NMAP - Examples

From IT-Arts.net
Revision as of 13:54, 13 December 2025 by Admin

3. Perform a Ping Sweep

To check which hosts are up in a subnet, use the `-sn` option to perform a ping sweep without port scanning:

 nmap -sn 192.168.1.0/24

4. Scan Specific Ports

If you're only interested in specific ports, you can specify them with the `-p` option:

 nmap -p 22,80,443 192.168.1.1

This command will only scan ports 22 (SSH), 80 (HTTP), and 443 (HTTPS).

5. Service Version Detection

To detect service versions running on the target host, use the `-sV` flag:

 nmap -sV 192.168.1.1

This will try to detect the version of services running on open ports.

6. OS Detection

To attempt to identify the operating system of the target host, use the `-O` flag:

 nmap -O 192.168.1.1

Nmap will try to determine the OS by fingerprinting how the target's TCP/IP stack responds to a series of probes. Like the SYN scan, `-O` needs raw-packet privileges (root on Unix-like systems).

7. Aggressive Scan

An aggressive scan combines multiple Nmap features, including OS detection, version detection, and script scanning. This can be done with the `-A` option:

 nmap -A 192.168.1.1

This scan is thorough and can take longer to complete.

8. Scan for Open Ports and Services with a Specific Script

Nmap allows users to run custom scripts to probe services in more detail. For example, to scan for open ports and services with a specific script:

 nmap -p 80 --script=http-title 192.168.1.1

The above command uses the `http-title` script to gather information about the HTTP service on port 80.

9. Scan with a Custom Timing Template

To control the speed and stealthiness of the scan, use the `-T` option, followed by a number between 0 (slowest, most stealthy) and 5 (fastest):

 nmap -T4 192.168.1.1

This would speed up the scan, making it more aggressive but also less stealthy.

10. Use Nmap for UDP Scanning

While Nmap is primarily known for TCP scanning, it can also scan UDP ports using the `-sU` option:

 nmap -sU -p 53 192.168.1.1

This will scan UDP port 53 (DNS) on the target host.

11. Scan for Specific IP Range in a Subnet

To scan a specific IP range within a subnet, use the following syntax:

 nmap 192.168.1.10-20

This will scan IP addresses from 192.168.1.10 to 192.168.1.20.
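Nmap's target notation goes beyond the single-octet range shown above: each octet may be a range, a comma-separated list or a bare `-` (0 to 255), and a CIDR suffix may be combined with any of them. The following added example, which is not part of the original page and not Nmap's own code, expands such a spec into the addresses it covers, so a defender reading a logged `nmap` command line can see exactly which hosts were targeted. The spec strings it is run on are constructed for the example.

```python
import ipaddress
from itertools import product


def _expand_octet(spec: str) -> list[int]:
    """Expand one octet of an Nmap-style target spec.

    Accepts a single value ('5'), a range ('10-20'), a comma list ('1,3,5'),
    a bare '-' (0-255) and open-ended ranges ('-5' or '250-').
    """
    values: set[int] = set()
    for part in spec.split(","):
        if "-" in part:
            lo, _, hi = part.partition("-")
            lo_i = int(lo) if lo else 0
            hi_i = int(hi) if hi else 255
            if not 0 <= lo_i <= hi_i <= 255:
                raise ValueError(f"bad octet range {part!r}")
            values.update(range(lo_i, hi_i + 1))
        else:
            v = int(part)
            if not 0 <= v <= 255:
                raise ValueError(f"octet out of range {part!r}")
            values.add(v)
    return sorted(values)


def expand_targets(spec: str) -> list[str]:
    """Return every IPv4 address an Nmap target spec covers, in address order.

    Handles octet ranges/lists ('192.168.1.10-20', '10.0.1,3.1'),
    CIDR suffixes ('192.168.1.0/30') and the two combined.
    Like Nmap, a CIDR block includes its network and broadcast addresses.
    """
    base, _, prefix = spec.partition("/")
    octets = base.split(".")
    if len(octets) != 4:
        raise ValueError(f"expected four octets in {spec!r}")
    hosts: set[ipaddress.IPv4Address] = set()
    for combo in product(*(_expand_octet(o) for o in octets)):
        addr = ipaddress.IPv4Address(".".join(map(str, combo)))
        if prefix:
            net = ipaddress.IPv4Network(f"{addr}/{int(prefix)}", strict=False)
            hosts.update(net)  # iterating a network yields every address in it
        else:
            hosts.add(addr)
    return [str(h) for h in sorted(hosts)]


if __name__ == "__main__":
    # Constructed specs for the demonstration
    for s in ("192.168.1.10-20", "192.168.1.0/30", "10.0.1,3.1"):
        addrs = expand_targets(s)
        print(f"{s:18} -> {len(addrs)} address(es): {addrs[0]} .. {addrs[-1]}")
```

The expansion uses the standard library only; `ipaddress.IPv4Network(..., strict=False)` lets a host address carry the CIDR suffix the way Nmap accepts it.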

12. Scan a Host Behind a Firewall (Using the `--source-port` Option)

If you suspect that the target host is behind a firewall, you can try to bypass it by setting a custom source port with the `--source-port` option:

 nmap --source-port 53 192.168.1.1

The above example sends traffic from source port 53 (commonly used by DNS); a firewall that allows inbound packets by source port alone, instead of tracking connection state, will let such probes through.
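From the defender's side, the tell-tale sign of this technique is a single source reaching many distinct service ports from one "trusted" source port, whereas genuine replies from a DNS server land on a client's ephemeral port. The following added example (not from the original page or from the Nmap project) runs that heuristic over a few constructed flow records; the trusted-port list, the ephemeral-range start and the flow tuples are assumptions made for the example.

```python
from collections import defaultdict

# Source ports that stateless "allow replies" rules often trust wholesale
# (FTP-data, DNS, DHCP, Kerberos). Assumed list for this example.
TRUSTED_SOURCE_PORTS = {20, 53, 67, 68, 88}

# Replies to a client normally land on an ephemeral port; a scan aims at
# service ports instead. Linux starts its ephemeral range at 32768 (assumed).
EPHEMERAL_START = 32768

# Constructed flow records (src_ip, src_port, dst_ip, dst_port, proto), as a
# firewall or NetFlow export might produce them.
SAMPLE_FLOWS = [
    ("10.0.0.5", 53, "192.168.1.1", 22, "tcp"),
    ("10.0.0.5", 53, "192.168.1.1", 80, "tcp"),
    ("10.0.0.5", 53, "192.168.1.1", 443, "tcp"),
    ("10.0.0.5", 53, "192.168.1.1", 8080, "tcp"),
    ("10.0.0.9", 53, "192.168.1.1", 49152, "udp"),   # DNS answer to a client
    ("10.0.0.9", 53, "192.168.1.1", 53, "tcp"),      # server-to-server DNS
    ("10.0.0.7", 41234, "192.168.1.1", 443, "tcp"),  # ordinary client
]


def find_source_port_abuse(flows, min_distinct_dports=3):
    """Group flows by (src_ip, src_port) for trusted source ports and report
    sources that reach several distinct service ports from the same one."""
    dports = defaultdict(set)
    for src_ip, sport, dst_ip, dport, proto in flows:
        if sport not in TRUSTED_SOURCE_PORTS:
            continue
        if dport >= EPHEMERAL_START or dport == sport:
            continue  # looks like a reply or peer traffic, not a probe
        dports[(src_ip, sport)].add(dport)
    return {key: sorted(ports) for key, ports in dports.items()
            if len(ports) >= min_distinct_dports}


# The rule that makes this scan work is a stateless allow on the source port:
#   iptables -A INPUT -p tcp --sport 53 -j ACCEPT            # weak
# Admitting only packets that belong to connections the host opened closes it:
#   iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

if __name__ == "__main__":
    for (src, sport), ports in find_source_port_abuse(SAMPLE_FLOWS).items():
        print(f"{src} probing from trusted port {sport}: {ports}")
```

The threshold is deliberately low for the constructed data; on real flow exports, tune `min_distinct_dports` and the ephemeral boundary to the operating systems in use, and treat the mitigation (stateful rules rather than source-port trust) as the real fix.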

13. Scan Using a Specific Network Interface

To use a specific network interface for the scan (useful for scanning from a different network), specify the interface with the `-e` option:

 nmap -e eth1 192.168.1.1

This will use the `eth1` network interface for the scan.

14. Scan Using the Default NSE Script Set

The Nmap Scripting Engine (NSE) can run additional checks against a target. The `-sC` option runs the scripts in the `default` category and is equivalent to `--script=default`:

 nmap -sC 192.168.1.1

This command runs the default set of scripts, which gather a variety of information about the target's services.

15. Run a Stealth Scan (SYN Scan)

The SYN scan (`-sS`) is one of the most popular types of port scan, as it is stealthy and fast. It sends SYN packets to the target and judges each port from the reply without completing the TCP handshake. It requires raw-packet privileges (root on Unix-like systems); without them Nmap falls back to the full-connect scan (`-sT`):

 nmap -sS 192.168.1.1

This command performs a SYN scan on the target.

16. Scan Using a Specific Source IP Address

If you want to spoof the source IP address (not recommended for legal or ethical reasons unless authorized), use the `-S` option. Replies go to the spoofed address rather than to the scanner, and Nmap usually needs `-e` as well to know which interface to send on:

 nmap -S 192.168.1.100 -e eth0 192.168.1.1

17. Perform a Banner Grabbing Scan

Banner grabbing is used to obtain information about the services running on open ports. To perform banner grabbing, use the `-sV` option combined with the `--script=banner` option:

 nmap -sV --script=banner 192.168.1.1

18. Save Scan Results to a File

You can save the results of your scan to a file in different formats using the `-o` family of output options (`-oN` normal, `-oX` XML, `-oG` grepable, `-oA` all three at once). For example, to save results in XML format:

 nmap -oX scan_results.xml 192.168.1.1

To save in a text file:

 nmap -oN scan_results.txt 192.168.1.1

19. Scan a Website with HTTP Methods

You can use the `http-methods` script to test the supported HTTP methods on a web server:

 nmap --script=http-methods 192.168.1.1

This will attempt to identify the allowed HTTP methods (GET, POST, PUT, DELETE, etc.) on the target server.

20. Scan for IPv6 Hosts

Nmap can also scan IPv6 hosts. To do so, enable IPv6 mode with the `-6` option and give the IPv6 address as the target:

 nmap -6 2001:0db8:85a3:0000:0000:8a2e:0370:7334

Official documentation: https://nmap.org