30 Helpful Nmap Commands For Pentester or System Admins

Helpful Nmap Commands For Pentester - picateshackz.com

Nmap is short for Network Mapper. It is an open source security tool for network exploration, security scanning and auditing. However, nmap command comes with lots of options that can make the utility more robust and difficult to follow for new users.

The purpose of this post is to introduce a user to the nmap command line tool to scan a host and/or network, so to find out the possible vulnerable points in the hosts. You will also learn how to use Nmap for offensive and defensive purposes.

Helpful Nmap Commands For Pentester - picateshackz.com

More about nmap

From the man page:

NMAP (“NETWORK MAPPER”) IS AN OPEN SOURCE TOOL FOR NETWORK EXPLORATION AND SECURITY AUDITING. IT WAS DESIGNED TO RAPIDLY SCAN LARGE NETWORKS, ALTHOUGH IT WORKS FINE AGAINST SINGLE HOSTS. NMAP USES RAW IP PACKETS IN NOVEL WAYS TO DETERMINE WHAT HOSTS ARE AVAILABLE ON THE NETWORK, WHAT SERVICES (APPLICATION NAME AND VERSION) THOSE HOSTS ARE OFFERING, WHAT OPERATING SYSTEMS (AND OS VERSIONS) THEY ARE RUNNING, WHAT TYPE OF PACKET FILTERS/FIREWALLS ARE IN USE, AND DOZENS OF OTHER CHARACTERISTICS. WHILE NMAP IS COMMONLY USED FOR SECURITY AUDITS, MANY SYSTEMS AND NETWORK ADMINISTRATORS FIND IT USEFUL FOR ROUTINE TASKS SUCH AS NETWORK INVENTORY, MANAGING SERVICE UPGRADE SCHEDULES, AND MONITORING HOST OR SERVICE UPTIME.

Recommended: Nmap Tutorial: How To Hack ADSL Router Using NMAP Tool

It was originally written by Gordon Lyon and it can answer the following questions easily:
  1. What computers did you find running on the local network?
  2. What IP addresses did you find running on the local network?
  3. What is the operating system of your target machine?
  4. Find out what ports are open on the machine that you just scanned?
  5. Find out if the system is infected with malware or virus.
  6. Search for unauthorized servers or network service on your network.
  7. Find and remove computers which don’t meet the organization’s minimum level of security.

Sample setup (LAB)

Port scanning may be illegal in some jurisdictions. So setup a lab as follows:
Where,
  • wks01 is your computer either running Linux/OS X or Unix like operating system. It is used for scanning your local network. The nmap command must be installed on this computer.
  • server1 can be powered by Linux / Unix / MS-Windows operating systems. This is an unpatched server. Feel free to install a few services such as a web-server, file server and so on.
  • server2 can be powered by Linux / Unix / MS-Windows operating systems. This is a fully patched server with firewall. Again, feel free to install few services such as a web-server, file server and so on.
  • All three systems are connected via switch.

#1: Scan a single host or an IP address (IPv4)

Sample outputs:

Helpful Nmap Commands For Pentester - picateshackz.com

Fig.01: nmap output
#2: Scan multiple IP address or subnet (IPv4)
You can scan a range of IP address too:
You can scan a range of IP address using a wildcard:
Finally, you scan an entire subnet:

#3: Read list of hosts/networks from a file (IPv4)

The -iL option allows you to read the list of target systems using a text file. This is useful to scan a large number of hosts/networks. Create a text file as follows:
cat > /tmp/test.txt
Sample outputs:
The syntax is:

#4: Excluding hosts/networks (IPv4)

When scanning a large number of hosts/networks you can exclude hosts from a scan:
OR exclude list from a file called /tmp/exclude.txt

#5: Turn on OS and version detection scanning script (IPv4)

#6: Find out if a host/network is protected by a firewall

#7: Scan a host when protected by the firewall

#8: Scan an IPv6 host/address

The -6 option enable IPv6 scanning. The syntax is:

#9: Scan a network and find out which servers and devices are up and running

This is known as host discovery or ping scan:
Sample outputs:

#10: How do I perform a fast scan?

