{"id":13580,"date":"2019-04-03T11:06:26","date_gmt":"2019-04-03T11:06:26","guid":{"rendered":"http:\/\/www.appservgrid.com\/paw92\/?p=13580"},"modified":"2019-04-03T11:06:26","modified_gmt":"2019-04-03T11:06:26","slug":"29-practical-examples-of-nmap-commands-for-linux-system-network-administrators","status":"publish","type":"post","link":"https:\/\/www.appservgrid.com\/paw92\/index.php\/2019\/04\/03\/29-practical-examples-of-nmap-commands-for-linux-system-network-administrators\/","title":{"rendered":"29 Practical Examples of Nmap Commands for Linux System\/Network Administrators"},"content":{"rendered":"

The\u00a0Nmap<\/strong>\u00a0aka\u00a0Network Mapper<\/strong>\u00a0is an open source and a very versatile tool for Linux system\/network administrators.\u00a0Nmap<\/strong>\u00a0is used for\u00a0exploring networks<\/strong>,\u00a0perform security scans<\/strong>,\u00a0network audit<\/strong>\u00a0and\u00a0finding open ports<\/strong>\u00a0on remote machine. It scans for Live hosts, Operating systems, packet filters and open ports running on remote hosts.<\/p>\n

\n

\"Nmap<\/a><\/p>\n

Nmap Commands and Examples<\/p>\n<\/div>\n

I\u2019ll be covering most of\u00a0NMAP<\/strong>\u00a0usage in two different parts and this is the first part of nmap serious. Here in this setup, I have used two servers without firewall to test the working of the Nmap command.<\/p>\n

    \n
  1. 192.168.0.100 \u2013 server1.tecmint.com<\/strong><\/li>\n
  2. 192.168.0.101 \u2013 server2.tecmint.com<\/strong><\/li>\n<\/ol>\n
    Nmap command usage<\/h5>\n
    # nmap [Scan Type(s)] [Options] {target specification}<\/pre>\n
    How to Install NMAP in Linux<\/h3>\n
    Most of the today\u2019s Linux distributions like\u00a0Red Hat<\/strong>,\u00a0CentOS<\/strong>,\u00a0Fedoro<\/strong>,\u00a0Debian<\/strong>\u00a0and\u00a0Ubuntu<\/strong>\u00a0have included\u00a0Nmap<\/strong>\u00a0in their default package management repositories called\u00a0Yum<\/a>\u00a0and\u00a0APT<\/a>. The both tools are used to install and manage software packages and updates. To install\u00a0Nmap<\/strong>\u00a0on distribution specific use the following command.<\/p>\n
    # yum install nmap\t\t[on Red Hat<\/strong> based systems]\r\n\r\n$ sudo apt-get install nmap\t[on Debian<\/strong> based systems]<\/pre>\n
    Once you\u2019ve install latest nmap application, you can follow the example instructions provided in this article.<\/p>\n
    1. Scan a System with Hostname and IP Address<\/h3>\n
    The\u00a0Nmap<\/strong>\u00a0tool offers various methods to scan a system. In this example, I am performing a scan using hostname as\u00a0server2.tecmint.com<\/strong>\u00a0to find out all open ports, services and MAC address on the system.<\/p>\n
    Scan using Hostname<\/h5>\n
    [root@server1 ~]# nmap server2.tecmint.com<\/strong>\r\n\r\nStarting Nmap 4.11 ( http:\/\/www.insecure.org\/nmap\/ ) at 2013-11-11 15:42 EST\r\nInteresting ports on server2.tecmint.com (192.168.0.101):\r\nNot shown: 1674 closed ports\r\nPORT     STATE SERVICE\r\n22\/tcp   open  ssh\r\n80\/tcp   open  http\r\n111\/tcp  open  rpcbind\r\n957\/tcp  open  unknown\r\n3306\/tcp open  mysql\r\n8888\/tcp open  sun-answerbook\r\nMAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)\r\n\r\nNmap finished: 1 IP address (1 host up) scanned in 0.415 seconds\r\nYou have new mail in \/var\/spool\/mail\/root<\/pre>\n
    Scan using IP Address<\/h5>\n
