Saturday, January 13, 2024

Nmap Top 20 Commands




1. List all hosts on a network
nmap -sL <target>

A list scan (-sL) is the most passive form of host discovery: Nmap only lists each host in the selected network(s) and sends no packets to the targets. By default it still performs a reverse DNS lookup on every address, so the only traffic generated goes to your DNS resolver; add -n to suppress the lookups if even that is unwanted. It is a cheap way to confirm that a CIDR or range expands to the addresses you intended before you scan it.

2. Disable port scanning and only discover active hosts
nmap -sn <target>

nmap -sP <target> (the older, deprecated spelling of -sn; still accepted)

With this option Nmap prints only the hosts that answered its host discovery probes and performs no port scan. It is slightly more intrusive than the list scan because packets do reach the targets: by default, when run as root, an ICMP echo request, a TCP SYN to port 443, a TCP ACK to port 80 and an ICMP timestamp request (ARP requests instead on a local Ethernet segment); an unprivileged user gets a TCP connect to ports 80 and 443. Use it as a "ping sweep" to count available machines on a network or to monitor server availability. Hosts that drop all of these probes are reported as down; for such a target add -Pn to skip discovery and scan it anyway.

3. Discover the network path to a host
nmap --traceroute <target>

A packet may traverse several routers before reaching its destination. This option records that path hop by hop. Nmap runs the traceroute after the port scan and uses the scan results to pick the probe type and port most likely to reach the target, so it works through filters that block ICMP-based traceroute. It works with all scan types except connect scans (-sT) and idle scans (-sI), and traces to multiple targets run in parallel.

4. Scan for open ports and version information of services
nmap -sV <target>

When preparing for and doing a pentest, this command finds open ports and then sends version probes to each one to determine the service and its version, rather than trusting the name that nmap-services associates with the port number. Accurate version numbers let you map a host to published vulnerabilities. Two caveats: banners can be altered by an administrator, so treat a version string as evidence rather than proof, and version probes generate far more traffic and log entries on the target than a plain port scan.

5. Scan the ports specified
nmap -p <port number or numbers> <target>

Use this option to tell Nmap which ports you want to scan. It admits individual port numbers and ranges separated by a hyphen (e.g., 1-1023). Nmap can also scan port zero, but you must specify it explicitly.

When scanning a combination of protocols (e.g., TCP and UDP), you can specify a particular protocol by preceding the port numbers using a single-letter qualifier:

T: for TCP,
U: for UDP,
S: for SCTP, and
P: for IP Protocol.
The qualifier lasts until you specify another qualifier. For example, the argument -p U:53,111,137,T:21-25,80,139,8080 would scan UDP ports 53, 111, and 137, and the listed TCP ports. Note that U: ports are only scanned when -sU is also given, and T: ports need a TCP scan type (-sS, -sT, and so on); without any qualifier, the ports are added to every protocol being scanned.

6. Scan all ports on a target
nmap -p- <target>

This command scans ports 1 through 65535. Port 0 is not included; to scan it as well, specify the range explicitly as -p0-. Because this is 65,535 ports per host, pair it with --open to keep the output readable, and expect a UDP full-range scan (-sU -p-) to take hours because of ICMP rate limiting on the target.

7. Scan for open ports on the target
nmap --open <target>

Only show hosts that have at least one open or possibly open port, and list only those ports. "Open" here covers every state in which the port may be open: "open", "open|filtered" (open or filtered, the usual result of a UDP scan with no response), and "unfiltered" (reachable, but an ACK scan cannot tell whether it is open). The Nmap official documentation has more on port states.

8. Scan for the specified number of most common ports
nmap --top-ports <number> <target>

Specify how many of the most commonly open ports Nmap should scan. Nmap takes the <number> ports with the highest open-frequency ratio from its nmap-services file (the third column of that file), after excluding any ports given with --exclude-ports. <number> must be at least 1. Without --top-ports, a default scan covers the top 1,000 ports per protocol.
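The ranking that --top-ports performs can be reproduced from the nmap-services file itself, which is useful when you want to see exactly which ports a given <number> selects or to hand-build the -p argument (with the protocol qualifier from section 5) for a scan that mixes protocols. The script below is an added example, not code from the original post or from the Nmap project: it ranks entries on the open-frequency column and emits a -p specification. The nmap-services excerpt is constructed for the example (its frequencies are illustrative), and the path /usr/share/nmap/nmap-services in the usage comment is an assumption about where the real file lives. It does not implement --exclude-ports.

```shell
#!/bin/sh
# Added example (not the page's own code): reproduce the ranking behind
# --top-ports by sorting nmap-services entries on their open-frequency column.
# nmap-services lines look like:  <service>\t<port>/<proto>\t<open-frequency>\t# comment
# The real file is usually /usr/share/nmap/nmap-services (path is an assumption).

# Constructed excerpt in nmap-services format; the frequencies are illustrative.
SAMPLE_SERVICES=$(printf '# Fields: name\tport/proto\topen-frequency\t# comment
http\t80/tcp\t0.484143\t# World Wide Web HTTP
telnet\t23/tcp\t0.221265
https\t443/tcp\t0.208669
ftp\t21/tcp\t0.197667
ssh\t22/tcp\t0.182286\t# Secure Shell Login
msrpc\t135/tcp\t0.047798\t# Microsoft RPC services
snmp\t161/udp\t0.433467
netbios-ns\t137/udp\t0.365163
domain\t53/udp\t0.213496\n')

# $1: tcp|udp, $2: N; stdin: nmap-services text
# -> the N ports of that protocol with the highest open-frequency, one per line
top_ports() {
  awk -v proto="$1" '
    $1 !~ /^#/ && NF >= 3 {
      split($2, p, "/")                 # "80/tcp" -> p[1]=80, p[2]=tcp
      if (p[2] == proto) print p[1], $3
    }' | sort -k2,2 -rn | head -n "$2" | cut -d ' ' -f1
}

# The same selection as a -p argument with the protocol qualifier from section 5,
# e.g. "T:80,23,443" or "U:161,137"
top_port_spec() {
  q=T
  if [ "$1" = udp ]; then q=U; fi
  printf '%s:%s\n' "$q" "$(top_ports "$1" "$2" | paste -s -d ',' -)"
}

# Usage with the real file (assumed path); the UDP equivalent of --top-ports 20:
#   nmap -sU -p "$(top_port_spec udp 20 < /usr/share/nmap/nmap-services)" <target>
```

Because the frequency column is what drives the selection, a locally edited nmap-services (for example with ports your organisation uses bumped up) changes what --top-ports scans; the same sort shows you the effect before you rely on it.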

9. Perform a TCP connect scan
nmap -sT <target>

In a TCP connect scan Nmap asks the operating system to establish a connection to each target port with the connect() system call, the same call that web browsers, P2P clients and most other network applications use. It is the default when Nmap lacks the privileges to send raw packets (no root, no Npcap), and it is noisier than a SYN scan (-sS): the handshake completes, so the connection is visible to the listening application and shows up in its logs.

10. Scan for UDP ports
nmap -sU <target>

In a UDP scan Nmap sends a UDP packet to every targeted port, usually with an empty payload, except for ports where a protocol-specific payload raises the response rate, such as 53 (DNS) and 161 (SNMP). The reply decides the state: a UDP response means open; an ICMP port unreachable (type 3, code 3) means closed; another ICMP unreachable error (type 3, codes 1, 2, 9, 10 or 13) means filtered; no response at all is reported as open|filtered. Do not rush UDP scans: operating systems such as Linux and Solaris rate-limit ICMP port unreachable messages (Linux to about one per second by default), so a host with mostly closed ports cannot be scanned faster than the limit allows. Combine -sU with -sV to resolve open|filtered ports whose service answers a version probe, and keep the port list short with --top-ports.

11. Enable OS detection, version detection, script scanning, and traceroute
nmap -A <target>

This option turns on OS detection (-O), version detection (-sV), default script scanning (-sC) and traceroute (--traceroute) in one flag. It does not change timing, so add -T4 if you also want a faster scan. Because it includes the default scripts and OS fingerprinting, it is one of the noisiest ways to scan a host and is not a good choice when stealth matters.

12. Scan for remote operating system
nmap -O <target>

Perform remote operating system detection using TCP/IP stack fingerprinting: Nmap sends a series of TCP, UDP and ICMP probes to the host, examines the details of the responses (initial sequence numbers, TCP options, window sizes, IP ID behaviour and so on), compares the result against the nmap-os-db database of more than 2,600 known fingerprints, and prints the operating system details when there is a match. It needs raw packet privileges, and the result is most reliable when the host has at least one open and one closed TCP port; with fewer reference points Nmap prints a guess with a confidence percentage, or nothing.

13. Scan a target with a specific timing template
nmap -T<timing template: 0-5> <target>

Timing templates let you say how aggressive you want to be and leave Nmap to pick the individual timing values. The names are paranoid (0), sneaky (1), polite (2), normal (3), aggressive (4) and insane (5). Paranoid and sneaky are the IDS evasion modes: they serialize probes and wait about five minutes or fifteen seconds between them, so even a small scan takes a very long time. Polite slows the scan to use less bandwidth and fewer target resources, normal is the default, aggressive assumes a fast and reliable network, and insane trades accuracy for speed and only makes sense on very fast networks. -T4 is the usual choice for a LAN you control.

14. Increase the verbosity of the output (second level)
nmap -vv <target>

A single -v flag increases the verbosity level, causing Nmap to print more information about the scan in progress, such as open ports found in real-time and completion time estimates for scans that may take considerable time. Use it twice or more for even greater verbosity: -vv, or give a verbosity level directly, for example -v3.

15. Scan for commonly used ports and services
nmap -sC <target>

This command is equivalent to nmap --script=default <target>. It runs the scripts in the Nmap Scripting Engine (NSE) "default" category against the ports and protocols it finds, for example HTTP title and header checks, SSH host key collection, SMB OS discovery and POP3 capability probes. Default scripts are chosen to be fast, reliable and mostly non-intrusive, but "default" is not the same as "safe": the default script jdwp-info, for example, tries to exploit Java's remote debugging port. Review the script list before running -sC against production systems.

16. Run a script on the target
nmap --script <script type> <target>

Nmap runs a script scan using a comma-separated list of script file names, script categories and directories, or a boolean expression over them (for example --script "default or safe" or --script "not intrusive"). Script arguments are passed with --script-args, and --script-help <name> prints what a script does before you run it.

17. Run all vulnerability scans on the target
nmap --script vuln <target>

The vuln scripts check for specific known vulnerabilities, and Nmap generally only reports results when it finds one. Examples include realvnc-auth-bypass and afp-path-vuln. Many vuln scripts are also in the intrusive category (some can crash the target service), so prefer --script "vuln and safe" where stability matters, and treat a positive as a lead to verify by hand rather than a confirmed finding.

18. Read targets from a text file
nmap -iL <file>

Nmap reads its list of targets from a file. Entries can be in any format Nmap accepts on the command line (IP address, hostname, CIDR, IPv6, or octet ranges) and are separated by spaces, tabs or newlines. The file may contain comments that start with # and extend to the end of the line. Use -iL - to read the targets from standard input, which lets you pipe the output of a host discovery stage straight into a port scan.

19. Save scan results in normal, XML, and grepable formats at once
nmap -oA <file>

Store Nmap scan results as three separate files, with <file> as the base file name and the extensions .nmap (normal), .xml (XML), and .gnmap (grepable). Like -oN, this option only records a scan, so give it alongside a target and scan options. <file> may include a directory path, such as ~/folder1/foo/ on Unix or c:\folder2\bar on Windows. Keep the XML file: it is the input for ndiff, Zenmap and most parsers. The grepable format is officially deprecated but remains convenient for one-line awk and grep processing.
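The options in sections 2, 5, 6, 7, 18 and 19 are usually chained into one workflow: a ping sweep to find live hosts, a full-range port scan of only those hosts, and version detection of only the ports found open, so that the expensive -sV probes are never sent to closed ports. The script below is an added example, not code from the original post or from the Nmap project. It assumes nmap is on PATH and that you are authorised to scan the target range; the output file names are its own convention, and the SAMPLE_* strings are constructed grepable (-oG) output used to exercise the two parsing functions offline. The parsers work on the real -oG format (Host lines tab-separated into Host, Ports and Ignored State fields, port entries written as port/state/proto/owner/service/rpc/version/).

```shell
#!/bin/sh
# Added example, not code from the original post: a staged sweep that chains
# -sn, -oG, -iL, -p-, --open, -p T:..., -sV and -oA.
# Assumes nmap is on PATH and that you are authorised to scan the targets.
# The SAMPLE_* strings are constructed grepable (-oG) output for the parsers.

SAMPLE_SWEEP=$(printf '# Nmap 7.94 scan initiated as: nmap -sn -oG - 192.168.1.0/29
Host: 192.168.1.1 (router.lan)\tStatus: Up
Host: 192.168.1.3 ()\tStatus: Up
Host: 192.168.1.5 ()\tStatus: Down
# Nmap done -- 8 IP addresses (2 hosts up) scanned in 2.01 seconds\n')

SAMPLE_PORTS=$(printf '# Nmap 7.94 scan initiated as: nmap -p- --open -oG - -iL live.txt
Host: 192.168.1.1 (router.lan)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///\tIgnored State: closed (65532)
Host: 192.168.1.3 ()\tPorts: 135/open/tcp//msrpc///, 445/open/tcp//microsoft-ds///, 53/open|filtered/udp//domain///\tIgnored State: closed (65532)
# Nmap done -- 2 IP addresses (2 hosts up) scanned in 41.20 seconds\n')

# stdin: -oG output of a ping sweep -> the addresses that answered, one per line
live_hosts() {
  awk '/^Host:/ && /Status: Up/ { print $2 }'
}

# $1: host address; stdin: -oG output of a port scan
# -> that host's open TCP ports as a comma-separated list ("" if none)
open_tcp_ports() {
  awk -F '\t' -v host="$1" '
    /^Host:/ {
      split($1, h, " ")                   # "Host: <ip> (<name>)"
      if (h[2] != host) next
      for (i = 2; i <= NF; i++) {
        if ($i !~ /^Ports: /) continue
        sub(/^Ports: /, "", $i)
        n = split($i, entry, ", ")        # port/state/proto/owner/service/rpc/version/
        for (j = 1; j <= n; j++) {
          split(entry[j], f, "/")
          if (f[2] == "open" && f[3] == "tcp")
            out = out (out == "" ? "" : ",") f[1]
        }
      }
    }
    END { print out }'
}

# $1: target spec (host, CIDR or range); $2: base name for the output files
staged_scan() {
  base=$2
  # Stage 1: ping sweep only (-sn), grepable output to stdout (-oG -), keep live hosts
  nmap -sn -oG - "$1" | live_hosts > "$base-live.txt"
  # Stage 2: all 65535 TCP ports, live hosts only (-iL), report open ports only
  nmap -p- --open -T4 -iL "$base-live.txt" -oG "$base-ports.gnmap" > /dev/null
  # Stage 3: version detection restricted to the ports found open, per host,
  # saved in all three formats (-oA)
  while read -r ip; do
    ports=$(open_tcp_ports "$ip" < "$base-ports.gnmap")
    if [ -n "$ports" ]; then
      nmap -sV -p "T:$ports" -oA "$base-$ip" "$ip"
    fi
  done < "$base-live.txt"
}

# Usage (runs real nmap):  sh staged_scan.sh --run 192.168.1.0/24 sweep
if [ "${1:-}" = "--run" ] && [ $# -eq 3 ]; then
  staged_scan "$2" "$3"
fi
```

Hosts that drop every discovery probe never reach stage 2; if you know such hosts exist, run stage 2 with -Pn against the full range instead of the live list. Stage 2 needs raw-packet privileges for a SYN scan and silently falls back to a connect scan without them, which is slower and leaves connection entries in the targets' application logs.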

20. Save the scan results to a normal format
nmap -oN <file>

Write the normal, human-readable scan output to the given file name; interactive output still appears on the terminal. This option only records a scan, so it must accompany a valid scan command with some <target>, as in the example nmap --top-ports 10 192.168.1.1-10 -oN tenports.txt. The normal format is meant for people, not scripts; for anything you will process later, prefer -oX or -oA.


