NMAP - Examples
Revision as of 13:55, 13 December 2025
Perform a Ping Sweep
To check which hosts are up in a subnet, use the `-sn` option to run host discovery without port scanning:
nmap -sn 192.168.1.0/24
On a local Ethernet segment, run as root, this uses ARP requests, which hosts cannot filter. Across a router it sends an ICMP echo request, a TCP SYN to port 443, a TCP ACK to port 80 and an ICMP timestamp request; an unprivileged user gets only TCP connect attempts to ports 80 and 443. A host that drops all of these is reported as down, so add `-Pn` to skip discovery and port-scan such hosts anyway.
Scan Specific Ports
If you're only interested in specific ports, specify them with the `-p` option:
nmap -p 22,80,443 192.168.1.1
This command scans only ports 22 (SSH), 80 (HTTP) and 443 (HTTPS). Ranges are accepted (`-p 1-1024`), `-p-` scans all 65535 ports, and a protocol prefix selects TCP or UDP ports when both scan types are enabled (`-p T:22,U:53`). Without `-p`, Nmap scans its default list of the 1000 most common ports for each protocol, so a service on an unusual port is missed unless you widen the list.
Service Version Detection
To identify the services and versions running on open ports, use the `-sV` flag:
nmap -sV 192.168.1.1
Nmap sends protocol probes to each open port and matches the replies against its nmap-service-probes signature database, reporting product and version (for example the OpenSSH release string) rather than just the name conventionally associated with the port number. Port 8080 running SSH is still reported as SSH. This is the data that feeds vulnerability lookups, so it is worth the extra time on any assessment; `--version-intensity 0-9` trades coverage for speed.
OS Detection
To attempt to identify the operating system of the target host, use the `-O` flag:
nmap -O 192.168.1.1
Nmap fingerprints the target's TCP/IP stack (initial TTL, window size, TCP option ordering, responses to unusual flag combinations) and compares the result with its nmap-os-db database. It needs raw sockets, so run it as root. Results are most reliable when the target has at least one open and one closed TCP port; when there is no exact match, `--osscan-guess` prints the closest candidates.
Aggressive Scan
An aggressive scan combines several Nmap features: OS detection, version detection, the default script set and traceroute. It is enabled with the `-A` option, which is shorthand for `-O -sV -sC --traceroute`:
nmap -A 192.168.1.1
This scan is thorough, takes longer, and is very noisy: it touches every open port with version probes and NSE scripts, so expect it to appear in IDS alerts and service logs. On an engagement where quiet matters, run the individual options separately and only where needed.
Scan for Open Ports and Services with a Specific Script
The Nmap Scripting Engine (NSE) runs Lua scripts against discovered services to probe them in more detail. To run one script against one port:
nmap -p 80 --script=http-title 192.168.1.1
The `http-title` script requests the root page of the HTTP service on port 80 and reports its `<title>`, a quick way to tell a login portal from a default vhost across many hosts. Scripts can also be selected by category (`--script=vuln`) or by wildcard (`--script="http-*"`), and `--script-help=http-title` shows what a script does before you run it.
Scan with a Custom Timing Template
To control the speed and stealthiness of the scan, use the `-T` option followed by a number from 0 to 5: `-T0` (paranoid) and `-T1` (sneaky) wait minutes between probes to slip under time-based IDS thresholds, `-T2` (polite) throttles bandwidth, `-T3` (normal) is the default, `-T4` (aggressive) assumes a fast, reliable network, and `-T5` (insane) trades accuracy for speed:
nmap -T4 192.168.1.1
`-T4` speeds up the scan on a modern LAN, making it more aggressive but less stealthy. `-T5` can miss ports when the network or the target drops packets, so check results from a `-T5` run against a slower one before relying on them.
Use Nmap for UDP Scanning
While Nmap is primarily known for TCP scanning, it can also scan UDP ports using the `-sU` option:
nmap -sU -p 53 192.168.1.1
This scans UDP port 53 (DNS) on the target host. UDP scanning is slow and ambiguous: a closed port answers with an ICMP port unreachable (which Linux rate-limits to about one per second), but an open port that ignores an empty datagram looks the same as a filtered one and is reported as `open|filtered`. Combine `-sU` with `-sV` so that Nmap sends protocol-specific requests (a DNS query to 53, an SNMP request to 161) and can confirm which ports are really open.
Scan for Specific IP Range in a Subnet
To scan a specific IP range within a subnet, use the following syntax:
nmap 192.168.1.10-20
This scans IP addresses from 192.168.1.10 to 192.168.1.20. The range notation works in any octet and accepts comma-separated lists, so `192.168.3-5,7.1` scans 192.168.3.1, 192.168.4.1, 192.168.5.1 and 192.168.7.1; an omitted bound defaults to 0 on the left and 255 on the right, so `192.168.1.-` covers the whole /24. Targets can also be read from a file with `-iL hosts.txt` and removed from a scan with `--exclude`.
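The range and CIDR notations above are easy to get subtly wrong (a /24 is 256 probes, not 254, and a typo in one octet can send probes outside an engagement's authorised networks). The following Python script, added here as an example and not taken from the wiki page or from the Nmap project, expands an Nmap target expression into the addresses Nmap would actually probe and lists those that fall outside a declared scope; the scope networks in the demonstration are assumed values, not anything from the page.

```python
import ipaddress
import itertools
from typing import List

# Added example, not code from this page or from the Nmap project: expand the
# target notations this page uses (CIDR and per-octet ranges) into the
# individual IPv4 addresses Nmap would probe, then check them against an
# authorised scope before the scan is run.


def _expand_octet(spec: str) -> List[int]:
    """One octet of an Nmap target: '10', '10-20', '3-5,7', '250-' or '-'."""
    values: List[int] = []
    for part in spec.split(","):
        if "-" in part:
            lo_s, hi_s = part.split("-", 1)
            # Nmap defaults an omitted side to 0 (left) and 255 (right),
            # so '-' alone means 0-255 and '250-' means 250-255.
            lo = int(lo_s) if lo_s else 0
            hi = int(hi_s) if hi_s else 255
        else:
            lo = hi = int(part)
        if not 0 <= lo <= hi <= 255:
            raise ValueError(f"invalid octet range: {spec!r}")
        values.extend(range(lo, hi + 1))
    return values


def expand_target(target: str) -> List[str]:
    """All IPv4 addresses covered by one Nmap target expression.

    CIDR targets include the network and broadcast addresses because Nmap
    probes those too: 192.168.1.0/24 is 256 targets, not 254.
    """
    if "/" in target:
        return [str(ip) for ip in ipaddress.ip_network(target, strict=False)]
    octets = target.split(".")
    if len(octets) != 4:
        raise ValueError(f"not an IPv4 target: {target!r}")
    ranges = [_expand_octet(o) for o in octets]
    return [".".join(map(str, combo)) for combo in itertools.product(*ranges)]


def out_of_scope(target: str, allowed: List[str]) -> List[str]:
    """Addresses in `target` that lie outside every authorised network in `allowed`."""
    nets = [ipaddress.ip_network(a, strict=False) for a in allowed]
    return [ip for ip in expand_target(target)
            if not any(ipaddress.ip_address(ip) in net for net in nets)]


if __name__ == "__main__":
    # Assumed engagement scope for the demonstration (not from the page).
    scope = ["192.168.3.0/24", "192.168.4.0/23"]
    for t in ("192.168.1.10-20", "192.168.3-5,7.1", "192.168.4.0/24"):
        stray = out_of_scope(t, scope)
        print(f"{t:18} {len(expand_target(t)):4} addresses, "
              f"{len(stray)} outside scope {stray[:3]}")
```

Run it before a large scan and feed only the in-scope addresses to `nmap -iL`; the check is cheap compared with explaining probes that landed on a network you were never authorised to touch.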
Scan a Host Behind a Firewall (Using the `--source-port` Option)
If you suspect that a packet filter in front of the target allows traffic based on its source port, set the source port of your probes with the `--source-port` option (short form `-g`):
nmap --source-port 53 192.168.1.1
This example sends probes from source port 53. Poorly written rule sets sometimes allow port 53 through in both directions so that DNS replies are never blocked; port 20 (FTP-data) is the other classic choice. Treat this as a test of the firewall rather than a reliable bypass: a stateful firewall that tracks connections ignores the source port, and the option only applies to raw-packet scans such as `-sS` and `-sU`. A connect scan (`-sT`), version detection and NSE scripts go through the operating system's TCP stack, which picks its own source port. Add `--reason` to see why each port was reported open or filtered.
Scan Using a Specific Network Interface
To send the scan out of a specific network interface (useful on a multi-homed host that sits on several networks), name the interface with the `-e` option:
nmap -e eth1 192.168.1.1
This sends the probes through `eth1`. Nmap normally picks the interface from the routing table, so `-e` is mostly needed when routing is ambiguous or when spoofing the source address; `nmap --iflist` prints the interfaces and routes Nmap knows about.
Run the Default NSE Scripts
The `-sC` option runs the Nmap Scripting Engine (NSE) scripts in the `default` category; it is equivalent to `--script=default`:
nmap -sC 192.168.1.1
The default set performs mostly non-intrusive checks against every open port it recognises (SSH host keys, HTTP titles and headers, SMB OS discovery, TLS certificate details and so on), although a few default scripts are classed as intrusive. The scripts are not an external database: they ship with Nmap in its scripts directory, and `--script-updatedb` rebuilds the index after you add your own.
Run a Stealth Scan (SYN Scan)
The SYN scan (`-sS`) is the most common port scan because it is fast and relatively quiet. It sends a SYN to each port and classifies the reply: SYN/ACK means open, RST means closed, and no reply (or an ICMP unreachable) means filtered. Nmap answers an open port's SYN/ACK with a RST instead of an ACK, so the TCP handshake is never completed:
nmap -sS 192.168.1.1
Because no connection is established, the service behind the port never sees it and usually does not log it, which is where the "stealth" label comes from; any network IDS, or a firewall that logs SYNs, sees the scan just fine. SYN scanning needs raw sockets, so it requires root. It is Nmap's default scan type when run as root; an unprivileged user gets the noisier connect scan (`-sT`), which completes the handshake and does show up in application logs.
Scan Using a Specific Source IP Address
To spoof the source IP address of your probes, use the `-S` option (Nmap has no `--source-ip` option). With a spoofed source Nmap can no longer work out which interface to use or whether the target is up, so `-e` and `-Pn` are normally required as well:
nmap -S 192.168.1.100 -e eth0 -Pn 192.168.1.1
Replies go to the spoofed address, not to you, so you see no results unless you can sniff them on that path. The practical uses are testing whether a filter trusts a particular source address and, with the decoy option (`-D decoy1,decoy2,ME`), mixing your real probes in among spoofed ones so that the target cannot easily tell which address is scanning. Only do this on networks where you are authorised to test, and expect upstream routers with anti-spoofing filters (BCP 38) to drop the packets.
Perform a Banner Grabbing Scan
Banner grabbing collects the greeting a service sends on connection (or its reply to a simple request) to learn what software is listening. Use `-sV` together with the `banner` NSE script:
nmap -sV --script=banner 192.168.1.1
`-sV` matches responses against Nmap's signature database and reports product and version; the `banner` script prints the raw banner text as received, which is useful when `-sV` cannot match a custom or obfuscated service, and for spotting banners that an administrator has changed deliberately to mislead scanners.
Save Scan Results to a File
Scan results can be written to a file in several formats with the `-o` family of options. XML is the format to use when another tool will read the results:
nmap -oX scan_results.xml 192.168.1.1
For a human-readable text file, use normal output:
nmap -oN scan_results.txt 192.168.1.1
`-oG` writes the one-host-per-line grepable format for quick `grep`/`awk` processing, and `-oA scan_results` writes all three at once (`.nmap`, `.xml` and `.gnmap`). Keep the XML from every scan: Nmap's `ndiff` tool compares two XML files and reports the hosts and ports that appeared or disappeared between them, which is how you turn periodic scans into change detection.
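The reason to keep the XML is that it is easy to process. The following Python script, added here as an example and not taken from the wiki page or from the Nmap project, parses two `-oX` documents, lists the hosts reported up (which is all a `-sn` sweep produces) and reports the open ports that appeared, disappeared or changed service between a baseline and a later scan. Both XML documents are constructed samples in Nmap's XML layout, trimmed to the elements the code reads; the addresses, services and version strings in them are made up.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

# Added example, not code from this page or from the Nmap project: read two
# `nmap -oX` results and report which open ports appeared, vanished or changed
# service between them. Both documents below are constructed samples.

BASELINE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX baseline.xml 192.168.1.0/24">
  <host><status state="up" reason="arp-response"/>
    <address addr="192.168.1.1" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="9.2p1"/></port>
      <port protocol="tcp" portid="443"><state state="open" reason="syn-ack"/>
        <service name="https" product="nginx" version="1.22.1"/></port>
    </ports>
  </host>
  <host><status state="down" reason="no-response"/>
    <address addr="192.168.1.5" addrtype="ipv4"/>
  </host>
</nmaprun>"""

CURRENT_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX current.xml 192.168.1.0/24">
  <host><status state="up" reason="arp-response"/>
    <address addr="192.168.1.1" addrtype="ipv4"/>
    <address addr="00:11:22:33:44:55" addrtype="mac"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="9.2p1"/></port>
      <port protocol="tcp" portid="23"><state state="filtered" reason="no-response"/></port>
      <port protocol="tcp" portid="443"><state state="open" reason="syn-ack"/>
        <service name="https" product="nginx" version="1.24.0"/></port>
      <port protocol="tcp" portid="3389"><state state="open" reason="syn-ack"/>
        <service name="ms-wbt-server"/></port>
    </ports>
  </host>
  <host><status state="up" reason="arp-response"/>
    <address addr="192.168.1.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="445"><state state="open" reason="syn-ack"/>
        <service name="microsoft-ds"/></port>
    </ports>
  </host>
</nmaprun>"""

Port = Tuple[str, str, int]  # (address, protocol, port number)


def _address(host: ET.Element) -> str:
    """Prefer the IPv4 address, then IPv6; MAC addresses are skipped."""
    for family in ("ipv4", "ipv6"):
        el = host.find(f"address[@addrtype='{family}']")
        if el is not None:
            return el.get("addr", "")
    return ""


def _is_up(host: ET.Element) -> bool:
    status = host.find("status")
    return status is not None and status.get("state") == "up"


def up_hosts(xml_text: str) -> List[str]:
    """Hosts reported up; for a `-sn` sweep this is the whole result."""
    return [_address(h) for h in ET.fromstring(xml_text).findall("host") if _is_up(h)]


def open_ports(xml_text: str) -> Dict[Port, str]:
    """Map each open port on each up host to a 'name product version' string."""
    result: Dict[Port, str] = {}
    for host in ET.fromstring(xml_text).findall("host"):
        if not _is_up(host):
            continue
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed, filtered and open|filtered are not tracked here
            svc = port.find("service")
            fields = [svc.get(k) for k in ("name", "product", "version")] if svc is not None else []
            key = (_address(host), port.get("protocol", ""), int(port.get("portid", "0")))
            result[key] = " ".join(f for f in fields if f) or "unknown"
    return result


def diff_scans(baseline_xml: str, current_xml: str):
    """Return (new, closed, changed) open ports between two -oX results."""
    before, after = open_ports(baseline_xml), open_ports(current_xml)
    new = {p: after[p] for p in after.keys() - before.keys()}
    closed = {p: before[p] for p in before.keys() - after.keys()}
    changed = {p: (before[p], after[p]) for p in before.keys() & after.keys()
               if before[p] != after[p]}
    return new, closed, changed


if __name__ == "__main__":
    new, closed, changed = diff_scans(BASELINE_XML, CURRENT_XML)
    for (addr, proto, num), svc in sorted(new.items()):
        print(f"NEW     {addr} {num}/{proto} {svc}")
    for (addr, proto, num), (old, cur) in sorted(changed.items()):
        print(f"CHANGED {addr} {num}/{proto} {old} -> {cur}")
```

Replace the embedded strings with `open("baseline.xml").read()` and `open("current.xml").read()` to run it against real `-oX` files. Only `open` ports are compared on purpose: `open|filtered` results from UDP scans flap between runs and would drown the report in noise, so confirm those with `-sV` before adding them to a baseline.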
Scan a Website with HTTP Methods
Use the `http-methods` script to enumerate the HTTP methods a web server accepts:
nmap --script=http-methods 192.168.1.1
The script sends an OPTIONS request to every HTTP port it finds (add `-p 80,443` to restrict the scan to the usual ones) and lists the methods the server advertises (GET, POST, PUT, DELETE and so on), flagging the potentially risky ones: PUT or DELETE enabled on the wrong path can allow file upload or deletion, and TRACE enables cross-site tracing. Servers do not always honour their own Allow header, so confirm interesting methods with a manual request before reporting them.
Scan for IPv6 Hosts
Nmap can also scan IPv6 hosts. Add the `-6` flag and give an IPv6 address (or a hostname that resolves to one) as the target:
nmap -6 2001:0db8:85a3:0000:0000:8a2e:0370:7334
Port scanning, version detection, NSE scripts and OS detection all work over IPv6 as they do over IPv4. What does not carry over is brute-force discovery: a single /64 holds 2^64 addresses, so ping-sweeping it is impractical. Start from known addresses, DNS, neighbour tables or the `targets-ipv6-multicast-*` NSE scripts for link-local discovery instead. (The address shown is from the 2001:db8::/32 documentation prefix, so it will not answer on a real network.)
Useful Link
Official documentation: https://nmap.org (the reference guide for every option above is at https://nmap.org/book/man.html)
