Nmap Command Examples
Nmap is a powerful network exploration tool and security/port scanner that is commonly used for network and system auditing. In this article, we will explore different use cases of the nmap command along with their code examples, motivations, explanations, and example outputs.
1: Check if an IP Address is Up and Guess the Remote Host’s Operating System
Code:
nmap -O ip_or_hostname
Motivation: This use case is helpful to quickly check the status of an IP address or hostname and determine the operating system running on the remote host. It can be useful during network troubleshooting or reconnaissance activities.
Explanation:
The -O option enables operating system detection while scanning the specified IP address or hostname. Nmap sends various probes and analyzes the responses to make an educated guess about the remote host's operating system. OS detection relies on raw packet probes, so on most systems it needs root privileges (run it with sudo), and the result is a fingerprint match rather than a certainty.
Example Output:
Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-30 12:00 PM
Nmap scan report for example.com (192.168.0.1)
Host is up (0.05s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp open https
8080/tcp open http-proxy
44584/tcp open unknown
Device type: general purpose|specialized
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
2: Try to Determine Whether the Specified Hosts are Up (Ping Scan) and Obtain Their Names and MAC Addresses
Code:
sudo nmap -sn ip_or_hostname optional_another_address
Motivation: This use case is useful when you want to quickly scan and determine the availability of multiple hosts in a network. It helps to identify live hosts and obtain their respective hostname and MAC addresses, which can aid in network mapping.
Explanation:
The -sn option enables "ping scan" mode, in which Nmap performs host discovery only and skips the port scan, sending ICMP echo requests (pings) to determine if the hosts are up. By running the command with sudo, Nmap can use more advanced techniques to detect live hosts, such as ARP requests on the local network; the MAC addresses in the report also come from ARP, so they are only shown for hosts on the same network segment. The specified IP addresses or hostnames are the targets for the scan.
Example Output:
Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-30 12:00 PM
Nmap scan report for example.com (192.168.0.1)
Host is up (0.05s latency).
MAC Address: 11:22:33:44:55:AA (Manufacturer)
Hostname: example-host
Nmap scan report for 192.168.0.2
Host is up (0.02s latency).
MAC Address: 66:77:88:99:AA:BB (Manufacturer)
Hostname: another-host
Nmap scan report for 192.168.0.3
Host is up.
MAC Address: (Unknown)
Hostname: unknown-host
3: Enable Scripts, Service Detection, OS Fingerprinting, and Traceroute
Code:
nmap -A address_or_addresses
Motivation: This use case is valuable for comprehensive network exploration, where you want to gather extensive information about the target hosts. It combines various scanning techniques and scripts to uncover services, operating systems, and perform network tracing.
Explanation:
The -A option enables aggressive scanning, which combines default script scanning (-sC), service and version detection (-sV), OS fingerprinting (-O), and traceroute (--traceroute). The OS fingerprinting and traceroute parts need raw packet privileges, so run the command with sudo. The address_or_addresses can be a single IP address or a range of addresses.
Example Output:
Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-30 12:00 PM
Nmap scan report for example.com (192.168.0.1)
Host is up (0.05s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
|   2048 SHA256:1234567890... (RSA)
|_  256 SHA256:0987654321... (ECDSA)
Nmap scan report for another-host (192.168.0.2)
Host is up (0.02s latency).
Not shown: 999 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.43 ((Unix))
| http-methods: GET HEAD OPTIONS TRACE
|_http-server-header: Apache/2.4.43 (Unix)
|_http-title: My Website
Nmap done: 2 IP addresses (2 hosts up) scanned in 3.54 seconds
4: Scan Specific List of Ports
Code:
nmap -p port1,port2,...,portN address_or_addresses
Motivation: Sometimes, you may only want to scan specific ports instead of the entire range of 1 to 65535 ports. This use case allows you to focus and scan only the ports that are relevant to your needs, reducing scan time and network impact.
Explanation:
The -p option specifies the list of ports to scan. You can specify multiple ports by separating them with commas. The address_or_addresses can be a single IP address or a range of addresses.
Example Output:
Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-30 12:00 PM
Nmap scan report for example.com (192.168.0.1)
Host is up (0.05s latency).
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp closed https
8080/tcp open http-proxy
Nmap scan report for another-host (192.168.0.2)
Host is up (0.02s latency).
PORT STATE SERVICE
80/tcp open http
443/tcp open https
5: Perform Service and Version Detection of the Top 1000 Ports Using Default NSE Scripts
Code:
nmap -sC -sV -oN top-1000-ports.txt address_or_addresses
Motivation: This use case is useful when you want to gather detailed information about the services and their versions running on the target hosts. By using the default NSE (Nmap Scripting Engine) scripts, you can automate the process and collect valuable data.
Explanation:
The -sC option enables the default NSE script scan, -sV enables version detection, and -oN specifies the output file for the scan results in Nmap's "normal" text format. The top 1000 ports are scanned by default. The address_or_addresses can be a single IP address or a range of addresses.
Example Output (top-1000-ports.txt):
# Nmap 7.91 scan initiated Thu Sep 30 12:00:00 2021 as: nmap -sC -sV -oN top-1000-ports.txt example.com
Nmap scan report for example.com (192.168.0.1)
Host is up (0.05s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
80/tcp open http Apache httpd 2.4.43 ((Unix))
443/tcp closed https
8080/tcp open http Apache httpd 2.4.43 ((Unix))
# Nmap done at Thu Sep 30 12:00:02 2021 -- 1 IP address (1 host up) scanned in 2.23 seconds
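As an added example (not from the original article), the following Python script parses the -oN normal-output format shown above and compares each host's open ports against a per-host baseline, which is how a scheduled scan is turned into a drift alert; the sample report text and the baseline are constructed for the example.

```python
import re
from typing import Dict, List, Set

# Constructed sample of nmap "normal" (-oN) output, modelled on the report
# above; it is not real scan data.
SAMPLE_ON = """\
# Nmap 7.91 scan initiated Thu Sep 30 12:00:00 2021 as: nmap -sC -sV -oN top-1000-ports.txt example.com
Nmap scan report for example.com (192.168.0.1)
Host is up (0.05s latency).
Not shown: 997 closed ports
PORT     STATE  SERVICE    VERSION
22/tcp   open   ssh        OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
80/tcp   open   http       Apache httpd 2.4.43 ((Unix))
443/tcp  closed https
8080/tcp open   http       Apache httpd 2.4.43 ((Unix))
# Nmap done at Thu Sep 30 12:00:02 2021 -- 1 IP address (1 host up) scanned in 2.23 seconds
"""

# "Nmap scan report for name (ip)" or "Nmap scan report for ip"
HOST_RE = re.compile(r"^Nmap scan report for (\S+)(?: \((\d+\.\d+\.\d+\.\d+)\))?$")
# "port/proto  state  service  [version ...]"
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")


def parse_normal_output(text: str) -> Dict[str, List[dict]]:
    """Map each host (IP if printed, else the name) to its parsed port lines."""
    hosts: Dict[str, List[dict]] = {}
    current = None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = m.group(2) or m.group(1)
            hosts[current] = []
            continue
        m = PORT_RE.match(line)
        if m and current is not None:
            port, proto, state, service, version = m.groups()
            hosts[current].append({"port": int(port), "proto": proto, "state": state,
                                   "service": service, "version": version or ""})
    return hosts


def unexpected_open_ports(hosts: Dict[str, List[dict]],
                          baseline: Dict[str, Set[int]]) -> Dict[str, List[int]]:
    """Return {host: [ports]} that are open in the scan but not in the host's allow-list."""
    findings: Dict[str, List[int]] = {}
    for host, ports in hosts.items():
        allowed = baseline.get(host, set())
        extra = sorted(p["port"] for p in ports if p["state"] == "open" and p["port"] not in allowed)
        if extra:
            findings[host] = extra
    return findings
```

With a baseline of {"192.168.0.1": {22, 80, 443}}, the sample report yields a finding for port 8080, the unexpected second Apache instance.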
6: Scan Target(s) Carefully Using ‘Default and Safe’ NSE Scripts
Code:
nmap --script "default and safe" address_or_addresses
Motivation: When performing scans with Nmap, you may want to ensure that the scripts used are carefully chosen and safe. This use case allows you to execute default and safe NSE scripts that are known to be less intrusive and less likely to cause adverse effects.
Explanation:
The --script option enables script scanning, and the argument "default and safe" is a boolean expression over NSE script categories: only scripts that belong to both the default and the safe category run, which leaves out the default scripts Nmap classifies as intrusive. The address_or_addresses can be a single IP address or a range of addresses.
Example Output:
Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-30 12:00 PM
Nmap scan report for example.com (192.168.0.1)
Host is up (0.05s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp closed https
8080/tcp open http-proxy
Nmap scan report for another-host (192.168.0.2)
Host is up (0.02s latency).
Not shown: 999 closed ports
PORT STATE SERVICE
80/tcp open http
443/tcp open https
7: Scan Web Server Running on Standard Ports 80 and 443 Using All Available ‘http-*’ NSE Scripts
Code:
nmap --script "http-*" address_or_addresses -p 80,443
Motivation: When conducting a specialized scan for web servers running on standard ports 80 and 443, you can utilize Nmap’s ‘http-*’ NSE scripts. This use case enables you to perform targeted web server scanning and collect specific information related to HTTP services.
Explanation:
The --script option with the argument "http-*" selects every NSE script whose name begins with http-, regardless of its category, so this run is considerably noisier than a "default and safe" scan. Additionally, the -p option restricts the scan to ports 80 and 443. The address_or_addresses can be a single IP address or a range of addresses.
Example Output:
Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-30 12:00 PM
Nmap scan report for example.com (192.168.0.1)
Host is up (0.05s latency).
Not shown: 998 closed ports
PORT STATE SERVICE
80/tcp open http
| http-methods: GET HEAD OPTIONS TRACE
|_http-server-header: Apache/2.4.43 (Unix)
|_http-title: My Website
Nmap scan report for another-host (192.168.0.2)
Host is up (0.02s latency).
Not shown: 998 closed ports
PORT STATE SERVICE
80/tcp open http
443/tcp open https
| http-methods: GET HEAD OPTIONS TRACE
|_http-server-header: Apache/2.4.43 (Unix)
|_http-title: Secure Website
8: Perform a Stealthy Very Slow Scan (‘-T0’) Trying to Avoid Detection by IDS/IPS and Use Decoy (‘-D’) Source IP Addresses
Code:
nmap -T0 -D decoy1_ipaddress,decoy2_ipaddress,...,decoyN_ipaddress address_or_addresses
Motivation: In certain scenarios, you may want to perform a stealthy scan to avoid detection by Intrusion Detection Systems (IDS) or Intrusion Prevention Systems (IPS). By using decoy source IP addresses, you can make it harder for network security systems to detect and block the scanning activities.
Explanation:
The -T0 option selects the slowest and most covert timing template ("paranoid"), which sends one probe at a time with long pauses between them, so a full scan can take many hours. The -D option specifies multiple decoy source IP addresses, so that the scan appears to originate from several hosts and is harder for network security systems to attribute. The address_or_addresses can be a single IP address or a range of addresses.
Example Output:
Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-30 12:00 PM
Nmap scan report for example.com (192.168.0.1)
Host is up (0.05s latency).
Not shown: 998 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp closed https
8080/tcp open http-proxy
Nmap scan report for another-host (192.168.0.2)
Host is up (0.02s latency).
Not shown: 999 closed ports
PORT STATE SERVICE
80/tcp open http
443/tcp open https
By exploring these different use cases of the nmap command, you can effectively leverage its features to perform various types of network scanning and exploration. From checking the availability of hosts to gathering detailed information about services and operating systems, Nmap proves to be an invaluable tool for network administrators, security analysts, and penetration testers.