29 Useful Commands in Nmap (Plus a Bonus)

#1: Scan a single host or an IP address (IPv4)

### Scan a single ip address###nmap 192.168.1.1 ## Scan a host name###nmap server1.cyberciti.biz ## Scan a host name with more info###nmap -v server1.cyberciti.biz

Fig.01: nmap output

#2: Scan multiple IP address or subnet (IPv4)

nmap 192.168.1.1 192.168.1.2 192.168.1.3## works with same subnet i.e. 192.168.1.0/24nmap 192.168.1.1,2,3

nmap 192.168.1.1-20

nmap 192.168.1.*

nmap 192.168.1.0/24

#3: Read list of hosts/networks from a file (IPv4)

cat > /tmp/test.txt

server1.cyberciti.biz192.168.1.0/24192.168.1.1/2410.1.2.3localhost

nmap -iL /tmp/test.txt

#4: Excluding hosts/networks (IPv4)

nmap 192.168.1.0/24 --exclude 192.168.1.5nmap 192.168.1.0/24 --exclude 192.168.1.5,192.168.1.254

nmap -iL /tmp/scanlist.txt --excludefile /tmp/exclude.txt

#5: Turn on OS and version detection scanning script (IPv4)

nmap -A 192.168.1.254nmap -v -A 192.168.1.1nmap -A -iL /tmp/scanlist.txt

#6: Find out if a host/network is protected by a firewall

nmap -sA 192.168.1.254nmap -sA server1.cyberciti.biz

#7: Scan a host when protected by the firewall

nmap -PN 192.168.1.1nmap -PN server1.cyberciti.biz

#8: Scan an IPv6 host/address

nmap -6 IPv6-Address-Herenmap -6 server1.cyberciti.biznmap -6 2607:f0d0:1002:51::4nmap -v A -6 2607:f0d0:1002:51::4

#9: Scan a network and find out which servers and devices are up and running

nmap -sP 192.168.1.0/24

Host 192.168.1.1 is up (0.00035s latency).MAC Address: BC:AE:C5:C3:16:93 (Unknown)Host 192.168.1.2 is up (0.0038s latency).MAC Address: 74:44:01:40:57:FB (Unknown)Host 192.168.1.5 is up.Host nas03 (192.168.1.12) is up (0.0091s latency).MAC Address: 00:11:32:11:15:FC (Synology Incorporated)Nmap done: 256 IP addresses (4 hosts up) scanned in 2.80 second

#10: How do I perform a fast scan?

nmap -F 192.168.1.1

#11: Display the reason a port is in a particular state

nmap --reason 192.168.1.1nmap --reason server1.cyberciti.biz

#12: Only show open (or possibly open) ports

nmap --open 192.168.1.1nmap --open server1.cyberciti.biz

#13: Show all packets sent and received

nmap --packet-trace 192.168.1.1nmap --packet-trace server1.cyberciti.biz

14#: Show host interfaces and routes

nmap --iflist

Starting Nmap 5.00 ( http://nmap.org ) at 2012-11-27 02:01 IST************************INTERFACES************************DEV    (SHORT)  IP/MASK          TYPE        UP MAClo     (lo)     127.0.0.1/8      loopback    upeth0   (eth0)   192.168.1.5/24   ethernet    up B8:AC:6F:65:31:E5vmnet1 (vmnet1) 192.168.121.1/24 ethernet    up 00:50:56:C0:00:01vmnet8 (vmnet8) 192.168.179.1/24 ethernet    up 00:50:56:C0:00:08ppp0   (ppp0)   10.1.19.69/32    point2point up **************************ROUTES**************************DST/MASK         DEV    GATEWAY10.0.31.178/32   ppp0209.133.67.35/32 eth0   192.168.1.2192.168.1.0/0    eth0192.168.121.0/0  vmnet1192.168.179.0/0  vmnet8169.254.0.0/0    eth010.0.0.0/0       ppp00.0.0.0/0        eth0   192.168.1.2

#15: How do I scan specific ports?

nmap -p [port] hostName## Scan port 80nmap -p 80 192.168.1.1 ## Scan TCP port 80nmap -p T:80 192.168.1.1 ## Scan UDP port 53nmap -p U:53 192.168.1.1 ## Scan two ports##nmap -p 80,443 192.168.1.1 ## Scan port ranges##nmap -p 80-200 192.168.1.1 ## Combine all options##nmap -p U:53,111,137,T:21-25,80,139,8080 192.168.1.1nmap -p U:53,111,137,T:21-25,80,139,8080 server1.cyberciti.biznmap -v -sU -sT -p U:53,111,137,T:21-25,80,139,8080 192.168.1.254 ## Scan all ports with * wildcard##nmap -p "*" 192.168.1.1 ## Scan top ports i.e. scan $number most common ports##nmap --top-ports 5 192.168.1.1nmap --top-ports 10 192.168.1.1