#11: Display the reason a port is in a particular state

#12: Only show open (or possibly open) ports

#13: Show all packets sent and received

14#: Show host interfaces and routes

This is useful for debugging (ip command or route command or netstat command like output using nmap)
Sample outputs:

#15: How do I scan specific ports?

Sample outputs:

#16: The fastest way to scan all your devices/computers for open ports ever

#17: How do I detect remote operating system?

You can identify a remote host apps and OS using the -O option:
Sample outputs:
See also: Fingerprinting a web-server and a dns server command line tools for more information.

#18: How do I detect remote services (server / daemon) version numbers?

Sample outputs:

#19: Scan a host using TCP ACK (PA) and TCP Syn (PS) ping

If firewall is blocking standard ICMP pings, try the following host discovery methods:

#20: Scan a host using IP protocol ping

#21: Scan a host using UDP ping

This scan bypasses firewalls and filters that only screen TCP:

#22: Find out the most commonly used TCP ports using TCP SYN Scan

#23: Scan a host for UDP services (UDP scan)

Most popular services on the Internet run over the TCP protocol. DNS, SNMP, and DHCP are three of the most common UDP services. Use the following syntax to find out UDP services:
Sample outputs:

#24: Scan for IP protocol

This type of scan allows you to determine which IP protocols (TCP, ICMP, IGMP, etc.) are supported by target machines:

#25: Scan a firewall for security weakness

The following scan types exploit a subtle loophole in the TCP and good for testing security of common attacks:
See how to block Xmas packkets, syn-floods and other conman attacks with iptables.

#26: Scan a firewall for packets fragments

The -f option causes the requested scan (including ping scans) to use tiny fragmented IP packets. The idea is to split up the TCP header over
several packets to make it harder for packet filters, intrusion detection systems, and other annoyances to detect what you are doing.

#27: Cloak a scan with decoys

The -D option it appear to the remote host that the host(s) you specify as decoys are scanning the target network too. Thus their IDS might report 5-10 port scans from unique IP addresses, but they won’t know which IP was scanning them and which were innocent decoys:

#28: Scan a firewall for MAC address spoofing

#29: How do I save output to a text file?

The syntax is:

#30: Not a fan of command line tools?

ZENMAP IS THE OFFICIAL NMAP SECURITY SCANNER GUI. IT IS A MULTI-PLATFORM (LINUX, WINDOWS, MAC OS X, BSD, ETC.) FREE AND OPEN SOURCE APPLICATION WHICH AIMS TO MAKE NMAP EASY FOR BEGINNERS TO USE WHILE PROVIDING ADVANCED FEATURES FOR EXPERIENCED NMAP USERS. FREQUENTLY USED SCANS CAN BE SAVED AS PROFILES TO MAKE THEM EASY TO RUN REPEATEDLY. A COMMAND CREATOR ALLOWS INTERACTIVE CREATION OF NMAP COMMAND LINES. SCAN RESULTS CAN BE SAVED AND VIEWED LATER. SAVED SCAN RESULTS CAN BE COMPARED WITH ONE ANOTHER TO SEE HOW THEY DIFFER. THE RESULTS OF RECENT SCANS ARE STORED IN A SEARCHABLE DATABASE.

You can install zenmap using the following apt-get command:
$ sudo apt-get install zenmap
Sample outputs:
Type the following command to start zenmap:
$ sudo zenmap
Sample outputs
Helpful Nmap Commands For Pentester - picateshackz.com

Source: http://www.cyberciti.biz/

Recommended Articles To Become Hacker:

Sharing is caring!

One thought on “30 Helpful Nmap Commands For Pentester or System Admins

  1. SAFE AND TRUSTED
    Here is a team of hackers who can hack someone’s account and track the person down in a short period of time. They also have spywares that can help monitor who you want to monitor. If you are interested, you can contact them via mail at westernunionhackers2011@gmail.com.

Leave a Reply

Your email address will not be published. Required fields are marked *

Related Posts

Begin typing your search above and press enter to search. Press ESC to cancel.

Back To Top

So glad to see you sticking around!

Want to be the first one to receive the new stuff?

Enter your email address below and we'll send you the goodies straight to your inbox.

Thank You For Subscribing

This means the world to us!

Spamming is not included! Pinky promise.