10 nmap Commands Every Sysadmin Should Know Flashcards

1
Q

Ping Scan

Discover IPs in a subnet (no root)

-sP is the old spelling of -sn: host discovery only, no port scan. Without root nmap cannot send ARP or ICMP probes, so it falls back to TCP connects to ports 80 and 443 and will miss hosts that block both.

A

$ nmap -sP 192.168.0.0/24

Starting Nmap 5.21 ( http://nmap.org ) at 2013-02-24 09:37 MST

Nmap scan report for 192.168.0.1

Host is up (0.0010s latency).

Nmap scan report for 192.168.0.95

Host is up (0.0031s latency).

Nmap scan report for 192.168.0.110

Host is up (0.0018s latency).
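The point of a ping sweep for a sysadmin is usually "what answered that I don't know about?". Below is an added example, not from the flashcard deck, that turns the grepable form of the sweep (`nmap -sn -oG - 192.168.0.0/24`) into that check. The -oG text and the inventory list are constructed for the card's subnet; neither comes from a real scan.

```shell
#!/bin/sh
# Added example (not from the flashcard deck): turn a ping sweep into a host
# inventory check. Modern nmap spells the ping scan -sn (-sP is the old alias):
#   nmap -sn -oG - 192.168.0.0/24
# The grepable text below is CONSTRUCTED to look like that command's output for
# the card's subnet; it was not produced by a real scan.
SAMPLE_GREPABLE='# Nmap 5.21 scan initiated Sun Feb 24 09:37:00 2013 as: nmap -sn -oG - 192.168.0.0/24
Host: 192.168.0.1 (router.local) Status: Up
Host: 192.168.0.95 () Status: Up
Host: 192.168.0.110 () Status: Up
Host: 192.168.0.200 () Status: Down
# Nmap done at Sun Feb 24 09:37:02 2013 -- 256 IP addresses (3 hosts up) scanned in 2.11 seconds'

# HYPOTHETICAL inventory of the devices that are supposed to be on this subnet.
KNOWN_HOSTS='192.168.0.1 192.168.0.110'

# live_hosts: read -oG output on stdin, print the IP of every host reported Up.
# Down hosts only appear in -oG output when -v is given; the filter handles both.
live_hosts() {
    awk '$1 == "Host:" && /Status: Up/ { print $2 }'
}

# unknown_hosts: IPs from stdin (one per line) that are not in the known list ($1).
# A hit is a device that answered on the wire but is missing from the inventory.
unknown_hosts() {
    awk -v known=" $1 " 'index(known, " " $0 " ") == 0 { print $0 }'
}

# Usage: one unknown IP per line (here 192.168.0.95).
printf '%s\n' "$SAMPLE_GREPABLE" | live_hosts | unknown_hosts "$KNOWN_HOSTS"
```

In practice you would pipe a live `nmap -sn -oG -` run into `live_hosts` and keep the inventory in a file; the awk filters only depend on the `Host: <ip> (<name>) Status: Up` shape of grepable output.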

2
Q

Scan for open ports (no root)

With no scan type given, nmap probes the 1,000 most common TCP ports on each host. As an unprivileged user this is a TCP connect scan (-sT); as root it would be a SYN scan (-sS).

A

nmap 192.168.0.0/24

Starting Nmap 5.21 ( http://nmap.org ) at 2013-02-24 09:23 MST

Nmap scan report for 192.168.0.1

Host is up (0.0043s latency).

Not shown: 998 closed ports

PORT STATE SERVICE

80/tcp open http

443/tcp open https

3
Q

Identify the Operating System of a host (requires root)

-O sends crafted probes and matches the replies against nmap's fingerprint database, so the result is a best guess, not a fact.

A

nmap -O 192.168.0.164

Starting Nmap 5.21 ( http://nmap.org ) at 2013-02-24 09:49 MST

Nmap scan report for 192.168.0.164

Host is up (0.00032s latency).

Not shown: 996 closed ports

PORT STATE SERVICE

88/tcp open kerberos-sec

139/tcp open netbios-ssn

445/tcp open microsoft-ds

631/tcp open ipp

MAC Address: 00:00:00:00:00:00 (Unknown)

Device type: general purpose

Running: Apple Mac OS X 10.5.X

OS details: Apple Mac OS X 10.5 - 10.6 (Leopard - Snow Leopard) (Darwin 9.0.0b5 - 10.0.0)

Network Distance: 1 hop

4
Q

Identify Hostnames (no root)

This is one of the more subtle nmap commands: -sL is a list scan. nmap sends nothing to the targets; it enumerates the addresses and does a reverse-DNS (PTR) lookup for each, so the names come from your resolver rather than from the hosts, and the targets see no traffic. Use -n to skip the lookups, or -R to force them on other scan types.

A

$ nmap -sL 192.168.0.0/24

Starting Nmap 5.21 ( http://nmap.org ) at 2013-02-24 09:59 MST

Nmap scan report for 192.168.0.0

Nmap scan report for router.local (192.168.0.1)

Nmap scan report for fakehost.local (192.168.0.2)

Nmap scan report for another.fakehost.local (192.168.0.3)

5
Q

TCP SYN and UDP Scan (requires root)

-PN (spelled -Pn in current releases) skips host discovery and scans the target even if it ignores pings. open|filtered on a UDP port means nmap got no answer at all: either the port is open and the service stayed silent, or a filter dropped the probe.

A

nmap -sS -sU -PN 192.168.0.164

Starting Nmap 5.21 ( http://nmap.org ) at 2013-02-24 13:25 MST

Nmap scan report for 192.168.0.164

Host is up (0.00029s latency).

Not shown: 1494 closed ports, 496 filtered ports

PORT STATE SERVICE

88/tcp open kerberos-sec

139/tcp open netbios-ssn

445/tcp open microsoft-ds

631/tcp open ipp

88/udp open|filtered kerberos-sec

123/udp open ntp

137/udp open netbios-ns

138/udp open|filtered netbios-dgm

631/udp open|filtered ipp

5353/udp open zeroconf

6
Q

TCP Connect Scan (no root)

This is similar to the TCP SYN scan, but instead of crafting raw SYN packets and reading the replies, nmap asks the OS to complete a full TCP three-way handshake (connect()) to each of the 1,000 most common ports. No raw-socket privileges are needed, but the completed connections are far more likely to show up in the target's logs.

A

nmap -sT 192.168.0.164

Starting Nmap 5.21 ( http://nmap.org ) at 2013-02-24 12:48 MST

Nmap scan report for 192.168.0.164

Host is up (0.0014s latency).

Not shown: 964 closed ports, 32 filtered ports

PORT STATE SERVICE

88/tcp open kerberos-sec

139/tcp open netbios-ssn

445/tcp open microsoft-ds

631/tcp open ipp

7
Q

Aggressively Scan Hosts (no root)

-A turns on version detection (-sV), the default NSE scripts (-sC), OS detection and traceroute; the last two need root, so as an unprivileged user -A amounts to -sV -sC. -T4 speeds up the timing template. The scripts talk to the services they find, so this is noisy and should only be run against hosts you are authorized to scan.

A

nmap -T4 -A 192.168.0.0/24

Nmap scan report for 192.168.0.95

Host is up (0.00060s latency).

Not shown: 996 closed ports

PORT STATE SERVICE VERSION

22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1 (protocol 2.0)

| ssh-hostkey: 1024 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:6c (DSA)
|_2048 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:6c (RSA)

80/tcp open http nginx 1.1.19

|_http-title: 403 Forbidden

|_http-methods: No Allow or Public header in OPTIONS response (status code 405)

111/tcp open rpcbind

| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100003 2,3,4 2049/tcp nfs
| 100003 2,3,4 2049/udp nfs
| 100005 1,2,3 46448/tcp mountd
| 100005 1,2,3 52408/udp mountd
| 100021 1,3,4 35394/udp nlockmgr
| 100021 1,3,4 57150/tcp nlockmgr
| 100024 1 49363/tcp status
| 100024 1 51515/udp status
| 100227 2,3 2049/tcp nfs_acl
|_ 100227 2,3 2049/udp nfs_acl

2049/tcp open nfs (nfs V2-4) 2-4 (rpc #100003)

Service Info: OS: Linux; CPE: cpe:/o:linux:kernel

8
Q

Fast Scan (no root)

-F limits the scan to the 100 most common ports instead of 1,000. If you just want a quick look for hosts with ports open that shouldn't be, this is the quick-and-dirty command to use.

A

nmap -T4 -F 192.168.0.164

Starting Nmap 6.01 ( http://nmap.org ) at 2013-02-24 12:49 MST

Nmap scan report for 192.168.0.164

Host is up (0.00047s latency).

Not shown: 96 closed ports

PORT STATE SERVICE

88/tcp open kerberos-sec

139/tcp open netbios-ssn

445/tcp open microsoft-ds

631/tcp open ipp

9
Q

Verbose

Adding -v to most of the commands above gives better insight into what nmap is doing; for some scans, verbosity provides details that the final report omits. -vv increases the level further.

A

nmap -T4 -A -v 192.168.0.164

10
Q

TCP SYN and UDP scan for all ports (requires root)

-p 1-65535 (or the shorthand -p-) covers every port in both protocols instead of the top 1,000. Expect the UDP half to take hours: most hosts rate-limit the ICMP port-unreachable replies nmap relies on to mark UDP ports closed.

A

nmap -sS -sU -PN -p 1-65535 192.168.0.164

Starting Nmap 5.21 ( http://nmap.org ) at 2013-02-24 10:18 MST

Nmap scan report for 192.168.0.164

Host is up (0.00029s latency).

Not shown: 131052 closed ports

PORT STATE SERVICE

88/tcp open kerberos-sec

139/tcp open netbios-ssn

445/tcp open microsoft-ds

631/tcp open ipp

17500/tcp open unknown

88/udp open|filtered kerberos-sec

123/udp open ntp

137/udp open netbios-ns

138/udp open|filtered netbios-dgm

631/udp open|filtered ipp

5353/udp open zeroconf

17500/udp open|filtered unknown

51657/udp open|filtered unknown

54658/udp open|filtered unknown

56128/udp open|filtered unknown

57798/udp open|filtered unknown

58488/udp open|filtered unknown

60027/udp open|filtered unknown
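A full TCP+UDP scan like this one is only useful if you compare it against what the host is supposed to expose, and treat `open` and `open|filtered` differently. The following is an added example, not part of the flashcard deck: the scan text is the card's own output above, and the allowlist is a hypothetical baseline for that Mac (Kerberos, SMB, IPP, NTP, NetBIOS name service, mDNS).

```shell
#!/bin/sh
# Added example (not from the flashcard deck): check a full TCP+UDP scan against
# the ports a host is supposed to expose, and separate the two kinds of bad news.
# SCAN_OUTPUT is the port table from the card above; ALLOWED_PORTS is a
# HYPOTHETICAL baseline for that host.
SCAN_OUTPUT='PORT STATE SERVICE
88/tcp open kerberos-sec
139/tcp open netbios-ssn
445/tcp open microsoft-ds
631/tcp open ipp
17500/tcp open unknown
88/udp open|filtered kerberos-sec
123/udp open ntp
137/udp open netbios-ns
138/udp open|filtered netbios-dgm
631/udp open|filtered ipp
5353/udp open zeroconf
17500/udp open|filtered unknown
51657/udp open|filtered unknown
54658/udp open|filtered unknown
56128/udp open|filtered unknown
57798/udp open|filtered unknown
58488/udp open|filtered unknown
60027/udp open|filtered unknown'

ALLOWED_PORTS='88/tcp 139/tcp 445/tcp 631/tcp 123/udp 137/udp 5353/udp'

# unexpected_open: ports confirmed open (stdin) that are not in the allowlist ($1).
# These answered a probe, so they are real listeners nobody signed off on.
unexpected_open() {
    awk -v allow=" $1 " '
        $1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" && index(allow, " " $1 " ") == 0 {
            print $1, $3
        }'
}

# unconfirmed_udp: UDP ports reported open|filtered (stdin). nmap got no reply at
# all, so each is either a silent service or a dropped probe. They need a
# follow-up (for example -sV, which sends protocol-specific payloads) before
# being judged; filing them as closed would be a mistake.
unconfirmed_udp() {
    awk '$1 ~ /\/udp$/ && $2 == "open|filtered" { print $1 }'
}

# Usage: the one confirmed listener outside the baseline, then the count of
# UDP ports still needing a verdict (17500/tcp unknown, then 10).
printf '%s\n' "$SCAN_OUTPUT" | unexpected_open "$ALLOWED_PORTS"
printf '%s\n' "$SCAN_OUTPUT" | unconfirmed_udp | wc -l
```

Feeding a live `nmap -sS -sU -Pn -p- <host>` run into the same two filters gives a one-line answer to "what is listening that shouldn't be" and a worklist of UDP ports to re-probe, instead of a 65,535-line report to read by eye.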
