Nmap Commands
Command | Description |
---|---|
| Perform a fast scan of all ports (ideal for CTFs, not for real-world targets) |
| Perform intense scan on all TCP ports |
| Run Nmap to identify IoT devices using insecure HTTP ports for transmitting data |
| Perform Intense scan with no ping |
| Footprint Web Infrastructure: Service Discovery |
| Perform ping scan |
| Disable port scanning, host discovery only |
| ARP Ping Scan |
| UDP Ping Scan |
| ICMP ECHO Ping Scan |
| ICMP ECHO Ping Sweep |
| ICMP Timestamp Ping Scan |
| ICMP Address Mask Ping Scan |
| TCP SYN Ping Scan |
| TCP ACK Ping Scan |
| IP Protocol Ping Scan |
| TCP Connect/ Full Open Scan |
| Stealth Scan (Half-open Scan) |
| Xmas Scan |
| TCP Maimon Scan |
| TCP Connect/ Full Open Scan |
| Sending Bad Checksums |
| OS Discovery using Nmap Script Engine |
| Perform quick scan plus |
| Perform quick scan plus |
| NSE scripts to enumerate information about the target website/ web servers |
| Checks whether target machines are vulnerable to anonymous Frontpage login |
| Checks if a web server is vulnerable to directory traversal by attempting to retrieve /etc/passwd or \boot.ini |
| Analyze Web Applications: Identify exposed Files and Directories of the target webserver |
| Scan targets from a text file |
| Command to detect NIC in promiscuous mode |
| Create Custom Packets by Appending Custom Binary Data |
| Create Custom Packets by Appending Custom String |
| Create Custom Packets by Appending Random Data |
| Perform a check on the status of ISAKMP over port 500 |
| Identify the RPC service running on the network |
| Discover virtual domains with hostmap |
| Detect a vulnerable server that uses the TRACE method |
| Harvest email accounts with http-google-email |
| Enumerate users with http-userdir-enum |
| Detect HTTP TRACE |
| Check if web server is protected by WAF/IPS |
| Enumerate common web applications |
| Obtain robots.txt |
| Obtain test.txt |
| IP address Information |
| Gather page titles from HTTP services |
| Get HTTP headers of web services |
| Find web apps from known paths |
| Perform complete scan of the IoT device that checks for both TCP and UDP services and ports |
| Packet Fragmentation/ SYN/FIN scan using Nmap |
| Source Port Manipulation/ Use given source port number |
| Scan for UDP DDoS reflectors |
| Identify the IPv6 capabilities of a device |
| Perform intense scan |
| Identify vulnerable services on a service port, as attackers do, using RPC enumeration |
| Telnet Enumeration |
| Enumerate information from remote Microsoft Telnet services with NTLM authentication enabled |
| Perform brute-force attack against telnet server |
| Enumerate SMB service running on the target IP address/ SMB Enumeration |
| FTP Enumeration |
| Enumerate TFTP service running on the target domain |
| BGP Enumeration |
| Perform intense scan and scanning for UDP |
| Detect all exposed NetBIOS servers on the subnet |
| Nmap’s nbstat NSE script allows attackers to retrieve the target’s NetBIOS names and MAC addresses |
| Find target NetBIOS name |
| Check if NetBIOS servers are vulnerable to MS08-067 |
| Lighter banner grabbing detection |
| More aggressive Service Detection |
| Attempts to determine the version of service running/ Standard service detection/ Service Version Discovery in Zenmap |
| Get help for a script |
| Attempts to pull a zone file (AXFR) from a DNS server |
| Harvests robots.txt files from discovered web servers |
| Attempts to determine valid username and password combinations via automated guessing |
| Attempts to run a series of programs on the target machine, using credentials provided as scriptargs |
| Detect Heartbleed SSL Vulnerability |
| Query the Internal DNS for hosts, list targets only |
| Traceroute to random targets, no port scan |
| ARP discovery only on local network, no port scan |
| Discovery only on ports x, no port scan |
| Ping scans the network, listing machines that respond to ping |
| Prints verbose output, runs stealth SYN scan, T4 timing, OS and version detection, traceroute and scripts against target services |
| Prints verbose output, runs stealth SYN scan, T5 timing, OS and version detection |
| Scans a list of IP addresses |
| Check if NetBIOS servers are vulnerable to MS08-067 |
| Attack |
| FTP Bounce Scan (argument format username:password@server:port; server is the name or IP address of a vulnerable FTP server) |
| Paranoid (0) Intrusion Detection System evasion |
| Sneaky (1) Intrusion Detection System evasion |
| Polite (2) slows down the scan to use less bandwidth and use less target machine resources |
| Normal (3) default speed |
| Aggressive (4) speeds scan; assumes you are on a reasonably fast and reliable network |
| Insane (5) speeds scan; assumes you are on extraordinarily fast network |
| Scan with a single script |
| Scan with a wildcard script |
| Scan with two scripts |
| Scan default, but remove intrusive scripts |
| HTTP site map generator |
| Fast search for random web servers |
| Brute-forces DNS hostnames by guessing subdomains |
| Safe SMB scripts to run |
| Whois query |
| Detect cross site scripting vulnerabilities |
| Check for SQL injections |
| Appends random data to sent packets |
| Append a scan to a previous scan file |
| Shows the host interface and routes |
| Enable IPv6 scanning |
| Uses the username “username”, the password “password”, the FTP server “ftpserver.tld” and port 21 on said server to scan victim.tld. |
| Scan ports by protocol |
| Troubleshooting version scans |
| Execute individual scripts |
| Execute multiple scripts |
| Execute scripts by category |
| Execute multiple script categories |
| Troubleshoot scripts |
| Use Nmap to scan the host’s internal network to identify running services |
| Comparison using Ndiff |
| Ndiff verbose mode |
| XML output mode |