Nmap Cheatsheet by Muthumohanprasath

This document provides Nmap commands for various types of scans, including TCP, SYN, Null, UDP, FIN, XMAS, ACK scans and more. It also covers host discovery scans, port scanning, service detection, OS detection, output formats, scripting, firewall bypassing, and other advanced Nmap features.

Uploaded by Shaurya Rawat

| Nmap purpose | Nmap command | Firewall bypass | Comments |
|---|---|---|---|
| Nmap TCP scan | nmap -sT -p 80,443 target_IP | | Wireshark filter for watching the scan traffic: ip.addr==ipaddress |
| Nmap SYN scan | nmap -sS -p 80,443 target_IP | Bypass firewall | Use only on non-Windows systems to bypass the firewall |
| Nmap Null scan | nmap -sN -p 80,443 target_IP | | |
| Nmap UDP scan | nmap -sU -p 80,443 target_IP | | For scanning the UDP ports |
| Nmap FIN scan | nmap -sF target_IP | | It sets the FIN flag in the TCP packet header |
| Nmap XMAS scan | nmap -sX target_IP | | Sends the packet with the FIN, URG and PUSH flags set |
| Nmap ACK scan | nmap -sA target_IP/CIDR_value or nmap -sA target_IP | | Used to determine the state of the firewall |
| Nmap Zombie scan | nmap -sI zombieIP -vv target_IP | | Used to bypass some firewall rules on the internal system scan |
| Nmap normal scan | nmap target_IP | | |
| Nmap range scan | nmap target_IP-255 | | |
| Nmap host discovery scan | nmap -sP target_subnet/24; nmap -sn target_subnet/24; netdiscover -r target_subnet/24 -I eth0; arp-scan | | |
| Nmap fast scan | nmap -F target_IP | | It scans only the top 100 ports |
| Nmap scan through a list | nmap -iL target_ip_list.txt | | |
| Nmap random IP scanning | nmap -iR 20 -vv | | This scan automatically picks 20 IP addresses from the internet and starts to scan them |
| Nmap exclude IP scan | nmap -F target_subnet/24 --exclude IP_you_wanna_exclude | | |
| Nmap exclude a list of IPs | nmap -F target_subnet/24 --excludefile file.txt | | |
| Nmap no host discovery scan | nmap -Pn target_subnet/24 -vv | Bypass the firewall based on the ICMP rule | It skips the ping scan and goes directly to the port scan |
| Nmap scan using port names and port numbers | nmap target_IP -p 22,23; nmap target_IP -p ssh,ftp | | |
| Nmap scan only for open ports | nmap target_IP -vv --open | | |
| Nmap service detection (banner grabbing) | nmap -sV target_IP -vv; nmap -sV -v -T4 target_IP; nmap -sV target_IP --version-intensity 0 | | |
| Nmap to stop the random port order | nmap -r target_IP | | It scans the target system's ports in ascending order |
| Nmap top port scan | nmap target_IP --top-ports 10 | | It only scans the top 10 ports |
| Nmap OS detection | nmap -O target_IP; nmap -O target_IP --max-os-tries 5 -vv | | |
| Nmap OS detection with some scripts | nmap -O target_IP --osscan-limit -vv | | |
| Nmap OS detection with SMB script | nmap --script smb-os-discovery target_IP | | |
| Nmap output file formats | nmap -sV -T4 -oN filename.txt (normal output); nmap -sV -T4 -oX filename.xml (XML output); nmap -sV -T4 -oA filename (all file formats) | | |
| Running the default NSE scripts against the target server | nmap target_IP --script=default | | |
| Nmap for FTP brute forcing | nmap target_IP -vv -Pn -p 9999 --script ftp-brute --script-args userdb=path_to_userdb.txt,passdb=path_to_password_db.txt | | |
| Updating the NSE script database | nmap --script updatedb -vv | | |
| Scanning the target system with wildcard NSE scripts | nmap target_system -vv --script "http-*" -p 80,443 -Pn | | |
| Nmap vulnerability scan | nmap target_IP --script vuln -vv -p- | | |
| Check for DoS vulnerability using Nmap | nmap target_IP --script=dos -vv -Pn | | It runs different scripts to detect whether the target system is vulnerable to a DoS attack or not |
| Exploit scan against the target IP | nmap target_IP --script exploit -vv -p- | | It runs all the exploit scripts that ship with Nmap against the target server |
| Check whether your target system is affected by malware | nmap target_IP --script=http-malware-host | | It checks whether the target system is affected by any known malware |
