{"id":4620,"date":"2021-02-18T09:04:38","date_gmt":"2021-02-18T09:04:38","guid":{"rendered":"https:\/\/linuxways.net\/?p=4620"},"modified":"2021-02-18T09:07:13","modified_gmt":"2021-02-18T09:07:13","slug":"15-mostly-used-nmap-commands-for-scanning-remote-hosts","status":"publish","type":"post","link":"https:\/\/linuxways.net\/de\/centos\/15-mostly-used-nmap-commands-for-scanning-remote-hosts\/","title":{"rendered":"15 Mostly Used Nmap Commands for Scanning Remote Hosts"},"content":{"rendered":"

Network mapper, abbreviated as Nmap, is an open-source network scanning tool that scans remote hosts and probes for a wealth of information such as open ports, OS versions, and versions of services listening on the open ports. Depending on the arguments used, Nmap also reveals underlying system vulnerabilities associated with outdated vulnerabilities based on CVSS (Common Vulnerability Scanning System). For this reason, Nmap is a valuable reconnaissance tool for penetration testing and revealing loopholes that can be exploited by hackers. In fact, it comes pre-installed in Kali and Parrot OS which are operating systems dedicated to penetration testing and digital forensics.<\/p>\n

In this article, we highlight some of the useful Nmap commands that help you gather useful information about remote hosts.<\/p>\n

Basic Nmap syntax<\/strong><\/h2>\n

The most basic Nmap command involves scanning a single host and requires only the IP address or the hostname of the remote target as the argument.<\/p>\n

