[Linux 文章收集] Top 30 Nmap Command Examples For Sys/Network Admins

Source From Here 
Preface 
nmap is short for Network Mapper. It is an open source security tool for network exploration, security scanning and auditing. However, nmap command comes with lots of options that can make the utility more robust and difficult to follow for new users. 

The purpose of this post is to introduce a user to the nmap command line tool to scan a host and/or network, so to find out the possible vulnerable points in the hosts. You will also learn how to use Nmap for offensive and defensive purposes. 

More about nmap 
From the man page: 

Nmap ("Network Mapper") is an open source tool for network exploration and security auditing. It was designed to rapidly scan large networks, although it works fine against single hosts. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. While Nmap is commonly used for security audits, many systems and network administrators find it useful for routine tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime.

It was originally written by Gordon Lyon and it can answer the following questions easily: 

1. What computers did you find running on the local network?
2. What IP addresses did you find running on the local network?
3. What is the operating system of your target machine?
4. Find out what ports are open on the machine that you just scanned?
5. Find out if the system is infected with malware or virus.
6. Search for unauthorized servers or network service on your network.
7. Find and remove computers which don't meet the organization's minimum level of security.

Sample setup (LAB) 
Port scanning may be illegal in some jurisdictions. So setup a lab as follows: 
 

Where, 

* wks01 is your computer either running Linux/OS X or Unix like operating system. It is used for scanning your local network. The nmap command must be installed on this computer.
* server1 can be powered by Linux / Unix / MS-Windows operating systems. This is an unpatched server. Feel free to install a few services such as a web-server, file server and so on.
* server2 can be powered by Linux / Unix / MS-Windows operating systems. This is a fully patched server with firewall. Again, feel free to install few services such as a web-server, file server and so on.
* All three systems are connected via switch.

How do I install nmap? 
See: 

1. Debian / Ubuntu Linux: Install nmap Software For Scanning Network
2. CentOS / RHEL: Install nmap Network Security Scanner
3. OpenBSD: Install nmap Network Security Scanner

Scan a single host or an IP address (IPv4) 

### Scan a single ip address ###
$ nmap 192.168.1.1

## Scan a host name ###
$ nmap server1.cyberciti.biz

## Scan a host name with more info###
$ nmap -v server1.cyberciti.biz

Sample outputs: 
 

Scan multiple IP address or subnet (IPv4) 

$ nmap 192.168.1.1 192.168.1.2 192.168.1.3
## works with same subnet i.e. 192.168.1.0/24
$ nmap 192.168.1.1,2,3

You can scan a range of IP address too: 

$ nmap 192.168.1.1-20

You can scan a range of IP address using a wildcard: 

$ nmap 192.168.1.*

Finally, you scan an entire subnet: 

$ nmap 192.168.1.0/24

Read list of hosts/networks from a file (IPv4) 
The -iL option allows you to read the list of target systems using a text file. This is useful to scan a large number of hosts/networks. Create a text file as follows: 
- /tmp/test.txt 

view plaincopy to clipboardprint?

1. server1.cyberciti.biz  
2. 192.168.1.0/24  
3. 192.168.1.1/24  
4. 10.1.2.3  
5. localhost  

The syntax is: 

$ nmap -iL /tmp/test.txt

Excluding hosts/networks (IPv4) 
When scanning a large number of hosts/networks you can exclude hosts from a scan: 

$ nmap 192.168.1.0/24 --exclude 192.168.1.5
$ nmap 192.168.1.0/24 --exclude 192.168.1.5,192.168.1.254

OR exclude list from a file called /tmp/exclude.txt 

$ nmap -iL /tmp/scanlist.txt --excludefile /tmp/exclude.txt

Turn on OS and version detection scanning script (IPv4) 

