Nmap

Common Nmap Commands & Examples

Nmap (Network Mapper) is a powerful tool used for network discovery and security auditing. Below are the most common Nmap commands, along with practical examples.


Basic Host Discovery

Scan that I start with

nmap 10.10.10.10 -sC -sV -p- -T3
  • Scans all 65,535 TCP ports (-p-) instead of the default top 1,000.
  • Runs the default set of NSE scripts (-sC).
  • Sets the timing template (-T<0-5>): 0 paranoid, 1 sneaky, 2 polite, 3 normal, 4 aggressive, 5 insane. T3 is the default; higher values finish faster but are noisier and less accurate on slow or lossy links.
  • Probes each open port to identify the service and its version (-sV).

Scan a Range of IPs

nmap 10.10.102.1-50
  • Scans multiple hosts in the range 10.10.102.1 to 10.10.102.50.

Scan an Entire Subnet

nmap 10.10.102.0/24
  • Scans all devices in the 10.10.102.x network.

Port Scanning

Scan Specific Ports

nmap -p 22,80,443 10.10.102.93

  • Scans only ports 22 (SSH), 80 (HTTP), and 443 (HTTPS).

Scan All 65,535 Ports

nmap -p- 10.10.102.93
  • Checks every port on the target.

Detect Open, Closed, and Filtered Ports

nmap --reason 10.10.102.93
  • Adds the packet-level evidence behind each port state (e.g. syn-ack for open, reset for closed, no-response for filtered), which helps tell a firewall drop apart from a host that is simply down.

Service & Version Detection

Detect Running Services & Versions

nmap -sV 10.10.102.93
  • Identifies running services and their versions.

Aggressive Scan (OS Detection, Services, and More)

nmap -A 10.10.102.93
  • Enables OS detection, version detection, default script scanning, and traceroute in one flag. It is noisy and needs raw-packet privileges (root) for the OS fingerprinting part.

Detect the Target OS

nmap -O 10.10.102.93
  • Fingerprints the target's TCP/IP stack to guess its operating system. Requires root (raw packets) and works best when at least one open and one closed port are found.

Stealth & Evasion Scans

SYN Scan (Stealthy Scan)

nmap -sS 10.10.102.93
  • Half-open scan: sends a SYN and never completes the three-way handshake, so the connection rarely reaches application logs. Requires root and is the default scan type when run as root. The SYN probes are still fully visible to firewalls and IDS, so "stealthy" only means quieter at the application layer.

Scan Without DNS Resolution

nmap -n 10.10.102.93
  • Prevents Nmap from resolving hostnames.

Evade Firewalls Using Fragmentation

nmap -f 10.10.102.93
  • Splits probe packets into small IP fragments, which some simple packet filters do not reassemble before applying rules. Most modern firewalls and IDS reassemble fragments before inspection, so this is unreliable against them.

Use a Decoy to Mask Your Scan

nmap -D RND:10 10.10.102.93
  • Mixes the real probes in with probes spoofed from 10 randomly generated decoy addresses (RND:10), so the target's logs show the scan coming from many sources.

Script-Based Scanning (NSE)

Scan for Vulnerabilities

nmap --script=vuln 10.10.102.93
  • Runs every NSE script in the vuln category against detected services. Results are indicators, not confirmed findings, and some scripts in this category are intrusive.

Scan for SMB Shares

nmap --script=smb-enum-shares -p 445 10.10.102.93
  • Runs the smb-enum-shares script against TCP 445 to list Windows/SMB file shares and, where permitted, their access rights.

Brute-Force FTP Login

nmap --script=ftp-brute -p 21 10.10.102.93
  • Attempts to brute-force FTP credentials.

Saving Scan Results

Save Output in Normal Format

nmap -oN scan_results.txt 10.10.102.93
  • Saves the results as the same human-readable text that appears on screen.

Save Output in Grepable Format

nmap -oG scan_results.txt 10.10.102.93
  • Saves one line per host in the grepable format, convenient for quick grep/awk filtering. Nmap documents this format as deprecated in favour of XML, so prefer -oX for anything that must be parsed reliably.

Save Output in XML Format

nmap -oX scan_results.xml 10.10.102.93
  • Saves the results as XML, the format Nmap recommends for parsing and the one most automation and asset-inventory tools consume.

Comprehensive Scan Example

nmap -A -p- --script=vuln -oN full_scan.txt 10.10.102.93
  • Scans all 65,535 TCP ports (-p-).
  • Enables aggressive mode (-A): OS detection, version detection, default scripts, and traceroute.
  • Also runs the vuln category of NSE scripts (--script=vuln).
  • Saves the normal-format output to full_scan.txt (-oN). Expect this combination to take a long time and to be very visible on the network.