network_nmap
nmap
Based on nmap 6.00. The reference guide can be found at the nmap reference guide page.
ndiff: compare two nmap output files
GeoIP databases
Used Options
Run
nmap
(without arguments) to see a list of the most common options. For the up to date list of the latest nmap version see the nmap.usage.txt file.
More information can be found in the manpage
man nmap
Runtime options (keys pressed while a scan is running)
Key | Function | Remark |
---|---|---|
d | Increase debugging level | Handy during a port scan to see which ports are being scanned |
D | Decrease debugging level | |
v | Increase verbosity | |
V | Decrease verbosity | |
p | Turn on packet tracing | |
P | Turn off packet tracing | |
? (or any other key) | Print out a status message | Any key not listed above gives an update on the progress of the scan; ? is just an example |
Option | Function | Remark |
---|---|---|
-dx | Debugging level | x 0-9. Use when -v (verbose) is not enough. The higher the number the more output |
-A | Aggressive scan options | Presently this enables OS detection (-O), version scanning (-sV), script scanning (-sC) and traceroute (--traceroute). More features may be added in the future |
-n | No DNS resolution | |
-O | Enable OS detection | |
-O -v | OS detection, additionally printing the TCP sequence prediction difficulty | Shows how predictable the target's initial sequence numbers are, i.e. whether a forged (blind spoofed) TCP connection attack is feasible |
-p | Only scan specified ports / port ranges | Examples: -p 1,2,3,4,5 -p 0-65535 |
-Pn | No ping | Skips host up discovery. Scans with the requested scanning functions against every target IP address specified |
-PY | SCTP INIT Ping | SCTP: Stream Control Transmission Protocol. There can be no space between -PY and the port list. Example: -PY22,80,179,5060 |
-sF | FIN scan. Sets just the TCP FIN bit | Per RFC 793 a closed port answers with RST and an open or filtered port stays silent. Stacks that send RST to every probe regardless of port state (Windows, many Cisco devices) make all ports look closed |
-sL | List scan | Only lists the targets and their reverse DNS names; no packets are sent to the target hosts, so it does not tell which hosts are up |
-sn | Ping scan, no port scan | Host discovery only; lists the hosts that respond. Not to be confused with -sN |
-sN | Null scan | Does not set any bits (TCP flag header is 0) |
-sO | IP protocol scan | Determine which IP protocols (TCP, ICMP, IGMP, etc.) are supported by target machines. It cycles through IP protocol numbers rather than TCP or UDP port numbers |
-sS | TCP SYN scan | Performs quick scanning of thousands of ports per second on a fast network not hampered by restrictive firewalls |
-sT | TCP connect scan | The default TCP scan type when SYN scan is not an option |
-T4 | Set a timing template, the scan aggressiveness. -T[0-5] | Or with words: -T paranoid (= -T0), sneaky (= -T1), polite (= -T2), normal (= -T3), aggressive (= -T4), insane (= -T5). -T3 is the default |
--traceroute | Traceroute | Works differently from the traceroute command: nmap starts at a high TTL and works downwards, and hops it already knows from another target are reported as a reference to that target instead of being listed again |
--scan-delay 2 | Wait at least 2 seconds between probes | Slows the scan down, e.g. for rate-limiting hosts or to stay under an IDS threshold. Fractions (0.5) and units (500ms) are accepted |
--stats-every 2 | Show an update on the progress every 2 seconds | Hitting the spacebar (or almost any other key, see the runtime options) also gives a progress update |
Command examples
Output example
Nmap scan report for 192.168.1.102
Host is up (0.0072s latency).
Not shown: 997 closed ports
PORT   STATE SERVICE
21/tcp open  ftp
22/tcp open  ssh
80/tcp open  http
MAC Address: TheMACaddress (The name of the manufacturer of the equipment. If not available: Unknown)
Command | Function | Remark |
---|---|---|
nmap 192.168.1.102 | Scan IP address 192.168.1.102 with the defaults | Implicit options: host discovery first, then a SYN scan (-sS) of the 1000 most common TCP ports when run as root, a TCP connect scan (-sT) otherwise; DNS resolution is on |
nmap 192.168.1.100 192.168.1.101 192.168.1.102 | Scan the given IP addresses | |
nmap 192.168.1.100-102 | Scan the 192.168.1.10[0-2] IP addresses. This is the same as the previous example | |
nmap 192.168.1.0/24 | Scan the 192.168.1.[0-255] network | |
nmap -A -T4 192.168.1.10 | Aggressive scan (-O, -sV, -sC, --traceroute) of one host with the aggressive timing template | |
nmap -A -T4 192.168.1.0/24 | The same for the whole 192.168.1.0/24 network | |
nmap -n -p 1080 192.168.1.0 | Scan only port 1080 on 192.168.1.0, without DNS resolution | |
nmap -n -p1-65535 192.168.1.0 | Scan all ports 1-65535 on 192.168.1.0, without DNS resolution | Port 0 is only scanned when asked for explicitly (-p 0-65535) |
nmap -n -Pn -p 22 192.168.1.0 | Scan port 22 on 192.168.1.0, skipping host discovery and DNS resolution | |
nmap -O 192.168.1.10 | Default port scan plus OS detection | OS detection is most reliable when at least one open and one closed port are found |
nmap -v -PE 192.168.0.0/24 | Host discovery with ICMP echo requests, followed by the default port scan of every host found, with extra information about the found hosts | -PE only selects the ping type; add -sn to stop after host discovery |
nmap -PY 192.168.1.10 | SCTP INIT ping (default port 80), then the default port scan | |
nmap -PY22,23 192.168.1.10 | SCTP INIT ping to ports 22 and 23, then the default port scan | No space between -PY and the port list |
nmap -sF -p 22 -O 192.168.1.0-255 | FIN scan of port 22 on the whole network plus OS detection | |
nmap -sF -p22 -O 192.168.1.0-255 | Identical to the previous command: -p accepts the port list with or without a space | |
nmap -sL 192.168.1.0/24 | List the 256 addresses of the network with their reverse DNS names | No packets are sent to the targets |
nmap -sL 192.168.1.10 | List scan of a single address | |
nmap -sL -O 192.168.1.0-255 | List scan; -O has nothing to work on because a list scan sends no packets to the targets | |
nmap -sL -p 22 192.168.1.0-255 | List scan; -p has no effect for the same reason | |
nmap -sL -sN -O 192.168.1.0-255 | List scan; -sN and -O have no effect for the same reason | |
nmap -sn 192.168.1.0/24 | Ping scan: which of the 256 hosts are up, no port scan | |
nmap -sN 192.168.1.0/24 | Null scan (no TCP flags set) of the default ports on the whole network | Note that -sn (ping scan) and -sN (Null scan) are different options |
nmap -sn 192.168.1.0/28 | Ping scan of 192.168.1.0-15 | |
nmap -sN 192.168.1.0/28 | Null scan of 192.168.1.0-15 | |
nmap -sn -O 192.168.1.0-255 | Ping scan; -O is pointless without a port scan | |
nmap -sn -O -p 22 192.168.1.0-255 | Ping scan; -O and -p are pointless without a port scan | |
nmap -sn -v 192.168.1.0/24 | grep -v down | Ping scan, dropping the "[host down]" lines that -v adds | |
nmap -v -sn 192.168.0.0/27 | grep -v "host down" | grep "scan report" | Shows a list of the hosts that are probably up | |
nmap -sO -p22 192.168.1.0-255 | IP protocol scan for protocol number 22 (XNS IDP), not for TCP port 22 | With -sO the -p list selects IP protocol numbers, e.g. -p1,6,17 for ICMP, TCP and UDP |
nmap -sO -p22 -O 192.168.1.0-255 | The same, plus OS detection | |
nmap -sO -v 192.168.1.0/24 | IP protocol scan of the whole network, verbose | |
nmap -sS 192.168.1.0/2 | | /2 covers a quarter of the whole IPv4 address space (1,073,741,824 addresses); almost certainly a typo for /24 |
nmap -sS 192.168.1.0/24 | SYN scan of the default ports on the whole network | Needs root (raw sockets) |
nmap -sS 192.168.1.0-255 | Same as the previous command | |
nmap -sS -O 192.168.1.0/24 | SYN scan plus OS detection | |
nmap -sS -O -v 192.168.1.0/24 | SYN scan plus OS detection, verbose | |
nmap -sS -p 1-65535 192.168.1.0/24 | SYN scan of all ports 1-65535 on the whole network | |
nmap -sS -v 192.168.1.0/24 | SYN scan, verbose | |
nmap -sT -Pn 192.168.1.0-255 | TCP connect scan of the default ports on every address, skipping host discovery | Use when -sS is not possible (no root) |
nmap -sT -Pn -O 192.168.1.0-255 | The same, plus OS detection | -O itself does need root |
nmap -v --stats-every 10s -Pn -sT -p 0-65535 192.168.1.1 | Scan all ports on IP address 192.168.1.1 and show the status of the scan every 10 seconds | |
nmap -v --stats-every 30s -sS -p 0-65535 192.168.1.1 | Scan all ports on IP address 192.168.1.1 with a SYN scan and show the status of the scan every 30 seconds | |
nmap --scan-delay 0.5 -vv --stats-every 10s -Pn -sT -p 15000-65535 xxx.xxx.xxx.xxx | Wait at least 0.5 seconds between probes, very verbose, stats every 10 seconds, skip host discovery, TCP connect scan (use -sS if possible). Scan the given ports on the given IP address | |
nmap -sL -vv --stats-every 1s 192.168.0.0/24 | List the addresses (and reverse DNS names) of the network | Fast because no packets are sent to the targets, but for the same reason it does not tell which hosts are up; use -sn for that |
nmap -v -PR -sn 192.168.1.0/24 | grep -v "host down" | grep 'MAC Address:' | ARP ping of the local subnet; keeps only the MAC address lines, i.e. one line per host that answered | -PR only works on the local Ethernet segment; there nmap uses ARP for host discovery by default anyway |
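The grep pipelines in the table above work, but they depend on the order of the lines and the 'MAC Address:' filter silently drops every host that is not on the local segment. The following POSIX sh script is an added example and not code from this wiki page: it parses the two output shapes shown here (the port scan output example above and the -v -sn host discovery output) in one awk pass each. The two nmap outputs embedded in it are constructed samples in the nmap 6 format, not captured scans, and the function names are the author's own choice.

```shell
#!/bin/sh
# Added example, not from the wiki page: turn nmap normal output into lists
# with one awk pass instead of chained greps. Both inputs below are
# CONSTRUCTED samples in the format nmap 6 prints, not captured scans.

# Constructed: what "nmap -v -sn 192.168.1.0/28" prints on the local Ethernet
# segment (with -v, hosts that did not answer are reported as "[host down]").
SN_OUTPUT='Starting Nmap 6.00 ( http://nmap.org ) at 2024-02-22 22:00 CET
Nmap scan report for router.lan (192.168.1.1)
Host is up (0.0012s latency).
MAC Address: 00:11:22:33:44:55 (Cisco Systems)
Nmap scan report for 192.168.1.2 [host down]
Nmap scan report for 192.168.1.3
Host is up (0.0030s latency).
MAC Address: 66:77:88:99:AA:BB (Unknown)
Nmap scan report for 192.168.1.4 [host down]
Nmap done: 16 IP addresses (2 hosts up) scanned in 1.23 seconds'

# Constructed: what "nmap 192.168.1.102" prints (default port scan).
PORT_OUTPUT='Nmap scan report for 192.168.1.102
Host is up (0.0072s latency).
Not shown: 997 closed ports
PORT   STATE SERVICE
21/tcp open  ftp
22/tcp open  ssh
80/tcp open  http
MAC Address: 00:11:22:33:44:55 (Cisco Systems)
Nmap done: 1 IP address (1 host up) scanned in 0.42 seconds'

# up_hosts OUTPUT: print "IP MAC" for every host that answered, one per line.
# The MAC line belongs to the most recent "scan report" header, so the two
# are joined here. A host without a MAC line (not on the local segment) is
# printed with "-" instead of being lost as with grep 'MAC Address:'.
up_hosts() {
    printf '%s\n' "$1" | awk '
        function flush() { if (pending) print ip, mac; pending = 0 }
        /^Nmap scan report for / {
            flush()
            if ($0 ~ /\[host down\]/) next
            # take the dotted quad wherever it is:
            # "for 192.168.1.3" or "for router.lan (192.168.1.1)"
            match($0, /[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/)
            ip = substr($0, RSTART, RLENGTH)
            mac = "-"; pending = 1
        }
        /^MAC Address: / && pending { mac = $3 }
        END { flush() }'
}

# open_ports OUTPUT: print "port/proto service" for every port in state
# "open"; "open|filtered" (UDP scans) and "closed" lines are skipped.
open_ports() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+\/(tcp|udp|sctp)$/ && $2 == "open" { print $1, $3 }'
}

# count_up OUTPUT: number of hosts that answered.
count_up() {
    up_hosts "$1" | wc -l | tr -d ' '
}

echo "hosts up:"
up_hosts "$SN_OUTPUT"
echo "open ports on 192.168.1.102:"
open_ports "$PORT_OUTPUT"
```

For a live scan, feed the functions real output, e.g. `up_hosts "$(nmap -v -sn 192.168.1.0/24)"`. Normal output is meant for humans and may change between nmap versions; for anything that runs unattended, nmap's greppable (-oG) or XML (-oX) output formats are the stable choice.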
Useful links
Alternative and fast portscanner using parallel and some nice output coloring (syntax)
Copyright © : 2014 - 2024 Webevaluation.nl and the authors
Changes reserved.
network_nmap.txt · Last modified: 22-02-2024 22:38 by wim