## Scan 192.168.1.254 for OS and version.
$ nmap -A 192.168.1.254

## Scan 192.168.1.1 for OS and version in detail
$ nmap -v -A 192.168.1.1

## Scan Hosts from /tmp/scanlist.txt for OS and version.
$ nmap -A -iL /tmp/scanlist.txt

Find out if a host/network is protected by a firewall 

## -sA (TCP ACK scan)
## This scan is different than the others discussed so far in that it never determines open (or even
## open|filtered) ports. It is used to map out firewall rulesets, determining whether they are stateful or
## not and which ports are filtered.
$ nmap -sA 192.168.1.254
$ nmap -sA server1.cyberciti.biz

Scan a host when protected by the firewall 

$ nmap -PN 192.168.1.1
$ nmap -PN server1.cyberciti.biz
Starting Nmap 5.51 ( http://nmap.org ) at 2014-09-13 21:58 CST
Nmap scan report for nlg13.csie.ntu.edu.tw (140.112.31.76)
Host is up (0.000075s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: F4:6D:04:65:1F:E0 (Unknown)

Scan an IPv6 host/address 
The -6 option enable IPv6 scanning. The syntax is: 

$ nmap -6 IPv6-Address-Here
$ nmap -6 server1.cyberciti.biz
$ nmap -6 2607:f0d0:1002:51::4
$ nmap -v A -6 2607:f0d0:1002:51::4

Scan a network and find out which servers and devices are up and running 
This is known as host discovery or ping scan: 

## -sn or -sP: This option tells Nmap not to do a port scan after host discovery, and only print out the available hosts
## that responded to the scan.
$ nmap -sP 192.168.1.0/24
Host 192.168.1.1 is up (0.00035s latency).
MAC Address: BC:AE:C5:C3:16:93 (Unknown)
Host 192.168.1.2 is up (0.0038s latency).
MAC Address: 74:44:01:40:57:FB (Unknown)
Host 192.168.1.5 is up.
Host nas03 (192.168.1.12) is up (0.0091s latency).
MAC Address: 00:11:32:11:15:FC (Synology Incorporated)
Nmap done: 256 IP addresses (4 hosts up) scanned in 2.80 second
...

How do I perform a fast scan? 

## -F (Fast (limited port) scan):
## Specifies that you wish to scan fewer ports than the default. Normally Nmap scans the most common 1,000
## ports for each scanned protocol. With -F, this is reduced to 100.
$ nmap -F 192.168.1.1

Display the reason a port is in a particular state 

## OUTPUT:
## --reason: Display the reason a port is in a particular state
$ nmap --reason 192.168.1.1
$ nmap --reason server1.cyberciti.biz
Starting Nmap 5.51 ( http://nmap.org ) at 2014-09-14 09:11 CST
Nmap scan report for xxx.xxx.tw (192.168.1.1)
Host is up, received arp-response (0.000075s latency).
Not shown: 998 filtered ports
Reason: 988 no-responses and 10 host-prohibiteds
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack
80/tcp open http syn-ack
MAC Address: x:x:x:x:x:x (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 5.15 seconds

Only show open (or possibly open) ports 

## OUTPUT:
## --open: Only show open (or possibly open) ports
$ nmap --open 192.168.1.1
$ nmap --open server1.cyberciti.biz
...
Host is up (0.000071s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: F4:6D:04:65:1F:E0 (Unknown)
...

Show all packets sent and received 

## OUTPUT:
## --packet-trace: Show all packets sent and received
$ nmap --packet-trace 192.168.1.1
$ nmap --packet-trace server1.cyberciti.biz
...
SENT (0.1030s) TCP x.x.x.x:59711 > 192.168.1.1:1025 S ttl=51 id=30599 iplen=44 seq=1459857601 win=4096
RCVD (0.1020s) ICMP 192.168.1.1 > x.x.x.x Destination host 192.168.1.1 administratively prohibited (type=3/code=10) ttl=64 id=2667 iplen=72
...
Host is up (0.000071s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
...

