nmap Command Cheatsheet


The Linux nmap command is a powerful tool used for network exploration and security auditing. It is primarily used to discover hosts and services on a computer network, as well as for performing security scans and vulnerability assessments. nmap is widely used by network administrators, security professionals, and penetration testers to identify open ports, detect network devices, and uncover potential security risks.

Key Usage and Syntax of the nmap Command #

The nmap command follows a basic syntax structure:

nmap [OPTIONS] [TARGET]

  • OPTIONS allow you to modify the scan behavior and customize the results, such as -sP for a ping scan or -p to specify ports.
  • TARGET specifies the host(s) you want to scan, which can be an IP address, hostname, or a range of IPs.

nmap Command Cheatsheet Table #

Command                          Description
nmap -sP <target>                Perform a ping scan to discover hosts on the network
nmap -sT <target>                Perform a TCP connect scan (the default when nmap runs without raw-socket privileges)
nmap -sS <target>                Perform a stealth SYN scan to detect open ports without completing the TCP handshake
nmap -p <port-range> <target>    Scan specific ports (e.g., -p 80,443 to scan HTTP and HTTPS)
nmap -O <target>                 Enable OS detection (fingerprint the operating system)
nmap -A <target>                 Enable OS detection, version detection, script scanning, and traceroute
nmap -sV <target>                Service version detection (detect software versions on open ports)
nmap -T4 <target>                Increase scan speed with a more aggressive timing template
nmap --script=<script> <target>  Run specific Nmap scripts to enhance scanning (e.g., --script=http-title to fetch web page titles)

The -sS Stealth SYN Scan #

The -sS option in nmap performs a SYN scan, which is one of the most common and stealthy methods of detecting open ports without completing the TCP handshake.

Example Command #

nmap -sS 192.168.1.1

Example Output #

Starting Nmap 7.80 ( https://nmap.org ) at 2024-11-08 12:00 UTC
Nmap scan report for 192.168.1.1
Host is up (0.0010s latency).
Not shown: 998 closed ports
PORT    STATE    SERVICE
80/tcp  open     http
443/tcp open     https

Explanation of the Output #

  • Host is up: Indicates that the target host is online and reachable.
  • PORT: Lists the open ports on the target, such as port 80 (HTTP) and port 443 (HTTPS).
  • STATE: Shows the status of each port (open, closed, or filtered).

This command is useful for quickly scanning for open ports. Because the handshake is never completed, the probe usually does not reach the listening application and is less likely to show up in service logs; firewalls and intrusion detection systems, however, routinely detect SYN scans, so the scan should not be assumed to go unnoticed.

The -sV Service Version Detection #

The -sV flag allows you to detect the versions of the services running on the open ports.

Example Command #

nmap -sV 192.168.1.1

Example Output #

Starting Nmap 7.80 ( https://nmap.org ) at 2024-11-08 12:15 UTC
Nmap scan report for 192.168.1.1
Host is up (0.0020s latency).
Not shown: 998 closed ports
PORT    STATE    SERVICE VERSION
80/tcp  open     http    Apache httpd 2.4.29
443/tcp open     https   OpenSSL 1.1.1f

Explanation of the Output #

  • SERVICE: The service name (e.g., HTTP, HTTPS) running on each port.
  • VERSION: The specific version of the service detected (e.g., Apache httpd 2.4.29, OpenSSL 1.1.1f).

This option helps in identifying specific software versions and potential vulnerabilities related to those versions.
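The -sS and -sV listings above share the same PORT/STATE/SERVICE[/VERSION] layout, and in practice the output is fed into an inventory rather than read by eye. The following POSIX shell script is an added example, not part of the original cheatsheet: it parses a constructed copy of that output (the -sV listing plus one filtered port, not captured from a real host) and extracts the open ports and a CSV inventory with awk. It assumes only nmap's normal output format as shown on this page.

```shell
#!/bin/sh
# Added example (not from the cheatsheet): parse nmap's normal output into
# structured data. SAMPLE is constructed to match the -sV listing above,
# plus one filtered port, and was not captured from a real host.
SAMPLE='Starting Nmap 7.80 ( https://nmap.org ) at 2024-11-08 12:15 UTC
Nmap scan report for 192.168.1.1
Host is up (0.0020s latency).
Not shown: 997 closed ports
PORT    STATE    SERVICE VERSION
22/tcp  filtered ssh
80/tcp  open     http    Apache httpd 2.4.29
443/tcp open     https   OpenSSL 1.1.1f'

# open_ports: read nmap normal output on stdin and print one port/proto per
# line for every row whose STATE column is "open". A port row always starts
# with <number>/<proto>, so banner and header lines are ignored. Works for
# -sS output (no VERSION column) as well as -sV output.
open_ports() {
  awk '$1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" { print $1 }'
}

# service_inventory: emit CSV "host,port,state,service,version" for every
# port row, remembering the host from the preceding "Nmap scan report for"
# line. The version is everything from field 4 onward and may be empty.
service_inventory() {
  awk '
    /^Nmap scan report for / { host = $NF; gsub(/[()]/, "", host); next }
    $1 ~ /^[0-9]+\/(tcp|udp)$/ {
      version = ""
      for (i = 4; i <= NF; i++) version = version (i > 4 ? " " : "") $i
      printf "%s,%s,%s,%s,%s\n", host, $1, $2, $3, version
    }'
}

# Usage: the space-separated list of open ports, then the full inventory.
printf '%s\n' "$SAMPLE" | open_ports | paste -s -d ' ' -
printf '%s\n' "$SAMPLE" | service_inventory
```

Replace the embedded sample with `nmap -sV <target> | service_inventory` to build a real inventory; the version column is what you later compare against vendor advisories for the software you actually run.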

The -O OS Detection #

The -O option in nmap is used to detect the operating system of the target host based on various network characteristics.

Example Command #

nmap -O 192.168.1.1

Example Output #

Starting Nmap 7.80 ( https://nmap.org ) at 2024-11-08 12:30 UTC
Nmap scan report for 192.168.1.1
Host is up (0.0015s latency).
OS fingerprint not recognized.

Explanation of the Output #

  • OS fingerprint not recognized: This indicates that nmap was unable to identify the operating system based on the available data.

If successful, nmap will provide the detected OS along with version details.

The --script Nmap Scripting Engine (NSE) #

Nmap’s scripting engine allows you to run various pre-written scripts for vulnerability scanning, service enumeration, and other tasks.

Example Command #

nmap --script=http-title 192.168.1.1

Example Output #

Starting Nmap 7.80 ( https://nmap.org ) at 2024-11-08 12:45 UTC
Nmap scan report for 192.168.1.1
Host is up (0.0015s latency).
PORT    STATE    SERVICE VERSION
80/tcp  open     http    Apache httpd 2.4.29
| http-title: "Welcome to Apache HTTP Server"

Explanation of the Output #

  • http-title: This script fetches the title of the HTTP server’s default webpage, which can help identify the web server software and its version.

Examples of Using the nmap Command #

Basic Host Discovery #

To find active hosts in a subnet:

nmap -sP 192.168.1.0/24

This command will perform a ping scan to detect all live hosts in the 192.168.1.0/24 range.

Scan a Specific Port #

To check if a specific port is open:

nmap -p 22 192.168.1.1

This command checks if port 22 (SSH) is open on the target 192.168.1.1.

Advanced Scan with OS and Version Detection #

To perform a detailed scan that includes OS detection and version detection:

nmap -A 192.168.1.1

This command provides a full scan, including OS fingerprinting, version detection, script scanning, and traceroute.
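The host-discovery and port-scan examples above are most useful to a defender when they are repeated on a schedule and compared with a known-good baseline, so that a port that was not open last week is noticed. The script below is an added example, not part of the original cheatsheet or the nmap project: it parses nmap's grepable output (the real -oG option) for two scans and reports ports that are open in the newer scan but not in the baseline. Both inputs are constructed to look like -oG output for 192.168.1.1 and are not real scan results.

```shell
#!/bin/sh
# Added example (not from the cheatsheet): detect newly exposed ports by
# diffing two grepable (-oG) scan results. Both inputs are constructed to
# look like "nmap -sS -oG <file> 192.168.1.1" output; they are not real scans.
# In practice the baseline is produced once and each scheduled scan is
# compared against it, e.g.:
#   nmap -sn -oG hosts.gnmap 192.168.1.0/24   # host discovery (-sn is the current spelling of -sP)
#   nmap -sS -oG today.gnmap 192.168.1.1      # port scan with grepable output
BASELINE=$(printf 'Host: 192.168.1.1 ()\tStatus: Up\nHost: 192.168.1.1 ()\tPorts: 80/open/tcp//http///, 443/open/tcp//https///\tIgnored State: closed (998)\n')
TODAY=$(printf 'Host: 192.168.1.1 ()\tStatus: Up\nHost: 192.168.1.1 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///\tIgnored State: closed (997)\n')

# open_ports_gnmap: read -oG output on stdin and print "host port/proto" for
# each open port. Grepable fields are tab-separated; each entry in the Ports
# field has the form port/state/proto/owner/service/rpcinfo/version/.
open_ports_gnmap() {
  awk -F '\t' '
    /^Host: / && $2 ~ /^Ports: / {
      split($1, h, " "); host = h[2]
      sub(/^Ports: /, "", $2)
      n = split($2, entries, /, */)
      for (i = 1; i <= n; i++) {
        split(entries[i], f, "/")
        if (f[2] == "open") print host " " f[1] "/" f[3]
      }
    }' | sort
}

# new_open_ports BASELINE TODAY: lines open today that were not open in the
# baseline. grep -vxF treats each baseline line as a whole-line fixed string;
# "|| true" keeps an empty result from counting as a failure under set -e.
new_open_ports() {
  b=$(printf '%s\n' "$1" | open_ports_gnmap)
  t=$(printf '%s\n' "$2" | open_ports_gnmap)
  printf '%s\n' "$t" | grep -vxF -e "$b" || true
}

# Usage: print the ports that appeared since the baseline.
new_open_ports "$BASELINE" "$TODAY"
```

Wire the output into whatever alerting you already have; an unexpected new open port on a server is worth a ticket regardless of which service answers on it.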

Summary #

In summary, the Linux nmap command is an essential tool for network discovery, security auditing, and vulnerability scanning. It
