NMAP Guide

1) Basic scan to see what ports have a valid service running on them:

nmap {host}
nmap -v {host}

Pass the -v flag to print a little more information.

2) Basic scan that only reports whether the most common ports are open, closed or filtered, without testing each port for a running service:

nmap --top-ports {number of ports} {host}

3) Scanning a range of IP addresses or a subnet:

nmap {host}
nmap {host},2,3         # multiple hosts: last octet 1, 2 and 3
nmap {host}-20          # range: last octet 1 through 20
nmap 192.168.1.*        # range: wildcard on the last octet
nmap {subnet}           # subnet, given in CIDR notation (e.g. /24)

4) Scanning and reading from a list of hosts:

nmap -iL input.txt

5) Exclusions:

nmap {host-range} --exclude {host}
nmap {host-range} --exclude {host1},{host2}

OR read the exclusion list from a file called exclude.txt:

nmap -iL /tmp/scanlist.txt --excludefile exclude.txt

6) OS and service detection:

nmap -A -v {host}

7) Checking whether the host is protected by a firewall:

nmap -sA -v {host}

8) Scanning a host protected by a firewall (very useful):

nmap -PN -v {host}      # -PN is the older spelling of -Pn (skip host discovery)

9) Scanning an IPv6 host:

nmap -6 {ipv6-address}
nmap -6 2607:f0d0:1002:51::4
nmap -v -A -6 2607:f0d0:1002:51::4

10) Scan a network and find out which servers and devices are up and running:

nmap -sP {subnet}       # -sP is the older spelling of -sn (ping scan, no port scan)

11) Scanning a host quickly:

nmap -F {host}

ONLY show open ports

nmap -F --open {host}

12) Print packet trace on a scan:

nmap --packet-trace {host}

13) Doing a full nmap scan of the host requires root privileges. To invoke it, run:

sudo nmap -v -sV -sC -O {host}

This will generate a full report of services and attempt to identify the OS. Good for finding admin panels and similar services running on non-standard ports.

14) Show host interfaces and routes:

nmap --iflist           # prints the local interfaces and routes, no target needed

15) Scanning specific ports:

# Scan port 80
nmap -p 80 {host}
# Scan TCP port 80
nmap -p T:80 {host}
# Scan UDP port 53
nmap -p U:53 {host}
# Scan two ports
nmap -p 80,443 {host}
# Scan a port range
nmap -p 80-200 {host}
# Combination port scan
nmap -p U:53,111,137,T:21-25,80,139,8080 {host}
nmap -v -sU -sT -p U:53,111,137,T:21-25,80,139,8080 {host}
# Scan all ports with the * wildcard (quoted so the shell does not expand it)
nmap -p "*" {host}
# Scan the top ports
nmap --top-ports {number of ports} {host}
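
As an added example (written for this guide, not nmap's own code), the helper below expands the -p port specification syntax used above (T:/U: prefixes, comma lists, ranges, the "*" wildcard) into the exact TCP and UDP port sets a scan would probe, so a spec can be sanity-checked and sized before it is run. It assumes that a prefix applies to every item after it until the next prefix, that items before any prefix apply to both protocols, and it rejects the S: and P: prefixes as unsupported.

```python
import re

MAX_PORT = 65535
# Prefixes defined by nmap's -p grammar; this helper expands T: and U: only
# and rejects S: (SCTP) and P: (IP protocol numbers) as unsupported (assumption).
PREFIX_RE = re.compile(r"^([TUSP]):(.*)$")


def parse_port_spec(spec):
    """Expand an nmap -p string into {'tcp': set, 'udp': set}.

    Ranges may be open-ended: "-" alone means 1-65535 (as in "nmap -p-"),
    and "*" is the all-ports wildcard used in the guide above.
    """
    ports = {"tcp": set(), "udp": set()}
    protos = ("tcp", "udp")  # no prefix seen yet: applies to both
    for item in spec.split(","):
        item = item.strip()
        if not item:
            raise ValueError("empty item in port spec")
        m = PREFIX_RE.match(item)
        if m:
            prefix, item = m.group(1), m.group(2)
            if prefix not in ("T", "U"):
                raise ValueError(f"prefix {prefix}: is not supported here")
            protos = ("tcp",) if prefix == "T" else ("udp",)
        if item == "*":
            lo, hi = 1, MAX_PORT
        elif "-" in item:
            lo_s, hi_s = item.split("-", 1)
            lo = int(lo_s) if lo_s else 1
            hi = int(hi_s) if hi_s else MAX_PORT
        else:
            lo = hi = int(item)
        if not 0 <= lo <= hi <= MAX_PORT:
            raise ValueError(f"port range out of bounds: {item!r}")
        for proto in protos:
            ports[proto].update(range(lo, hi + 1))
    return ports


def port_count(spec):
    """Total number of (protocol, port) pairs the spec will probe."""
    ports = parse_port_spec(spec)
    return len(ports["tcp"]) + len(ports["udp"])
```

Running `port_count("U:53,111,137,T:21-25,80,139,8080")` on the combination spec from this section gives 11 probes, while the same spec with a stray "*" balloons to tens of thousands, which is the kind of mistake worth catching before a scan starts.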

16) Scanning for a remote operating system:

nmap -O -v {host}

17) Scanning for remote services (server/daemon):

nmap -sV -v {host}

18) Scanning a host using TCP ACK (-PA) and TCP SYN (-PS) ping. Use this when a firewall is blocking standard ICMP pings:

nmap -PS {host}

19) Scanning a host using IP protocol ping:

nmap -PO {host}

20) Scanning a host using UDP ping. This scan bypasses firewalls and filters that only screen TCP:

nmap -PU {host}

21) Scanning a host for the most commonly used TCP ports using TCP SYN Scan:

# Stealth scan
nmap -sS {host}
# Find the most commonly used TCP ports using TCP connect scan (warning: no stealth scan)
nmap -sT {host}
# Find the most commonly used TCP ports using TCP ACK scan
nmap -sA {host}
# Find the most commonly used TCP ports using TCP Window scan
nmap -sW {host}
# Find the most commonly used TCP ports using TCP Maimon scan
nmap -sM {host}

22) Scanning a host for UDP services (UDP scan):

nmap -sU {host}

23) Scanning a host for IP protocols. This lets you determine which IP protocols the host supports:

nmap -sO {host}

24) Scanning a firewall for security weaknesses:

# TCP Null Scan to trigger firewall to generate a response
nmap -sN {host}
# TCP Fin scan to check firewall
nmap -sF {host}
# TCP Xmas scan to check firewall
nmap -sX {host}

25) Cloaking a scan with decoys:

nmap -n -Ddecoy-ip1,decoy-ip2,your-own-ip,decoy-ip3,decoy-ip4 {host}

26) Scanning a firewall with a spoofed MAC address:

# Spoof your MAC address
nmap --spoof-mac {your-mac-address} {host}

You can combine this with any other flags as well (-v, -O, etc.).