NMAP commands with examples
Introduction
In this tutorial we will discuss NMAP commands with examples. NMAP has many options to choose from. It is used to scan all ports of a computer and to discover hosts and services on a network. Earlier the NMAP tool was available only on Linux, but now this utility can be found on Windows, HP-UX and other systems and Linux distributions. We will also discuss the do's and don'ts of NMAP commands and how some people misuse it.
Throughout this tutorial we will see many real-life NMAP examples.
Also check out the Wiki on NMAP.
How does NMAP work?
NMAP sends specially crafted packets to the destination computer, then records and examines the responses it receives from the target computer.
What is Nmap and what is it used for?
NMAP stands for Network Mapper. It is primarily used for security scanning of a computer or network. With this application one can scan all ports and discover open ports, services and hosts on the network, and also detect the operating system used by the remote computer.
What is the purpose of a port scan?
The purpose of a port scan is to identify the open ports of a computer on the network. Port scanning is used both by network administrators and by attackers. An administrator uses port scanning to identify open ports so that the network's security is not compromised.
Attackers, on the other hand, use it to find vulnerabilities through which to attack and harm the network.
Nmap commands are also used for auditing security and firewalls in a network, and for network mapping as well.
What shouldn't NMAP commands be used for?
Some people use NMAP commands for unethical hacking to gain unauthorized access to a network. NMAP shouldn't be used for such things; rather it should be used for network and system administration purposes, as unauthorized scanning of ports is illegal in many jurisdictions.
What does Nmap filtered mean?
There are four states for any port on the network: open, closed, filtered and unfiltered.
Filtered means that a firewall (or other packet filter) is blocking the probe, so Nmap cannot determine whether the port is closed or open.
To download and install nmap from binary RPM packages on your Linux system, use the following commands.
# rpm -vhU https://nmap.org/dist/nmap-7.40-1.x86_64.rpm [For 64-bit OS]
# rpm -vhU https://nmap.org/dist/nmap-7.40-1.i686.rpm [For 32-bit OS]
Or you can download the latest NMAP version available from here.
To install Nmap from the YUM repository on an RHEL-based system, do the following.
# yum install nmap
To install NMAP on a Debian-based system, use the 'apt' tool.
# apt-get install nmap
Nmap scan all ports
To scan all ports of any IP address, server host name or website, type the following.
# nmap 192.168.0.23 [IP scan]
# nmap hostname [Your server host name]
# nmap www.example.com [Website scan]
To see the host name of any server, use the below command
NMAP scan single port
Instead of scanning all the ports of an IP address, you can scan a single port or a range of ports.
To scan a single port, do the following.
# nmap -p 995 192.168.0.21

Starting Nmap 6.40 ( http://nmap.org ) at 2016-12-29 02:09 IST
Nmap scan report for 192.168.0.21
Host is up (0.00017s latency).
PORT    STATE SERVICE
995/tcp open  pop3s

Nmap done: 1 IP address (1 host up) scanned in 0.13 seconds
To scan a range of ports, use the command below. In this example we scan the ports from 1 to 200.
# nmap -p 1-200 192.168.0.21

Starting Nmap 6.40 ( http://nmap.org ) at 2016-12-29 02:14 IST
Nmap scan report for 192.168.0.21
Host is up (0.000021s latency).
Not shown: 195 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
110/tcp open  pop3
111/tcp open  rpcbind
143/tcp open  imap
NMAP show only open ports
The nmap command below with the '--open' option displays only the open ports of an IP address.
# nmap --open 192.168.1.23

Nmap scan report for 192.168.1.23
Host is up (0.00076s latency).
Not shown: 998 filtered ports
PORT   STATE SERVICE
25/tcp open  smtp
80/tcp open  http
Show filtered and unfiltered ports
As explained above, filtered ports are ports blocked by a firewall. The command below is useful to verify whether ports are filtered or unfiltered. It is called a TCP ACK scan, and it is used to map firewall rulesets in detail: a port that answers the ACK probe with a RST is unfiltered, while one that gives no answer is filtered.
# nmap -sA 192.168.1.20

Nmap scan report for 192.168.1.20
Host is up (0.00073s latency).
Not shown: 998 filtered ports
PORT   STATE      SERVICE
25/tcp unfiltered smtp
80/tcp unfiltered http
Nmap Port scan from file
Create a file called 'ipscan.txt' and insert into it the IP addresses you want to scan. Now use the file to scan those IPs as shown below.
# nmap -iL ipscan.txt
Exclude host from file
While port scanning a number of IP addresses from a file, you can exclude hosts you don't want to scan. Look at the example below.
Here we are excluding 127.0.0.1 from the list.
# cat ipscan.txt
192.168.0.21
127.0.0.1
# nmap --exclude 127.0.0.1 -iL ipscan.txt
NMAP exclude file option
Take for example a case where you have to exclude a number of IP addresses from a port scan of the list. In that case, excluding them manually would be a bother.
With the '--excludefile' option you can exclude a number of IP addresses at a time from a file. Here we have created a file called 'ipnotscan.txt' listing the IP addresses to be excluded while scanning.
# nmap --excludefile ipnotscan.txt -iL ipscan.txt
Nmap Subnet scan
To scan a whole subnet, give the network in CIDR notation as shown below.
# nmap 192.168.0.21/24
Scan TCP ports
Scan ports which use TCP. The nmap command below performs a TCP connect scan of the TCP ports.
# nmap -sT 192.168.0.21

PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
110/tcp open  pop3
Scan specific TCP port
You can opt to scan just one specific TCP port rather than all TCP ports. Use the nmap command as given below to scan port 25 (smtp); the port is selected with '-p'.
# nmap -sT -p 25 192.168.1.28

Nmap scan report for 192.168.1.28
Host is up (0.00061s latency).
Not shown: 998 filtered ports
PORT   STATE SERVICE
25/tcp open  smtp
80/tcp open  http
Scan UDP ports
Scan ports which use UDP.
# nmap -sU 192.168.0.21

PORT     STATE         SERVICE
111/udp  open          rpcbind
5353/udp open|filtered zeroconf
Scan specific UDP port
To scan specific UDP ports, do the following. In the example below we scan port 111 (rpcbind), again selecting it with '-p'.
# nmap -sU -p 111 192.168.1.23

Nmap scan report for 192.168.1.23
Host is up (0.00066s latency).
All 1000 scanned ports on 192.168.1.23 are open|filtered

Nmap done: 1 IP address (1 host up) scanned in 4.19 seconds
SCTP INIT scan
SCTP is a transport protocol that combines characteristics of TCP and UDP with newly added features such as multi-streaming and multi-homing. The main advantage of the SCTP INIT scan is that even on a firewall-restricted network it can scan thousands of ports in a few seconds. The option '-sY' is used with NMAP for an SCTP INIT scan. See the example below.
Multi-streaming: a technique for sending multiple independent streams of data over one association at the same time, where each stream has its own job.
Multi-homing: a single system configured with multiple interfaces and IP addresses.
# nmap -sY 192.168.1.23

Nmap scan report for 192.168.1.23
Host is up (0.000020s latency).
All 778 scanned ports on 192.168.1.23 are filtered

Nmap done: 1 IP address (1 host up) scanned in 1 second
NMAP commands for TCP Window scan
The TCP Window scan is similar to the ACK scan; however, it can sometimes identify open TCP ports. It determines the status of a port from the RST response the system sends back. If the RST carries a positive TCP window size, the packet came from an open port; otherwise it came from a closed port.
# nmap -v -sW 192.168.1.23

Initiating Ping Scan at 13:23
Scanning 192.168.1.23 [4 ports]
Completed Ping Scan at 13:23, 0.01s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 13:23
Completed Parallel DNS resolution of 1 host. at 13:23, 0.09s elapsed
Initiating Window Scan at 13:23
Scanning 192.168.1.23 [1000 ports]
Completed Window Scan at 13:23, 14.04s elapsed (1000 total ports)
Nmap scan report for 192.168.1.23
Host is up (0.013s latency).
Not shown: 997 filtered ports
PORT    STATE  SERVICE
25/tcp  closed smtp
80/tcp  closed http
443/tcp closed https

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 14.25 seconds
           Raw packets sent: 3008 (120.312KB) | Rcvd: 15 (604B)
NMAP scan flags
With NMAP scan flags you can build your own custom TCP scan by choosing any combination of TCP flags for the probes. The option is '--scanflags', and it accepts either a numerical or a symbolic argument. The scanflag arguments that can be used with NMAP commands are listed below.
CWR: Congestion Window Reduced
CE: Congestion Experienced
ECT: ECN-Capable Transport
NS: (Nonce Sum)
You can combine the above arguments in any way you like, together with a base scan type such as -sA or -sF. For example:
# nmap -sA --scanflags URGACK 192.168.0.6
# nmap -sF --scanflags ECTECEFIN 192.168.0.6
Nmap examples of Service detection with version
The following nmap command is used for service and version detection.
# nmap -sV 192.168.0.21

Starting Nmap 6.40 ( http://nmap.org ) at 2016-12-29 03:05 IST
Nmap scan report for 192.168.0.21
Host is up (0.000024s latency).
Not shown: 992 closed ports
PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 6.6.1 (protocol 2.0)
80/tcp  open  http    Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)
110/tcp open  pop3    Dovecot pop3d
Operating System detection
Look at the following Nmap example to detect which operating system your remote system is using ('-A' enables OS detection along with version detection, script scanning and traceroute).
# nmap -A 192.168.0.21
NMAP port scan with reason
With Nmap commands you can also find out the reason for the state of any port; use the '--reason' option as follows.
# nmap --reason -p 990 192.168.0.21

Starting Nmap 6.40 ( http://nmap.org ) at 2016-12-29 13:28 IST
Nmap scan report for 192.168.0.21
Host is up, received reset (0.0059s latency).
PORT    STATE  SERVICE REASON
990/tcp closed ftps    reset
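To make the port states defined earlier (open, closed, filtered, unfiltered, open|filtered) and the REASON column concrete, here is an added Python example that is not part of the original tutorial. It applies the rules Nmap documents for turning one probe's reply into a port state for the SYN, ACK, Window and UDP scans discussed above; the scan names, the `classify`/`report` helpers and the sample replies are this example's own, while the reason strings are the ones Nmap prints.

```python
from typing import Dict, List, Optional, Tuple

# Added example, not from the original tutorial: the rules Nmap documents for
# turning one probe's reply into a port state, for SYN (-sS), ACK (-sA),
# Window (-sW) and UDP (-sU) scans.  `reason` uses the names Nmap prints in
# the REASON column of --reason; `window` is the TCP window field of a RST
# and is only consulted by the Window scan.
ICMP_FILTERED = {"net-unreach", "host-unreach", "proto-unreach",
                 "admin-prohibited"}   # ICMP unreachables that mean "filtered"

def classify(scan: str, reason: str, window: Optional[int] = None) -> str:
    """Return the Nmap port state for one probe reply."""
    if scan == "syn":                        # -sS: probe is a SYN
        if reason == "syn-ack":
            return "open"
        if reason == "reset":
            return "closed"
        return "filtered"                    # silence or ICMP unreachable
    if scan == "ack":                        # -sA: probe is a bare ACK
        # A RST proves the packet reached the port (unfiltered), but an ACK
        # scan cannot tell open from closed; anything else means filtered.
        return "unfiltered" if reason == "reset" else "filtered"
    if scan == "window":                     # -sW: ACK probe, inspect the RST
        if reason == "reset":
            return "open" if (window or 0) > 0 else "closed"
        return "filtered"
    if scan == "udp":                        # -sU: empty UDP datagram
        if reason == "udp-response":
            return "open"
        if reason == "port-unreach":         # ICMP type 3, code 3
            return "closed"
        if reason in ICMP_FILTERED:
            return "filtered"
        return "open|filtered"               # no reply: both look identical
    raise ValueError(f"unknown scan type: {scan}")

def report(scan: str, replies: Dict[int, Tuple[str, Optional[int]]]) -> List[str]:
    """One 'PORT STATE REASON' line per port, as nmap --reason prints them."""
    proto = "udp" if scan == "udp" else "tcp"
    return [f"{port}/{proto} {classify(scan, reason, window)} {reason}"
            for port, (reason, window) in sorted(replies.items())]

if __name__ == "__main__":
    # Constructed replies mirroring the --reason example above (port 990 RST).
    for line in report("syn", {990: ("reset", None), 22: ("syn-ack", None)}):
        print(line)
```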
NMAP top ports scan
With the '--top-ports' option you can scan the most commonly used ports of any host or IP address. For example, you can scan the top 2 or top 3 ports of an IP.
Scanning of top 2 ports
# nmap --top-ports 2 192.168.1.31

Nmap scan report for 192.168.1.31
Host is up (0.00075s latency).
PORT   STATE    SERVICE
23/tcp filtered telnet
80/tcp open     http
Scanning of top 3 ports
# nmap --top-ports 3 192.168.1.31

Nmap scan report for 192.168.1.31
Host is up (0.00070s latency).
PORT    STATE    SERVICE
23/tcp  filtered telnet
80/tcp  open     http
443/tcp filtered https
Skip ports scan with (-sn)
The '-sn' option skips the port scan and only performs host discovery. In many cases discovering hosts, and knowing which machines and servers in a network are active, is more important than port discovery. For a system administrator this command is very useful when counting the machines and servers in the network. As it doesn't scan ports, it won't show you the states of any running services.
# nmap -sn 192.168.0.1

Nmap scan report for 192.168.0.1
Host is up (0.00056s latency).
Port scan with no ping (-Pn)
The '-Pn' option disables host discovery altogether: it skips the ping phase and treats every host as online, whether or not it answers a ping. Hence a host that blocks ping, or whose ports are all filtered, is still scanned and shown.
# nmap -Pn 192.168.0.1

Nmap scan report for 192.168.0.1
Host is up (0.00062s latency).
Not shown: 998 filtered ports
PORT   STATE SERVICE
25/tcp open  smtp
80/tcp open  http
Which IP protocols are supported by a host
So, how do you determine which IP protocols a host supports? You can find out with the NMAP option '-sO' (IP protocol scan). See the example below.
# nmap -sO 192.168.0.1

Nmap scan report for 192.168.0.1
Host is up (0.000030s latency).
Not shown: 249 closed protocols
PROTOCOL STATE         SERVICE
1        open          icmp
2        open|filtered igmp
6        open          tcp
17       open          udp
103      open|filtered pim
136      open|filtered udplite
255      open|filtered unknown
NMAP scan all ports using TCP SYN
# nmap -sS 192.168.1.31
When a TCP connection starts between a client and a server, there is an exchange of messages between the two.
The client sends a SYN message to the server to request a connection. The server acknowledges it by sending a SYN-ACK message back to the client.
The client then responds with an ACK, and in this way the connection between client and server is established. A SYN scan sends only the first SYN and never completes the handshake, which is why it is also called a half-open scan.
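Because a SYN scan never completes the handshake, on the defender's side it shows up as one source sending SYNs to many distinct ports in a short time. The following added Python example (not part of the original tutorial) runs that detection logic over constructed firewall log lines written in an iptables LOG-target style; the `find_scanners` function, the window and threshold values and the log lines are this example's own assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple
# Added example, not from the original tutorial.  A SYN scan sends one SYN per
# port and never finishes the handshake, so a single source touching many
# distinct destination ports in a short window is the tell-tale sign.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=TCP "
    r".*?DPT=(?P<dpt>\d+) .*?\bSYN\b"       # only lines carrying the SYN flag
)

def parse_syn_events(lines: List[str]) -> List[Tuple[datetime, str, str, int]]:
    """Keep only TCP SYN log lines as (time, src, dst, dport) tuples."""
    events = []
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dpt"])))
    return events

def find_scanners(lines: List[str], window_s: int = 10,
                  min_ports: int = 5) -> Dict[str, int]:
    """Return src -> most distinct ports hit on one host within window_s seconds,
    for sources reaching at least min_ports ports (likely port scanners)."""
    by_pair = defaultdict(list)
    for ts, src, dst, dpt in parse_syn_events(lines):
        by_pair[(src, dst)].append((ts, dpt))
    hits: Dict[str, int] = {}
    for (src, _dst), evs in by_pair.items():
        evs.sort()
        best = 0
        for i, (t0, _) in enumerate(evs):   # sliding window starting at each SYN
            ports = {p for t, p in evs[i:] if (t - t0).total_seconds() <= window_s}
            best = max(best, len(ports))
        if best >= min_ports:
            hits[src] = max(hits.get(src, 0), best)
    return hits

# Constructed log lines in an iptables LOG-target style; not a real capture.
SAMPLE_LOG = [
    f"2016-12-29T13:23:{s:02d} kernel: IN=eth0 SRC=192.168.1.50 DST=192.168.1.23 "
    f"PROTO=TCP SPT=4{s:04d} DPT={p} WINDOW=1024 SYN URGP=0"
    for s, p in enumerate([21, 22, 23, 25, 80, 443])
] + [  # a normal client: one SYN to port 80, then the ACK completing the handshake
    "2016-12-29T13:23:03 kernel: IN=eth0 SRC=192.168.1.60 DST=192.168.1.23 "
    "PROTO=TCP SPT=51000 DPT=80 WINDOW=29200 SYN URGP=0",
    "2016-12-29T13:23:04 kernel: IN=eth0 SRC=192.168.1.60 DST=192.168.1.23 "
    "PROTO=TCP SPT=51000 DPT=80 WINDOW=29200 ACK URGP=0",
]
```

Calling `find_scanners(SAMPLE_LOG)` flags only 192.168.1.50, which hit six distinct ports within ten seconds; the ordinary client on 192.168.1.60 is not reported.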
What is SYN flood?
NMAP fastest scan of ports
You can use the '-T5' option with the NMAP command to scan all open ports, servers, computers and other devices as fast as possible. For example:
# nmap -T5 192.168.1.31/24
The above command is very aggressive. The timing templates range from 0 to 5, where 0 is very slow and 5 is very fast; so T5 is the fastest and T0 the slowest when scanning.
NMAP decoy scan
With the '-D' option you can do a decoy scan of any system or server in the network. It is a technique for hiding your IP address while scanning an IP or host: the target's IDS (Intrusion Detection System) or IPS (Intrusion Prevention System) won't be able to tell which IP was really scanning it, as it will report scans from several IP addresses. The decoy addresses are given as a comma-separated list without spaces, followed by the target.
# nmap -n -D 192.168.1.31,192.168.1.10 192.168.1.33 [last address is the target]
NMAP idle scan (Zombie scan)
An idle scan or zombie scan is a TCP port scan used to learn the services available on a computer. It is accomplished by sending spoofed packets to the target system, so that on the network the packets appear to come from some other system (the zombie). The condition is that the zombie machine must be up and running. The option '-sI' is used with NMAP.
See the nmap example below: the first IP is the zombie host, which we want the scan to appear to come from, and the second is the target.
# nmap -sI 192.168.0.7 192.168.0.9
To avoid pinging the target from your true IP address, use '-Pn' with the NMAP command.
# nmap -Pn -sI 192.168.0.7 192.168.0.9

Nmap scan report for 192.168.0.9
Host is up.
PORT   STATE   SERVICE
1/tcp  unknown tcpmux
3/tcp  unknown compressnet
4/tcp  unknown unknown
6/tcp  unknown unknown
7/tcp  unknown echo
9/tcp  unknown discard
13/tcp unknown daytime
17/tcp unknown qotd
19/tcp unknown chargen
20/tcp unknown ftp-data
21/tcp unknown ftp
22/tcp unknown ssh
23/tcp unknown telnet
24/tcp unknown priv-mail

Nmap done: 1 IP address (1 host up) scanned in 0.17 seconds
NMAP output options (-o)
There are a number of ways to save nmap command output. For example, you can save the output to a text file or an XML file.
To save output to an XML file, use the command as given below.
# nmap -oX outfile.xml 192.168.1.31
To save the output of an nmap command in a text file (normal output):
# nmap -oN outfile.txt 192.168.1.31
Similarly, to save the output in all formats at once (normal, XML and grepable, with the given base name):
# nmap -oA outfile 192.168.1.31
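The XML written by '-oX' is the format to script against, for instance to audit a host's exposure after a scan. The following added Python example (not part of the original tutorial) reads such a file and reports open ports that are not on a per-host allowlist; the XML is constructed to mirror the -sV output shown earlier, and the `open_ports`/`unexpected_open` helpers and the allowlist are this example's own.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Set, Tuple
# Added example, not from the original tutorial: parse "nmap -oX" output and
# flag open ports that an allowlist does not approve.  SAMPLE_XML is
# constructed to mirror the -sV scan shown earlier; it is not a real scan file.
SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -sV -oX outfile.xml 192.168.0.21">
  <host>
    <address addr="192.168.0.21" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="6.6.1"/></port>
      <port protocol="tcp" portid="25"><state state="filtered" reason="no-response"/>
        <service name="smtp"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
        <service name="http" product="Apache httpd" version="2.4.6"/></port>
      <port protocol="tcp" portid="110"><state state="open" reason="syn-ack"/>
        <service name="pop3" product="Dovecot pop3d"/></port>
    </ports>
  </host>
</nmaprun>"""

def open_ports(xml_text: str) -> Dict[str, List[Tuple[int, str, str]]]:
    """Map host address -> [(port, service name, product and version)], open ports only."""
    result: Dict[str, List[Tuple[int, str, str]]] = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address").get("addr")
        entries = []
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue                    # closed/filtered ports are not exposure
            svc = port.find("service")
            attrs = svc.attrib if svc is not None else {}   # -sV fields may be absent
            product = " ".join(v for v in (attrs.get("product"), attrs.get("version")) if v)
            entries.append((int(port.get("portid")), attrs.get("name", ""), product))
        result[addr] = entries
    return result

def unexpected_open(xml_text: str, allowed: Dict[str, Set[int]]) -> Dict[str, List[int]]:
    """Open ports per host that the allowlist does not approve (empty dict = clean)."""
    findings = {}
    for addr, entries in open_ports(xml_text).items():
        extra = [p for p, _, _ in entries if p not in allowed.get(addr, set())]
        if extra:
            findings[addr] = extra
    return findings
```

With an allowlist of {22, 80} for 192.168.0.21, `unexpected_open(SAMPLE_XML, {"192.168.0.21": {22, 80}})` reports port 110 as an unapproved open port, while the filtered port 25 is ignored.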
To find out which nmap version you have installed, type the following command.
# nmap --version
To learn more about the options you can use with Nmap commands, read the man page.
$ man nmap
Or you can check out the online man page of nmap.
That's it for the tutorial on NMAP commands with examples to scan all ports. If you like this article, please share it.