Show host interfaces and routes 
This is useful for debugging (ip command or route command or netstat command like output using nmap) 

## OUTPUT:
## --iflist: Print host interfaces and routes (for debugging)
$ nmap --iflist

Sample outputs: 
 
How do I scan specific ports? 

## PORT SPECIFICATION AND SCAN ORDER:
## -p : Only scan specified ports
## Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080,S:9

## Scan port 80
$ nmap -p 80 192.168.1.1

## Scan TCP port 80
$ nmap -p T:80 192.168.1.1

## Scan UDP port 53
$ nmap -p U:53 192.168.1.1

## Scan two ports ##
$ nmap -p 80,443 192.168.1.1

## Scan port ranges ##
$ nmap -p 80-200 192.168.1.1

## Combine all options ##
$ nmap -p U:53,111,137,T:21-25,80,139,8080 192.168.1.1
$ nmap -p U:53,111,137,T:21-25,80,139,8080 server1.cyberciti.biz
$ nmap -v -sU -sT -p U:53,111,137,T:21-25,80,139,8080 192.168.1.254

## Scan all ports with * wildcard ##
$ nmap -p "*" 192.168.1.1

## Scan top ports i.e. scan $number most common ports ##
## PORT SPECIFICATION AND SCAN ORDER:
## --top-ports : Scan most common ports
$ nmap --top-ports 5 192.168.1.1
$ nmap --top-ports 10 192.168.1.1

Sample outputs: 
 

The fastest way to scan all your devices/computers for open ports ever 

## TIMING AND PERFORMANCE:
## -T<0-5>: Set timing template (higher is faster)
$ nmap -T5 192.168.1.0/24

How do I detect remote operating system? 
You can identify a remote host apps and OS using the -O option: 

## OS DETECTION:
## -O: Enable OS detection
## --osscan-limit: Limit OS detection to promising targets
## --osscan-guess: Guess OS more aggressively
$ nmap -O 192.168.1.1
$ nmap -O --osscan-guess 192.168.1.1
$ nmap -v -O --osscan-guess 192.168.1.1
...
Aggressive OS guesses: Crestron XPanel control system (90%), Netgear DG834G WAP (90%), Linux 2.6.24 - 2.6.35 (86%), Linux 2.6.31 - 2.6.34 (85%), Linux 2.6.32 (85%), Linux 2.6.9 - 2.6.18 (85%), Linux 2.6.9 - 2.6.27 (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
...

See also: Fingerprinting a web-server and a dns server command line tools for more information. 

How do I detect remote services (server / daemon) version numbers? 

## SERVICE/VERSION DETECTION:
## -sV: Probe open ports to determine service/version info
## --version-intensity : Set from 0 (light) to 9 (try all probes)
## --version-light: Limit to most likely probes (intensity 2)
## --version-all: Try every single probe (intensity 9)
## --version-trace: Show detailed version scan activity (for debugging)
$ nmap -sV 192.168.1.1
Starting Nmap 5.00 ( http://nmap.org ) at 2012-11-27 01:34 IST
Interesting ports on 192.168.1.1:
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh Dropbear sshd 0.52 (protocol 2.0)
80/tcp open http?
1 service unrecognized despite returning data.

Scan a host using TCP ACK (PA) and TCP Syn (PS) ping 
If firewall is blocking standard ICMP pings, try the following host discovery methods: 

## HOST DISCOVERY:
## -sL: List Scan - simply list targets to scan
## -sn: Ping Scan - disable port scan
## -Pn: Treat all hosts as online -- skip host discovery
## -PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports
## -PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
## -PO[protocol list]: IP Protocol Ping
## -n/-R: Never do DNS resolution/Always resolve [default: sometimes]
## --dns-servers : Specify custom DNS servers
## --system-dns: Use OS´s DNS resolver
## --traceroute: Trace hop path to each host
$ nmap -PS 192.168.1.1
$ nmap -PS 80,21,443 192.168.1.1
$ nmap -PA 192.168.1.1
$ nmap -PA 80,21,200-512 192.168.1.1

