Networks now underpin almost everything, and mapping them, enumerating hosts and scanning ports, is a core job of the people who run them. Despite the number of monitoring tools on the market, Nmap remains the industry standard that most practitioners reach for.
IT managers, administrators and security professionals all fight a never-ending battle with what is on their networks: they have to keep checking for exposed services and vulnerable or unwanted hosts and deal with them. Nmap's flexibility for this kind of vulnerability scanning is hard to match, and it is the most widely used tool for enumeration and detection scans.
Before exploring the individual commands, a definition: Nmap (Network Mapper) is an open-source tool for network discovery and security auditing. It finds which hosts are up, which ports and services they expose and, with the right options, the software versions behind them.
Linux is where most of this work is done, and Nmap is packaged by every major distribution, so installing it is a one-line package-manager command. The Windows commands differ slightly, but installation there is no harder: the installer package sets Nmap up in seconds.
We have established an understanding of what Nmap is and how we can use it. Here are some basic Nmap commands that administrators can use to their advantage.
To scan a single port or an entire port range on a local or remote host, use the -p option. Scanning the full TCP port range on the local machine looks like this:
nmap -p 1-65535 localhost
This scans all 65535 TCP ports on the local host. Change the port specification and the number of ports scanned changes with it; Nmap also accepts the shorthand -p- for "all ports".
The most basic form of all is a scan of a single host or IP address with no options, which runs host discovery and then scans the 1000 most common TCP ports:
nmap 1.1.1.1
The example above scans by IP address; to scan by hostname, substitute the name for the address. For example:
nmap cloudflare.com
The Nmap command list is vast, but host discovery is one of the everyday uses. To ping-scan a whole subnet without scanning any ports, use -sn (spelled -sP in older releases; the option is case-sensitive):
nmap -sn 192.168.5.0/24
This is one of the most used Nmap commands, because it quickly shows which hosts are up on a network.
Nmap also scans several addresses in one run. For a single IP address, use the single-address form shown above; for several unrelated addresses, list them separated by spaces:
nmap 1.1.1.1 8.8.8.8
This syntax scans each listed address. Consecutive addresses have their own notations.
A single Nmap command can also cover an entire IP range given in CIDR notation. Example:
nmap 8.8.8.0/28
A CIDR block scans every address in the block (16 addresses for a /28, including the network and broadcast addresses). For a slice of a network rather than a whole block, Nmap also accepts a range in any octet, such as 192.168.1.1-10, which covers ten consecutive hosts.
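The target notations above (single address, CIDR block, octet range, hostname) decide how many addresses a scan will actually touch, which is worth checking before a large range is scanned or written to a list file. The following is an added example, not code from the original article or from the Nmap project; it expands the notations Nmap accepts into concrete addresses and validates entries before they go into a target list. The function names are this example's own, and only plain octet ranges (lo-hi) are supported, not Nmap's comma lists or wildcards.

```python
"""Expand Nmap-style target specifications before a scan (added example)."""
import ipaddress
import re

# A single octet or a lo-hi range in each of the four positions, e.g. 192.168.1.1-5
OCTET_SPEC = re.compile(r"^(\d{1,3}(?:-\d{1,3})?)(?:\.(\d{1,3}(?:-\d{1,3})?)){3}$")


def _octet_values(part):
    """Turn '7' into range(7, 8) and '1-5' into range(1, 6), bounds-checked."""
    lo, _, hi = part.partition("-")
    lo, hi = int(lo), int(hi or lo)
    if not 0 <= lo <= hi <= 255:
        raise ValueError(f"octet range out of bounds: {part}")
    return range(lo, hi + 1)


def expand_target(spec):
    """Return every IPv4 address a spec covers; hostnames pass through unresolved."""
    spec = spec.strip()
    if "/" in spec:
        # Nmap scans every address in a CIDR block, including network and broadcast
        return [str(a) for a in ipaddress.ip_network(spec, strict=False)]
    if OCTET_SPEC.match(spec):
        a, b, c, d = (_octet_values(p) for p in spec.split("."))
        return [f"{w}.{x}.{y}.{z}" for w in a for x in b for y in c for z in d]
    if not spec or " " in spec:
        raise ValueError(f"not a single target: {spec!r}")
    return [spec]  # hostname: Nmap resolves it at scan time


def target_list_lines(specs):
    """Validated, de-duplicated lines for a list file to pass with -iL."""
    seen, lines = set(), []
    for spec in specs:
        expand_target(spec)  # raises on malformed input before anything is scanned
        if spec not in seen:
            seen.add(spec)
            lines.append(spec)
    return lines


def total_addresses(specs):
    """How many addresses a scan over these specs touches (a hostname counts as one)."""
    return sum(len(expand_target(s)) for s in specs)


if __name__ == "__main__":
    # Constructed sample matching the forms used in the article
    sample = ["8.8.8.0/28", "192.168.1.1-10", "1.1.1.1", "cloudflare.com"]
    for s in sample:
        print(f"{s:18} -> {len(expand_target(s))} address(es)")
    print("total:", total_addresses(sample))
```

Run it on a planned target list before scanning: a typo such as 10.0.0.0/8 instead of 10.0.0.0/24 shows up as 16 million addresses instead of 256 before any packet is sent.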
Nmap has a syntax for almost everything; to scan only the most common ports, use --top-ports:
nmap --top-ports 20 192.168.1.106
--top-ports N scans the N ports that Nmap's services database ranks as most common. Replace 20 with any number you like; here is the output for 20 ports against localhost:
[root@securitytrails:~]nmap --top-ports 20 localhost
Starting Nmap 6.40 ( https://nmap.org ) at 2018-10-01 10:02 EDT
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000016s latency).
Other addresses for localhost (not scanned): 127.0.0.1
PORT STATE SERVICE
21/tcp closed ftp
22/tcp closed ssh
23/tcp closed telnet
25/tcp closed smtp
53/tcp closed domain
80/tcp filtered http
110/tcp closed pop3
111/tcp closed rpcbind
135/tcp closed msrpc
139/tcp closed netbios-ssn
143/tcp closed imap
443/tcp filtered https
445/tcp closed microsoft-ds
993/tcp closed imaps
995/tcp closed pop3s
1723/tcp closed pptp
3306/tcp closed mysql
3389/tcp closed ms-wbt-server
5900/tcp closed vnc
8080/tcp closed http-proxy
Nmap can also read its targets from a text file containing one IP address or hostname per line. Create a file named list.txt with contents like this:
192.168.1.106
cloudflare.com
microsoft.com
securitytrails.com
The -iL option reads the file and scans every target listed in it:
nmap -iL list.txt
When there are many scans to run, speed matters. One easy saving is to disable reverse DNS lookups with the -n option, so Nmap does not try to resolve a name for every address it touches:
[root@securitytrails:~]nmap -p 80 -n 8.8.8.8
Starting Nmap 7.60 ( https://nmap.org ) at 2018-10-01 09:15 -03
Nmap scan report for 8.8.8.8
Host is up (0.014s latency).
For comparison, the same scan with DNS resolution left on resolves the address to a name, which costs an extra lookup per host:
[root@securitytrails:~]nmap -p 80 8.8.8.8
Nmap scan report for google-public-dns-a.google.com (8.8.8.8)
Scan output is usually kept for later comparison. The -oN option writes it to a file in the same "normal" format shown on screen:
nmap -oN output.txt securitytrails.com
This saves the results to output.txt without changing what is printed to the terminal. Nmap also offers -oX (XML), -oG (grepable) and -oA (all formats at once); XML is the right choice when another tool will parse the results.
From full scans to the help screen, there is an option for almost everything, and service detection is one of the most used. The -sV option probes each open port to identify the service and its version:
nmap -sV localhost
A representative example of the output:
[root@securitytrails:~]nmap -sV localhost
Starting Nmap 7.60 ( https://nmap.org ) at 2018-10-01 09:28 -03
Host is up (0.000020s latency).
Other addresses for localhost (not scanned): ::1
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
111/tcp open rpcbind 2-4 (RPC #100000)
631/tcp open ipp CUPS 2.2
902/tcp open ssl/vmware-auth VMware Authentication Daemon 1.10 (Uses VNC, SOAP)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/.
Nmap done: 1 IP address (1 host up) scanned in 7.96 seconds.
Note that -sV identifies services and versions; operating-system fingerprinting is a separate option, -O, which is commonly combined with -sV.
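Saving output with -oN and reading the PORT/STATE/SERVICE/VERSION table from -sV (both shown above) come together in one routine defensive task: comparing today's scan against a saved baseline to spot ports that were not open before. The following is an added example, not code from the original article or from the Nmap project. It parses the normal output format as printed above and reports newly open ports; the two scan texts are constructed to match that format, and the function names are this example's own.

```python
"""Parse Nmap normal output and diff it against a baseline (added example)."""
import re

# e.g. "631/tcp  open  ipp  CUPS 2.2" -> port, proto, state, service, version (optional)
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*\S))?\s*$")
HOST_LINE = re.compile(r"^Nmap scan report for (\S+)(?: \((\S+)\))?")

# Constructed sample: an earlier -sV scan saved with -oN (not real scan data)
BASELINE_SCAN = """\
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000020s latency).
Not shown: 998 closed ports
PORT     STATE SERVICE VERSION
111/tcp  open  rpcbind 2-4 (RPC #100000)
631/tcp  open  ipp     CUPS 2.2
Nmap done: 1 IP address (1 host up) scanned in 7.96 seconds.
"""

# Constructed sample: today's scan of the same host (not real scan data)
CURRENT_SCAN = """\
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000020s latency).
Not shown: 996 closed ports
PORT     STATE         SERVICE    VERSION
22/tcp   open          ssh        OpenSSH 7.6p1 (constructed sample)
111/tcp  open          rpcbind    2-4 (RPC #100000)
631/tcp  open          ipp        CUPS 2.2
8080/tcp open|filtered http-proxy
Service detection performed. Please report any incorrect results at https://nmap.org/submit/.
Nmap done: 1 IP address (1 host up) scanned in 8.12 seconds.
"""


def parse_normal_output(text):
    """Return {host: [{port, proto, state, service, version}, ...]}."""
    hosts, current = {}, None
    for line in text.splitlines():
        m = HOST_LINE.match(line)
        if m:
            current = m.group(1)
            hosts[current] = []
            continue
        m = PORT_LINE.match(line)
        if m and current is not None:
            port, proto, state, service, version = m.groups()
            hosts[current].append({"port": int(port), "proto": proto, "state": state,
                                   "service": service, "version": version or ""})
    return hosts


def open_ports(scan):
    """(host, 'port/proto', service) for every port whose state is exactly 'open'.
    'open|filtered' is ambiguous (no reply received) and is deliberately left out."""
    return {(h, f"{r['port']}/{r['proto']}", r["service"])
            for h, recs in scan.items() for r in recs if r["state"] == "open"}


def new_open_ports(baseline, current):
    """Ports confirmed open now that were not open in the baseline."""
    return open_ports(current) - open_ports(baseline)


if __name__ == "__main__":
    before = parse_normal_output(BASELINE_SCAN)
    after = parse_normal_output(CURRENT_SCAN)
    for host, port, service in sorted(new_open_ports(before, after)):
        print(f"NEW: {host} {port} ({service})")
```

Run against real files saved with -oN, the diff is what an administrator reviews after each periodic scan; anything listed is either an approved change or something to investigate.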
Nmap is best known for finding open TCP ports, but it handles UDP just as well. Many services are TCP-only, yet scanning UDP-based services (DNS, SNMP, DHCP and the like) matters just as much and is often neglected. Here are examples of both.
The output of a standard TCP connect scan (-sT):
[root@securitytrails:~]nmap -sT 192.168.1.1
Starting Nmap 7.60 ( https://nmap.org ) at 2018-10-01 09:33 -03
Nmap scan report for 192.168.1.1
Host is up (0.58s latency).
Not shown: 995 closed ports
80/tcp open http
1900/tcp open upnp
20005/tcp open btx
49152/tcp open unknown
49153/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 1.43 seconds.
The same kind of scan over UDP (-sU). UDP scans are slower, and a port that sends no reply is reported as open|filtered, because Nmap cannot tell a silent open port from one whose probes a firewall dropped:
[root@securitytrails:~]nmap -sU localhost
Starting Nmap 7.60 ( https://nmap.org ) at 2018-10-01 09:37 -03
Host is up (0.000021s latency).
68/udp open|filtered dhcpc
111/udp open rpcbind
5353/udp open|filtered zeroconf
A feature many administrators are unaware of is CVE detection through the Nmap Scripting Engine (NSE). Nmap ships with a library of scripts written in Lua, grouped into categories such as vuln, and you can write your own for checks the stock scripts lack. To run the vulnerability-detection scripts against a host, use:
nmap -Pn --script vuln 192.168.1.105
An example of the output (the http-vuln-cve2014-3704 error on the last line shows that one script can fail without stopping the others):
[root@securitytrails:~]nmap -Pn --script vuln 192.168.1.105
Starting Nmap 7.60 ( https://nmap.org ) at 2018-10-01 09:46 -03
Pre-scan script results:
| broadcast-avahi-dos:
| Discovered hosts:
| 224.0.0.251
| After NULL UDP avahi packet DoS (CVE-2011-1002).
|_ Hosts are all up (not vulnerable).
Nmap scan report for 192.168.1.105
Host is up (0.00032s latency).
|_http-csrf: Couldn’t find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn’t find any DOM based XSS.
| http-slowloris-check:
| VULNERABLE:
| Slowloris DOS attack
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2007-6750
| Slowloris tries to keep many connections to the target web server open and hold
| them open as long as possible. It accomplishes this by opening connections to
| the target web server and sending a partial request. By doing so, it starves
| the http server’s resources causing Denial Of Service.
|
| Disclosure date: 2009-09-17
| References:
| https://ha.ckers.org/slowloris/
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_http-stored-xss: Couldn’t find any stored XSS vulnerabilities.
|_http-vuln-cve2014-3704: ERROR: Script execution failed (use -d to debug)
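Output from --script vuln, as above, mixes real findings with "couldn't find" lines and script errors, so on more than a couple of hosts it needs triage. The following is an added example, not code from the original article or from the Nmap project: it groups the "|"-prefixed script lines into one finding per script, pulls out the State and CVE identifiers, and separates vulnerable, errored and clean results. The scan text is constructed to mirror the format above, and the function names are this example's own.

```python
"""Triage NSE vulnerability-script output (added example)."""
import re

# Start of a script block: "| name:" or "|_name:"; nested lines have extra spaces after the bar
SCRIPT_START = re.compile(r"^\|_? ?([A-Za-z0-9][A-Za-z0-9_-]*):\s?(.*)$")
CVE_ID = re.compile(r"CVE-\d{4}-\d{4,}")
PORT_LINE = re.compile(r"^(\d+/(?:tcp|udp))\s")
HOST_LINE = re.compile(r"^Nmap scan report for (\S+)")

# Constructed sample modelled on the --script vuln output above (not real scan data)
SCAN = """\
Pre-scan script results:
| broadcast-avahi-dos:
|   Discovered hosts:
|     224.0.0.251
|   After NULL UDP avahi packet DoS (CVE-2011-1002).
|_  Hosts are all up (not vulnerable).
Nmap scan report for 192.168.1.105
Host is up (0.00032s latency).
PORT   STATE SERVICE
80/tcp open  http
|_http-csrf: Couldn't find any CSRF vulnerabilities.
| http-slowloris-check:
|   VULNERABLE:
|   Slowloris DOS attack
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2007-6750
|     Disclosure date: 2009-09-17
|     References:
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-vuln-cve2014-3704: ERROR: Script execution failed (use -d to debug)
"""


def parse_script_findings(text):
    """One dict per script block: host, port (None for pre-scan scripts), script, lines."""
    findings, host, port, current = [], None, None, None
    for line in text.splitlines():
        m = HOST_LINE.match(line)
        if m:
            host, port, current = m.group(1), None, None
            continue
        m = PORT_LINE.match(line)
        if m:
            port, current = m.group(1), None
            continue
        if not line.startswith("|"):
            current = None  # any other line ends the current script block
            continue
        m = SCRIPT_START.match(line)
        if m:
            current = {"host": host, "port": port, "script": m.group(1), "lines": [m.group(2)]}
            findings.append(current)
        elif current is not None:
            current["lines"].append(line.lstrip("|_").strip())
    return findings


def triage(findings):
    """Buckets: vulnerable (host, port, script, CVEs), errors (script), clean (script)."""
    report = {"vulnerable": [], "errors": [], "clean": []}
    for f in findings:
        body = "\n".join(f["lines"])
        state = re.search(r"State:\s*(.+)", body)
        if "ERROR:" in body:
            report["errors"].append(f["script"])  # rerun with -d, do not count as clean
        elif state and "VULNERABLE" in state.group(1) and "NOT VULNERABLE" not in state.group(1):
            cves = sorted(set(CVE_ID.findall(body)))
            report["vulnerable"].append((f["host"], f["port"], f["script"], cves))
        else:
            report["clean"].append(f["script"])
    return report


if __name__ == "__main__":
    for bucket, items in triage(parse_script_findings(SCAN)).items():
        print(bucket, items)
```

The errors bucket matters as much as the vulnerable one: a script that failed has tested nothing, so the host cannot be recorded as clean for that check.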
Nmap is never short of features; there are cheat sheets and platform-specific command lists for Kali, Termux and every other platform it runs on. Among the NSE scripts is one that checks whether a web server is susceptible to Slowloris-style connection exhaustion, which is used in network resilience testing.
The command is:
nmap 192.168.1.105 --max-parallelism 800 -Pn --script http-slowloris --script-args http-slowloris.runforever=true
Nmap can also run password brute-force checks through NSE; the script differs by service.
Against a WordPress login:
nmap -sV --script http-wordpress-brute --script-args 'userdb=users.txt,passdb=passwds.txt,http-wordpress-brute.hostname=domain.com,http-wordpress-brute.threads=3,brute.firstonly=true' 192.168.1.105
Brute force attack against MS-SQL:
nmap -p 1433 --script ms-sql-brute --script-args userdb=customuser.txt,passdb=custompass.txt 192.168.1.105
Brute force attack against FTP:
nmap --script ftp-brute -p 21 192.168.1.105
Command lists for Kali Linux, Termux or vulnerability scanning are all useful to an administrator, but checking whether a remote host is serving malware matters even more.
The http-google-malware script checks a host against Google's Safe Browsing lists:
nmap -p80 --script http-google-malware infectedsite.com
There are many ways to get more out of Nmap, and the commands and examples above are a starting point for exploring it. Keep in mind which ones apply to your own systems: some are platform-specific, but most work everywhere Nmap runs.
So, have you made up your mind to make a career in Cyber Security? Visit our Postgraduate Certificate Program in Cybersecurity to check out your best option for kickstarting a successful career in Cybersecurity.