50 NMAP Commands on Linux and Windows
50 NMAP Commands on Linux and Windows
Nmap or Network Mapper is the best reconnaissance tool used by modern penetration testers. This open-source application has evolved since its inception and is proving to be a game-changer in network security. Nmap is widely used to find important information from a single network. There are many Nmap commands that can be used. This application is also available for Linux, Windows, and MAC operating systems.
Malicious users also heavily exploit Nmap to determine unauthorized network entry points. Plus, a huge library of pre-built scripts makes Nmap more powerful than ever.
You can easily find problems on external networks by just doing some simple Nmap scans. It has very complete documentation, so you don't have to memorize different Nmap commands all at once. You can easily find information from the manual if you know what function you are looking for. Plus, a pre-built set of powerful NSE scripts helps automate common tasks.
NMAP Commands Commands
Basic Nmap Commands
Because Nmap offers a large combination of commands, it is important to master the basic commands first. We'll show you how to perform a simple network scan using Nmap in the following sections.
1. Scan for Single Hosts
Host is any machine connected to a particular network. Nmap allows network administrators to scan hosts by their IP address or hostname easily. The command below scans 1000 common ports and lists all open ports, their status and services.
You can replace the IP with the hostname if you wish, as shown below.
2. Scan for Multiple Hosts
Scanning multiple hosts at once is also very easy with Nmap. You can do this by simply entering the IP or hostname one by one. The example below shows this for you guys.
$nmap 192.168.1.1 192.168.1.3 192.168.1.4
$ nmap hostname1 hostname2 hostname3
Nmap also provides a handy way of doing this.
3. Scan IP Address Range
You can also scan multiple IP addresses at once. Here's an example of the command
This command will scan the first fifteen hosts of the subnetwork. Many people also use wildcards for this purpose. Adding a wildcard to your search will check every available host.
$nmap 192.168.1. *
To scan the entire subnet, use the command below.
4. Read Hosts From File And Scan
Nmap can read host addresses from files and then scan them for port information. First, create a file containing multiple hosts, as shown.
$ echo -e "192.168.1.1-10 \nlocalhost" >> /tmp/hosts
$ cat /tmp/hosts
Now hosts should contain two lines consisting of localhost and the given IP range. Use the following command to read this using Nmap.
$ nmap -iL /tmp/hosts
5. Exclude Hosts From Nmap Scan
The –exclude option allows the user to exclude certain hosts from a given IP range. You can use the –excludefile option to exclude hosts from the file. Here's an example of the command.
$ nmap 192.168.1.1/24 --exclude 192.168.1.1,3,5
$ nmap -iL /tmp/hosts --excludefile /tmp/exclude
Here, the file /tmp/exclude contains hosts that the user is not interested in.
6. Improve Verbosity Scan
The default search provides very limited information. Nmap offers the -v option to add extra verbosity to your searches. When used, this flag forces Nmap to output additional information about your search.
$ nmap -v 192.168.1.1
Simply adding this flag increases the output information by a considerable margin.
7. Detect OS Information
Nmap is a great choice for many people for remote OS detection. The -A flag tells Nmap to find and display OS information about the host you are testing.
$ nmap -A 192.168.1.1
$ nmap -A -v 192.168.1.1
So, you can add the -v flag to get additional information about your search results. This is a great way to master Nmap commands for beginners. The command below shows you how to detect the OS information for the hosts contained in the file.
$ nmap -v -A -iL /tmp/hosts
8. Get Firewall Information From Host
Any network administrator trying to keep the network behind a firewall. This can provide irrelevant information to Nmap's search potential. However, you can easily find out if a host is protected by a firewall using the following command.
$ nmap -sA 192.168.1.1
$ nmap -v -sA 192.168.1.1
If you are a novice Nmap user, we recommend that you use the verbose v flag. This will help you understand how Nmap works in more detail.
9. Scan Firewall Protected Hosts
Hosts protected by external firewalls tend to feed unnecessary information to remote scanners like Nmap. If you find that your interests are being protected in such a way, use the command below.
$ nmap -PN hostname
$nmap -PN 192.168.1.1
The IP address above represents the wireless router on the network. You can search for any host by IP or hostname.