Scan a host using IP protocol ping 

$ nmap -PO 192.168.1.1

Scan a host using UDP ping 
This scan bypasses firewalls and filters that only screen TCP: 

## -PU port list (UDP Ping) .
## Another host discovery option is the UDP ping, which sends a UDP packet to the given ports. For most ports, the
## packet will be empty, though for a few a protocol-specific payload will be sent that is more likely to get a
## response.. The payload database is described at http://nmap.org/book/nmap-payloads.html.
$ nmap -PU 192.168.1.1
$ nmap -PU 2000.2001 192.168.1.1

Find out the most commonly used TCP ports using TCP SYN Scan 

### Stealthy scan ###
## -sS (TCP SYN scan): SYN scan is the default and most popular scan option for good reasons.
$ nmap -sS 192.168.1.1

### Find out the most commonly used TCP ports using TCP connect scan (warning: no stealth scan)
### OS Fingerprinting ###
## -sT (TCP connect scan): TCP connect scan is the default TCP scan type when SYN scan is not an option.
$ nmap -sT 192.168.1.1

### Find out the most commonly used TCP ports using TCP ACK scan
## -sA (TCP ACK scan):
## This scan is different than the others discussed so far in that it never determines open (or even
## open|filtered) ports. It is used to map out firewall rulesets, determining whether they are stateful or not and
## which ports are filtered.
$ nmap -sA 192.168.1.1

### Find out the most commonly used TCP ports using TCP Window scan
## -sW (TCP Window scan):
## Window scan is exactly the same as ACK scan except that it exploits an implementation detail of certain systems
## to differentiate open ports from closed ones, rather than always printing unfiltered when a RST is returned. It
## does this by examining the TCP Window field of the RST packets returned. On some systems, open ports use a
## positive window size (even for RST packets) while closed ones have a zero window. So instead of always listing
## a port as unfiltered when it receives a RST back, Window scan lists the port as open or closed if the TCP
## Window value in that reset is positive or zero, respectively.
$ nmap -sW 192.168.1.1

### Find out the most commonly used TCP ports using TCP Maimon scan
## -sM (TCP Maimon scan): The Maimon scan is named after its discoverer, Uriel Maimon... "Port Scanning without the SYN flag"
$ nmap -sM 192.168.1.1

Scan a host for UDP services (UDP scan) 
Most popular services on the Internet run over the TCP protocol. DNS, SNMP, and DHCP are three of the most common UDP services. Use the following syntax to find out UDP services: 

## SCAN TECHNIQUES:
## -sU: UDP Scan
$ nmap -sU nas03
$ nmap -sU 192.168.1.1
...
PORT STATE SERVICE
111/udp open|filtered rpcbind
123/udp open|filtered ntp
161/udp open|filtered snmp
2049/udp open|filtered nfs
5353/udp open|filtered zeroconf
...

Scan for IP protocol 
This type of scan allows you to determine which IP protocols (TCP, ICMP, IGMP, etc.) are supported by target machines: 

## SCAN TECHNIQUES:
## -sO: IP protocol scan
$ nmap -sO 192.168.1.1

Scan a firewall for security weakness 
The following scan types exploit a subtle loophole in the TCP and good for testing security of common attacks: 

## TCP Null Scan to fool a firewall to generate a response ##
## Does not set any bits (TCP flag header is 0) ##
$ nmap -sN 192.168.1.254

## TCP Fin scan to check firewall ##
## Sets just the TCP FIN bit ##
$ nmap -sF 192.168.1.254

## TCP Xmas scan to check firewall ##
## Sets the FIN, PSH, and URG flags, lighting the packet up like a Christmas tree ##
$ nmap -sX 192.168.1.254

See how to block Xmas packkets, syn-floods and other conman attacks with iptables. 

