Nmap Commands (With Examples) You Must Master In 2022

Introduction

The current world is like a technical frontier where gadgets and technologies control, process, and perform everything. The introduction of networks has given rise to networking administrators whose most important job is executing Nmap commands or mapping and port scanning. With such a massive number of monitoring tools already available in the market, Nmap is still an industry-standard preferred by many experts. 

IT managers, administrators, and security professionals: every one of them faces a never-ending battle with network traffic. They have to constantly check their networks, figure out if there are any vulnerabilities or junk, and eradicate them from the system. It is their duty to use various Nmap commands for vulnerability scanning and eliminate lurking threats. The usability and versatility offered by Nmap are incomparable to the various other technologies available in the market. Nmap is a widely and extensively used software for enumeration and detection scans.

 

Table of Contents

1. What Is a Nmap Command?
2. Nmap Command in Linux
3. Nmap Commands for System Administrators With Examples

1) What Is a Nmap Command?

Before we try and explore the various Nmap commands, we should get acquainted with the term first. It is an open-source monitoring tool that can help scan and discover networks and network problems respectively.

2) Nmap Command in Linux

Linux is an integral part of the designing and digital world; many coders still use this platform to perform various tasks. Some Nmap commands can make operations easier on this platform. Here is the Nmap command in Linux that can help you in installation.

• CentOS/Fedora: sudo dnf install nmap
• Ubuntu/Debian: sudo apt-get install nmap

The Nmap commands for Windows are slightly different, but they are not as complex as this one because of the automated downloader that helps install Nmap within seconds. 

 

3) Nmap Commands for System Administrators With Examples

We have established an understanding of what Nmap is and how we can use it. Here are some basic Nmap commands that administrators can use to their advantage. 

1. Nmap Port Scan Command

If you wish to scan a port or even an entire port range on remote or local servers, you will have to execute the Nmap port scan command. Here is what the Nmap port scan command will be:

nmap -p 1-65535 localhost

Now, in this example, you scanned 65535 ports on the local host computer. You can change the values according to your need, and the number of ports getting scanned will also change completely. Nmap command to scan all ports can also help execute the process better and in an easy way.

 

2. Nmap Scan Against Host and Ip Address

While this is included in the Nmap basic commands, the scan against the host or IP address can come in handy. The command that can help in executing this process is:

nmap 1.1.1.1

The above example is for the host’s IP address, but you just have to replace the address with the name when you scan the hostname. 

For e.g., 

nmap cloudflare.com

3. Ping Scan Using Nmap

The Nmap command list is vast and extensive. Several examples can be listed, but if you wish to ping scan using Nmap, here is what you need to do: 

nmap -sp 192.168.5.0/24

This is probably one of the most used and popular Nmap commands to help host detection on any network. 

4. Multiple Ip Address Scan

The list of Nmap commands also includes the IP address scanner. If you wish to scan one IP address, follow the code given in point number 2, but if you have multiple IP addresses to scan, you need to follow the steps listed below. 

nmap 1.1.1.1 8.8.8.8

This syntax will help in scanning multiple addresses. You do have other syntaxes for consecutive IP addresses.

 

5. Scanning Ip Range

A Nmap scan command helps in scanning the entire IP range. This syntax will help in knowing the entire CIDR range of IP addresses. Example:

nmap -p 8.8.8.0/28

Like the other syntaxes, you will have to select the random ranges even in IP range scanning. Several syntaxes can help scan alternate IPs in the range, and some others can scan consecutive IPs. 

6. Popular Ports Scanning

There is a syntax for everything in Nmap, but you must use the one below for popular port scanning. 

nmap –top-ports 20 192.168.1.106

Using top ports with specific numbers can help the user scan the top ‘X’ number of the common ports in the given an example. You can replace the number 20 from the above syntax, and here are the outputs that can be expected.

[root@securitytrails:~]nmap –top-ports 20 localhost

Starting Nmap 6.40 ( http://nmap.org ) at 2018-10-01 10:02 EDT

Nmap scan report for localhost (127.0.0.1)

Host is up (0.000016s latency).

