nmap

nmap : 10 useful commands to use

Nmap, short for Network Mapper, is a powerful tool for network discovery and security auditing. It can be used to scan networks, hosts, and ports to find out what services are running, what operating systems are being used, and what type of firewalls are in place.

In this article, we’ll go over 10 useful Nmap commands that you can use to scan your network and gather information about your systems.

I already wrote an article on nmap in French; click here if you want to take a look at it.

Installation

If nmap is not installed, you can install it with the command below:

On CentOS / RHEL :

[root@Centos8 ~]# yum install nmap
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
epel/x86_64/metalink                                                                                                                                                                       |  56 kB  00:00:00
 * base: mirror.airenetworks.es
 * epel: mirrors.ptisp.pt
 * extras: mirror.airenetworks.es
 * updates: mirror.airenetworks.es
base                                                                                                                                                                                       | 3.6 kB  00:00:00
docker-ce-stable                                                                                                                                                                           | 3.5 kB  00:00:00
epel                                                                                                                                                                                       | 4.7 kB  00:00:00
extras                                                                                                                                                                                     | 2.9 kB  00:00:00
updates                                                                                                                                                                                    | 2.9 kB  00:00:00
(1/2): epel/x86_64/updateinfo                                                                                                                                                              | 1.0 MB  00:00:00
(2/2): epel/x86_64/primary_db                                                                                                                                                              | 7.0 MB  00:00:02
Resolving Dependencies
--> Running transaction check
---> Package nmap.x86_64 2:6.40-19.el7 will be installed
--> Processing Dependency: nmap-ncat = 2:6.40-19.el7 for package: 2:nmap-6.40-19.el7.x86_64
--> Processing Dependency: libpcap.so.1()(64bit) for package: 2:nmap-6.40-19.el7.x86_64
--> Running transaction check
---> Package libpcap.x86_64 14:1.5.3-13.el7_9 will be installed
---> Package nmap-ncat.x86_64 2:6.40-19.el7 will be installed
--> Finished Dependency Resolution

On Ubuntu/Debian :

# apt-get install nmap

nmap commands

1- Basic nmap syntax and options

# nmap <target>

The basic syntax for using nmap is simply nmap <target>, where <target> is either a hostname or an IP address. For example, you can use nmap 192.168.0.1 to scan a single host, or nmap 192.168.0.* to scan a range of hosts (the * is a wildcard for the last octet, so this covers every address in 192.168.0.0/24).

# nmap 192.168.0.1
# nmap 192.168.0.*

2- Advanced nmap scan options :

# nmap -sS <target>

The -sS option stands for « SYN scan », a half-open scan that probes ports without completing the TCP three-way handshake: nmap sends a SYN, reads the SYN/ACK or RST that comes back, and never sends the final ACK, so no full connection is established. This can be useful for evading detection by firewalls or intrusion detection systems.

3- Scanning UDP ports

# nmap -sU <target>

The -sU option stands for « UDP scan » and is used to find open UDP ports. This can be useful for discovering services that do not run on well-known TCP ports. Because many UDP services stay silent when probed, nmap often reports UDP ports as open|filtered, and a UDP scan takes much longer than a TCP scan.

4- Scanning a range of ports :

# nmap -p 22,80,443 192.168.0.1

The -p option specifies which ports to scan: a comma-separated list, as in this example, or a range written with a hyphen.

5- Detecting operating systems and version information

# nmap -O 192.168.20.5

The -O option stands for « OS detection » and makes nmap try to determine the operating system of the target host from the way its TCP/IP stack responds to probes. This can be useful for identifying vulnerabilities that are specific to certain operating systems.

6- Conducting stealthy and aggressive scans

# nmap -A 192.168.20.5

The -A option stands for « aggressive scan » and enables several advanced options at once: OS detection, version detection, script scanning and traceroute. This can be very useful for thoroughly probing a target host, but it sends far more traffic and increases the likelihood of being detected.

7- Scanning the most commonly used ports

# nmap --top-ports 100 192.168.20.5

The --top-ports option lets you scan a given number of the most commonly open ports, as ranked by nmap's own port-frequency data. For example, nmap --top-ports 100 will scan the 100 most commonly used ports.
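To make the ranking behind --top-ports concrete, here is an added example (not code from the original article) that reproduces the selection by hand: nmap ranks ports by the open-frequency column of its nmap-services file and takes the N highest-ranked ones. The SAMPLE_SERVICES text is a constructed excerpt in that file's three-column format, not the real file, so the exact ranking is only illustrative.

```shell
#!/bin/sh
# Added example, not part of the original article: reproduce how --top-ports
# picks its ports. Nmap ranks ports by the open-frequency column of its
# nmap-services file (normally /usr/share/nmap/nmap-services) and
# --top-ports N scans the N highest-ranked ones. SAMPLE_SERVICES below is a
# constructed excerpt in that file's format (name, port/proto, frequency),
# not the real file, so the ranking it produces is only illustrative.

# Print the N most frequently open TCP ports from an nmap-services style
# file read on stdin, one "port name frequency" line per port.
top_tcp_ports() {
    awk '
        /^#/ || NF < 3 { next }          # skip comments and short lines
        $2 ~ /\/tcp$/ {                  # keep TCP entries only
            split($2, p, "/")
            print $3, p[1], $1           # frequency port name
        }' \
    | sort -k1,1nr -k2,2n \
    | head -n "$1" \
    | awk '{ print $2, $3, $1 }'
}

# The same list as a -p argument, i.e. what "nmap --top-ports N" expands to.
top_tcp_ports_arg() {
    top_tcp_ports "$1" | awk '{ print $1 }' | paste -sd, -
}

SAMPLE_SERVICES='# constructed excerpt; columns: name port/proto open-frequency
http      80/tcp    0.484143
telnet    23/tcp    0.221265
https     443/tcp   0.208669
ftp       21/tcp    0.197667
ssh       22/tcp    0.182286
smtp      25/tcp    0.131314
ms-sql-s  1433/tcp  0.007929
snmp      161/udp   0.433467
domain    53/udp    0.213496
'

printf '%s' "$SAMPLE_SERVICES" | top_tcp_ports 5
printf '%s' "$SAMPLE_SERVICES" | top_tcp_ports_arg 5   # 80,23,443,21,22
```

The same frequency table is what a plain nmap run uses for its default 1000 ports and what -F uses for its 100, which is why a default scan can miss a service that sits on an unusual port: ranking by frequency is a speed trade-off, not a guarantee of coverage.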

8- Outputting verbose scan information

# nmap -v 192.168.20.25

The -v option stands for « verbose » and makes nmap print more detailed information about the scan's progress and results (-vv increases the level further). This can be useful for troubleshooting or for gathering more detail about a target host.

9- Scanning targets from a list

# nmap -iL targets.txt

The -iL option stands for « input from list » and lets you pass a text file containing the targets to scan, one per line. This can be useful for scanning large networks or for automating regular scans.
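The point of automating a regular scan is usually to notice change, so here is an added example (not code from the original article) that compares two scheduled runs and reports ports that are newly open. It assumes both runs were saved with nmap's real -oG grepable-output flag; the two files it writes are constructed samples in that format, not real scan results.

```shell
#!/bin/sh
# Added example, not part of the original article: report ports that are
# open in today's scan but were not open in a baseline scan. This is the
# usual defensive reason for running "nmap -iL targets.txt" on a schedule.
# It assumes both runs were saved in nmap's grepable format with -oG, e.g.
#   nmap -iL targets.txt -oG "scan-$(date +%F).gnmap"
# The two files written below are constructed sample outputs in that
# format, not real scan results.
export LC_ALL=C    # fixed collation so sort and comm agree

# Turn one -oG file (stdin) into sorted "host port/proto" lines, one per
# open port. Ports reported as open|filtered (common for UDP) are skipped.
open_ports() {
    awk -F'\t' '
        /^Host:/ {
            host = $1
            sub(/^Host: /, "", host); sub(/ .*/, "", host)   # keep the address only
            for (i = 2; i <= NF; i++) {
                if ($i !~ /^Ports: /) continue
                ports = $i; sub(/^Ports: /, "", ports)
                n = split(ports, entry, /, */)
                for (j = 1; j <= n; j++) {
                    split(entry[j], f, "/")      # port/state/proto/owner/service/...
                    if (f[2] == "open") print host, f[1] "/" f[3]
                }
            }
        }' | sort -u
}

# Lines present in the new scan ($2) but absent from the baseline ($1).
new_open_ports() {
    base=$(mktemp); cur=$(mktemp)
    open_ports < "$1" > "$base"
    open_ports < "$2" > "$cur"
    comm -13 "$base" "$cur"
    rm -f "$base" "$cur"
}

SCANDIR=$(mktemp -d)
BASELINE="$SCANDIR/baseline.gnmap"
CURRENT="$SCANDIR/current.gnmap"

{
    printf '# constructed sample of nmap -oG output (baseline)\n'
    printf 'Host: 192.168.0.10 (web.lan)\tStatus: Up\n'
    printf 'Host: 192.168.0.10 (web.lan)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 3306/closed/tcp//mysql///\tIgnored State: closed (997)\n'
    printf 'Host: 192.168.0.20 (db.lan)\tPorts: 22/open/tcp//ssh///, 5432/open/tcp//postgresql///\tIgnored State: closed (998)\n'
} > "$BASELINE"

{
    printf '# constructed sample of nmap -oG output (current)\n'
    printf 'Host: 192.168.0.10 (web.lan)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 8080/open/tcp//http-proxy///\tIgnored State: closed (997)\n'
    printf 'Host: 192.168.0.20 (db.lan)\tPorts: 22/open/tcp//ssh///, 5432/open/tcp//postgresql///, 6379/open/tcp//redis///\tIgnored State: closed (997)\n'
    printf 'Host: 192.168.0.30 ()\tPorts: 445/open/tcp//microsoft-ds///\tIgnored State: closed (999)\n'
} > "$CURRENT"

echo "Newly open since baseline:"
new_open_ports "$BASELINE" "$CURRENT"
```

In real use the two arguments are the -oG files from consecutive cron runs, and the script is deleted together with $SCANDIR once you are done with the sample. A line in the output is a prompt to check the asset inventory (was the new listener on 8080, 6379 or 445 approved?), and the same diff in reverse (comm -23) shows services that disappeared.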

10- Using Nmap scripts for additional functionality

# nmap --script=smb-enum-shares.nse 192.168.15.2

Nmap includes a number of built-in scripts (the Nmap Scripting Engine, NSE) that can be used to perform a variety of tasks, such as enumerating users, discovering vulnerabilities, or detecting malware. The --script option allows you to specify which scripts to run during a scan.