    [root@server1 ~]# nmap 192.168.0.101<\/strong>\r\n\r\nStarting Nmap 4.11 ( http:\/\/www.insecure.org\/nmap\/ ) at 2013-11-18 11:04 EST\r\nInteresting ports on server2.tecmint.com (192.168.0.101):\r\nNot shown: 1674 closed ports\r\nPORT     STATE SERVICE\r\n22\/tcp   open  ssh\r\n80\/tcp   open  http\r\n111\/tcp  open  rpcbind\r\n958\/tcp  open  unknown\r\n3306\/tcp open  mysql\r\n8888\/tcp open  sun-answerbook\r\nMAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)\r\n\r\nNmap finished: 1 IP address (1 host up) scanned in 0.465 seconds\r\nYou have new mail in \/var\/spool\/mail\/root<\/pre>\n
    2. Scan using \u201c-v\u201d option<\/h3>\n
    You can see that the below command with \u201c-v<\/strong>\u201d option is giving more detailed information about the remote machine.<\/p>\n
    [root@server1 ~]# nmap -v server2.tecmint.com<\/strong>\r\n\r\nStarting Nmap 4.11 ( http:\/\/www.insecure.org\/nmap\/ ) at 2013-11-11 15:43 EST\r\nInitiating ARP Ping Scan against 192.168.0.101 [1 port] at 15:43\r\nThe ARP Ping Scan took 0.01s to scan 1 total hosts.\r\nInitiating SYN Stealth Scan against server2.tecmint.com (192.168.0.101) [1680 ports] at 15:43\r\nDiscovered open port 22\/tcp on 192.168.0.101\r\nDiscovered open port 80\/tcp on 192.168.0.101\r\nDiscovered open port 8888\/tcp on 192.168.0.101\r\nDiscovered open port 111\/tcp on 192.168.0.101\r\nDiscovered open port 3306\/tcp on 192.168.0.101\r\nDiscovered open port 957\/tcp on 192.168.0.101\r\nThe SYN Stealth Scan took 0.30s to scan 1680 total ports.\r\nHost server2.tecmint.com (192.168.0.101) appears to be up ... good.\r\nInteresting ports on server2.tecmint.com (192.168.0.101):\r\nNot shown: 1674 closed ports\r\nPORT     STATE SERVICE\r\n22\/tcp   open  ssh\r\n80\/tcp   open  http\r\n111\/tcp  open  rpcbind\r\n957\/tcp  open  unknown\r\n3306\/tcp open  mysql\r\n8888\/tcp open  sun-answerbook\r\nMAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)\r\n\r\nNmap finished: 1 IP address (1 host up) scanned in 0.485 seconds\r\n               Raw packets sent: 1681 (73.962KB) | Rcvd: 1681 (77.322KB)<\/pre>\n
    Scan Multiple Hosts<\/h3>\n
    You can scan multiple hosts by simply writing their IP addresses or hostnames with Nmap.<\/p>\n
    [root@server1 ~]# nmap 192.168.0.101 192.168.0.102 192.168.0.103<\/strong>\r\n\r\nStarting Nmap 4.11 ( http:\/\/www.insecure.org\/nmap\/ ) at 2013-11-11 16:06 EST\r\nInteresting ports on server2.tecmint.com (192.168.0.101):\r\nNot shown: 1674 closed ports\r\nPORT     STATE SERVICE\r\n22\/tcp   open  ssh\r\n80\/tcp   open  http\r\n111\/tcp  open  rpcbind\r\n957\/tcp  open  unknown\r\n3306\/tcp open  mysql\r\n8888\/tcp open  sun-answerbook\r\nMAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)\r\nNmap finished: 3 IP addresses (1 host up) scanned in 0.580 seconds<\/pre>\n
    4. Scan a whole Subnet<\/h3>\n
    You can scan a whole subnet or IP range with Nmap by providing\u00a0* wildcard<\/strong>\u00a0with it.<\/p>\n
    [root@server1 ~]# nmap 192.168.0.*<\/strong>\r\n\r\nStarting Nmap 4.11 ( http:\/\/www.insecure.org\/nmap\/ ) at 2013-11-11 16:11 EST\r\nInteresting ports on server1.tecmint.com (192.168.0.100):\r\nNot shown: 1677 closed ports\r\nPORT    STATE SERVICE\r\n22\/tcp  open  ssh\r\n111\/tcp open  rpcbind\r\n851\/tcp open  unknown\r\n\r\nInteresting ports on server2.tecmint.com (192.168.0.101):\r\nNot shown: 1674 closed ports\r\nPORT     STATE SERVICE\r\n22\/tcp   open  ssh\r\n80\/tcp   open  http\r\n111\/tcp  open  rpcbind\r\n957\/tcp  open  unknown\r\n3306\/tcp open  mysql\r\n8888\/tcp open  sun-answerbook\r\nMAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)\r\n\r\nNmap finished: 256 IP addresses (2 hosts up) scanned in 5.550 seconds\r\nYou have new mail in \/var\/spool\/mail\/root<\/pre>\n
