Nmap Commands and Examples

Nmap (Network Mapper) is an open-source and very versatile tool for Linux system and network administrators. Nmap is used for exploring networks, performing security scans and network audits, and finding open ports on remote machines. It scans for live hosts, operating systems, packet filters and open ports running on remote hosts. Nmap was named "Security Product of the Year" by Linux Journal, Info World, LinuxQuestions.Org, and Codetalker Digest. Here are examples of Nmap commands:

1. Scan a System with Hostname and IP Address
Scan using hostname:
nmap host-name-here
$ nmap server1.nmaptutorial.com

Scan using IP address:
nmap IP-address-here
$ nmap 172.16.6.152

2. Scan a whole Subnet
Scan a whole subnet or IP range with Nmap by using the * wildcard in place of an octet.
$ nmap 172.16.6.*

3. Scan Multiple Servers using the last octet of the IP address
Perform scans on multiple IP addresses by specifying only the last octets, separated by commas. For example, here a scan is performed on 172.16.6.152, 172.16.6.153 and 172.16.6.154, written as 172.16.6.152,153,154. Listing the full addresses separated by spaces gives the same result.
$ nmap 172.16.6.152,153,154
$ nmap 172.16.6.152 172.16.6.153 172.16.6.154

4. Scan an IP Address Range
You can specify an IP range while scanning with Nmap, for example 172.16.6.152-160 (last octet from 152 to 160 inclusive).
$ nmap 172.16.6.152-160

5. Scan Network Excluding Remote Hosts
You can exclude some hosts from a full network scan, or from a wildcard scan, with the "--exclude" option (use "--excludefile" to read the exclusions from a file).
$ nmap 172.16.6.* --exclude 172.16.6.100
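The wildcard, comma-list and range forms in sections 2 to 5 all follow one rule: every octet of the target may be a single number, a comma list, a range or *. The following Python script is an added example written for this page, not Nmap's own code; it expands those target specifications (plus the CIDR form used later on the page) exactly the way a scanner must, and applies an --exclude list, so that a defender can count and review the hosts a scan will touch before running it. Function and variable names are this example's own.

```python
import ipaddress
import itertools

# Characters that may appear in a numeric Nmap-style IPv4 target spec
# (digits, dots, comma lists, ranges and the * wildcard); anything else
# is treated as a hostname and passed through unexpanded.
_NUMERIC_SPEC_CHARS = set("0123456789.,-*")


def expand_octet(spec):
    """Expand one octet of a target spec: '152', '152-160', '152,153,154' or '*'.

    Nmap allows any octet (not only the last one) to carry a comma list, a
    range, or the * wildcard; a range with a missing end means 0 or 255.
    """
    values = []
    for part in spec.split(","):
        if part == "*":
            values.extend(range(256))
        elif "-" in part:
            lo, hi = part.split("-", 1)
            lo = int(lo) if lo else 0
            hi = int(hi) if hi else 255
            if not 0 <= lo <= hi <= 255:
                raise ValueError(f"bad octet range: {part!r}")
            values.extend(range(lo, hi + 1))
        else:
            n = int(part)
            if not 0 <= n <= 255:
                raise ValueError(f"bad octet value: {part!r}")
            values.append(n)
    return values


def expand_target(spec):
    """Expand a single target argument into a list of address strings."""
    if "/" in spec:
        # CIDR form such as 172.16.6.152/24: like Nmap, include every address
        # in the block (network and broadcast addresses included).
        return [str(a) for a in ipaddress.ip_network(spec, strict=False)]
    octets = spec.split(".")
    if len(octets) != 4 or not set(spec) <= _NUMERIC_SPEC_CHARS:
        return [spec]  # hostname: left for DNS resolution at scan time
    per_octet = [expand_octet(o) for o in octets]
    return [".".join(map(str, combo)) for combo in itertools.product(*per_octet)]


def expand_targets(specs, exclude=()):
    """Expand several target args and apply --exclude style exclusions,
    preserving order and dropping duplicates."""
    excluded = set()
    for spec in exclude:
        excluded.update(expand_target(spec))
    seen, result = set(), []
    for spec in specs:
        for target in expand_target(spec):
            if target not in excluded and target not in seen:
                seen.add(target)
                result.append(target)
    return result


if __name__ == "__main__":
    # Constructed inputs mirroring the page's examples.
    for args, excl in [
        (["172.16.6.152,153,154"], []),
        (["172.16.6.152-160"], []),
        (["172.16.6.*"], ["172.16.6.100"]),
    ]:
        hosts = expand_targets(args, excl)
        print(f"{' '.join(args)} exclude={excl or '-'}: "
              f"{len(hosts)} hosts, first {hosts[0]}, last {hosts[-1]}")
```

Checking the expanded host count against the change ticket or asset inventory before a scan is a cheap way to catch a stray wildcard that would sweep a much larger range than intended.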

6. Scan OS information and Traceroute
With Nmap, you can detect which OS and version is running on the remote host. To enable OS and version detection, script scanning and traceroute in one run, use the "-A" option (OS detection sends raw packets, so run it as root or with sudo).
$ nmap -A 172.16.6.152

7. Enable OS Detection with Nmap
$ nmap -O server2.nmaptutorial.com

8. Scan a Host to Detect Firewall
The ACK scan (-sA) never reports a port as open; it only distinguishes filtered from unfiltered ports, which is what makes it useful for mapping firewall rules.
$ nmap -sA 172.16.6.152

9. Scan a Host to check if it is protected by a Firewall
-PN skips host discovery, so a host that drops ping probes is still port-scanned instead of being reported as down. Current Nmap releases spell this option -Pn (-PN is kept as an alias).
$ nmap -PN 172.16.6.152

10. Find out Live hosts in a Network
-sP is a ping scan: host discovery only, with no port scan. Newer releases call it -sn, with -sP kept as an alias.
$ nmap -sP 172.16.6.*

11. Perform a Fast Scan
-F scans only the 100 most common ports instead of the default 1000.
$ nmap -F 172.16.6.152

12. Find Nmap version
$ nmap -V

13. Scan Ports Consecutively
-r scans ports in sequential order instead of Nmap's default randomized order.
$ nmap -r 172.16.6.152

14. Print Host interfaces and Routes
$ nmap --iflist

15. Scan for specific Port
$ nmap -p 80 server2.nmaptutorial.com

16. Scan a TCP Port
$ nmap -p T:8888,80 server2.nmaptutorial.com

17. Scan a UDP Port
-sU (UDP scans): UDP scan is activated with the -sU option. It can be combined with a TCP scan type such as SYN scan (-sS) to check both protocols during the same run. UDP scan works by sending a UDP packet to every targeted port. For some common ports such as 53 and 161, a protocol-specific payload is sent to increase the response rate, but for most ports the packet is empty unless the --data, --data-string, or --data-length options are specified. Because closed UDP ports answer with an ICMP port unreachable while open ones often stay silent, many UDP ports come back as open|filtered; adding -sV helps resolve them.
$ nmap -sU -p 53 server2.nmaptutorial.com

18. Scan Multiple Ports
$ nmap -p 80,443 172.16.6.152

19. Scan a Port Range
$ nmap -p 80-160 172.16.6.152

20. Find Host Services version Numbers
Version detection (-sV) can be used to help differentiate the truly open ports from the filtered ones.
$ nmap -sV 172.16.6.152

21. Scan remote hosts using TCP ACK (-PA) and TCP SYN (-PS) ping probes
-PS and -PA are host discovery options: they send a TCP SYN or ACK probe (to port 80 by default) to decide whether a host is up before it is port-scanned. Note that -p selects the ports to scan, not the probe port; to change the probe ports, append them to the option, as in -PS22,80.
$ nmap -PS 172.16.6.152

22. Scan Remote host for specific ports with TCP ACK
$ nmap -PA -p 22,80 172.16.6.152

23. Scan Remote host for specific ports with TCP SYN
$ nmap -PS -p 22,80 172.16.6.152

24. Perform a stealthy Scan
-sS (TCP SYN scan): SYN scan is the default and most popular scan option for good reasons. It can be performed quickly, scanning thousands of ports per second on a fast network not hampered by restrictive firewalls. It is also relatively unobtrusive and stealthy since it never completes TCP connections. SYN scan works against any compliant TCP stack rather than depending on idiosyncrasies of specific platforms as Nmap's FIN/NULL/Xmas, Maimon and idle scans do. It also allows clear, reliable differentiation between the open, closed, and filtered states. It requires raw packet privileges, so it is the default only when Nmap runs as root.
$ nmap -sS 172.16.6.152

25. Check most commonly used Ports with TCP connect scan
-sT (TCP connect scan): TCP connect scan is the default TCP scan type when SYN scan is not an option. This is the case when a user does not have raw packet privileges. Instead of writing raw packets as most other scan types do, Nmap asks the underlying operating system to establish a connection with the target machine and port by issuing the connect system call. This is the same high-level system call that web browsers, P2P clients, and most other network-enabled applications use to establish a connection. It is part of a programming interface known as the Berkeley Sockets API. Rather than read raw packet responses off the wire, Nmap uses this API to obtain status information on each connection attempt.
$ nmap -sT 172.16.6.152

26. Perform a TCP Null scan to fool a firewall
Null scan (-sN): does not set any bits (the TCP flags header is 0).
$ nmap -sN 172.16.6.152

27. Scan targets from a text file
$ nmap -iL list-of-ips.txt

28. Scan all 65535 ports
$ nmap -p- 172.168.6.152

29. IP Address information
$ nmap --script=asn-query,whois,ip-geolocation-maxmind 172.16.6.152/24

30. Detect Heartbleed SSL Vulnerability
$ nmap -sV -p 443 --script=ssl-heartbleed 172.16.6.152/24

31. HTTP Service Information
Gather page titles from HTTP services: $ nmap --script=http-title 172.16.6.152/24
Get HTTP headers of web services: $ nmap --script=http-headers 172.16.6.152/24
Find web apps from known paths: $ nmap --script=http-enum 172.16.6.152/24

32. A scan to search for DDoS reflection UDP services
Scan for UDP DDoS reflectors: $ nmap -sU -A -PN -n -pU:19,53,123,161 --script=ntp-monlist,dns-recursion,snmp-sysdescr 172.16.6.152/24

33. Nmap Output Formats
Save default output to file: $ nmap -oN outputfile.txt 172.16.6.152
Save results as XML: $ nmap -oX outputfile.xml 172.16.6.152
Save results in a format for grep: $ nmap -oG outputfile.txt 172.16.6.152
Save in all formats: $ nmap -oA outputfile 172.16.6.152
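The XML format (-oX) is the one to feed into other tooling, because it carries per-port state, reason and service fields in a stable structure. The script below is an added example for this page, not part of Nmap: it parses a small constructed -oX document (labelled as such; not real scan data) with Python's standard library, separates confirmed open ports from the open|filtered answers a UDP scan produces, and compares the open ports against an approved baseline so that a defender can spot services that should not be listening. The PortResult type, the function names and the baseline are this example's own.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed sample of Nmap's -oX output (not real scan data): three hosts
# from the tutorial's 172.16.6.0/24 range with a mix of port states.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -sU -p T:22,80,443,U:161 -oX out.xml 172.16.6.152-154" start="0" version="7.94">
<host><status state="up" reason="syn-ack"/>
<address addr="172.16.6.152" addrtype="ipv4"/>
<hostnames><hostname name="server1.nmaptutorial.com" type="PTR"/></hostnames>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh" product="OpenSSH" version="8.9p1"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http" product="nginx"/></port>
<port protocol="tcp" portid="443"><state state="filtered" reason="no-response"/><service name="https"/></port>
</ports>
</host>
<host><status state="up" reason="echo-reply"/>
<address addr="172.16.6.153" addrtype="ipv4"/>
<hostnames/>
<ports>
<port protocol="udp" portid="161"><state state="open|filtered" reason="no-response"/><service name="snmp"/></port>
</ports>
</host>
<host><status state="down" reason="no-response"/>
<address addr="172.16.6.154" addrtype="ipv4"/>
</host>
<runstats><finished time="0" elapsed="1.0"/><hosts up="2" down="1" total="3"/></runstats>
</nmaprun>
"""


@dataclass(frozen=True)
class PortResult:
    host: str
    hostname: str
    protocol: str
    port: int
    state: str
    service: str
    product: str


def parse_nmap_xml(xml_text):
    """Return one PortResult per scanned port on every host that was up."""
    root = ET.fromstring(xml_text)
    results = []
    for host in root.findall("host"):
        status = host.find("status")
        if status is not None and status.get("state") != "up":
            continue  # down hosts carry no <ports> section worth reading
        addr = host.find("address[@addrtype='ipv4']")
        ip = addr.get("addr") if addr is not None else ""
        name = host.find("hostnames/hostname")
        hostname = name.get("name") if name is not None else ""
        for port in host.findall("ports/port"):
            state = port.find("state")
            service = port.find("service")
            results.append(PortResult(
                host=ip,
                hostname=hostname,
                protocol=port.get("protocol"),
                port=int(port.get("portid")),
                state=state.get("state") if state is not None else "unknown",
                service=service.get("name", "") if service is not None else "",
                product=service.get("product", "") if service is not None else "",
            ))
    return results


def open_ports(results, include_possibly_open=False):
    """Keep confirmed open ports; optionally also open|filtered (the usual
    UDP ambiguity when a port never answers)."""
    if include_possibly_open:
        return [r for r in results if "open" in r.state]
    return [r for r in results if r.state == "open"]


def unexpected_services(results, baseline):
    """Open (host, protocol, port) triples that are not in the approved baseline."""
    return {(r.host, r.protocol, r.port) for r in open_ports(results)} - set(baseline)


def hosts_up(xml_text):
    """Read the up/total host counts from <runstats>."""
    stats = ET.fromstring(xml_text).find("runstats/hosts")
    return int(stats.get("up")), int(stats.get("total"))


if __name__ == "__main__":
    results = parse_nmap_xml(SAMPLE_XML)
    for r in open_ports(results, include_possibly_open=True):
        print(f"{r.host:15} {r.protocol}/{r.port:<5} {r.state:14} {r.service} {r.product}".rstrip())
    baseline = {("172.16.6.152", "tcp", 22)}  # constructed approved-services list
    print("unexpected:", sorted(unexpected_services(results, baseline)))
```

Keeping the baseline in version control and running this comparison after each scheduled scan turns the raw port list into an actionable diff: anything in the "unexpected" set is either a new approved service that needs adding to the baseline or a listener that should not be there.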

34. NSE Scripts
Scan using default safe scripts: $ nmap -sV -sC 192.168.1.1
Get help for a script: $ nmap --script-help=ssl-heartbleed
Scan using a specific NSE script: $ nmap -sV -p 443 --script=ssl-heartbleed.nse 192.168.1.1
Scan with a set of scripts (quote the pattern so the shell does not expand the *): $ nmap -sV --script="smb*" 192.168.1.1
