IT dragons tamed since 2006 (with 760 solutions and growing)


your IP[]

If you thought this solution was helpfull, please login and vote. Not a member? click here

TitleNMAP quick reference
Keywordsnmap port scan

Nmap Target Selection

Scan a single IP nmap
Scan a host nmap
Scan a range of IPs nmap
Scan a subnet nmap
Scan targets from a text file nmap -iL list-of-ips.txt

These are all default scans, which will scan 1000 TCP ports. Host discovery will take place.

Nmap Port Selection

Scan a single Port nmap -p 22
Scan a range of ports nmap -p 1-100
Scan 100 most common ports (Fast) nmap -F
Scan all 65535 ports nmap -p-

Nmap Port Scan types

Scan using TCP connect nmap -sT
Scan using TCP SYN scan (default) nmap -sS
Scan UDP ports nmap -sU -p 123,161,162
Scan selected ports - ignore discovery nmap -Pn -F

Privileged access is required to perform the default SYN scans. If privileges are
insufficient a TCP connect scan will be used. A TCP connect requires a full TCP connection to be
established and therefore is a slower scan. Ignoring discovery is often required as many firewalls
or hosts will not respond to PING, so could be missed unless you select the
-Pn parameter. Of course this can make scan times much longer as you could end up
sending scan probes to hosts that are not there.

Service and OS Detection

Detect OS and Services nmap -A
Standard service detection nmap -sV
More aggressive Service Detection nmap -sV --version-intensity 5
Lighter banner grabbing detection nmap -sV --version-intensity 0

Service and OS detection rely on different methods to determine the operating system or service
running on a particular port. The more aggressive service detection is often helpful if there are
services running on unusual ports. On the other hand the lighter version of the service will be much
faster as it does not really attempt to detect the service simply grabbing the banner of the open

Nmap Output Formats

Save default output to file nmap -oN outputfile.txt
Save results as XML nmap -oX outputfile.xml
Save results in a format for grep nmap -oG outputfile.txt
Save in all formats nmap -oA outputfile

The default format could also be saved to a file using a simple file redirect command >
. Using the -oN option allows the results to be saved but also can be
monitored in the terminal as the scan is under way.

Digging deeper with NSE Scripts

Scan using default safe scripts nmap -sV -sC
Get help for a script nmap --script-help=ssl-heartbleed
Scan using a specific NSE script nmap -sV -p 443 –script=ssl-heartbleed.nse
Scan with a set of scripts nmap -sV --script=smb*

According to my Nmap install there are currently 471 NSE scripts. The scripts
are able to perform a wide range of security related testing and discovery functions. If you are
serious about your network scanning you really should take the time to get familiar with some of

The option --script-help=$scriptname will display help for the individual scripts.
To get an easy list of the installed scripts try locate nse | grep script.

You will notice I have used the -sV service detection parameter. Generally most NSE
scripts will be more effective and you will get better coverage by including service detection.

A scan to search for DDOS reflection UDP services

Scan for UDP DDOS reflectors nmap –sU –A –PN –n –pU:19,53,123,161 –script=ntp-monlist,dns-recursion,snmp-sysdescr

UDP based DDOS reflection attacks are a common problem that network defenders come up against.
This is a handy Nmap command that will scan a target list for systems with open UDP services that
allow these attacks to take place. Full details of the command and the background can be found on
the Sans Institute
where it was first posted.

HTTP Service Information

Gather page titles from HTTP services nmap --script=http-title
Get HTTP headers of web services nmap --script=http-headers
Find web apps from known paths nmap --script=http-enum

There are many HTTP information gathering scripts, here are a few that are simple but helpful
when examining larger networks. Helps in quickly identifying what the HTTP service is that is
running on the open port. Note the http-enum script is particularly noisy. It is
similar to Nikto in that it will attempt to enumerate known paths of web applications and scripts.
This will inevitably generated hundreds of 404 HTTP responses in the web server error
and access logs.

Detect Heartbleed SSL Vulnerability

Heartbleed Testing nmap -sV -p 443 --script=ssl-heartbleed

Heartbleed detection is one of the available SSL scripts. It will detect the presence of the well
known Heartbleed vulnerability in SSL services. Specify alternative ports to test SSL on mail and
other protocols (Requires Nmap 6.46).

IP Address information

Find Information about IP address nmap --script=asn-query,whois,ip-geolocation-maxmind
SharediggDigg this solutiondel.icio.usPost to del.icio.usSlashdotSlashdot it!email to a friend
PrintPrint This Solution Print
If you thought this solution was helpfull, please login and vote. Not a member? click here

Latest News

Thanks to Dave for hosting this site!

Registered User Area

[new user]

Paying the Rent

Advanced Search:

Choose body, keywords, title, or all to include in search 
words to include in search 

Choose body, keywords, title, or all to include in search 
additional words to include in search 

Choose body, keywords, title, or all to exclude in search 
words to exclude from search 

order by

diggDigg Dracko
del.icio.usPost to
SlashdotSlashdot us!

Don't forget to vote!
Powered by John Core

Dracko by John Core


View John Core's profile on LinkedIn

security logo saber ccsa logo ccna-logo hbss veritas

solaris_logo linux-logo openstack_logo vbox_logo splunk storagetek_logo sun_logo oraclevm_logo brocade_logo bsd_logo

c-logo bash-logo php-logo

PlanetPayment Medecision AWi PennStateHershey DISA DLA cim Sun