$ nmap hostname <\/strong><\/pre>\n
Or<\/strong><\/p>\n
$ nmap remote-host-ip<\/strong><\/pre>\n
Let\u2019s now delve into some Nmap use cases. In this guide, we will scan remote hosts using Kali Linux.<\/p>\n
Scan a single remote host<\/strong><\/h2>\n
Scanning a single host is pretty straightforward. All you need is to pass the remote host IP address or domain name as the argument. For example,<\/p>\n
$ nmap 192.168.2.103<\/strong><\/pre>\n
<\/strong><\/p>\n
The Nmap scan report includes details such as the open ports, state of the port, and the services listening on the ports.<\/p>\n
Scan multiple remote hosts<\/strong><\/h2>\n
In a scenario where you have multiple remote hosts, simply pass their IP addresses on a single line as shown.<\/p>\n
$ nmap 192.168.2.103 192.168.2.1<\/strong><\/pre>\n
<\/p>\n
If you wish to scan consecutive remote host IP address, simply suffix the address as follows:<\/p>\n
$ nmap 192.168.2.1,2,3,4<\/strong><\/pre>\n
The command above scans the remote hosts 192.168.2.1, 192.168.2.2, 192.168.2.3, <\/strong>and 192.168.2.4<\/strong><\/p>\n
Scan a range of remote hosts<\/strong><\/h2>\n
If you have remote hosts in a range of IP addresses, you can specify the range separated by a hyphen.<\/p>\n
$ nmap 192.168.2.100-105 <\/strong><\/pre>\n
This will scan all the remote hosts from 192.168.2.100 <\/strong>to 192.168.2.105 <\/strong>range.<\/p>\n
Scan a subnet<\/strong><\/h2>\n
You can scan an entire subnet by making use of the CIDR notation. For instance, the command below scans all the remote hosts in the 192.168.2.0<\/strong> subnet.<\/p>\n
$ nmap 192.168.2.0\/24<\/strong><\/pre>\n
<\/strong><\/p>\n
Port scanning using Nmap<\/strong><\/h2>\n
You can instruct Nmap to explicitly scan open ports on a target host using the -p <\/strong>flag followed by the port number. In the example below, we are scanning for port 80 on the remote host.<\/p>\n
$ nmap -p 80 192.168.2.100<\/strong><\/pre>\n
<\/strong><\/p>\n
To specify multiple ports, you can list them using commas as shown below.<\/p>\n
$ nmap -p 80,135,139 192.168.2.100<\/strong><\/pre>\n
<\/strong><\/p>\n
To scan all open ports on a target, use the –open <\/strong>flag. Here, we are scanning Metasploitable Linux which is an intentionally vulnerable virtual instance for penetration testing.<\/p>\n
$ nmap --open 192.168.2.107<\/strong><\/pre>\n
Scan for active remote hosts<\/strong><\/h2>\n
If you just want to know which remote hosts are alive in your subnet, pass the -sn<\/strong> flag as shown. The output will be nothing fancy, just a brief summary of the active hosts.<\/p>\n
$ nmap -sn 192.168.2.0\/24<\/strong><\/pre>\n
<\/strong><\/p>\n
OS fingerprinting<\/strong><\/h2>\n
The -O flag enables you to even detect the host\u2019s operating system to a certain degree. However, this does not give you the exact version of the target\u2019s OS. In the example below, we are scanning a host that runs on Windows 10, but the OS guesses suggest that the remote host is likely to be Windows XP SP2 or Windows Server 2008 \/ 2008 R2.<\/p>\n
# nmap -O 192.168.2.103<\/strong><\/pre>\n
<\/strong><\/p>\n
Service detection<\/strong><\/h2>\n
You can get down to the nitty-gritty of the services listening on associated ports using the -sV <\/strong>flag. Common services include SSH ( port 22), HTTP ( port 80), and DNS ( port 53 ). Service detection is one of the most critical scanning tasks. It helps in pointing out outdated service versions that may leave the system prone to exploits and attacks.<\/p>\n
$ nmap -sV 192.168.2.107<\/strong><\/pre>\n
<\/strong><\/p>\n
Perform a stealth scan using Nmap<\/strong><\/h2>\n
A stealth scan, also abbreviated as SYN scan, is an unobtrusive kind of scan that quickly scans multiple ports within the shortest time possible. A SYN packet is sent to the remote target and when the response is received, Nmap is able to report on whether the port is open, filtered, or closed.<\/p>\n
$ nmap -sS 192.168.2.107<\/strong><\/pre>\n
<\/strong><\/p>\n
Perform a detailed scan<\/strong><\/h2>\n
The -A <\/strong>flag performs a deep inspection of the remote target\u2019s ports and gives finer details about the version of running services and also points out any vulnerabilities with the service.<\/p>\n
$ nmap -A 192.168.2.107<\/strong><\/pre>\n
<\/strong><\/p>\n
Perform firewall identification<\/strong><\/h2>\n
The Nmap can also perform firewall identification to check if the ports are filtered or not. The -sA <\/strong>option checks whether the firewall is enabled and needs to be combined with the -p flag and port number. \u2018Unfiltered\u2019 implies that the port is not behind a firewall while \u2018filtered\u2019 means it\u2019s opened on a firewall that is enabled.<\/p>\n
$ nmap -sA 192.168.2.107 -p 21 <\/strong><\/pre>\n
<\/strong><\/p>\n
Scan TCP or UDP protocols <\/strong><\/h2>\n
If you want to scan TCP ports only, use the -sT <\/strong>flag as shown.<\/p>\n
$ nmap -sT 192.168.2.107<\/strong><\/pre>\n
If you choose to scan to reveal UDP protocols only, use the -sT <\/strong>option.<\/p>\n
# nmap -sU 192.168.2.107<\/strong><\/pre>\n
Using Nmap scripts to scan vulnerabilities<\/strong><\/h2>\n
Nmap Scripting Engine, abbreviated as NSE, provides Nmap scripts that extend Nmap\u2019s functionalities. Nmap scripts are mostly used in probing vulnerability and malware detection. These scripts come preinstalled on Kali Linux and are located in the \/usr\/share\/nmap\/scripts <\/strong>path. They have a unique .nse file extension.<\/p>\n
For example, to check if a remote host can be brute-forced using SSH use the Nmap script below.<\/p>\n
$ nmap --script=ssh-brute.nse 192.168.2.107<\/strong><\/pre>\n
<\/strong><\/p>\n
Save Nmap scan results <\/strong><\/h2>\n
If you are in a hurry and want to save the results of a Nmap scan for later review, you can use the redirection greater than sign > as shown.<\/p>\n
$ nmap -sT 192.168.2.103 > myscans.txt<\/strong><\/pre>\n
<\/strong><\/p>\n
Scan hosts from a text file<\/strong><\/h2>\n
Alternatively, you can scan your remote hosts which are defined in a text file. To read the file, use the –iL<\/strong> option.<\/p>\n
$ nmap -A iL hosts.txt<\/strong><\/pre>\n
<\/strong><\/p>\n
Conclusion<\/h3>\n
We have listed 15 Nmap commands that you can use to get started with scanning your remote hosts. There are hundreds upon hundreds of Nmap commands and Nmap scripts<\/a> that are used for scanning hosts and probing for any vulnerabilities. We hope you now have the basics of Nmap and running commands to reveal information about remote targets. If you are considering scanning an organization\u2019s assets, ensure that you seek permission from the management lest you get into trouble.<\/p>","protected":false},"excerpt":{"rendered":"
Network mapper, abbreviated as Nmap, is an open-source network scanning tool that scans remote hosts and probes for a wealth of information such as open ports, OS versions,…<\/p>","protected":false},"author":36,"featured_media":4636,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1,4,5,83,165,2],"tags":[203,201,202],"class_list":["post-4620","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-centos","category-debian","category-mint","category-opensuse","category-red-hat","category-ubuntu","tag-host-scanning","tag-nmap","tag-port-scanning"],"_links":{"self":[{"href":"https:\/\/linuxways.net\/de\/wp-json\/wp\/v2\/posts\/4620","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/linuxways.net\/de\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/linuxways.net\/de\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/linuxways.net\/de\/wp-json\/wp\/v2\/users\/36"}],"replies":[{"embeddable":true,"href":"https:\/\/linuxways.net\/de\/wp-json\/wp\/v2\/comments?post=4620"}],"version-history":[{"count":0,"href":"https:\/\/linuxways.net\/de\/wp-json\/wp\/v2\/posts\/4620\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/linuxways.net\/de\/wp-json\/wp\/v2\/media\/4636"}],"wp:attachment":[{"href":"https:\/\/linuxways.net\/de\/wp-json\/wp\/v2\/media?parent=4620"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/linuxways.net\/de\/wp-json\/wp\/v2\/categories?post=4620"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/linuxways.net\/de\/wp-json\/wp\/v2\/tags?post=4620"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}