    On above output you can see that nmap scanned a whole subnet and gave the information about those hosts which are\u00a0Up<\/strong>\u00a0in the\u00a0Network<\/strong>.<\/p>\n
    5. Scan Multiple Servers using last octet of IP address<\/h3>\n
    You can perform scans on multiple IP address by simple specifying last octet of IP address. For example, here I performing a scan on IP addresses 192.168.0.101, 192.168.0.102 and 192.168.0.103.<\/p>\n
    [root@server1 ~]# nmap 192.168.0.101,102,103<\/strong>\r\n\r\nStarting Nmap 4.11 ( http:\/\/www.insecure.org\/nmap\/ ) at 2013-11-11 16:09 EST\r\nInteresting ports on server2.tecmint.com (192.168.0.101):\r\nNot shown: 1674 closed ports\r\nPORT     STATE SERVICE\r\n22\/tcp   open  ssh\r\n80\/tcp   open  http\r\n111\/tcp  open  rpcbind\r\n957\/tcp  open  unknown\r\n3306\/tcp open  mysql\r\n8888\/tcp open  sun-answerbook\r\nMAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)\r\n\r\nNmap finished: 3 IP addresses (1 host up) scanned in 0.552 seconds\r\nYou have new mail in \/var\/spool\/mail\/root<\/pre>\n
    6. Scan list of Hosts from a File<\/h3>\n
    If you have more hosts to scan and all host details are written in a file , you can directly ask nmap to read that file and perform scans. Let\u2019s see how to do that.<\/p>\n
    Create a text file called \u201cnmaptest.txt<\/strong>\u201d and define all the IP addresses or hostname of the server that you want to do a scan.<\/p>\n
    [root@server1 ~]# cat > nmaptest.txt<\/strong>\r\n\r\nlocalhost\r\nserver2.tecmint.com\r\n192.168.0.101<\/pre>\n
    Next, run the following command with \u201ciL<\/strong>\u201d option with nmap command to scan all listed IP address in the file.<\/p>\n
    [root@server1 ~]# nmap -iL nmaptest.txt<\/strong>\r\n\r\nStarting Nmap 4.11 ( http:\/\/www.insecure.org\/nmap\/ ) at 2013-11-18 10:58 EST\r\nInteresting ports on localhost.localdomain (127.0.0.1):\r\nNot shown: 1675 closed ports\r\nPORT    STATE SERVICE\r\n22\/tcp  open  ssh\r\n25\/tcp  open  smtp\r\n111\/tcp open  rpcbind\r\n631\/tcp open  ipp\r\n857\/tcp open  unknown\r\n\r\nInteresting ports on server2.tecmint.com (192.168.0.101):\r\nNot shown: 1674 closed ports\r\nPORT     STATE SERVICE\r\n22\/tcp   open  ssh\r\n80\/tcp   open  http\r\n111\/tcp  open  rpcbind\r\n958\/tcp  open  unknown\r\n3306\/tcp open  mysql\r\n8888\/tcp open  sun-answerbook\r\nMAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)\r\n\r\nInteresting ports on server2.tecmint.com (192.168.0.101):\r\nNot shown: 1674 closed ports\r\nPORT     STATE SERVICE\r\n22\/tcp   open  ssh\r\n80\/tcp   open  http\r\n111\/tcp  open  rpcbind\r\n958\/tcp  open  unknown\r\n3306\/tcp open  mysql\r\n8888\/tcp open  sun-answerbook\r\nMAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)\r\n\r\nNmap finished: 3 IP addresses (3 hosts up) scanned in 2.047 seconds<\/pre>\n
    7. Scan an IP Address Range<\/h3>\n
    You can specify an IP range while performing scan with Nmap.<\/p>\n
    [root@server1 ~]# nmap 192.168.0.101-110<\/strong>\r\n\r\nStarting Nmap 4.11 ( http:\/\/www.insecure.org\/nmap\/ ) at 2013-11-11 16:09 EST\r\nInteresting ports on server2.tecmint.com (192.168.0.101):\r\nNot shown: 1674 closed ports\r\nPORT     STATE SERVICE\r\n22\/tcp   open  ssh\r\n80\/tcp   open  http\r\n111\/tcp  open  rpcbind\r\n957\/tcp  open  unknown\r\n3306\/tcp open  mysql\r\n8888\/tcp open  sun-answerbook\r\nMAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)\r\n\r\nNmap finished: 10 IP addresses (1 host up) scanned in 0.542 seconds<\/pre>\n
