Nmap Command Examples (with examples)

Nmap is a powerful network exploration tool and security/port scanner that is commonly used for network and system auditing. In this article, we will explore different use cases of the nmap command along with their code examples, motivations, explanations, and example outputs.

1: Check if an IP Address is Up and Guess the Remote Host’s Operating System

Code:

nmap -O ip_or_hostname

Motivation: This use case is helpful to quickly check the status of an IP address or hostname and determine the operating system running on the remote host. It can be useful during network troubleshooting or reconnaissance activities.

Explanation: The -O option enables operating system detection while scanning the specified IP address or hostname. Nmap sends a series of crafted TCP, UDP and ICMP probes and compares the responses against its fingerprint database to make an educated guess about the remote host’s operating system. OS detection sends raw packets, so it needs root privileges (run it with sudo), and the guess is most reliable when Nmap finds at least one open and one closed TCP port on the target.

Example Output:

Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-30 12:00 PM
Nmap scan report for example.com (192.168.0.1)
Host is up (0.05s latency).
Not shown: 997 closed ports
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
443/tcp   open  https
8080/tcp  open  http-proxy
44584/tcp open  unknown
Device type: general purpose|specialized
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9

2: Try to Determine Whether the Specified Hosts are Up (Ping Scan) and Obtain Their Names and MAC Addresses

Code:

sudo nmap -sn ip_or_hostname optional_another_address

Motivation: This use case is useful when you want to quickly scan and determine the availability of multiple hosts in a network. It helps to identify live hosts and obtain their respective hostname and MAC addresses, which can aid in network mapping.

Explanation: The -sn option enables “ping scan” mode: Nmap performs host discovery only and skips the port scan. Run as root (sudo), Nmap can send raw probes: ARP requests for targets on the local Ethernet segment (which is how it learns the MAC addresses), and ICMP echo and timestamp requests plus TCP SYN/ACK probes to ports 443 and 80 for remote targets. Without root it falls back to plain TCP connect() attempts to ports 80 and 443 and cannot report MAC addresses. The specified IP addresses or hostnames are the targets for the scan.

Example Output:

Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-30 12:00 PM
Nmap scan report for example.com (192.168.0.1)
Host is up (0.05s latency).
MAC Address: 11:22:33:44:55:AA (Manufacturer)
Hostname: example-host

Nmap scan report for 192.168.0.2
Host is up (0.02s latency).
MAC Address: 66:77:88:99:AA:BB (Manufacturer)
Hostname: another-host

Nmap scan report for 192.168.0.3
Host is up.
MAC Address: (Unknown)
Hostname: unknown-host
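The ping-scan output above is exactly the kind of data a defender turns into an asset inventory. The following script is an added example, not part of the original article or of Nmap: it parses the normal output of `sudo nmap -sn` into “ip mac” pairs and flags every live host whose MAC address is not on an expected-device list. The scan output and the allowlist (KNOWN_DEVICES) are constructed inline so the script runs offline; in practice the output would come from a real scan and the allowlist from your inventory.

```shell
#!/bin/sh
# Added example (not from the original article): turn `nmap -sn` normal output
# into an IP/MAC inventory and flag MACs that are missing from an allowlist.

# Constructed sample of `sudo nmap -sn` normal output (mirrors the article's format).
SAMPLE_SN_OUTPUT='Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-30 12:00 PM
Nmap scan report for example.com (192.168.0.1)
Host is up (0.05s latency).
MAC Address: 11:22:33:44:55:AA (Manufacturer)
Nmap scan report for 192.168.0.2
Host is up (0.02s latency).
MAC Address: 66:77:88:99:AA:BB (Manufacturer)
Nmap scan report for 192.168.0.3
Host is up.
Nmap scan report for 192.168.0.4
Host is up (0.01s latency).
MAC Address: DE:AD:BE:EF:00:01 (Unknown)
Nmap done: 256 IP addresses (4 hosts up) scanned in 2.13 seconds'

# Hypothetical allowlist from the asset inventory: one "MAC ip" pair per line.
KNOWN_DEVICES='11:22:33:44:55:AA 192.168.0.1
66:77:88:99:AA:BB 192.168.0.2'

# inventory: read nmap -sn normal output on stdin, print "ip mac" per live host.
# Hosts with no "MAC Address:" line (off-segment, or scanned without root) get "unknown".
inventory() {
    awk '
        /^Nmap scan report for / {
            if (ip != "") print ip, mac        # flush the previous host
            ip = $NF; gsub(/[()]/, "", ip)     # last field is "(ip)" or a bare ip
            mac = "unknown"
        }
        /^MAC Address: / { mac = $3 }         # "MAC Address: <mac> (<vendor>)"
        END { if (ip != "") print ip, mac }
    '
}

# unknown_macs: live hosts whose MAC is absent from KNOWN_DEVICES (or has no MAC at all).
unknown_macs() {
    inventory | while read -r ip mac; do
        case "$mac" in
            unknown) echo "$ip no-mac" ;;
            *) printf '%s\n' "$KNOWN_DEVICES" | grep -qi "^$mac " || echo "$ip $mac" ;;
        esac
    done
}

demo_inventory() { printf '%s\n' "$SAMPLE_SN_OUTPUT" | inventory; }
demo_unknown()   { printf '%s\n' "$SAMPLE_SN_OUTPUT" | unknown_macs; }

echo "== inventory =="; demo_inventory
echo "== not in allowlist =="; demo_unknown
```

Replace the constructed sample with `sudo nmap -sn 192.168.0.0/24 | unknown_macs` to run it against a real segment; a host reported as "no-mac" is not necessarily rogue, it may simply sit behind a router, so treat it as a prompt to look rather than as a verdict.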

3: Enable Scripts, Service Detection, OS Fingerprinting, and Traceroute

Code:

nmap -A address_or_addresses

Motivation: This use case is valuable for comprehensive network exploration, where you want to gather extensive information about the target hosts. It combines various scanning techniques and scripts to uncover services, operating systems, and perform network tracing.

Explanation: The -A option enables a bundle of “aggressive” scan options: default script scanning (-sC), service and version detection (-sV), OS fingerprinting (-O), and traceroute (--traceroute). Because OS detection and traceroute send raw packets, run it with sudo to get all four. The address_or_addresses can be a single IP address or a range of addresses.

Example Output:

Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-30 12:00 PM
Nmap scan report for example.com (192.168.0.1)
Host is up (0.05s latency).
Not shown: 998 closed ports
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   RSA 2048 SHA256:1234567890...
|_  ECDSA 256 SHA256:0987654321...

Nmap scan report for another-host (192.168.0.2)
Host is up (0.02s latency).
Not shown: 999 closed ports
PORT     STATE SERVICE     VERSION
80/tcp   open  http        Apache httpd 2.4.43 ((Unix))
| http-methods: GET HEAD OPTIONS TRACE
|_http-server-header: Apache/2.4.43 (Unix)
|_http-title: My Website

Nmap done: 2 IP addresses (2 hosts up) scanned in 3.54 seconds

4: Scan Specific List of Ports

Code:

nmap -p port1,port2,...,portN address_or_addresses

Motivation: Sometimes you only want to scan specific ports instead of Nmap’s default selection (the 1000 most common ports) or the full range of 1 to 65535. This use case lets you focus on the ports that are relevant to your needs, reducing scan time and network impact.

Explanation: The -p option specifies the ports to scan. Separate individual ports with commas; ranges such as 1-1024 are also accepted, and -p- means all 65535 ports. The address_or_addresses can be a single IP address or a range of addresses.

Example Output:

Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-30 12:00 PM
Nmap scan report for example.com (192.168.0.1)
Host is up (0.05s latency).
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
443/tcp  closed https
8080/tcp open  http-proxy

Nmap scan report for another-host (192.168.0.2)
Host is up (0.02s latency).
PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https

5: Perform Service and Version Detection of the Top 1000 Ports Using Default NSE Scripts

Code:

nmap -sC -sV -oN top-1000-ports.txt address_or_addresses

Motivation: This use case is useful when you want to gather detailed information about the services and their versions running on the target hosts. By using the default NSE (Nmap Scripting Engine) scripts, you can automate the process and collect valuable data.

Explanation: The -sC option enables the default NSE script scan, -sV enables version detection, and -oN writes the normal (human-readable) output to the named file in addition to printing it. The top 1000 ports are scanned by default. If the results are going to be parsed by another tool, -oX (XML output) is the more robust format. The address_or_addresses can be a single IP address or a range of addresses.

Example Output (top-1000-ports.txt):

# Nmap 7.91 scan initiated Thu Sep 30 12:00:00 2021 as: nmap -sC -sV -oN top-1000-ports.txt example.com
Nmap scan report for example.com (192.168.0.1)
Host is up (0.05s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
80/tcp   open  http    Apache httpd 2.4.43 ((Unix))
443/tcp  closed https
8080/tcp open  http    Apache httpd 2.4.43 ((Unix))

# Nmap done at Thu Sep 30 12:00:02 2021 -- 1 IP address (1 host up) scanned in 2.23 seconds
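A saved -oN file like the one above is useful beyond reading it once: it can be diffed against what a host is supposed to expose. The script below is an added example, not part of the original article or of Nmap. It parses normal-output text into one “ip port/proto service version” line per open port and then reports every open port that is absent from an expected-exposure baseline (here, port 8080 on example.com). The sample file content is constructed from the article’s output and the baseline (BASELINE) is hypothetical, so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the original article): list open ports from an
# `nmap -sC -sV -oN` normal-output file and flag ports outside a baseline.

# Constructed sample of the top-1000-ports.txt file shown in the article.
SAMPLE_ON_OUTPUT='# Nmap 7.91 scan initiated Thu Sep 30 12:00:00 2021 as: nmap -sC -sV -oN top-1000-ports.txt example.com
Nmap scan report for example.com (192.168.0.1)
Host is up (0.05s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
80/tcp   open  http    Apache httpd 2.4.43 ((Unix))
443/tcp  closed https
8080/tcp open  http    Apache httpd 2.4.43 ((Unix))
|_http-title: My Website

# Nmap done at Thu Sep 30 12:00:02 2021 -- 1 IP address (1 host up) scanned in 2.23 seconds'

# Hypothetical baseline: "ip port/proto" pairs that are allowed to be exposed.
BASELINE='192.168.0.1 22/tcp
192.168.0.1 80/tcp
192.168.0.1 443/tcp'

# open_ports: read normal output on stdin, print "ip port/proto service [version]"
# for every port whose state is exactly "open" (closed/filtered rows are skipped).
open_ports() {
    awk '
        /^Nmap scan report for / { ip = $NF; gsub(/[()]/, "", ip) }
        /^[0-9]+\/(tcp|udp) +open / {
            version = ""                                   # fields 4..NF hold the -sV banner
            for (i = 4; i <= NF; i++) version = version (i > 4 ? " " : "") $i
            printf "%s %s %s%s\n", ip, $1, $3, (version == "" ? "" : " " version)
        }
    '
}

# unexpected_ports: open ports whose "ip port/proto" pair is not in BASELINE.
unexpected_ports() {
    open_ports | while read -r ip port service version; do
        printf '%s\n' "$BASELINE" | grep -Fqx "$ip $port" || echo "$ip $port $service"
    done
}

demo_open()       { printf '%s\n' "$SAMPLE_ON_OUTPUT" | open_ports; }
demo_unexpected() { printf '%s\n' "$SAMPLE_ON_OUTPUT" | unexpected_ports; }

echo "== open ports =="; demo_open
echo "== not in baseline =="; demo_unexpected
```

With a real file the call is `unexpected_ports < top-1000-ports.txt`. Note that the state match is deliberately strict: a port reported as "open|filtered" is ambiguous and is left out rather than being counted as exposed.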

6: Scan Target(s) Carefully Using ‘Default and Safe’ NSE Scripts

Code:

nmap --script "default and safe" address_or_addresses

Motivation: When performing scans with Nmap, you may want to ensure that the scripts used are carefully chosen and safe. This use case allows you to execute default and safe NSE scripts that are known to be less intrusive and less likely to cause adverse effects.

Explanation: The --script option enables script scanning, and its argument is a boolean expression over NSE script categories: "default and safe" runs only the scripts that belong to both the default and the safe category, so anything tagged intrusive is excluded even if it would normally run with -sC. The address_or_addresses can be a single IP address or a range of addresses.

Example Output:

Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-30 12:00 PM
Nmap scan report for example.com (192.168.0.1)
Host is up (0.05s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
443/tcp  closed https
8080/tcp open  http-proxy

Nmap scan report for another-host (192.168.0.2)
Host is up (0.02s latency).
Not shown: 999 closed ports
PORT     STATE SERVICE
80/tcp   open  http
443/tcp  open  https

7: Scan Web Server Running on Standard Ports 80 and 443 Using All Available ‘http-*’ NSE Scripts

Code:

nmap --script "http-*" address_or_addresses -p 80,443

Motivation: When conducting a specialized scan for web servers running on standard ports 80 and 443, you can utilize Nmap’s ‘http-*’ NSE scripts. This use case enables you to perform targeted web server scanning and collect specific information related to HTTP services.

Explanation: The --script option with the argument "http-*" is a wildcard on script names and runs every NSE script whose name starts with http-. Note that this matches scripts in every category, including intrusive ones, so it is considerably noisier than the default set. The -p option restricts the scan to ports 80 and 443, and the order of the options on the command line does not matter. The address_or_addresses can be a single IP address or a range of addresses.

Example Output:

Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-30 12:00 PM
Nmap scan report for example.com (192.168.0.1)
Host is up (0.05s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE
80/tcp open  http
| http-methods: GET HEAD OPTIONS TRACE
|_http-server-header: Apache/2.4.43 (Unix)
|_http-title: My Website

Nmap scan report for another-host (192.168.0.2)
Host is up (0.02s latency).
Not shown: 998 closed ports
PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https
| http-methods: GET HEAD OPTIONS TRACE
|_http-server-header: Apache/2.4.43 (Unix)
|_http-title: Secure Website

8: Perform a Stealthy Very Slow Scan ('-T0') Trying to Avoid Detection by IDS/IPS and Use Decoy ('-D') Source IP Addresses

Code:

nmap -T0 -D decoy1_ipaddress,decoy2_ipaddress,...,decoyN_ipaddress address_or_addresses

Motivation: In certain scenarios, you may want to perform a stealthy scan to avoid detection by Intrusion Detection Systems (IDS) or Intrusion Prevention Systems (IPS). By using decoy source IP addresses, you can make it harder for network security systems to detect and block the scanning activities.

Explanation: The -T0 option selects the slowest timing template (“paranoid”), which sends probes one at a time with a long pause between them, so even a small scan can take hours. The -D option lists decoy source IP addresses; the scan then appears to originate from the decoys as well as from the real scanner, which makes it harder for network security systems to attribute the activity. The address_or_addresses can be a single IP address or a range of addresses.

Example Output:

Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-30 12:00 PM
Nmap scan report for example.com (192.168.0.1)
Host is up (0.05s latency).
Not shown: 998 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
443/tcp  closed https
8080/tcp open  http-proxy

Nmap scan report for another-host (192.168.0.2)
Host is up (0.02s latency).
Not shown: 999 closed ports
PORT     STATE SERVICE
80/tcp   open  http
443/tcp  open  https

By exploring these different use cases of the nmap command, you can effectively leverage its features to perform various types of network scanning and exploration. From checking the availability of hosts to gathering detailed information about services and operating systems, Nmap proves to be an invaluable tool for network administrators, security analysts, and penetration testers.
