
NMAP Commands

The document provides an overview of Nmap, a command-line tool for network exploration and security auditing, detailing its key features such as network mapping, port scanning, and vulnerability scanning. It lists various Nmap commands along with their descriptions and outputs, demonstrating how to perform tasks like OS detection, service detection, and firewall evasion. Additionally, it includes examples of specific commands for scanning IP addresses, ports, and networks.

Uploaded by

Gokul Raj S

Ethical Hacking Laboratory

Ex. No: 02
Nmap Commands
1. Introduction:
Nmap is a command-line tool for network exploration and security auditing (used here on Linux). It is used by hackers and cybersecurity enthusiasts as well as by network and system administrators. It is used for the following purposes:
• Real-time information about a network
• Detailed information about all the IP addresses active on your network
• The number of open ports on a network
• A list of live hosts
• Port, OS and host scanning

2. Key Features and Uses:

• Network Mapping: Visualizing the structure of a network and identifying connected devices.
• Port Scanning: Discovering open ports and the services running on them.
• Vulnerability Scanning: Identifying potential security weaknesses in systems and applications.
• OS Detection: Determining the operating system and version of target hosts.
• Service and Version Detection: Identifying the applications and their versions running on open ports.
• Firewall and IDS Evasion: Employing techniques to bypass security measures.
• Network Inventory: Keeping track of devices and services on a network.
• Security Auditing: Evaluating the security posture of a network and its components.

3. Top Nmap Commands

• Port scanning
• UDP scan
• Exclude hosts
• OS detection
• Scan multiple hosts
• Aggressive scan
• Display open ports
• IP protocol scan
• Nmap ping scan
• Service detection
• Verbose output
• Detect vulnerabilities
• Find nmap version
• Host discovery
• List all hosts on a network
• Nmap commands for port selection
• Perform a TCP connect scan
• Port range
• Scan a subnet
• Timing options
Example:

Before scanning, run ip a s to display the network interface parameters (addresses and state) of the scanning machine, so you know which interface and subnet you are working from. The commands below are case-sensitive on Linux: the binary is nmap, not Nmap, and scans that need raw sockets (-sS, -sU, -sA, -O) are run with sudo.

1. nmap <domain>
   Scans a system given its hostname or IP address. First, scan using the hostname.

2. nmap 10.0.2.15
   The same scan by IP address. The nmap command allows scanning a system in the various ways shown in the following entries.

3. nmap -v <domain>
   Verbose output: prints more detailed information about the remote machine while the scan runs.

4. nmap <host1> <host2> ...
   Scans multiple hosts given on one command line.

5. nmap 10.0.2.*
   Scans the whole subnet; the wildcard stands for the last octet, so every address in 10.0.2.0/24 is scanned.

6. nmap 10.0.2.1-20
   We can specify a range of IP addresses. This command will scan every address from 10.0.2.1 to 10.0.2.20.

7. sudo nmap -sA 10.0.2.15
   Detecting firewall settings can be useful during penetration testing and vulnerability scans. To detect them we use the -sA option (TCP ACK scan). It reports each port as filtered or unfiltered, which tells you whether a firewall is active on the host; it does not tell you whether a port is open.

8. nmap -sL 10.0.2.15
   We use the -sL option (list scan) to list the targets and find their hostnames by completing a reverse DNS query for each one, without sending probes to the hosts. In addition, the -n option skips DNS resolution, while the -R option always resolves DNS.

9. nmap -iL input.txt
   If we have a long list of addresses to scan, we can import a file directly through the command line, one target per line. It will produce a scan for each of the given IP addresses.

10. nmap -h
    We use the -h option if we have any questions about nmap or any of its commands. It shows the help section for nmap, including information about the available flags.

11. sudo nmap -sS drngpit.ac.in
    Here the -sS flag is used for a TCP SYN scan, which is a stealthy and efficient method of scanning for open ports on a target system because the TCP handshake is never completed. It needs raw-socket privileges, hence sudo.

12. nmap -sS <Domain Name> -oG <file-path>
    Here the -oG flag is used to store the nmap result in a specific file, in grepable format.

13. sudo nmap -sU <Domain Name>
    The -sU flag performs a UDP scan, which allows the user to discover open UDP ports and services on a target system.

14. nmap -sn <Domain Name>
    The -sn flag performs a ping scan (host discovery only), which sends ICMP requests to a target host or network to determine whether hosts are up, without port-scanning them.

15. nmap -p 80,443,21 <Domain Name>
    The -p flag scans a specific port or list of ports; the ports are separated by commas, not spaces. (In our case it will scan ports 80, 443 and 21.)

16. nmap -p 1-80 <Domain Name>
    We can also specify a range of ports to scan. (In this case it will scan all the ports in the range 1 to 80.)

17. nmap -A <Domain Name>
    Here -A indicates an aggressive scan. It gives us extra information by enabling OS detection (-O), version detection (-sV), script scanning (-sC) and traceroute (--traceroute), and so provides a lot of valuable information about the host.

18. nmap --traceroute <Domain Name>
    Traces the network path (hops) to the target. Using this we can discover the target's hosting service or identify additional hosts on the path, according to our needs.

19. nmap -O <Domain Name>
    OS detection: fingerprints the target's TCP/IP stack and reports the most likely operating system running at the domain or IP address, with a confidence level. It does not display the exact operating system on the computer; the command only guesses the running operating system (OS) of the host.

20. nmap -F target.com
    Fast scan: checks fewer ports than the default scan, trading coverage for speed.

21. dig -x 10.0.2.15
    The dig command (short for Domain Information Groper) is a powerful DNS lookup tool used to query DNS name servers and troubleshoot DNS-related issues; -x performs a reverse lookup of an IP address.

22. whois 10.0.2.15
    Looks up the registration (WHOIS) record for the address.

23. traceroute 10.0.2.15
    Traceroute to the target.

24. nmap -sP 10.0.0.0/16
    Ping-scans a network range given in CIDR notation (-sP is the older name for -sn).

25. Querying individual DNS record types with dig:
    dig example.com MX      # Mail exchange records
    dig example.com NS      # Name servers
    dig example.com TXT     # Text records (SPF, DKIM, etc.)
    dig example.com AAAA    # IPv6 address
    dig example.com CNAME   # Canonical name (alias)
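The -oG output saved in entry 12 is what makes the Network Inventory and Security Auditing uses from section 2 practical: a saved grepable file can be compared against the list of services each host is expected to run. The script below is an added example, not part of the lab sheet or of Nmap itself. The scan output, hostnames, services and baseline allowlist are all constructed for the example; the parsing follows the grepable format's documented layout (tab-separated fields, port entries of the form port/state/proto/owner/service/rpc/version/).

```shell
#!/bin/sh
# Added example, not part of the lab sheet: turn "nmap -oG" (grepable) output
# into a host/port inventory and flag open ports missing from an allowlist.
# Works with any POSIX sh and awk.

# Constructed sample in the shape "nmap -sS -oG scan.gnmap 10.0.2.0/24" writes
# (hosts, services and the banner string are made up for this example).
# Grepable fields are separated by tabs, supplied here with printf's \t.
sample_gnmap() {
    printf '%s\n' '# Nmap 7.94 scan initiated Mon Jan  1 10:00:00 2024 as: nmap -sS -oG scan.gnmap 10.0.2.0/24'
    printf 'Host: 10.0.2.15 (webserver.lab)\tStatus: Up\n'
    printf 'Host: 10.0.2.15 (webserver.lab)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 80/open/tcp//http//nginx/, 3306/open/tcp//mysql///\tIgnored State: closed (997)\n'
    printf 'Host: 10.0.2.20 ()\tStatus: Up\n'
    printf 'Host: 10.0.2.20 ()\tPorts: 443/open/tcp//https///, 8080/filtered/tcp//http-proxy///\tIgnored State: closed (998)\n'
    printf '%s\n' '# Nmap done at Mon Jan  1 10:00:05 2024 -- 256 IP addresses (2 hosts up) scanned in 5.12 seconds'
}

# Print one line per open port: "<ip> <port>/<proto> <service>".
# Each entry in the Ports field is port/state/proto/owner/service/rpc/version/;
# filtered and closed entries are dropped so only live services remain.
open_ports() {
    awk -F'\t' '
        /^Host: / && $2 ~ /^Ports: / {
            split($1, h, " "); ip = h[2]
            sub(/^Ports: /, "", $2)
            n = split($2, entries, ", ")
            for (i = 1; i <= n; i++) {
                split(entries[i], f, "/")
                if (f[2] == "open") printf "%s %s/%s %s\n", ip, f[1], f[3], f[5]
            }
        }'
}

# Read open_ports lines on stdin; print those whose "<ip> <port>/<proto>" is
# not listed in the allowlist file given as $1 (one "ip port/proto" per line).
unexpected_ports() {
    awk -v allow="$1" '
        BEGIN { while ((getline line < allow) > 0) ok[line] = 1 }
        { key = $1 " " $2; if (!(key in ok)) print }'
}

# Usage: the allowlist is the expected service baseline for the lab hosts
# (constructed for this example).
baseline=$(mktemp)
printf '%s\n' '10.0.2.15 22/tcp' '10.0.2.15 80/tcp' '10.0.2.20 443/tcp' > "$baseline"
echo "Open ports:"
sample_gnmap | open_ports
echo "Not in baseline:"
sample_gnmap | open_ports | unexpected_ports "$baseline"   # 10.0.2.15 3306/tcp mysql
rm -f "$baseline"
```

On a real scan, replace sample_gnmap with `cat scan.gnmap`; the MySQL port on the web server is the kind of unexpected listener a periodic inventory scan is meant to surface, while the filtered 8080 entry is correctly left out because no service answered there.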
