Most Useful Nmap Scans and One-liners for the real world

This is my Running List of Most Useful Nmap Scans and One-Liners

  1. Scan a single port on a single IP address.
nmap -p 53 8.8.8.8
Starting Nmap 7.80 ( https://nmap.org ) at 2022-08-19 19:32 EDT
Nmap scan report for dns.google (8.8.8.8)
Host is up (0.015s latency).

PORT   STATE SERVICE
53/tcp open  domain

Nmap done: 1 IP address (1 host up) scanned in 0.11 seconds
  1. Ping scan.
nmap -sP 192.168.5.0/24
  1. Scan ALL ports on your own machine (e.g. localhost).
nmap -p 1-65535 localhost
  1. Scan two ports on a remote IP address.
nmap -p 80,443 192.168.1.1
  1. Scan multiple IP addresses (e.g. two).
nmap 192.168.1.1 8.8.8.8
  1. Scan consecutive IP addresses.
    1. This would scan IP addresses 192.168.1.1, 192.168.1.2, 192.168.1.3 and 192.168.1.4
nmap 192.168.1.1,2,3,4
  1. Scan an entire CIDR IP range.
    1. This would scan IP addresses 192.168.1.0, 192.168.1.1, 192.168.1.2 and 192.168.1.3
nmap 192.168.1.0/30

You can confirm the network range with sipcalc like so:

sipcalc 192.168.1.0/30
-[ipv4 : 192.168.1.0/30] - 0

[CIDR]
Host address		- 192.168.1.0
Host address (decimal)	- 3232235776
Host address (hex)	- C0A80100
Network address		- 192.168.1.0
Network mask		- 255.255.255.252
Network mask (bits)	- 30
Network mask (hex)	- FFFFFFFC
Broadcast address	- 192.168.1.3
Cisco wildcard		- 0.0.0.3
Addresses in network	- 4
Network range		- 192.168.1.0 - 192.168.1.3
Usable range		- 192.168.1.1 - 192.168.1.2

If you don't want to deal with or provide a network mask, you can express the same network range with the following format.

nmap 192.168.1.1-4

You can also use a wildcard to scan a class C range like so. The following Nmap command would scan all 256 IP addresses from 192.168.1.0 to 192.168.1.255:

nmap 192.168.1.*
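The four notations above (CIDR block, hyphenated range, comma list, wildcard) all reduce to a plain list of addresses, and, as the sipcalc check shows for the /30, it is worth confirming exactly which hosts a spec covers before you scan it. The following Python is an added example and not code from the original post: `expand_target` and `same_hosts` are names chosen here, and it implements only the IPv4 forms used on this page, not Nmap's full target grammar (no IPv6, no hostnames, no `--exclude`).

```python
import ipaddress
import itertools


def expand_target(spec: str) -> list[str]:
    """Expand an Nmap-style IPv4 target spec into the addresses it covers.

    Handles the forms used on this page: CIDR (192.168.1.0/30), per-octet
    ranges (192.168.1.1-4), per-octet lists (192.168.1.1,2,3,4) and
    wildcards (192.168.1.*).  Like Nmap, a CIDR block includes its network
    and broadcast addresses.
    """
    if "/" in spec:
        # strict=False mirrors Nmap: 192.168.1.1/24 means the whole 192.168.1.0/24
        network = ipaddress.ip_network(spec, strict=False)
        return [str(addr) for addr in network]

    octets = spec.split(".")
    if len(octets) != 4:
        raise ValueError(f"expected four dotted octets in {spec!r}")

    choices: list[list[int]] = []
    for octet in octets:
        values: set[int] = set()
        for part in octet.split(","):
            if part == "*":
                values.update(range(256))
            elif "-" in part:
                lo, hi = part.split("-", 1)
                # an empty bound defaults to 0 / 255, so a bare "-" covers the whole octet
                values.update(range(int(lo or 0), int(hi or 255) + 1))
            else:
                values.add(int(part))
        if not values or min(values) < 0 or max(values) > 255:
            raise ValueError(f"octet {octet!r} is outside 0-255")
        choices.append(sorted(values))

    # Cartesian product of the per-octet choices, in address order
    return [".".join(map(str, combo)) for combo in itertools.product(*choices)]


def same_hosts(*specs: str) -> bool:
    """True when every spec expands to exactly the same set of addresses."""
    expanded = [set(expand_target(s)) for s in specs]
    return all(e == expanded[0] for e in expanded[1:])


if __name__ == "__main__":
    for spec in ("192.168.1.0/30", "192.168.1.1-4", "192.168.1.1,2,3,4", "192.168.1.*"):
        hosts = expand_target(spec)
        print(f"{spec:<20} {len(hosts):>3} hosts  {hosts[0]} .. {hosts[-1]}")
    # The two range forms from the text cover the same four hosts; the /30 does not
    # (it starts at .0), which is the difference the sipcalc output makes visible.
    print("1-4 == 1,2,3,4:", same_hosts("192.168.1.1-4", "192.168.1.1,2,3,4"))
    print("1-4 == /30:    ", same_hosts("192.168.1.1-4", "192.168.1.0/30"))
```

Running it prints one line per spec with the host count and first/last address, then the two equivalence checks (`True` and `False`), which is exactly the distinction between `192.168.1.1-4` and `192.168.1.0/30` that the list items above spell out.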
  1. You can also scan the most popular ports. For example, to scan the top 5 most popular ports of a single IP address:
nmap --top-ports 5 192.168.1.1
Starting Nmap 7.80 ( https://nmap.org ) at 2022-08-19 20:38 EDT
Nmap scan report for 192.168.1.1
Host is up (0.0051s latency).

PORT    STATE    SERVICE
21/tcp  closed   ftp
22/tcp  filtered ssh
23/tcp  closed   telnet
80/tcp  open     http
443/tcp open     https

Nmap done: 1 IP address (1 host up) scanned in 1.27 seconds
  1. You can also scan a list of IP addresses or hostnames from a file. So let's say you have the following in a file called scan.txt:
foo.com
bar.com
192.168.1.10

You can scan every IP and host in scan.txt like so:

nmap -iL scan.txt
  1. You can also save your scan results to a txt file. This is useful for audits, documentation, & compliance.
$ nmap -oN scan.txt 192.168.1.1
Starting Nmap 7.80 ( https://nmap.org ) at 2022-08-19 21:05 EDT
Nmap scan report for 192.168.1.1
Host is up (0.017s latency).
Not shown: 992 closed ports
PORT     STATE    SERVICE
22/tcp   filtered ssh
53/tcp   open     domain
80/tcp   open     http
443/tcp  open     https
4567/tcp filtered tram
8022/tcp filtered oa-system
8080/tcp open     http-proxy
8443/tcp open     https-alt

Nmap done: 1 IP address (1 host up) scanned in 1.42 seconds

$ cat scan.txt 
# Nmap 7.80 scan initiated Fri Aug 19 21:05:24 2022 as: nmap -oN scan.txt 192.168.1.1
Nmap scan report for 192.168.1.1
Host is up (0.017s latency).
Not shown: 992 closed ports
PORT     STATE    SERVICE
22/tcp   filtered ssh
53/tcp   open     domain
80/tcp   open     http
443/tcp  open     https
4567/tcp filtered tram
8022/tcp filtered oa-system
8080/tcp open     http-proxy
8443/tcp open     https-alt

# Nmap done at Fri Aug 19 21:05:25 2022 -- 1 IP address (1 host up) scanned in 1.42 seconds
  1. You can also save your scan results to an XML file. This is useful for audits, documentation, & compliance.
nmap -oX /tmp/scan.xml -sP 192.168.1.1
Starting Nmap 7.80 ( https://nmap.org ) at 2022-08-22 15:04 EDT
Nmap scan report for 192.168.1.1
Host is up (0.020s latency).
Nmap done: 1 IP address (1 host up) scanned in 0.11 seconds
$ cat /tmp/scan.xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE nmaprun>
<?xml-stylesheet href="file:///usr/bin/../share/nmap/nmap.xsl" type="text/xsl"?>
<!-- Nmap 7.80 scan initiated Mon Aug 22 15:04:55 2022 as: nmap -oX /tmp/scan.xml -sP 192.168.1.1 -->
<nmaprun scanner="nmap" args="nmap -oX /tmp/scan.xml -sP 192.168.1.1" start="1661195095" startstr="Mon Aug 22 15:04:55 2022" version="7.80" xmloutputversion="1.04">
<verbose level="0"/>
<debugging level="0"/>
<host><status state="up" reason="syn-ack" reason_ttl="0"/>
<address addr="192.168.1.1" addrtype="ipv4"/>
<hostnames>
</hostnames>
<times srtt="20413" rttvar="20413" to="102065"/>
</host>
<runstats><finished time="1661195095" timestr="Mon Aug 22 15:04:55 2022" elapsed="0.11" summary="Nmap done at Mon Aug 22 15:04:55 2022; 1 IP address (1 host up) scanned in 0.11 seconds" exit="success"/><hosts up="1" down="0" total="1"/>
</runstats>
</nmaprun>
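The value of `-oX` for audits is that the report is machine-readable: rather than reading the XML by eye you can parse it and diff the open ports against the previous approved scan. The following Python is an added example and not code from the original post; `parse_nmap_xml`, `open_ports`, `new_open_ports` and the constructed `SAMPLE_XML` and `BASELINE` are names and data chosen here, and it uses only the standard library.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the -oX format shown above, but for a port scan of two
# hosts (a ping-only -sP run, as above, writes no <ports> element). Not real output.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet href="file:///usr/bin/../share/nmap/nmap.xsl" type="text/xsl"?>
<nmaprun scanner="nmap" args="nmap -oX /tmp/scan.xml 192.168.1.1 192.168.1.2" version="7.80" xmloutputversion="1.04">
<host><status state="up" reason="syn-ack" reason_ttl="0"/>
<address addr="192.168.1.1" addrtype="ipv4"/>
<hostnames></hostnames>
<ports><extraports state="closed" count="996"><extrareasons reason="conn-refused" count="996"/></extraports>
<port protocol="tcp" portid="22"><state state="filtered" reason="no-response" reason_ttl="0"/><service name="ssh" method="table" conf="3"/></port>
<port protocol="tcp" portid="53"><state state="open" reason="syn-ack" reason_ttl="0"/><service name="domain" method="table" conf="3"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack" reason_ttl="0"/><service name="http" method="table" conf="3"/></port>
<port protocol="tcp" portid="8080"><state state="open" reason="syn-ack" reason_ttl="0"/><service name="http-proxy" method="table" conf="3"/></port>
</ports>
</host>
<host><status state="down" reason="no-response" reason_ttl="0"/>
<address addr="192.168.1.2" addrtype="ipv4"/>
</host>
<runstats><finished elapsed="1.42" exit="success"/><hosts up="1" down="1" total="2"/></runstats>
</nmaprun>
"""

# Constructed baseline: the open ports recorded by a previous, approved scan.
BASELINE = {"192.168.1.1": ["53/tcp", "80/tcp"]}


def port_key(port: str) -> tuple[str, int]:
    """Sort '8080/tcp'-style keys by protocol, then numerically (not lexically)."""
    number, proto = port.split("/", 1)
    return proto, int(number)


def parse_nmap_xml(xml_text: str) -> dict[str, dict]:
    """Return {address: {"state": "up"|"down", "ports": {"53/tcp": {"state", "service"}}}}.

    The stdlib parser is fine for reports you generated yourself; for XML from an
    untrusted source use defusedxml to block entity-expansion tricks.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "nmaprun":
        raise ValueError(f"not an Nmap XML report (root element is <{root.tag}>)")

    hosts: dict[str, dict] = {}
    for host in root.iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            addr_el = host.find("address")      # IPv6-only host, or none at all
        if addr_el is None:
            continue
        status_el = host.find("status")
        entry = {
            "state": status_el.get("state", "unknown") if status_el is not None else "unknown",
            "ports": {},
        }
        for port in host.iterfind("ports/port"):
            state_el, svc_el = port.find("state"), port.find("service")
            entry["ports"][f"{port.get('portid')}/{port.get('protocol')}"] = {
                "state": state_el.get("state", "unknown") if state_el is not None else "unknown",
                "service": svc_el.get("name", "") if svc_el is not None else "",
            }
        hosts[addr_el.get("addr")] = entry
    return hosts


def open_ports(hosts: dict[str, dict]) -> dict[str, list[str]]:
    """Open ports per host that was up, sorted by protocol and port number."""
    return {
        addr: sorted((p for p, info in h["ports"].items() if info["state"] == "open"), key=port_key)
        for addr, h in hosts.items()
        if h["state"] == "up"
    }


def new_open_ports(baseline: dict[str, list[str]], current: dict[str, list[str]]) -> dict[str, list[str]]:
    """Ports open now that the baseline did not list (a host absent from the baseline counts whole)."""
    changes = {}
    for addr, ports in current.items():
        added = sorted(set(ports) - set(baseline.get(addr, [])), key=port_key)
        if added:
            changes[addr] = added
    return changes


if __name__ == "__main__":
    hosts = parse_nmap_xml(SAMPLE_XML)
    current = open_ports(hosts)
    for addr, ports in current.items():
        print(addr, "open:", ", ".join(f"{p} ({hosts[addr]['ports'][p]['service']})" for p in ports))
    print("new since baseline:", new_open_ports(BASELINE, current))
```

Against the constructed sample this reports `8080/tcp` as new on 192.168.1.1 and says nothing about 192.168.1.2, which was down. Point `parse_nmap_xml` at the contents of a real `-oX` file and keep the previous run's `open_ports` result as the baseline to get the same diff for your own hosts.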
  1. It can also be useful to disable DNS name resolution with the '-n' parameter to speed up your scan. Note the difference in the 'Nmap scan report' line: one has an IP & one has a hostname.
$ nmap -p 80 8.8.8.8
Starting Nmap 7.80 ( https://nmap.org ) at 2022-08-19 21:13 EDT
Nmap scan report for dns.google (8.8.8.8)
Host is up (0.016s latency).

PORT   STATE    SERVICE
80/tcp filtered http

Nmap done: 1 IP address (1 host up) scanned in 0.27 seconds
$ nmap -p 80 -n 8.8.8.8
Starting Nmap 7.80 ( https://nmap.org ) at 2022-08-19 21:13 EDT
Nmap scan report for 8.8.8.8
Host is up (0.021s latency).

PORT   STATE    SERVICE
80/tcp filtered http

Nmap done: 1 IP address (1 host up) scanned in 0.28 seconds
  1. Detect OS & service names and versions with the '-A' flag & we can add the '-T4' flag to speed up the scan.
nmap -A -T4 192.168.1.1
  1. Detect service and/or daemon versions. This is crucial when looking to exploit a service or when finding services that need upgrading.
nmap -sV 192.168.10.12
Starting Nmap 7.80 ( https://nmap.org ) at 2022-08-19 21:33 EDT
Nmap scan report for 192.168.1.1
Host is up (0.013s latency).
Not shown: 992 closed ports
PORT     STATE    SERVICE       VERSION
22/tcp   filtered ssh
53/tcp   open     domain        ISC BIND 8.10.25
  1. Scan using a specific protocol, for example TCP:
nmap -sT 192.168.10.45
Starting Nmap 7.80 ( https://nmap.org ) at 2022-08-19 21:45 EDT
Nmap scan report for 192.168.10.23
Host is up (0.012s latency).
Not shown: 992 closed ports
PORT     STATE    SERVICE
22/tcp   filtered ssh
80/tcp   open     http

Nmap done: 1 IP address (1 host up) scanned in 1.39 seconds
  1. Scan only UDP. Note: This typically requires root privileges.
$ nmap -sU 192.168.10.34
You requested a scan type which requires root privileges.
QUITTING!
$ sudo nmap -sU 192.168.10.34
  1. CVE detection using Nmap. You can execute a full vulnerability scan against a single IP address.
nmap -Pn --script vuln 192.168.10.45
  1. Launch a WordPress brute force attack.
nmap -sV --script http-wordpress-brute --script-args 'userdb=users.txt,passdb=passwds.txt,http-wordpress-brute.hostname=domain.com, http-wordpress-brute.threads=3,brute.firstonly=true' 192.168.10.10
  1. Launch a MSSQL Server brute force attack.
nmap -p 1433 --script ms-sql-brute --script-args userdb=customuser.txt,passdb=custompass.txt 192.168.1.105
  1. Launch an FTP server brute force attack.
nmap --script ftp-brute -p 21 192.168.1.105
  1. Detect remote hosts infected with malware.
nmap -sV --script=http-malware-host 192.168.10.10
  1. Detect remote hosts infected with malware using Google's malware check.
nmap -p80 --script http-google-malware foo.com
  1. Exclude a single IP/host from a network scan.
nmap 172.16.121.1/24 --exclude 172.16.121.10
  1. Scan only TCP ports.
$ nmap -sT 192.168.1.1
Starting Nmap 7.80 ( https://nmap.org ) at 2022-08-22 15:19 EDT
Nmap scan report for 192.168.1.1
Host is up (0.0087s latency).
Not shown: 992 closed ports
PORT     STATE    SERVICE
22/tcp   filtered ssh
80/tcp   open     http
443/tcp  open     https

Nmap done: 1 IP address (1 host up) scanned in 1.39 seconds
  1. Scan only UDP ports. Note: UDP scans require elevated privileges.
$ nmap -sU 192.168.1.1
You requested a scan type which requires root privileges.
QUITTING!
$ sudo nmap -sU 192.168.10.10
[sudo] password for yoda:              
Starting Nmap 7.80 ( https://nmap.org ) at 2022-08-22 15:22 EDT
  1. Only run vulnerability scans considered SAFE (i.e. ones that won't result in instability).
nmap -sV -sT -p445 --script "vuln and safe" 192.168.10.10
  1. Perform a fast scan using the -F flag. Note: This is NOT a very thorough scan.
nmap -F 192.168.10.10
  1. Exclude IP addresses from a scan based on a txt file. You can see from the output below that IP address 192.168.1.1 was skipped & only 192.168.1.2 was scanned.
$ nmap 192.168.1.1 192.168.1.2 -v --excludefile /tmp/do_not_scan.txt
Starting Nmap 7.80 ( https://nmap.org ) at 2022-08-22 15:45 EDT
Initiating Ping Scan at 15:45
Scanning 192.168.1.2 [2 ports]
Completed Ping Scan at 15:45, 3.00s elapsed (1 total hosts)
Nmap scan report for 192.168.1.2 [host down]
Read data files from: /usr/bin/../share/nmap
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.04 seconds
$ cat /tmp/do_not_scan.txt 
192.168.1.1
  1. Scan to discover OS (operating system) information.
nmap -A 192.168.10.10
  1. Enable OS detection to gather even more information about the host operating system. Note: this scan requires elevated privileges.
$ sudo nmap -O 192.168.1.1
[sudo] password for yoda:              
Starting Nmap 7.80 ( https://nmap.org ) at 2022-08-22 16:08 EDT
Nmap scan report for 192.168.1.1
Host is up (0.0043s latency).
Not shown: 992 closed ports
PORT     STATE    SERVICE
22/tcp   filtered ssh
53/tcp   open     domain
80/tcp   open     http
443/tcp  open     https
MAC Address: 21:B0:48:1D:08:5C (Verizon)
Device type: general purpose
Running: Linux 3.X
OS CPE: cpe:/o:linux:linux_kernel:3
OS details: Linux 3.2 - 3.16
Network Distance: 1 hop

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 3.11 seconds
  1. Performing an ACK scan can help identify if a host is running a firewall. Note: this scan requires elevated privileges.
$ sudo nmap -sA 192.168.1.1
Starting Nmap 7.80 ( https://nmap.org ) at 2022-08-22 16:14 EDT
Nmap scan report for 192.168.1.1
Host is up (0.0091s latency).
Not shown: 997 unfiltered ports
PORT     STATE    SERVICE
22/tcp   filtered ssh
MAC Address: 21:B0:48:1D:08:5C (Verizon)

Nmap done: 1 IP address (1 host up) scanned in 1.80 seconds
  1. Use Nmap to conduct a scan in stealth mode (TCP SYN) using the -sS flag. Note: this scan requires elevated privileges.
$ sudo nmap -sS 192.168.1.1
Starting Nmap 7.80 ( https://nmap.org ) at 2022-08-22 16:27 EDT
Nmap scan report for 192.168.1.1
Host is up (0.011s latency).
Not shown: 992 closed ports
PORT     STATE    SERVICE
22/tcp   filtered ssh
53/tcp   open     domain
80/tcp   open     http
MAC Address: 21:B0:48:1D:08:5C (Verizon)

Nmap done: 1 IP address (1 host up) scanned in 1.71 seconds
  1. Find the hostname for a single IP address.
nmap -sL 192.168.0.1
  1. Increase the information (i.e. verbosity) in your scan results.
$ nmap -v 192.168.1.1
Starting Nmap 7.80 ( https://nmap.org ) at 2022-08-23 19:12 EDT
Initiating Ping Scan at 19:12
Scanning 192.168.1.1 [2 ports]
Completed Ping Scan at 19:12, 0.00s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 19:12
Completed Parallel DNS resolution of 1 host. at 19:12, 0.03s elapsed
Initiating Connect Scan at 19:12
Scanning 192.168.1.1 [1000 ports]
Discovered open port 53/tcp on 192.168.1.1
Discovered open port 80/tcp on 192.168.1.1
Completed Connect Scan at 19:12, 1.31s elapsed (1000 total ports)
Nmap scan report for 192.168.1.1
Host is up (0.012s latency).
Not shown: 992 closed ports
PORT     STATE    SERVICE
22/tcp   filtered ssh
53/tcp   open     domain

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 1.41 seconds
  1. Increase the verbosity even MORE by adding more -v flags.
$ nmap -vvv 192.168.1.1
Starting Nmap 7.80 ( https://nmap.org ) at 2022-08-23 19:14 EDT
Initiating Ping Scan at 19:14
Scanning 192.168.1.1 [2 ports]
Completed Ping Scan at 19:14, 0.00s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 19:14
Completed Parallel DNS resolution of 1 host. at 19:14, 0.04s elapsed
DNS resolution of 1 IPs took 0.04s. Mode: Async [#: 2, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating Connect Scan at 19:14
Scanning 192.168.1.1 [1000 ports]
Discovered open port 80/tcp on 192.168.1.1
Discovered open port 53/tcp on 192.168.1.1
Completed Connect Scan at 19:14, 1.20s elapsed (1000 total ports)
Nmap scan report for 192.168.1.1
Host is up, received syn-ack (0.011s latency).
Scanned at 2022-08-23 19:14:30 EDT for 1s
Not shown: 992 closed ports
Reason: 992 conn-refused
PORT     STATE    SERVICE    REASON
22/tcp   filtered ssh        no-response
53/tcp   open     domain     syn-ack

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 1.28 seconds
  1. Find Host Interfaces, Routes, and Packet information about your own host/network.
$ nmap --iflist
  1. Use timing templates for aggressive scans.
nmap -T5 192.168.1.1

More details on timing templates from the Nmap man page:

-T paranoid|sneaky|polite|normal|aggressive|insane (Set a timing template)

While the fine-grained timing controls discussed in the previous section are powerful and effective, some people find them confusing. Moreover, choosing the appropriate values can sometimes take more time than the scan you are trying to optimize. Fortunately, Nmap offers a simpler approach, with six timing templates. You can specify them with the -T option and their number (0–5) or their name. The template names are paranoid (0), sneaky (1), polite (2), normal (3), aggressive (4), and insane (5). The first two are for IDS evasion. Polite mode slows down the scan to use less bandwidth and target machine resources. Normal mode is the default and so -T3 does nothing. Aggressive mode speeds scans up by making the assumption that you are on a reasonably fast and reliable network. Finally insane mode assumes that you are on an extraordinarily fast network or are willing to sacrifice some accuracy for speed.

These templates allow the user to specify how aggressive they wish to be, while leaving Nmap to pick the exact timing values. The templates also make some minor speed adjustments for which fine-grained control options do not currently exist. For example, -T4 prohibits the dynamic scan delay from exceeding 10 ms for TCP ports and -T5 caps that value at 5 ms. Templates can be used in combination with fine-grained controls, and the fine-grained controls that you specify will take precedence over the timing template default for that parameter. I recommend using -T4 when scanning reasonably modern and reliable networks. Keep that option even when you add fine-grained controls so that you benefit from those extra minor optimizations that it enables.

If you are on a decent broadband or ethernet connection, I would recommend always using -T4. Some people love -T5 though it is too aggressive for my taste. People sometimes specify -T2 because they think it is less likely to crash hosts or because they consider themselves to be polite in general. They often don't realize just how slow -T polite really is. Their scan may take ten times longer than a default scan. Machine crashes and bandwidth problems are rare with the default timing options (-T3) and so I normally recommend that for cautious scanners. Omitting version detection is far more effective than playing with timing values at reducing these problems.

While -T0 and -T1 may be useful for avoiding IDS alerts, they will take an extraordinarily long time to scan thousands of machines or ports. For such a long scan, you may prefer to set the exact timing values you need rather than rely on the canned -T0 and -T1 values.

The main effects of T0 are serializing the scan so only one port is scanned at a time, and waiting five minutes between sending each probe. T1 and T2 are similar but they only wait 15 seconds and 0.4 seconds, respectively, between probes. T3 is Nmap's default behavior, which includes parallelization. -T4 does the equivalent of --max-rtt-timeout 1250ms --min-rtt-timeout 100ms --initial-rtt-timeout 500ms --max-retries 6 and sets the maximum TCP scan delay to 10 milliseconds. T5 does the equivalent of --max-rtt-timeout 300ms --min-rtt-timeout 50ms --initial-rtt-timeout 250ms --max-retries 2 --host-timeout 15m --script-timeout 10m as well as setting the maximum TCP scan delay to 5 ms.

  1. Use decoys to make it harder to figure out which IP address is really yours if your scan ends up in a log (it probably will ;).
$ nmap -D 192.168.1.5,192.168.1.6,192.168.1.7,192.168.1.8,192.168.1.9 192.168.1.1
  1. Enumerate SSL ciphers. Note: I personally find this useful when disabling weak SSL/TLS cipher suites on AWS load balancers.
$ nmap -sV --script ssl-enum-ciphers -p 443 192.168.10.10
Starting Nmap 7.80 ( https://nmap.org ) at 2022-08-23 19:37 EDT
Nmap scan report for 192.168.1.1
Host is up (0.0042s latency).

PORT    STATE SERVICE   VERSION
443/tcp open  ssl/https
| ssl-enum-ciphers: 
|   TLSv1.2: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|     compressors: 
|       NULL
|     cipher preference: server
|_  least strength: A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 137.65 seconds
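Note that all twelve suites above are graded A, yet six of them use static RSA key exchange (no forward secrecy) and eight use CBC rather than an AEAD mode such as GCM, which is usually exactly what a load-balancer hardening pass wants to remove. The letter grade alone will not produce that disable list, so the following Python parses the script's text output and applies those checks itself. It is an added example and not code from the original post or from Nmap: `parse_ssl_enum_ciphers`, `review_suite`, `review`, `suites_to_disable` and the `Suite` dataclass are names chosen here, and `SAMPLE_OUTPUT` is constructed from the TLSv1.2 block above plus an invented TLSv1.0 block so the deprecated-protocol check has something to flag.

```python
import re
from dataclasses import dataclass

# Constructed sample: the TLSv1.2 block is the one shown above; the TLSv1.0 block is
# added here so the protocol check has something to flag. Not real scanner output.
SAMPLE_OUTPUT = """\
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: server
|_  least strength: A
"""

DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}
LEGACY_PRIMITIVES = ("_RC4_", "_3DES_", "_DES_", "_NULL_", "_EXPORT", "_anon_", "_MD5")


@dataclass(frozen=True)
class Suite:
    name: str
    kex: str    # what nmap prints in parentheses, e.g. "secp256r1" or "rsa 2048"
    grade: str  # nmap's letter grade, e.g. "A"


def parse_ssl_enum_ciphers(text: str) -> dict[str, list[Suite]]:
    """Map each protocol version in the script output to the suites listed under it."""
    result: dict[str, list[Suite]] = {}
    proto, section = None, None
    for raw in text.splitlines():
        m = re.match(r"^\|_?\s*(.*?)\s*$", raw)
        if m is None:
            continue                        # not part of the script block
        content = m.group(1)
        if re.fullmatch(r"(?:SSLv\d|TLSv\d\.\d):", content):
            proto, section = content[:-1], None
            result[proto] = []
        elif content == "ciphers:":
            section = "ciphers"
        elif content.startswith("TLS_") and section == "ciphers" and proto:
            # "NAME (kex info) - GRADE"; kex and grade are optional on older versions
            cm = re.match(r"^(TLS_\S+)(?:\s+\(([^)]*)\))?(?:\s+-\s+(\S+))?", content)
            result[proto].append(Suite(cm.group(1), cm.group(2) or "", cm.group(3) or ""))
        elif ":" in content:
            section = None                  # compressors:, cipher preference:, warnings:, ...
    return result


def review_suite(name: str, proto: str = "") -> list[str]:
    """Reasons a suite would go on a hardening disable list (empty list = keep)."""
    issues = []
    # TLS 1.3 suites are always ephemeral-keyed; for older versions only (EC)DHE is
    if proto != "TLSv1.3" and not name.startswith(("TLS_ECDHE_", "TLS_DHE_")):
        issues.append("no forward secrecy (static key exchange)")
    if "_CBC_" in name:
        issues.append("CBC mode rather than an AEAD cipher")
    issues.extend(f"legacy primitive {p.strip('_')}" for p in LEGACY_PRIMITIVES if p in name)
    return issues


def review(parsed: dict[str, list[Suite]]) -> dict[str, list[str]]:
    """Findings per protocol: deprecated version first, then each suite's issues."""
    findings: dict[str, list[str]] = {}
    for proto, suites in parsed.items():
        notes = ["protocol version is deprecated"] if proto in DEPRECATED_PROTOCOLS else []
        for s in suites:
            notes.extend(f"{s.name}: {issue}" for issue in review_suite(s.name, proto))
        findings[proto] = notes
    return findings


def suites_to_disable(parsed: dict[str, list[Suite]]) -> list[str]:
    """Distinct suite names, across all protocols, with at least one issue."""
    return sorted({s.name for proto, suites in parsed.items() for s in suites if review_suite(s.name, proto)})


if __name__ == "__main__":
    parsed = parse_ssl_enum_ciphers(SAMPLE_OUTPUT)
    for proto, notes in review(parsed).items():
        print(proto, f"({len(parsed[proto])} suites, {len(notes)} findings)")
        for note in notes:
            print("   ", note)
    print("disable:", *suites_to_disable(parsed), sep="\n  ")
```

On the constructed sample only the two ECDHE/GCM suites survive; the ten others and the TLSv1.0 3DES suite land on the disable list. Feed it the `ssl-enum-ciphers` section of a real report (the lines starting with `|`) and the same checks apply to your own listener.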