Nmap Commands

| Command | Description |
| --- | --- |
| `nmap -p- --min-rate=10000 <Target IP>` | Fast scan of all TCP ports (suited to CTFs, not to real-world targets) |
| `nmap -p 1-65535 -T4 -A -v <Target IP>` | Perform an intense scan on all TCP ports |
| `nmap -p <ports> <Target IP>` | Identify IoT devices using insecure HTTP ports for transmitting data |
| `nmap -T4 -A -v -Pn <Target IP>` | Perform an intense scan with no ping |
| `nmap -T4 -A -v -PE -PS<ports> -PA<ports> <Target URL>` | Footprint web infrastructure: service discovery |
| `nmap -sn <Target IP>` | Perform a ping scan |
| `nmap -sn <Target IP/Subnet>` | Disable port scanning, host discovery only |
| `nmap -sn -PR <Target IP>` | ARP ping scan |
| `nmap -sn -PU <Target IP>` | UDP ping scan |
| `nmap -sn -PE <Target IP>` | ICMP ECHO ping scan |
| `nmap -sn -PE <IP range>` | ICMP ECHO ping sweep |
| `nmap -sn -PP <Target IP>` | ICMP timestamp ping scan |
| `nmap -sn -PM <Target IP>` | ICMP address mask ping scan |
| `nmap -sn -PS <Target IP>` | TCP SYN ping scan |
| `nmap -sn -PA <Target IP>` | TCP ACK ping scan |
| `nmap -sn -PO <Target IP>` | IP protocol ping scan |
| `nmap -sT -v <Target IP>` | TCP connect / full open scan |
| `nmap -sS -v <Target IP>` | Stealth scan (half-open SYN scan) |
| `nmap -sX -v <Target IP>` | Xmas scan |
| `nmap -sM -v <Target IP>` | TCP Maimon scan |
| `nmap -sA -v <Target IP>` | TCP ACK scan |
| `nmap --badsum <Target IP>` | Send packets with bad checksums |
| `nmap --script smb-os-discovery.nse <Target IP>` | OS discovery using the Nmap Scripting Engine |
| `nmap -sV -T4 -O -F --version-light <Target IP>` | Quick scan plus (Zenmap profile) |
| `nmap -sV -T4 -O -F --version-light scanme.nmap.org` | Quick scan plus against scanme.nmap.org |
| `nmap -sV -O -p <ports> <Target IP>`; `nmap -sV --script http-enum <Target IP>` | NSE scripts to enumerate information about the target website / web server |
| `nmap <Target IP> -p 80 --script http-frontpage-login` | Checks whether the target is vulnerable to anonymous FrontPage login |
| `nmap --script http-passwd --script-args http-passwd.root=<path> <Target IP>` | Checks if a web server is vulnerable to directory traversal by attempting to retrieve /etc/passwd or \boot.ini |
| `nmap -sV --script http-enum <Target domain>` | Analyze web applications: identify exposed files and directories on the target web server |
| `nmap -iL list-of-ips.txt` | Scan targets listed in a text file |
| `nmap --script=sniffer-detect <Target IP / IP range>` | Detect NICs in promiscuous mode |
| `nmap <Target IP> --data 0xdeadbeef` | Create custom packets by appending custom binary data |
| `nmap <Target IP> --data-string "ph34r my \|33t skills"` | Create custom packets by appending a custom string |
| `nmap <Target IP> --data-length 5` | Create custom packets by appending random data |
| `nmap -sU -p 500 <Target IP>` | Check the status of ISAKMP on UDP port 500 |
| `nmap -sR <Target IP/network>` | Identify RPC services running on the network (`-sR` is now an alias for `-sV`) |
| `nmap --script hostmap <host>` | Discover virtual domains with hostmap |
| `nmap --script http-trace -p80 localhost` | Detect a vulnerable server that allows the TRACE method |
| `nmap --script http-google-email <host>` | Harvest email accounts with http-google-email |
| `nmap -p80 --script http-userdir-enum localhost` | Enumerate users with http-userdir-enum |
| `nmap -p80 --script http-trace <host>` | Detect HTTP TRACE |
| `nmap -p80 --script http-waf-detect --script-args="http-waf-detect.uri=/testphp.vulnweb.com/artists.php,http-waf-detect.detectBodyChanges" www.modsecurity.org` | Check whether a web server is protected by a WAF/IPS |
| `nmap --script http-enum -p80 <host>` | Enumerate common web applications |
