This is a neat and concise video by HackerSploit who makes a bunch of great videos. If you watch this video you’ll understand the basics of using Nmap and its’ a superb video for beginners to check out.
What Is Nmap?
Nmap is traditionally described as being a Port Scanner Tool.
Another explanation for Nmap is that it’s an extremely popular hacker tool used for footprinting and especially for reconnaissance. And, as we all know, reconnaissance is considered as being one of the most important aspects of any Penetration Test.
The tool is really best used when you need to establish information regarding your actual target or IP that you’re interested in.
The tool is available on almost every platform imaginable, and of course, if you download and install a copy of Kali Linux, Parrot, Backbox or similar then Nmap ships with those Linux Distros.
Popular & Useful Nmap Commands
In this post we’ll list out some highly useful Nmap commands that will help you out when you perform your Penetration Test or Security Audit.
- How To Launch A Basic Nmap Scan Against A Single IP, Host Or Target
- How To Scan Specific Ports Or Scan Entire Port Ranges On A Local Or Remote Server
- How To Scan Multiple IP Addresses
- How To Scan A Set Of IP Ranges
- How To Scan The Most Popular And Well-known Ports
- How To Scan Hosts And IP Addresses Reading From A Text File
- How To Save Your Nmap Scan Results To A Text File
- How To Disable DNS Name Resolution
- How To Scan For Operating Systems
- Detect Service/Daemon Versions
- Scan Using TCP or UDP Protocols
- How To Execute CVE Detection Using Nmap
- How To Launch a DoS With Nmap
- How To Launch a Brute Force Attack Using Nmap
- How To Detect Malware Infections On Remote Hosts
- Combining Nikto Scan and Nmap
1. How To Launch A Basic Nmap Scan Against A Single IP, Host Or Target
Fire-up nmap by simply typing in this command:
Then, and this is ultra-mega easy, just type in the IP address if your target!
You can also scan a specific hostname, just replace the IP for the hostname like this:
If you’re just getting started with your PenTest or Security Audit then this type of initial scan could be appropriate, but – proceed with caution since it will be fairly noisy and any Firewall with decent setup will flag this behavior pretty much instantly and kick you off.
2. How To Scan Specific Ports Or An Entire Port Ranges On A Server
nmap -p 1-65535 servername
The command we used above uses the flag
-P which signals that Nmap will associate itself with Ports (hence the “P” – simple stuff really!).
The reason there are 65535 is because that is how many ports there are in real-life.
Using this above command Nmap will patiently scan all possible ports but it might be unnecessary, perhaps you just want to scan specific ports. To do that do the following:
nmap -p 80,443 126.96.36.199
This would check the two access ports for public viewing of webpages. Plain vanilla HTML would be served via Port 80, whilst SSL is of course 443.
For other basic Protocols like that, I have a resource here that might be of use.
3. How To Scan Multiple IP Addresses Using Nmap
Good question! If your client has a bunch of domains to scan then you’d just need to append a comma to the end of the syntax as follows:
Of course, replace the “X” with a digit – I just used that because I want to highlight the appended “2,3,4” to show the extra IP addresses.
nmap -p X.X.X.X,2,3,4
This will scan
4. How To Scan IP ranges
What about being able to scan the entire IP range? Great question! You’d do that by executing this syntax and append the slash for the 0-28 CIDR IP Range. For example:
nmap -p X.X.X.X/28
Of course, replace the X with real digits.
5. How To Scan The Most Popular Ports
Just hit the following command for the “most popular” and commonly open ports on a network
nmap --top-ports 30 192.168.1.106
Replace “30” with the number of ports that you want to scan.
Commonly scanned Nmap ports, which are really protocols, include some of the following:
PORT STATE SERVICE
6. How To Scan Hosts And IP Addresses Reading From A Text File
You might have a list of IP’s or domains or DNS records to scan. Then no worries, this is what you’d do:
nmap -iL mylist.txt
Place all references in a simple text file like this:
7. How To Save Your Nmap Scan Results To A File
If you’re on a Pentest you’ll want to save your results, and perhaps use them for later viewing or perhaps even insert them into another tool like Metasploit.
Here’s how you’d do that:
nmap -oN outputdata.txt concise-courses.com
And, to convert that into
XML just switch out the
nmap -oX outputdata.xml concise-courses.com
8. How To Disable DNS Name Resolution
To speed up your Nmap scan (they can take quite long) just add the
-n flag which will disable the DNS resolution.
nmap -p 80 -n 188.8.131.52
9. How To Scan For Operating Systems
Simply use the “-A” flag and you’ll be good to go, for example:
nmap -A -T4 192.168.1.102.com
10. How To Detect Service/Daemon Versions
This can be done by using the –
sV flag as such:
nmap -sV 192.168.1.24
11. How To Scan Using TCP or UDP Protocols
Nmap, like other network scanners, can execute scans against a variety of port protocols such as UDP and TCP. What’s the difference? It’s all in the handshakes. TCP is the “bread and butter” of the HTML/IP Protocol which includes basically anything text and the vast majority of traffic within the Internet.
TCP is very strict. UDP is not. Video streaming services would use UDP because if the video (data) is slightly delayed then that’s just buffering and the user experience expects this. The user would never accept a half-baked received email.
Here’s a TCP Nmap command:
nmap -sT 192.168.1.1
And, here’s a UDP Nmap command:
nmap -sU 192.168.1.1
12. How To Execute a CVE Detection Using Nmap
Nmap has its’ own unique scripts known as “Nmap Scripting Engine” and have the extension
So, to load CVE’s into your scan you’d fire up the -Pn flag to execute scripts to test for known vulnerabilities.
nmap -Pn --script vuln 192.168.1.112
13. How To Launch a DOS Attack with Nmap
Of course, you’d only use this to test your own or your client’s network as a “stress test” to see how their services respond to DoS attacks.
Again, we’d deploy NSE for this command and run a command like this:
nmap 192.168.1.110 -max-parallelism 700 -Pn --script http-name-of-known-hack --script-args http-name-of-known-hack.runforever=true
14. How To Launch brute Force Attacks Using Nmap
nmap -sV --script http-wordpress-brute --script-args 'userdb=users.txt,passdb=passwds.txt,http-wordpress-brute.hostname=domain.com, http-wordpress-brute.threads=3,brute.firstonly=true' 192.168.1.105
And for the Venerable FTP:
nmap --script ftp-brute -p 21 192.168.1.112
Of course, as we all know from the early days, Port 21 runs an FTP service, hence the
-p flag (for the port) and 21 for the necessary port.
15. How To Detect Malware Infections on Remote Hosts
I must say, I didn’t know about this when I was researching and updating this post: Nmap can detect malware. Pretty cool stuff.
I’d recommend using the Google Malware check resource which you can combine with Nmap like this:
nmap -p123 --script http-google-malware clientinfectedsitexyz.com
16 Combining Nmap and Nikto
We’ve covered Nikto here, but here’s a command that you can use alongside Nmap:
nmap -p80 10.0.1.0/24 -oG - | nikto.pl -h -
Nmap rightfully has had a coveted spot in my Hacker Tools List of every year and remains firmly there is 2020.
It’s also worth mentioning that there is a GUI version called ZenMap.
As ever, if you want concrete results you should always combine the result of several Port Scanning and Penetration Testing tools to get a solid and (virtually) indisputable result especially when presenting it to your client.