$ nmap 192.168.1.1
You can replace the IP with the hostname if you want, as shown below.
$ nmap hostname
$ nmap 192.168.1.1 192.168.1.3 192.168.1.5
$ nmap hostname1 hostname2 hostname3
$ nmap 192.168.1.1,3,5
$ nmap 192.168.1.1-15
$ nmap 192.168.1.*
$ nmap 192.168.1.1/16
The input file for -iL takes one target specification per line, in any of the forms shown above. Write it with a single redirect (>) rather than appending, so repeated runs do not pile up duplicate targets:
$ printf '192.168.1.1-10\nlocalhost\n' > /tmp/hosts
$ cat /tmp/hosts
$ nmap -iL /tmp/hosts
The --exclude option removes specific hosts from a target range, and --excludefile reads the hosts to skip from a file, one target specification per line. The commands below demonstrate both.
$ nmap 192.168.1.1/24 --exclude 192.168.1.1,3,5
$ nmap -iL /tmp/hosts --excludefile /tmp/exclude
$ nmap -v 192.168.1.1
The -A flag turns on OS detection, version detection, default script scanning and traceroute in one go. The OS detection part sends raw packets and refuses to run without root privileges, so use sudo:
$ sudo nmap -A 192.168.1.1
$ sudo nmap -A -v 192.168.1.1
$ sudo nmap -v -A -iL /tmp/hosts
Any competent system administrator keeps networks behind firewalls, which can make an ordinary port scan return misleading results. The ACK scan (-sA) is the tool for mapping those firewall rules: it never labels a port open or closed, but a port that answers the unsolicited ACK with a RST is reported as unfiltered, while one that stays silent or returns an ICMP unreachable error is reported as filtered. Filtered results tell you that a stateful firewall sits in front of the host. ACK scans send raw packets, so they need root.
$ sudo nmap -sA 192.168.1.1
$ sudo nmap -v -sA 192.168.1.1
Nmap normally pings a host before scanning it and skips hosts that do not answer. -Pn disables that host discovery and treats every target as online, which is what you want when the target drops ICMP echo requests and the other default discovery probes:
$ nmap -Pn hostname
$ nmap -Pn 192.168.1.1
$ nmap -6 hostname
$ nmap -6 2001:0db8:85a3:0000:0000:8a2e:0370:7334
$ nmap -p 21,22,80,443 localhost
$ nmap -p 21,22,80,443 192.168.1.1
$ nmap -p 1-65535 localhost
UDP ports are only scanned when a UDP scan (-sU) is requested; a U: prefix in -p without -sU produces a warning and no UDP results. UDP scanning needs root:
$ sudo nmap -sU -p U:53,67,111 192.168.1.1
You can mix TCP and UDP port lists in one -p argument. A T: or U: prefix applies to every port until the next prefix, and both scan types have to be enabled for both lists to actually be scanned:
$ sudo nmap -sS -sU -p T:20-25,80,443,U:53,67,111 192.168.1.1
To scan every port from 1 through 65535, use -p-. The quoted wildcard -p "*" seen in some guides is a service-name pattern matched against nmap-services, so -p- is the unambiguous way to get the full range:
$ nmap -p- 192.168.1.1
$ nmap --top-ports 10 192.168.1.1
A ping sweep (-sn) runs host discovery only, with no port scan, which is the quickest way to list the live hosts on a subnet:
$ sudo nmap -sn 192.168.1.0/24
Scanning every port on many hosts takes a long time. Fast mode (-F) restricts each host to the 100 most common ports instead of the default 1000, which shortens the scan by roughly that factor.
$ nmap -F 192.168.1.0/24
$ nmap -F localhost
A port scan normally lists open, closed and filtered ports. The --open option limits the report to ports in the open state, plus the ambiguous open|filtered state that scan types such as UDP scans produce when Nmap cannot tell an open port from a firewalled one.
$ nmap --open 192.168.1.1
$ nmap --open localhost
Nmap can also tell you why it assigned a port its state. Add --reason and each port line gains a column such as syn-ack for open, reset for closed or no-response for filtered, which is the evidence behind the verdict. The next command demonstrates this in action.
$ nmap --reason localhost
$ nmap --reason 192.168.1.1
Knowing how the scanning machine is attached to the network matters to analysts and attackers alike. --iflist prints Nmap's view of your own host's interfaces and routing table without touching any target; it is useful for checking which interface and source address a scan will go out on. The next command shows this in action.
$ nmap --iflist
Nmap's timing templates are among its most useful knobs. -T takes a value from 0 (paranoid) to 5 (insane); -T3 is the default, -T4 is a sensible choice on a fast, reliable network, and -T5 trades accuracy for speed. The next command shows this in action.
$ nmap --top-ports 10 -T4 192.168.1.1
OS detection (-O) fingerprints the target's TCP/IP stack and needs root privileges because it sends raw packets:
$ sudo nmap -v -O localhost
$ sudo nmap -O 192.168.1.1/24
When there is no exact fingerprint match, --osscan-guess makes Nmap report its closest guesses with a confidence percentage instead of staying silent:
$ sudo nmap -O --osscan-guess 192.168.1.1/24
The following commands show how to detect service and version information with -sV. Attackers use this to check whether a host runs a version with known vulnerabilities; defenders should run it for the same reason.
$ nmap -sV 192.168.1.1/24
$ nmap -T5 -sV 192.168.1.1/24
Remote firewalls often block the ICMP echo requests that Nmap's default host discovery relies on. The TCP SYN ping (-PS) sends a SYN to the listed ports instead; either a SYN/ACK or a RST in reply proves the host is up. Sending raw SYNs needs root.
$ sudo nmap -PS20-25,80,110,443 192.168.1.1/24
The TCP ACK ping (-PA) works the same way with a bare ACK. A live host answers an unsolicited ACK with a RST whether the port is open or closed, so the reply reveals the host. Stateless firewalls that permit anything that looks like established traffic let the ACK through, whereas a stateful firewall drops it because no connection exists, which is why it pays to try both -PS and -PA.
$ sudo nmap -PA20-25,80,110,443 192.168.1.1/24
The TCP connect scan (-sT) uses the operating system's connect() call and completes the full handshake. It is the default when you lack root privileges, but it is also the noisiest scan type, since every connection shows up in the target's application logs:
$ nmap -sT 192.168.1.1/24
Sometimes you will come across hosts that do not speak the IP protocols you are probing with. The IP protocol scan (-sO) enumerates which protocol numbers (TCP, UDP, ICMP, IGMP and so on) the host responds to, using ICMP protocol-unreachable replies to mark the unsupported ones. It needs root.
$ sudo nmap -v -sO 192.168.1.1
The Null (-sN), FIN (-sF) and Xmas (-sX) scans send TCP packets with unusual flag combinations. A stack that follows RFC 793 replies with a RST for a closed port and stays silent for an open one, so open ports come back as open|filtered, and these probes slip past some stateless packet filters that only look for SYNs. Windows and several other stacks send a RST regardless of port state, so treat an all-closed result with suspicion. All three need root:
$ sudo nmap -sN 192.168.1.1
$ sudo nmap -sF 192.168.1.1
$ sudo nmap -sX 192.168.1.1
The SCTP COOKIE ECHO scan (-sZ) is quieter than the SCTP INIT scan: an open port silently drops the COOKIE ECHO chunk while a closed one answers with an ABORT, so open ports are reported as open|filtered. It is less obviously a port scan and gets past some stateless rules that block INIT chunks, but a decent IDS still detects it.
$ sudo nmap -sZ --top-ports 20 -T4 192.168.1.1/24
Also called the zombie scan, the idle scan (-sI) does not create anything on the network. It borrows an existing idle host whose IP ID counter increments predictably, spoofs probes to the target with that zombie's address, and reads the target's responses off the zombie's IP ID sequence, so the target only ever sees the zombie's IP. The zombie must be truly idle and have a predictable IP ID; Nmap's ipidseq script helps find one.
The first address is the zombie and the second is the target. Add -Pn so that Nmap's own host-discovery probes do not reach the target from your real address:
$ sudo nmap -Pn -sI 192.168.1.103 192.168.1.101
For hosts on the same Ethernet segment, the ARP ping (-PR) is the most reliable discovery method there is: a host must answer ARP to communicate at all, and host firewalls operate above that layer. Nmap already uses ARP requests by default for targets on a local LAN, so this flag mostly matters when you want to force it. ARP does not cross routers, so it is useless for remote networks.
$ sudo nmap -PR 192.168.1.1
$ sudo nmap --traceroute 192.168.1.1
By default, Nmap performs reverse DNS resolution on every host it finds online. That resolution slows scans down noticeably and sends a stream of PTR queries to your resolver. -n turns it off entirely; testers usually do so because they can get the hostname data from their client anyway. The opposite option, -R, forces resolution even for hosts that appear down.
$ nmap -n 192.168.1.1
Earlier we obtained version information for the OS and for services. Without version detection Nmap only prints the service name that nmap-services associates with the port number, which is a guess: nothing stops a host from running SSH on 443 or a web server on 22. Add -sV so that Nmap probes each open port and reports what is actually listening. (A capital -V on its own just prints Nmap's own version number.)
$ nmap -sV 192.168.1.1
We have shown how to detect the version of remote services with the standard -sV flag. The --version-intensity option controls how many probes Nmap is willing to send per port, from 0 (light) to 9 (try everything); the default is 7. Higher values find more obscure services at the cost of a slower scan:
$ nmap -sV --version-intensity 5 192.168.1.1
$ nmap -sV --version-intensity 1 192.168.1.1
Nmap can split its probes into fragmented IP packets. -f cuts each probe into 8-byte fragments, and --mtu lets you pick another fragment size, which must be a multiple of 8. Packet filters and IDS sensors that inspect packets without reassembling them can miss the fragmented probes, but most modern stateful devices do reassemble, so this is an evasion aid, not a guarantee. Both options need root.
$ sudo nmap -f 192.168.1.1
$ sudo nmap --mtu 16 192.168.1.1
Commercial networks usually sit behind well-tuned firewalls that flag remote port scans quickly, which is a problem for auditors as much as for intruders. Decoy scanning (-D) interleaves your probes with identical probes spoofed from the decoy addresses, so the target's logs show several apparent sources and cannot tell which one is the real scanner. Your own address still sends real probes, the decoys should be live hosts (otherwise the target may get SYN-flooded), and -D RND:5 picks random decoys for you. Decoys require raw packets, hence root.
$ sudo nmap --top-ports 10 -D10.1.1.2,10.1.1.4,10.1.1.6 192.168.1.1
The Nmap Scripting Engine (NSE) ships with a large library of scripts. -sC runs the default category, a curated set chosen for usefulness and low intrusiveness (it is not the same as the safe category). Combined with -sV it enriches the version scan:
$ nmap -sV -sC 192.168.1.1
You can list the NSE scripts installed on your system with locate '*.nse' (quote the pattern so the shell does not expand it); on most Linux systems they live under /usr/share/nmap/scripts. Scripts are written in Lua, and you can write your own. The next command runs a single script, whois-ip, which looks up the target's address in the regional registries' whois databases:
$ nmap --script=whois-ip.nse scanme.nmap.org
The http-enum script probes each web server it finds with a long list of requests for common files and directories from its fingerprint database, which reveals which well-known applications and administrative interfaces are present. Those requests go to the target and will show up in its web logs.
$ nmap -n --script=http-enum.nse 192.168.1.1
The http-title script fetches the title of the page served at the root of each web server, a cheap way to learn what a web host is serving without opening a browser. Check out the command below to see this in action.
$ nmap --script=http-title 192.168.1.1
NSE scripts are grouped into categories by purpose, such as auth, brute, default, discovery, exploit, safe and vuln. You can ask Nmap to run every script in one or more categories, as shown below.
$ nmap --script discovery,brute 192.168.1.1
$ nmap --script "ssh*" 192.168.1.1
Script selection also accepts boolean expressions built with and, or and not, and you can point --script at a directory to run every script in it. The commands below show some examples.
$ nmap --script "not vuln" 192.168.1.1
$ nmap --script "default or broadcast" 192.168.1.1
$ nmap --script /path/to/scripts 192.168.1.1
With so many bundled and custom scripts it is hard to remember what each one does. Thankfully, --script-help prints a script's built-in documentation and accepts the same selection syntax as --script, including wildcards and boolean expressions:
$ nmap --script-help "ssh-*"
$ nmap --script-help "ssh-* and discovery"
Because Nmap options combine freely, the number of useful commands is practically unlimited. The section below collects some that come up often.
Heartbleed (CVE-2014-0160), the memory disclosure bug in OpenSSL's TLS heartbeat handling, remains a favourite first check for attackers and auditors alike. The ssl-heartbleed script tests whether the TLS service on the given port is affected:
$ nmap -sV -p 443 --script=ssl-heartbleed 192.168.1.1
Looking up IP information is one of the first things an attacker does when sizing up a target: whois records, geolocation, the owning autonomous system, and so on. The next command uses Nmap for this reconnaissance. The lookups go to third-party services rather than the target, so add -sn to skip the port scan if the target itself is to be left untouched; ip-geolocation-maxmind also needs a MaxMind database on the local system.
$ nmap -sn --script=whois*,ip-geolocation-maxmind,asn-query 192.168.1.1
Nmap's default output is readable enough, but you will usually want to keep a record of a scan for later. Saving it is easy, as the examples below show: -oN writes the normal output to a file, and a plain shell redirect does much the same thing less robustly.
$ nmap -oN scan-report -n 192.168.1.1
$ nmap -n 192.168.1.1 > scan-report
Several Nmap options write the results in machine-friendly formats. -oX produces XML, the format Nmap recommends for programmatic parsing; -oG produces the older one-line-per-host grepable format; and -oA writes all three (.nmap, .xml and .gnmap) using the given basename.
$ nmap -oX scan-report.xml -n 192.168.1.1
$ nmap -oG scan-report -n 192.168.1.1
$ nmap -oA scan-report -n 192.168.1.1
Nikto is a web server scanner that looks for dangerous files, misconfigured CGI scripts, outdated server software and similar issues. It can read Nmap's grepable output from standard input, so the following pipeline hands the scan results straight to Nikto.
$ nmap --top-ports 10 192.168.1.1/24 -oG - | /path/of/nikto.pl -h -
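Parsing grepable output yourself is the natural next step once you pipe it into other tools. The functions below, an added example that is not part of the original article, take -oG text on standard input and extract the live hosts, the open ports and the host:port pairs a web scanner such as Nikto would want. The -oG capture emitted by sample_og is constructed for the demonstration, not real scan output.

```sh
#!/bin/sh
# Added example: parse Nmap grepable (-oG) output in POSIX sh + awk.
# Nothing here runs nmap; sample_og emits a constructed -oG capture.

# Constructed -oG output. Each live host gets a "Status" line and a "Ports"
# line; fields are tab-separated and each port entry has seven '/'-delimited
# columns: port/state/proto/owner/service/rpcinfo/version/
sample_og() {
  printf '%s\n' '# Nmap 7.94 scan initiated as: nmap -sV --top-ports 10 -oG - 192.168.1.0/24'
  printf 'Host: 192.168.1.1 ()\tStatus: Up\n'
  printf 'Host: 192.168.1.1 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 80/open/tcp//http//nginx/, 443/filtered/tcp//https///\tIgnored State: closed (7)\n'
  printf 'Host: 192.168.1.3 (printer.lan)\tStatus: Up\n'
  printf 'Host: 192.168.1.3 (printer.lan)\tPorts: 9100/open/tcp//jetdirect///, 8080/open/tcp//http-proxy///\tIgnored State: closed (8)\n'
  printf 'Host: 192.168.1.5 ()\tStatus: Down\n'
  printf '%s\n' '# Nmap done -- 256 IP addresses (2 hosts up) scanned in 10.00 seconds'
}

# Hosts that answered host discovery, one address per line.
live_hosts() {
  awk -F'\t' '$2 == "Status: Up" { split($1, h, " "); print h[2] }'
}

# "host port proto service version" for every port reported as open.
# Ports in the open|filtered state (UDP, FIN/Null/Xmas scans) are deliberately
# left out; change the comparison on f[2] if you want the ambiguous ones too.
open_ports() {
  awk -F'\t' '
    /^#/ { next }
    {
      split($1, h, " "); host = h[2]
      for (i = 2; i <= NF; i++) {
        if (index($i, "Ports: ") != 1) continue
        n = split(substr($i, 8), entry, ", ")
        for (j = 1; j <= n; j++) {
          split(entry[j], f, "/")
          if (f[2] == "open")
            printf "%s %s %s %s %s\n", host, f[1], f[3], f[5], (f[7] == "" ? "-" : f[7])
        }
      }
    }'
}

# host:port pairs worth handing to a web scanner: anything whose service name
# starts with "http" plus the conventional web ports.
http_targets() {
  open_ports | awk '$4 ~ /^http/ || $2 == 80 || $2 == 443 || $2 == 8080 { print $1 ":" $2 }'
}

# Stand-alone demo on the constructed capture; in practice pipe a real scan in:
#   nmap --top-ports 100 -oG - 192.168.1.0/24 | http_targets
sample_og | open_ports
```

The split on ", " is exactly why Nmap's documentation steers serious parsing toward the XML output: a version string that itself contains a comma and a space would break the port list apart. For quick one-liners over -oG this is fine; for anything that feeds another tool automatically, parse -oX instead.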
Banner grabbing is a widely used information-gathering technique: the banner a service sends on connect often names the software and its version. The command below collects the banners of open ports across a network with the banner NSE script.
$ nmap --script=banner 192.168.1.1/24
Nmap has grown a great deal over time, and beginners cannot be expected to remember every option. Luckily, the built-in help and the manual page document all of them.
$ nmap --help
$ man nmap