Top 40 Most Used Nmap Commands
Nmap (Network Mapper) is an essential tool for network exploration, security auditing, and troubleshooting. This powerful open-source utility is widely used by network administrators and cybersecurity professionals to discover hosts and services on a computer network.
This article will cover the 40 most used Nmap commands, complete with examples and output samples to help you understand and utilize Nmap effectively. Whether you are a beginner or an advanced user, this guide will enhance your network scanning skills.
1. Basic Scan
Command
nmap <target>
Example
nmap 192.168.1.1
Output Sample
Starting Nmap 7.91 ( https://nmap.org ) at 2024-06-25 12:00
Nmap scan report for 192.168.1.1
Host is up (0.00042s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp open https
Nmap done: 1 IP address (1 host up) scanned in 0.03 seconds
Description
This command performs a basic scan on the target IP address to discover open ports and services. In the output, 22/tcp open ssh indicates that the SSH service is running on port 22 and is open.
2. Scan Multiple IPs
Command
nmap <target1> <target2> <target3>
Example
nmap 192.168.1.1 192.168.1.2 192.168.1.3
Output Sample
Starting Nmap 7.91 ( https://nmap.org ) at 2024-06-25 12:05
Nmap scan report for 192.168.1.1
Host is up (0.00037s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp open https
Nmap scan report for 192.168.1.2
Host is up (0.00028s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
23/tcp open telnet
80/tcp open http
443/tcp open https
Nmap scan report for 192.168.1.3
Host is up (0.00032s latency).
Not shown: 999 closed ports
PORT STATE SERVICE
80/tcp open http
Nmap done: 3 IP addresses (3 hosts up) scanned in 0.15 seconds
Description
This command scans multiple IP addresses in a single command. The output shows open ports and services for each IP address scanned.
3. Scan a Range of IPs
Command
nmap <range>
Example
nmap 192.168.1.1-100
Output Sample
Starting Nmap 7.91 ( https://nmap.org ) at 2024-06-25 12:10
Nmap scan report for 192.168.1.1
Host is up (0.00036s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp open https
Nmap scan report for 192.168.1.2
Host is up (0.00030s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
23/tcp open telnet
80/tcp open http
443/tcp open https
... (output truncated for brevity) ...
Nmap done: 100 IP addresses (10 hosts up) scanned in 1.20 seconds
Description
This command scans a range of IP addresses from 192.168.1.1 to 192.168.1.100. The output shows which IPs are up and which ports and services are open.
4. Scan an Entire Subnet
Command
nmap <subnet>
Example
nmap 192.168.1.0/24
Output Sample
Starting Nmap 7.91 ( https://nmap.org ) at 2024-06-25 12:15
Nmap scan report for 192.168.1.1
Host is up (0.00039s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp open https
Nmap scan report for 192.168.1.2
Host is up (0.00031s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
23/tcp open telnet
80/tcp open http
443/tcp open https
... (output truncated for brevity) ...
Nmap done: 256 IP addresses (15 hosts up) scanned in 1.90 seconds
Description
This command scans all IP addresses in a subnet, specified by the CIDR notation (in this case, 192.168.1.0/24). The output lists the hosts that are up and their open ports and services.
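As an added illustration (not part of the original article), the Python function below expands Nmap-style IPv4 target specifications of the kinds used in sections 2, 3 and 4, plus the per-octet range, comma-list and wildcard forms Nmap's target parser also accepts, so you can count how many addresses a scan will touch before running it. It uses only the standard library; the sample specs are the article's own.

```python
import ipaddress
from itertools import product
from typing import Iterable, List, Set


def _expand_octet(part: str) -> List[int]:
    """Expand one dotted-quad component: '5', '1-100', '1,3,5-7' or '*'."""
    if part == "*":
        return list(range(256))
    values: List[int] = []
    for piece in part.split(","):
        if "-" in piece:
            lo_s, hi_s = piece.split("-", 1)
            lo, hi = int(lo_s), int(hi_s)
        else:
            lo = hi = int(piece)
        if not 0 <= lo <= hi <= 255:
            raise ValueError(f"octet range out of bounds: {part!r}")
        values.extend(range(lo, hi + 1))
    return values


def expand_target(spec: str) -> List[str]:
    """Expand a single Nmap-style IPv4 target spec into individual addresses.

    Supported forms (all accepted by Nmap's target parser):
      192.168.1.1          a single host
      192.168.1.0/24       CIDR; like Nmap, the network and broadcast
                           addresses are included (256 for a /24)
      192.168.1.1-100      a range in the last octet
      192.168.0-1.1-254    ranges in any octet; comma lists and '*' work too
    """
    if "/" in spec:
        network = ipaddress.ip_network(spec, strict=False)
        return [str(addr) for addr in network]
    octets = spec.split(".")
    if len(octets) != 4:
        raise ValueError(f"not a dotted-quad IPv4 spec: {spec!r}")
    return [
        ".".join(str(o) for o in combo)
        for combo in product(*(_expand_octet(o) for o in octets))
    ]


def expand_targets(specs: Iterable[str]) -> Set[str]:
    """Union of several specs with overlaps removed, so each address counts once."""
    hosts: Set[str] = set()
    for spec in specs:
        hosts.update(expand_target(spec))
    return hosts


if __name__ == "__main__":
    # The article's own examples from sections 2, 3 and 4.
    for spec in ("192.168.1.1-100", "192.168.1.0/24"):
        print(f"{spec:<20} -> {len(expand_target(spec))} addresses")
    print(len(expand_targets(["192.168.1.1", "192.168.1.2", "192.168.1.3"])), "distinct hosts")
```

The counts match the "100 IP addresses" and "256 IP addresses" lines in the sample outputs above, which is a quick sanity check that a target list is what you think it is before a scan of a shared network starts.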
5. Scan with a Specific Port Range
Command
nmap -p <range> <target>
Example
nmap -p 20-80 192.168.1.1
Output Sample
Starting Nmap 7.91 ( https://nmap.org ) at 2024-06-25 12:20
Nmap scan report for 192.168.1.1
Host is up (0.00040s latency).
Not shown: 59 closed ports
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
53/tcp open domain
80/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 0.05 seconds
Description
Scans ports 20 through 80 on the target IP address. The output shows which ports within the specified range are open and their associated services.
6. Scan Specific Ports
Command
nmap -p <port1,port2,...> <target>
Example
nmap -p 22,80,443 192.168.1.1
Output Sample
Starting Nmap 7.91 ( https://nmap.org ) at 2024-06-25 12:25
Nmap scan report for 192.168.1.1
Host is up (0.00034s latency).
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp open https
Nmap done: 1 IP address (1 host up) scanned in 0.03 seconds
Description
Scans only the specified ports (22, 80, and 443 in this case) on the target IP address. The output lists the status and services of these specific ports.
7. Service Version Detection
Command
nmap -sV <target>
Example
nmap -sV 192.168.1.1
Output Sample
Starting Nmap 7.91 ( https://nmap.org ) at 2024-06-25 12:30
Nmap scan report for 192.168.1.1
Host is up (0.00038s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
80/tcp open http Apache httpd 2.4.38 ((Debian))
443/tcp open ssl/http Apache httpd 2.4.38
Nmap done: 1 IP address (1 host up) scanned in 1.23 seconds
Description
This command performs service version detection, identifying the version of the services running on open ports. The output provides detailed information about the services detected.
8. OS Detection
Command
nmap -O <target>
Example
nmap -O 192.168.1.1
Output Sample
Starting Nmap 7.91 ( https://nmap.org ) at 2024-06-25 12:35
Nmap scan report for 192.168.1.1
Host is up (0.00042s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp open https
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Nmap done: 1 IP address (1 host up) scanned in 1.59 seconds
Description
This command performs operating system detection on the target IP address. The output provides information about the operating system and kernel version running on the target.
9. Aggressive Scan
Command
nmap -A <target>
Example
nmap -A 192.168.1.1
Output Sample
Starting Nmap 7.91 ( https://nmap.org ) at 2024-06-25 12:40
Nmap scan report for 192.168.1.1
Host is up (0.00037s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
80/tcp open http Apache httpd 2.4.38 ((Debian))
443/tcp open ssl/http Apache httpd 2.4.38
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Apache2 Debian Default Page: It works
| ssl-cert: Subject: commonName=localhost
| Issuer: commonName=localhost
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2023-01-01T00:00:00
| Not valid after: 2024-01-01T00:00:00
|_ssl-date: TLS randomness does not represent time
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Nmap done: 1 IP address (1 host up) scanned in 1.89 seconds
Description
This command performs an aggressive scan, which includes OS detection, version detection, script scanning, and traceroute. The output provides comprehensive information about the target.
10. UDP Scan
Command
nmap -sU <target>
Example
nmap -sU 192.168.1.1
Output Sample
Starting Nmap 7.91 ( https://nmap.org ) at 2024-06-25 12:45
Nmap scan report for 192.168.1.1
Host is up (0.00040s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
53/udp open domain
123/udp open ntp
Nmap done: 1 IP address (1 host up) scanned in 1.75 seconds
Description
This command performs a UDP scan on the target IP address to discover open UDP ports. The output lists the open UDP ports and their associated services.
11. TCP SYN Scan (Default)
Command
nmap -sS <target>
Example
nmap -sS 192.168.1.1
Output Sample
Starting Nmap 7.91 ( https://nmap.org ) at 2024-06-25 12:50
Nmap scan report for 192.168.1.1
Host is up (0.00038s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp open https
Nmap done: 1 IP address (1 host up) scanned in 0.05 seconds
Description
This command performs a TCP SYN scan, the default scan type whenever Nmap has the privileges needed to send raw packets (root on Unix-like systems; without them it falls back to the connect scan of the next section). It sends a SYN packet to each target port and classifies the port from the reply: SYN/ACK means open, RST means closed, and no answer means filtered. Nmap tears the half-open connection down with a RST instead of completing the handshake, so the application behind the port usually never sees or logs it, although firewalls and intrusion detection sensors observe the SYN like any other packet.
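What a SYN scan looks like from the other side: the Python below is an added example (mine, not the article's) that runs a simple port-scan detector over constructed firewall log lines. The log format is invented for the example (timestamp, verdict, src, dst, proto, dport) and the threshold of 15 distinct destination ports from one source within 60 seconds is an assumption; it separates the scanning host, which touches one new port every second, from an ordinary client that opens many connections to a single port in the same minute.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional, Tuple

# Constructed log format for the example (not any real firewall's syntax).
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<verdict>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"proto=(?P<proto>\w+) dport=(?P<dport>\d+)"
)


def build_sample_log() -> List[str]:
    """Constructed sample: 10.0.0.5 probes ports 20-49 at one port per second
    (a SYN scan of a small range as the packet filter sees it) while 10.0.0.9
    opens 40 connections to 443 in the same minute. One junk line is included."""
    base = datetime(2024, 6, 25, 12, 50, 0)
    lines: List[str] = []
    for i, port in enumerate(range(20, 50)):
        ts = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} DROP src=10.0.0.5 dst=192.168.1.1 proto=TCP dport={port} flags=S")
    for i in range(40):
        ts = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} ACCEPT src=10.0.0.9 dst=192.168.1.1 proto=TCP dport=443 flags=S")
    lines.append("garbage line the parser must ignore")
    return lines


def parse_line(line: str) -> Optional[Dict]:
    """Parse one log line; return None for lines that do not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "src": m["src"],
        "target": (m["dst"], m["proto"].upper(), int(m["dport"])),
    }


def detect_port_scans(lines: List[str], threshold: int = 15,
                      window_seconds: int = 60) -> Dict[str, int]:
    """Return {source: peak number of distinct (dst, proto, port) targets} for
    every source that touched at least `threshold` distinct targets inside
    any sliding window of `window_seconds`."""
    events = [e for e in map(parse_line, lines) if e]
    events.sort(key=lambda e: e["ts"])
    window = timedelta(seconds=window_seconds)
    recent: Dict[str, Deque[Tuple[datetime, Tuple]]] = defaultdict(deque)
    alerts: Dict[str, int] = {}
    for e in events:
        q = recent[e["src"]]
        q.append((e["ts"], e["target"]))
        # Drop events that have fallen out of the window for this source.
        while q and e["ts"] - q[0][0] > window:
            q.popleft()
        distinct = len({t for _, t in q})
        if distinct >= threshold:
            alerts[e["src"]] = max(alerts.get(e["src"], 0), distinct)
    return alerts


if __name__ == "__main__":
    for src, n in detect_port_scans(build_sample_log()).items():
        print(f"possible port scan from {src}: {n} distinct ports within 60s")
```

Counting distinct (destination, protocol, port) tuples rather than raw packets is what keeps the busy-but-legitimate client quiet; slowing the scan down (section 23's -T0/-T1 templates) is exactly what stretches it across the window and under the threshold, which is why the window length matters as much as the count.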
12. TCP Connect Scan
Command
nmap -sT <target>
Example
nmap -sT 192.168.1.1
Output Sample
Starting Nmap 7.91 ( https://nmap.org ) at 2024-06-25 12:55
Nmap scan report for 192.168.1.1
Host is up (0.00039s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp open https
Nmap done: 1 IP address (1 host up) scanned in 0.06 seconds
Description
This command performs a TCP connect scan, which uses the connect system call to open a full TCP connection to the target ports. It is useful when SYN scan requires privileges that are not available.
13. ICMP Echo Scan
Command
nmap -PE <target>
Example
nmap -PE 192.168.1.1
Output Sample
Starting Nmap 7.91 ( https://nmap.org ) at 2024-06-25 13:00
Nmap scan report for 192.168.1.1
Host is up (0.00037s latency).
Not shown: 1000 closed ports
Nmap done: 1 IP address (1 host up) scanned in 0.04 seconds
Description
This command sends ICMP echo requests to the target to determine if the host is up. It is useful for basic network discovery.
14. ICMP Timestamp Scan
Command
nmap -PP <target>
Example
nmap -PP 192.168.1.1
Output Sample
Starting Nmap 7.91 ( https://nmap.org ) at 2024-06-25 13:05
Nmap scan report for 192.168.1.1
Host is up (0.00036s latency).
Not shown: 1000 closed ports
Nmap done: 1 IP address (1 host up) scanned in 0.03 seconds
Description
This command sends ICMP timestamp requests to the target to determine if the host is up. It can be used as an alternative to the ICMP echo scan.
15. ICMP Address Mask Scan
Command
nmap -PM <target>
Example
nmap -PM 192.168.1.1
Output Sample
Starting Nmap 7.91 ( https://nmap.org ) at 2024-06-25 13:10
Nmap scan report for 192.168.1.1
Host is up (0.00037s latency).
Not shown: 1000 closed ports
Nmap done: 1 IP address (1 host up) scanned in 0.04 seconds
Description
This command sends ICMP address mask requests to the target to determine if the host is up. It is another alternative to the ICMP echo scan.
16. TCP ACK Scan
Command
nmap -sA <target>
Example
nmap -sA 192.168.1.1
Output Sample
Starting Nmap 7.91 ( https://nmap.org ) at 2024-06-25 13:15
Nmap scan report for 192.168.1.1
Host is up (0.00038s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp open https
Nmap done: 1 IP address (1 host up) scanned in 0.05 seconds
Description
This command performs a TCP ACK scan, which is used to map firewall rules rather than to find open ports. It sends ACK packets to the target ports and listens for responses: a host answers an unsolicited ACK on both open and closed ports with a RST, so the scan can only classify ports as unfiltered (reachable) or filtered (no reply or an ICMP unreachable from a filtering device), never as open or closed.
17. TCP Window Scan
Command
nmap -sW <target>
Example
nmap -sW 192.168.1.1
Output Sample
Starting Nmap 7.91 ( https://nmap.org ) at 2024-06-25 13:20
Nmap scan report for 192.168.1.1
Host is up (0.00039s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp open https
Nmap done: 1 IP address (1 host up) scanned in 0.06 seconds
Description
This command performs a TCP window scan, which is similar to the ACK scan but also examines the TCP window field to determine the state of the port.
18. TCP Maimon Scan
Command
nmap -sM <target>
Example
nmap -sM 192.168.1.1
Output Sample
Starting Nmap 7.91 ( https://nmap.org ) at 2024-06-25 13:25
Nmap scan report for 192.168.1.1
Host is up (0.00037s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp open https
Nmap done: 1 IP address (1 host up) scanned in 0.04 seconds
Description
This command performs a TCP Maimon scan, which sends FIN/ACK packets to the target ports to determine their state.
19. IP Protocol Scan
Command
nmap -sO <target>
Example
nmap -sO 192.168.1.1
Output Sample
Starting Nmap 7.91 ( https://nmap.org ) at 2024-06-25 13:30
Nmap scan report for 192.168.1.1
Host is up (0.00039s latency).
PROTOCOL STATE SERVICE
1 open icmp
6 open tcp
17 open udp
Nmap done: 1 IP address (1 host up) scanned in 0.06 seconds
Description
This command performs an IP protocol scan to determine which IP protocols (ICMP, TCP, UDP, etc.) are supported by the target.
20. Scan with Default Scripts
Command
nmap -sC <target>
Example
nmap -sC 192.168.1.1
Output Sample
Starting Nmap 7.91 ( https://nmap.org ) at 2024-06-25 13:35
Nmap scan report for 192.168.1.1
Host is up (0.00038s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
80/tcp open http Apache httpd 2.4.38 ((Debian))
443/tcp open ssl/http Apache httpd 2.4.38
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Apache2 Debian Default Page: It works
| ssl-cert: Subject: commonName=localhost
| Issuer: commonName=localhost
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2023-01-01T00:00:00
| Not valid after: 2024-01-01T00:00:00
|_ssl-date: TLS randomness does not represent time
Nmap done: 1 IP address (1 host up) scanned in 1.32 seconds
Description
This command performs a scan using Nmap’s default scripts to gather additional information about the target. The output includes details from the scripts.
21. Scan All Ports
Command
nmap -p- <target>
Example
nmap -p- 192.168.1.1
Output Sample
Starting Nmap 7.91 ( https://nmap.org ) at 2024-06-25 13:40
Nmap scan report for 192.168.1.1
Host is up (0.00037s latency).
Not shown: 65531 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp open https
8080/tcp open http-proxy
8443/tcp open https-alt
Nmap done: 1 IP address (1 host up) scanned in 1.75 seconds
Description
This command scans all 65,535 TCP ports on the target IP address. The output shows which ports are open and their associated services.
22. Scan Top 100 Ports
Command
nmap --top-ports 100 <target>
Example
nmap --top-ports 100 192.168.1.1
Output Sample
Starting Nmap 7.91 ( https://nmap.org ) at 2024-06-25 13:45
Nmap scan report for 192.168.1.1
Host is up (0.00035s latency).
Not shown: 97 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp open https
Nmap done: 1 IP address (1 host up) scanned in 0.50 seconds
Description
This command scans the top 100 most commonly used ports on the target IP address. The output lists the open ports and services among the top 100 ports.
23. Scan with Custom Timing Template
Command
nmap -T<0-5> <target>
Example
nmap -T4 192.168.1.1
Output Sample
Starting Nmap 7.91 ( https://nmap.org ) at 2024-06-25 13:50
Nmap scan report for 192.168.1.1
Host is up (0.00039s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp open https
Nmap done: 1 IP address (1 host up) scanned in 0.04 seconds
Description
This command uses a custom timing template to control the speed of the scan. -T4 is a good balance between speed and accuracy.
24. Scan for Specific Service
Command
nmap -p <port> -sV --version-intensity <0-9> <target>
Example
nmap -p 80 -sV --version-intensity 5 192.168.1.1
Output Sample
Starting Nmap 7.91 ( https://nmap.org ) at 2024-06-25 13:55
Nmap scan report for 192.168.1.1
Host is up (0.00038s latency).
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.38 ((Debian))
Nmap done: 1 IP address (1 host up) scanned in 0.05 seconds
Description
This command scans for a specific service on a given port, with version detection intensity set to 5.
25. Scan with NSE Scripts
Command
nmap --script <script> <target>
Example
nmap --script http-title 192.168.1.1
Output Sample
Starting Nmap 7.91 ( https://nmap.org ) at 2024-06-25 14:00
Nmap scan report for 192.168.1.1
Host is up (0.00039s latency).
PORT STATE SERVICE
80/tcp open http
|_http-title: Apache2 Debian Default Page: It works
Nmap done: 1 IP address (1 host up) scanned in 0.04 seconds
Description
This command runs a specific NSE (Nmap Scripting Engine) script against the target. The http-title script retrieves the title of a webpage.
26. Scan with Multiple NSE Scripts
Command
nmap --script <script1>,<script2>,<script3> <target>
Example
nmap --script http-title,ssl-cert 192.168.1.1
Output Sample
Starting Nmap 7.91 ( https://nmap.org ) at 2024-06-25 14:05
Nmap scan report for 192.168.1.1
Host is up (0.00038s latency).
PORT STATE SERVICE
80/tcp open http
|_http-title: Apache2 Debian Default Page: It works
443/tcp open ssl/http
| ssl-cert: Subject: commonName=localhost
| Issuer: commonName=localhost
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2023-01-01T00:00:00
| Not valid after: 2024-01-01T00:00:00
|_ssl-date: TLS randomness does not represent time
Nmap done: 1 IP address (1 host up) scanned in 0.07 seconds
Description
This command runs multiple NSE scripts against the target, providing detailed information about the services running.
27. Scan with All Default Scripts
Command
nmap -sC <target>
Example
nmap -sC 192.168.1.1
Output Sample
Starting Nmap 7.91 ( https://nmap.org ) at 2024-06-25 14:10
Nmap scan report for 192.168.1.1
Host is up (0.00039s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
80/tcp open http Apache httpd 2.4.38 ((Debian))
443/tcp open ssl/http Apache httpd 2.4.38
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Apache2 Debian Default Page: It works
| ssl-cert: Subject: commonName=localhost
| Issuer: commonName=localhost
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2023-01-01T00:00:00
| Not valid after: 2024-01-01T00:00:00
|_ssl-date: TLS randomness does not represent time
Nmap done: 1 IP address (1 host up) scanned in 1.32 seconds
Description
This command performs a scan using all default NSE scripts to gather comprehensive information about the target.
28. Scan with Timing and Performance Options
Command
nmap -T4 --min-rate 1000 --max-rate 10000 <target>
Example
nmap -T4 --min-rate 1000 --max-rate 10000 192.168.1.1
Output Sample
Starting Nmap 7.91 ( https://nmap.org ) at 2024-06-25 14:15
Nmap scan report for 192.168.1.1
Host is up (0.00038s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp open https
Nmap done: 1 IP address (1 host up) scanned in 0.04 seconds
Description
This command adjusts the timing and performance of the scan using custom rate options. --min-rate sets the minimum scan rate, and --max-rate sets the maximum scan rate.
29. Scan for Vulnerabilities
Command
nmap --script vuln <target>
Example
nmap --script vuln 192.168.1.1
Output Sample
Starting Nmap 7.91 ( https://nmap.org ) at 2024-06-25 14:20
Nmap scan report for 192.168.1.1
Host is up (0.00039s latency).
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp open https
|_vuln: No vulnerabilities found
Nmap done: 1 IP address (1 host up) scanned in 0.05 seconds
Description
This command runs the vuln script category to scan for known vulnerabilities on the target. The output indicates whether any vulnerabilities were found.
30. Scan with Output to File
Command
nmap -oN <output-file> <target>
Example
nmap -oN scan_results.txt 192.168.1.1
Output Sample
Starting Nmap 7.91 ( https://nmap.org ) at 2024-06-25 14:25
Nmap scan report for 192.168.1.1
Host is up (0.00037s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp open https
Nmap done: 1 IP address (1 host up) scanned in 0.05 seconds
Description
This command saves the scan results to a file in normal format. The output file contains the same information as the terminal output.
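The normal-format file written by -oN has the same layout as the terminal output, so it can be read back with a few regular expressions. The Python below is an added example (mine, not the article's or the Nmap project's) that parses a saved report into structured host records; the text it parses is the multi-host output from section 2, embedded inline as a constructed sample. The second function is the check a defender usually wants from such a report: which hosts expose a cleartext legacy service such as telnet.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: the section 2 output exactly as -oN would save it.
SAMPLE_REPORT = """\
Starting Nmap 7.91 ( https://nmap.org ) at 2024-06-25 12:05
Nmap scan report for 192.168.1.1
Host is up (0.00037s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp open https
Nmap scan report for 192.168.1.2
Host is up (0.00028s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
23/tcp open telnet
80/tcp open http
443/tcp open https
Nmap scan report for 192.168.1.3
Host is up (0.00032s latency).
Not shown: 999 closed ports
PORT STATE SERVICE
80/tcp open http
Nmap done: 3 IP addresses (3 hosts up) scanned in 0.15 seconds
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)(?: \(([\d.]+)\))?$")
UP_RE = re.compile(r"^Host is up \(([\d.]+)s latency\)")
# port/proto, state, service, then an optional VERSION column (-sV output)
PORT_RE = re.compile(r"^(\d+)/(tcp|udp|sctp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")
DONE_RE = re.compile(r"^Nmap done: (\d+) IP address(?:es)? \((\d+) hosts? up\)")


def parse_normal_output(text: str) -> Dict:
    """Parse Nmap normal (-oN / terminal) output into host records."""
    hosts: List[Dict] = []
    current: Optional[Dict] = None
    summary: Dict[str, int] = {}
    for raw in text.splitlines():
        line = raw.rstrip()
        m = HOST_RE.match(line)
        if m:
            name, addr = m.group(1), m.group(2)
            current = {"host": addr or name, "hostname": name if addr else None,
                       "latency": None, "ports": []}
            hosts.append(current)
            continue
        if current is None:
            continue
        m = UP_RE.match(line)
        if m:
            current["latency"] = float(m.group(1))
            continue
        m = PORT_RE.match(line)
        if m:
            current["ports"].append({
                "port": int(m.group(1)), "proto": m.group(2),
                "state": m.group(3), "service": m.group(4),
                "version": m.group(5) or "",
            })
            continue
        if line.startswith("|") and current["ports"]:
            # NSE script lines belong to the most recent port entry
            current["ports"][-1].setdefault("script", []).append(line.lstrip("|_ ").strip())
            continue
        m = DONE_RE.match(line)
        if m:
            summary = {"addresses": int(m.group(1)), "hosts_up": int(m.group(2))}
    return {"hosts": hosts, "summary": summary}


def hosts_exposing(report: Dict, service: str) -> List[str]:
    """Addresses with an open port whose service name equals `service` (e.g. 'telnet')."""
    return [h["host"] for h in report["hosts"]
            if any(p["state"] == "open" and p["service"] == service for p in h["ports"])]


if __name__ == "__main__":
    report = parse_normal_output(SAMPLE_REPORT)
    print(report["summary"], "telnet exposed on:", hosts_exposing(report, "telnet"))
```

For anything beyond a quick script, Nmap's XML output (-oX) is the format meant for machine parsing; normal output is fine for diffing two saved reports by eye or for a one-off check like the one above.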
31. Scan for SMB Vulnerabilities
Command
nmap --script "smb-vuln*" <target>
Example
nmap --script "smb-vuln*" 192.168.1.1
Output Sample
Starting Nmap 7.91 ( https://nmap.org ) at 2024-06-25 15:00
Nmap scan report for 192.168.1.1
Host is up (0.00037s latency).
PORT STATE SERVICE
445/tcp open microsoft-ds
| smb-vuln-ms17-010:
| VULNERABLE:
| Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
| State: VULNERABLE
| IDs: CVE:CVE-2017-0143
| Risk factor: HIGH
| Description:
| This script checks for the presence of the vulnerability, which allows remote code execution.
|
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
Nmap done: 1 IP address (1 host up) scanned in 0.59 seconds
Description
This command runs every script whose name begins with smb-vuln to check for a range of SMB vulnerabilities. The pattern is quoted so that the shell does not try to expand it against local file names; Nmap matches it against its own script database instead. The example shows a scan that reports the MS17-010 (EternalBlue) vulnerability.
32. Scan for HTTP Security Headers
Command
nmap --script http-security-headers <target>
Example
nmap --script http-security-headers 192.168.1.1
Output Sample
Starting Nmap 7.91 ( https://nmap.org ) at 2024-06-25 15:05
Nmap scan report for 192.168.1.1
Host is up (0.00038s latency).
PORT STATE SERVICE
80/tcp open http
| http-security-headers:
| X-Frame-Options: SAMEORIGIN
| X-Content-Type-Options: nosniff
| X-XSS-Protection: 1; mode=block
| Strict-Transport-Security: max-age=31536000; includeSubDomains
|_ Content-Security-Policy: default-src 'self'
Nmap done: 1 IP address (1 host up) scanned in 0.51 seconds
Description
This command checks the HTTP security headers of a web server. These headers help in securing the web application against common attacks.
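An added Python example (mine, not the article's or the Nmap project's) that parses the http-security-headers block from the sample output above and audits the headers it finds. The checks and thresholds are my assumptions rather than anything the script itself enforces: an HSTS max-age of at least one year (31536000 seconds, the value in the sample), a Content-Security-Policy without 'unsafe-inline' or 'unsafe-eval', X-Content-Type-Options set to nosniff, a DENY or SAMEORIGIN frame policy, and a note that X-XSS-Protection is deprecated and best set to 0 or omitted.

```python
import re
from typing import Dict, List, Tuple

# Constructed: the script block from the section 32 sample output.
SAMPLE_BLOCK = """\
| http-security-headers:
| X-Frame-Options: SAMEORIGIN
| X-Content-Type-Options: nosniff
| X-XSS-Protection: 1; mode=block
| Strict-Transport-Security: max-age=31536000; includeSubDomains
|_ Content-Security-Policy: default-src 'self'
"""

ONE_YEAR = 31536000  # seconds; the HSTS max-age used in the sample and commonly recommended

Finding = Tuple[str, str]  # (severity, message)


def parse_header_block(block: str) -> Dict[str, str]:
    """Turn the '| Name: value' lines of an NSE script block into a dict (names lower-cased)."""
    headers: Dict[str, str] = {}
    for line in block.splitlines():
        line = line.strip().lstrip("|_").strip()
        name, sep, value = line.partition(":")
        if sep and value.strip():  # skips the bare script-name line
            headers[name.strip().lower()] = value.strip()
    return headers


def audit_security_headers(headers: Dict[str, str]) -> List[Finding]:
    """Flag missing or weak security headers; severities are this example's own scale."""
    h = {k.lower(): v for k, v in headers.items()}
    findings: List[Finding] = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append(("high", "Strict-Transport-Security missing; clients may still use plain HTTP"))
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        if not m or int(m.group(1)) < ONE_YEAR:
            findings.append(("medium", f"Strict-Transport-Security max-age below one year: {hsts}"))
        if "includesubdomains" not in hsts.lower():
            findings.append(("low", "Strict-Transport-Security lacks includeSubDomains"))

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append(("high", "Content-Security-Policy missing"))
    elif "'unsafe-inline'" in csp or "'unsafe-eval'" in csp:
        findings.append(("medium", f"Content-Security-Policy allows unsafe sources: {csp}"))

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append(("medium", "X-Content-Type-Options is not 'nosniff'"))

    xfo = h.get("x-frame-options")
    if xfo is None and "frame-ancestors" not in (csp or ""):
        findings.append(("medium", "No clickjacking protection (X-Frame-Options or CSP frame-ancestors)"))
    elif xfo is not None and xfo.upper() not in ("DENY", "SAMEORIGIN"):
        findings.append(("medium", f"X-Frame-Options has a non-standard value: {xfo}"))

    xss = h.get("x-xss-protection")
    if xss is not None and xss.strip() != "0":
        findings.append(("info", "X-XSS-Protection is deprecated; set it to 0 or drop it and rely on CSP"))

    return findings


if __name__ == "__main__":
    for severity, message in audit_security_headers(parse_header_block(SAMPLE_BLOCK)):
        print(f"[{severity}] {message}")
```

Run against the sample, the only finding is the informational one about X-XSS-Protection; removing the CSP or shortening the HSTS lifetime produces the corresponding high or medium finding, which is the kind of regression check worth wiring into a deployment pipeline rather than re-running by hand.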
33. Scan for SSL/TLS Information
Command
nmap --script ssl-enum-ciphers <target>
Example
nmap --script ssl-enum-ciphers 192.168.1.1
Output Sample
Starting Nmap 7.91 ( https://nmap.org ) at 2024-06-25 15:10
Nmap scan report for 192.168.1.1
Host is up (0.00038s latency).
PORT STATE SERVICE
443/tcp open ssl/http
| ssl-enum-ciphers:
| TLSv1.2:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (rsa 2048) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
| compressors:
| NULL
|_ least strength: A
Nmap done: 1 IP address (1 host up) scanned in 0.62 seconds
Description
This command enumerates SSL/TLS ciphers supported by the target server. It provides details on the strength and type of ciphers used.
34. Scan for Open Proxy Servers
Command
nmap --script http-open-proxy <target>
Example
nmap --script http-open-proxy 192.168.1.1
Output Sample
Starting Nmap 7.91 ( https://nmap.org ) at 2024-06-25 15:15
Nmap scan report for 192.168.1.1
Host is up (0.00039s latency).
PORT STATE SERVICE
8080/tcp open http-proxy
| http-open-proxy:
|_ Potentially OPEN proxy.
Nmap done: 1 IP address (1 host up) scanned in 0.42 seconds
Description
This command checks if the target server is running an open HTTP proxy, which can be misused for anonymous web browsing and malicious activities.
35. Scan for MySQL Vulnerabilities
Command
nmap --script mysql-vuln-cve2012-2122 <target>
Example
nmap --script mysql-vuln-cve2012-2122 192.168.1.1
Output Sample
Starting Nmap 7.91 ( https://nmap.org ) at 2024-06-25 15:20
Nmap scan report for 192.168.1.1
Host is up (0.00037s latency).
PORT STATE SERVICE
3306/tcp open mysql
| mysql-vuln-cve2012-2122:
| VULNERABLE:
| MySQL authentication bypass vulnerability
| State: VULNERABLE
| IDs: CVE:CVE-2012-2122
| Risk factor: HIGH
| Description:
| This script checks for a vulnerability in MySQL servers where it is possible to log in with incorrect credentials.
|
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2122
Nmap done: 1 IP address (1 host up) scanned in 0.68 seconds
Description
This command checks for a specific MySQL authentication bypass vulnerability (CVE-2012-2122), which allows attackers to log in without correct credentials.
36. Scan for HTTP Methods
Command
nmap --script http-methods <target>
Example
nmap --script http-methods 192.168.1.1
Output Sample
Starting Nmap 7.91 ( https://nmap.org ) at 2024-06-25 15:25
Nmap scan report for 192.168.1.1
Host is up (0.00038s latency).
PORT STATE SERVICE
80/tcp open http
| http-methods:
| Supported Methods: GET HEAD POST OPTIONS
|_ Potentially risky methods: TRACE
Nmap done: 1 IP address (1 host up) scanned in 0.49 seconds
Description
This command checks which HTTP methods are supported by the target web server. The output includes potentially risky methods like TRACE.
37. Scan for FTP Anonymous Login
Command
nmap --script ftp-anon <target>
Example
nmap --script ftp-anon 192.168.1.1
Output Sample
Starting Nmap 7.91 ( https://nmap.org ) at 2024-06-25 15:30
Nmap scan report for 192.168.1.1
Host is up (0.00037s latency).
PORT STATE SERVICE
21/tcp open ftp
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rwxr-xr-x 1 ftp ftp 4096 Jan 01 2024 pub
Nmap done: 1 IP address (1 host up) scanned in 0.46 seconds
Description
This command checks if the target FTP server allows anonymous login. The output indicates whether anonymous access is permitted and lists accessible directories.
38. Scan for HTTP Slowloris DoS Vulnerability
Command
nmap --script http-slowloris-check <target>
Example
nmap --script http-slowloris-check 192.168.1.1
Output Sample
Starting Nmap 7.91 ( https://nmap.org ) at 2024-06-25 15:35
Nmap scan report for 192.168.1.1
Host is up (0.00038s latency).
PORT STATE SERVICE
80/tcp open http
| http-slowloris-check:
| VULNERABLE:
| Slowloris DOS attack
| State: LIKELY VULNERABLE
| Description:
| This web server seems to be vulnerable to Slowloris DoS attack.
|
| References:
| http://ha.ckers.org/slowloris/
Nmap done: 1 IP address (1 host up) scanned in 0.61 seconds
Description
This command checks if the target web server is vulnerable to the Slowloris DoS attack, which can cause a denial of service by exhausting the server’s connection pool.
39. Scan for DNS Zone Transfer
Command
nmap --script dns-zone-transfer <target>
Example
nmap --script dns-zone-transfer example.com
Output Sample
Starting Nmap 7.91 ( https://nmap.org ) at 2024-06-25 15:40
Nmap scan report for example.com (93.184.216.34)
Host is up (0.00037s latency).
| dns-zone-transfer:
| DNS Zone Transfer:
| example.com. 3600 IN SOA ns1.example.com. admin.example.com. 2024010101 3600 900 1209600 86400
| example.com. 3600 IN NS ns1.example.com.
| example.com. 3600 IN NS ns2.example.com.
| ns1.example.com. 3600 IN A 192.0.2.1
| ns2.example.com. 3600 IN A 192.0.2.2
Nmap done: 1 IP address (1 host up) scanned in 0.52 seconds
Description
This command attempts to perform a DNS zone transfer, which can reveal all DNS records for a domain if the server is misconfigured.
40. Scan for Heartbleed Vulnerability
Command
nmap --script ssl-heartbleed <target>
Example
nmap --script ssl-heartbleed 192.168.1.1
Output Sample
Starting Nmap 7.91 ( https://nmap.org ) at 2024-06-25 15:45
Nmap scan report for 192.168.1.1
Host is up (0.00037s latency).
PORT STATE SERVICE
443/tcp open ssl/http
| ssl-heartbleed:
| VULNERABLE:
| The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library.
| State: VULNERABLE
| Risk factor: HIGH
| Description:
| This script checks if the target is vulnerable to Heartbleed.
|
| References:
| http://cvedetails.com/cve/CVE-2014-0160/
Nmap done: 1 IP address (1 host up) scanned in 0.68 seconds
Description
This command checks if the target is vulnerable to the Heartbleed bug, a serious vulnerability in the OpenSSL library that allows attackers to read sensitive data from the memory of affected servers.
Nmap Official Site: https://nmap.org/
Conclusion
This guide provides an overview of 40 useful Nmap commands for various types of network scanning and information gathering. Nmap is a powerful tool for network administrators and security professionals, offering a wide range of options to explore and analyze networks.
By using these commands, you can effectively perform network scanning, discover services and vulnerabilities, and gather detailed information about your targets. Make sure to use Nmap responsibly and only scan networks and devices you have permission to test.
For information on Nmap NSE scripts development, please read this document.