    8. Scan Network Excluding Remote Hosts<\/h3>\n
    You can exclude some hosts while performing a full network scan or when you are scanning with wildcards with \u201c\u2013exclude<\/strong>\u201d option.<\/p>\n
    [root@server1 ~]# nmap 192.168.0.* --exclude 192.168.0.100<\/strong>\r\n\r\nStarting Nmap 4.11 ( http:\/\/www.insecure.org\/nmap\/ ) at 2013-11-11 16:16 EST\r\nInteresting ports on server2.tecmint.com (192.168.0.101):\r\nNot shown: 1674 closed ports\r\nPORT     STATE SERVICE\r\n22\/tcp   open  ssh\r\n80\/tcp   open  http\r\n111\/tcp  open  rpcbind\r\n957\/tcp  open  unknown\r\n3306\/tcp open  mysql\r\n8888\/tcp open  sun-answerbook\r\nMAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)\r\n\r\nNmap finished: 255 IP addresses (1 host up) scanned in 5.313 seconds\r\nYou have new mail in \/var\/spool\/mail\/root<\/pre>\n
    9. Scan OS information and Traceroute<\/h3>\n
    With Nmap, you can detect which OS and version is running on the remote host. To enable OS & version detection, script scanning and traceroute, we can use \u201c-A<\/strong>\u201d option with NMAP.<\/p>\n
    [root@server1 ~]# nmap -A 192.168.0.101<\/strong>\r\n\r\nStarting Nmap 4.11 ( http:\/\/www.insecure.org\/nmap\/ ) at 2013-11-11 16:25 EST\r\nInteresting ports on server2.tecmint.com (192.168.0.101):\r\nNot shown: 1674 closed ports\r\nPORT     STATE SERVICE VERSION\r\n22\/tcp   open  ssh     OpenSSH 4.3 (protocol 2.0)\r\n80\/tcp   open  http    Apache httpd 2.2.3 ((CentOS))\r\n111\/tcp  open  rpcbind  2 (rpc #100000)\r\n957\/tcp  open  status   1 (rpc #100024)\r\n3306\/tcp open  mysql   MySQL (unauthorized)\r\n8888\/tcp open  http    lighttpd 1.4.32\r\nMAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)\r\nNo exact OS matches for host (If you know what OS is running on it, see http:\/\/www.insecure.org\/cgi-bin\/nmap-submit.cgi).\r\nTCP\/IP fingerprint:\r\nSInfo(V=4.11%P=i686-redhat-linux-gnu%D=11\/11%Tm=52814B66%O=22%C=1%M=080027)\r\nTSeq(Class=TR%IPID=Z%TS=1000HZ)\r\nT1(Resp=Y%DF=Y%W=16A0%ACK=S++%Flags=AS%Ops=MNNTNW)\r\nT2(Resp=N)\r\nT3(Resp=Y%DF=Y%W=16A0%ACK=S++%Flags=AS%Ops=MNNTNW)\r\nT4(Resp=Y%DF=Y%W=0%ACK=O%Flags=R%Ops=)\r\nT5(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)\r\nT6(Resp=Y%DF=Y%W=0%ACK=O%Flags=R%Ops=)\r\nT7(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)\r\nPU(Resp=Y%DF=N%TOS=C0%IPLEN=164%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)\r\n\r\nUptime 0.169 days (since Mon Nov 11 12:22:15 2013)\r\n\r\nNmap finished: 1 IP address (1 host up) scanned in 22.271 seconds\r\nYou have new mail in \/var\/spool\/mail\/root<\/pre>\n
    In above Output, you can see that nmap is came up with\u00a0TCP<\/strong>\/IP<\/strong>\u00a0fingerprint of the\u00a0OS<\/strong>\u00a0running on remote hosts and being more specific about the port and services running on the remote hosts.<\/p>\n
    10. Enable OS Detection with Nmap<\/h3>\n
    Use the option \u201c-O<\/strong>\u201d and \u201c-osscan-guess<\/strong>\u201d also helps to discover OS information.<\/p>\n
