
Top 30 Nmap Commands for Network Admins

The document discusses the nmap network scanning tool and provides 30 examples of nmap commands for system and network administrators. Nmap is used to discover hosts and services on a computer network by sending packets and analyzing the responses. Some key nmap commands covered include scanning a single host or IP, multiple IPs or a subnet, reading a host list from a file, excluding specific hosts from a scan, performing OS detection, checking for firewalls, and showing open or potentially open ports.

Uploaded by

Joerdy Lianury

Top 30 Nmap Command Examples For Sys/Network Admins – nixCraft 4/21/17, 09:01

nixCraft
Linux Tips, Hacks, Tutorials, And Ideas In Blog

Top 30 Nmap Command Examples For Sys/Network Admins
November 26, 2012
in Command Line Hacks, Howto, Networking, Security
last updated January 13, 2017

Nmap is short for Network Mapper. It is an open source security tool
for network exploration, security scanning and auditing. However, the
nmap command comes with lots of options that can make the utility
more robust and difficult to follow for new users.

The purpose of this post is to introduce a user to the nmap command line
tool to scan a host and/or network, so as to find out the possible vulnerable
points in the hosts. You will also learn how to use Nmap for offensive and
defensive purposes.


nmap in action

More about nmap

From the man page:

Nmap (“Network Mapper”) is an open source tool for network
exploration and security auditing. It was designed to rapidly
scan large networks, although it works fine against single
hosts. Nmap uses raw IP packets in novel ways to determine
what hosts are available on the network, what services
(application name and version) those hosts are offering, what
operating systems (and OS versions) they are running, what
type of packet filters/firewalls are in use, and dozens of other
characteristics. While Nmap is commonly used for security
audits, many systems and network administrators find it
useful for routine tasks such as network inventory, managing
service upgrade schedules, and monitoring host or service
uptime.

It was originally written by Gordon Lyon and it can answer the following
questions easily:

1. What computers did you find running on the local network?
2. What IP addresses did you find running on the local network?
3. What is the operating system of your target machine?
4. What ports are open on the machine that you just scanned?
5. Find out if the system is infected with malware or virus.
6. Search for unauthorized servers or network services on your network.
7. Find and remove computers which don’t meet the organization’s
minimum level of security.

Sample setup (LAB)

Port scanning may be illegal in some jurisdictions. So set up a lab as
follows:

                      +---------+
+---------+           | Network |         +---------+
| server1 |-----------+ switch  +---------| server2 |
+---------+           | (sw0)   |         +---------+
                      +----+----+
                           |
                           |
                 +---------+----------+
                 | wks01 Linux/OSX    |
                 +--------------------+

Where,

wks01 is your computer, running either Linux/OS X or a Unix-like
operating system. It is used for scanning your local network. The nmap
command must be installed on this computer.
server1 can be powered by Linux / Unix / MS-Windows operating
systems. This is an unpatched server. Feel free to install a few services
such as a web server, file server and so on.
server2 can be powered by Linux / Unix / MS-Windows operating
systems. This is a fully patched server with a firewall. Again, feel free to
install a few services such as a web server, file server and so on.
All three systems are connected via a switch.

How do I install nmap?

See:

1. Debian / Ubuntu Linux: Install nmap Software For Scanning Network
2. CentOS / RHEL: Install nmap Network Security Scanner
3. OpenBSD: Install nmap Network Security Scanner

#1: Scan a single host or an IP address (IPv4)

### Scan a single ip address ###
nmap 192.168.1.1

### Scan a host name ###
nmap server1.cyberciti.biz

### Scan a host name with more info ###
nmap -v server1.cyberciti.biz

Sample outputs:

Fig.01: nmap output

#2: Scan multiple IP address or subnet (IPv4)

nmap 192.168.1.1 192.168.1.2 192.168.1.3
## works with same subnet i.e. 192.168.1.0/24
nmap 192.168.1.1,2,3

You can scan a range of IP addresses too:

nmap 192.168.1.1-20

You can scan a range of IP addresses using a wildcard:

nmap 192.168.1.*

Finally, you can scan an entire subnet:

nmap 192.168.1.0/24

#3: Read list of hosts/networks from a file (IPv4)

The -iL option allows you to read the list of target systems using a text file.
This is useful to scan a large number of hosts/networks. Create a text file
as follows:

cat > /tmp/test.txt

Sample outputs:

server1.cyberciti.biz
192.168.1.0/24
192.168.1.1/24
10.1.2.3
localhost

The syntax is:

nmap -iL /tmp/test.txt
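
An added example, not part of the original post: a pre-flight check that expands the target syntax from #2 and #3 (addresses, CIDR blocks, octet lists, ranges and the * wildcard) and confirms that every entry of an -iL list stays inside the lab network before nmap runs. The allowed range 192.168.1.0/24, the function names and the result labels are assumptions made for illustration; host names are not resolved and are flagged for manual review.

```python
import ipaddress
import itertools
import re

# One octet of an nmap IPv4 target: "5", "1-20", "1,2,3", "1,5-7" or "*".
OCTET_SPEC = re.compile(r"^(\*|\d{1,3}(-\d{1,3})?(,\d{1,3}(-\d{1,3})?)*)$")
MAX_EXPANSION = 65536  # assumption: never enumerate more than a /16

# Contents of /tmp/test.txt as shown in #3, plus two constructed range entries.
SAMPLE_LIST = """server1.cyberciti.biz
192.168.1.0/24
192.168.1.1/24
10.1.2.3
localhost
192.168.1.1-20      # constructed: octet range from #2
192.168.1-2.5       # constructed: spills into 192.168.2.0/24
"""


def expand_octet(spec):
    """Return every value one octet spec stands for."""
    if spec == "*":
        return list(range(256))
    values = []
    for part in spec.split(","):
        low, _, high = part.partition("-")
        low, high = int(low), int(high or low)
        if not 0 <= low <= high <= 255:
            raise ValueError(f"bad octet range: {part}")
        values.extend(range(low, high + 1))
    return values


def classify(entry, allowed):
    """Label one target: in-scope, out-of-scope, too-broad, invalid, needs-review."""
    try:  # plain address or CIDR block; set host bits are tolerated, as nmap does
        net = ipaddress.ip_network(entry, strict=False)
    except ValueError:
        net = None
    if net is not None:
        inside = any(net.version == a.version and net.subnet_of(a) for a in allowed)
        return "in-scope" if inside else "out-of-scope"
    octets = entry.split(".")
    if len(octets) == 4 and all(OCTET_SPEC.match(o) for o in octets):
        try:
            choices = [expand_octet(o) for o in octets]
        except ValueError:
            return "invalid"
        size = 1
        for values in choices:
            size *= len(values)
        if size > MAX_EXPANSION:
            return "too-broad"
        for combo in itertools.product(*choices):
            addr = ipaddress.ip_address(".".join(map(str, combo)))
            if not any(addr in a for a in allowed):
                return "out-of-scope"
        return "in-scope"
    return "needs-review"  # host name: resolve and approve it by hand


def check_target_list(text, allowed_cidrs):
    """Map every entry of an -iL style list to its label."""
    allowed = [ipaddress.ip_network(c) for c in allowed_cidrs]
    results = {}
    for line in text.splitlines():
        # Entries are whitespace separated; "#" starts a comment.
        for entry in line.split("#", 1)[0].split():
            results[entry] = classify(entry, allowed)
    return results


if __name__ == "__main__":
    for target, label in check_target_list(SAMPLE_LIST, ["192.168.1.0/24"]).items():
        print(f"{label:13} {target}")
```

Only hand the file to nmap -iL when no entry is labelled out-of-scope, too-broad or invalid.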

#4: Excluding hosts/networks (IPv4)

When scanning a large number of hosts/networks you can exclude hosts
from a scan:

nmap 192.168.1.0/24 --exclude 192.168.1.5
nmap 192.168.1.0/24 --exclude 192.168.1.5,192.168.1.254

OR exclude list from a file called /tmp/exclude.txt

nmap -iL /tmp/scanlist.txt --excludefile /tmp/exclude.txt

#5: Turn on OS and version detection scanning script (IPv4)

nmap -A 192.168.1.254
nmap -v -A 192.168.1.1
nmap -A -iL /tmp/scanlist.txt

#6: Find out if a host/network is protected by a firewall

nmap -sA 192.168.1.254
nmap -sA server1.cyberciti.biz

#7: Scan a host when protected by the firewall

nmap -PN 192.168.1.1
nmap -PN server1.cyberciti.biz

#8: Scan an IPv6 host/address

The -6 option enables IPv6 scanning. The syntax is:

nmap -6 IPv6-Address-Here
nmap -6 server1.cyberciti.biz
nmap -6 2607:f0d0:1002:51::4
nmap -v -A -6 2607:f0d0:1002:51::4

#9: Scan a network and find out which servers and devices are up and running

This is known as host discovery or ping scan:

nmap -sP 192.168.1.0/24

Sample outputs:

Host 192.168.1.1 is up (0.00035s latency).
MAC Address: BC:AE:C5:C3:16:93 (Unknown)
Host 192.168.1.2 is up (0.0038s latency).
MAC Address: 74:44:01:40:57:FB (Unknown)
Host 192.168.1.5 is up.
Host nas03 (192.168.1.12) is up (0.0091s latency).
MAC Address: 00:11:32:11:15:FC (Synology Incorporated)
Nmap done: 256 IP addresses (4 hosts up) scanned in 2.80 second

#10: How do I perform a fast scan?

nmap -F 192.168.1.1

#11: Display the reason a port is in a particular state

nmap --reason 192.168.1.1
nmap --reason server1.cyberciti.biz

#12: Only show open (or possibly open) ports

nmap --open 192.168.1.1
nmap --open server1.cyberciti.biz

#13: Show all packets sent and received

nmap --packet-trace 192.168.1.1
nmap --packet-trace server1.cyberciti.biz

#14: Show host interfaces and routes

This is useful for debugging (nmap prints output like that of the ip
command, route command or netstat command):

nmap --iflist

Sample outputs:

Starting Nmap 5.00 ( http://nmap.org ) at 2012-11-27 02:01 IST
************************INTERFACES************************
DEV    (SHORT)  IP/MASK          TYPE        UP MAC
lo     (lo)     127.0.0.1/8      loopback    up
eth0   (eth0)   192.168.1.5/24   ethernet    up B8:AC:6F:65:31:E5
vmnet1 (vmnet1) 192.168.121.1/24 ethernet    up 00:50:56:C0:00:01
vmnet8 (vmnet8) 192.168.179.1/24 ethernet    up 00:50:56:C0:00:08
ppp0   (ppp0)   10.1.19.69/32    point2point up

**************************ROUTES**************************
DST/MASK         DEV    GATEWAY
10.0.31.178/32   ppp0
209.133.67.35/32 eth0   192.168.1.2
192.168.1.0/0    eth0
192.168.121.0/0  vmnet1
192.168.179.0/0  vmnet8
169.254.0.0/0    eth0
10.0.0.0/0       ppp0
0.0.0.0/0        eth0   192.168.1.2

#15: How do I scan specific ports?

nmap -p [port] hostName
## Scan port 80
nmap -p 80 192.168.1.1

## Scan TCP port 80
nmap -p T:80 192.168.1.1

## Scan UDP port 53
## U: ports are only scanned when a UDP scan (-sU) is requested
nmap -sU -p U:53 192.168.1.1

## Scan two ports ##
nmap -p 80,443 192.168.1.1

## Scan port ranges ##
nmap -p 80-200 192.168.1.1

## Combine all options ##
nmap -sU -sT -p U:53,111,137,T:21-25,80,139,8080 192.168.1.1
nmap -sU -sT -p U:53,111,137,T:21-25,80,139,8080 server1.cyberciti.biz
nmap -v -sU -sT -p U:53,111,137,T:21-25,80,139,8080 192.168.1.254

## Scan all ports with * wildcard ##
nmap -p "*" 192.168.1.1

## Scan top ports i.e. scan $number most common ports ##
nmap --top-ports 5 192.168.1.1
nmap --top-ports 10 192.168.1.1

Sample outputs:

Starting Nmap 5.00 ( http://nmap.org ) at 2012-11-27 01:23 IST
Interesting ports on 192.168.1.1:
PORT     STATE  SERVICE
21/tcp   closed ftp
22/tcp   open   ssh
23/tcp   closed telnet
25/tcp   closed smtp
80/tcp   open   http
110/tcp  closed pop3
139/tcp  closed netbios-ssn
443/tcp  closed https
445/tcp  closed microsoft-ds
3389/tcp closed ms-term-serv
MAC Address: BC:AE:C5:C3:16:93 (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 0.51 seconds

#16: The fastest way to scan all your devices/computers for open ports ever

nmap -T5 192.168.1.0/24

#17: How do I detect remote operating system?

You can identify a remote host's apps and OS using the -O option:

nmap -O 192.168.1.1
nmap -O --osscan-guess 192.168.1.1
nmap -v -O --osscan-guess 192.168.1.1

Sample outputs:

Starting Nmap 5.00 ( http://nmap.org ) at 2012-11-27 01:29 IST
NSE: Loaded 0 scripts for scanning.
Initiating ARP Ping Scan at 01:29
Scanning 192.168.1.1 [1 port]
Completed ARP Ping Scan at 01:29, 0.01s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 01:29
Completed Parallel DNS resolution of 1 host. at 01:29, 0.22s elapsed
Initiating SYN Stealth Scan at 01:29
Scanning 192.168.1.1 [1000 ports]
Discovered open port 80/tcp on 192.168.1.1
Discovered open port 22/tcp on 192.168.1.1
Completed SYN Stealth Scan at 01:29, 0.16s elapsed (1000 total ports)
Initiating OS detection (try #1) against 192.168.1.1
Retrying OS detection (try #2) against 192.168.1.1
Retrying OS detection (try #3) against 192.168.1.1
Retrying OS detection (try #4) against 192.168.1.1
Retrying OS detection (try #5) against 192.168.1.1
Host 192.168.1.1 is up (0.00049s latency).
Interesting ports on 192.168.1.1:
Not shown: 998 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: BC:AE:C5:C3:16:93 (Unknown)
Device type: WAP|general purpose|router|printer|broadband router
Running (JUST GUESSING) : Linksys Linux 2.4.X (95%),
Linux 2.4.X|2.6.X (94%), MikroTik RouterOS 3.X (92%),
Lexmark embedded (90%), Enterasys embedded (89%), D-Link
Linux 2.4.X (89%), Netgear Linux 2.4.X (89%)
Aggressive OS guesses: OpenWrt White Russian 0.9 (Linux
2.4.30) (95%), OpenWrt 0.9 - 7.09 (Linux 2.4.30 -
2.4.34) (94%), OpenWrt Kamikaze 7.09 (Linux 2.6.22)
(94%), Linux 2.4.21 - 2.4.31 (likely embedded) (92%),
Linux 2.6.15 - 2.6.23 (embedded) (92%), Linux 2.6.15 -
2.6.24 (92%), MikroTik RouterOS 3.0beta5 (92%), MikroTik
RouterOS 3.17 (92%), Linux 2.6.24 (91%), Linux 2.6.22
(90%)
No exact OS matches for host (If you know what OS is
running on it, see http://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=5.00%D=11/27%OT=22%CT=1%CU=30609%PV=Y%DS=1%G=Y
%M=BCAEC5%TM=50B3CA
OS:4B%P=x86_64-unknown-linux-
gnu)SEQ(SP=C8%GCD=1%ISR=CB%TI=Z%CI=Z%II=I%TS=7
OS:)OPS(O1=M2300ST11NW2%O2=M2300ST11NW2%O3=M2300NNT11NW2
%O4=M2300ST11NW2%O5
OS:=M2300ST11NW2%O6=M2300ST11)WIN(W1=45E8%W2=45E8%W3=45E
8%W4=45E8%W5=45E8%W
OS:6=45E8)ECN(R=Y%DF=Y%T=40%W=4600%O=M2300NNSNW2%CC=N%Q=
)T1(R=Y%DF=Y%T=40%S
OS:=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W
=0%S=A%A=Z%F=R%O=%R
OS:D=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
T6(R=Y%DF=Y%T=40%W=
OS:0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=N)U1(R=Y%DF=N%T=40%IPL=
164%UN=0%RIPL=G%RID
OS:=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)
Uptime guess: 12.990 days (since Wed Nov 14 01:44:40 2012)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=200 (Good luck!)
IP ID Sequence Generation: All zeros
Read data files from: /usr/share/nmap
OS detection performed. Please report any incorrect
results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.38 seconds
Raw packets sent: 1126 (53.832KB) | Rcvd: 1066 (46.100KB)

See also: Fingerprinting a web-server and a dns server command line
tools for more information.

#18: How do I detect remote services (server / daemon) version numbers?

nmap -sV 192.168.1.1

Sample outputs:

Starting Nmap 5.00 ( http://nmap.org ) at 2012-11-27 01:34 IST
Interesting ports on 192.168.1.1:
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     Dropbear sshd 0.52 (protocol 2.0)
80/tcp open  http?
1 service unrecognized despite returning data.

#19: Scan a host using TCP ACK (PA) and TCP Syn (PS) ping

If a firewall is blocking standard ICMP pings, try the following host
discovery methods:

## No space is allowed between -PS / -PA and the port list ##
nmap -PS 192.168.1.1
nmap -PS80,21,443 192.168.1.1
nmap -PA 192.168.1.1
nmap -PA80,21,200-512 192.168.1.1

#20: Scan a host using IP protocol ping

nmap -PO 192.168.1.1


#21: Scan a host using UDP ping

This scan bypasses firewalls and filters that only screen TCP:

nmap -PU 192.168.1.1
## The port list follows -PU directly and is comma separated ##
nmap -PU2000,2001 192.168.1.1

#22: Find out the most commonly used TCP ports using TCP SYN Scan

### Stealthy scan ###
nmap -sS 192.168.1.1

### Find out the most commonly used TCP ports using TCP connect scan (warning: no stealth scan)
### OS Fingerprinting ###
nmap -sT 192.168.1.1

### Find out the most commonly used TCP ports using TCP ACK scan
nmap -sA 192.168.1.1

### Find out the most commonly used TCP ports using TCP Window scan
nmap -sW 192.168.1.1

### Find out the most commonly used TCP ports using TCP Maimon scan
nmap -sM 192.168.1.1

#23: Scan a host for UDP services (UDP scan)

Most popular services on the Internet run over the TCP protocol. DNS,
SNMP, and DHCP are three of the most common UDP services. Use the
following syntax to find out UDP services:

nmap -sU nas03
nmap -sU 192.168.1.1

Sample outputs:

Starting Nmap 5.00 ( http://nmap.org ) at 2012-11-27 00:52 IST
Stats: 0:05:29 elapsed; 0 hosts completed (1 up), 1 undergoing UDP Scan
UDP Scan Timing: About 32.49% done; ETC: 01:09 (0:11:26 remaining)
Interesting ports on nas03 (192.168.1.12):
Not shown: 995 closed ports
PORT     STATE         SERVICE
111/udp  open|filtered rpcbind
123/udp  open|filtered ntp
161/udp  open|filtered snmp
2049/udp open|filtered nfs
5353/udp open|filtered zeroconf
MAC Address: 00:11:32:11:15:FC (Synology Incorporated)

Nmap done: 1 IP address (1 host up) scanned in 1099.55 seconds

#24: Scan for IP protocol

This type of scan allows you to determine which IP protocols (TCP, ICMP,
IGMP, etc.) are supported by target machines:

nmap -sO 192.168.1.1

#25: Scan a firewall for security weakness

The following scan types exploit a subtle loophole in TCP and are good for
testing security against common attacks:

## TCP Null Scan to fool a firewall to generate a response ##
## Does not set any bits (TCP flag header is 0) ##
nmap -sN 192.168.1.254

## TCP Fin scan to check firewall ##
## Sets just the TCP FIN bit ##
nmap -sF 192.168.1.254

## TCP Xmas scan to check firewall ##
## Sets the FIN, PSH, and URG flags, lighting the packet up like a Christmas tree ##
nmap -sX 192.168.1.254

See how to block Xmas packets, syn-floods and other common attacks
with iptables.

#26: Scan a firewall for packets fragments

The -f option causes the requested scan (including ping scans) to use tiny
fragmented IP packets. The idea is to split up the TCP header over
several packets to make it harder for packet filters, intrusion detection
systems, and other annoyances to detect what you are doing.

nmap -f 192.168.1.1
nmap -f fw2.nixcraft.net.in
nmap -f 15 fw2.nixcraft.net.in

## Set your own offset size with the --mtu option ##
nmap --mtu 32 192.168.1.1

#27: Cloak a scan with decoys

The -D option makes it appear to the remote host that the host(s) you specify as
decoys are scanning the target network too. Thus their IDS might report
5-10 port scans from unique IP addresses, but they won’t know which IP
was scanning them and which were innocent decoys:

nmap -n -Ddecoy-ip1,decoy-ip2,your-own-ip,decoy-ip3,decoy-ip4 remote-host-ip
nmap -n -D192.168.1.5,10.5.1.2,172.1.2.4,3.4.2.1 192.168.1.5

#28: Scan a firewall for MAC address spoofing

### Spoof your MAC address ##
nmap --spoof-mac MAC-ADDRESS-HERE 192.168.1.1

### Add other options ###
nmap -v -sT -PN --spoof-mac MAC-ADDRESS-HERE 192.168.1.1

### Use a random MAC address ###
### The number 0, means nmap chooses a completely random MAC address ###
nmap -v -sT -PN --spoof-mac 0 192.168.1.1

#29: How do I save output to a text file?

The syntax is:

nmap 192.168.1.1 > output.txt


nmap -oN /path/to/filename 192.168.1.1
nmap -oN output.txt 192.168.1.1
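
An added example, not from the original post: it reads a report saved with -oN and lists every port that is open (or open|filtered) but missing from an approved baseline, which is the "search for unauthorized servers or network services" task from the introduction. The sample report is abridged from the sample outputs on this page; the baseline contents and the function names are assumptions.

```python
import re

# Host header as printed by Nmap 5.00 ("Interesting ports on ...:") and by
# later releases ("Nmap scan report for ...").
HOST_RE = re.compile(r"^(?:Interesting ports on|Nmap scan report for)\s+(.+?):?\s*$")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")

# Abridged from the sample outputs shown in #15 and #23 of this page.
SAMPLE_REPORT = """\
Starting Nmap 5.00 ( http://nmap.org ) at 2012-11-27 01:23 IST
Interesting ports on 192.168.1.1:
PORT     STATE  SERVICE
21/tcp   closed ftp
22/tcp   open   ssh
80/tcp   open   http
443/tcp  closed https
MAC Address: BC:AE:C5:C3:16:93 (Unknown)
Interesting ports on nas03 (192.168.1.12):
Not shown: 995 closed ports
PORT     STATE         SERVICE
111/udp  open|filtered rpcbind
123/udp  open|filtered ntp
161/udp  open|filtered snmp
2049/udp open|filtered nfs
5353/udp open|filtered zeroconf
"""

# Assumed allowlist: the services each lab host is supposed to expose.
BASELINE = {
    "192.168.1.1": {(22, "tcp")},
    "192.168.1.12": {(123, "udp"), (2049, "udp")},
}


def parse_normal_output(text):
    """Return (host, port, proto, state, service) tuples from -oN output."""
    rows, host = [], None
    for line in text.splitlines():
        header = HOST_RE.match(line)
        if header:
            label = header.group(1)
            addr = re.search(r"\(([^()]+)\)$", label)  # "nas03 (192.168.1.12)"
            host = addr.group(1) if addr else label
            continue
        port = PORT_RE.match(line)
        if port and host:
            number, proto, state, service = port.groups()
            rows.append((host, int(number), proto, state, service))
    return rows


def unexpected_services(rows, baseline):
    """Rows whose port may be open but is not approved for that host."""
    found = []
    for host, number, proto, state, service in rows:
        if not state.startswith("open"):  # keeps "open" and "open|filtered"
            continue
        if (number, proto) not in baseline.get(host, set()):
            found.append((host, number, proto, state, service))
    return found


if __name__ == "__main__":
    for row in unexpected_services(parse_normal_output(SAMPLE_REPORT), BASELINE):
        print("not in baseline: %s %d/%s %s (%s)" % row)
```

A host that is absent from the baseline has every possibly-open port reported, so a new machine on the network shows up as well as a new service.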

#30: Not a fan of command line tools?

Try zenmap the official network mapper front end:

Zenmap is the official Nmap Security Scanner GUI. It is a
multi-platform (Linux, Windows, Mac OS X, BSD, etc.) free and
open source application which aims to make Nmap easy for
beginners to use while providing advanced features for
experienced Nmap users. Frequently used scans can be saved
as profiles to make them easy to run repeatedly. A command
creator allows interactive creation of Nmap command lines.
Scan results can be saved and viewed later. Saved scan results
can be compared with one another to see how they differ.
The results of recent scans are stored in a searchable
database.

You can install zenmap using the following apt-get command:

$ sudo apt-get install zenmap

Sample outputs:

[sudo] password for vivek:
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
zenmap
0 upgraded, 1 newly installed, 0 to remove and 11 not upgraded.
Need to get 616 kB of archives.
After this operation, 1,827 kB of additional disk space will be used.
Get:1 http://debian.osuosl.org/debian/ squeeze/main zenmap amd64 5.00-3 [616 kB]
Fetched 616 kB in 3s (199 kB/s)
Selecting previously deselected package zenmap.
(Reading database ... 281105 files and directories currently installed.)
Unpacking zenmap (from .../zenmap_5.00-3_amd64.deb) ...
Processing triggers for desktop-file-utils ...
Processing triggers for gnome-menus ...
Processing triggers for man-db ...
Setting up zenmap (5.00-3) ...
Processing triggers for python-central ...

Type the following command to start zenmap:

$ sudo zenmap

Sample outputs

Fig.02: zenmap in action


How do I detect and block port scanning?

Try the following resources:

1. How to use psad tool to detect and block port scan attacks in real
time.
2. Debian / Ubuntu Linux: Install and Configure Shoreline Firewall
(Shorewall).
3. CentOS / Redhat Iptables Firewall Configuration Tutorial.
4. Linux: 20 Iptables Examples For New SysAdmins.
5. 20 Linux Server Hardening Security Tips.
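
An added example, not from the original post or from any of the tools listed above: detection logic for the scans in this article, run over firewall log lines. It assumes the firewall records inbound TCP packets with the iptables LOG target, flags a source that touches many distinct ports, and recognises the Null, FIN and Xmas flag sets from #25. The log lines are constructed, and the threshold, function names and single time window are assumptions.

```python
import re
from collections import defaultdict

# Fields of an iptables LOG line; the TCP flags sit between RES= and URGP=.
LINE_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=\S+ .*?PROTO=TCP SPT=\d+ DPT=(?P<dpt>\d+) "
    r".*?RES=0x[0-9a-fA-F]+ (?P<flags>(?:[A-Z]+ )*)URGP="
)

# Flag sets that no normal TCP connection produces (see #25).
PROBE_NAMES = {
    frozenset(): "null",
    frozenset({"FIN"}): "fin",
    frozenset({"FIN", "PSH", "URG"}): "xmas",
}


def log_line(src, dpt, flags):
    """Build one constructed log line; flags is '' or e.g. 'SYN '."""
    return (
        f"Nov 27 01:29:01 fw kernel: IN=eth0 OUT= SRC={src} DST=192.168.1.254 "
        f"LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=TCP SPT=40000 DPT={dpt} "
        f"WINDOW=1024 RES=0x00 {flags}URGP=0"
    )


# Constructed sample: one sweep, one host sending odd flag sets, one normal client.
SAMPLE_LOG = (
    [log_line("192.168.1.5", port, "SYN ") for port in (21, 22, 23, 25, 80, 110)]
    + [log_line("192.168.1.77", 80, "URG PSH FIN "), log_line("192.168.1.77", 80, "")]
    + [log_line("192.168.1.20", 443, "SYN "), log_line("192.168.1.20", 443, "SYN ")]
)


def analyse(lines, port_threshold=5):
    """Return {source: [reasons]} for sources that look like scanners.

    Assumes all lines fall inside one observation window.
    """
    ports = defaultdict(set)
    probes = defaultdict(set)
    for line in lines:
        match = LINE_RE.search(line)
        if not match:
            continue  # not a TCP entry in the expected format
        src = match["src"]
        ports[src].add(int(match["dpt"]))
        kind = PROBE_NAMES.get(frozenset(match["flags"].split()))
        if kind:
            probes[src].add(kind)
    report = {}
    for src, seen in ports.items():
        reasons = sorted(probes[src])
        if len(seen) >= port_threshold:
            reasons.append("portscan")
        if reasons:
            report[src] = reasons
    return report


if __name__ == "__main__":
    for source, reasons in analyse(SAMPLE_LOG).items():
        print(source, ", ".join(reasons))
```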

References:

The official Nmap project guide to network discovery and security
Scanning.
The official Nmap project home page.

The nmap command has many more options; please go through the man
page or the documentation for more information. What are some of your
favorite nmap command-line tricks? Share your favorite tips, tricks, and
advice in the comments below.

Tagged as: Apple, Debian Linux, FreeBSD, Linux, Ubuntu, Unix

25 comment

Kris April 5, 2017 at 12:54 pm

Is there maybe a way to become the netmask of a known host, IP
address???
(with nmap … or an other command, solution)

With
WIRESHARK – I’m able to define the IP-address
NMAP – I’m able to define the MAC-address (ping doesn’t work yet)
ARP – I get the IP-address and MAC-address

but I’ve to put my interface in the same netmask range as the host, before
I’m able to connect to it.

Any suggestions.

Thks

Manoel Bezerra April 5, 2017 at 11:32 am

Excellent document. The examples given illustrate the operation of the
nmap command. Congratulations for the initiative.

Muhammad Karam Shehzad November 4, 2016 at 11:54 am

What is the best way to go about finding all ports being used by MySQL
for clustering purposes?
I am on Linux platform with MySQL NDB 5.7. I am trying to monitor all
traffic related to MySQL clustering – between data nodes, management
node and sql nodes. To that end, I used netstat to list all open ports
listening on my machine before starting MySQL cluster. Then, I started
MySQL cluster and ran netstat again. I assumed that the ports that were
listening the second time around, but not the first time, were related to
MySQL clustering.
But there are two problems with this. First, there could be ports opened
by other processes between the two netstat runs. Second, MySQL might
open other ports after I ran the netstat command the second time.
What is the best way to go about finding all ports being used by MySQL
for clustering purposes?
I believe ephemeral ports are picked dynamically, so perhaps if I knew all
the MySQL clustering related processes that would be running, I can
figure out every port that they are using. Pointers will be very welcome.

Ar3xXx May 13, 2016 at 12:47 pm

Thx mate I will use this as cheat sheet :)

phoenix6142 March 16, 2016 at 12:15 am

I found this article very helpful. I’m definitely saving this Bookmark for
future reference. I’ve been using “nmap -sP 192.168.1.0/24” for a very long
time just to see which clients are online. OS Detect is also very useful in
Armitage and Metasploit. Long live Linux!


P4 January 5, 2016 at 1:36 pm

for blocking a portscan give portsentry a try :)
https://plus.google.com/+RemikPi/posts/TB3Wu2xJMsB

Bob Cynic November 10, 2014 at 5:29 am

Beautifully formatted man page…thanks! ;)

far November 4, 2014 at 3:30 am

what does nmap -sn -PI 192.168.1.0/24 do?

Scott September 22, 2014 at 6:00 pm

Anyone got any examples of using nmap to generate a RARP message?

Murphy Mason June 21, 2014 at 4:52 pm

very interesting

HD May 6, 2014 at 12:09 pm

The question is how to monitor people who use/run NMAP and create a
report about it …
Thanks

benhuan December 10, 2013 at 9:41 am

Love it , Thanks for sharing

s33d3r November 7, 2013 at 5:59 am

Very Useful and Thanks for the information

Andrew July 23, 2013 at 3:46 pm


One of the uses for nmap, as stated above, is to “find out if the system is
infected with malware or virus.” How is this accomplished? Are you
referring to using the script, http-malware-host?

S Mohamed May 15, 2013 at 12:40 pm

My favorite nmap to scan for OS of a range of IPs, with output as a XML
file:
nmap -A -T3 -oX MyFile.xml 192.168.56.101-120
(A: OS detection, version detection, script scanning, traceroute T3: Speed
medium)

Ksdyathish December 7, 2012 at 6:18 pm

Very very useful and simple commands! Thank you.

A white hatter November 30, 2012 at 10:48 pm

Several places mentioned the -PN switch, but this is deprecated, use -Pn
instead.
-Pn (No ping) .
This option skips the Nmap discovery stage altogether. Normally, Nmap
uses this stage to determine active machines for heavier scanning. By
default, Nmap only performs heavy probing such as port scans, version
detection, or OS detection against hosts that are found to be up. Disabling
host discovery with -Pn causes Nmap to attempt the requested scanning
functions against every target IP address specified. So if a class B target
address space (/16) is specified on the command line, all 65,536 IP addresses
are scanned. Proper host discovery is skipped as with the list scan, but
instead of stopping and printing the target list, Nmap continues to
perform requested functions as if each target IP is active. To skip ping scan
and port scan, while still allowing NSE to run, use the two options -Pn -sn
together.

For machines on a local ethernet network, ARP scanning will still be
performed (unless --send-ip is specified) because Nmap needs MAC
addresses to further scan target hosts. In previous versions of Nmap, -Pn
was -P0. and -PN..

DUNGNA November 28, 2012 at 1:49 pm

Thank you for sharing…!

Chris November 27, 2012 at 8:07 pm

Thanks for this very useful post!!

Jalal Hajigholamali November 27, 2012 at 5:49 am

Hi,

Very nice and useful article

Thanks again

cycop November 27, 2012 at 4:58 am

Nice Info,,,

Nully man January 16, 2015 at 6:48 pm

hello please i have downloaded nmap and installed it, but i don't know where to
even run it

HoppingBunny May 14, 2015 at 3:20 am

If you are on a linux or similar system, it should be available on the
command line like this:

sudo nmap -F http://www.gmail.com <== type this on the command line

you will get the output below:

Starting Nmap 5.51 ( http://nmap.org ) at 2015-05-13 23:18 EDT
Nmap scan report for http://www.gmail.com (216.58.219.197)
Host is up (0.010s latency).
rDNS record for 216.58.219.197: lga25s40-in-f5.1e100.net
Not shown: 98 filtered ports
PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https

Roy November 27, 2012 at 4:30 am

I love nmap. Great post Sir.

Felipe November 26, 2012 at 10:32 pm

Wow ! Pretty good and easy. Thank you so much for the great topic, I’m a
huge fan of nmap/zenmap
