Top 12 Nmap Commands to Scan
In this article, we are going to learn about the top 12 Nmap commands. Nmap is one of the most popular network mappers in the infosec world. It’s utilized by cybersecurity professionals and newbies alike to audit and discover local and remote open ports, as well as hosts and network information. 

Nmap can be used to:

  • Create a complete computer network map.
  • Find remote IP addresses of any hosts.
  • Get operating system and software details.
  • Detect open ports on local and remote systems.
  • Audit server security standards.
  • Find vulnerabilities on remote and local hosts.

How To Use Nmap

Nmap is pretty easy to use if you’re familiar with command-line interfaces. As it’s already installed on most Linux/Unix-based distributions, you just have to execute the ‘nmap’ command from any terminal, and that’s it. It will display several options for you. Advanced users will also be able to use Nmap along with other system scripts and automated tasks in order to maximize the powers of this tool.

Nmap port scan command

One of the most basic Nmap commands for a scan is the Nmap port scan command:
nmap -p 80 X.X.X.X
That’s how you use Nmap.

Top 12 Nmap Commands

1. Basic Nmap Scan against IP or host

nmap 1.1.1.1
Now, if you want to scan a hostname, simply replace the IP for the host, as you see below:
nmap kalilinuxtutorial.com
This kind of scan is the perfect first step when starting with Nmap.

2. Nmap Ping Scan

nmap -sn 192.168.5.0/24
The most famous type of scan is the Nmap ping scan (so-called because it’s often used to perform Nmap ping sweeps), and it’s the easiest way to detect hosts on any network. The option is -sn (older Nmap versions spell it -sP; note that Nmap options are case-sensitive). The drawback of this ICMP-only type of scan is that remote hosts often block IP-based ping packets, so if you’re unable to get solid results, we recommend switching to ARP-based requests for your scan.

3. Scan specific ports

nmap -p 1-65535 localhost
In this example, we scanned all 65535 ports on our localhost computer. Nmap is able to scan all possible ports, but you can also scan specific ports, which reports results faster. See below:
nmap -p 80,443 8.8.8.8

4. Scan multiple IP addresses

Let’s try to scan multiple IP addresses. For this you need to use this syntax:
nmap 1.1.1.1 8.8.8.8
You can also scan consecutive IP addresses:
nmap 1.1.1.1,2,3,4
This will scan 1.1.1.1, 1.1.1.2, 1.1.1.3, and 1.1.1.4.

5. Scan IP ranges

You can also use Nmap to scan entire CIDR IP ranges, for example:
nmap 8.8.8.0/28
This will scan 14 consecutive IP addresses, from 8.8.8.1 to 8.8.8.14. An alternative is to simply use this kind of range:
nmap 8.8.8.1-14
You can even use wildcards to scan the entire C class IP range, for example:
nmap 8.8.8.*
This will scan 256 IP addresses, from 8.8.8.0 to 8.8.8.255. If you ever need to exclude certain IPs from the range scan, you can use the --exclude option, as you see below:
nmap 8.8.8.* --exclude 8.8.8.1

6. Scan the most popular ports

Using the --top-ports parameter along with a specific number lets you scan the top X most common ports for that host, as we can see:
nmap --top-ports 20 192.168.1.106

7. Scan hosts and IP addresses reading from a text file

In this case, Nmap is also useful to read files that contain hosts and IPs inside. Let’s suppose you create a list.txt file that contains these lines inside:
192.168.1.106
cloudflare.com
microsoft.com
kalilinuxtutorial.com
The -iL parameter lets you read from that file and scan all those hosts for you:
nmap -iL list.txt

8. Save your Nmap scan results to a file

In the following example we are not reading from a file, but exporting/saving our results into a text file:
nmap -oN output.txt kalilinuxtutorial.com
Nmap can also export results in XML format, see the next example:
nmap -oX output.xml kalilinuxtutorial.com

9. Disabling DNS name resolution

If you need to speed up your scans a little bit, you can always choose to disable reverse DNS resolution for all your scans. Just add the -n parameter:
nmap -p 80 -n 8.8.8.8

10. Scan + OS and service detection with fast execution

Using the -A parameter enables you to perform OS and service detection, and at the same time we are combining this with -T4 for faster execution. See the example below:
nmap -A -T4 cloudflare.com

11. Detect service/daemon versions

This can be done by using the -sV parameter:
nmap -sV localhost

12. Scan using TCP or UDP protocols

One of the things we love most about Nmap is the fact that it works for both TCP and UDP protocols. And while most services run on TCP, you can also get a great advantage by scanning UDP-based services.
  • TCP scanning using the -sT parameter:
nmap -sT 192.168.1.1
  • UDP scanning using the -sU parameter:
nmap -sU localhost
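The XML export from section 8 is the easiest form to post-process, and it carries the per-port state and the version strings that -sV (section 11) and the TCP/UDP scans above produce. The following is an added example, not code from the original article: a small parser for the Nmap -oX format that uses only the Python standard library, run against a constructed sample document (the addresses and versions in it are made up, not real scan results). It skips hosts that are down, copes with ping-scan (-sn) output that has no port list, and keeps UDP’s “open|filtered” separate from confirmed open ports.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape Nmap writes with -oX (only the elements this
# parser reads are included). It is invented data, not output from any real host.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -sU -oX output.xml target">
  <host><status state="up" reason="syn-ack"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <hostnames><hostname name="web.example.test" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/>
        <service name="ssh" product="OpenSSH" version="8.9p1"/></port>
      <port protocol="tcp" portid="80"><state state="open"/>
        <service name="http" product="nginx" version="1.18.0"/></port>
      <port protocol="tcp" portid="443"><state state="closed"/>
        <service name="https"/></port>
      <port protocol="udp" portid="53"><state state="open|filtered"/>
        <service name="domain"/></port>
    </ports>
  </host>
  <host><status state="down" reason="no-response"/>
    <address addr="192.0.2.11" addrtype="ipv4"/>
  </host>
</nmaprun>"""


def parse_nmap_xml(xml_text):
    """Return {address: [(proto, port, state, service_label), ...]} for hosts that
    are up. Down hosts are skipped; -sn output has no <ports>, so it yields []."""
    root = ET.fromstring(xml_text)  # scan output you produced yourself is trusted input
    results = {}
    for host in root.findall("host"):
        if host.find("status").get("state") != "up":
            continue
        addr = host.find("address[@addrtype='ipv4']") or host.find("address")
        entries = []
        for port in host.findall("ports/port"):
            state = port.find("state").get("state")
            svc = port.find("service")
            parts = (svc.get("name"), svc.get("product"), svc.get("version")) if svc is not None else ()
            label = " ".join(p for p in parts if p)  # e.g. "ssh OpenSSH 8.9p1"
            entries.append((port.get("protocol"), int(port.get("portid")), state, label))
        results[addr.get("addr")] = entries
    return results


def open_ports(results):
    """Keep only ports Nmap reported as plainly open ('open|filtered' is excluded)."""
    return {a: [e for e in es if e[2] == "open"] for a, es in results.items()}


if __name__ == "__main__":
    for addr, entries in open_ports(parse_nmap_xml(SAMPLE_XML)).items():
        for proto, port, _, label in entries:
            print(f"{addr} {port}/{proto} {label}")
```

Feed it a real file with `parse_nmap_xml(open("output.xml").read())` once you have run a scan with -oX.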

Conclusion

In this article, we covered the top 12 Nmap commands to scan remote hosts, but there’s a lot more to discover if you’re starting to use Nmap in your OSINT strategy.

IMPORTANT THINGS TO REMEMBER

  • This article was written only for educational purposes.
  • The author cannot be held responsible for damage caused by the use of these resources.
  • You will not use this information to gain unauthorized access or for any other illegal activity.

Finally

If you have any questions about this article, any feedback, suggestions, or if you want to share your thoughts, please feel free to comment below. If you want to speak with us directly you can Contact Us.