    [root@server1 ~]# nmap -O server2.tecmint.com<\/strong>\r\n\r\nStarting Nmap 4.11 ( http:\/\/www.insecure.org\/nmap\/ ) at 2013-11-11 17:40 EST\r\nInteresting ports on server2.tecmint.com (192.168.0.101):\r\nNot shown: 1674 closed ports\r\nPORT     STATE SERVICE\r\n22\/tcp   open  ssh\r\n80\/tcp   open  http\r\n111\/tcp  open  rpcbind\r\n957\/tcp  open  unknown\r\n3306\/tcp open  mysql\r\n8888\/tcp open  sun-answerbook\r\nMAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)\r\nNo exact OS matches for host (If you know what OS is running on it, see http:\/\/www.insecure.org\/cgi-bin\/nmap-submit.cgi).\r\nTCP\/IP fingerprint:\r\nSInfo(V=4.11%P=i686-redhat-linux-gnu%D=11\/11%Tm=52815CF4%O=22%C=1%M=080027)\r\nTSeq(Class=TR%IPID=Z%TS=1000HZ)\r\nT1(Resp=Y%DF=Y%W=16A0%ACK=S++%Flags=AS%Ops=MNNTNW)\r\nT2(Resp=N)\r\nT3(Resp=Y%DF=Y%W=16A0%ACK=S++%Flags=AS%Ops=MNNTNW)\r\nT4(Resp=Y%DF=Y%W=0%ACK=O%Flags=Option -O and -osscan-guess also helps to discover OS\r\nR%Ops=)\r\nT5(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)\r\nT6(Resp=Y%DF=Y%W=0%ACK=O%Flags=R%Ops=)\r\nT7(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)\r\nPU(Resp=Y%DF=N%TOS=C0%IPLEN=164%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)\r\n\r\nUptime 0.221 days (since Mon Nov 11 12:22:16 2013)\r\n\r\nNmap finished: 1 IP address (1 host up) scanned in 11.064 seconds\r\nYou have new mail in \/var\/spool\/mail\/root<\/pre>\n
    11. Scan a Host to Detect Firewall<\/h3>\n
    The below command will perform a scan on a remote host to detect if any packet filters or Firewall is used by host.<\/p>\n
    [root@server1 ~]# nmap -sA 192.168.0.101<\/strong>\r\n\r\nStarting Nmap 4.11 ( http:\/\/www.insecure.org\/nmap\/ ) at 2013-11-11 16:27 EST\r\nAll 1680 scanned ports on server2.tecmint.com (192.168.0.101) are UNfiltered\r\nMAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)\r\n\r\nNmap finished: 1 IP address (1 host up) scanned in 0.382 seconds\r\nYou have new mail in \/var\/spool\/mail\/root<\/pre>\n
    12. Scan a Host to check its protected by Firewall<\/h3>\n
    To scan a host if it is protected by any packet filtering software or Firewalls.<\/p>\n
    [root@server1 ~]# nmap -PN 192.168.0.101<\/strong>\r\n\r\nStarting Nmap 4.11 ( http:\/\/www.insecure.org\/nmap\/ ) at 2013-11-11 16:30 EST\r\nInteresting ports on server2.tecmint.com (192.168.0.101):\r\nNot shown: 1674 closed ports\r\nPORT     STATE SERVICE\r\n22\/tcp   open  ssh\r\n80\/tcp   open  http\r\n111\/tcp  open  rpcbind\r\n957\/tcp  open  unknown\r\n3306\/tcp open  mysql\r\n8888\/tcp open  sun-answerbook\r\nMAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)\r\n\r\nNmap finished: 1 IP address (1 host up) scanned in 0.399 seconds<\/pre>\n
    13. Find out Live hosts in a Network<\/h3>\n
    With the help of \u201c-sP<\/strong>\u201d option we can simply check which hosts are live and up in Network, with this option nmap skips port detection and other things.<\/p>\n
    [root@server1 ~]# nmap -sP 192.168.0.*<\/strong>\r\n\r\nStarting Nmap 4.11 ( http:\/\/www.insecure.org\/nmap\/ ) at 2013-11-18 11:01 EST\r\nHost server1.tecmint.com (192.168.0.100) appears to be up.\r\nHost server2.tecmint.com (192.168.0.101) appears to be up.\r\nMAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)\r\nNmap finished: 256 IP addresses (2 hosts up) scanned in 5.109 seconds<\/pre>\n
    14. Perform a Fast Scan<\/h3>\n
    You can perform a fast scan with \u201c-F<\/strong>\u201d option to scans for the ports listed in the nmap-services files and leaves all other ports.<\/p>\n
    [root@server1 ~]# nmap -F 192.168.0.101<\/strong>\r\n\r\nStarting Nmap 4.11 ( http:\/\/www.insecure.org\/nmap\/ ) at 2013-11-11 16:47 EST\r\nInteresting ports on server2.tecmint.com (192.168.0.101):\r\nNot shown: 1234 closed ports\r\nPORT     STATE SERVICE\r\n22\/tcp   open  ssh\r\n80\/tcp   open  http\r\n111\/tcp  open  rpcbind\r\n3306\/tcp open  mysql\r\n8888\/tcp open  sun-answerbook\r\nMAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)\r\n\r\nNmap finished: 1 IP address (1 host up) scanned in 0.322 seconds<\/pre>\n
