scans for CVE on ...
Ajay's user avatar
  • 41
1 vote
1 answer

Nmap recommendations for ICS scanning

ICS systems seem to have to be handled with care concerning network load. So my question is if you probably have any suggestions on how to configure nmap to scan as many machines as possible in ...
user77029's user avatar
1 vote
0 answers

What tool can I use to verify the output from Nmap? [closed]

With OS detection enabled I noticed that the device fingerprints is running something entirely wrong. Is there another tool that I can use that can verify since something looks odd?
maye's user avatar
  • 11
0 votes
1 answer

Nmap is returning different results when run on different source networks on the target same network

I am running a CODA4680 in bridge mode connected to my pfsense 1100 (and yes it is getting a true public ip). I set it up the standard way, didn't touch the rules. I performed an NMAP scan from my ...
Philimel's user avatar
0 votes
1 answer

Reason ports are toggling between no-response and host unreachable for the SAME machine, why?

I'm trying to learn pentesting and one thing that triggers me for my workshop is : I have an ip address where all reason's ports are no-response, the status for all ports are filtered but when I re-do ...
Zokulko's user avatar
  • 101
1 vote
1 answer

nmap: no exact OS matches when adding the exact signature to nmap-os-db

I'm currently trying to learn Nmap -O (OS guess feature). I'm launching the following command: nmap -O This command is generating the following fingerprint as output: No exact OS ...
kefete's user avatar
  • 11
3 votes
2 answers

nmap doesn't give service versions using -sV

Running the command nmap -sV -T4 -A x.x.x.x results in 5901/tcp open ssl/vnc-1? |_ssl-date: TLS randomness does not represent time | fingerprint-strings: | GetRequest: | HTTP/1.1 503 ...
Kusanagi's user avatar
0 votes
1 answer

Is there a way to identify whether "filtered" state in nmap output caused by a network or host-based firewall?

Is there a way to identify whether "filtered" state for a specific port in nmap output is caused by a network firewall or host-based firewall?
Manjula's user avatar
  • 180
2 votes
1 answer

How do I find subnets on the network in order to scan them for hosts?

I'm new to Security and I'm doing INE's Penetration Testing Student Learning path. In the current lab, (Find the Secret Server) we have this setup: The exercise focuses on adding an entry to the ...
MiguelP's user avatar
  • 121
2 votes
1 answer

How to remotely check if SSL 3.0 is enabled on server?

I would like to remotely verify whether SSL 3.0 is running on several servers. Previously, this command: openssl s_client -connect -ssl3 Would have worked but now I am getting the ...
ramenrazumov's user avatar
0 votes
0 answers

Scan for open ports on subdomain

I am currently scanning for open ports on a subdomain. Say I have and, but this subdomain can only be reached at port 8443. How can I scan for other potential open ...
vargr616's user avatar
1 vote
1 answer

How to confirm what service is running on a port identified by nmap?

Probing with nmap returns BlackICE on a couple of ports however it seems to be a really old tool according to these manuals. Starting Nmap 7.80 ( ) at 2022-10-16 20:27 EDT Nmap scan ...
Dan's user avatar
  • 141
1 vote
1 answer

How can I port scan my p2p device?

I have a device and I am trying to port scan it. I did the basic nmap -A -p0- 192.168.0.x but I am just getting 0/tcp filtered unknown so I don't think it is working. The device works on p2p so I am ...
AskedSuperior's user avatar
1 vote
1 answer

Prevent Discovery of Port from NMAP scan using -Pn

Is there a way to prevent a port from being discovered by nmap? I found that port 1433 is still being flagged as "open" when using the following command: nmap <ip_add> -Pn -p1433 or ...
Lyght's user avatar
  • 11
0 votes
1 answer

Why did Nmap not yield results when scanning a friend's public IP address? [duplicate]

I am trying to learn more about Nmap but it seems like it can only really give any information if you're actually connected to the network you're scanning on. For example, a friend and I gave each ...
user283176's user avatar
0 votes
1 answer

What is the version of the scanned OS?

I've scanned a target with metasploit scanner/smb/smb_version and nmap -O. smb_version: Windows 2016 Standard (build:14393) Nmap: Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows What is ...
quality38's user avatar
0 votes
0 answers

Does fragrouter work with OpenVPN?

My goal is to evade IDS/IPS detection and scan the target with nmap. If the scan is detected, the target seems to stop responding for 10s. I think that IP Fragmentation Attack is exactly what I need. ...
ksenia pi's user avatar
1 vote
0 answers

SSLLabs' SSLTest vs. nmap ssl-enum-ciphers

Recently I conducted a SSL server test to assess the SSL configuration of my server. While the overall grade A+ was pretty good, it was found that the server supports several cipher suites that are ...
dpr's user avatar
  • 121
0 votes
1 answer

Nmap reports an open port as closed

I'm running an OpenVPN server and can use it normally; I know for a fact that the port is open. Running an Nmap scan on port 1194 (the one I'm using) says it is closed. What could be causing this ...
luisschwab's user avatar
1 vote
1 answer

The server acts as a database server, but there is no open port regarding that why?