Other addresses for localhost (not scanned): 127.0.0.1

PORT     STATE    SERVICE

21/tcp   closed   ftp

22/tcp   closed   ssh

23/tcp   closed   telnet

25/tcp   closed   smtp

53/tcp   closed   domain

80/tcp   filtered http

110/tcp  closed   pop3

111/tcp  closed   rpcbind

135/tcp  closed   msrpc

139/tcp  closed   netbios-ssn

143/tcp  closed   imap

443/tcp  filtered https

445/tcp  closed   microsoft-ds

993/tcp  closed   imaps

995/tcp  closed   pop3s

1723/tcp closed   pptp

3306/tcp closed   mysql

3389/tcp closed   ms-wbt-server

5900/tcp closed   vnc

8080/tcp closed   http-proxy

7. Scanning Ip Addresses and Scan Host from a Text File

Nmap is proficient in scanning; one can use a few syntaxes to read text files. You need to keep the only thing in mind is that it contains IPs and hosts inside. To use this Nmap command, you need first to create a list.txt file and ensure that the file contains this syntax:

192.168.1.106

cloudflare.com

microsoft.com

securitytrails.com

The iL parameter in the syntax will help you read the file and scan the host simultaneously. The syntax is:

nmap -iL list.txt

8. Disabling Dns Name Resolution

If you have a lot of scans to perform, you will need to speed up your scans. To speed your scans up, you will have to disable the reverse DNS for the scans you do. Make sure to include the “-n” parameter. Here is the syntax that can be used:

[root@securitytrails:~]nmap -p 80 -n 8.8.8.8

Starting Nmap 7.60 ( https://nmap.org ) at 2018-10-01 09:15 -03

Nmap scan report for 8.8.8.8

Host is up (0.014s latency).

PORT   STATE    SERVICE

80/tcp filtered http

If you want to see the difference between the scan speeds of disabled and enabled DNS resolution, then here it is: 

[root@securitytrails:~]nmap -p 80 8.8.8.8

Starting Nmap 7.60 ( https://nmap.org ) at 2018-10-01 09:15 -03

Nmap scan report for google-public-dns-a.google.com (8.8.8.8)

Host is up (0.014s latency).

PORT   STATE    SERVICE

80/tcp filtered http

9. Saving the Result to a File

Nmap command use has become a crucial part of the coding world. If you want to save the results, here is how you can do it:

nmap -oN output.txt securitytrails.com

This command will help you export or save the result from a file without reading it. 

10. Detection of Services

From the Nmap full scan command to the Nmap help command, there is something for everything you want. Similarly, the detection of services is also a command that people extensively use. You can easily execute the detecting services by using the -sV parameters. The syntax for the same is: 

nmap -sV localhost

A good and expressive example of this syntax is given below:

[root@securitytrails:~]nmap -sV localhost

Starting Nmap 7.60 ( https://nmap.org ) at 2018-10-01 09:28 -03

Nmap scan report for localhost (127.0.0.1)

Host is up (0.000020s latency).

Other addresses for localhost (not scanned): ::1

Not shown: 997 closed ports

PORT STATE SERVICE VERSION

111/tcp open rpcbind 2-4 (RPC #100000)

631/tcp open ipp CUPS 2.2

902/tcp open ssl/vmware-auth VMware Authentication Daemon 1.10 (Uses VNC, SOAP)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/.

Nmap done: 1 IP address (1 host up) scanned in 7.96 seconds.

You can use this code as a Nmap os detection command.

11. Scanning Using Udp and Tcp

One of the best things is the Nmap command to check open ports, and the second-best thing about Nmap is its power to work with TCP and UDP without any hiccups. Several services are limited to just TCP, but people understand the advantage of scanning UDP-based services. Here are examples of both these services that are allowed by Nmap.

The output you get when you scan using standard TCP:

[root@securitytrails:~]nmap -sT 192.168.1.1

Starting Nmap 7.60 ( https://nmap.org ) at 2018-10-01 09:33 -03

Nmap scan report for 192.168.1.1

Host is up (0.58s latency).

Not shown: 995 closed ports

PORT STATE SERVICE

80/tcp open http

1900/tcp open upnp

20005/tcp open btx

49152/tcp open unknown

49153/tcp open unknown

Nmap done: 1 IP address (1 host up) scanned in 1.43 seconds.

Now, when you do the same process using UDP:

[root@securitytrails:~]nmap -sU localhost

Starting Nmap 7.60 ( https://nmap.org ) at 2018-10-01 09:37 -03

Nmap scan report for localhost (127.0.0.1)

Host is up (0.000021s latency).

