Nmap Commands Flashcards
Basic Scans, Service and Version Detection, Stealth and Evasion Scans, Timing and Performance, Output Options, Advanced Scanning, Vulnerability and Script Scanning, Firewall Detection and Bypass
Ping Scan
Check which hosts are online.
nmap -sP 192.168.1.0/24
-sP is the old spelling of -sn: host discovery only, no port scan. On a local Ethernet segment Nmap discovers hosts with ARP requests; for remote targets a privileged scan sends an ICMP echo request, a TCP SYN to port 443, a TCP ACK to port 80 and an ICMP timestamp request, while an unprivileged scan falls back to TCP connects to ports 80 and 443. Hosts that drop all of these are reported as down; add -Pn to scan them anyway.
Scan a Range of IPs
nmap 192.168.1.1-20
This scans the IP range from 192.168.1.1 to 192.168.1.20.
Scan an Entire Subnet
nmap 192.168.1.0/24
Scans all hosts in the subnet.
Scan Multiple IP Addresses or Hostnames
nmap 192.168.1.1 192.168.1.2 google.com
Scan Specific Ports
nmap -p 22 192.168.1.1
This scans only port 22 (SSH) on the target.
Scan a Range of Ports
nmap -p 1-100 192.168.1.1
This scans ports 1 through 100 on the target.
Scan All Ports
nmap -p- 192.168.1.1
Scans TCP ports 1 through 65535; port 0 is excluded unless requested explicitly with -p 0-65535.
Detect Service Versions
nmap -sV 192.168.1.1
This sends service probes to each open port and matches the replies against the nmap-service-probes database to name the service and its version; --version-intensity 0-9 (default 7) trades speed for coverage.
Aggressive Scan (Includes Service Detection, OS Detection, and More)
nmap -A 192.168.1.1
This performs an aggressive scan that combines OS detection (-O), version detection (-sV), the default script scan (-sC) and traceroute (--traceroute). It is noisy and needs root for the raw-packet parts.
Operating System Detection
nmap -O 192.168.1.1
This attempts to identify the operating system by sending a series of TCP, UDP and ICMP probes and matching the responses against Nmap's fingerprint database. Requires root, and results are only reliable when the target has at least one open and one closed TCP port.
Script Scan (Using NSE Scripts)
nmap -sC 192.168.1.1
This runs the default category of NSE (Nmap Scripting Engine) scripts, equivalent to --script=default, which gather extra information from open ports (banners, TLS certificates, SMB details) and include a few safe vulnerability checks. For explicit vulnerability scanning use --script vuln.
TCP SYN Scan (Stealth Scan)
nmap -sS 192.168.1.1
This performs a TCP SYN scan, often called a half-open scan: Nmap sends a SYN, classifies the port from the SYN/ACK or RST that comes back, and tears the connection down with a RST instead of completing the handshake. The application never sees a connection, so it does not log one, which is the only sense in which the scan is stealthy; a packet-level firewall or IDS sees every probe. It needs raw-packet privileges (root) and is Nmap's default scan type when run as root.
TCP Connect Scan
nmap -sT 192.168.1.1
This scan uses the operating system's connect() call, so it completes the three-way handshake. It works without root and is the default when Nmap runs unprivileged, but every probe to an open port is a real connection that the target application sees and may log, and it is slower than the SYN scan.
UDP Scan
nmap -sU 192.168.1.1
This scans UDP ports, which is how you find services like DNS (53), SNMP (161) and NTP (123). Most open UDP ports do not answer an empty probe, so Nmap reports them as open|filtered; add -sV so its protocol-specific payloads can confirm which are actually open. UDP scans are slow because many hosts rate-limit ICMP port-unreachable replies, so limit the port list (for example -p 53,123,161) or use --top-ports.
Fragmented Packets Scan
nmap -f 192.168.1.1
-f splits each probe into 8-byte IP fragments (use --mtu to pick a larger multiple of 8). It only applies to raw-packet scans such as -sS, and most modern firewalls and IDS reassemble fragments before inspection, so treat it as a test of the defense rather than a reliable bypass.
Spoofed IP Address Scan
nmap -S 192.168.1.100 192.168.1.1
-S sends probes with a forged source address. Replies go to the spoofed address, not to you, so you get no results unless you can sniff them on the path; Nmap also cannot pick a route or check that the target is up, so -e <interface> and -Pn are normally required. Its practical use is testing how a firewall treats traffic from a particular source, and it generates unwanted traffic at the spoofed host.
Scan Through a Proxy
nmap -sT -p 80 --proxies http://proxy.server.com:8080 192.168.1.1
--proxies relays TCP connections through a chain of HTTP or SOCKS4 proxies, but it is implemented in Nmap's nsock library, so only version detection (-sV) and NSE scripts use it; host discovery, the port scan itself and OS detection still go straight to the target. To push the whole scan through a proxy, run Nmap under an external wrapper such as proxychains with a connect scan (-sT) and -Pn.
Set Timing Templates (0-5)
Control the speed and stealthiness of scans.
nmap -T4 192.168.1.1
T0 (paranoid) and T1 (sneaky) serialize probes with long delays (5 minutes and 15 seconds) to stay under rate-based IDS thresholds; T3 is the default; T4 is the usual choice on a fast, reliable network; T5 is fastest but uses short timeouts that can miss ports on slow or lossy links.
Set Minimum Parallel Probes
nmap --min-parallelism 10 192.168.1.1
This forces Nmap to keep at least 10 probes in flight per host group, overriding its congestion control; --max-parallelism caps the number instead. Raising the minimum speeds up scans on reliable networks but can cause missed ports when packets are dropped.
Set Scan Delay Between Probes
nmap --scan-delay 1s 192.168.1.1
This waits at least one second between probes sent to a host, which slows the scan but keeps it under the per-second thresholds of rate-based IDS and avoids triggering rate limiting on the target. --max-scan-delay caps how far Nmap will back off on its own.
Normal Output
nmap 192.168.1.1 -oN output.txt
Saves the human-readable output to output.txt. -oX writes XML (the format other tools parse), -oG writes the grepable format, and -oA <basename> writes all three at once.
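As an added example that is not part of the original flashcards, the following script chains the Ping Scan card with the output options: it sweeps a subnet with -sn, feeds only the live hosts into a full port and version scan, and pulls the open ports out of the grepable (-oG) output. The function names, the file names live.txt and scan.gnmap, and the sample -oG lines are this example's own assumptions; the samples are constructed so the parsers can be run offline without touching a network.

```shell
#!/bin/sh
# Added example, not from the original flashcards: host discovery -> targeted
# port scan -> extraction of open ports from Nmap's grepable (-oG) output.
# Function names, file names and the sample output are assumptions of this
# example; the samples are CONSTRUCTED to mimic -oG lines.

# Print the IPs of hosts reported "Up" in -sn -oG output read from stdin.
# -oG lines are tab-separated: "Host: <ip> (<name>)<TAB>Status: Up".
live_hosts() {
    awk -F'\t' '/^Host:/ && $2 ~ /Status: Up/ { split($1, h, " "); print h[2] }'
}

# Print "ip port/proto service version" for every open port in -oG output.
# The Ports: field holds comma-separated entries of the form
# port/state/proto/owner/service/rpcinfo/version/ (slash-separated).
open_ports() {
    awk -F'\t' '/^Host:/ && $2 ~ /^Ports:/ {
        split($1, h, " "); ip = h[2]
        sub(/^Ports: /, "", $2)
        n = split($2, entries, ", ")
        for (i = 1; i <= n; i++) {
            split(entries[i], f, "/")
            if (f[2] == "open") printf "%s %s/%s %s %s\n", ip, f[1], f[3], f[5], f[7]
        }
    }'
}

# The real pipeline (needs root for -sS and a network you are allowed to scan):
#   -sn -oG -   host discovery only, grepable output to stdout
#   -iL FILE    read targets from the list we just built
#   -p- -sV     every TCP port, with version detection on whatever is open
run_pipeline() {
    subnet=$1
    nmap -sn -oG - "$subnet" | live_hosts > live.txt
    nmap -sS -p- -sV -iL live.txt -oG scan.gnmap >/dev/null
    open_ports < scan.gnmap
}

# CONSTRUCTED sample output so the parsers can be exercised offline.
sample_sweep() {
    printf '# Nmap 7.94 scan initiated as: nmap -sn -oG - 192.168.1.0/29\n'
    printf 'Host: 192.168.1.1 (router.lan)\tStatus: Up\n'
    printf 'Host: 192.168.1.3 ()\tStatus: Up\n'
    printf 'Host: 192.168.1.5 ()\tStatus: Down\n'
    printf '# Nmap done -- 8 IP addresses (2 hosts up) scanned\n'
}
sample_scan() {
    printf 'Host: 192.168.1.1 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1 Ubuntu/, 80/open/tcp//http//nginx 1.18.0/, 443/closed/tcp//https///\tIgnored State: filtered (65532)\n'
    printf 'Host: 192.168.1.3 ()\tPorts: 445/open/tcp//microsoft-ds//Samba smbd 4/\tIgnored State: closed (65534)\n'
}

echo "live hosts:"; sample_sweep | live_hosts
echo "open ports:"; sample_scan | open_ports
```

Call run_pipeline 192.168.1.0/24 (as root) to run it against a real subnet; the two parsers work unchanged on the files it writes. Parsing -oG with awk is convenient for quick triage, but for anything that feeds another tool prefer -oX and a proper XML parser, since the grepable format is frozen for compatibility and omits script output.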
Scan Specific IP Protocols
nmap -sO 192.168.1.1
This scans for supported IP protocols (ICMP, TCP, UDP, GRE and so on) rather than ports: Nmap sends a raw IP packet for each protocol number and reads an ICMP protocol-unreachable reply as closed, any other response as open, and silence as open|filtered. Requires root.
Scan Hosts with Decoy IPs
nmap -D RND:10 192.168.1.1
Launches a raw-packet scan that interleaves your probes with identical ones from 10 random decoy addresses, so an IDS sees 11 sources and cannot tell which one is real. Your real address is still in the mix (put ME in an explicit decoy list to choose its position), and replies only reach you, so results are unaffected. Decoy hosts should be online: the target's SYN/ACK replies to dead decoys leave half-open connections and can amount to a SYN flood.
Scan Using TCP ACK Scan
nmap -sA 192.168.1.1
This never reports a port as open: it sends bare ACK packets and marks a port unfiltered when a RST comes back (the packet reached the host) or filtered when nothing or an ICMP unreachable returns (something dropped it). Run it alongside a SYN scan of the same ports: a port that is filtered to SYN but unfiltered to ACK sits behind a stateless packet filter, while filtered to both points to a stateful firewall. Requires root.
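As an added example that is not part of the original flashcards, the script below joins the results of a SYN scan and an ACK scan of the same ports and labels each port with what the firewall in front of the host is doing. The function names and the sample -oG lines are this example's own assumptions; the samples are constructed to exercise every branch of the decision table, which a single real firewall would not.

```shell
#!/bin/sh
# Added example, not from the original flashcards: compare -sS and -sA results
# for the same ports to characterize a firewall. Function names and sample -oG
# output are assumptions of this example; the samples are CONSTRUCTED.
#
# Decision table (SYN state / ACK state):
#   open     / unfiltered  -> listening, no stateful firewall in the path
#   open     / filtered    -> listening behind a stateful firewall that allows
#                             new connections but drops unsolicited ACKs
#   closed   / unfiltered  -> reachable, nothing listening
#   filtered / unfiltered  -> stateless packet filter: drops SYN, passes ACK
#   filtered / filtered    -> dropped by everything: stateful firewall or a
#                             blanket drop rule

# stdin: -oG output -> one "port/proto state" line per scanned port.
port_states() {
    awk -F'\t' '/^Host:/ && $2 ~ /^Ports:/ {
        sub(/^Ports: /, "", $2)
        n = split($2, entries, ", ")
        for (i = 1; i <= n; i++) { split(entries[i], f, "/"); print f[1] "/" f[3], f[2] }
    }'
}

# $1: -oG file from nmap -sS, $2: -oG file from nmap -sA of the same ports.
classify_firewall() {
    syn_tmp=$(mktemp); ack_tmp=$(mktemp)
    port_states < "$1" > "$syn_tmp"
    port_states < "$2" > "$ack_tmp"
    awk 'NR == FNR { syn[$1] = $2; next }          # first file: SYN state by port
         {
           key = syn[$1] "/" $2                   # e.g. "filtered/unfiltered"
           if      (key == "open/unfiltered")     v = "open, no stateful firewall in the path"
           else if (key == "open/filtered")       v = "open, stateful firewall (unsolicited ACK dropped)"
           else if (key == "closed/unfiltered")   v = "closed, host reachable, nothing listening"
           else if (key == "filtered/unfiltered") v = "stateless packet filter: SYN dropped, ACK passes"
           else if (key == "filtered/filtered")   v = "blocked to all probes: stateful firewall or drop rule"
           else                                   v = "unexpected combination (" key ")"
           print $1, v
         }' "$syn_tmp" "$ack_tmp"
    rm -f "$syn_tmp" "$ack_tmp"
}

# To run for real (both scans need root for raw packets):
#   nmap -sS -p 22,25,80,3306,8080 -oG syn.gnmap 192.168.1.1
#   nmap -sA -p 22,25,80,3306,8080 -oG ack.gnmap 192.168.1.1
#   classify_firewall syn.gnmap ack.gnmap

# CONSTRUCTED samples standing in for syn.gnmap and ack.gnmap.
sample_syn() {
    printf 'Host: 192.168.1.1 ()\tPorts: 22/open/tcp//ssh///, 25/filtered/tcp//smtp///, 80/open/tcp//http///, 3306/closed/tcp//mysql///, 8080/filtered/tcp//http-proxy///\n'
}
sample_ack() {
    printf 'Host: 192.168.1.1 ()\tPorts: 22/unfiltered/tcp//ssh///, 25/unfiltered/tcp//smtp///, 80/filtered/tcp//http///, 3306/unfiltered/tcp//mysql///, 8080/filtered/tcp//http-proxy///\n'
}

syn_file=$(mktemp); ack_file=$(mktemp)
sample_syn > "$syn_file"; sample_ack > "$ack_file"
classify_firewall "$syn_file" "$ack_file"
rm -f "$syn_file" "$ack_file"
```

The table only holds if both scans ran with the same port list and the ACK scan's RSTs were not themselves rate-limited; if the ACK scan shows everything filtered, rerun it with a slower timing template before concluding that a stateful firewall is in place.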