Linux nmap command (network scan)
The nmap Command in Linux is a powerful tool for discovering open ports on local or remote hosts.
It can be installed with any package manager. Unlike netstat, ss and lsof, which list the sockets or files already open on the local host, nmap finds open ports by trial and error: it tries to connect to known ports and, when it finds one open, checks which service is listening on it.
Using NMAP to Find Open Ports on a Network
To check open ports from 1 to 1000:
$ nmap localhost
Starting Nmap 7.70 (https://nmap.org) at 2019-10-23 06:01 -03
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000098s latency).
A short script can be written to compare the open ports with the result of a previous scan.
The reference file must first be created to serve as the comparison for future runs:
$ nmap localhost | grep open > original
The script below runs nmap and compares the result with the “original” file. If there is a difference, an email is sent:
#!/bin/bash
nmap localhost | grep open > current
diff current original > /dev/null
# diff exits 1 when the files differ and 0 when they are identical
if [ $? -ne 0 ]; then
    mail -s "nmap: open ports on localhost changed" admin@example.com < current   # recipient is a placeholder
fi
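A more robust version of the same check, added here as an example and not part of the original article: it reads nmap's grepable output (-oG) instead of grepping the human-readable text, compares the set of open ports with a saved baseline, and reports exactly which ports appeared or disappeared. The two sample reports are constructed inline so the script runs without nmap; in use they would come from `nmap -oG original localhost` and `nmap -oG current localhost`.

```shell
#!/bin/bash
# Added example, not from the original article: compare the open ports in an
# nmap grepable report (-oG) with a saved baseline and list what changed.
# Two constructed sample reports are embedded so the script runs without nmap;
# in use, produce them with:  nmap -oG original localhost  /  nmap -oG current localhost
export LC_ALL=C   # make sort and comm agree on ordering

# Print every open "port/proto" from an -oG report, one per line, sorted.
# A -oG port entry looks like 22/open/tcp//ssh/// (port/state/proto/owner/service/...).
open_ports() {
    grep '^Host:.*Ports:' "$1" \
      | sed 's/.*Ports: //; s/[[:space:]]*Ignored State:.*//' \
      | tr ',' '\n' | tr -d ' ' \
      | awk -F/ '$2 == "open" { print $1 "/" $3 }' \
      | sort -u
}

# Print "+port/proto" for newly open ports and "-port/proto" for ports that
# closed since the baseline. Returns 0 when nothing changed, 1 otherwise,
# so a cron job can decide whether to alert.
port_changes() {
    local base cur changes
    base=$(mktemp) && cur=$(mktemp)
    open_ports "$1" > "$base"
    open_ports "$2" > "$cur"
    changes=$(comm -3 "$base" "$cur" \
      | awk -F'\t' '{ if ($1 != "") print "-" $1; else print "+" $2 }')
    rm -f "$base" "$cur"
    [ -n "$changes" ] || return 0
    printf '%s\n' "$changes"
    return 1
}

# Constructed sample reports (port 80 closed, 443 opened, 3306 only filtered).
BASELINE=$(mktemp); CURRENT=$(mktemp)
cat > "$BASELINE" <<'EOF'
Host: 127.0.0.1 (localhost)  Status: Up
Host: 127.0.0.1 (localhost)  Ports: 22/open/tcp//ssh///, 80/open/tcp//http///  Ignored State: closed (998)
EOF
cat > "$CURRENT" <<'EOF'
Host: 127.0.0.1 (localhost)  Status: Up
Host: 127.0.0.1 (localhost)  Ports: 22/open/tcp//ssh///, 443/open/tcp//https///, 3306/filtered/tcp//mysql///  Ignored State: closed (997)
EOF

# Where the article's script sends mail, alert only when the port set changed.
port_changes "$BASELINE" "$CURRENT" || echo "ALERT: open ports changed (see lines above)"
```

Filtered ports are deliberately ignored, so a firewall change that silently drops probes does not show up as a "closed" port; compare a -oG run with `-p-` if you need the full 65535-port picture rather than the default top 1000.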
Check reserved ports with nmap
This scans all reserved TCP ports on the scanme.nmap.org machine; the “-v” option enables verbose mode:
$ nmap -v scanme.nmap.org
Starting Nmap 6.40 (http://nmap.org) at 2021-12-08 22:01 -03
Initiating Ping Scan at 22:01
Scanning scanme.nmap.org (45.33.32.156) [2 ports]
Completed Ping Scan at 22:01, 0.07s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 22:01
Completed Parallel DNS resolution of 1 host. at 22:01, 0.02s elapsed
Initiating Connect Scan at 22:01
Scanning scanme.nmap.org (45.33.32.156) [1000 ports]
Discovered open port 80/tcp on 45.33.32.156
Discovered open port 22/tcp on 45.33.32.156
Discovered open port 9929/tcp on 45.33.32.156
Discovered open port 31337/tcp on 45.33.32.156
Completed Connect Scan at 22:01, 1.07s elapsed (1000 total ports)
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.075s latency).
Not shown: 996 closed ports
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
9929/tcp  open  nping-echo
31337/tcp open  Elite

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 1.26 seconds
SYN scan with nmap
The “-sS” option launches a stealth SYN scan against every machine in the /24 network that contains the scanme.nmap.org address.
The “-O” option tries to determine which operating system is running on each host that is up. Both the SYN scan and OS detection require root privileges:
$ sudo nmap -sS -O scanme.nmap.org/24
Starting Nmap 6.40 (http://nmap.org) at 2021-12-08 22:04 -03
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.070s latency).
Not shown: 996 closed ports
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
9929/tcp  open  nping-echo
31337/tcp open  Elite
Device type: general purpose|WAP|webcam|firewall|storage-misc
Running (JUST GUESSING): Linux 2.6.X|3.X|2.4.X (91%), Tandberg embedded (86%), Fortinet Linux 2.6.X (86%), IPFire Linux 2.6.X (85%), Check Point Linux 2.6.X (85%), Axcient embedded (85%)
OS CPE: cpe:/o:linux:linux_kernel:2.6.32 cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:2.4 cpe:/h:tandberg:vcs cpe:/o:fortinet:linux_kernel:2.6 cpe:/o:ipfire:linux_kernel:2.6 (...) cpe:/o:linux:linux_kernel:2.6.18
Aggressive OS guesses: Linux 2.6.32 - 2.6.35 (91%), Linux 2.6.32 - 2.6.39 (91%), Linux 2.6.32 - 3.0 (90%), Linux 2.6.18 (89%), Linux 3.2 - 3.6 (89%), Linux 2.6.32 (88%), Linux 3.1.9 (88%), Linux 2.6.39 (88%), Linux 2.6.32 - 2.6.33 (88%) (...)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 14 hops
(...)
Check specific ports with nmap
The “-sV” option enables version detection. This command launches host enumeration and a TCP scan of the first half of the 198.116.0.0/16 subnet, testing whether systems run SSH (22), DNS (53), POP3 (110) or IMAP (143) on their standard ports, or anything on port 4564. For any of these ports found open, version detection determines which application is running:
$ nmap -sV -p 22,53,110,143,4564 198.116.0-255.1-127
Starting Nmap 6.40 (http://nmap.org) at 2021-12-08 22:08 -03
Nmap scan report for ip-172-30-0-191.ec2.internal (172.30.0.191)
Host is up (0.00016s latency).
PORT     STATE  SERVICE VERSION
22/tcp   open   ssh     OpenSSH 7.4 (protocol 2.0)
53/tcp   closed domain
110/tcp  closed pop3
143/tcp  closed imap
4564/tcp closed unknown
(...)
Scan random hosts with nmap
In this example nmap chooses 100 hosts at random and checks for web servers (port 80). Host enumeration is disabled with -Pn:
$ nmap -v -iR 100 -Pn -p 80
Starting Nmap 6.40 (http://nmap.org) at 2021-12-08 22:11 -03
Initiating Parallel DNS resolution of 10 hosts at 22:11
Completed Parallel DNS resolution of 10 hosts at 22:11, 1.20s elapsed
(...)
Save nmap data in XML
In this example, nmap checks 4096 IPs for any web server (port 80 - without pinging) and saves the output in XML format:
$ nmap -Pn -p80 -oX pb-port80scan.xml 216.163.128.20/20
Find out if the target uses a firewall
The “-sA” option (ACK scan) checks whether the host uses a firewall, such as a Linux packet filter, to filter packets:
$ sudo nmap -sA facebook.com
Starting Nmap 6.40 (http://nmap.org) at 2021-12-08 22:29 -03
Nmap scan report for facebook.com (157.240.229.35)
Host is up (0.00055s latency).
Discover connected hosts with ping scan
The “-sP” option performs a ping scan on a network (newer nmap releases call this option -sn):
$ nmap -sP 172.30.0.0/24
Starting Nmap 6.40 (http://nmap.org) at 2021-12-08 22:31 -03
Nmap scan report for go.universobh.com.br (172.30.0.30)
Host is up (0.00037s latency).
Nmap scan report for ip-172-30-0-191.ec2.internal (172.30.0.191)
Host is up (0.00035s latency).
This type of scan is not always effective, as most networks block ping to their hosts.
Scan for open ports
The nmap “--open” option shows only a host's open (or possibly open) ports:
$ nmap --open google.pt
Starting Nmap 6.40 (http://nmap.org) at 2021-12-08 22:33 -03
Nmap scan report for google.pt (172.217.15.99)
Host is up (0.015s latency).
Quick open port testing with nmap
The “-T5” option uses the fastest timing template to scan for open ports quickly:
$ nmap -T5 facebook.com
Starting Nmap 6.40 (http://nmap.org) at 2021-12-08 22:35 -03
Nmap scan report for facebook.com (157.240.229.35)
Host is up (0.00068s latency).
Be careful when using nmap
Be careful when running nmap against hosts in Amazon AWS, Google Cloud or Microsoft Azure: these providers inspect their edge firewall logs for suspicious “pentest” activity against their networks.
Nmap Quick Guide
Select targets with NMAP
| Task | Command |
|---|---|
| Scan a single IP | nmap 192.168.1.1 |
| Scan a hostname | nmap www.testhostname.com |
| Scan a range of IPs | nmap 192.168.1.1-20 |
| Scan a subnet | nmap 192.168.1.0/24 |
| Scan targets from a text file | nmap -iL list-of-ips.txt |
| Scan a single port | nmap -p 22 192.168.1.1 |
| Scan a range of ports | nmap -p 1-100 192.168.1.1 |
| Scan the 100 most common ports (fast) | nmap -F 192.168.1.1 |
| Scan all 65535 ports | nmap -p- 192.168.1.1 |
| Scan using TCP connect | nmap -sT 192.168.1.1 |
| Scan using TCP SYN (default) | nmap -sS 192.168.1.1 |
| UDP port scan | nmap -sU -p 123,161,162 192.168.1.1 |
| Port scan, skip host discovery | nmap -Pn -F 192.168.1.1 |
| Detect OS and services | nmap -A 192.168.1.1 |
| Detect service versions | nmap -sV 192.168.1.1 |
| Aggressive service detection | nmap -sV --version-intensity 5 192.168.1.1 |
| Light (banner-only) service detection | nmap -sV --version-intensity 0 192.168.1.1 |
| Save normal output to a file | nmap -oN outputfile.txt 192.168.1.1 |
| Save in XML | nmap -oX outputfile.xml 192.168.1.1 |
| Save in grepable format | nmap -oG outputfile.txt 192.168.1.1 |
| Save in all formats | nmap -oA outputfile 192.168. |
| Get the titles of HTML pages | nmap --script=http-title 192.168.1.0/24 |
| Get the HTTP headers | nmap --script=http-headers 192.168.1.0/24 |
| Enumerate web apps | nmap --script=http-enum 192.168.1.0/24 |