Nmap is short for Network Mapper. It is an open source security tool for network exploration, security scanning and auditing. However, the nmap command comes with a large number of options, which can make the tool daunting for new users. The purpose of this guide is to introduce the nmap command line tool, which you can use to scan a host or a network for potential vulnerabilities. You will also learn how to use Nmap for both offensive and defensive purposes. Let us look at some common examples of nmap commands run on Linux or Unix-like systems.

 

What is Nmap and what is it used for?

From the manual page:

Nmap (Network Mapper) is an open source tool for network exploration and security auditing. It was designed to rapidly scan large networks, although it works fine against single hosts. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. While Nmap is commonly used for security audits, many systems and network administrators find it useful for routine tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime.

Originally written by Gordon Lyon, it can answer the following questions easily:

  1. What computers did you find running on the local network?
  2. What IP addresses did you find running on the local network?
  3. What is the operating system of your target machine?
  4. Find out what ports are open on the machine that you just scanned.
  5. Find out if the system is infected with malware or a virus.
  6. Find out if there are any unauthorized servers or network services on your network.
  7. Find and remove computers which do not meet the organization's minimum level of security.

Sample setup (LAB) for the Linux and Unix nmap command examples

Port scanning may be illegal in some jurisdictions, so set up a lab as follows:


Where,

  • wks01 is your computer, running either Linux/macOS (OS X) or a Unix-like operating system. It is used for scanning your local network. The nmap command must be installed on this computer.
  • server1 can be powered by Linux / Unix / MS-Windows operating systems. This is an unpatched server. Feel free to install a few services on it, such as a web server, file server, and so on.
  • server2 can be powered by Linux / Unix / MS-Windows operating systems. This is a fully patched server with a firewall. Again, feel free to install a few services on it, such as a web server, file server, and so on.
  • All three systems are connected to each other via a switch.

How do I install nmap on Linux?

See:

  1. Debian / Ubuntu Linux: Install nmap software for scanning the network
  2. CentOS / RHEL: Install nmap network security scanner
  3. OpenBSD: Install nmap network security scanner

1. Scanning a node or IP address (IPv4) with nmap

### Scan a single ip address ###
nmap 192.168.1.1
### Scan a host name ###
nmap server1.cyberciti.biz
### Scan a host name with more info ###
nmap -v server1.cyberciti.biz

Fig.01: nmap output

2. Scan multiple IP addresses or subnets (IPv4)

nmap 192.168.1.1 192.168.1.2 192.168.1.3
## works with the same subnet, i.e. 192.168.1.0/24
nmap 192.168.1.1,2,3

You can also scan a range of IP addresses:

nmap 192.168.1.1-20

You can scan a range of IP addresses using a wildcard:

nmap 192.168.1.*

Finally, scan an entire subnet:

nmap 192.168.1.0/24

3. Read host/network list from file (IPv4)

The -iL option reads the list of target systems using a text file. This is useful for scanning a large number of hosts / networks. Create a text file as follows:
cat > /tmp/test.txt
Add names, one target per line, as follows:

server1.cyberciti.biz
192.168.1.0/24
192.168.1.1/24
10.1.2.3
localhost

The syntax is as follows:

nmap -iL /tmp/test.txt

4. Excluding hosts/networks (IPv4) from nmap scan examples

When scanning a large number of hosts/networks, you can exclude hosts from the scan:

nmap 192.168.1.0/24 --exclude 192.168.1.5
nmap 192.168.1.0/24 --exclude 192.168.1.5,192.168.1.254

Or exclude the hosts listed in the file /tmp/exclude.txt:

nmap -iL /tmp/scanlist.txt --excludefile /tmp/exclude.txt

5. Turn on OS and version detection scanning script (IPv4) with nmap

nmap -A 192.168.1.254
nmap -v -A 192.168.1.1
nmap -A -iL /tmp/scanlist.txt

6. Use the nmap command to find out if a host/network is protected by a firewall

## nmap examples for your host ##
nmap -sA 192.168.1.254
nmap -sA server1.cyberciti.biz

7. Scan the host if it is protected by the firewall

In this example we are scanning the Wi-Fi router/device whose IP address is 192.168.1.1:

nmap -PN 192.168.1.1
nmap -PN server1.cyberciti.biz

8. Examples of IPv6 Host and address scanning

The -6 option enables IPv6 scanning with the nmap command. The syntax is as follows:

nmap -6 IPv6-Address-Here
nmap -6 server1.cyberciti.biz
nmap -6 2607:f0d0:1002:51::4
nmap -v -A -6 2607:f0d0:1002:51::4

9. Scan the network and find out which servers and devices are running.

This is known as host discovery or a ping scan (-sP is the older spelling of -sn; both skip the port scan):

nmap -sP 192.168.1.0/24

That’s what it looks like:

Host 192.168.1.1 is up (0.00035s latency).
MAC Address: BC:AE:C5:C3:16:93 (Unknown)
Host 192.168.1.2 is up (0.0038s latency).
MAC Address: 74:44:01:40:57:FB (Unknown)
Host 192.168.1.5 is up.
Host nas03 (192.168.1.12) is up (0.0091s latency).
MAC Address: 00:11:32:11:15:FC (Synology Incorporated)
Nmap done: 256 IP addresses (4 hosts up) scanned in 2.80 seconds
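The host-discovery scan above is the basis for one of the questions listed at the top of this page: are there any unauthorized hosts on the network? The following script is an added example, not code from the article: it reads nmap's greppable output (-oG) and an allow-list of known hosts (both file names and the function name unknown_hosts are made up for the example), and prints every live host that is not on the list. The scan output embedded in it is constructed to mimic -oG lines so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the original article): turn the section 9 host
# discovery scan into an inventory check. Every host that answers the ping
# scan but is missing from the allow-list is a candidate unauthorized device.
#
# Real use:  nmap -sn -oG - 192.168.1.0/24 | unknown_hosts - known_hosts.txt

unknown_hosts() {
    # $1 = greppable nmap output ("-" for stdin), $2 = allow-list file
    # -oG "Host:" lines look like:  Host: 192.168.1.12 (nas03)  Status: Up
    awk -v known="$2" '
        BEGIN {
            # load the allow-list: one IP per line, "#" comments allowed
            while ((getline line < known) > 0) {
                sub(/#.*/, "", line); gsub(/[ \t]/, "", line)
                if (line != "") allowed[line] = 1
            }
        }
        $1 == "Host:" && /Status: Up/ {
            if (!($2 in allowed)) print $2
        }' "$1"
}

# --- constructed sample data (not a real scan; real -oG output uses tabs,
# --- awk splits on any whitespace so spaces work the same way)
SAMPLE_SCAN='# Nmap 7.80 scan initiated as: nmap -sn -oG - 192.168.1.0/24
Host: 192.168.1.1 ()   Status: Up
Host: 192.168.1.2 ()   Status: Up
Host: 192.168.1.5 ()   Status: Up
Host: 192.168.1.12 (nas03)   Status: Up
# Nmap done -- 256 IP addresses (4 hosts up) scanned in 2.80 seconds'

# Allow-list: the router and the NAS are known; anything else is reported.
KNOWN_HOSTS='192.168.1.1   # router
192.168.1.12  # nas03'

# Run the check on the sample and return the unknown hosts, space-separated.
sample_unknown() {
    tmp_scan=$(mktemp); tmp_known=$(mktemp)
    printf '%s\n' "$SAMPLE_SCAN" > "$tmp_scan"
    printf '%s\n' "$KNOWN_HOSTS" > "$tmp_known"
    unknown_hosts "$tmp_scan" "$tmp_known" | tr '\n' ' ' | sed 's/ $//'
    rm -f "$tmp_scan" "$tmp_known"
}

sample_unknown
```

Run it from cron after the nightly discovery scan and mail the output; an empty result means every live host is accounted for.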

10. How do I perform a fast scan with nmap?

nmap -F 192.168.1.1
nmap -6 -F IPv6-Address-Here


11. Display the reason a port is in a particular state

nmap --reason 192.168.1.1
nmap --reason server1.cyberciti.biz

Sample outputs:

Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-07 21:16 IST
Nmap scan report for router (192.168.2.254)
Host is up, received arp-response (0.00026s latency).
Not shown: 995 filtered ports
Reason: 995 no-responses
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 64
53/tcp open domain syn-ack ttl 64
80/tcp open http syn-ack ttl 64
443/tcp open https syn-ack ttl 64
666/tcp open doom syn-ack ttl 64
MAC Address: 00:08:A2:0D:05:41 (ADI Engineering)
Nmap done: 1 IP address (1 host up) scanned in 4.85 seconds
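The report above shows a port (666/tcp, "doom") that a router has no business listening on. As an added example that is not part of the original article, the script below audits a saved nmap report against a baseline of expected open ports, so that a new listener shows up on the next routine scan; the function name unexpected_ports and the file names are made up for the example, and the report it parses is a constructed copy of the section 11 output.

```shell
#!/bin/sh
# Added example (not from the original article): compare the open ports in
# an nmap normal-format report (the text nmap prints, or what -oN saves to
# a file, see section 29) with a baseline and print everything extra.
#
# Real use:  nmap --reason -oN router.txt 192.168.2.254
#            unexpected_ports router.txt "22/tcp 53/tcp 80/tcp 443/tcp"

unexpected_ports() {
    # $1 = nmap normal-output file, $2 = space-separated baseline ports
    awk -v baseline="$2" '
        BEGIN { n = split(baseline, b, " "); for (i = 1; i <= n; i++) ok[b[i]] = 1 }
        # port-table rows look like "666/tcp open doom syn-ack ttl 64":
        # $1 is port/proto, $2 is the state, $3 the guessed service.
        # "open|filtered" (typical for UDP) is also reported, since it may be open.
        $1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 ~ /^open/ {
            if (!($1 in ok)) print $1, $3
        }' "$1"
}

# --- constructed sample report, modelled on the section 11 output above ---
SAMPLE_REPORT='Nmap scan report for router (192.168.2.254)
Host is up, received arp-response (0.00026s latency).
Not shown: 995 filtered ports
Reason: 995 no-responses
PORT    STATE SERVICE REASON
22/tcp  open  ssh     syn-ack ttl 64
53/tcp  open  domain  syn-ack ttl 64
80/tcp  open  http    syn-ack ttl 64
443/tcp open  https   syn-ack ttl 64
666/tcp open  doom    syn-ack ttl 64
MAC Address: 00:08:A2:0D:05:41 (ADI Engineering)'

# Baseline for the router: only SSH, DNS and the web UI are expected.
ROUTER_BASELINE="22/tcp 53/tcp 80/tcp 443/tcp"

# Run the audit on the sample report and return the unexpected ports.
sample_unexpected() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_REPORT" > "$tmp"
    unexpected_ports "$tmp" "$ROUTER_BASELINE"
    rm -f "$tmp"
}

sample_unexpected
```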

12. Show only open (or possibly open) ports using the nmap command in Linux.


nmap --open 192.168.1.1
nmap --open server1.cyberciti.biz
nmap --open 192.168.2.18

Scan output from my Linux CentOS 7 server:

Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-07 21:17 IST
Nmap scan report for centos7 (192.168.2.18)
Host is up (0.00015s latency).
Not shown: 998 filtered ports, 1 closed port
Some closed ports may be reported as filtered due to –defeat-rst-ratelimit
PORT STATE SERVICE
22/tcp open ssh
MAC Address: 00:01:C0:1B:28:7E (CompuLab)
Nmap done: 1 IP address (1 host up) scanned in 5.07 seconds

13. Show all packets sent and received

nmap --packet-trace 192.168.1.1
nmap --packet-trace server1.cyberciti.biz

14. Show host interfaces and routes

This is useful for debugging (it gives ip command, route command or netstat command like output from nmap on Linux):

nmap --iflist

Sample outputs from the nmap command:

Starting Nmap 5.00 ( http://nmap.org ) at 2012-11-27 02:01 IST
************************INTERFACES************************
DEV (SHORT) IP/MASK TYPE UP MAC
lo (lo) 127.0.0.1/8 loopback up
eth0 (eth0) 192.168.1.5/24 ethernet up B8:AC:6F:65:31:E5
vmnet1 (vmnet1) 192.168.121.1/24 ethernet up 00:50:56:C0:00:01
vmnet8 (vmnet8) 192.168.179.1/24 ethernet up 00:50:56:C0:00:08
ppp0 (ppp0) 10.1.19.69/32 point2point up
**************************ROUTES**************************
DST/MASK DEV GATEWAY
10.0.31.178/32 ppp0
209.133.67.35/32 eth0 192.168.1.2
192.168.1.0/0 eth0
192.168.121.0/0 vmnet1
192.168.179.0/0 vmnet8
169.254.0.0/0 eth0
10.0.0.0/0 ppp0
0.0.0.0/0 eth0 192.168.1.2

15. How do I scan specific ports with nmap?

nmap -p [port] hostName
## Scan port 80
nmap -p 80 192.168.1.1
## Scan TCP port 80
nmap -p T:80 192.168.1.1
## Scan UDP port 53
nmap -p U:53 192.168.1.1
## Scan two ports ##
nmap -p 80,443 192.168.1.1
## Scan port ranges ##
nmap -p 80-200 192.168.1.1
## Combine all options ##
nmap -p U:53,111,137,T:21-25,80,139,8080 192.168.1.1
nmap -p U:53,111,137,T:21-25,80,139,8080 server1.cyberciti.biz
nmap -v -sU -sT -p U:53,111,137,T:21-25,80,139,8080 192.168.1.254
## Scan all ports with * wildcard ##
nmap -p "*" 192.168.1.1
## Scan top ports i.e. scan $number most common ports ##
nmap --top-ports 5 192.168.1.1
nmap --top-ports 10 192.168.1.1

Sample outputs:

Starting Nmap 5.00 ( http://nmap.org ) at 2012-11-27 01:23 IST
Interesting ports on 192.168.1.1:
PORT STATE SERVICE
21/tcp closed ftp
22/tcp open ssh
23/tcp closed telnet
25/tcp closed smtp
80/tcp open http
110/tcp closed pop3
139/tcp closed netbios-ssn
443/tcp closed https
445/tcp closed microsoft-ds
3389/tcp closed ms-term-serv
MAC Address: BC:AE:C5:C3:16:93 (Unknown)
Nmap done: 1 IP address (1 host up) scanned in 0.51 seconds

16. The fastest way to scan all your devices/computers for open ports

nmap -T5 192.168.1.0/24
nmap -T5 {sub/net}

17. How do I detect a remote operating system with nmap?

You can identify a remote host's applications and operating system using the -O option:

nmap -O 192.168.1.1
nmap -O --osscan-guess 192.168.1.1
nmap -v -O --osscan-guess 192.168.1.1

Sample outputs:

Starting Nmap 5.00 ( http://nmap.org ) at 2012-11-27 01:29 IST
NSE: Loaded 0 scripts for scanning.
Initiating ARP Ping Scan at 01:29
Scanning 192.168.1.1 [1 port]
Completed ARP Ping Scan at 01:29, 0.01s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 01:29
Completed Parallel DNS resolution of 1 host. at 01:29
Initiating SYN Stealth Scan at 01:29
Scanning 192.168.1.1 [1000 ports]
Discovered open port 80/tcp on 192.168.1.1
Discovered open port 22/tcp on 192.168.1.1
Completed SYN Stealth Scan at 01:29, 0.16s elapsed (1000 total ports)
Initiating OS detection (try #1) against 192.168.1.1
Retrying OS detection (try #2) against 192.168.1.1
Retrying OS detection (try #3) against 192.168.1.1
Retrying OS detection (try #4) against 192.168.1.1
Retrying OS detection (try #5) against 192.168.1.1
Host 192.168.1.1 is up (0.00049s latency).
Interesting ports on 192.168.1.1:
Not shown: 998 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: BC:AE:C5:C3:16:93 (Unknown)
Device type: WAP|general purpose|router|printer|broadband router
Running (JUST GUESSING) : Linksys Linux 2.4.X (95%), Linux 2.4.X|2.6.X (94%), MikroTik RouterOS 3.X (92%), Lexmark embedded (90%), Enterasys embedded (89%), D-Link Linux 2.4.X (89%), Netgear Linux 2.4.X (89%)
Aggressive OS guesses: OpenWrt White Russian 0.9 (Linux 2.4.30) (95%), OpenWrt 0.9 - 7.09 (Linux 2.4.30 - 2.4.34) (94%), OpenWrt Kamikaze 7.09 (Linux 2.6.22) (94%), Linux 2.4.21 - 2.4.31 (likely embedded) (92%), Linux 2.6.15 - 2.6.23 (embedded) (92%), Linux 2.6.15 - 2.6.24 (92%), MikroTik RouterOS 3.0beta5 (92%), MikroTik RouterOS 3.17 (92%), Linux 2.6.24 (91%), Linux 2.6.22 (90%)
No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=5.00%D=11/27%OT=22%CT=1%CU=30609%PV=Y%DS=1%G=Y%M=BCAEC5%TM=50B3CA
OS:4B%P=x86_64-unknown-linux-gnu)SEQ(SP=C8%GCD=1%ISR=CB%TI=Z%CI=Z%II=I%TS=7
OS:)OPS(O1=M2300ST11NW2%O2=M2300ST11NW2%O3=M2300NNT11NW2%O4=M2300ST11NW2%O5
OS:=M2300ST11NW2%O6=M2300ST11)WIN(W1=45E8%W2=45E8%W3=45E8%W4=45E8%W5=45E8%W
OS:6=45E8)ECN(R=Y%DF=Y%T=40%W=4600%O=M2300NNSNW2%CC=N%Q=)T1(R=Y%DF=Y%T=40%S
OS:=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%R
OS:D=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=
OS:0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=N)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID
OS:=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)
Uptime guess: 12.990 days (since Wed Nov 14 01:44:40 2012)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=200 (Good luck!)
IP ID Sequence Generation: All zeros
Read data files from: /usr/share/nmap
OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.38 seconds
           Raw packets sent: 1126 (53.832KB) | Rcvd: 1066 (46.100KB)

See also: fingerprinting a web server and a DNS server with command line tools, for more information.

18. How do you determine the version numbers of remote services (server / daemon)?

Open the terminal and type the following nmap command:

nmap -sV 192.168.1.1

Sample outputs:

Starting Nmap 5.00 ( http://nmap.org ) at 2012-11-27 01:34 IST
Interesting ports on 192.168.1.1:
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     Dropbear sshd 0.52 (protocol 2.0)
80/tcp open  http?
1 service unrecognized despite returning data.

19. Scan a host using TCP ACK (PA) and TCP SYN (PS) ping

If the firewall is blocking standard ICMP pings, try the following host discovery methods (the port list is attached directly to the option, with no space):

nmap -PS 192.168.1.1
nmap -PS80,21,443 192.168.1.1
nmap -PA 192.168.1.1
nmap -PA80,21,200-512 192.168.1.1

20. Scan a host using IP protocol ping

nmap -PO 192.168.1.1

21. Scan the host with UDP-ping

This scan bypasses firewalls and filters that only screen TCP:

nmap -PU 192.168.1.1
nmap -PU2000,2001 192.168.1.1

22. Determine the most commonly used TCP ports with TCP SYN scan

### Stealthy scan ###
nmap -sS 192.168.1.1
### Find out the most commonly used TCP ports using TCP connect scan (warning: no stealth scan)
### OS Fingerprinting ###
nmap -sT 192.168.1.1
### Find out the most commonly used TCP ports using TCP ACK scan
nmap -sA 192.168.1.1
### Find out the most commonly used TCP ports using TCP Window scan
nmap -sW 192.168.1.1
### Find out the most commonly used TCP ports using TCP Maimon scan
nmap -sM 192.168.1.1

23. Host scan for UDP services (UDP scan)

Most popular services on the Internet use the TCP protocol. DNS, SNMP and DHCP are the three most common UDP services. Use the following syntax to get information about UDP services:

nmap -sU nas03
nmap -sU 192.168.1.1

Sample outputs:

Starting Nmap 5.00 ( http://nmap.org ) at 2012-11-27 00:52 IST
Stats: 0:05:29 elapsed; 0 hosts completed (1 up), 1 undergoing UDP Scan
UDP Scan Timing: About 32.49% done; ETC: 01:09 (0:11:26 remaining)
Interesting ports on nas03 (192.168.1.12):
Not shown: 995 closed ports
PORT STATE SERVICE
111/udp open|filtered rpcbind
123/udp open|filtered ntp
161/udp open|filtered snmp
2049/udp open|filtered nfs
5353/udp open|filtered zeroconf
MAC Address: 00:11:32:11:15:FC (Synology Incorporated)
Nmap done: 1 IP address (1 host up) scanned in 1099.55 seconds

24. Scan for IP protocols

This type of scan lets you determine which IP protocols (TCP, ICMP, IGMP, etc.) are supported by the target machines:

nmap -sO 192.168.1.1

25. Scan a firewall for security weaknesses

The following scan types exploit a subtle loophole in TCP and are good for testing a firewall's handling of common attacks:

## TCP Null Scan to fool a firewall to generate a response ##
## Does not set any bits (TCP flag header is 0) ##
nmap -sN 192.168.1.254
## TCP Fin scan to check firewall ##
## Sets just the TCP FIN bit ##
nmap -sF 192.168.1.254
## TCP Xmas scan to check firewall ##
## Sets the FIN, PSH, and URG flags, lighting the packet up like a Christmas tree ##
nmap -sX 192.168.1.254

See how to block Xmas packets, SYN floods and other conman attacks with iptables.

26. Scan a firewall with fragmented packets

The -f option causes the requested scan (including ping scans) to use tiny fragmented IP packets. The idea is to split up the TCP header over several packets to make it harder for packet filters, intrusion detection systems, and other annoyances to detect what you are doing.

nmap -f 192.168.1.1
nmap -f fw2.nixcraft.net.in
## -ff uses 16-byte fragments instead of 8-byte ones (-f takes no numeric argument)
nmap -ff fw2.nixcraft.net.in

## Set your own fragment size with the --mtu option (must be a multiple of 8) ##
nmap --mtu 32 192.168.1.1

27. Cloak a scan with decoys

The -D option makes it appear to the remote host that the host(s) you specify as decoys are scanning the target network too. Thus their IDS might report 5-10 port scans from unique IP addresses, but they will not know which IP was actually scanning them and which were innocent decoys:

nmap -n -Ddecoy-ip1,decoy-ip2,your-own-ip,decoy-ip3,decoy-ip4 remote-host-ip
nmap -n -D192.168.1.5,10.5.1.2,172.1.2.4,3.4.2.1 192.168.1.5

28. Scan a firewall with MAC address spoofing

### Spoof your MAC address ###
nmap --spoof-mac MAC-ADDRESS-HERE 192.168.1.1
### Add other options ###
nmap -v -sT -PN --spoof-mac MAC-ADDRESS-HERE 192.168.1.1
### Use a random MAC address ###
### The number 0 means nmap chooses a completely random MAC address ###
nmap -v -sT -PN --spoof-mac 0 192.168.1.1

29. How do I save the output to a text file?

The syntax is as follows:

nmap 192.168.1.1 > output.txt
nmap -oN /path/to/filename 192.168.1.1
nmap -oN output.txt 192.168.1.1

30. Scan a web server and pipe the output to Nikto for scanning

nmap -p80 192.168.1.2/24 -oG - | /path/to/nikto.pl -h -
nmap -p80,443 192.168.1.2/24 -oG - | /path/to/nikto.pl -h -

31. Speed up nmap

Pass the -T option to the nmap command:
nmap -v -sS -A -T4 192.168.2.5
Sample outputs:

Starting Nmap 7.40 ( https://nmap.org ) at 2017-05-15 01:52 IST
NSE: Loaded 143 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 01:52
Completed NSE at 01:52, 0.00s elapsed
Initiating NSE at 01:52
Completed NSE at 01:52, 0.00s elapsed
Initiating ARP Ping Scan at 01:52
Scanning 192.168.2.15 [1 port]
Completed ARP Ping Scan at 01:52, 0.01s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 01:52
Scanning dellm6700 (192.168.2.15) [1000 ports]
Discovered open port 5900/tcp on 192.168.2.15
Discovered open port 80/tcp on 192.168.2.15
Discovered open port 22/tcp on 192.168.2.15
Completed SYN Stealth Scan at 01:53, 4.62s elapsed (1000 total ports)
Initiating Service scan at 01:53
Scanning 3 services on dellm6700 (192.168.2.15)
Completed Service scan at 01:53, 6.01s elapsed (3 services on 1 host)
Initiating OS detection (try #1) against dellm6700 (192.168.2.15)
Retrying OS detection (try #2) against dellm6700 (192.168.2.15)
NSE: Script scanning 192.168.2.15.
Initiating NSE at 01:53
Completed NSE at 01:53, 30.02s elapsed
Initiating NSE at 01:53
Completed NSE at 01:53, 0.00s elapsed
Nmap scan report for dellm6700 (192.168.2.15)
Host is up (0.00044s latency).
Not shown: 996 filtered ports
PORT     STATE  SERVICE VERSION
22/tcp   open   ssh     (protocol 2.0)
| fingerprint-strings:
|   NULL:
|_    SSH-2.0-OpenSSH_7.4p1 Ubuntu-10
| ssh-hostkey:
|   2048 1d:14:84:f0:c7:21:10:0e:30:d9:f9:59:6b:c3:95:97 (RSA)
|_  256 dc:59:c6:6e:33:f2:d2:5d:9b:fd:b4:9c:52:c1:0a (ECDSA)
80/tcp   open   http    nginx 1.10.0 (Ubuntu)
| http-methods:
|_  Supported Methods: HEAD
|_http-server-header: nginx/1.10.0 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
443/tcp  closed https
5900/tcp open   vnc     VNC (protocol 3.7)
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port22-TCP:V=7.40%I=7%D=5/15%Time=5918BCAA%P=x86_64-apple-darwin16.3.0%
SF:r(NULL,20,"SSH-2\.0-OpenSSH_7\.4p1\x20Ubuntu-10\n");
MAC Address: F0:1F:AF:1F:2C:60 (Dell)
Device type: general purpose
Running (JUST GUESSING): Linux 3.X|4.X|2.6.X (95%), OpenBSD 4.X (85%)
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:2.6.32 cpe:/o:openbsd:openbsd:4.0
Aggressive OS guesses: Linux 3.11 - 4.1 (95%), Linux 4.4 (95%), Linux 3.13 (92%), Linux 4.0 (90%), Linux 2.6.32 or 3.10 (89%), Linux 3.2 - 3.8 (89%), Linux 3.10 - 3.12 (88%), Linux 2.6.32 - 2.6.33 (87%), Linux 2.6.32 - 2.6.35 (87%)
No exact OS matches for host (test conditions non-ideal).
Uptime guess: 0.000 days (since Mon May 15 01:53:08 2017)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=252 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.44 ms dellm6700 (192.168.2.15)

NSE: Script Post-scanning.
Initiating NSE at 01:53
Completed NSE at 01:53, 0.00s elapsed
Initiating NSE at 01:53
Completed NSE at 01:53, 0.00s elapsed
Read data files from: /usr/local/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 46.02 seconds
           Raw packets sent: 2075 (95.016KB) | Rcvd: 50 (3.084KB)

32. Not a fan of the Nmap command line tool?

So far we have seen examples of Nmap commands with Linux and Unix command line options. However, not everyone is comfortable with the CLI. In that case you can use the graphical front-end called Zenmap, which is the official GUI for the Nmap network mapper:

Zenmap is the official Nmap Security Scanner GUI. It is a multi-platform (Linux, Windows, Mac OS X, BSD, etc.) free and open source application which aims to make Nmap easy for beginners to use while providing advanced features for experienced Nmap users. Frequently used scans can be saved as profiles to make them easy to run repeatedly. A command creator allows interactive creation of Nmap command lines. Scan results can be saved and viewed later. Saved scan results can be compared with one another to see how they differ. The results of recent scans are stored in a searchable database.

You can install zenmap using the following apt-get command or apt command:
$ sudo apt-get install zenmap
Sample outputs:

[sudo] password for vivek:
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
  zenmap
0 upgraded, 1 newly installed, 0 to remove and 11 not upgraded.
Need to get 616 kB of archives.
After this operation, 1,827 kB of additional disk space will be used.
Get:1 http://debian.osuosl.org/debian/ squeeze/main zenmap amd64 5.00-3 [616 kB]
Fetched 616 kB in 3s (199 kB/s)
Selecting previously unselected package zenmap.
(Reading database ... 281105 files and directories currently installed.)
Unpacking zenmap (from .../zenmap_5.00-3_amd64.deb) ...
Processing triggers for desktop-file-utils ...
Processing triggers for gnome-menus ...
Processing triggers for man-db ...
Setting up zenmap (5.00-3) ...
Processing triggers for python-central ...

Type the following command to start zenmap:
$ sudo zenmap
Sample outputs:
Fig.02: Zenmap in action

How do you detect and block port scans on Linux and Unix/BSD servers?

See the following resources:

  1. How to use the psad tool to detect and block port scan attacks in real time.
  2. Debian / Ubuntu Linux: Install and configure the Shoreline firewall.
  3. CentOS / Redhat iptables firewall configuration tutorial.
  4. Linux: 20 iptables examples for new sysadmins.
  5. 20 Linux server hardening security tips.

Conclusion

In this tutorial, you learned about the nmap command with many examples for Linux, and how to use it with different options.

The nmap command has many more options. See the nmap home page or its documentation for more information. What are your favorite nmap command line tricks? Share your tips, tricks and advice in the comments below.


Posted by: Vivek Gite

The author is the creator of nixCraft and a seasoned sysadmin, DevOps engineer, and trainer for the Linux operating system and Unix shell scripting. Get the latest tutorials on SysAdmin, Linux/Unix and open source topics via the RSS/XML feed or the weekly email newsletter.