Top 32 Nmap Command Examples For SysNetwork Admins
Top 32 Nmap Command Examples For SysNetwork Admins
Top 32 Nmap Command Examples For SysNetwork Admins
Admins
cyberciti.biz /networking/nmap-command-examples-tutorials/
November 26,
2012
Nmap is short for Network Mapper. It is an open source security tool for network exploration, security scanning
and auditing. However, nmap command comes with lots of options that can make the utility more robust and
difficult to follow for new users.
The purpose of this post is to introduce a user to the nmap command line tool to scan a host and/or network, so
to find out the possible vulnerable points in the hosts. You will also learn how to use Nmap for offensive and
defensive purposes.
More
about
nmap
From the
man
page:
nmap in action
Nmap (Network Mapper) is an open source tool for network exploration and security auditing. It
was designed to rapidly scan large networks, although it works fine against single hosts. Nmap
uses raw IP packets in novel ways to determine what hosts are available on the network, what
services (application name and version) those hosts are offering, what operating systems (and
OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other
characteristics. While Nmap is commonly used for security audits, many systems and network
administrators find it useful for routine tasks such as network inventory, managing service
upgrade schedules, and monitoring host or service uptime.
It was originally written by Gordon Lyon and it can answer the following questions easily:
1/16
1. What computers did you find running on the local network?
2. What IP addresses did you find running on the local network?
3. What is the operating system of your target machine?
4. Find out what ports are open on the machine that you just scanned?
5. Find out if the system is infected with malware or virus.
6. Search for unauthorized servers or network service on your network.
7. Find and remove computers which dont meet the organizations minimum level of security.
+---------+
+---------+ | Network | +------
--+
| server1 |-----------+ swtich +---------|server2
|
+---------+ | (sw0) | +-----
---+
+----+----+
|
|
+---------+----------+
| wks01 Linux/OSX |
+--------------------+
Where,
wks01 is your computer either running Linux/OS X or Unix like operating system. It is used for scanning
your local network. The nmap command must be installed on this computer.
server1 can be powered by Linux / Unix / MS-Windows operating systems. This is an unpatched server.
Feel free to install a few services such as a web-server, file server and so on.
server2 can be powered by Linux / Unix / MS-Windows operating systems. This is a fully patched server
with firewall. Again, feel free to install few services such as a web-server, file server and so on.
All three systems are connected via switch.
2/16
### Scan a single ip address ###
nmap 192.168.1.1
Sample outputs:
#2:
Scan
nmap 192.168.1.1-20
nmap
192.168.1.*
nmap
192.168.1.0/24
3/16
cat >
/tmp/test.txt
Sample outputs:
server1.cyberciti.biz
192.168.1.0/24
192.168.1.1/24
10.1.2.3
localhost
nmap -iL
/tmp/test.txt
nmap -A 192.168.1.254
nmap -v -A 192.168.1.1
nmap -A -iL /tmp/scanlist.txt
4/16
The -6 option enable IPv6 scanning. The syntax is:
nmap -6 IPv6-Address-Here
nmap -6 server1.cyberciti.biz
nmap -6 2607:f0d0:1002:51::4
nmap -v A -6
2607:f0d0:1002:51::4
#9: Scan a network and find out which servers and devices are up and running
This is known as host discovery or ping scan:
nmap -sP
192.168.1.0/24
Sample outputs:
nmap -F
192.168.1.1
nmap --
iflist
Sample outputs:
**************************ROUTES**************************
DST/MASK DEV GATEWAY
10.0.31.178/32 ppp0
209.133.67.35/32 eth0 192.168.1.2
192.168.1.0/0 eth0
192.168.121.0/0 vmnet1
192.168.179.0/0 vmnet8
169.254.0.0/0 eth0
10.0.0.0/0 ppp0
0.0.0.0/0 eth0 192.168.1.2
6/16
nmap -p [port] hostName
## Scan port 80
nmap -p 80 192.168.1.1
Sample outputs:
#16: The fastest way to scan all your devices/computers for open ports ever
nmap -T5
192.168.1.0/24
7/16
#17: How do I detect remote operating system?
You can identify a remote host apps and OS using the -O option:
nmap -O 192.168.1.1
nmap -O --osscan-guess 192.168.1.1
nmap -v -O --osscan-guess
192.168.1.1
Sample outputs:
8/16
Starting Nmap 5.00 ( http://nmap.org ) at 2012-11-27 01:29 IST
NSE: Loaded 0 scripts for scanning.
Initiating ARP Ping Scan at 01:29
Scanning 192.168.1.1 [1 port]
Completed ARP Ping Scan at 01:29, 0.01s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 01:29
Completed Parallel DNS resolution of 1 host. at 01:29, 0.22s elapsed
Initiating SYN Stealth Scan at 01:29
Scanning 192.168.1.1 [1000 ports]
Discovered open port 80/tcp on 192.168.1.1
Discovered open port 22/tcp on 192.168.1.1
Completed SYN Stealth Scan at 01:29, 0.16s elapsed (1000 total ports)
Initiating OS detection (try #1) against 192.168.1.1
Retrying OS detection (try #2) against 192.168.1.1
Retrying OS detection (try #3) against 192.168.1.1
Retrying OS detection (try #4) against 192.168.1.1
Retrying OS detection (try #5) against 192.168.1.1
Host 192.168.1.1 is up (0.00049s latency).
