Monday, 16 October 2017

NMAP Commands for Scanning Hosts, Ports and Services

NMAP is quite a powerful tool for Security Penetration Testers. NMAP stands for Network Mapper and can be used at several phases of hacking/pen-testing. This tool is commonly used to scan open ports, services and the physical address (MAC address) of a host.

The tool is available in both Linux and Windows versions. The Linux version is somehow said to perform better and faster. NMAP comes together with Kali Linux - the Linux distribution often used by pen-testers.

NMAP is also available in GUI version and is called Zenmap.

NMAP Commands


We will test the commands on a local machine i.e. server1.jayitsecurity.com with IP address 192.168.43.84.

The commands are run with "root" access.

A. Scan a single host



Scan a host using its hostname

nmap server1.jayitsecurity.com

Scan a host using its IP address

nmap 192.168.43.84

Scan a host in verbose mode 

nmap -v server1.jayitsecurity.com

Fast scan a host

nmap -F server1.jayitsecurity.com

Show own host interfaces and routes

nmap --iflist

Scan a specific port

nmap -p 80 server1.jayitsecurity.com

Scan a TCP port

nmap -p T:8080 server1.jayitsecurity.com

Scan a UDP port

nmap -sU 53 server1.jayitsecurity.com

Scan multiple ports

nmap -p 21,80,8080 server1.jayitsecurity.com

Scan ports using range

nmap -p 21-80 server1.jayitsecurity.com

List services and versions on a host

nmap -sV server1.jayitsecurity.com

B. Scan multiple hosts



Scan multiple hosts

nmap server1.jayitsecurity.com 192.168.43.1 192.168.43.2

Scan a subnet

nmap 192.168.43.*

Use last octet of multiple IP addresses

nmap 192.168.43.1,2,84

Use an IP address range

nmap 192.168.43.1-100

Use list of hosts from a file

nmap -iL host_IP_address_list.txt

Exclude host(s)

nmap 192.168.43.1-100 --exclude 192.168.43.84

List live hosts in a network

nmap -sP 192.168.43.*

C. Scan to detect Operating System



Scan OS information and Traceroute

nmap -A 192.168.43.1

OS Detection

nmap -O 192.168.43.84
or
nmap -osscan-guess 192.168.43.84

D. Scan to detect Firewall



Detect firewall on host (packet filters)

nmap -sA 192.168.43.84

Detect whether a host is protected by firewall

nmap -PN 192.168.43.84

Perform TCP null scan to avoid firewall

nmap -sN 192.168.43.84

E. TCP three-way handshake

Note: If ICMP packets (eg. ping requests) are blocked, TCP ACK and TCP SYN can be used to find the live hosts/ports.


Scan using TCP ACK (PA)

nmap -PA 192.168.43.84

Scan usingTCP Syn (PS)

nmap -PS 192.168.43.84

Scan specific ports using TCP ACK

nmap -PA -p 21,22,80 192.168.43.84

Scan specific ports using TCP SYN

nmap -PS -p 21,22,80 192.168.43.84

Scan for common ports with TCP SYN

nmap -sT 192.168.43.84

F. Perform a stealthy scan



nmap -sS -p 21,22,80 192.168.43.84

Popular Posts