30 Helpful Nmap Commands For Pentester or System Admins
Nmap is short for Network Mapper. It is an open source security tool for network exploration, security scanning and auditing. However, nmap command comes with lots of options that can make the utility more robust and difficult to follow for new users.
The purpose of this post is to introduce a user to the nmap command line tool to scan a host and/or network, so to find out the possible vulnerable points in the hosts. You will also learn how to use Nmap for offensive and defensive purposes.
More about nmap
NMAP (“NETWORK MAPPER”) IS AN OPEN SOURCE TOOL FOR NETWORK EXPLORATION AND SECURITY AUDITING. IT WAS DESIGNED TO RAPIDLY SCAN LARGE NETWORKS, ALTHOUGH IT WORKS FINE AGAINST SINGLE HOSTS. NMAP USES RAW IP PACKETS IN NOVEL WAYS TO DETERMINE WHAT HOSTS ARE AVAILABLE ON THE NETWORK, WHAT SERVICES (APPLICATION NAME AND VERSION) THOSE HOSTS ARE OFFERING, WHAT OPERATING SYSTEMS (AND OS VERSIONS) THEY ARE RUNNING, WHAT TYPE OF PACKET FILTERS/FIREWALLS ARE IN USE, AND DOZENS OF OTHER CHARACTERISTICS. WHILE NMAP IS COMMONLY USED FOR SECURITY AUDITS, MANY SYSTEMS AND NETWORK ADMINISTRATORS FIND IT USEFUL FOR ROUTINE TASKS SUCH AS NETWORK INVENTORY, MANAGING SERVICE UPGRADE SCHEDULES, AND MONITORING HOST OR SERVICE UPTIME.
Sample setup (LAB)
#1: Scan a single host or an IP address (IPv4)
#3: Read list of hosts/networks from a file (IPv4)
#4: Excluding hosts/networks (IPv4)
#5: Turn on OS and version detection scanning script (IPv4)
#6: Find out if a host/network is protected by a firewall
#7: Scan a host when protected by the firewall
#8: Scan an IPv6 host/address
#9: Scan a network and find out which servers and devices are up and running
#10: How do I perform a fast scan?
#11: Display the reason a port is in a particular state
#12: Only show open (or possibly open) ports
#13: Show all packets sent and received
14#: Show host interfaces and routes
#15: How do I scan specific ports?
#16: The fastest way to scan all your devices/computers for open ports ever
#17: How do I detect remote operating system?
#18: How do I detect remote services (server / daemon) version numbers?
#19: Scan a host using TCP ACK (PA) and TCP Syn (PS) ping
#20: Scan a host using IP protocol ping
#21: Scan a host using UDP ping
#22: Find out the most commonly used TCP ports using TCP SYN Scan
#23: Scan a host for UDP services (UDP scan)
#24: Scan for IP protocol
#25: Scan a firewall for security weakness
#26: Scan a firewall for packets fragments
#27: Cloak a scan with decoys
#28: Scan a firewall for MAC address spoofing
#29: How do I save output to a text file?
#30: Not a fan of command line tools?
ZENMAP IS THE OFFICIAL NMAP SECURITY SCANNER GUI. IT IS A MULTI-PLATFORM (LINUX, WINDOWS, MAC OS X, BSD, ETC.) FREE AND OPEN SOURCE APPLICATION WHICH AIMS TO MAKE NMAP EASY FOR BEGINNERS TO USE WHILE PROVIDING ADVANCED FEATURES FOR EXPERIENCED NMAP USERS. FREQUENTLY USED SCANS CAN BE SAVED AS PROFILES TO MAKE THEM EASY TO RUN REPEATEDLY. A COMMAND CREATOR ALLOWS INTERACTIVE CREATION OF NMAP COMMAND LINES. SCAN RESULTS CAN BE SAVED AND VIEWED LATER. SAVED SCAN RESULTS CAN BE COMPARED WITH ONE ANOTHER TO SEE HOW THEY DIFFER. THE RESULTS OF RECENT SCANS ARE STORED IN A SEARCHABLE DATABASE.