Table of Contents
In this tutorial, we will go through top 12 Nmap commands to scan remote hosts. Nmap is a free and open-source network scanner created by Gordon Lyon. Nmap is used to discover hosts and services on a computer network by sending packets and analyzing the responses. Nmap provides a number of features for probing computer networks, including host discovery and service and operating system detection.
Nmap Commands
Prerequisites
You only need to have nmap tool in your system. If you don’t have this tool, It can be installed using below steps.
For RedHat/CentOS
yum install nmap
For Ubuntu
sudo apt-get install nmap
1. To Scan remote host 10.220.12.8
To scan remote host 10.220.12.8 we will use nmap 10.220.12.8 command.
[root@localhost ~]# nmap 10.220.12.8 Starting Nmap 6.40 ( http://nmap.org ) at 2019-12-06 05:04 EST Nmap scan report for dns.example (10.220.12.8) Host is up (0.051s latency). Not shown: 998 filtered ports PORT STATE SERVICE 53/tcp open domain 443/tcp open https Nmap done: 1 IP address (1 host up) scanned in 5.46 seconds
2. To Scan Port 80 of remote host 10.220.12.8
You can also scan port with nmap using below command.
[root@localhost ~]# nmap -p 80 10.220.12.8 Starting Nmap 6.40 ( http://nmap.org ) at 2019-12-06 05:30 EST Nmap scan report for dns.example (10.220.12.8) Host is up (0.043s latency). PORT STATE SERVICE 80/tcp filtered http Nmap done: 1 IP address (1 host up) scanned in 0.57 seconds
3. To Scan range of ports
This command will scan all the ports from 1 to 65535. This will take some time to display the output.
[root@localhost ~]# nmap -p 1-65535 10.220.12.8 Starting Nmap 6.40 ( http://nmap.org ) at 2019-12-06 05:34 EST Nmap scan report for dns.example (10.220.12.8) Host is up (0.046s latency). Not shown: 65532 filtered ports PORT STATE SERVICE 53/tcp open domain 443/tcp open https 853/tcp open unknown Nmap done: 1 IP address (1 host up) scanned in 121.70 seconds
4. To Scan entire CIDR IP Ranges
If you want to scan entire CIDR Ranges, that also you can do by providing the subnet range.
[root@localhost ~]# nmap 10.220.12.0/28 Starting Nmap 6.40 ( http://nmap.org ) at 2019-12-06 05:36 EST Nmap done: 4 IP addresses (0 hosts up) scanned in 5.09 seconds
5. To Scan OS of remote host 10.220.12.8
If you want to find the OS of remote host, you can use -A switch along with -T4 switch for faster scan.
[root@localhost ~]# nmap -A -T4 10.220.12.8 Starting Nmap 6.40 ( http://nmap.org ) at 2019-12-06 05:39 EST Nmap scan report for dns.example (10.220.12.8) Host is up (0.046s latency). Not shown: 998 filtered ports PORT STATE SERVICE VERSION 53/tcp open tcpwrapped 443/tcp open https? |_http-methods: No Allow or Public header in OPTIONS response (status code 200) |_http-title: Google Public DNS | ssl-cert: Subject: commonName=dns.google/organizationName=Google LLC/stateOrProvinceName=California/countryName=US | Not valid before: 2019-11-05T07:47:00+00:00 |_Not valid after: 2020-01-28T07:47:00+00:00 1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi : SF-Port443-TCP:V=6.40%I=7%D=12/6%Time=5DEA2FEE%P=x86_64-redhat-linux-gnu%r SF:(HTTPOptions,7,"\x15\x03\x01\0\x02\x02F")%r(SSLSessionReq,7,"\x15\x03\x SF:01\0\x02\x02F")%r(SSLv23SessionReq,7,"\x15\x03\x01\0\x02\x02F")%r(X11Pr SF:obe,7,"\x15\x03\x01\0\x02\x02F")%r(RTSPRequest,7,"\x15\x03\x01\0\x02\x0 SF:2F")%r(DNSVersionBindReq,7,"\x15\x03\x01\0\x02\x02F")%r(DNSStatusReques SF:t,7,"\x15\x03\x01\0\x02\x02F")%r(Help,7,"\x15\x03\x01\0\x02\x02F")%r(SM SF:BProgNeg,7,"\x15\x03\x01\0\x02\x02F")%r(LDAPBindReq,7,"\x15\x03\x01\0\x SF:02\x02F")%r(SIPOptions,7,"\x15\x03\x01\0\x02\x02F")%r(NCP,7,"\x15\x03\x SF:01\0\x02\x02F")%r(WMSRequest,7,"\x15\x03\x01\0\x02\x02F")%r(oracle-tns, SF:7,"\x15\x03\x01\0\x02\x02F")%r(kumo-server,7,"\x15\x03\x01\0\x02\x02F"); Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port Device type: general purpose Running (JUST GUESSING): OpenBSD 4.X (89%) OS CPE: cpe:/o:openbsd:openbsd:4.0 Aggressive OS guesses: OpenBSD 4.0 (89%), OpenBSD 4.3 (88%) No exact OS matches for host (test conditions non-ideal). Network Distance: 9 hops TRACEROUTE (using port 443/tcp) HOP RTT ADDRESS 1 4.26 ms 192.168.0.1 2 13.36 ms 10.239.0.1 3 10.52 ms broadband.example.in (102.53.20.17) 4 10.51 ms broadband.example.in (102.53.20.18) 5 ... 6 7 48.74 ms 67.125.242.145 8 48.75 ms 114.239.47.143 9 48.80 ms dns.example (10.220.12.8) OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 49.10 seconds
6. To Scan for UDP and TCP Ports
If you want to scan udp and tcp port, you need to use -sU for UDP and -sT for TCP.