10. Scan for IPv6 Hosts
Although still not common, IPv6 addresses are still in use and will become the standard representation of remote hosts in the near future. Nmap already supports IPv6 scanning. The following command shows you how to do it.
$ nmap -6 hostnames
$ nmap --6 2001:0db8:85a3:0000:0000:8a2e:0370:7334
The hexadecimal representation shows the host in the second example. You can add additional flags to improve the quality of your Nmap search results.
Nmap Commands For Network Administrators
Nmap offers a number of useful commands and scripts for network administrators, ethical hackers, and penetration testers. We cover some common but important commands in the sections below.
11. Scan Host For Specific Port
Nmap allows network administrators to check hosts for only certain ports. The command below will show an example.
$ nmap -p 21,22,80,443 localhost
$ nmap -p 21,22,80,443 192.168.1.1
You can also define port ranges, as shown below.
$ nmap -p 1-65535 localhost
This command will scan your localhost network for all common ports.
12. Additional Port Scan Methods
Nmap can find and check all types of ports. The following example shows how to scan UDP ports, use wildcards, etc. To perform a UDP port scan, use the following command.
$ nmap -p U:53, 67, 111 192.168.1.1
To scan TCP and UDP ports, use the following syntax.
$ nmap -p -T: 20-25,80,443 U: 53, 67, 111 192.168.1.1
The next one scans the port using wildcards. It will scan all available port configurations for a given host.
$ nmap -p "*" 192.168.1.1
The following Nmap command scans only the 10 most common ports.
$ nmap --top-ports 10 192.168.1.1
13. Host List Without Port Scan
Because port scanning a host is annoying, many network administrators don't directly scan their hosts for ports. Instead they use Nmap to send a simple ping to get a list of available hosts on the network. Malicious attackers also take advantage of such methods in an attempt to remain invisible.
$ sudo nmap -sn 192.168.1.0/24
You need the sudo command for root access to get the most out of this command. In addition Nmap will not be able to send TCP ACK requests and may miss potential hosts.
14. Perform a Quick Scan of Hosts
If you use Nmap to scan random hosts and ports, it will take a while. Instead, you can use fast mode where Nmap searches only the most common ports and increases scan time by several factors.
$ nmap -F 192.168.1.0/24
$ nmap -F localhost
The –F flag means to change Nmap to fast mode.
15. Shows Only Open Ports
Ports Nmap scans a list of all open ports and is filtered for a host. You can restrict output to only hosts that have open ports. However, this command also prints possible open ports that may be filtered by external applications.
$ nmap --open 192.168.1.1
$ nmap --open localhost
16. Show Why Ports Are In Certain States
Nmap allows users to investigate why certain ports are in certain states. You have to use the –reason option to get such a result. Here is an example of the command.
$ nmap --reason localhost
$ nmap --reason 192.168.1.1
The above command will show the reason behind the current state of the port. This information is very helpful in debugging and allows experts to better visualize their target ports.
17. Display Network Interfaces And Routes
Understanding network configuration is very important for security analysts and malicious users. Both want how potential hosts connect with the worldwide web. You can use Nmap to easily outline the interfaces and routes of selected hosts. Here is an example of using the command.
The command above will display routes and interfaces with information such as device name, IP, gateway, and so on.
18. Set Time Settings
One of Nmap's most useful features is its powerful timing parameter. You can easily control the amount of time each Nmap scan takes using the -T option. Here's an example of its use.
$ nmap --top-ports 10 -T4 192.168.1.1
This command will take much less time to complete when compared to the standard syntax. You can change the -T value from 0 to 5, where 5 indicates the most aggressive scan and 0 the most friendly. Aggressive timing parameters can cause Nmap to crash the host being scanned. The default Nmap scan uses -T3.
19. Enable OS Detect
Even though we have shown you how to get OS specific information using the -A option, there is another way to do this. The -O flag enables OS detection for the host or range of hosts.
$ nmap -v -O localhost
$ nmap -O 192.168.1.1/24
This Nmap command may fail to recognize some OS, especially if they are protected using a firewall. The following example shows you how to use aggressive OS detection to solve this.
$ nmap -O --osscan-guess 192.168.1.1/24
20. Service Detection And Version Information
The following commands show how you can use Nmap to detect service and version information. Malicious users usually use this to check whether the host is running a vulnerable service or not.