I've taken a pen-testing course and for the final certificate, I have to analyze a server and make a report regarding the vulnerabilities. The server does multiple functionalities, it acts as a web ...
Kumar's user avatar
  • 41
0 votes
1 answer

How to interpret the output of nmap "vulners"

I am trying to judge the security of a web app and I have the sample output below from nmap. But I'm not really sure how to properly interpret it. Is it merely a printout of all the CVEs for this ...
Son of Sam's user avatar
0 votes
0 answers

Stealth scan or -PS

I want to find out how -PS works for service discovery very well when there are the stealth scan options such as -sS, available in nmap. I am currently testing and I know there is a ...
predatororc's user avatar
0 votes
1 answer

I am trying to exploit port 7000/tcp afs3-fileserver

I have been trying to exploit a cheap smart tv box that I have bought a while ago and after my nmap scan I found that port 7000/tcp was open but researching about the port gave back not much ...
M4trix's user avatar
  • 1
2 votes
0 answers

Check for allowed OpenVPN SSL/TLS cipher suites from the client-side

I would like to check cipher suites that the OpenVPN server accepts. I used nmap: nmap -sU --script ssl-enum-ciphers -p 1194 <IP> but the results are only: Host is up (0.0033s latency). PORT ...
user187205's user avatar
  • 1,353
0 votes
0 answers

nmap scanning Raspbian with strange results

I'm a high schooler in a CyberDefense Class and we are learning to PenTest. I'm on Red Team and my teacher set up a system with Raspbian as the OS. When I run a scan on the computer scanning the Top ...
Aaron908's user avatar
0 votes
0 answers

How to detect a firewall used

I was scanning a network with Nmap. I'm looking for advanced commands for detecting firewalls.
Imran Niaz's user avatar
6 votes
2 answers

How do you scan multiple subnets using Nmap?

I'm looking to scan a network with multiple subnets. I'm looking for a way to shorten this to one command rather than entering each subnet. So let's say I'm trying to scan 192.168.1.xx, 192.168.2.xx and ...
sketch54's user avatar
2 votes
1 answer

How are nmap arp pings implemented?

Nmap issues the raw ARP requests and handles retransmission and timeout periods at its own discretion The above is how nmap describes arp pings, but how is a layer 2 concept returned to the sender (...
Happy Jerry's user avatar
2 votes
0 answers

How to evaluate a responsive but unknown network protocol?

I am studying CREST CPSA where the syllabus is listed here. There is a part of the syllabus which states I should know the Evaluation of responsive but unknown network applications. I find this ...
questioner's user avatar
2 votes
0 answers

Windows XP SP3 2002 is not vulnerable to MS08-067

Why is my VM not vulnerable to MS08-067? There are similar questions on stack exchange, yes, but they fail to specify all relevant information and so none receive a meaningful, thoughtful nor thorough ...
HackingAndJiuJItsu's user avatar
1 vote
1 answer

Why when I nmap scan a machine I get the port 554 (RTSP) open?

I train on vulnerable boxes and during my recon phase, I use nmap to collect info on open ports. I use the command nmap -sS [IP|URL] and no matter the machine, I get the result that port 554 - RTSP ...
Jarthaul's user avatar
1 vote
1 answer

What are the drawbacks of a stealthy port scan?

I read that port scanning services like nmap will conduct a "TCP Connect Scan". They'll attempt to make a TCP connection to each of the ports within the range provided. But because each of ...
redpanda2236's user avatar
0 votes
1 answer

Nmap returns both, mysql and mariadb versions, how do I know which one is actually running?

I ran nmap scan and output included following line: 3306/tcp open mysql MySQL 5.5.5-10.3.25-MariaDB-0+deb10u1 How do I know which one is actually running, MySQL or MariaDB?
beardeadclown's user avatar
3 votes
3 answers

What is the value of port knocking when I have strict firewall rules

I have specifically allowed three external machines to SSH into my server. All other traffic will be dropped. Using nmap from another machine, I am unable to see my server's SSH port and it shows ...
Mervyn Heng's user avatar
0 votes
0 answers

How to configure Snort 3 to detect nmap's port scanning? [duplicate]

How to configure snort 3 to detect nmap's port scanning? For instance I want to know that an external machine A is looking with nmap for open ports on my machine B. Such a port scan can include all ...
Dawid's user avatar
  • 101
0 votes
1 answer

ncrack ssl option

There is the following option in ncrack (from the man page): Misc options: ssl: enable SSL over this service ssl (Enable/Disable SSL over service) By enabling SSL, Ncrack will try to open a TCP ...
secf00tprint's user avatar
2 votes
1 answer

difference between icmp ping scan and normal ping scan

I'm learning to use nmap on my kali linux and was testing out the various types of scans available in it. -sn is for ping scan which basically prevents nmap from scanning all the ports (and probably ...
weebHackr's user avatar
  • 123
0 votes
1 answer

Fingerprinting Cisco ASA Device

I have used Nessus to determine that a client's Cisco ASA is vulnerable to a Read-Only Path Traversal Vulnerability. So far I have tried viewing the logon portal page source code, nmap -sV -A <host&...
jh2014's user avatar
  • 3
1 vote
1 answer

Blocking nginx from nmap version detection [duplicate]

Is there an efficient way to hide nginx from Nmap's Version Detection scan (nmap -sV)? The following is a sample result, we are trying to hide the nginx (reverse proxy) string. PORT STATE SERVICE ...
jonathan's user avatar
2 votes
1 answer

does Nmap automatically use proxychains if configured?

I have configured my proxy chains in /etc/proxychains.conf. Then when just run nmap or even nc without the proxychains prefix, it automatically uses the proxy chains and routes the traffic through the ...
JackDVD's user avatar
  • 31