    15. Find Nmap version<\/h3>\n
    You can find out Nmap version you are running on your machine with \u201c-V<\/strong>\u201d option.<\/p>\n
    [root@server1 ~]# nmap -V<\/strong>\r\n\r\nNmap version 4.11 ( http:\/\/www.insecure.org\/nmap\/ )\r\nYou have new mail in \/var\/spool\/mail\/root<\/pre>\n
    16. Scan Ports Consecutively<\/h3>\n
    Use the \u201c-r<\/strong>\u201d flag to don\u2019t randomize.<\/p>\n
    [root@server1 ~]# nmap -r 192.168.0.101<\/strong>\r\n\r\nStarting Nmap 4.11 ( http:\/\/www.insecure.org\/nmap\/ ) at 2013-11-11 16:52 EST\r\nInteresting ports on server2.tecmint.com (192.168.0.101):\r\nNot shown: 1674 closed ports\r\nPORT     STATE SERVICE\r\n22\/tcp   open  ssh\r\n80\/tcp   open  http\r\n111\/tcp  open  rpcbind\r\n957\/tcp  open  unknown\r\n3306\/tcp open  mysql\r\n8888\/tcp open  sun-answerbook\r\nMAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)\r\n\r\nNmap finished: 1 IP address (1 host up) scanned in 0.363 seconds<\/pre>\n
    17. Print Host interfaces and Routes<\/h3>\n
    You can find out host interface and route information with nmap by using \u201c\u2013iflist<\/strong>\u201d option.<\/p>\n
    [root@server1 ~]# nmap --iflist<\/strong>\r\n\r\nStarting Nmap 4.11 ( http:\/\/www.insecure.org\/nmap\/ ) at 2013-11-11 17:07 EST\r\n************************INTERFACES************************\r\nDEV  (SHORT) IP\/MASK          TYPE     UP MAC\r\nlo   (lo)    127.0.0.1\/8      loopback up\r\neth0 (eth0)  192.168.0.100\/24 ethernet up 08:00:27:11:C7:89\r\n\r\n**************************ROUTES**************************\r\nDST\/MASK      DEV  GATEWAY\r\n192.168.0.0\/0 eth0\r\n169.254.0.0\/0 eth0<\/pre>\n
    In above output, you can see that map is listing interfaces attached to your system and their respective routes.<\/p>\n
    18. Scan for specific Port<\/h3>\n
    There are various options to discover ports on remote machine with Nmap. You can specify the port you want nmap to scan with \u201c-p<\/strong>\u201d option, by default nmap scans only\u00a0TCP<\/strong>\u00a0ports.<\/p>\n
    [root@server1 ~]# nmap -p 80 server2.tecmint.com<\/strong>\r\n\r\nStarting Nmap 4.11 ( http:\/\/www.insecure.org\/nmap\/ ) at 2013-11-11 17:12 EST\r\nInteresting ports on server2.tecmint.com (192.168.0.101):\r\nPORT   STATE SERVICE\r\n80\/tcp open  http\r\nMAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)\r\n\r\nNmap finished: 1 IP address (1 host up) sca<\/pre>\n
    19. Scan a TCP Port<\/h3>\n
    You can also specify specific port types and numbers with nmap to scan.<\/p>\n
    [root@server1 ~]# nmap -p T:8888,80 server2.tecmint.com<\/strong>\r\n\r\nStarting Nmap 4.11 ( http:\/\/www.insecure.org\/nmap\/ ) at 2013-11-11 17:15 EST\r\nInteresting ports on server2.tecmint.com (192.168.0.101):\r\nPORT     STATE SERVICE\r\n80\/tcp   open  http\r\n8888\/tcp open  sun-answerbook\r\nMAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)\r\n\r\nNmap finished: 1 IP address (1 host up) scanned in 0.157 seconds<\/pre>\n
    20. Scan a UDP Port<\/h3>\n
    [root@server1 ~]# nmap -sU 53 server2.tecmint.com<\/strong>\r\n\r\nStarting Nmap 4.11 ( http:\/\/www.insecure.org\/nmap\/ ) at 2013-11-11 17:15 EST\r\nInteresting ports on server2.tecmint.com (192.168.0.101):\r\nPORT     STATE SERVICE\r\n53\/udp   open  http\r\n8888\/udp open  sun-answerbook\r\nMAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)\r\n\r\nNmap finished: 1 IP address (1 host up) scanned in 0.157 seconds<\/pre>\n
    21. Scan Multiple Ports<\/h3>\n