| `nmap -p80 --script http-robots.txt <host>` | Obtain robots.txt |
| `nmap -p80 --script http-test.txt <host>` | Obtain test.txt |
| `nmap --script=asn-query,whois,ip-geolocation-maxmind <Target IP>` | IP address information |
| `nmap --script=http-title <Target IP/Subnet>` | Gather page titles from HTTP services |
| `nmap --script=http-headers <Target IP/Subnet>` | Get HTTP headers of web services |
| `nmap --script=http-enum <Target IP/Subnet>` | Find web apps from known paths |
| `nmap -n -Pn -sSU -pT:0-65535,U:0-65535 -v -A -oX <output file> <Target IP>` | Complete scan of an IoT device covering both TCP and UDP ports and services |
| `nmap -sS -T4 -A -f -v <Target IP>` | Packet fragmentation / SYN scan |
| `nmap -g 80 <Target IP>` | Source port manipulation: use the given source port number |
| `nmap -sU -A -Pn -n -pU:19,53,123,161 --script=ntp-monlist,dns-recursion,snmp-sysdescr <Target IP/network>` | Scan for UDP DDoS reflectors |
| `nmap -6 -n -Pn -sSU -pT:0-65535,U:0-65535 -v -A -oX <output file> <Target IP>` | Identify the IPv6 capabilities of a device |
| `nmap -T4 -A -v <Target IP>` | Perform an intense scan |
| `nmap -T4 -A <Target IP/Subnet>` | RPC enumeration to identify vulnerable services on service ports |
| `nmap -p 23 <Target Domain>` | Telnet enumeration |
| `nmap -p 23 --script telnet-ntlm-info <Target IP>` | Enumerate information from remote Microsoft Telnet services with NTLM authentication enabled |
| `nmap -p 23 --script telnet-brute.nse --script-args <args> <Target IP>` | Brute-force attack against a Telnet server |
| `nmap -p 445 -A <Target IP>` | SMB enumeration: enumerate the SMB service running on the target |
| `nmap -p 21 <Target Domain>` | FTP enumeration |
| `nmap -sU -p 69 <Target Domain>` | Enumerate the TFTP service (UDP/69) running on the target domain |
| `nmap -p 179 <Target IP>` | BGP enumeration |
| `nmap -sS -sU -T4 -A -v <Target IP>` | Intense scan including UDP |
| `nmap -sV -v -p 139,445 <Target IP/Subnet>` | Detect all exposed NetBIOS servers on the subnet |
| `nmap -sV -v --script nbstat.nse <Target IP>` | Nmap's nbstat NSE script retrieves the target's NetBIOS names and MAC addresses |
| `nmap -sU --script nbstat.nse -p 137 <Target IP>` | Find the target's NetBIOS name |
| `nmap --script-args=unsafe=1 --script smb-check-vulns.nse -p 445 <Target IP>` | Check whether NetBIOS servers are vulnerable to MS08-067 |
| `nmap -sV --version-intensity 0 <Target IP>` | Lighter banner grabbing / service detection |
| `nmap -sV --version-intensity 5 <Target IP>` | More aggressive service detection |
| `nmap -sV <Target IP>` | Standard service version detection (Service Version Discovery in Zenmap) |
| `nmap --script-help=ssl-heartbleed` | Get help for a script |
| `nmap --script dns-zonetransfer.nse --script-args dns-zonetransfer.domain=<domain> -p53 <hosts>` | Attempts to pull a zone file (AXFR) from a DNS server |
| `nmap --script http-robots.txt <hosts>` | Harvests robots.txt files from discovered web servers |
| `nmap --script smb-brute.nse -p445 <hosts>` | Attempts to determine valid username and password combinations via automated guessing |
| `nmap --script smb-psexec.nse --script-args=smbuser=<username>,smbpass=<password>[,config=<config>] -p445 <hosts>` | Attempts to run a series of programs on the target machine, using the credentials provided as script args |
| `nmap -sV -p 443 --script=ssl-heartbleed <Target IP/Subnet>` | Detect the Heartbleed SSL vulnerability |
| `nmap <Target IP>-50 -sL --dns-server <DNS server IP>` | Query the internal DNS for hosts, list targets only |
| `nmap -iR 10 -sn --traceroute` | Traceroute to random targets, no port scan |
