Nmap Commands and Examples

Nmap, aka Network Mapper, is an open source and very versatile tool for Linux system and network administrators. Nmap is used for exploring networks, performing security scans and network audits, and finding open ports on remote machines. It scans for live hosts, operating systems, packet filters and open ports running on remote hosts. Nmap was named “Security Product of the Year” by Linux Journal, Info World, LinuxQuestions.Org, and Codetalker Digest. Here are examples of Nmap commands.

1. Scan a System with Hostname and IP Address
Scan using Hostname
nmap host-name-here
$nmap server1.nmaptutorial.com

Scan using IP Address
nmap IP-address-here

2. Scan a whole Subnet
Scan a whole subnet or IP range with Nmap by providing the * wildcard.
$nmap 172.16.6.*

3. Scan Multiple Servers using last octet of IP address
Perform scans on multiple IP addresses by simply specifying the last octet of each address, separated by commas. For example, here I am performing a scan on the IP addresses ending in 153 and 154.

4. Scan an IP Address Range
You can specify an IP range while performing a scan with Nmap, for example:

5. Scan Network Excluding Remote Hosts
You can exclude some hosts while performing a full network scan, or when you are scanning with wildcards, using the “--exclude” option.
$nmap 172.16.6.* --exclude

6. Scan OS information and Traceroute
With Nmap, you can detect which OS and version is running on the remote host. To enable OS and version detection, script scanning and traceroute together, use the “-A” option with Nmap.
$nmap -A

7. Enable OS Detection with Nmap
$nmap -O server2.nmaptutorial.com

8. Scan a Host to Detect Firewall
$nmap -sA

9. Scan a Host to check if it is protected by a Firewall
$nmap -PN

10. Find out Live hosts in a Network
$nmap -sP 172.16.6.*

11. Perform a Fast Scan
$nmap -F

12. Find Nmap version
$nmap -V

13. Scan Ports Consecutively
$nmap -r

14. Print Host interfaces and Routes
$nmap --iflist

15. Scan for specific Port
$nmap -p 80 server2.nmaptutorial.com

16. Scan a TCP Port
$nmap -p T:8888,80 server2.nmaptutorial.com

17. Scan a UDP Port
-sU (UDP scans): UDP scan is activated with the -sU option. It can be combined with a TCP scan type such as SYN scan (-sS) to check both protocols during the same run. UDP scan works by sending a UDP packet to every targeted port. For some common ports such as 53 and 161, a protocol-specific payload is sent to increase the response rate, but for most ports the packet is empty unless the --data, --data-string, or --data-length options are specified. The port is given with -p; without it, a bare number would be treated as a target host.
$nmap -sU -p 53 server2.nmaptutorial.com

18. Scan Multiple Ports
$nmap -p 80,443

19. Scan Ports by Network Range
$nmap -p 80-160

20. Find Host Services version Numbers
Version detection (-sV) can be used to help differentiate the truly open ports from the filtered ones.
$nmap -sV

21. Scan remote hosts using TCP ACK (PA) and TCP Syn (PS)
$nmap -PS

22. Scan Remote host for specific ports with TCP ACK
$nmap -PA -p 22,80

23. Scan Remote host for specific ports with TCP Syn
$nmap -PS -p 22,80

24. Perform a stealthy Scan
-sS (TCP SYN scan): SYN scan is the default and most popular scan option for good reasons. It can be performed quickly, scanning thousands of ports per second on a fast network not hampered by restrictive firewalls. It is also relatively unobtrusive and stealthy since it never completes TCP connections. SYN scan works against any compliant TCP stack rather than depending on idiosyncrasies of specific platforms as Nmap’s FIN/NULL/Xmas, Maimon and idle scans do. It also allows clear, reliable differentiation between the open, closed, and filtered states.
$nmap -sS

25. Check most commonly used Ports with TCP Syn
-sT (TCP connect scan): TCP connect scan is the default TCP scan type when SYN scan is not an option. This is the case when a user does not have raw packet privileges. Instead of writing raw packets as most other scan types do, Nmap asks the underlying operating system to establish a connection with the target machine and port by issuing the connect system call. This is the same high-level system call that web browsers, P2P clients, and most other network-enabled applications use to establish a connection. It is part of a programming interface known as the Berkeley Sockets API. Rather than read raw packet responses off the wire, Nmap uses this API to obtain status information on each connection attempt.
$nmap -sT

26. Perform a TCP Null scan to fool a firewall
Null scan (-sN): does not set any bits (the TCP flag header is 0).
$nmap -sN

27. Scan targets from a text file
$nmap -iL list-of-ips.txt

28. Scan all 65535 ports
$nmap -p-

29. IP Address information
$nmap --script=asn-query,whois,ip-geolocation-maxmind

30. Detect Heartbleed SSL Vulnerability
$nmap -sV -p 443 --script=ssl-heartbleed

31. HTTP Service Information
Gather page titles from HTTP services: $nmap --script=http-title
Get HTTP headers of web services: $nmap --script=http-headers
Find web apps from known paths: $nmap --script=http-enum

32. A scan to search for DDOS reflection UDP services
Scan for UDP DDOS reflectors: $nmap -sU -A -PN -n -pU:19,53,123,161 --script=ntp-monlist,dns-recursion,snmp-sysdescr

33. Nmap Output Formats
Save default output to file: $nmap -oN outputfile.txt
Save results as XML: $nmap -oX outputfile.xml
Save results in a format for grep: $nmap -oG outputfile.txt
Save in all formats: $nmap -oA outputfile
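As an added example (not code from the original post), a small Python parser for the grepable (-oG) format above, fed a constructed sample of what such a file contains; it also flags open ports missing from a per-host allowlist, which is how a defender would use a recurring scan to catch services that were not supposed to be exposed.

```python
import re

# Constructed sample of Nmap -oG output (fields on a Host line are tab-separated).
# Each port entry is port/state/proto/owner/service/rpc/version/.
SAMPLE_OG = """\
# Nmap 7.94 scan initiated Mon Jan  1 10:00:00 2024 as: nmap -sV -sU -sS -oG scan.gnmap 172.16.6.10
Host: 172.16.6.10 (server2.nmaptutorial.com)\tStatus: Up
Host: 172.16.6.10 (server2.nmaptutorial.com)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/open/tcp//http//nginx 1.18.0/, 443/filtered/tcp//https///, 53/open|filtered/udp//domain///\tIgnored State: closed (996)
# Nmap done at Mon Jan  1 10:00:05 2024 -- 1 IP address (1 host up) scanned in 5.00 seconds
"""

PORT_FIELDS = ("port", "state", "proto", "owner", "service", "rpc", "version")


def parse_gnmap(text):
    """Return {ip: {"hostname": str, "status": str, "ports": [dict, ...]}}."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # '# Nmap ...' header/footer lines carry no host data
        # Split "Key: value" pairs once per tab-separated field; a version string
        # containing ": " is safe because only the first occurrence is split.
        fields = dict(f.split(": ", 1) for f in line.split("\t"))
        m = re.match(r"(\S+)\s*\(([^)]*)\)", fields["Host"])
        ip, hostname = m.group(1), m.group(2)
        entry = hosts.setdefault(ip, {"hostname": hostname, "status": None, "ports": []})
        if "Status" in fields:
            entry["status"] = fields["Status"]
        for item in fields.get("Ports", "").split(", "):
            if not item.strip():
                continue
            rec = dict(zip(PORT_FIELDS, item.strip().split("/")))
            rec["port"] = int(rec["port"])
            entry["ports"].append(rec)
    return hosts


def open_services(hosts):
    """Flatten to (ip, port, proto, service, version) for ports in the exact 'open' state."""
    return [(ip, p["port"], p["proto"], p["service"], p["version"])
            for ip, h in hosts.items() for p in h["ports"] if p["state"] == "open"]


def unexpected_open_ports(hosts, allowed):
    """allowed maps ip -> {(port, proto), ...}; returns open ports not in that allowlist."""
    result = {}
    for ip, port, proto, _, _ in open_services(hosts):
        if (port, proto) not in allowed.get(ip, set()):
            result.setdefault(ip, []).append((port, proto))
    return result
```

Ports reported as open|filtered (typical for UDP) are deliberately left out of the open list, since that state only means no reply was seen.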

34. NSE Scripts
Scan using default safe scripts : $nmap -sV -sC
Get help for a script: $nmap --script-help=ssl-heartbleed
Scan using a specific NSE script: $nmap -sV -p 443 --script=ssl-heartbleed.nse
Scan with a set of scripts: $nmap -sV --script=smb*
