
How to Use Nmap Command to Network Scan Guide

What is Nmap?

At its core, Nmap is a network scanning tool that uses raw IP packets to identify the devices on a network and report the services and operating systems they run.

The tool is mostly used from a command-line interface (although a GUI front-end is also available) and runs on many operating systems such as Linux, FreeBSD, and Gentoo. Its reputation has also been strengthened by an active and enthusiastic user community.

The rise of IoT, in particular, means that the networks organizations run have become more complex and therefore harder to protect.

As a result, Nmap is now built into many network monitoring tools to inspect traffic between web servers and IoT devices. The emergence of IoT botnets such as Mirai has also renewed interest in Nmap because it can detect devices that expose the UPnP protocol and highlight any potentially malicious devices.

How to use Nmap

Nmap is straightforward to use, and many of the capabilities it provides are familiar to system administrators from other applications. The advantage of Nmap is that it brings these capabilities into one tool, rather than forcing you to switch between several different network monitoring tools.

To use Nmap, you need to become familiar with its command-line options. Advanced users often write scripts to automate routine tasks, but this is not required for basic network monitoring.

How To Install Nmap

The process of installing Nmap is simple but varies depending on your operating system. Windows, Mac, and Linux versions of the program can be downloaded from the Nmap website.

Install on Linux & Termux (apt-based):

apt install nmap -y

Nmap Command List

1. Normal Scanning

1. Scanning a system by hostname and by IP address. First, scan using the hostname:

nmap www.onlinehacking.in

Now let’s scan using the IP address:

nmap 192.168.0.101

The nmap command allows you to scan a system in various ways. Here we scan using the hostname “onlinehacking.in” and the IP address “192.168.0.101” to find the open ports, the services behind them, and (on the local network) the MAC address of the host.
2. Advanced option scan

Use the “-v” (verbose) option to run an advanced scan that shows progress and details live as the scan runs.

nmap -v www.onlinehacking.in
3. Multiple Ip Address Scan

The list of Nmap commands also includes scanning several IP addresses at once. If you want to scan a single IP address, follow the command given in point 1; if you want to scan multiple IP addresses, use the form below.

nmap 104.21.71.131 172.67.192.189 192.168.0.101

nmap onlinehacking.in termux.xyz onlinehacking.org

We can scan multiple hosts by listing IP addresses or hostnames on the nmap command line. This syntax helps when the addresses are unrelated; consecutive IP addresses have their own range syntaxes, shown later.
4. Display open ports

Finding open ports (destination ports that respond to TCP/UDP/SCTP requests) is the first step both in securing a network and in attacking one. If you want to see only the ports you can actually connect to, this command comes in handy.

Command: nmap --open <IP address/domain name>

nmap --open 192.168.0.101

In the example above, we use the “--open” parameter with the IP address 192.168.0.101, so Nmap shows us only ports in the open state.
5. Nmap All Port Scan Command

If you want to scan a single port or a whole range of ports on a remote or local host, you’ll need the Nmap port scan command. Here is the Nmap port scan command:

nmap -p 1-65535 192.168.0.101

In this example you have scanned all 65535 TCP ports on the host. You can change the range to suit your needs, and the number of scanned ports will change accordingly. Scanning all ports takes longer than the default, but it makes sure nothing listening on an unusual port is missed.
6. Most Popular Ports Scanning

Goal: Scan a fixed number of the most commonly open ports.

To use this command, pass the “--top-ports” option with a numeric value. Nmap keeps statistics on which ports are most often open, and this option scans that many of the most common ones instead of the default 1000, which gives faster results when a quick overview is enough.

Command: nmap --top-ports <numeric value> <IP address/domain>

nmap --top-ports 20 192.168.0.101

In our example, we used the “--top-ports” option to specify that we need to scan the top 20 ports of the IP address 192.168.0.101.
7. Ping Scan Using Nmap

The list of Nmap commands is extensive. Many examples could be given, but if you want to run a ping scan with Nmap, you do it like this:

This command sends an Internet Control Message Protocol (ICMP) echo request to every IP address in the network range. The main disadvantage of this type of scan is that some remote hosts block ICMP ping packets. A common example is Windows Firewall with Advanced Security, which blocks ICMP echo request packets by default. This command reports which hosts are up and is less aggressive than the other scans.

nmap -sn 192.168.5.0/24

The “-sn” option (the older spelling “-sP” is still accepted) disables port scanning, so only host discovery is done. This is probably one of the most used and popular Nmap commands for detecting hosts on a network.
8. Scanning IP Range

The Nmap scan command can scan an entire range of IP addresses. The range can be written in CIDR notation or as a range in the last octet. Example:

nmap 192.168.0.0/24
nmap 192.168.0.1-255

As with the other syntaxes, you choose the range to suit the scan. Several syntaxes can select non-consecutive addresses in a range, and others scan consecutive IP addresses.
9. Scanning the entire subnet

We can scan an entire subnet or IP range with nmap by using “*” as a wildcard for an octet. It will scan the whole subnet and report on the hosts it finds.

nmap 192.168.71.*
10. Service Version Detection

Nmap has a database of more than 2000 services and their usual ports, for example SSH (port 22) and HTTP (port 80). If you want to know which software versions are running, use Nmap version detection (-sV) when doing a network inventory. Knowing the exact version number is very helpful when checking whether the software on your server has known vulnerabilities.

nmap -sV 192.168.0.101

In the example above, we run a version check using the “-sV” option, and it gives us a list of services with their versions.
11. Scanning IP and Scan Host from a File

If we have a long list of addresses to scan, we can pass the file directly on the command line with -iL, and Nmap will scan every target it contains. The file may hold IP addresses, ranges, and hostnames, one target per line. To use this command, first create the file (input.txt in the example below) with that content:

nmap -iL input.txt
12. Get OS Information

Nmap is an ideal choice for many when it comes to remote OS detection. The -A flag tells Nmap to find and display OS information about the hosts you are testing.

nmap -A 192.168.0.101
nmap -A -v 192.168.0.101

You can add the -v flag for more information in your scan result. This is a good way for beginners to run Nmap commands. The same flags can be combined with the file input shown earlier to get OS information for the hosts listed in a file.
13. Information about the Host

Here -A enables aggressive scanning: OS detection (-O), version detection (-sV), script scanning (-sC), and traceroute, which together provide a lot of important information about the host.

nmap -A <Domain Name>
14. Operating System Scan

This shows the operating system when the domain or IP address is up. It cannot see the real operating system installed on the machine; it fingerprints the responses the host sends over the network and guesses the operating system from them, so treat the result as a best guess.

nmap -O <Domain Name>
15. Saving the result to a file

Using Nmap commands has become a routine part of administration work. If you want to save the results, you can do it like this:

nmap -oN output.txt 192.168.0.101
nmap -oN output.txt onlinehacking.org

This command writes the result to a file so you can review it later instead of reading it off the screen.
16. Nmap UDP Scan

Description: Nmap scans a target computer by sending a UDP packet to each target port. This command requires root/admin privileges.

Although most popular services on the Internet run over TCP, some services such as DNS [port 53], SNMP [ports 161/162], and DHCP [ports 67/68] still use UDP.

A common mistake is to forget to harden UDP ports on your system/network, leaving them exposed to UDP-based attacks, which are quite common. The UDP scan -sU can be combined with the SYN scan -sS to check both protocols in the same scan, as seen in Figure 1.7.

nmap -sU 192.168.0.101
17. Nmap TCP Scan

One of the best things about Nmap is its command for checking open ports, and the second best thing is its ability to work with both TCP and UDP without any hiccups. A few services are limited to TCP only, but people understand the benefit of scanning UDP-based services as well. Here are examples of both of these scans that Nmap allows.

The output you get when you scan using a standard TCP connect scan:

nmap -sT 192.168.0.101
18. Nmap TCP SYN Scan

The Nmap TCP SYN scan sends a SYN packet to the 1000 most used ports on the target computer and waits for a response.

Because the TCP SYN scan does not complete a full connection to the target, the target application never sees a connection and usually does not log the attempt, which is why this method is often called a stealth scan. Keep in mind, however, that stealth is not guaranteed: modern firewalls and intrusion detection systems can detect it.

The output of the -sS command for scanme.nmap.org is shown in Figure 1.1.

sudo nmap -sS 192.168.0.101
19. Namp TCP ACK Scan

Firewall information scan, used to map how the firewall is configured.

Finding firewall rules can be helpful during penetration testing and risk assessment. To see them we use the “-sA” option, which uses ACK packets: a port that answers with RST is reported as unfiltered, while one that gives no answer or an ICMP error is reported as filtered, which tells you about the firewalls in front of the host.

sudo nmap -sA 192.168.0.101

sudo nmap -v -sA 192.168.0.101
20. Using Nmap to Detect CVE

Many system administrators are not aware of this feature that Nmap offers: CVE detection. It is one of the best features, yet people rarely use it. Nmap ships with predefined scripts (the Nmap Scripting Engine) that perform this check. You can use these predefined scripts or write your own in the Lua programming language to add specific functionality that helps with CVE detection. Below is the command you need to use:

nmap -Pn --script vuln 192.168.1.105
nmap -Pn --script vuln testphp.vulnweb.com
21. How to run Dos with Nmap

One thing Nmap will never be short on is features. From Nmap command cheat sheets to Nmap Termux commands, there are several cross-platform features available in Nmap. In addition to all the other commands, Nmap can run a denial-of-service (DoS) test script. It is used to test how a web server holds up under a slowloris-style load.

The command you will need to follow to do this is:

nmap 192.168.0.102 --max-parallelism 800 -Pn --script http-slowloris --script-args http-slowloris.runforever=true
22. Detection of remote host malware infection

Nmap commands in Kali Linux, Nmap commands in Termux, and Nmap commands for vulnerability scanning are all essential for system administrators, but detecting malware on a remote host is even more important.

You can simply use the Google malware check (the http-malware-host script) with the command:

nmap -sV --script=http-malware-host www.sopharma.bg
23. No Ping Scan | Firewall Bypass

The no-ping option skips host discovery. It is enabled with the -Pn option. By default, Nmap only port-scans hosts that host discovery found to be up. With this option, Nmap performs the requested scan against every specified target IP as if each were up. Use it when it is important to check every possible host, including those that do not respond to host discovery.

nmap -Pn 192.168.0.102
24. Consult Nmap Documentation

As Nmap has grown so much over time, it is very difficult to remember all its options. Fortunately, the Nmap documentation provides excellent information to help users get started.

The following command lists all the available Nmap options. The reference manual gives more details on each.

nmap --help
Target Specification :

| Switch | Example | Description |
|---|---|---|
| | nmap 192.168.0.101 | Scan single IP |
| | nmap 192.168.0.1 192.168.0.102 | Scan specific IPs |
| | nmap 192.168.0.1-254 | Scan range |
| | nmap scanme.nmap.org | Scan domain |
| | nmap 192.168.0.1/24 | Scan using CIDR notation |
| -iL | nmap -iL target.txt | Scan targets from file |
| -iR | nmap -iR 50 | Scan 50 random hosts |
| --exclude | nmap 192.168.0.1/24 --exclude 192.168.0.101 | Exclude listed hosts |
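The target syntaxes in the table above (single address, octet range, CIDR block, wildcard) and in the range examples earlier are easy to get wrong when scoping a scan, and a defender usually wants to know exactly which addresses a spec expands to before running it. The following Python is an added example, not part of the original page or of the Nmap project: it expands Nmap-style IPv4 target specs the way the table describes, applies an --exclude style list, and de-duplicates. Hostnames are rejected here (Nmap resolves them through DNS); the function names expand_target and expand_targets are the example's own.

```python
"""Expand Nmap-style IPv4 target specifications into individual addresses (added example)."""
import ipaddress
from itertools import product
from typing import Iterable, List


def _expand_octet(part: str) -> List[int]:
    """Expand one octet field: '5', '1-20', '*', '-5', '250-' or a comma list like '1,3,10-12'."""
    values: List[int] = []
    for piece in part.split(","):
        if piece == "*":
            values.extend(range(256))
        elif "-" in piece:
            lo, hi = piece.split("-", 1)
            # nmap treats a missing start as 0 and a missing end as 255
            values.extend(range(int(lo) if lo else 0, (int(hi) if hi else 255) + 1))
        else:
            values.append(int(piece))
    for v in values:
        if not 0 <= v <= 255:
            raise ValueError(f"octet value out of range: {v}")
    return values


def expand_target(spec: str) -> List[str]:
    """Expand a single target spec: CIDR block, per-octet ranges/wildcards, or a plain address."""
    spec = spec.strip()
    if "/" in spec:
        # nmap scans every address in the block, including the network and broadcast
        # addresses, and ignores host bits (192.168.0.1/24 means the whole /24)
        network = ipaddress.ip_network(spec, strict=False)
        return [str(a) for a in network]
    octets = spec.split(".")
    if len(octets) != 4:
        # hostnames and IPv6 are out of scope for this example
        raise ValueError(f"unsupported target spec: {spec!r}")
    expanded = [_expand_octet(o) for o in octets]
    return [".".join(map(str, combo)) for combo in product(*expanded)]


def expand_targets(specs: Iterable[str], exclude: Iterable[str] = ()) -> List[str]:
    """Expand several specs, drop anything matched by the exclude specs, keep first-seen order."""
    excluded = set()
    for ex in exclude:
        excluded.update(expand_target(ex))
    seen, result = set(), []
    for spec in specs:
        for addr in expand_target(spec):
            if addr in excluded or addr in seen:
                continue
            seen.add(addr)
            result.append(addr)
    return result


if __name__ == "__main__":
    # Constructed scope: the /24 from the table minus one excluded host.
    scope = expand_targets(["192.168.0.1/24"], exclude=["192.168.0.101"])
    print(len(scope), "addresses; first:", scope[0], "last:", scope[-1])
```

Checking a scope this way before a scan is also a cheap guard against accidentally covering addresses outside the range you were asked to test.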


Nmap Scan Techniques :

| Switch | Example | Description |
|---|---|---|
| -sS | nmap 192.168.0.101 -sS | TCP SYN port scan (default when run as root) |
| -sT | nmap 192.168.0.101 -sT | TCP connect port scan (default when not root) |
| -sU | nmap 192.168.0.101 -sU | UDP port scan |
| -sA | nmap 192.168.0.101 -sA | TCP ACK port scan |
| -sW | nmap 192.168.0.101 -sW | TCP Window port scan |
| -sM | nmap 192.168.0.101 -sM | TCP Maimon port scan |

Host Discovery :

| Switch | Example | Description |
|---|---|---|
| -sL | nmap 192.168.0.1-3 -sL | No scan. List targets only |
| -sn | nmap 192.168.0.1/24 -sn | Disable port scanning. Host discovery only |
| -Pn | nmap 192.168.0.1-5 -Pn | Disable host discovery. Port scan only |
| -PS | nmap 192.168.0.1-5 -PS22-25,80 | TCP SYN discovery on port x. Port 80 by default |
| -PA | nmap 192.168.0.1-5 -PA22-25,80 | TCP ACK discovery on port x. Port 80 by default |
| -PU | nmap 192.168.0.1-5 -PU53 | UDP discovery on port x. Port 40125 by default |
| -PR | nmap 192.168.0.1/24 -PR | ARP discovery on the local network |
| -n | nmap 192.168.0.101 -n | Never do DNS resolution |

Port Specification :

| Switch | Example | Description |
|---|---|---|
| -p | nmap 192.168.0.101 -p 21 | Port scan for port x |
| -p | nmap 192.168.0.101 -p 21-100 | Port range |
| -p | nmap 192.168.0.101 -p U:53,T:21-25,80 | Port scan multiple TCP and UDP ports |
| -p | nmap 192.168.0.101 -p- | Port scan all ports |
| -p | nmap 192.168.0.101 -p http,https | Port scan from service name |
| -F | nmap 192.168.0.101 -F | Fast port scan (100 ports) |
| --top-ports | nmap 192.168.0.101 --top-ports 2000 | Port scan the top x ports |
| -p-65535 | nmap 192.168.0.101 -p-65535 | Leaving off the initial port in the range makes the scan start at port 1 |
| -p0- | nmap 192.168.0.101 -p0- | Leaving off the end port in the range makes the scan go through to port 65535 |

Output :

| Switch | Example | Description |
|---|---|---|
| -oN | nmap 192.168.0.101 -oN normal.file | Normal output to the file normal.file |
| -oX | nmap 192.168.0.101 -oX xml.file | XML output to the file xml.file |
| -oG | nmap 192.168.0.101 -oG grep.file | Grepable output to the file grep.file |
| -oA | nmap 192.168.0.101 -oA results | Output in the three major formats at once |
| -oG - | nmap 192.168.0.101 -oG - | Grepable output to the screen. -oN -, -oX - also usable |
| -v | nmap 192.168.0.101 -v | Increase the verbosity level (use -vv or more for greater effect) |
| -d | nmap 192.168.0.101 -d | Increase debugging level (use -dd or more for greater effect) |
| --reason | nmap 192.168.0.101 --reason | Display the reason a port is in a particular state, the same output as -vv |
| --open | nmap 192.168.0.101 --open | Only show open (or possibly open) ports |
| --packet-trace | nmap 192.168.0.101 -T4 --packet-trace | Show all packets sent and received |
| --iflist | nmap --iflist | Shows the host interfaces and routes |
| --resume | nmap --resume results.file | Resume a scan |
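Saving results with -oN is fine for reading by eye, but the XML format from -oX in the table above is the one to use when the output feeds an inventory or a monitoring check. The following Python is an added example, not part of the original page or of the Nmap project: it parses the XML that -oX produces (the host/ports/port/state/service structure) into per-port records, filters them the way --open does, and groups open services per host so the result can be diffed against a known baseline. The sample XML is constructed for the example and is not a real scan; the function names are the example's own.

```python
"""Parse Nmap -oX output into per-port records and summarize open services (added example)."""
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed sample in the shape of `nmap -sV -oX -` output; the hosts and versions are made up.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX - 192.168.0.101-102" start="0">
  <host>
    <status state="up" reason="echo-reply"/>
    <address addr="192.168.0.101" addrtype="ipv4"/>
    <hostnames><hostname name="example.lan" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="8.9p1" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack"/>
        <service name="http" product="nginx" version="1.18.0" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="23">
        <state state="filtered" reason="no-response"/>
        <service name="telnet" method="table" conf="3"/>
      </port>
      <port protocol="udp" portid="161">
        <state state="open|filtered" reason="no-response"/>
        <service name="snmp" method="table" conf="3"/>
      </port>
    </ports>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="192.168.0.102" addrtype="ipv4"/>
  </host>
  <runstats><finished elapsed="12.3"/><hosts up="1" down="1" total="2"/></runstats>
</nmaprun>
"""


def parse_nmap_xml(xml_text: str) -> List[Dict]:
    """Return one record per scanned port with address, protocol, port, state, service and version."""
    root = ET.fromstring(xml_text)
    records = []
    for host in root.findall("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        addr = addr_el.get("addr")
        for port in host.findall("ports/port"):
            state = port.find("state")
            service = port.find("service")
            records.append({
                "address": addr,
                "protocol": port.get("protocol"),
                "port": int(port.get("portid")),
                "state": state.get("state") if state is not None else "unknown",
                "reason": state.get("reason", "") if state is not None else "",
                "service": service.get("name", "") if service is not None else "",
                "product": service.get("product", "") if service is not None else "",
                "version": service.get("version", "") if service is not None else "",
                # conf=10 means a version probe matched; a low value is only a port-table guess
                "conf": int(service.get("conf", "0")) if service is not None else 0,
            })
    return records


def hosts_up(xml_text: str) -> List[str]:
    """Addresses whose <status> is 'up' (what a -sn host discovery would report)."""
    root = ET.fromstring(xml_text)
    return [h.find("address").get("addr") for h in root.findall("host")
            if h.find("status") is not None and h.find("status").get("state") == "up"]


def open_ports(records: List[Dict], include_possibly_open: bool = False) -> List[Dict]:
    """Keep open ports; with include_possibly_open also keep 'open|filtered' (UDP no-response)."""
    wanted = {"open", "open|filtered"} if include_possibly_open else {"open"}
    return [r for r in records if r["state"] in wanted]


def summarize_by_host(records: List[Dict]) -> Dict[str, List[str]]:
    """Group records as 'proto/port service product version' strings per address, sorted."""
    summary: Dict[str, List[str]] = {}
    for r in sorted(records, key=lambda r: (r["address"], r["protocol"], r["port"])):
        label = f'{r["protocol"]}/{r["port"]} {r["service"]}'
        for extra in (r["product"], r["version"]):
            if extra:
                label += f" {extra}"
        summary.setdefault(r["address"], []).append(label)
    return summary


if __name__ == "__main__":
    recs = parse_nmap_xml(SAMPLE_XML)
    for host, services in summarize_by_host(open_ports(recs)).items():
        print(host, "->", "; ".join(services))
```

Run it against a real file with `parse_nmap_xml(open("xml.file").read())`; comparing `summarize_by_host` output between two scans is a simple way to spot a newly exposed service.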

Conclusion :

There are various ways you can extend what you do with Nmap. These commands and examples should help you understand and explore the Nmap scanning tool. Read through the whole post and keep in mind the commands that are useful for your own systems. Some commands are specific to a particular platform or interface, but many are common and can be used across all of them.

So you’ve decided to pursue a career in cyber security? Visit our onlinehacking.org website on Cyber Security and find the best opportunity to launch a successful career in Cyber Security.

Suman

Hello, I'm SUMAN from India. I’m currently working on Cyber Ethical Hacking Penetration Testing & Bug Bounty. I’m currently learning more about Web Design, Android ROM