Interesting ports on 192.168.1.1:
Not shown: 998 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: BC:AE:C5:C3:16:93 (Unknown)
Device type: WAP|general purpose|router|printer|broadband router
Running (JUST GUESSING) : Linksys Linux 2.4.X (95%), Linux 2.4.X|2.6.X (94%),
MikroTik RouterOS 3.X (92%), Lexmark embedded (90%), Enterasys embedded (89%), D-
Link Linux 2.4.X (89%), Netgear Linux 2.4.X (89%)
Aggressive OS guesses: OpenWrt White Russian 0.9 (Linux 2.4.30) (95%), OpenWrt 0.9
- 7.09 (Linux 2.4.30 - 2.4.34) (94%), OpenWrt Kamikaze 7.09 (Linux 2.6.22) (94%),
Linux 2.4.21 - 2.4.31 (likely embedded) (92%), Linux 2.6.15 - 2.6.23 (embedded)
(92%), Linux 2.6.15 - 2.6.24 (92%), MikroTik RouterOS 3.0beta5 (92%), MikroTik
RouterOS 3.17 (92%), Linux 2.6.24 (91%), Linux 2.6.22 (90%)
No exact OS matches for host (If you know what OS is running on it, see
http://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=5.00%D=11/27%OT=22%CT=1%CU=30609%PV=Y%DS=1%G=Y%M=BCAEC5%TM=50B3CA
OS:4B%P=x86_64-unknown-linux-gnu)SEQ(SP=C8%GCD=1%ISR=CB%TI=Z%CI=Z%II=I%TS=7
OS:)OPS(O1=M2300ST11NW2%O2=M2300ST11NW2%O3=M2300NNT11NW2%O4=M2300ST11NW2%O5
OS:=M2300ST11NW2%O6=M2300ST11)WIN(W1=45E8%W2=45E8%W3=45E8%W4=45E8%W5=45E8%W
OS:6=45E8)ECN(R=Y%DF=Y%T=40%W=4600%O=M2300NNSNW2%CC=N%Q=)T1(R=Y%DF=Y%T=40%S
OS:=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%R
OS:D=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=
OS:0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=N)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID
OS:=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)
Uptime guess: 12.990 days (since Wed Nov 14 01:44:40 2012)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=200 (Good luck!)
IP ID Sequence Generation: All zeros
Read data files from: /usr/share/nmap
OS detection performed. Please report any incorrect results at
http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.38 seconds
Raw packets sent: 1126 (53.832KB) | Rcvd: 1066 (46.100KB)
See also: Fingerprinting a web-server and a dns server command line tools for more information.
Sample outputs:
#19: Scan a host using TCP ACK (PA) and TCP Syn (PS) ping
If firewall is blocking standard ICMP pings, try the following host discovery methods:
nmap -PO
192.168.1.1
#22: Find out the most commonly used TCP ports using TCP SYN Scan
10/16
### Stealthy scan ###
nmap -sS 192.168.1.1
### Find out the most commonly used TCP ports using TCP connect scan (warning:
no stealth scan)
### OS Fingerprinting ###
nmap -sT 192.168.1.1
### Find out the most commonly used TCP ports using TCP ACK scan
nmap -sA 192.168.1.1
### Find out the most commonly used TCP ports using TCP Window scan
nmap -sW 192.168.1.1
### Find out the most commonly used TCP ports using TCP Maimon scan
nmap -sM 192.168.1.1
Sample outputs:
nmap -sO
192.168.1.1
11/16
#25: Scan a firewall for security weakness
The following scan types exploit a subtle loophole in the TCP and good for testing security of common attacks:
See how to block Xmas packkets, syn-floods and other conman attacks with iptables.
nmap -f 192.168.1.1
nmap -f fw2.nixcraft.net.in
nmap -f 15 fw2.nixcraft.net.in
12/16
### Spoof your MAC address ##
nmap --spoof-mac MAC-ADDRESS-HERE 192.168.1.1
#30 Scans for web servers and pipes into Nikto for scanning
nmap -p80 192.168.1.2/24 -oG - | /path/to/nikto.pl -h -
nmap -p80,443 192.168.1.2/24 -oG - | /path/to/nikto.pl -h
-
TRACEROUTE
HOP RTT ADDRESS
1 0.44 ms dellm6700 (192.168.2.15)
14/16
#32: Not a fan of command line tools?
Try zenmap the official network mapper front end:
Zenmap is the official Nmap Security Scanner GUI. It is a multi-platform (Linux, Windows, Mac
OS X, BSD, etc.) free and open source application which aims to make Nmap easy for beginners
to use while providing advanced features for experienced Nmap users. Frequently used scans
can be saved as profiles to make them easy to run repeatedly. A command creator allows
interactive creation of Nmap command lines. Scan results can be saved and viewed later. Saved
scan results can be compared with one another to see how they differ. The results of recent scans
are stored in a searchable database.
1. How to use psad tool to detect and block port scan attacks in real time .
2. Debian / Ubuntu Linux: Install and Configure Shoreline Firewall (Shorewall).
3. CentOS / Redhat Iptables Firewall Configuration Tutorial.
4. Linux: 20 Iptables Examples For New SysAdmins.
5. 20 Linux Server Hardening Security Tips.
15/16
References:
The official Nmap project guide to network discovery and security Scanning.
The official Nmap project home page.
The nmap command has many more options, please go through man page or the documentation for more
information. What are some of your favorite nmap command-line tricks? Share your favorite tips, tricks, and
advice in the comments below.
seasoned sysadmin and a trainer for the Linux operating system/Unix shell scripting. He has worked with global
clients and in various industries, including IT, education, defense and space research, and the nonprofit sector.
Follow him on Twitter, Facebook, Google+.
16/16