Scan for UDP Protocol
[root@localhost ~]# nmap -sU 10.220.12.8 Starting Nmap 6.40 ( http://nmap.org ) at 2019-12-06 05:48 EST Nmap scan report for dns.example (10.220.12.8) Host is up (0.044s latency). Not shown: 998 open|filtered ports PORT STATE SERVICE 53/udp open domain 33459/udp closed unknown Nmap done: 1 IP address (1 host up) scanned in 16.02 seconds
Scan for TCP Protocol
[root@localhost ~]# nmap -sT 10.220.12.8
Starting Nmap 6.40 ( http://nmap.org ) at 2019-12-06 05:48 EST
Nmap scan report for dns.example (10.220.12.8)
Host is up (0.045s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE
53/tcp open domain
443/tcp open https
Nmap done: 1 IP address (1 host up) scanned in 5.30 seconds
7. To Scan multiple Hosts
If you want to scan multiple hosts in a network excluding one ip then you can use –exclude switch with nmap commands.
[root@localhost ~]# nmap 10.220.110.* --exclude 10.220.110.4 Starting Nmap 6.40 ( http://nmap.org ) at 2019-12-06 06:02 EST Nmap done: 255 IP addresses (0 hosts up) scanned in 205.36 seconds
8. To check if any Firewall is Enabled
You can also check if the remote host is filtering all the packets or not.
[root@localhost ~]# nmap -sA 10.220.12.8 Starting Nmap 6.40 ( http://nmap.org ) at 2019-12-06 06:04 EST Nmap scan report for dns.example (10.220.12.8) Host is up (0.052s latency). All 1000 scanned ports on dns.example (10.220.12.8) are filtered Nmap done: 1 IP address (1 host up) scanned in 53.14 seconds
9. To perform a Stealthy Scan
If you want perform a scan stealthly you need to use -sS switch with nmap commands.
[root@localhost ~]# nmap -sS 10.220.12.8 Starting Nmap 6.40 ( http://nmap.org ) at 2019-12-06 06:08 EST Nmap scan report for dns.example (10.220.12.8) Host is up (0.043s latency). Not shown: 998 filtered ports PORT STATE SERVICE 53/tcp open domain 443/tcp open https Nmap done: 1 IP address (1 host up) scanned in 5.40 seconds
10. To Launch Brute Force Attacks
WordPress brute force attack:
nmap -sV --script http-wordpress-brute --script-args 'userdb=username.txt,password=passwds.txt,http-wordpress-brute.hostname=example.com, http-wordpress-brute.threads=3,brute.firstonly=true' 10.220.12.8
Brute force attack against MS-SQL:
nmap -p 1433 --script ms-sql-brute --script-args userdb=users.txt,passdb=password.txt 10.220.12.8
FTP brute force attack:
nmap --script ftp-brute -p 21 10.220.12.8
11. To find Vulnerability in the Remote Host
Here you can launch the vlun script for remote host 10.220.12.8 to find the vulnerability. It is one of the many unique features of nmap commands.
[root@localhost ~]# nmap -Pn --script vuln 10.220.12.8 Starting Nmap 6.40 ( http://nmap.org ) at 2019-12-06 05:59 EST Nmap scan report for dns.example (10.220.12.8) Host is up (0.046s latency). Not shown: 998 filtered ports PORT STATE SERVICE 53/tcp open domain 443/tcp open https | http-enum: | /flexfm/: Flex File Manager | /forum_answer.php?que_id=1: Guru JustAnswer | /pix/middlefile.gif: Middle files |_ /root/admin/file.aspx: file.NET (CMS) |_http-fileupload-exploiter: |_http-frontpage-login: false |_http-huawei-hg5xx-vuln: false |_http-majordomo2-dir-traversal: ERROR: Script execution failed (use -d to debug ) |_http-phpmyadmin-dir-traversal: ERROR: Script execution failed (use -d to debug ) |_http-stored-xss: Couldn't find any stored XSS vulnerabilities. |_http-vuln-cve2010-0738: false Nmap done: 1 IP address (1 host up) scanned in 822.62 seconds
12. To detect malware infection on remote hosts
Another important feature with nmap commands is that you can check malware infection on remote hosts by launching below script.
[root@localhost ~]# nmap -sV --script=http-malware-host 10.220.12.8 Starting Nmap 6.40 ( http://nmap.org ) at 2019-12-06 06:22 EST Nmap scan report for dns.example (10.220.12.8) Host is up (0.000013s latency). Other addresses for localhost (not scanned): 10.220.12.8 Not shown: 998 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.4 (protocol 2.0) 25/tcp open smtp Postfix smtpd Service Info: Host: localhost.localdomain Service detection performed. Please report any incorrect results at http://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 0.29 seconds
Also Read: How to enable ssh on Ubuntu
Reference: Nmap Documentation