Saturday, 3 August 2013

Top 5 Nmap Essential Commands That Every Penetration Tester Must Know

nmap network mapper tool

Nmap "Network Mapper" is a free and open source utility for network discovery and security auditing.
It is the most important enumeration tool of almost every hacker. In this tutorial, i will demonstrate only the most important commands that every beginner must need to know.
Nmap runs on all major computer operating systems, and official binary packages are available for Linux, Windows, and Mac OS X.   


Windows: users can download its GUI  as well as command line binaries. Graphical Nmap is called Zenmap. Both are available Here.

Linux: users can download it using a terminal commands with apt-get or yum package installer tools.
  • Debian Linux: sudo apt-get install nmap
  • RPM Linux: sudo yum install nmap
Mac OS X: users can download its standalone installer from Here.

Always run your Nmap tool with sudo user in linux and in windows run it as administrator for better performance and results.


1-Ping Scan:

Ping scan is used to check alive hosts in a network. Its a good command to analyze total hosts in a network in very short time.

I-Single IP Ping Scan:
Following command will perform a ping scan on one IP.
nmap -sP
II-Multiple IPs Ping Scan:
We can scan multiple victim IPs in 2 ways.

By Defining IP Range:
Following command, will scan victims from to Means total 254 IPs will be scanned with this command. Hyphen (-) is showing range.
nmap -sP
By giving IPs manually: 
In following command, we are giving 3 IPs for scanning using a space separator.
nmap -sP
III-Whole Network Ping Scan: 
To scan whole network we need to know network's subnet mask.With netmask we may calculate CIDR of network. For example, for netmask we have CIDR 24 and for netmask we have CIDR 22.
Kindly Check my IP Calculators tutorial for better under standing of networks mapping and calculation.
Following command will scan whole network and its sub-networks using CIDR notation.
nmap -sP

2- SYN Stealth Scan:

This is kind of ninja scanning in which you are very hard to be traced. This is the default scanning type that nmap uses in its scans. This scan type scans an IP for all well known ports (port numbers from from 1 -1023) in stealth mode. Parameter for SYN scan is -sS as I am using it in the following command.
nmap  -sS

4- Service Scan (Vulnerability Scan): 

This is the most important scan type which is used by many penetration testers for exploitation purpose. This scan type is used to enumerate services on remote systems and through version of those services, we check that either those services are exploitable or not. Following command will scan whole network for running services on remote systems.
 nmap -sV
For Better Understanding Of Service Scan Usage, follow my tutorial : 
Proper Way Of Vulnerability Exploitation Using Metasploit And Nessus

4- Port Scan: 

Nmap by default scans for all well known ports only, but if you want to scan custom ports then u need to give a parameter -p and after that u can give the ports that you want to scan.
Following command will do a stealth scan, service scan as well as port scan from port number 2000 to 4000.
nmap -sS -sV -p 2000-4000
or you can give multiple comma separated ports
nmap -sS -sV -p 12000,25000 192,168.1.200

5- OS Detection Scan:

OS scanning is a great feature of nmap in which nmap can guess the Operating System of remote machine by analyzing services running on it. Parameter for OS detection scan is -O.
nmap -O
NOTE: For verbose (detailed) information, you can use Parameter -v in your scans.
nmap -O -v

Happy Hacking :)