$ nmap -sV 192.168.1.1/24
Adding -sV enables Nmap version detection. This provides much of the same information that you previously obtained using the -A option. Since this command scans all available hosts for the 192.168.1.1/24 subnet, it may take longer. The next example speeds up this process using the -T option mentioned earlier.
$ nmap -T5 -sV 192.168.1.1/24
21. Scan Hosts Using TCP SYN
Often you will find your system's remote firewall blocking the standard ICMP pings sent by your usual Nmap port scan. You can use TCP SYN scan to get out of this situation.
$ sudo nmap -PS20-25,80.110.443 192.168.1.1/24
The command above allows Nmap to find if a host is up and scan its ports without completing standard TCP communication.
22. Scan Hosts Using TCP ACK
The TCP ACK method works almost like the command above. However, they work very well for discovering the whereabouts of even the most protected remote hosts. Because TCP ACK packets send data that is acknowledged over the TCP connection that has been established, the remote host needs to tell them its location.
$ sudo nmap -PA20-25,80.110.443 192.168.1.1/24
Both of the above commands allow the user to specify the port just like with -p. However, neither -PS nor -PA space after them. So be aware of this, otherwise your search will not bring up any valid information.
23. Get Fingerprints OS
OS fingerprinting refers to the passive collection of remote host information during network communication. Nmap allows network administrators to do this, as shown below. This is useful for cloaking your scanning presence from a remote system's firewall but still getting relevant OS information.
$ nmap -sT 192.168.1.1/24
The connection scheme above is known as a TCP connection scan in Nmap.
24. Scan Using IP Protocol
Sometimes you may find hosts that don't allow the IP protocol you are sending on. You can solve this problem by specifying what IP protocols are allowed by the host by using the command below.
$ nmap -v -sO 192.168.1.1
Once you've got the supported protocols, you can use the appropriate Nmap command to scan for these hosts.
25. Scan for Weaknesses in the Firewall / IDS
It's very common for testers to find firewalls or intrusion detection systems rejecting Nmap scanning attempts. Fortunately, the powerful Nmap command allows users to solve this problem by providing them with firewall information. The command below will show this for you guys.
$ nmap -sN 192.168.1.1
$ nmap -sF 192.168.1.1
$ nmap -sX 192.168.1.1
The first command sends the TCP flag zero, the second sets the FIN bit, and the last sets the FIN, PSH, and URG bits. They trick non-stateful firewalls into providing information about port state.
Nmap Commands For Ethical Hackers
Ethical hackers are professionals who look for potential vulnerabilities, including network vulnerabilities in IT infrastructure. They use a combination of powerful Nmap options to get things done fast. The next section shows some such commands.
26. Scan Remote Hosts Using SCTP
SCTP scanning is a stealthy but useful scanning technique favored by testers for its effectiveness. Only highly configured IDS systems can detect such scans.
$ sudo nmap -sZ --top-ports 20 -T4 192.168.1.1/24
The command above scans the top 20 common ports for the specified subnet. You can omit the -T or time parameter if you want it to be more stealthy and have no problem waiting a few more minutes.
27. Scan for Remote Hosts Using Idle Scan
This is usually known as a Zombie host scan, this type of scan actually creates a Zombie host on the network and scans for other hosts than that host.
$ sudo nmap -sI 192.168.1.103 192.168.1.101
In the command above, 192.168.1.103 is the Zombie host, and 192.168.1.101 is the remote target machine.
28. Scan Remote Hosts Using ARP PING
This is the best Nmap command for finding remote hosts as of now. Since no firewall can block ARP requests, this is a useful technique for experienced network testers.
$ sudo nmap -PR 192.168.1.1
However, you must have access to localhost if you want to use this command. But that shouldn't be a problem for professional penetration testers.
29. Define Route To Remote Host
If you are an experienced network administrator, chances are you have worked with traceroute before. This is an interesting UNIX tool that maps routes to target machines in a network. The command below shows how you can use traceroute from Nmap.
$ sudo nmap --traceroute 192.168.1.1
This command will display the HOP distance and time to reach the destination.
30. Disable Reverse DNS Resolution for All Hosts
By default, Nmap performs Reverse DNS Resolution for hosts that are only found online. However, they degrade Nmap's performance by a considerable factor. Ethical hackers usually turn it off for all hosts because they can legally obtain DNS information from their clients.
