Nmap Commands
Last updated
| Command | Description |
|---|---|
| `nmap -p- --min-rate=10000 <Target IP>` | Fast scan of all TCP ports (ideal for CTFs, not for real-world targets) |
| `nmap -p 1-65535 -T4 -A -v <Target IP>` | Perform an intense scan on all TCP ports |
| `nmap -p <Ports> <Target IP>` | Run Nmap to identify IoT devices using insecure HTTP ports for transmitting data |
| `nmap -T4 -A -v -Pn <Target IP>` | Perform an intense scan with no ping |
| `nmap -T4 -A -v -PE -PS<Ports> -PA<Ports> <Target URL>` | Footprint web infrastructure: service discovery |
| `nmap -sn <Target IP>` | Perform a ping scan |
| `nmap -sn <Target IP/Subnet>` | Disable port scanning, host discovery only |
| `nmap -sn -PR <Target IP>` | ARP ping scan |
| `nmap -sn -PU <Target IP>` | UDP ping scan |
| `nmap -sn -PE <Target IP>` | ICMP ECHO ping scan |
| `nmap -sn -PE <IP Range>` | ICMP ECHO ping sweep |
| `nmap -sn -PP <Target IP>` | ICMP timestamp ping scan |
| `nmap -sn -PM <Target IP>` | ICMP address mask ping scan |
| `nmap -sn -PS <Target IP>` | TCP SYN ping scan |
| `nmap -sn -PA <Target IP>` | TCP ACK ping scan |
| `nmap -sn -PO <Target IP>` | IP protocol ping scan |
| `nmap -sT -v <Target IP>` | TCP Connect / full open scan |
| `nmap -sS -v <Target IP>` | Stealth scan (half-open scan) |
| `nmap -sX -v <Target IP>` | Xmas scan |
| `nmap -sM -v <Target IP>` | TCP Maimon scan |
| `nmap -sA -v <Target IP>` | TCP ACK scan |
| `nmap --badsum <Target IP>` | Sending bad checksums |
| `nmap --script smb-os-discovery.nse <Target IP>` | OS discovery using the Nmap Scripting Engine |
| `nmap -sV -T4 -O -F --version-light <Target IP>` | Perform quick scan plus |
| `nmap -sV -T4 -O -F --version-light scanme.nmap.org` | Perform quick scan plus (against scanme.nmap.org) |
| `nmap -sV -O -p <Ports> <Target IP>` and `nmap -sV --script http-enum <Target IP>` | NSE scripts to enumerate information about the target website / web servers |
| `nmap <Target IP> -p 80 --script http-frontpage-login` | Checks whether target machines are vulnerable to anonymous FrontPage login |
| `nmap --script http-passwd --script-args http-passwd.root=<Path> <Target IP>` | Checks if a web server is vulnerable to directory traversal by attempting to retrieve /etc/passwd or \boot.ini |
| `nmap -sV --script http-enum <Target Domain>` | Analyze web applications: identify exposed files and directories of the target web server |
| `nmap -iL list-of-ips.txt` | Scan targets from a text file |
| `nmap --script=sniffer-detect <Target IP/IP Range>` | Detect a NIC in promiscuous mode |
| `nmap <Target IP> --data 0xdeadbeef` | Create custom packets by appending custom binary data |
| `nmap <Target IP> --data-string "ph34r my l33t skills"` | Create custom packets by appending a custom string |
| `nmap <Target IP> --data-length 5` | Create custom packets by appending random data |
| `nmap -sU -p 500 <Target IP>` | Check the status of ISAKMP on UDP port 500 |
| `nmap -sR <Target IP/Network>` | Identify the RPC services running on the network |
| `nmap --script hostmap <Host>` | Discover virtual domains with hostmap |
| `nmap --script http-trace -p80 localhost` | Detect a vulnerable server that allows the TRACE method |
| `nmap --script http-google-email <Host>` | Harvest email accounts with http-google-email |
| `nmap -p80 --script http-userdir-enum localhost` | Enumerate users with http-userdir-enum |
| `nmap -p80 --script http-trace <Host>` | Detect HTTP TRACE |
| `nmap -p80 --script http-waf-detect --script-args="http-waf-detect.uri=/testphp.vulnweb.com/artists.php,http-waf-detect.detectBodyChanges" www.modsecurity.org` | Check if a web server is protected by a WAF/IPS |
| `nmap --script http-enum -p80 <Host>` | Enumerate common web applications |