Starting Nmap 5.00 ( http://nmap.org ) at 2012-11-27 01:23 ISTInteresting ports on 192.168.1.1:PORT     STATE  SERVICE21/tcp   closed ftp22/tcp   open   ssh23/tcp   closed telnet25/tcp   closed smtp80/tcp   open   http110/tcp  closed pop3139/tcp  closed netbios-ssn443/tcp  closed https445/tcp  closed microsoft-ds3389/tcp closed ms-term-servMAC Address: BC:AE:C5:C3:16:93 (Unknown) Nmap done: 1 IP address (1 host up) scanned in 0.51 seconds

#16: The fastest way to scan all your devices/computers for open ports ever

nmap -T5 192.168.1.0/24

#17: How do I detect remote operating system?

nmap -O 192.168.1.1nmap -O  --osscan-guess 192.168.1.1nmap -v -O --osscan-guess 192.168.1.1

Starting Nmap 5.00 ( http://nmap.org ) at 2012-11-27 01:29 ISTNSE: Loaded 0 scripts for scanning.Initiating ARP Ping Scan at 01:29Scanning 192.168.1.1 [1 port]Completed ARP Ping Scan at 01:29, 0.01s elapsed (1 total hosts)Initiating Parallel DNS resolution of 1 host. at 01:29Completed Parallel DNS resolution of 1 host. at 01:29, 0.22s elapsedInitiating SYN Stealth Scan at 01:29Scanning 192.168.1.1 [1000 ports]Discovered open port 80/tcp on 192.168.1.1Discovered open port 22/tcp on 192.168.1.1Completed SYN Stealth Scan at 01:29, 0.16s elapsed (1000 total ports)Initiating OS detection (try#1) against 192.168.1.1Retrying OS detection (try#2) against 192.168.1.1Retrying OS detection (try#3) against 192.168.1.1Retrying OS detection (try#4) against 192.168.1.1Retrying OS detection (try#5) against 192.168.1.1Host 192.168.1.1 is up (0.00049s latency).Interesting ports on 192.168.1.1:Not shown: 998 closed portsPORT   STATE SERVICE22/tcp open  ssh80/tcp open  httpMAC Address: BC:AE:C5:C3:16:93 (Unknown)Device type: WAP|general purpose|router|printer|broadband routerRunning (JUST GUESSING) : Linksys Linux 2.4.X (95%), Linux 2.4.X|2.6.X (94%), MikroTik RouterOS 3.X (92%), Lexmark embedded (90%), Enterasys embedded (89%), D-Link Linux 2.4.X (89%), Netgear Linux 2.4.X (89%)Aggressive OS guesses: OpenWrt White Russian 0.9 (Linux 2.4.30) (95%), OpenWrt 0.9 - 7.09 (Linux 2.4.30 - 2.4.34) (94%), OpenWrt Kamikaze 7.09 (Linux 2.6.22) (94%), Linux 2.4.21 - 2.4.31 (likely embedded) (92%), Linux 2.6.15 - 2.6.23 (embedded) (92%), Linux 2.6.15 - 2.6.24 (92%), MikroTik RouterOS 3.0beta5 (92%), MikroTik RouterOS 3.17 (92%), Linux 2.6.24 (91%), Linux 2.6.22 (90%)No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).TCP/IP fingerprint:OS:SCAN(V=5.00%D=11/27%OT=22%CT=1%CU=30609%PV=Y%DS=1%G=Y%M=BCAEC5%TM=50B3CAOS:4B%P=x86_64-unknown-linux-gnu)SEQ(SP=C8%GCD=1%ISR=CB%TI=Z%CI=Z%II=I%TS=7OS:)OPS(O1=M2300ST11NW2%O2=M2300ST11NW2%O3=M2300NNT11NW2%O4=M2300ST11NW2%O5OS:=M2300ST11NW2%O6=M2300ST11)WIN(W1=45E8%W2=45E8%W3=45E8%W4=45E8%W5=45E8%WOS:6=45E8)ECN(R=Y%DF=Y%T=40%W=4600%O=M2300NNSNW2%CC=N%Q=)T1(R=Y%DF=Y%T=40%SOS:=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%ROS:D=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=OS:0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=N)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RIDOS:=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)Uptime guess: 12.990 days (since Wed Nov 14 01:44:40 2012)Network Distance: 1 hopTCP Sequence Prediction: Difficulty=200 (Good luck!)IP ID Sequence Generation: All zerosRead data files from: /usr/share/nmapOS detection performed. Please report any incorrect results at http://nmap.org/submit/ .Nmap done: 1 IP address (1 host up) scanned in 12.38 seconds           Raw packets sent: 1126 (53.832KB) | Rcvd: 1066 (46.100KB)

#18: How do I detect remote services (server / daemon) version numbers?

nmap -sV 192.168.1.1

Starting Nmap 5.00 ( http://nmap.org ) at 2012-11-27 01:34 ISTInteresting ports on 192.168.1.1:Not shown: 998 closed portsPORT   STATE SERVICE VERSION22/tcp open  ssh     Dropbear sshd 0.52 (protocol 2.0)80/tcp open  http?1 service unrecognized despite returning data.

