nmap

 

Nmap Examples

Basic Nmap scanning examples, often used at the first stage of enumeration.

COMMAND	DESCRIPTION
nmap -sP 10.0.0.0/24	Ping scans the network, listing machines that respond to ping.
nmap -p 1-65535 -sV -sS -T4 target	Full TCP port scan using with service version detection - usually my first scan, I find T4 more accurate than T5 and still "pretty quick".
nmap -v -sS -A -T4 target	Prints verbose output, runs stealth syn scan, T4 timing, OS and version detection + traceroute and scripts against target services.
nmap -v -sS -A -T5 target	Prints verbose output, runs stealth syn scan, T5 timing, OS and version detection + traceroute and scripts against target services.
nmap -v -sV -O -sS -T5 target	Prints verbose output, runs stealth syn scan, T5 timing, OS and version detection.
nmap -v -p 1-65535 -sV -O -sS -T4 target	Prints verbose output, runs stealth syn scan, T4 timing, OS and version detection + full port range scan.
nmap -v -p 1-65535 -sV -O -sS -T5 target	Prints verbose output, runs stealth syn scan, T5 timing, OS and version detection + full port range scan.

Nmap scan from file

COMMAND	DESCRIPTION
nmap -iL ip-addresses.txt	Scans a list of IP addresses, you can add options before / after.

Nmap output formats

COMMAND	DESCRIPTION
nmap -sV -p 139,445 -oG grep-output.txt 10.0.1.0/24	Outputs "grepable" output to a file, in this example Netbios servers. E.g, The output file could be grepped for "Open".
nmap -sS -sV -T5 10.0.1.99 --webxml -oX - | xsltproc --output file.html -	Export nmap output to HTML report.

Nmap Netbios Examples

COMMAND	DESCRIPTION
nmap -sV -v -p 139,445 10.0.0.1/24	Find all Netbios servers on subnet
nmap -sU --script nbstat.nse -p 137 target	Nmap display Netbios name
nmap --script-args=unsafe=1 --script smb-check-vulns.nse -p 445 target	Nmap check if Netbios servers are vulnerable to MS08-067