| `nmap -p80 --script http-robots.txt <Host>` | Obtain robots.txt |
| `nmap -p80 --script http-test.txt <Host>` | Obtain test.txt |
| `nmap --script=asn-query,whois,ip-geolocation-maxmind <Target IP>` | IP address information |
| `nmap --script=http-title <Target IP/Subnet>` | Gather page titles from HTTP services |
| `nmap --script=http-headers <Target IP/Subnet>` | Get HTTP headers of web services |
| `nmap --script=http-enum <Target IP/Subnet>` | Find web apps from known paths |
| `nmap -n -Pn -sSU -pT:0-65535,U:0-65535 -v -A -oX <File> <Target IP>` | Perform a complete scan of an IoT device that checks for both TCP and UDP services and ports |
| `nmap -sS -T4 -A -f -v <Target IP>` | Packet fragmentation / SYN/FIN scan using Nmap |
| `nmap -g 80 <Target IP>` | Source port manipulation: use the given source port number |
| `nmap -sU -A -Pn -n -pU:19,53,123,161 --script=ntp-monlist,dns-recursion,snmp-sysdescr <Target IP/Network>` | Scan for UDP DDoS reflectors |
| `nmap -6 -n -Pn -sSU -pT:0-65535,U:0-65535 -v -A -oX <File> <Target IP>` | Identify the IPv6 capabilities of a device |
| `nmap -T4 -A -v <Target IP>` | Perform an intense scan |
| `nmap -T4 -A <Target IP/Subnet>` | RPC enumeration: identify vulnerable services on the target's service ports |
| `nmap -p 23 <Target Domain>` | Telnet enumeration |
| `nmap -p 23 --script telnet-ntlm-info <Target IP>` | Enumerate information from remote Microsoft Telnet services with NTLM authentication enabled |
| `nmap -p 23 --script telnet-brute.nse --script-args <Args> <Target IP>` | Perform a brute-force attack against a Telnet server |
| `nmap -p 445 -A <Target IP>` | SMB enumeration: enumerate the SMB service running on the target IP address |
| `nmap -p 21 <Target Domain>` | FTP enumeration |
| `nmap -p 69 <Target Domain>` | Enumerate the TFTP service running on the target domain |
| `nmap -p 179 <Target IP>` | BGP enumeration |
| `nmap -sS -sU -T4 -A -v <Target IP>` | Perform an intense scan including UDP |
| `nmap -sV -v -p 139,445 <Target IP/Subnet>` | Detect all exposed NetBIOS servers on the subnet |
| `nmap -sV -v --script nbstat.nse <Target IP>` | Nmap's nbstat NSE script retrieves the target's NetBIOS names and MAC addresses |
| `nmap -sU --script nbstat.nse -p 137 <Target IP>` | Find the target's NetBIOS name |
| `nmap --script-args=unsafe=1 --script smb-check-vulns.nse -p 445 <Target IP>` | Check if NetBIOS servers are vulnerable to MS08-067 |
| `nmap -sV --version-intensity 0 <Target IP>` | Lighter banner grabbing / service detection |
| `nmap -sV --version-intensity 5 <Target IP>` | More aggressive service detection |
| `nmap -sV <Target IP>` | Attempts to determine the version of the running services (standard service detection; "Service Version Discovery" in Zenmap) |
| `nmap --script-help=ssl-heartbleed` | Get help for a script |
| `nmap --script dns-zonetransfer.nse --script-args dns-zonetransfer.domain=<Domain> -p53 <Hosts>` | Attempts to pull a zone file (AXFR) from a DNS server |
| `nmap --script http-robots.txt <Hosts>` | Harvests robots.txt files from discovered web servers |
| `nmap --script smb-brute.nse -p445 <Hosts>` | Attempts to determine valid username and password combinations via automated guessing |
| `nmap --script smb-psexec.nse --script-args=smbuser=<Username>,smbpass=<Password>[,config=<Config>] -p445 <Hosts>` | Attempts to run a series of programs on the target machine, using credentials provided as script arguments |
| `nmap -sV -p 443 --script=ssl-heartbleed <Target IP/Subnet>` | Detect the Heartbleed SSL vulnerability |
| `nmap <Target IP>-50 -sL --dns-server <DNS Server IP>` | Query the internal DNS for hosts, list targets only |
| `nmap -iR 10 -sn --traceroute` | Traceroute to random targets, no port scan |
| `nmap <Target IP>/24 -PR -sn -vv` | ARP discovery only on the local network, no port scan |
