Scanning profiles are a combination of Nmap options and arguments that can be used to save time when launching Nmap scans.
This recipe is about adding, editing, and deleting a scanning profile in Zenmap.
Let's add a new profile for scanning web servers:
- Launch Zenmap.
- Click on Profile on the main toolbar.
- Click on New Profile or Command (Ctrl + P). The Profile Editor will be launched.
- Enter a profile name and a description on the Profile tab.
- Enable Version detection and select TCP connect scan (-sT) in the Scan tab.
- Enable Don't ping before scanning (-Pn) in the Ping tab.
- Enable the following scripts on the Scripting tab:
  hostmap-ip2hosts
  http-apache-negotiation
  http-apache-server
  http-auth-finder
  http-backup-finder
  http-config-backup
  http-cors
  http-cross-domain-policy
  http-csrf
  http-default-accounts
  http-devframework
  http-dombased-xss
  http-enum
  http-exif-spider
  http-favicon
  http-git
  http-headers
  http-iis-short-name-brute
  http-methods
  http-mobileversion-checker
  http-ntlm-info
  http-open-proxy
  http-open-redirect
  http-trace
  http-php-version
  http-phpself-xss
  http-robots.txt
  http-server-header
  http-shellshock
  http-svn-info
  http-title
- Next, go to the Target tab, click on Ports to scan (-p), and enter 80,443.
- Save your changes by clicking on Save Changes.
Your new scanning profile should be available on the Profile drop-down menu.
After using the editor to create our profile, we are left with the following Nmap command:
$ nmap -sT -sV -p 80,443 -T4 -v -Pn --script hostmap-ip2hosts,http-apache-negotiation,http-apache-server-status,http-auth-finder,http-backup-finder,http-config-backup,http-cors,http-cross-domain-policy,http-csrf,http-default-accounts,http-devframework,http-dombased-xss,http-exif-spider,http-git,http-headers,http-iis-short-name-brute,http-methods,http-ntlm-info,http-open-proxy,http-open-redirect,http-phpself-xss,http-robots.txt,http-server-header,http-shellshock,http-svn-info,http-title,http-waf-detect <target>
Using the Profile wizard, we have enabled service scanning (-sV), set the scanning ports to 80 and 443, configured the ping options (-Pn), and selected a bunch of HTTP-related scripts to gather as much information as possible from the web server. We now have this command saved for our scanning activities against new targets in the future.
Customizing scan profiles can be done through the user interface. Default scanning profiles can be used as templates when creating new ones. Let's review how we work with the scanning profiles.
The predefined Zenmap scanning profiles help newcomers familiarize themselves with Nmap. I recommend that you analyze them to understand the scanning techniques available in Nmap, along with some useful combinations of its options:
- Intense scan: nmap -T4 -A -v
- Intense scan plus UDP: nmap -sS -sU -T4 -A -v
- Intense scan, all TCP ports: nmap -p 1-65535 -T4 -A -v
- Intense scan, no ping: nmap -T4 -A -v -Pn
- Ping scan: nmap -sn
- Quick scan: nmap -T4 -F
- Quick scan plus: nmap -sV -T4 -O -F --version-light
- Quick traceroute: nmap -sn --traceroute
- Regular scan: nmap
- Slow comprehensive scan: nmap -sS -sU -T4 -A -v -PE -PP -PS80,443 -PA3389 -PU40125 -PY -g 53 --script default or discovery and safe
Note
You can find more scanning profiles at https://github.com/cldrn/rainmap-lite/wiki/Scanning-profiles.
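Saved profiles are run again and again against new targets, so it is worth being able to review them outside the GUI. As an added example (not code from this recipe or from Zenmap), the Python script below loads an INI-style profile file, parses each profile's Nmap command line the way the editor writes it (the comma-separated --script list of the web server profile as well as the space-separated `default or discovery and safe` expression of the Slow comprehensive scan profile), and flags scripts outside an approved set and profiles that run with -Pn. The scan_profile.usp layout with `command` and `description` keys is an assumption, the approved-script set is constructed, and the sample profile text is constructed for the demonstration.

```python
"""Parse and review Zenmap scan profiles before they are shared or reused.

Added example, not code from the Nmap cookbook or from Zenmap itself.
Assumption: Zenmap stores profiles in an INI-style file (scan_profile.usp)
where each [Profile name] section carries a `command` and a `description`;
the sample text below is constructed to follow that layout.
"""
import configparser
import shlex

# Constructed sample profile file (hypothetical contents, not a real user's file).
SAMPLE_PROFILES = """\
[Web servers]
command = nmap -sT -sV -p 80,443 -T4 -v -Pn --script http-title,http-headers,http-iis-short-name-brute
description = HTTP information gathering on ports 80 and 443

[Slow comprehensive scan]
command = nmap -sS -sU -T4 -A -v -PE -PP -PS80,443 -PA3389 -PU40125 -PY -g 53 --script default or discovery and safe
description = Predefined Zenmap profile
"""

# Scripts this team has reviewed and approved for routine profiles (constructed allow-list).
APPROVED_SCRIPTS = {"http-title", "http-headers", "http-server-header", "http-robots.txt"}

SCAN_TYPE_FLAGS = {"-sS", "-sT", "-sU", "-sn"}
BOOLEAN_WORDS = {"or", "and"}   # binary operators of an unquoted --script expression


def load_profiles(text):
    """Return {profile name: {"command": ..., "description": ...}} from INI text."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return {
        name: {
            "command": cp[name].get("command", ""),
            "description": cp[name].get("description", ""),
        }
        for name in cp.sections()
    }


def parse_nmap_command(command):
    """Extract the fields a reviewer checks: scan types, ports, -Pn, -sV and --script."""
    argv = shlex.split(command)
    info = {"scan_types": [], "ports": [], "skip_ping": False,
            "version_detection": False, "scripts": []}
    i = 0
    while i < len(argv):
        arg = argv[i]
        if arg == "-p" and i + 1 < len(argv):            # -p 80,443
            info["ports"] = argv[i + 1].split(",")
            i += 1
        elif arg.startswith("-p") and len(arg) > 2:      # -p80,443 (no space)
            info["ports"] = arg[2:].split(",")
        elif arg == "--script" and i + 1 < len(argv):
            expr = argv[i + 1]
            i += 1
            # An unquoted expression such as `default or discovery and safe`
            # arrives as several tokens; stitch "<expr> <op> <term>" back together.
            while i + 2 < len(argv) and argv[i + 1] in BOOLEAN_WORDS:
                expr += " " + argv[i + 1] + " " + argv[i + 2]
                i += 2
            if any(f" {w} " in expr for w in BOOLEAN_WORDS):
                info["scripts"] = [expr]                 # keep the expression whole
            else:
                info["scripts"] = expr.split(",")        # plain comma-separated list
        elif arg == "-Pn":
            info["skip_ping"] = True
        elif arg in ("-sV", "-A"):                       # -A implies version detection
            info["version_detection"] = True
        elif arg in SCAN_TYPE_FLAGS:
            info["scan_types"].append(arg)
        i += 1
    return info


def audit_profile(name, profile):
    """Return review findings (strings) for one profile; an empty list means nothing to flag."""
    info = parse_nmap_command(profile["command"])
    findings = []
    unapproved = [s for s in info["scripts"] if s not in APPROVED_SCRIPTS]
    if unapproved:
        findings.append(f"{name}: scripts outside the approved set: {', '.join(unapproved)}")
    if info["skip_ping"]:
        findings.append(f"{name}: -Pn set, so every listed host is probed even if it never answers a ping")
    if not info["ports"] and "-sn" not in info["scan_types"]:
        findings.append(f"{name}: no -p given, so Nmap falls back to its default port list")
    return findings


if __name__ == "__main__":
    for profile_name, profile in load_profiles(SAMPLE_PROFILES).items():
        print(profile_name, "->", profile["command"])
        for finding in audit_profile(profile_name, profile):
            print("  !", finding)
```

Point `load_profiles` at the contents of your own profile file instead of the constructed sample to review a real set; the parser only recognises the handful of options a profile review cares about, so anything else on the command line is left alone.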
To edit or delete a scan profile, you need to select the entry you wish to modify from the Profile drop-down menu. Click on Profile on the main toolbar and select Edit Selected Profile (Ctrl + E).
The editor will be launched, allowing you to edit or delete the selected profile.