30 Nmap Examples


This instructional presentations 30 Nmap utilization examples, associated with topics which have been defined in earlier articles revealed at Linux Hint.

Examples come with from host discovery to vulnerability audit, community diagnostics and extra. Most of them had been produced in actual or simulated eventualities making them actual treasured for community directors or scholars.

Implementing the examples described on this instructional is beautiful easy, as operating a command.

All topics lined on this article come with:

NOTE: Last replace of this instructional used to be in October 2021.

Ping Sweep with Nmap

Ping sweep is a method used to find reside hosts inside of a community or vary.

Nmap ping sweep examples had been deeply defined at Nmap ping sweep.

To execute ping sweep the usage of Nmap, you want to put in force the -sP or -sn choices, which instruct Nmap to steer clear of port scan after discovery.

In the next instance, a wildcard is carried out to instruct Nmap to find all on-line C magnificence community hosts or gadgets.

In the former instance, Nmap best confirms the host is alive with out scanning the objective. The reverse will be the -Pn possibility, which instructs Nmap to start out the scan with out checking if the host is alive.

At the tip, it’ll print the full choice of reside hosts as proven within the screenshot under.

As you’ll be able to see, from 239 scanned addresses, 10 had been on-line gadgets.

Defining Ports with Nmap Using the -p Flag

Defining a port to scan with Nmap is beautiful simple, simply upload the flag -p adopted through the port, or ports separated through commas as proven within the screenshot under.

nmap -p 80,22,139,21,23 192.168.0.*

In the next instance the port vary is outlined with a hyphen to scan Linux Hint port vary from 22 to 80:

nmap -p 2280 linuxhint.com

The following instance presentations Nmap scanning two other port levels separated through commas.

nmap -p 2080,100600

There are some ways to specify ports to scan the usage of Nmap. We have revealed an educational appearing alternative ways to scan all ports the usage of Nmap. One of those the way to scan all ports on a goal calls for the implementation of the -p- possibility as proven within the following instance.

The ultimate instance of this segment presentations an ARP scan performed thru Nping, a part of the Nmap suite, which inherited Nmap flags to customise ARP scans.

nping –arp-type ARP

As you notice, Nping identifies each and every IP with the right kind MAC cope with.

Nmap FIN Scan Example

The subsequent instance is an competitive FIN scan in opposition to a port vary.

nmap -sF -T4

This is an instance of an insane FIN scan in opposition to a unmarried tool:

To finish FIN scan examples, let’s do a much less competitive scan in opposition to a metasploit digital tool.

nmap -sF -T2

Nmap NULL Scan Example

The following instance presentations a NULL scan in opposition to linuxhint.com port 80. Remember Nmap NULL, Xmas and FIN scans can’t distinguish between open and filtered ports, in lots of eventualities.

sudo nmap -v -sN -p 80 linuxhint.com

Now, let’s check out an insane scan in opposition to a router.

nmap -sN -T5

Usually NULL, Xmas and FIN scans can’t distinguish between filtered and open ports when the port is open, the following instance contains the -sV technique to lend a hand it distinguish, however including this selection leads to a much less stealthy scan:

nmap -sN -T2 -sV -p80,22,21,139

Nmap Xmas Scan Example

The Xmas scan with Nmap used to be deeply defined on this article.

Below, you’ll be able to see an instance of an competitive Xmas scan in opposition to the objective

nmap -sX -T4

Now, a much less competitive Xmas scan in opposition to port 80 and 22.

nmap -sX -T2 -p80,22

The following instance is very similar to the above, however contains stage 2 verbosity:

nmap -sX -T2 -v2  -p80,22

As you’ll be able to see, the remaining output unearths more information than the former output.

Update Scripts Database

Nmap comprises a collection of scripts with further functionalities. This suite is referred to as Nmap NSE.

Before the usage of the Nmap NSE replace the database through operating the command under.

Once up to date, you’ll be able to continue with Nmap NSE.

Get Devices OS, Workgroup, Domain, Device Name Over SMB Protocol

The following instance makes use of the NSE script –script smb-os-discovery (https://nmap.org/nsedoc/scripts/smb-os-discovery.html) in opposition to complete remaining 2 octets of the community 172.31.X.X

nmap -p 445 –script smb-os-discovery 172.31.*.*

As you’ll be able to see within the screenshot under, the primary conceivable inclined goal used to be one.

The screenshot under unearths a brand new inclined goal used to be discovered.

Two Windows XP computer systems had been discovered, nice applicants for a Idle scan which might be defined later under on this instructional.

Finding Zombie for Idle Scan

The following instance presentations the way to seek for a zombie candidate to execute an Idle scan through scanning the remaining octet of the ten.100.100.X community through the usage of the NSE script ipidseq (https://nmap.org/nsedoc/scripts/ipidseq.html).

nmap -p80 –script ipidseq 10.100.100.*

Another solution to in finding possible zombie applicants for Idle scans:

nmap -Pn -O -v

Executing an Idle Scan

Running an Idle scan the usage of a candidate discovered within the earlier step.

nmap -Pn  -sI -p80,21,22,443

Another Idle scan the usage of the similar candidate in opposition to a gateway:

nmap -Pn -sI -p80,21,22,443

An Idle scan in opposition to the FTP of a router the usage of a Windows 98 virtualized tool:

nmap -Pn -sI -p21

Scanning Ranges for Vulnerabilities

The following instance presentations the wildcard implementation to scan a complete octet’s vary.

nmap -v –script vuln  172.31.100.*

Below, you’ll be able to see an output pattern.

Scanning for smb-vuln-ms08-067 Vulnerability

The following scan makes use of the NSE script smb-vuln-ms08-067 (https://nmap.org/nsedoc/scripts/smb-vuln-ms08-067.html) to seek for a far flung execution vulnerability on two remaining octets of the community through enforcing the wildcard two times.

nmap -p445 –script smb-vuln-ms08-067 172.31.*.*

Brute Force Against SSH with Nmap NSE

Nmap NSE (Nmap Scripting Engine) used to be deeply lined within the Nmap NSE instructional. This instance presentations the way to use the Nmap scripting engine to bruteforce the objective ssh.

For this assault we will be able to use the NSE script named ssh-brute.nse.

nmap –script ssh-brute.nse

As you’ll be able to see, NSE will learn a listing together with username and password pairs. Of direction, you’ll be able to supply NSE your customized record.


I am hoping all Nmap examples proven on this instructional had been helpful to you. Nmap is most certainly the most efficient community scanner out there. Despite sooner answers, like Mass Scan, Nmap leads with more than one options and further scripts. You may write your individual NSE scripts to make use of with Nmap.

As you’ll be able to see, regardless of its energy, Nmap will also be simply performed through any Linux stage person. Deep Nmap finding out could be very positive for any person coping with networking.

Thank you for studying this instructional appearing 30 Nmap examples. Keep following Linux Hint for added Linux pointers and tutorials.

This website uses cookies to improve your experience. We'll assume you're ok with this, but you can opt-out if you wish. Accept Read More