Other addresses for localhost (not scanned): ::1

Not shown: 997 closed ports

PORT STATE SERVICE

68/udp open|filtered dhcpc

111/udp open rpcbind

5353/udp open|filtered zeroconf

 

12. Using Nmap for Cve Detection

Many system administrators are unaware of this feature offered by Nmap — detection of CVE. It is one of the best features that is under-utilized by people. There is a predefined script present in the command in Nmap that allows users to execute this process. One can use these predefined scripts or own their Lua programming language to derive a specific functionality that can help in CVE detection. Listed below is the command that you need to use:

nmap -Pn –script vuln 192.168.1.105

The best example to understand the command is listed below:

[root@securitytrails:~]nmap -Pn –script vuln 192.168.1.105

Starting Nmap 7.60 ( https://nmap.org ) at 2018-10-01 09:46 -03

Pre-scan script results:

| broadcast-avahi-dos:

| Discovered hosts:

| 224.0.0.251

| After NULL UDP avahi packet DoS (CVE-2011-1002).

|_ Hosts are all up (not vulnerable).

Nmap scan report for 192.168.1.105

Host is up (0.00032s latency).

Not shown: 995 closed ports

PORT STATE SERVICE

80/tcp open http

|_http-csrf: Couldn’t find any CSRF vulnerabilities.

|_http-dombased-xss: Couldn’t find any DOM based XSS.

| http-slowloris-check:

| VULNERABLE:

| Slowloris DOS attack

| State: LIKELY VULNERABLE

| IDs: CVE:CVE-2007-6750

| Slowloris tries to keep many connections to the target web server open and hold

| them open as long as possible. It accomplishes this by opening connections to

| the target web server and sending a partial request. By doing so, it starves

| the http server’s resources causing Denial Of Service.

|

| Disclosure date: 2009-09-17

| References:

| http://ha.ckers.org/slowloris/

|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750

|_http-stored-xss: Couldn’t find any stored XSS vulnerabilities.

|_http-vuln-cve2014-3704: ERROR: Script execution failed (use -d to debug)

1900/tcp open upnp

20005/tcp open btx

49152/tcp open unknown

49153/tcp open unknown

13. How to Launch Dos With Nmap

One thing that Nmap will never have a shortage of is the number of features. From Nmap commands cheat sheet to termux Nmap commands, there are several features on all the platforms available on Nmap. Apart from every other command that is executed on Nmap, you get a chance to launch DOS files on this platform. This can be done against network testing. 

The command that you will have to follow to get this done is:

nmap 192.168.1.105 -max-parallelism 800 -Pn –script http-slowloris –script-args http-slowloris.runforever=true

14. Brute Force Attacks Launching

You can also use Nmap to launch a brute-force attack. Its command is different on different browsers.

To do this process on WordPress, you will have to use the command: 

nmap -sV –script http-wordpress-brute –script-args ‘userdb=users.txt,passdb=passwds.txt,http-wordpress-brute.hostname=domain.com, http-wordpress-brute.threads=3,brute.firstonly=true’ 192.168.1.105

Brute force attack against MS-SQL:

nmap -p 1433 –script ms-sql-brute –script-args userdb=customuser.txt,passdb=custompass.txt 192.168.1.105

Brute force attack against FTP:

nmap –script ftp-brute -p 21 192.168.1.105

15. Remote Host Malware Infection Detection

Nmap commands in kali Linux, Nmap commands in termux, or even Nmap commands for vulnerability scanning are essential for system administrators, but detecting remote host malware is more critical.

You can simply use the Google malware checker by the command:

nmap -p80 –script http-google-malware infectedsite.com

Conclusion

There are various ways you can improve your Nmap using capabilities. These commands and examples can help you to understand and explore the Nmap monitoring tool. Have a look at the entire blog keeping in mind the commands that are useful for your systems. There are some specific sets of commands for every platform and UI, but on the flip side, several of them are common and can be used in all of them.

So, have you made up your mind to make a career in Cyber Security? Visit our Postgraduate Certificate Program in Cybersecurity to check out your best option for kickstarting a successful career in Cybersecurity.

ALSO READ,

• Ethical Hacking: A Comprehensive Guide In 2020