Nmap Commands for Network Security
Nmap (Network Mapper) is a powerful open-source tool for network exploration and security auditing. It is widely used by security professionals to discover hosts and services on a computer network, thus creating a "map" of the network. This section provides a collection of useful Nmap commands for various scanning and auditing tasks.
Basic Network Scanning
These commands cover fundamental Nmap operations for discovering active hosts and open ports.
# Basic host discovery scan
nmap -sn 192.168.1.0/24
# Scan the default set of the 1000 most common TCP ports on a target
nmap target
# Scan all TCP ports
nmap -p- target
# Scan all TCP and UDP ports (takes significantly longer)
nmap -sU -sS -p- target
Version and OS Detection
Identify the operating system and service versions running on discovered hosts.
# Nmap verbose scan with OS and service version detection
nmap -v -sV -O target
# Aggressive scan: enables OS detection (-O), version detection (-sV), script scanning (-sC), and traceroute (--traceroute)
nmap -A -T4 target
Nmap Scripting Engine (NSE) Usage
Leverage Nmap's powerful scripting engine for advanced tasks like vulnerability detection and enumeration.
# Search nmap scripts for keywords (e.g., 'ftp')
ls /usr/share/nmap/scripts/* | grep ftp
# Legacy script for vulnerable SMB servers (removed from Nmap 7; use the smb-vuln-* scripts listed below instead). WARNING: unsafe=1 enables checks that can crash the target service
nmap -v -p 445 --script=smb-check-vulns --script-args=unsafe=1 target
# Port 21 - FTP specific scripts
nmap --script ftp-anon,ftp-bounce,ftp-libopie,ftp-proftpd-backdoor,ftp-vsftpd-backdoor,ftp-vuln-cve2010-4221,tftp-enum -p 21 target
# Port 25 - SMTP enumeration and vulnerability scripts
nmap --script=smtp-commands,smtp-enum-users,smtp-vuln-cve2010-4344,smtp-vuln-cve2011-1720,smtp-vuln-cve2011-1764 -p 25 target
# Example using smtp-user-enum (requires separate installation)
# smtp-user-enum -M VRFY -U /root/sectools/SecLists/Usernames/Names/names.txt -t target
# Port 69 - UDP TFTP enumeration (TFTP is UDP, so -sU is required or the script never runs)
nmap -sU -p 69 --script=tftp-enum 10.11.1.111
# Port 88 - Kerberos user enumeration
nmap -p 88 --script=krb5-enum-users --script-args="krb5-enum-users.realm='DOMAIN.LOCAL'" target
# Port 135 - MSRPC enumeration
nmap target --script=msrpc-enum
# Port 139/445 - SMB enumeration and vulnerability scripts (quote the wildcards so the shell does not expand them)
nmap --script='smb-enum*' --script-args=unsafe=1 -T5 target
nmap --script smb-enum-shares -p139,445 -T4 -Pn target
nmap --script 'smb-vuln*' -p139,445 -T4 -Pn target
nmap -p445 --script smb-brute --script-args userdb=userfilehere,passdb=/usr/share/seclists/Passwords/Common-Credentials/10-million-password-list-top-1000000.txt target -vvvv
nmap --script smb-brute target
# Port 161/162 UDP - SNMP scanning
nmap -vv -sV -sU -Pn -p 161,162 --script=snmp-netstat,snmp-processes target
# Port 443 - HTTPS Heartbleed vulnerability check
nmap -sV --script=ssl-heartbleed target
# Port 1433 (TCP) - MSSQL information gathering; the SQL Server Browser service is UDP 1434, not UDP 1433
nmap -p 1433 --script=ms-sql-info.nse target
# Port 1521 - Oracle database scanning
nmap -p 1521 -A target
nmap -p 1521 --script=oracle-tns-version,oracle-sid-brute,oracle-brute target
# Port 3306 - MySQL enumeration and vulnerability checks
nmap --script=mysql-databases.nse,mysql-empty-password.nse,mysql-enum.nse,mysql-info.nse,mysql-variables.nse,mysql-vuln-cve2012-2122.nse target -p 3306
# Port 3389 - RDP vulnerability check
nmap -p 3389 --script=rdp-vuln-ms12-020.nse target
# Port 5900 - VNC information gathering and brute-forcing
nmap --script=vnc-info,vnc-brute,vnc-title -p 5900 target
Output and Performance Options
Control Nmap's output formats and scanning speed.
# HTB-style scan: version detection (-sV), default script set (-sC), output in all formats (-oA writes .nmap, .gnmap and .xml)
nmap -sV -sC -oA nmap_scan_results target
# Increase scan speed using T4 timing
nmap -T4 target
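The all-ports scan above and the -oA/-oG output options are usually combined into a two-stage workflow: a fast full-port sweep saved in grepable form, then a version/script scan limited to the ports actually found open. The script below is an added example, not part of the original page; it assumes only a POSIX shell with awk, embeds a constructed -oG sample instead of running nmap, and uses placeholder host and file names.

```shell
#!/bin/sh
# Stage 1 would be: nmap -p- -oG all_ports.gnmap 192.168.1.0/24
# Stage 2 is generated from the grepable output by the functions below.

# Extract "host ports" pairs from a grepable (-oG) file: one line per host
# that has at least one open port, ports comma-separated in file order.
open_ports_from_gnmap() {
  awk '/^Host:/ && /Ports:/ {
    host = $2
    sub(/.*Ports: /, "")                   # keep only the port list
    sub(/[ \t]*Ignored State:.*/, "")      # drop the trailing summary
    n = split($0, entries, ", ")
    ports = ""
    for (i = 1; i <= n; i++) {
      split(entries[i], f, "/")            # port/state/proto/owner/service/...
      if (f[2] == "open") ports = ports (ports == "" ? "" : ",") f[1]
    }
    if (ports != "") print host, ports
  }' "$1"
}

# Constructed sample in nmap -oG format (two hosts, one with nothing open).
write_sample_gnmap() {
  cat > "$1" <<'EOF'
# Nmap 7.94 scan initiated as: nmap -p- -oG all_ports.gnmap 192.168.1.0/24
Host: 192.168.1.10 ()   Status: Up
Host: 192.168.1.10 ()   Ports: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/closed/tcp//https///, 445/open/tcp//microsoft-ds///   Ignored State: filtered (65531)
Host: 192.168.1.20 ()   Status: Up
Host: 192.168.1.20 ()   Ports: 3389/filtered/tcp//ms-wbt-server///   Ignored State: closed (65534)
# Nmap done at ...
EOF
}

# Print the stage-2 command for each host with open ports (does not run nmap).
followup_commands() {
  open_ports_from_gnmap "$1" | while read -r host ports; do
    printf 'nmap -sV -sC -p %s -oA scan_%s %s\n' "$ports" "$host" "$host"
  done
}
```

Run `write_sample_gnmap all_ports.gnmap && followup_commands all_ports.gnmap` to see the generated stage-2 line; pipe it to `sh` only after replacing the sample with your own scan output.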