    You can also scan multiple ports using option \u201c-p<\/strong>\u201c.<\/p>\n
    [root@server1 ~]# nmap -p 80,443 192.168.0.101<\/strong>\r\n\r\nStarting Nmap 4.11 ( http:\/\/www.insecure.org\/nmap\/ ) at 2013-11-18 10:56 EST\r\nInteresting ports on server2.tecmint.com (192.168.0.101):\r\nPORT    STATE  SERVICE\r\n80\/tcp  open   http\r\n443\/tcp closed https\r\nMAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)\r\n\r\nNmap finished: 1 IP address (1 host up) scanned in 0.190 seconds<\/pre>\n
    22. Scan Ports by Network Range<\/h3>\n
    You can scan ports with ranges using expressions.<\/p>\n
    [root@server1 ~]#  nmap -p 80-160 192.168.0.101<\/strong><\/pre>\n
    23. Find Host Services version Numbers<\/h3>\n
    We can find out service\u2019s versions which are running on remote hosts with \u201c-sV<\/strong>\u201d option.<\/p>\n
    [root@server1 ~]# nmap -sV 192.168.0.101<\/strong>\r\n\r\nStarting Nmap 4.11 ( http:\/\/www.insecure.org\/nmap\/ ) at 2013-11-11 17:48 EST\r\nInteresting ports on server2.tecmint.com (192.168.0.101):\r\nNot shown: 1674 closed ports\r\nPORT     STATE SERVICE VERSION\r\n22\/tcp   open  ssh     OpenSSH 4.3 (protocol 2.0)\r\n80\/tcp   open  http    Apache httpd 2.2.3 ((CentOS))\r\n111\/tcp  open  rpcbind  2 (rpc #100000)\r\n957\/tcp  open  status   1 (rpc #100024)\r\n3306\/tcp open  mysql   MySQL (unauthorized)\r\n8888\/tcp open  http    lighttpd 1.4.32\r\nMAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)\r\n\r\nNmap finished: 1 IP address (1 host up) scanned in 12.624 seconds<\/pre>\n
    24. Scan remote hosts using TCP ACK (PA) and TCP Syn (PS)<\/h3>\n
    Sometimes packet filtering firewalls blocks standard\u00a0ICMP<\/strong>\u00a0ping requests, in that case, we can use\u00a0TCP ACK<\/strong>\u00a0and\u00a0TCP Syn<\/strong>\u00a0methods to scan remote hosts.<\/p>\n
    [root@server1 ~]# nmap -PS 192.168.0.101<\/strong>\r\n\r\nStarting Nmap 4.11 ( http:\/\/www.insecure.org\/nmap\/ ) at 2013-11-11 17:51 EST\r\nInteresting ports on server2.tecmint.com (192.168.0.101):\r\nNot shown: 1674 closed ports\r\nPORT     STATE SERVICE\r\n22\/tcp   open  ssh\r\n80\/tcp   open  http\r\n111\/tcp  open  rpcbind\r\n957\/tcp  open  unknown\r\n3306\/tcp open  mysql\r\n8888\/tcp open  sun-answerbook\r\nMAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)\r\n\r\nNmap finished: 1 IP address (1 host up) scanned in 0.360 seconds\r\nYou have new mail in \/var\/spool\/mail\/root<\/pre>\n
    25. Scan Remote host for specific ports with TCP ACK<\/h3>\n
    [root@server1 ~]# nmap -PA -p 22,80 192.168.0.101<\/strong>\r\n\r\nStarting Nmap 4.11 ( http:\/\/www.insecure.org\/nmap\/ ) at 2013-11-11 18:02 EST\r\nInteresting ports on server2.tecmint.com (192.168.0.101):\r\nPORT   STATE SERVICE\r\n22\/tcp open  ssh\r\n80\/tcp open  http\r\nMAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)\r\n\r\nNmap finished: 1 IP address (1 host up) scanned in 0.166 seconds\r\nYou have new mail in \/var\/spool\/mail\/root<\/pre>\n
    26. Scan Remote host for specific ports with TCP Syn<\/h3>\n
    [root@server1 ~]# nmap -PS -p 22,80 192.168.0.101<\/strong>\r\n\r\nStarting Nmap 4.11 ( http:\/\/www.insecure.org\/nmap\/ ) at 2013-11-11 18:08 EST\r\nInteresting ports on server2.tecmint.com (192.168.0.101):\r\nPORT   STATE SERVICE\r\n22\/tcp open  ssh\r\n80\/tcp open  http\r\nMAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)\r\n\r\nNmap finished: 1 IP address (1 host up) scanned in 0.165 seconds\r\nYou have new mail in \/var\/spool\/mail\/root<\/pre>\n
    27. Perform a stealthy Scan<\/h3>\n