$ nmap -n 192.168.1.1
This will significantly increase your search speed. Usually people use this instead of -T to maintain search speed while still maintaining anonymity.
31. Retrieve Version Information
Previously, we obtained version information for the OS and other services. The problem is that most of the time Nmap shows the default service associated with the port. This can cause problems for testers because hosts may use other services than the default service for some ports.
$ nmap -V 192.168.1.1
This command will display lots of relevant information like platform, compilation tool, and so on.
32. Control Version Detection
We have shown you how to detect remote service version information using the standard -sV flag. The following command shows how to control version detection using similar Nmap commands.
$ nmap -sV --version-intensity 5 192.168.1.1
It performs very aggressive version detection and will likely alert remote hosts. You can decrease the value of the –version-intensity option to increase anonymity. However, this will limit version detection. The next command displays a light banner retrieved from the specified host.
$ nmap -sV --version-intensity 1 192.168.1.1
33. Scan Hosts Using IP Fragments
Nmap allows network administrators to scan remote hosts through the use of fragmented IP packets. It basically breaks the IP packet into smaller parts and makes it difficult to detect through external IDS/firewalls.
$ sudo nmap -f 192.168.1.1
Users can also set a personalized offset using the –mtu option, as shown below.
$ sudo nmap --mtu 16 192.168.1.1
34. Use decoy IP addresses
Since most commercial systems are protected by highly configured firewalls, they often detect remote port scans very quickly. This is problematic for security auditors and intrusive system breaker. Nmap allows users to use decoy IPs to cloak their identities for this purpose.
$ nmap --top-ports 10 -D10.1.1.2, 10.1.1.4, 10.1.1.6 192.168.1.1
Let's assume your IP is the second (10.1.1.4), and you scan 192.168.1.1. Now the remote host will know about the scan but not be sure about its origin.
Nmap Scripting Engine (NSE)
The Nmap Scripting Engine (NSE) is a powerful tool that allows users to leverage a large number of powerful scripts to perform effective reconnaissance. The following section shows some of the common Nmap commands that make use of NSE scripts.
35. Use Default Safe Scripts
NSE comes pre-loaded with a large number of secure scripts that do their job very well. The command below uses the default safe scripts for version detection.
$ nmap -sV -sC 192.168.1.1
Usually, scanning with an NSE script rather than the standard option will yield more accurate information. The command above executes the default version detection script for Nmap.
36. Use Custom NSE Scripts
You can find all the NSE scripts available on your system using the $ loc * .nse command. These scripts are written using Lua and allow users to create personalized scripts that you want. Subsequent commands use a specific NSE script called whois-ip.
$ nmap --script=whois-ip.nse scanme.nmap.org
You can simply replace the hostname with your target's IP to get the relevant whois information. Note that the .nse extension is optional.
37. Scan Common Files/Directories
You should know that http-enum.nse is an NSE script that sends more than 2000 requests for common files and directories. You can use this script to get important information about whether some known service exists on a remote server or not.
$ nmap -n --script = http-enum.nse 192.168.1.1
This command will try to get important service information using the script.
38. Get HTTP Page Title
You can use Nmap's http-title script to get the title of the remote web page. This can be very helpful in inferring the contents of a remote server. Here's an example of its use.
$ nmap -n --script=http-enum.nse 192.168.1.1
This command will retrieve and display the HTTP header.
39. Use Multiple Script Categories
By default, NSE scripts are categorized based on their use, such as brute, discovery, exploit, and vuln. You can instruct Nmap to use all scripts that fall into several categories, as shown below.
$ nmap --script discovery,brute 192.168.1.1
The above command will take advantage of all NSE scripts that fall into the discovery and brute categories. So, it will try to find available hosts and try to brute force them.
40. Use Wildcards For Script Selection
Nmap allows you to use the wildcard character “*” to select all scripts that match some criteria. The following command will take advantage of all ssh-started scripts.
$ nmap --script "ssh *" 192.168.1.1
You can add additional options to these types of Nmap commands for greater flexibility.
41. Use Boolean Expressions For Script Options
Nmap allows users to select their NSE scripts using boolean expressions such as and, or, not. The commands below will show some examples.