| `nmap -iR 10 -PS22-25,80,113,1050,35000 -v -sn` | Discovery only on the given ports, no port scan |
| `nmap -sP <Target IP/Subnet>` | Ping scans the network, listing machines that respond to ping |
| `nmap -v -sS -A -T4 <Target IP>` | Prints verbose output, runs a stealth SYN scan, T4 timing, OS and version detection, traceroute and scripts against target services |
| `nmap -v -sV -O -sS -T5 <Target IP>` | Prints verbose output, runs a stealth SYN scan, T5 timing, OS and version detection |
| `nmap -iL ip-addresses.txt` | Scans a list of IP addresses |
| `nmap -Pn -p- -sI <Zombie IP> <Target IP>` | Idle (zombie) scan |
| `nmap -b <FTP Relay Host> <Target IP>` | FTP bounce scan; the relay host is the name or IP address of a vulnerable FTP server, given as `<username>:<password>@<server>:<port>` |
| `nmap -T0 <Target IP>` | Paranoid (0): Intrusion Detection System evasion |
| `nmap -T1 <Target IP>` | Sneaky (1): Intrusion Detection System evasion |
| `nmap -T2 <Target IP>` | Polite (2): slows down the scan to use less bandwidth and fewer target machine resources |
| `nmap -T3 <Target IP>` | Normal (3): default speed |
| `nmap -T4 <Target IP>` | Aggressive (4): speeds up the scan; assumes you are on a reasonably fast and reliable network |
| `nmap -T5 <Target IP>` | Insane (5): speeds up the scan; assumes you are on an extraordinarily fast network |
| `nmap --script=ftp <Target IP>` | Scan with a single script |
| `nmap --script="http*" <Target IP>` | Scan with a wildcard script |
| `nmap --script=banner,http <Target IP>` | Scan with two scripts |
| `nmap --script "not intrusive" <Target IP>` | Scan with the default scripts, but remove intrusive ones |
| `nmap -Pn --script=http-sitemap-generator xyz.com` | HTTP site map generator |
| `nmap -n -Pn -p 80 --open -sV -vvv --script banner,http-title -iR 1000` | Fast search for random web servers |
| `nmap -Pn --script=dns-brute xyz.com` | Brute-forces DNS hostnames by guessing subdomains |
| `nmap -n -Pn -vv -O -sV --script "smb-enum*,smb-ls,smb-mbenum,smb-os-discovery,smb-s*,smb-vuln*,smbv2*" <Target IP>` | Safe SMB scripts to run |
| `nmap --script "whois*" <Target Domain>` | Whois query |
| `nmap -p80 --script http-unsafe-output-escaping <Target Website>` | Detect cross-site scripting vulnerabilities |
| `nmap -p80 --script http-sql-injection <Target>` | Check for SQL injection |
| `nmap --data-length <N> <Target IP>` | Appends random data to sent packets |
| `nmap -oN file.file --append-output <Target IP>` | Append a scan to a previous scan file |
| `nmap --iflist` | Shows the host's interfaces and routes |
| `nmap -6 2607:f0d2:5664:51::5` | Enable IPv6 scanning |
| `nmap -T0 -b username:password@ftpserver.tld:21 victim.tld` | Uses the username "username", the password "password", the FTP server "ftpserver.tld" and port 21 on that server to scan victim.tld |
| `nmap -sU -sT -p U:<Ports>,T:<Ports> <Target IP>` | Scan ports by protocol |
| `nmap -sV --version-trace <Target IP>` | Troubleshoot version scans |
| `nmap --script <script.nse> <Target IP>` | Execute an individual script |
| `nmap --script <expression> <Target IP>` | Execute multiple scripts |
| `nmap --script <category> <Target IP>` | Execute scripts by category |
| `nmap --script <category1,category2,...> <Target IP>` | Execute multiple script categories |
| `nmap --script <script> --script-trace <Target IP>` | Troubleshoot scripts |
| `docker -H <Docker Host> run --network=host --rm marsmensch/nmap -oX - <IP Range>` | Use Nmap to scan the Docker host's internal network to identify running services |
| `ndiff scan1.xml scan2.xml` | Comparison using Ndiff |
| `ndiff -v scan1.xml scan2.xml` | Ndiff verbose mode |
| `ndiff --xml scan1.xml scan2.xml` | XML output mode |