Nmap Commands
Fast Scan
Security professionals and network administrators use Nmap (“Network Mapper”), an open source tool for network exploration and security auditing. If you want to scan a target with Nmap without installing anything, learning the options, or opening a terminal to type the commands yourself, nmap.online does it for you.
nmap command
nmap -F [hostname]
[hostname] - is your host name or IP address
This command scans only the 100 most common ports instead of Nmap's default top 1000, using the -F (fast scan) option. It finishes quickly, at the cost of missing services that listen on less common ports.
Nmap Scan
nmap command
nmap [hostname]
[hostname] - is your domain name or IP address
Scans the 1000 most commonly used TCP ports on the remote system using Nmap's default scan type: a SYN scan when Nmap runs with raw-packet (root) privileges, otherwise a TCP connect scan.
Port scan
nmap command
nmap -sV -p 21,22,25,80,110,143,443,445 [hostname]
[hostname] - is your domain name or IP address
TCP scan of FTP (21), SSH (22), SMTP (25), HTTP (80), POP3 (110), IMAP (143), HTTPS (443) and SMB (445). Service detection (-sV) is also enabled, so for each open port Nmap reports the name and version of the service it actually found, rather than just the name assigned to that port number.
Ping Scan
nmap command
nmap -sP [hostname]
[hostname] - is your domain name or IP address
This option tells Nmap to perform host discovery only (a "ping scan") and print the hosts that responded; no port scanning or OS detection follows. Despite the name it is not only ICMP: with raw-packet privileges Nmap sends an ICMP echo request, a TCP SYN to port 443, a TCP ACK to port 80 and an ICMP timestamp request; without them it falls back to TCP connect attempts to ports 80 and 443. -sP is the older spelling of this option; current Nmap versions call it -sn and still accept -sP. This is one step more intrusive than a list scan and can often be used for the same purposes: it performs light reconnaissance of a target network quickly and without attracting much attention, and knowing which hosts are up is more valuable to an attacker than the list of every IP and host name that a list scan gives.
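A worked example of chaining the page's host discovery, fast scan and targeted -sV scan, added here as illustration (it is not nmap.online's or Nmap's own code): Nmap's XML output (-oX -) is parsed to list the hosts that answered discovery and the ports the fast scan found open, and the follow-up version scan is limited to exactly those ports, so the noisy version probes touch nothing else. The two XML documents are constructed samples in the 192.0.2.0/24 documentation range, trimmed to the elements the code reads; the function names are this example's own.

```python
"""Post-process Nmap XML (-oX) from the page's host discovery and fast scans.

Added example, not part of nmap.online or Nmap.  The XML below is
constructed sample output (192.0.2.0/24 is reserved for documentation),
reduced to the elements this code reads; a real -oX document carries
many more attributes, which ElementTree simply ignores."""
import xml.etree.ElementTree as ET

# Constructed output of:  nmap -sn -oX - 192.0.2.0/29
DISCOVERY_XML = """\
<nmaprun scanner="nmap" args="nmap -sn -oX - 192.0.2.0/29">
  <host><status state="up" reason="echo-reply"/>
    <address addr="192.0.2.1" addrtype="ipv4"/>
    <hostnames><hostname name="gw.example.test" type="PTR"/></hostnames>
  </host>
  <host><status state="down" reason="no-response"/>
    <address addr="192.0.2.2" addrtype="ipv4"/>
  </host>
  <host><status state="up" reason="syn-ack"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <hostnames/>
  </host>
</nmaprun>
"""

# Constructed output of:  nmap -F -oX - 192.0.2.10
FAST_SCAN_XML = """\
<nmaprun scanner="nmap" args="nmap -F -oX - 192.0.2.10">
  <host><status state="up" reason="syn-ack"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <extraports state="filtered" count="97"/>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http"/></port>
      <port protocol="tcp" portid="443"><state state="closed" reason="reset"/><service name="https"/></port>
    </ports>
  </host>
</nmaprun>
"""


def live_hosts(xml_text):
    """Return [(ip, hostname_or_None)] for every host Nmap reported as up."""
    hosts = []
    for host in ET.fromstring(xml_text).iter("host"):
        if host.find("status").get("state") != "up":
            continue
        addr = host.find("address[@addrtype='ipv4']").get("addr")
        name_el = host.find("hostnames/hostname")   # None when no PTR name
        hosts.append((addr, name_el.get("name") if name_el is not None else None))
    return hosts


def open_ports(xml_text, protocol="tcp"):
    """Return the sorted open port numbers for one protocol (closed and
    filtered ports, and the <extraports> summary, are skipped)."""
    ports = set()
    for port in ET.fromstring(xml_text).iter("port"):
        if port.get("protocol") == protocol and port.find("state").get("state") == "open":
            ports.add(int(port.get("portid")))
    return sorted(ports)


def version_scan_argv(target, ports):
    """argv for the page's targeted -sV scan, restricted to the given ports."""
    if not ports:
        raise ValueError("no open ports found: nothing to version-scan")
    return ["nmap", "-sV", "-p", ",".join(str(p) for p in ports), target]


if __name__ == "__main__":
    for ip, name in live_hosts(DISCOVERY_XML):          # stage 1: who is up
        print("up:", ip, name or "")
    ports = open_ports(FAST_SCAN_XML)                    # stage 2: fast scan result
    print(" ".join(version_scan_argv("192.0.2.10", ports)))  # stage 3: printed, not run
```

The follow-up command is built as an argv list rather than a shell string so it can be handed to subprocess.run without shell quoting; the target and the port list both come from parsed scan data, never from an interpolated string.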
Scan OS information and Traceroute
nmap command
nmap -A [hostname]
[hostname] - is your host name or IP address
-A (aggressive scan) combines OS detection (-O), version detection (-sV), the default script set (-sC) and traceroute (--traceroute) in one switch, which makes it handy for an inventory sweep of your own network.
OS detection and traceroute need raw-packet (root) privileges, and the combination is noisy: expect it to show up in the target's logs and IDS alerts.
HTTP Headers Script
The http-headers script performs a HEAD request for the root folder ("/") of a web server and displays the HTTP headers returned.
nmap command
nmap --script http-headers [hostname]
[hostname] - is your host name or IP address
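What to do with the headers the script prints: the example below, added here and not part of nmap.online or Nmap, parses the http-headers blocks out of Nmap's normal output and reports, per port, which browser security headers are absent and whether the Server header leaks a version. The scan output is a constructed sample in the script's output format, and the function names are this example's own.

```python
"""Audit the headers printed by `nmap --script http-headers` for missing
browser security headers.  Added example, not part of nmap.online or Nmap;
SAMPLE_OUTPUT is a constructed sample of the script's normal-output format."""
import re

# Constructed sample of:  nmap -p 80,443 --script http-headers 192.0.2.10
SAMPLE_OUTPUT = """\
PORT    STATE SERVICE
80/tcp  open  http
| http-headers: 
|   Server: nginx/1.18.0
|   Date: Mon, 01 Jan 2024 00:00:00 GMT
|   Content-Type: text/html
|   Connection: close
|   
|_  (Request type: HEAD)
443/tcp open  https
| http-headers: 
|   Server: nginx
|   Strict-Transport-Security: max-age=31536000; includeSubDomains
|   X-Content-Type-Options: nosniff
|   X-Frame-Options: DENY
|   Content-Security-Policy: default-src 'self'
|   Connection: close
|   
|_  (Request type: HEAD)
"""

# Headers a hardened site is expected to send; names are compared case-insensitively.
EXPECTED = ("Strict-Transport-Security", "Content-Security-Policy",
            "X-Content-Type-Options", "X-Frame-Options")

PORT_LINE = re.compile(r"^(\d+)/tcp\s+open\s+(\S+)")
HEADER_LINE = re.compile(r"^\|\s{3}([A-Za-z0-9-]+):\s?(.*)$")   # "|   Name: value"


def parse_http_headers(output):
    """Map port -> (service name, {header-name-lowercase: value}) from the
    http-headers blocks in Nmap's normal output."""
    result, current = {}, None
    for line in output.splitlines():
        m = PORT_LINE.match(line)
        if m:
            current = {}
            result[int(m.group(1))] = (m.group(2), current)
            continue
        m = HEADER_LINE.match(line)
        if m and current is not None:
            current[m.group(1).lower()] = m.group(2).strip()
    return result


def audit(headers, tls):
    """Findings for one port.  HSTS is only checked on a TLS port: browsers
    ignore Strict-Transport-Security received over plain HTTP, so its absence
    on port 80 is not a finding (the useful check there is a redirect to HTTPS)."""
    expected = [h for h in EXPECTED if tls or h != "Strict-Transport-Security"]
    findings = [f"missing {h}" for h in expected if h.lower() not in headers]
    server = headers.get("server", "")
    if re.search(r"\d+\.\d+", server):
        findings.append(f"Server header discloses version: {server}")
    return findings


def audit_scan(output):
    """Run audit() over every port in the scan output; a port is treated as TLS
    when Nmap names its service https or ssl/<something>."""
    return {port: audit(hdrs, tls="https" in service or service.startswith("ssl/"))
            for port, (service, hdrs) in parse_http_headers(output).items()}


if __name__ == "__main__":
    for port, findings in audit_scan(SAMPLE_OUTPUT).items():
        print(port, findings or "ok")
```

Absence of a header is only evidence about the root path the script requested; applications frequently set Content-Security-Policy per page, so treat a "missing" result as a lead to confirm in the browser rather than a verdict.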
Banner grabbing
A simple banner grabber which connects to an open TCP port and prints out anything sent by the listening service within five seconds.
The banner will be truncated to fit into a single line, but an extra line may be printed for every increase in the level of verbosity requested on the command line.
nmap command
nmap --script banner [hostname]
[hostname] - is your host name or IP address
Forward-confirmed Reverse DNS
nmap command
nmap -sn -Pn --script fcrdns [hostname]
[hostname] - is your domain name or IP address
Performs a forward-confirmed reverse DNS lookup and reports anomalous results: the address is resolved to its PTR name(s), each name is resolved forward again, and the check passes only if the original address is among the forward answers. With -sn -Pn Nmap skips both port scanning and host discovery, so only the DNS check runs.
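The check itself, written out as an added example (this is not Nmap's fcrdns script): reverse lookup, forward lookup of every returned name, and a verdict of pass, no-ptr or fail. The resolver functions are injectable, so the block runs offline against a constructed lookup table; the 192.0.2.0/24 and 2001:db8::/32 addresses and the example.test names in that table are this example's own, as are the function names.

```python
"""Forward-confirmed reverse DNS (FCrDNS), the check the fcrdns script
performs: resolve the address to its PTR names, resolve each name forward,
and confirm the original address is among the forward answers.  Added
example, not Nmap's script; DNS lookups go through injectable resolver
functions so the check can run offline against the constructed table below."""
import ipaddress
import socket


def reverse_lookup(ip):
    """PTR names for ip via the system resolver ([] if there is no PTR)."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
        return [name] + list(aliases)
    except (socket.herror, socket.gaierror):
        return []


def forward_lookup(name):
    """A/AAAA addresses for name via the system resolver ([] on failure)."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})
    except socket.gaierror:
        return []


def fcrdns(ip, reverse=reverse_lookup, forward=forward_lookup):
    """Return (status, {ptr_name: [forward addresses]}).

    status: "pass"   - some PTR name resolves back to ip
            "no-ptr" - the address has no PTR record at all
            "fail"   - PTR names exist but none resolves back to ip; this is
                       the anomaly fcrdns reports (a spoofed or stale PTR)"""
    ip = str(ipaddress.ip_address(ip))   # canonical text form; rejects non-addresses
    names = reverse(ip)
    if not names:
        return "no-ptr", {}
    details = {name: forward(name) for name in names}
    confirmed = any(ip in addrs for addrs in details.values())
    return ("pass" if confirmed else "fail"), details


# Constructed stand-in for DNS (documentation address ranges, made-up names).
FAKE_PTR = {
    "192.0.2.10": ["mail.example.test"],
    "192.0.2.20": ["web.example.test", "old.example.test"],
    "192.0.2.30": ["spoofed.example.test"],   # PTR claims a name that points elsewhere
}
FAKE_A = {
    "mail.example.test": ["192.0.2.10"],
    "web.example.test": ["192.0.2.20", "2001:db8::20"],
    "old.example.test": ["192.0.2.99"],       # stale: no longer points back here
    "spoofed.example.test": ["192.0.2.31"],
}


def fcrdns_offline(ip):
    """fcrdns() against the constructed table instead of real DNS."""
    return fcrdns(ip, reverse=lambda a: FAKE_PTR.get(a, []),
                  forward=lambda n: FAKE_A.get(n, []))


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                       # real lookup of a given address
        print(fcrdns(sys.argv[1]))
    else:                                       # offline demonstration
        for addr in list(FAKE_PTR) + ["192.0.2.40"]:
            print(addr, fcrdns_offline(addr))
```

Only one PTR name has to confirm for a pass; mail receivers that apply FCrDNS typically behave the same way, which is why a stale second PTR (old.example.test above) is not by itself a failure.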
OS Detection
nmap command
nmap -O [hostname]
[hostname] - is your domain name or IP address
One of Nmap's best-known features is remote OS detection using TCP/IP stack fingerprinting. Nmap sends a series of TCP and UDP packets to the remote host and examines practically every bit in the responses, then compares the result with its database of known fingerprints (nmap-os-db).
-O enables OS detection. It needs raw-packet (root) privileges and works best when the target has at least one open and one closed TCP port; with fewer reference points the guess is much less reliable.
HTTP Vulnerabilities
Run every NSE script whose name starts with http-vuln (the quotes stop the shell from expanding the wildcard against local files). Several of these scripts are in the intrusive category, so expect them to be logged and take care on fragile services.
nmap command
nmap --script "http-vuln*" [hostname]
[hostname] - is your host name or IP address
log4shell
Nmap NSE scripts to check for the Log4Shell vulnerability (CVE-2021-44228) in Apache Log4j. The name LogJam, sometimes used for this flaw, properly belongs to an unrelated 2015 TLS Diffie-Hellman weakness. Nmap does not ship a Log4Shell script; the checks referred to here are third-party NSE scripts, and because the bug is triggered by a JNDI lookup on attacker-controlled input, a reliable test needs a callback host (DNS or LDAP) that the payload can reach, not just a request and a response.
CVE-2021-41773 Path Traversal
Check for CVE-2021-41773, the path traversal vulnerability in Apache HTTP Server 2.4.49 (the incomplete fix in 2.4.50 was assigned CVE-2021-42013). This script is not part of Nmap's bundled script set: place it in Nmap's scripts directory and run nmap --script-updatedb so --script can find it by name, or pass its file path to --script instead.
nmap command
nmap --script=http-vuln-cve-2021-41773 [hostname]
[hostname] - is your host name or IP address
Determining Firewall Rules
nmap command
nmap -sA [hostname]
[hostname] - is your host name or IP address
-sA (TCP ACK scan)
This scan never determines open ports; it is used to map out firewall rulesets, in particular whether a firewall is stateful and which ports it filters. It sends packets with only the ACK flag set and needs raw-packet (root) privileges. When scanning unfiltered systems, open and closed ports will both return a RST packet. Nmap then labels them as unfiltered, meaning that they are reachable by the ACK packet, but whether they are open or closed is undetermined. Ports that don't respond, or send certain ICMP error messages back, are labeled filtered.
Nmap responses to ACK scan
TCP RST response - unfiltered
No response received (even after retransmissions) - filtered
ICMP unreachable error (type 3, code 1, 2, 3, 9, 10, or 13) - filtered
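Reading the ACK-scan states on their own rarely answers the question; combined with a SYN scan of the same ports they do. The example below is added here (it is not nmap.online's or Nmap's own code): it parses the PORT/STATE/SERVICE table from both scans and gives a per-port verdict, using the fact that a stateful firewall drops a bare ACK that matches no tracked connection while a stateless filter lets it through to be answered with a RST. Both scan outputs are constructed samples in Nmap's normal-output format, chosen to hit every branch; the function names are this example's own.

```python
"""Infer firewall behaviour per port by combining a SYN scan (-sS) with the
page's ACK scan (-sA) of the same ports.  Added example, not part of
nmap.online or Nmap; both scan outputs are constructed samples in Nmap's
normal-output format, chosen to exercise every branch of classify()."""
import re

# Constructed output of:  nmap -sS -p 22,25,80,443,8080 192.0.2.10
SYN_SCAN = """\
PORT     STATE    SERVICE
22/tcp   open     ssh
25/tcp   filtered smtp
80/tcp   open     http
443/tcp  closed   https
8080/tcp filtered http-proxy
"""

# Constructed output of:  nmap -sA -p 22,25,80,443,8080 192.0.2.10
ACK_SCAN = """\
PORT     STATE      SERVICE
22/tcp   unfiltered ssh
25/tcp   filtered   smtp
80/tcp   filtered   http
443/tcp  unfiltered https
8080/tcp unfiltered http-proxy
"""

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)")


def parse_port_states(output):
    """{port: state} from the PORT/STATE/SERVICE table in Nmap's normal output."""
    states = {}
    for line in output.splitlines():
        m = PORT_LINE.match(line)
        if m:
            states[int(m.group(1))] = m.group(3)
    return states


def classify(syn_state, ack_state):
    """Interpret one port from its SYN-scan and ACK-scan states.

    A SYN tests whether a new connection gets through and how the host
    answers it.  A bare ACK looks like part of an established connection:
    a stateful firewall drops it because no tracked connection matches,
    while a stateless filter that only looks at flags and ports passes it
    and the host answers with a RST (unfiltered).  The pairs follow from that."""
    table = {
        ("open", "unfiltered"): "open, nothing filtering it",
        ("closed", "unfiltered"): "closed, nothing filtering it",
        ("filtered", "unfiltered"): "stateless filter: drops SYN, passes ACK",
        ("open", "filtered"): "open behind a stateful firewall (bare ACK dropped)",
        ("closed", "filtered"): "closed behind a stateful firewall (RST came from the host)",
        ("filtered", "filtered"): "dropped both ways: stateful firewall or a deny-all rule",
    }
    return table.get((syn_state, ack_state), f"unexpected pair syn={syn_state} ack={ack_state}")


def firewall_report(syn_output, ack_output):
    """Per-port verdicts; both scans must cover the same ports to be comparable."""
    syn, ack = parse_port_states(syn_output), parse_port_states(ack_output)
    if set(syn) != set(ack):
        raise ValueError("SYN and ACK scans cover different ports")
    return {port: classify(syn[port], ack[port]) for port in sorted(syn)}


if __name__ == "__main__":
    for port, verdict in firewall_report(SYN_SCAN, ACK_SCAN).items():
        print(f"{port:>5}/tcp  {verdict}")
```

A real host sits behind one ruleset, so you would normally see only two or three of these verdicts; a mix like the sample's points at per-port rules (for example a stateful accept for 80 next to a stateless SYN block on 8080) or at results collected at different times.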
Scan most popular ports
nmap command
nmap --top-ports [x] [hostname]
[x] - the number of most common ports to scan, for example 100
[hostname] - is your domain name or IP address
Scan the [x] most common ports, where "common" is ranked by the open-port frequency data in Nmap's nmap-services file (the same ranking -F and the default scan use).
Scan All Ports
To scan all ports, use -p- : it is shorthand for -p 1-65535 and easier than writing the range out (port 0 is only included if you write -p0-).
Add -sU to scan UDP instead of TCP. A full UDP sweep is slow, because Nmap infers a closed UDP port from the ICMP port unreachable reply and most hosts rate-limit those replies (Linux to about one per second), and most ports come back open|filtered because nothing answered at all.
nmap commands
TCP scanning:
nmap -p- [hostname]
UDP scanning:
nmap -sU -p- [hostname]
[hostname] - is your domain name or IP address
Scan TCP or UDP protocols
nmap command
TCP scanning:
nmap -sT [hostname]
UDP scanning:
nmap -sU [hostname]
[hostname] - is your domain name or IP address
-sT is a TCP connect scan: Nmap completes the full three-way handshake through the operating system's connect() call, so it needs no special privileges, but every probe becomes a real connection that the target's service can log. -sU is a UDP scan and needs raw-packet (root) privileges; a port that answers with ICMP port unreachable is closed, a port that replies with data is open, and a port that stays silent is reported open|filtered because the two cannot be told apart. Combine -sU with -sV to let the service probes identify which open|filtered UDP ports are really open.
Detecting malware infections
nmap command
nmap -sV --script=http-malware-host [hostname]
[hostname] - is your domain name or IP address
The http-malware-host script checks a web server for signatures of known server compromises. The broader backdoor checks described here, for Identd, ProFTPD, vsftpd, IRC, SMB and SMTP, are separate scripts in Nmap's malware script category, so run that whole category if you want them as well. Because these checks key on known signatures, a clean result only means no known implant was seen, not that the host is uncompromised.