Overview

Simple Scanning

Fastest scan ever

nmap -T5 10.0.0.1/24

Scan a single ip address

nmap 10.0.0.1

Scan a host name

nmap server.domain.com

Scan a host name with more info

nmap -v server.domain.com

Scan multiple ip addresses

nmap 10.0.0.1 10.0.0.2 10.0.0.3 nmap 10.0.0.1/24 nmap 10.0.0.1,2,3 nmap 10.0.0.1-20 nmap 10.0.0.*

Scan hosts from file

nmap -iL /tmp/test.txt

Scan and exclude networks

nmap 10.0.0.1/24 –exclude 10.0.0.5 nmap 10.0.0.1/24 –exclude 10.0.0.5,10.0.0.254 nmap -iL /tmp/scanlist.txt –excludefile /tmp/exclude.txt

With OS detection

nmap -A 10.0.0.254 nmap -v -A 10.0.0.1 nmap -A -iL /tmp/scanlist.txt

Detect OS

nmap -O 10.0.0.1 nmap -O –osscan-guess 10.0.0.1 nmap -v -O –osscan-guess 10.0.0.1

Detect remote services

nmap -sV 10.0.0.1

Scan hosts and find out if protected by firewall

nmap -sA 10.0.0.254 nmap -sA server.domain.com

Scan hosts when protected behind firewall

nmap -PN 10.0.0.1 nmap -PN server.domain.com

Scan IPv6 hosts

nmap -6 IPv6-Address-Here nmap -6 server.domain.com nmap -6 2607:f0d0:1002:51::4 nmap -v A -6 2607:f0d0:1002:51::4

Host discovery with ping scan

nmap -sP 10.0.0.1/24

Fast scan

nmap -F 10.0.0.1

Show reason the state of the port is in

nmap –reason 10.0.0.1 nmap –reason server.domain.com

Show only open ports

nmap –open 10.0.0.1 nmap –open server.domain.com

Show packet traces

nmap –packet-trace 10.0.0.1 nmap –packet-trace server.domain.com

Show the routes of all networks and interfaces

nmap –iflist

Scan specific ports

nmap -p 80 10.0.0.1 nmap -p T:80 10.0.0.1 nmap -p U:53 10.0.0.1 nmap -p 80,443 10.0.0.1 nmap -p 80-200 10.0.0.1 nmap -p U:53,111,137,T:21-25,80,139,8080 10.0.0.1 nmap -p U:53,111,137,T:21-25,80,139,8080 server.domain.com nmap -v -sU -sT -p U:53,111,137,T:21-25,80,139,8080 10.0.0.254 nmap -p “*” 10.0.0.1 nmap –top-ports 5 10.0.0.1 nmap –top-ports 10 10.0.0.1

If firewall is blocking ICMP pings

nmap -PS 10.0.0.1 nmap -PS 80,21,443 10.0.0.1 nmap -PA 10.0.0.1 nmap -PA 80,21,200-512 10.0.0.1

Scan with protocol ping

nmap -PO 10.0.0.1

Scan for IP protocol

nmap -sO 10.0.0.1

Scan for firewall weakness

null scan

nmap -sN 10.0.0.254

fin

nmap -sF 10.0.0.254

xmas

nmap -sX 10.0.0.254

scan with frag packets

nmap -f 10.0.0.1 nmap -f firewall.domain.com nmap -f 15 firewall.domain.com nmap –mtu 32 10.0.0.1

scan with other hosts to throw off IDS

nmap -n -Dfake-ip1,fake-ip2,your-own-ip,fake-ip3,fake-ip4 target.server.com nmap -n -D10.0.0.5,10.5.1.2,172.1.2.4,3.4.2.1 10.0.0.5

scan with mac spoofing

nmap –spoof-mac MAC-ADDRESS-HERE 10.0.0.1 nmap -v -sT -PN –spoof-mac MAC-ADDRESS-HERE 10.0.0.1 nmap -v -sT -PN –spoof-mac 0 10.0.0.1

save output to file

nmap 10.0.0.1 > output.txt nmap -oN /path/to/filename 10.0.0.1 nmap -oN output.txt 10.0.0.1

comments powered by Disqus