Nmap is a free and open-source network mapper. This popular network scanner is used for network discovery and security auditing. As an administrator, you can use this network discovery tool to map your network. Nmap is also valuable for users who host their website from home, since they can simulate the process an attacker would use to probe their site. Once you have installed Nmap, you need to know some commands to perform basic network scans. This article presents a tutorial on Nmap commands. To purchase your own Linux VPS, visit the available packages of Eldernode and order what you need.
What is Nmap
Nmap is an open-source and free utility for network discovery and security auditing. Network administrators find the network mapper (Nmap) useful for tasks such as managing service upgrade schedules, monitoring host or service uptime, and taking network inventory. Nmap is also flexible, powerful, portable, easy to use, free, well documented, supported, acclaimed, and popular. To determine which hosts are available on the network, Nmap uses raw IP packets in novel ways. It is designed to scan large networks rapidly and works fine against single hosts.
Nmap Features
Nmap offers many features for probing computer networks. Here are the most widely used features of the Nmap software; you can see the other options and information with the -h switch. Let's review some of them in the list below:
1- Quick scan of all ports
2- Target operating system identification
3- Sending an anonymous packet to filter the firewall
4- Ability to scan a certain range of ports
5- Spoofing feature
6- Ability to save the scan result with different formats
7- Ability to set TTL to filter smart firewalls
8- Ability to send packets for smart scanning
9- Ability to identify services on open ports
10- Ability to adjust various scanning techniques
Top Nmap Commands with Examples
Once you have installed Nmap, you use its commands to scan a host or network and find out where the hosts may be vulnerable. The IP addresses in the commands are examples; enter your own. Pay attention to uppercase and lowercase letters, since Nmap options are case sensitive. All of the commands can be run on both Windows and Linux operating systems.
Stay with us to review the best Nmap commands with examples for Linux Network.
Nmap Ping Scan Command
The most basic function of Nmap is identifying the active hosts on your network. A ping scan lets Nmap do this: it identifies all of the IP addresses that are online without sending any packets to these hosts. Use the command below to run a ping scan and see which servers are active (-sn is the current spelling of this option; older Nmap versions used -sP):
nmap -sn 192.100.1.1/24
The ping scan also returns a list of the hosts on your network and the total number of assigned IP addresses, so the same scan lets you view information on every active IP on your network.
Nmap Host Scan Commands
The host scan is a more powerful way to scan your networks since it sends ARP request packets to all the hosts connected to your network. Then, each host responds to this packet with another ARP packet containing its status and MAC address.
Use the following command to Run a host scan:
nmap -sn <target IP range>
You can use this command as a powerful way to spot suspicious hosts connected to your network. Using this command allows you to return information on every host, their latency, their MAC address, and also any description associated with this address.
Note: If you see anything unusual in this list, run a DNS query on a specific host by using:
nmap -sL <IP address>
The command above returns the list of names associated with the scanned IP, which shows you what the IP is actually used for.
Nmap Port Scanning Commands
You can use Nmap for port scanning. Here are the most commonly used commands:
-sS TCP SYN scan
-sT TCP connect scan
-sU UDP scan
-sY SCTP INIT scan
-sN TCP NULL scan
The differences between these types of scans are whether they cover TCP or UDP ports and whether they execute a TCP connection.
Nmap OS Scanning Commands
Another powerful feature of Nmap is OS scanning. With this type of scan, Nmap sends TCP and UDP packets to a particular port and then analyzes the responses. By comparing the responses to a database of 2600 operating systems, it returns information on the OS (and version) of a host.
You can Run an OS scan by running the command below:
nmap -O <target IP>
As we mentioned, users who run Nmap on their home server find it very valuable. If you are running Nmap on your home server, use the following command to automatically scan a number of the most "popular" ports of a host. Just replace "20" with the number of ports to scan:
nmap --top-ports 20 YourIPAddress
It returns a concise output that details the status of the most common ports. In this way, you will see if you have any unnecessarily open ports.
Nmap Output Result Commands
To write the results of your Nmap scans to a file, add an output option to your command. Add:
-oN output.txt
to your command to write the results to a text file, or:
-oX output.xml
to write them as XML.
Also, you can save the output to a text file by running the commands below:
nmap 192.168.1.1 > output.txt
nmap -oN /path/to/filename 192.168.1.1
nmap -oN output.txt 192.168.1.1
How to speed up Nmap Scans
You can speed up your Nmap scans, especially scans of large networks, by disabling reverse DNS resolution with the -n parameter. For example, to turn off DNS resolution for the basic ping scan mentioned above, add -n:
nmap -sn -n 192.100.1.1/24
To perform a fast scan use the Nmap command below:
nmap -F 192.168.1.1
nmap -6 -F IPv6_Address_Here
In the rest of this article, let's see some other ways to use Nmap commands.
_ Quick scan of a system:
nmap -F 192.168.1.1
_ Quick scan with details and version of ports:
nmap -v 192.168.1.1
_ Identify the operating system with a detailed scan:
nmap -v -A 192.168.1.1
_ Full scan with the desired range of port numbers:
nmap -v -p 1-100 192.168.1.1
In the above command, only ports 1 to 100 are scanned and reported.
_ Scan by sending random packets to block the destination system firewall:
nmap -v -f 192.168.1.1
_ Send packets from a specific port for an anonymous scan:
nmap -v 192.168.1.1 -g 80
In the above command, Nmap sends all of the packets from your port 80, so the destination system sees them as web traffic.
To show all packets sent and received, run:
nmap --packet-trace 192.168.1.1
nmap --packet-trace server1.YourDomainAddress
_ Scan a system when the system has blocked the ping:
nmap -v -Pn 192.168.1.1
Nmap uses the ICMP protocol to check the status of a system, so if the user has blocked this protocol, you must use the -Pn switch.
_ An example of a complete command to use Nmap:
nmap -v -A -Pn -f -p 1-65535 192.168.1.1 -g 80
Your system will send the packets from port 80, and the scan checks and displays the ports along with the operating system specifications. Also, Nmap does not care whether the destination system has blocked ICMP, and it sends the packets randomly.
How to Scan a large number of hosts/networks
To scan a large number of hosts/networks you can use the -iL option. Using this option allows you to read the list of target systems using a text file:
cat > /tmp/test.txt
Then, append names as follows:
server1.YourDomainAddress
192.168.1.0/24
192.168.1.1/24
10.1.2.3
localhost
The syntax is as follows:
nmap -iL /tmp/test.txt
How to exclude hosts/networks (IPv4)
To exclude hosts/networks (IPv4) from Nmap scan examples while scanning a large number of them, use the following command:
nmap 192.168.1.0/24 --exclude 192.168.1.5
nmap 192.168.1.0/24 --exclude 192.168.1.5,192.168.1.254
Or exclude a list of hosts read from a file called /tmp/exclude.txt:
nmap -iL /tmp/scanlist.txt --excludefile /tmp/exclude.txt
How to detect firewall setting using Nmap Command
You can use firewall detection during penetration testing and vulnerability scans. Several options can be used to detect firewall settings on the given hosts, but the -sA flag (ACK scan) is the most common. Nmap command examples for your host:
nmap -sA 192.168.1.254
nmap -sA server1.YourDomainAddress
Then, you can Scan a host when protected by the firewall using the commands below. For example, to scan a router/wifi device having 192.168.1.1 as IP:
nmap -Pn 192.168.1.1
nmap -Pn server1.YourDomainAddress
How to view open ports using the Nmap command
To show open or possibly open ports, you can use the Nmap commands below in Linux:
nmap --open 192.168.1.1
nmap --open server1.YourDomainAddress
nmap --open 192.168.2.18
To scan all of your devices/computers for open ports at once, type:
nmap -T5 192.168.1.0/24
nmap -T5 {sub/net}
How to use Nmap command for Nikto
Nikto was introduced in an earlier article. To scan web servers and pipe the result into Nikto for scanning, run the following commands:
nmap -p80 192.168.1.2/24 -oG - | /path/to/nikto.pl -h -
nmap -p80,443 192.168.1.2/24 -oG - | /path/to/nikto.pl -h -
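The -oG - grepable output used in the pipe above is also easy to parse yourself. As an added example (not part of the original article), the shell functions below read -oG output, list every open port per host, and flag any open port that is not on an allowlist of expected services, which is the check a home-server admin wants after the --open and --top-ports scans in the earlier sections. The scan output embedded here is constructed, not from a real scan; the hostname server1.example.com and the allowlist are assumptions.

```shell
#!/bin/sh
# Parse Nmap grepable output (-oG) to inventory open ports and flag
# any that are not on an allowlist of expected services.

T=$(printf '\t')   # -oG separates the fields of a Host line with tabs

sample_gnmap() {
  # Constructed -oG output for two hosts; not from a real scan.
  printf '%s\n' \
    '# Nmap 7.93 scan initiated as: nmap -sV -p22,80,443 -oG - 192.168.1.2/24' \
    "Host: 192.168.1.2 ()${T}Status: Up" \
    "Host: 192.168.1.2 ()${T}Ports: 22/open/tcp//ssh//OpenSSH 8.9/, 80/open/tcp//http///, 443/closed/tcp//https///${T}Ignored State: closed (0)" \
    "Host: 192.168.1.3 (server1.example.com)${T}Status: Up" \
    "Host: 192.168.1.3 (server1.example.com)${T}Ports: 22/filtered/tcp//ssh///, 80/filtered/tcp//http///, 443/open/tcp//https//nginx 1.18/" \
    '# Nmap done -- 256 IP addresses (2 hosts up) scanned in 5.02 seconds'
}

# stdin: -oG output; stdout: one "host port/proto service [version]" line per open port
open_ports() {
  awk '
    /^Host:/ && /Ports:/ {
      host = $2
      sub(/^.*Ports: /, "")                 # keep only the port list
      sub(/[ \t]+Ignored State:.*$/, "")    # drop the trailing summary field
      n = split($0, p, /, /)
      for (i = 1; i <= n; i++) {
        # each entry is port/state/proto/owner/service/rpcinfo/version/
        split(p[i], f, "/")
        if (f[2] == "open") {
          v = (f[7] != "") ? " " f[7] : ""
          print host, f[1] "/" f[3], f[5] v
        }
      }
    }'
}

# $1: space-separated allowlist such as "80/tcp 443/tcp"; stdin: -oG output
# stdout: open ports that are not expected, as "host port/proto service [version]"
unexpected_open_ports() {
  open_ports | awk -v allow="$1" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    !($2 in ok) { print }'
}

# Example run; a live scan works the same way: nmap -p80,443 <net> -oG - | open_ports
sample_gnmap | unexpected_open_ports "80/tcp 443/tcp"
```

Save the scan with -oG to a file and rerun the check later to spot ports that newly appeared since the last inventory.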
Conclusion
In this article, you reviewed the most important Nmap commands. The Nmap command comes with lots of options, and now you know how to use Nmap for offensive and defensive purposes. If you are not comfortable with the CLI, you can use the GUI app named Zenmap, the official Nmap Security Scanner GUI. If you are interested in learning more, refer to How to scan ports using connect scan and FIN scan on Nmap.