| `nmap <Target IP>/24 -PR -sn -vv` | ARP discovery only on the local network, no port scan |
| `nmap -iR 10 -PS22-25,80,113,1050,35000 -v -sn` | Host discovery only, probing the listed ports, no port scan |
| `nmap -sP <Target IP/Subnet>` | Ping scans the network, listing machines that respond to ping |
| `nmap -v -sS -A -T4 <Target IP>` | Verbose output, stealth SYN scan, T4 timing, OS and version detection, traceroute and scripts against target services |
| `nmap -v -sV -O -sS -T5 <Target IP>` | Verbose output, stealth SYN scan, T5 timing, OS and version detection |
| `nmap -iL ip-addresses.txt` | Scans a list of IP addresses |
| `nmap -Pn -p- -sI <zombie IP> <Target IP>` | Idle scan via a zombie host |
| `nmap -b <FTP relay host> <Target IP>` | FTP bounce scan; the relay host is the name or IP address of a vulnerable FTP server |
| `nmap -T0 <Target IP>` | Paranoid (0): intrusion detection system evasion |
| `nmap -T1 <Target IP>` | Sneaky (1): intrusion detection system evasion |
| `nmap -T2 <Target IP>` | Polite (2): slows the scan to use less bandwidth and fewer target machine resources |
| `nmap -T3 <Target IP>` | Normal (3): default speed |
| `nmap -T4 <Target IP>` | Aggressive (4): speeds up the scan; assumes a reasonably fast and reliable network |
| `nmap -T5 <Target IP>` | Insane (5): speeds up the scan; assumes an extraordinarily fast network |
| `nmap --script=ftp <Target IP>` | Scan with a single script |
| `nmap --script=http* <Target IP>` | Scan with a wildcard script selection |
| `nmap --script=banner,http <Target IP>` | Scan with two scripts |
| `nmap --script "not intrusive" <Target IP>` | Run the default scripts, excluding intrusive ones |
| `nmap -Pn --script=http-sitemap-generator xyz.com` | HTTP site map generator |
| `nmap -n -Pn -p 80 --open -sV -vvv --script banner,http-title -iR 1000` | Fast search for random web servers |
| `nmap -Pn --script=dns-brute xyz.com` | Brute-force DNS hostnames by guessing subdomains |
| `nmap -n -Pn -vv -O -sV --script smb-enum*,smb-ls,smb-mbenum,smb-os-discovery,smb-s*,smb-vuln*,smbv2* -vv <Target IP>` | Safe SMB scripts to run |
| `nmap --script "whois*" <Target Domain>` | Whois query |
| `nmap -p80 --script http-unsafe-output-escaping <Target Website>` | Detect cross-site scripting vulnerabilities |
| `nmap -p80 --script http-sql-injection <Target>` | Check for SQL injection |
| `nmap --data-length <x> <Target IP>` | Append random data to sent packets |
| `nmap -oN file.file --append-output <Target IP>` | Append a scan to a previous scan file |
| `nmap --iflist` | Show the host's interfaces and routes |
| `nmap -6 2607:f0d2:5664:51::5` | Enable IPv6 scanning |
| `nmap -T0 -b username:password@ftpserver.tld:21 victim.tld` | Uses the username "username", the password "password", the FTP server "ftpserver.tld" and port 21 on that server to scan victim.tld |
| `nmap -sU -sT -p U:[ports],T:[ports] <Target IP>` | Scan ports by protocol |
| `nmap -sV --version-trace <Target IP>` | Troubleshoot version scans |
| `nmap --script [script.nse] <Target IP>` | Execute an individual script |
| `nmap --script [expression] <Target IP>` | Execute multiple scripts |
| `nmap --script [category] <Target IP>` | Execute scripts by category |
| `nmap --script [category1,category2,...] <Target IP>` | Execute multiple script categories |
| `nmap --script [script] --script-trace <Target IP>` | Troubleshoot scripts |
| `docker -H <docker host> run --network=host --rm marsmensch/nmap -oX <output file> <IP Range>` | Use Nmap to scan the Docker host's internal network and identify running services |
| `ndiff [scan1.xml] [scan2.xml]` | Compare two scans using Ndiff |
| `ndiff -v [scan1.xml] [scan2.xml]` | Ndiff verbose mode |
| `ndiff --xml [scan1.xml] [scan2.xml]` | Ndiff XML output mode |