| Boolean NSE script scan | nmap target_IP --script "(vuln and exploit) and not http-*" -vv | | |
| Nmap traceroute scan | nmap target_IP --traceroute -vv | | |
| Finding the geolocation of the target system | nmap target_IP --traceroute --script=traceroute-geolocation -p 80 | | This identifies where the target system is hosted |
| Performing a DNS brute-force scan | nmap target_IP --script=dns-brute -vv | | It is used to enumerate the DNS records of the target domain |
| Whois scan for the target IP | nmap --script=whois-domain target_IP | | |
| Detecting a WAF using Nmap | nmap --script=http-waf-detect target_IP -p 80,443 -vv | | This command is used for firewall detection |
| Fingerprinting the WAF | nmap --script=http-waf-fingerprint target_IP -p 80,443 -vv | | |
| Nmap to find the firewalled ports | nmap target_IP --script=firewalk --traceroute -vv | | It finds which ports are filtered |
| Enumerating emails by spidering and grepping the target website | nmap target_IP --script=http-grep --script-args http-grep.builtins=e-mail -vv | | |
| Sitemap generation using Nmap | nmap -vv target_IP --script http-sitemap-generator -p 80 | | It gives the sitemap, which looks like the tree structure of the files presented on the pages of the target website |
| Website crawler scan | nmap --script=http-useragent-tester target_IP -vv -p 80 | | It is used to identify which HTTP crawlers are allowed to crawl the target website |
| Nmap HTTP directory scan | nmap --script=http-enum target_IP -vv -p 80 | | It tries to enumerate sensitive directories on the target webserver |
| SMTP open relay scan | nmap --script=smtp-open-relay target_IP -vv -p 25 | | It checks whether the target system is vulnerable to an SMTP open relay attack or not |
| SMTP username enumeration | nmap --script=smtp-enum-users target_IP -vv -p 25 | | It enumerates the SMTP usernames of the target server |
| SMTP password brute forcing | nmap --script smtp-brute target_IP -vv -p 25 | | It brute-forces the password for the SMTP service |
| SMTP backdoor detection scan | nmap target_IP --script=smtp-strangeport -vv | | It checks the target server's SMTP service; if SMTP is running on a port other than the default, there is a possibility of an SMTP backdoor running on that server |
| POP3 enumeration | nmap --script=pop3-capabilities target_IP -vv -p 110 | | It tells us the supported commands of the POP3 service |
| IMAP enumeration | nmap --script=imap-capabilities target_IP -vv -p 143 | | It tells us the supported commands of the IMAP service |
| Nmap decoy scan | nmap -D spoofed_ip target_IP -vv | Firewall bypassing | |
| Nmap scan with a customized interface | nmap target_IP -e eth0 -sV -Pn -vv | | We can manually select the interface to perform the scan against the target system |
| Scan with a spoofed MAC address | nmap target_IP --spoof-mac mac_address -vv -Pn | Firewall bypassing | We can spoof the MAC address while doing the scan against the target IP |
| Spoofing the source port | nmap target_IP --source-port 3555 -vv | Firewall bypassing | |
| Spoofing the TTL to confuse the target | nmap target_IP -p 80,443 -vv --ttl 64 | | By using this scan we can prevent OS detection |
| Using a proxy for scanning the system | nmap target_IP --proxies proxy:portno -vv | | |
| Nmap bogus checksum scan | nmap target_IP -vv --badsum -p 21,22,23 | | By using this scan we can learn whether the target system is behind an IDS or firewall: if the target has a firewall or IDS you will get a reply to this scan, else you will not |
| Nmap fragmentation scan | nmap target_IP -f -vv -p 21,22,23 | Firewall bypassing | Fragments the packet (basically the default TCP packet size is 16 bytes); by reducing the fragment size of the packet we can bypass firewalls. This works only on old firewalls |

Note:
Red box indicates the firewall bypassing scripts.
Blue box indicates the service-based enumeration and attack-based scripts.
Green box indicates the vulnerability scanning related scripts.