#19: Scan a host using TCP ACK (PA) and TCP Syn (PS) ping

nmap -PS 192.168.1.1nmap -PS 80,21,443 192.168.1.1nmap -PA 192.168.1.1nmap -PA 80,21,200-512 192.168.1.1

#20: Scan a host using IP protocol ping

nmap -PO 192.168.1.1

#21: Scan a host using UDP ping

nmap -PU 192.168.1.1nmap -PU 2000.2001 192.168.1.1

#22: Find out the most commonly used TCP ports using TCP SYN Scan

### Stealthy scan###nmap -sS 192.168.1.1 ### Find out the most commonly used TCP ports using  TCP connect scan (warning: no stealth scan)###  OS Fingerprinting###nmap -sT 192.168.1.1 ### Find out the most commonly used TCP ports using TCP ACK scannmap -sA 192.168.1.1 ### Find out the most commonly used TCP ports using TCP Window scannmap -sW 192.168.1.1 ### Find out the most commonly used TCP ports using TCP Maimon scannmap -sM 192.168.1.1

#23: Scan a host for UDP services (UDP scan)

nmap -sU nas03nmap -sU 192.168.1.1

Starting Nmap 5.00 ( http://nmap.org ) at 2012-11-27 00:52 ISTStats: 0:05:29 elapsed; 0 hosts completed (1 up), 1 undergoing UDP ScanUDP Scan Timing: About 32.49% done; ETC: 01:09 (0:11:26 remaining)Interesting ports on nas03 (192.168.1.12):Not shown: 995 closed portsPORT     STATE         SERVICE111/udp  open|filtered rpcbind123/udp  open|filtered ntp161/udp  open|filtered snmp2049/udp open|filtered nfs5353/udp open|filtered zeroconfMAC Address: 00:11:32:11:15:FC (Synology Incorporated) Nmap done: 1 IP address (1 host up) scanned in 1099.55 seconds

#24: Scan for IP Protocol

nmap -sO 192.168.1.1

#25: Scan a firewall for security weakness

## TCP Null Scan to fool a firewall to generate a response#### Does not set any bits (TCP flag header is 0)##nmap -sN 192.168.1.254 ## TCP Fin scan to check firewall#### Sets just the TCP FIN bit##nmap -sF 192.168.1.254 ## TCP Xmas scan to check firewall#### Sets the FIN, PSH, and URG flags, lighting the packet up like a Christmas tree##nmap -sX 192.168.1.254

#26: Scan a firewall for packets fragments

nmap -f 192.168.1.1nmap -f fw2.nixcraft.net.innmap -f 15 fw2.nixcraft.net.in## Set your own offset size with the --mtu option ##nmap --mtu 32 192.168.1.1

#27: Cloak a scan with decoys

nmap -n -Ddecoy-ip1,decoy-ip2,your-own-ip,decoy-ip3,decoy-ip4 remote-host-ipnmap -n -D192.168.1.5,10.5.1.2,172.1.2.4,3.4.2.1 192.168.1.5

#28: Scan a firewall for MAC address spoofing

### Spoof your MAC address##nmap --spoof-mac MAC-ADDRESS-HERE 192.168.1.1 ### Add other options###nmap -v -sT -PN --spoof-mac MAC-ADDRESS-HERE 192.168.1.1  ### Use a random MAC address###### The number 0, means nmap chooses a completely random MAC address###nmap -v -sT -PN --spoof-mac 0 192.168.1.1

#29: How do I save output to a text file?

nmap 192.168.1.1 > output.txtnmap -oN /path/to/filename 192.168.1.1nmap -oN output.txt 192.168.1.1

BONUS -#30: Not a fan of command line tools?

Zenmap is the official Nmap Security Scanner GUI. It is a multi-platform (Linux, Windows, Mac OS X, BSD, etc.) free and open source application which aims to make Nmap easy for beginners to use while providing advanced features for experienced Nmap users. Frequently used scans can be saved as profiles to make them easy to run repeatedly. A command creator allows interactive creation of Nmap command lines. Scan results can be saved and viewed later. Saved scan results can be compared with one another to see how they differ. The results of recent scans are stored in a searchable database.

$ sudo apt-get install zenmap

Sample outputs:

[sudo] password for vivek:Reading package lists... DoneBuilding dependency treeReading state information... DoneThe following NEW packages will be installed:  zenmap0 upgraded, 1 newly installed, 0 to remove and 11 not upgraded.Need to get 616 kB of archives.After this operation, 1,827 kB of additional disk space will be used.Get:1 http://debian.osuosl.org/debian/ squeeze/main zenmap amd64 5.00-3 [616 kB]Fetched 616 kB in 3s (199 kB/s)Selecting previously deselected package zenmap.(Reading database ... 281105 files and directories currently installed.)Unpacking zenmap (from .../zenmap_5.00-3_amd64.deb) ...Processing triggers for desktop-file-utils ...Processing triggers for gnome-menus ...Processing triggers for man-db ...Setting up zenmap (5.00-3) ...Processing triggers for python-central ...

$ sudo zenmap

Sample outputs: