A quick reference guide for Nmap (Network Mapper) β the powerful open-source tool for network discovery and security auditing. π
Nmap is a powerful, open-source command-line tool used for network exploration and security auditing, enabling users to scan networks, discover hosts, identify open ports, and detect operating systems and services.
Hereβs a breakdown of common Nmap command usage:
-
Basic Usage:
nmap <target>: Scans a single host or network, resolving hostnames to IP addresses.nmap -sS <target>: Performs a TCP SYN scan (stealth scan).nmap -p <port_range> <target>: Scans specific ports.nmap -O <target>: Performs operating system detection.nmap -v <target>: Enables verbose output.
-
Host Discovery:
nmap -sn <target>: Performs a ping scan (host discovery).nmap -sL <target>: Lists hosts in a network range.
-
Port Scanning:
nmap -p <port_number> <target>: Scans a specific port.nmap -p <port_range> <target>: Scans a range of ports.nmap -sV <target>: Attempts to determine service and version information.
-
OS Detection:
nmap -O <target>: Attempts to identify the operating system of the target.
-
Vulnerability Scanning:
nmap --script <script_name> <target>: Executes a specific Nmap script for vulnerability scanning.
-
Example Scenarios:
- Scan a single host for open ports:
nmap 192.168.1.100 - Scan a network range for live hosts:
nmap -sn 192.168.1.0/24 - Scan a host for open ports and service versions:
nmap -p 22,80,443 -sV 192.168.1.100 - Scan a host for known vulnerabilities:
nmap --script vuln <target> - Scan a host and detect the OS:
nmap -O 192.168.1.100
- Scan a single host for open ports:
-
Nmap Scripting Engine (NSE):
- Nmap has a powerful scripting engine (NSE) that allows users to write and execute custom scripts for various network tasks.
- You can find and use scripts from the Nmap repository or write your own using the Lua programming language.
- Nmap has a powerful scripting engine (NSE) that allows users to write and execute custom scripts for various network tasks.
π Basic Scans
| Command | Description |
|---|---|
nmap <target> |
Basic scan to detect open ports and services. |
nmap -sP <target> |
Ping scan to check if hosts are online. |
nmap -sS <target> |
Stealth SYN scan (most popular, less detectable). |
nmap -sT <target> |
Full TCP Connect scan (more reliable, noisier). |
nmap -A <target> |
Aggressive scan (OS detection, version detection, script scanning, traceroute). |
nmap -v <target> |
Enable verbose mode for detailed output. |
π‘ Scanning Specific Ports
| Command | Description |
|---|---|
nmap -p 80 <target> |
Scan only port 80. |
nmap -p 1-65535 <target> |
Scan all ports (1-65535). |
nmap -p- <target> |
Scan all possible ports automatically. |
nmap --top-ports 10 <target> |
Scan the top 10 commonly used ports. |
π Service & Version Detection
| Command | Description |
|---|---|
nmap -sV <target> |
Detect running services and versions. |
nmap -sV --version-all <target> |
Try all available version detection methods. |
π΅οΈ OS & Firewall Detection
| Command | Description |
|---|---|
nmap -O <target> |
Detect operating system. |
nmap -Pn <target> |
Disable ping (useful if ICMP is blocked). |
nmap --script firewall-bypass <target> |
Check for firewall bypass techniques. |
π― Evading Firewalls & IDS
| Command | Description |
|---|---|
nmap -f <target> |
Use fragmentation to bypass firewalls. |
nmap --data-length 50 <target> |
Append random data to confuse IDS. |
nmap --randomize-hosts -T2 <target> |
Randomize scan order and slow down for stealth. |
nmap --badsum <target> |
Send packets with bad checksums (IDS evasion). |
π Advanced Scanning Techniques
| Command | Description |
|---|---|
nmap -sU <target> |
UDP scan. |
nmap -sN <target> |
NULL scan (no flags set). |
nmap -sX <target> |
Xmas scan (FIN, PSH, URG flags set). |
nmap -sF <target> |
FIN scan (sends only FIN flag). |
π Saving Scan Results
| Command | Description |
|---|---|
nmap -oN output.txt <target> |
Save results in normal text format. |
nmap -oX output.xml <target> |
Save results in XML format. |
nmap -oG output.gnmap <target> |
Save results in grepable format. |
nmap -oA fullscan <target> |
Save results in all formats. |
π₯οΈ Scanning Multiple Targets
| Command | Description |
|---|---|
nmap 192.168.1.1 192.168.1.2 |
Scan multiple IPs. |
nmap 192.168.1.1-10 |
Scan a range of IPs. |
nmap -iL targets.txt |
Scan targets from a file. |
π Nmap Scripting Engine (NSE)
| Command | Description |
|---|---|
nmap --script=vuln <target> |
Run vulnerability detection scripts. |
nmap --script=http-enum <target> |
Enumerate web server directories. |
nmap --script=smb-os-discovery <target> |
Detect OS via SMB. |
nmap --script ssl-heartbleed <target> |
Check for Heartbleed vulnerability. |