    [root@server1 ~]# nmap -sS 192.168.0.101<\/strong>\r\n\r\nStarting Nmap 4.11 ( http:\/\/www.insecure.org\/nmap\/ ) at 2013-11-11 18:10 EST\r\nInteresting ports on server2.tecmint.com (192.168.0.101):\r\nNot shown: 1674 closed ports\r\nPORT     STATE SERVICE\r\n22\/tcp   open  ssh\r\n80\/tcp   open  http\r\n111\/tcp  open  rpcbind\r\n957\/tcp  open  unknown\r\n3306\/tcp open  mysql\r\n8888\/tcp open  sun-answerbook\r\nMAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)\r\n\r\nNmap finished: 1 IP address (1 host up) scanned in 0.383 seconds\r\nYou have new mail in \/var\/spool\/mail\/root<\/pre>\n
    28. Check most commonly used Ports with TCP Syn<\/h3>\n
    [root@server1 ~]# nmap -sT 192.168.0.101<\/strong>\r\n\r\nStarting Nmap 4.11 ( http:\/\/www.insecure.org\/nmap\/ ) at 2013-11-11 18:12 EST\r\nInteresting ports on server2.tecmint.com (192.168.0.101):\r\nNot shown: 1674 closed ports\r\nPORT     STATE SERVICE\r\n22\/tcp   open  ssh\r\n80\/tcp   open  http\r\n111\/tcp  open  rpcbind\r\n957\/tcp  open  unknown\r\n3306\/tcp open  mysql\r\n8888\/tcp open  sun-answerbook\r\nMAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)\r\n\r\nNmap finished: 1 IP address (1 host up) scanned in 0.406 seconds\r\nYou have new mail in \/var\/spool\/mail\/root<\/pre>\n
    29. Perform a tcp null scan to fool a firewall<\/h3>\n
    [root@server1 ~]# nmap -sN 192.168.0.101<\/strong>\r\n\r\nStarting Nmap 4.11 ( http:\/\/www.insecure.org\/nmap\/ ) at 2013-11-11 19:01 EST\r\nInteresting ports on server2.tecmint.com (192.168.0.101):\r\nNot shown: 1674 closed ports\r\nPORT     STATE         SERVICE\r\n22\/tcp   open|filtered ssh\r\n80\/tcp   open|filtered http\r\n111\/tcp  open|filtered rpcbind\r\n957\/tcp  open|filtered unknown\r\n3306\/tcp open|filtered mysql\r\n8888\/tcp open|filtered sun-answerbook\r\nMAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)\r\n\r\nNmap finished: 1 IP address (1 host up) scanned in 1.584 seconds\r\nYou have new mail in \/var\/spool\/mail\/root<\/pre>\n
    That\u2019s it with\u00a0NMAP<\/strong>\u00a0for now,<\/p>\n
    Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
    The\u00a0Nmap\u00a0aka\u00a0Network Mapper\u00a0is an open source and a very versatile tool for Linux system\/network administrators.\u00a0Nmap\u00a0is used for\u00a0exploring networks,\u00a0perform security scans,\u00a0network audit\u00a0and\u00a0finding open ports\u00a0on remote machine. It scans for Live hosts, Operating systems, packet filters and open ports running on remote hosts. Nmap Commands and Examples I\u2019ll be covering most of\u00a0NMAP\u00a0usage in two different parts and this … <\/p>\n
    Continue reading “29 Practical Examples of Nmap Commands for Linux System\/Network Administrators”<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-13580","post","type-post","status-publish","format-standard","hentry","category-linux"],"_links":{"self":[{"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/posts\/13580","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/comments?post=13580"}],"version-history":[{"count":1,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/posts\/13580\/revisions"}],"predecessor-version":[{"id":13581,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/posts\/13580\/revisions\/13581"}],"wp:attachment":[{"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/media?parent=13580"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/categories?post=13580"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/tags?post=13580"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}