Nmap Commands with Examples

Nmap (Network Mapper) is a free and open-source security tool used for network scanning. Its main features include scanning for open ports, service and version discovery, operating system detection, and vulnerability auditing through its scripting engine.

Nmap is most commonly used from the command line and is available for many operating systems, including Ubuntu, CentOS, Red Hat, FreeBSD, and Mint.

In this tutorial, we look at some of the most frequently used Nmap commands, with examples.

Install NMAP

By default, nmap is not installed on most Linux distributions such as Debian, Ubuntu, Red Hat, CentOS and Fedora, but it is available in the yum and apt repositories for an easy install.

The following commands install nmap on Linux:

On CentOS and Red Hat based systems:

$ sudo yum install nmap

On Ubuntu and Debian based systems:

$ sudo apt-get install nmap

1. Scan Specific Host

To scan a specific host (this assumes you already know the host's IP address or hostname) and reveal basic information, use the command:

$ nmap IP-address

For example,

$ nmap 192.163.43.103


The command above is quick and generates output within a short time.

You can also scan using the hostname instead of the IP address, for example:

$ nmap ubuntu-server


To scan a range of IP addresses, use the syntax:

$ nmap 192.168.43.1-103

The command scans all hosts from 192.168.43.1 to 192.168.43.103.


2. Perform a thorough scan on a system

You can reveal far more information about a host using the -A (aggressive scan) flag, as shown below. -A enables OS detection, version detection, default script scanning and traceroute, so it reports the underlying OS, open ports, the services running and their versions, and more.

$ nmap -A 192.163.43.103


From the output, you can see that the command performs OS and service detection, giving you detailed information such as the type of service, its version, and the port it is running on. The command usually takes a while to run, but it is thorough and gives you everything you need about the particular host.

3. Scanning a particular port

To scan a specific port and check whether it is open, use the -p flag with the syntax below:

$ nmap -p port_number IP-address

For example, to scan port 80 on a host, run:

$ nmap -p 80 192.168.43.103


To scan a range of ports, for example ports 25 through 443, use the syntax:

$ nmap -p 25-443 192.168.43.13

To scan a list of individual ports instead, separate them with commas:

$ nmap -p 80,443 192.168.43.13


4. Find Host service name and its version

To check basic information about the services running on a host, use the -sV (version detection) flag as shown:

$ nmap -sV 192.168.43.103


5. Scanning an entire network subnet

To scan all devices in a network subnet, use CIDR notation as shown:

$ nmap 192.168.43.0/24


6. Exclude specific host on Scan

When performing a full network scan, you can exclude a specific host using the --exclude flag. In the example below, we exclude our own Kali Linux machine from the scan.

$ nmap 192.168.43.* --exclude 192.168.43.8

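Because a subnet or wildcard scan touches every address in the range, it helps to check each intended target against the scope you are authorised to scan and against the --exclude list before Nmap is run. The POSIX shell script below is an added example, not code from the article or from the Nmap project: it implements the CIDR membership test that the 192.168.43.0/24 notation implies and applies an exclusion list. The function names, the scope and the addresses are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original article or from Nmap): a small scope
# check to run before a subnet scan.  in_cidr implements the membership test
# behind nmap's "192.168.43.0/24" notation, so a wrapper can refuse targets
# outside the authorised range and honour an exclusion list like the one
# passed to --exclude.  All addresses below are constructed examples.

# ip_to_int <dotted-quad>: print the 32-bit integer form of an IPv4 address.
ip_to_int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# in_cidr <ip> <network/prefix>: succeed (exit 0) when ip lies inside the block.
in_cidr() {
    net=${2%/*}
    bits=${2#*/}
    # Network mask with the top <bits> bits set, truncated to 32 bits.
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# scan_allowed <ip> <authorised network/prefix> [excluded ip ...]:
# print "allow", or "deny <reason>", for one candidate target.
scan_allowed() {
    ip=$1
    scope=$2
    shift 2
    if ! in_cidr "$ip" "$scope"; then
        echo "deny $ip is outside authorised scope $scope"
        return 1
    fi
    for ex in "$@"; do
        if [ "$ex" = "$ip" ]; then
            echo "deny $ip is on the exclusion list"
            return 1
        fi
    done
    echo "allow"
}

# Stand-alone demonstration: our own /24 with the Kali box excluded, as in the article.
SCOPE=192.168.43.0/24
EXCLUDE=192.168.43.8
for target in 192.168.43.103 192.168.43.8 192.168.44.7; do
    printf '%-16s %s\n' "$target" "$(scan_allowed "$target" "$SCOPE" "$EXCLUDE")"
done
# Only when every target passes would a wrapper go on to run, for example:
#   nmap "$SCOPE" --exclude "$EXCLUDE"
```

The arithmetic relies on the shell's 64-bit integers (dash and bash on 64-bit systems), so the mask computation does not overflow; on a 32-bit shell the shift would need to be done differently.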

7. Display host interfaces and routes

The --iflist flag prints the network interfaces and routes of the machine Nmap is running on, which is useful for checking which interface a scan will leave from. Nmap prints the list and exits without scanning the target:

$ nmap 192.168.43.103 --iflist


8. Scan a remote host using TCP ACK and TCP SYN pings

At times, firewalls block ICMP requests, which interferes with host discovery and therefore with the scan results. In that case, use a TCP SYN ping (-PS) or a TCP ACK ping (-PA) to discover the host instead.

$ nmap -PS 192.168.43.103


$ nmap -PA 192.168.43.103


9. Scan to detect firewall settings

You can use Nmap's ACK scan (-sA) to tell whether a host's ports are being filtered by a firewall, as shown. An ACK scan classifies ports only as filtered or unfiltered; it does not distinguish open ports from closed ones.

$ nmap -sA 192.168.43.223


In the first example output, the firewall is disabled and therefore not running (the ports are reported as unfiltered). In the second, the firewall has been enabled and the chances of discovering open ports are minimal.

10. Scanning TCP or UDP ports

To scan for open TCP ports on the host using a full TCP connect scan, use the -sT flag as shown:

$ nmap -sT 192.168.43.103


To scan UDP ports, use the -sU flag:

$ nmap -sU 192.168.43.103

11. Save scan results in a file

After a scan completes, you can save the results in a text file using the -oN flag followed by the name of the output file, as shown below:

$ nmap -oN scan.txt 192.168.43.103

The file is created in your current working directory. To view it, simply use the cat command as shown:

$ cat scan.txt


Alternatively, you can use the redirection symbol (>) to redirect the output to a file, for example:

$ nmap 192.168.43.103 > output.txt

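Normal (-oN) output is meant for reading; for processing results with other tools Nmap also offers greppable output (-oG) and XML (-oX), and -oA basename writes all three at once. The shell script below is an added example, not code from the article or from the Nmap project: it parses a constructed sample of greppable output to list the open ports on each host and flags any host:port pair missing from a constructed allowlist of expected services, which is the check a defender runs after an inventory scan of their own network. The function names, the sample output and the allowlist are all assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original article or from Nmap): save every
# output format at once with -oA, then process the greppable (.gnmap) file to
# list open ports per host and flag any that are not on an allowlist of
# expected services.  The scan line is shown for reference only; the
# functions work on a constructed sample so the script runs without nmap.
#
# -oA <basename> writes basename.nmap (normal), basename.xml and basename.gnmap:
#   $ nmap -sV -oA lan-scan 192.168.43.0/24 --exclude 192.168.43.8

# Constructed sample of greppable output (fields are tab-separated; each
# "Ports:" entry has the form port/state/proto/owner/service/rpc/version/).
SAMPLE_GNMAP='# Nmap 7.80 scan initiated (constructed sample)
Host: 192.168.43.103 ()	Status: Up
Host: 192.168.43.103 ()	Ports: 22/open/tcp//ssh//OpenSSH 8.2p1/, 80/open/tcp//http//Apache httpd 2.4.41/, 3306/open/tcp//mysql//MySQL 5.7/	Ignored State: closed (997)
Host: 192.168.43.223 ()	Status: Up
Host: 192.168.43.223 ()	Ports: 22/open/tcp//ssh//OpenSSH 8.2p1/, 443/filtered/tcp//https///	Ignored State: filtered (998)
# Nmap done (constructed sample)'

# Expected host:port pairs (constructed allowlist), space-separated.
ALLOWED='192.168.43.103:22 192.168.43.103:80 192.168.43.223:22'

# open_ports: read greppable output on stdin and print one
# "host:port/proto service" line per port whose state is open.
open_ports() {
    awk '
        /^Host:/ && /Ports:/ {
            host = $2                                 # "Host: <addr> (<name>)": $2 is the address
            line = $0
            sub(/.*Ports: /, "", line)                # keep the port list ...
            sub(/[ \t]+Ignored State:.*$/, "", line)  # ... and drop the trailing summary
            n = split(line, p, ", ")
            for (j = 1; j <= n; j++) {
                split(p[j], f, "/")                   # f[1]=port f[2]=state f[3]=proto f[5]=service
                if (f[2] == "open") printf "%s:%s/%s %s\n", host, f[1], f[3], f[5]
            }
        }'
}

# unexpected_ports: open ports (from greppable output on stdin) whose
# host:port pair is missing from $ALLOWED; this is the list to review.
unexpected_ports() {
    open_ports | awk -v allowed="$ALLOWED" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        { split($1, hp, "/"); if (!(hp[1] in ok)) print }'
}

# Stand-alone demonstration on the constructed sample.  With a real scan you
# would feed the .gnmap file instead:  open_ports < lan-scan.gnmap
echo "Open ports:"
printf '%s\n' "$SAMPLE_GNMAP" | open_ports
echo "Not on the allowlist:"
printf '%s\n' "$SAMPLE_GNMAP" | unexpected_ports
```

Feed a real results file in place of the sample, for example open_ports < lan-scan.gnmap. Greppable output is convenient for one-liners like this, but the Nmap manual recommends the XML format for more involved processing.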

12. Scan with a set of Nmap scripts

Nmap ships with numerous powerful scripts (the Nmap Scripting Engine, NSE) that are used for vulnerability scanning and thereby pointing out weaknesses in a system. To find where the NSE scripts are installed, simply run:

$ locate '*.nse'


You can load an Nmap script using the --script option, as shown:

$ nmap -sV --script=mysql-info.nse 192.168.43.103

To scan with the default set of scripts, use the -sC flag:

$ nmap -sC 192.168.43.103


Conclusion

If you are looking for automation, then NSE (the Nmap Scripting Engine) is the answer. To get help with Nmap's options, simply run $ nmap -h. And that's all we had for this topic. We hope you are now comfortable using the nmap command to scan your network and discover more details about your host systems.

Bobbin Zachariah 8:00 am