Scan a firewall for packets fragments 
The -f option causes the requested scan (including ping scans) to use tiny fragmented IP packets. The idea is to split up the TCP header over several packets to make it harder for packet filters, intrusion detection systems, and other annoyances to detect what you are doing. 

## FIREWALL/IDS EVASION AND SPOOFING:
## -f; --mtu : fragment packets (optionally w/given MTU)
## -D : Cloak a scan with decoys
## -S : Spoof source address
## -e : Use specified interface
## -g/--source-port : Use given port number
## --data-length : Append random data to sent packets
## --ip-options : Send packets with specified ip options
## --ttl : Set IP time-to-live field
## --spoof-mac : Spoof your MAC address
## --badsum: Send packets with a bogus TCP/UDP/SCTP checksum
$ nmap -f 192.168.1.1
$ nmap -f fw2.nixcraft.net.in
$ nmap -f 15 fw2.nixcraft.net.in
## Set your own offset size with the --mtu option ##
$ nmap --mtu 32 192.168.1.1

Cloak a scan with decoys 
The -D option it appear to the remote host that the host(s) you specify as decoys are scanning the target network too. Thus their IDS might report 5-10 port scans from unique IP addresses, but they won't know which IP was scanning them and which were innocent decoys: 

## -n (No DNS resolution) :
## Tells Nmap to never do reverse DNS resolution on the active IP addresses it finds. Since DNS can be
## slow even with Nmap´s built-in parallel stub resolver, this option can slash scanning times.
##
## -D decoy1[,decoy2][,ME][,...] (Cloak a scan with decoys)
## Causes a decoy scan to be performed, which makes it appear to the remote host that the host(s) you
## specify as decoys are scanning the target network too.
$ nmap -n -Ddecoy-ip1,decoy-ip2,your-own-ip,decoy-ip3,decoy-ip4 remote-host-ip
$ nmap -n -D192.168.1.5,10.5.1.2,172.1.2.4,3.4.2.1 192.168.1.5

Scan a firewall for MAC address spoofing 

## FIREWALL/IDS EVASION AND SPOOFING:
## --spoof-mac : Spoof your MAC address
### Spoof your MAC address ##
$ nmap --spoof-mac MAC-ADDRESS-HERE 192.168.1.1

### Add other options ###
$ nmap -v -sT -PN --spoof-mac MAC-ADDRESS-HERE 192.168.1.1

### Use a random MAC address ###
### The number 0, means nmap chooses a completely random MAC address ###
$ nmap -v -sT -PN --spoof-mac 0 192.168.1.1

How do I save output to a text file? 
The syntax is: 

## OUTPUT:
## -oN/-oX/-oS/-oG : Output scan in normal, XML, s|
$ nmap 192.168.1.1 > output.txt
$ nmap -oN /path/to/filename 192.168.1.1
$ nmap -oN output.txt 192.168.1.1

Not a fan of command line tools? 
Try zenmap the official network mapper front end: 

Zenmap is the official Nmap Security Scanner GUI. It is a multi-platform (Linux, Windows, Mac OS X, BSD, etc.) free and open source application which aims to make Nmap easy for beginners to use while providing advanced features for experienced Nmap users. Frequently used scans can be saved as profiles to make them easy to run repeatedly. A command creator allows interactive creation of Nmap command lines. Scan results can be saved and viewed later. Saved scan results can be compared with one another to see how they differ. The results of recent scans are stored in a searchable database.

You can install zenmap using the following apt-get command: 

$ sudo apt-get install zenmap

 

How do I detect and block port scanning? 
Try the following resources: 

1. How to use psad tool to detect and block port scan attacks in real time.
2. Debian / Ubuntu Linux: Install and Configure Shoreline Firewall (Shorewall).
3. CentOS / Redhat Iptables Firewall Configuration Tutorial.
4. Linux: 20 Iptables Examples For New SysAdmins.
5. 20 Linux Server Hardening Security Tips.

Supplement 
* The official Nmap project guide to network discovery and security Scanning. 
* The official Nmap project home page.