$ nmap --script "not vuln" 192.168.1.1
$ nmap --script "default or broadcast" 192.168.1.1
$ nmap --script /path/to/scripts 192.168.1.1
The first example loads all NSE scripts except vuln. The second command loads the script from the default or broadcast category. The last example loads a script from a directory. You can write personalized NSE scripts and load them this way.
42. Get Script Documentation
Because Nmap offers many default and custom scripts, it's difficult to remember details about them. Fortunately, Nmap offers excellent documentation for its NSE scripts. The command below will show you how to do it.
$ nmap --script-help "ssh- *"
$ nmap --script-help "ssh- *" and "discovery"
The first example shows help for all scripts starting with ssh- and the second shows the discovery script alongside ssh-ones.
Other Nmap Commands
Since Nmap commands allow users to combine a number of options, you can easily create an endless number of commands. Here are some frequently used commands.
43. Check for Heartbleed Vulnerabilities
The Heartbleed SSL vulnerability is a well-known attack to initiate malicious attackers. The next command checks whether a host contains this vulnerability using the NSE heartbleed script.
$ nmap -sV -p 443 --script=ssl-heartbleed 192.168.1.1
The output of this command can help network administrators to check for outdated SSL services and patch them before intrusion attempts.
44. Retrieve IP Information
Digging up IP information is one of the first tasks a remote attacker performs when probing a target. Some important IP information including whois data, geolocation, etc. The following commands describe using Nmap in passive reconnaissance.
$ nmap --script=whois*,ip-geolocation-maxmind,asn-query 192.168.1.1
This command finds out information about the remote host's whois entries, geolocations, and asn requests using ready-made NSE scripts.
45. Save the Nmap Output
Although Nmap's default output format is often required. If you want to save your scan results for later use. It's very easy, as you can see from the example below.
$ nmap -oN scan-report -n 192.168.1.1
$ nmap -n 192.168.1.1> scan-report
The first example scans the remote host and saves the output to a file called scan-report in the current directory. You can also do this using the Unix redirect operator, as the second example shows.
46. ??Additional Output Formats
There are already several Nmap commands that allow users to format their output more easily. The examples below show some that are important to you.
$ nmap -oX scan-report.xml -n 192.168.1.1
$ nmap -oG scan-report -n 192.168.1.1
$ nmap -oA scan-report -n 192.168.1.1
The former saves the scan results as an XML file. The second example saves the result in a format that grep can easily access. The last example tells Nmap to save results in all formats.
47. Scan for DDoS Reflective UDP Services
Often attackers take advantage of UDP-based DDoS attacks to bring down remote targets. The following Nmap command scans the target network for such DDoS reflective services and provides tips on how to block them.
$ nmap –sU –A –PN –n –pU:19,53,161 –script=snmp-sysdescr,dns-recursion,ntp-monlist 192.168.1.1
Even though it looks complicated, it's just a command with a few options and a script.
48. Send Nmap Scan Feed Results To Nikto
Nikto is a vulnerability scanner used to detect malicious files, misconfigured CGIs, legacy servers and so on. The following command returns Nmap scan results to Nikto.
$ nmap --top-ports 10 192.168.1.1/24 -oG - | /path/of/nikto.pl -h -
Now Nikto will use your Nmap results to perform its own scan.
49. Get Banners Using NSE Script
Banner capture is a widely used information gathering technique that reveals open port service information on a remote host. The command below retrieves the network banner using the NSE banner script.
$ nmap --script=banner 192.168.1.1/24
50. Consult the Nmap Documentation
Since most of Nmap has evolved over time, it can be quite difficult to remember all of its functions for a beginner. Fortunately, the Nmap documentation provides excellent information to help start users with this problem.
$ man nmap
The first command will give you all the options available for Nmap. You can consult the manual if looking for detailed information using the latter.
So those are some NMAP commands. Actually the Nmap command is much more powerful than many people think. Experienced users can easily find vulnerable web servers and related information with just a few commands.
Hackers rely on that information to devise exploits and compromise remote hosts. So it is important for network administrators to know these things and fix such problems for their infrastructure.
So many articles 50 NMAP commands on Linux and Windows. Look forward to other interesting articles and don't forget to share this article with your friends. Thank you…
Post a Comment