nmap Command in Linux with examples

Nmap Command with Examples in Linux System

This article explains various Nmap commands, with examples, for Linux systems. Nmap is used for exploring networks, performing security scans and network audits, and finding open ports on remote machines. It also discovers live hosts, operating systems, packet filters and the services listening on remote hosts.

To Install Nmap

To install Nmap on your distribution, use its package manager; on CentOS the command is as follows.

[root@linuxhelp ~]# yum install nmap
Loaded plugins: aliases, changelog, fastestmirror, kabi, presto, refresh-packagekit,
              : security, tmprepo, verify, versionlock
Loading support for CentOS kernel ABI
Setting up Install Process
Loading mirror speeds from cached hostfile
 * base: centos-hcm.viettelidc.com.vn
 * extras: mirror.fibergrid.in
 * updates: mirrors.vonline.vn
----> Package 2:nmap-5.51-4.el6.x86_64 will be installed
.
.
.
Installed:
    nmap-5.51-4.el6.x86_64

Complete!

To Scan a System with Hostname and IP Address

Execute the following command to scan the open ports, services and MAC address of a system, giving its IP address or hostname. Scan using an IP address:

[root@linuxhelp ~]# nmap 192.168.7.13

Starting Nmap 5.51 ( http://nmap.org ) at 2016-06-17 11:00 IST
Nmap scan report for 192.168.7.13
Host is up (0.00019s latency).
Not shown: 991 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
80/tcp   open  http
111/tcp  open  rpcbind
2049/tcp open  nfs
3128/tcp open  squid-http
5500/tcp open  hotline
5900/tcp open  vnc
5901/tcp open  vnc-1
5989/tcp open  wbem-https

Nmap done: 1 IP address (1 host up) scanned in 0.16 seconds
Scanning using the “-v” option

To get more detailed information about the remote machine, use the command below with the “-v” (verbose) option.

[root@linuxhelp ~]# nmap -v 192.168.7.13

Starting Nmap 5.51 ( http://nmap.org ) at 2016-06-17 11:01 IST
Initiating Ping Scan at 11:01
Scanning 192.168.7.13 [4 ports]
Completed Ping Scan at 11:01, 0.00s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 11:01
Completed Parallel DNS resolution of 1 host. at 11:01, 0.07s elapsed
Initiating SYN Stealth Scan at 11:01
Scanning 192.168.7.13 [1000 ports]
Discovered open port 111/tcp on 192.168.7.13
Discovered open port 5900/tcp on 192.168.7.13
Discovered open port 80/tcp on 192.168.7.13
Discovered open port 21/tcp on 192.168.7.13
Discovered open port 5901/tcp on 192.168.7.13
Discovered open port 5500/tcp on 192.168.7.13
.
. 
. 
Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.17 seconds
           Raw packets sent: 1004 (44.152KB) | Rcvd: 1001 (40.064KB)

Multiple Hosts Scanning

To scan multiple hosts, list their IP addresses or hostnames after the nmap command.

[root@linuxhelp ~]# nmap 192.168.7.7 192.168.7.13 192.168.5.177

Starting Nmap 5.51 ( http://nmap.org ) at 2016-06-17 11:04 IST
Nmap scan report for 192.168.7.7
Host is up (0.00022s latency).
Not shown: 986 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
25/tcp   open  smtp
53/tcp   open  domain
80/tcp   open  http
110/tcp  open  pop3
111/tcp  open  rpcbind
.
.
Nmap scan report for 192.168.7.13
Host is up (0.00022s latency).
.
.
Nmap scan report for 192.168.5.177
Host is up (0.00022s latency).
.
.
111/tcp  open  rpcbind
5989/tcp open  wbem-https

Nmap done: 3 IP addresses (3 hosts up) scanned in 0.17 seconds

To Scan a whole Subnet

Use the * wildcard to scan a whole subnet or IP range with Nmap.

[root@linuxhelp ~]# nmap 192.168.7.*

Starting Nmap 5.51 ( http://nmap.org ) at 2016-06-17 11:06 IST
Nmap scan report for 192.168.7.1
Host is up (0.0024s latency).
Not shown: 996 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
23/tcp  open  telnet
80/tcp  open  http
443/tcp open  https

Nmap scan report for 192.168.7.2
.
.
Nmap scan report for 192.168.7.200
Host is up (0.00043s latency).
Not shown: 999 closed ports
PORT     STATE SERVICE
3128/tcp open  squid-http

Nmap done: 256 IP addresses (18 hosts up) scanned in 12.86 seconds
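The subnet and multi-host scans above produce one "Nmap scan report for" block per host. The following added example (not code from the original article) parses that normal-output format into a per-host port list and then flags open services that an assumed exposure policy (telnet, ftp, vnc) does not allow; the sample output is constructed to mirror the page's results.

```python
import re
from collections import defaultdict
# Constructed sample in the same normal-output format as the scans above
# (hosts and ports modelled on the page's 192.168.7.0/24 results).
SAMPLE_OUTPUT = """\
Nmap scan report for 192.168.7.1
Host is up (0.0024s latency).
PORT    STATE SERVICE
22/tcp  open  ssh
23/tcp  open  telnet

Nmap scan report for 192.168.7.13
Host is up (0.00019s latency).
PORT     STATE SERVICE
21/tcp   open  ftp
5900/tcp open  vnc

Nmap done: 256 IP addresses (2 hosts up) scanned in 12.86 seconds
"""
HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")

def parse_nmap_output(text):
    """Return {host: [(port, proto, state, service), ...]} from normal output."""
    hosts = defaultdict(list)
    current = None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = m.group(1)  # every later port line belongs to this host
            continue
        m = PORT_RE.match(line)
        if m and current is not None:
            port, proto, state, service = m.groups()
            hosts[current].append((int(port), proto, state, service))
    return dict(hosts)

# Assumed exposure policy for the example: cleartext logins and remote desktop
# must not be reachable on this network (nmap itself makes no such judgement).
DISALLOWED = {"telnet", "ftp", "vnc", "vnc-1"}

def unexpected_services(hosts):
    """Return (host, port/proto, service) for open ports that break the policy."""
    findings = []
    for host, ports in sorted(hosts.items()):
        for port, proto, state, service in ports:
            if state == "open" and service in DISALLOWED:
                findings.append((host, f"{port}/{proto}", service))
    return findings
```

Feed it the saved output of a real `nmap 192.168.7.*` run to get the same findings list for your own network.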

To Scan Multiple Servers using the last octet of the IP address

To scan multiple IP addresses in the same network, give a comma-separated list of last octets.

[root@linuxhelp ~]# nmap 192.168.7.2,7,13

Starting Nmap 5.51 ( http://nmap.org ) at 2016-06-17 11:11 IST
Nmap scan report for 192.168.7.2
Host is up (0.00031s latency).
Not shown: 988 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
25/tcp   open  smtp
53/tcp   open  domain
80/tcp   open  http
110/tcp  open  pop3
.
.
Nmap scan report for 192.168.7.7
Host is up (0.00022s latency).
.
.
Nmap scan report for 192.168.7.13
Host is up (0.00022s latency).
.
.
5989/tcp open  wbem-https

Nmap done: 3 IP addresses (3 hosts up) scanned in 0.39 seconds

To Scan an IP Address Range

To specify an IP range, execute the following command.

[root@linuxhelp ~]# nmap 192.168.7.2-11

Starting Nmap 5.51 ( http://nmap.org ) at 2016-06-17 11:29 IST
Nmap scan report for 192.168.7.2
Host is up (0.00035s latency).
Not shown: 988 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
25/tcp   open  smtp
53/tcp   open  domain
80/tcp   open  http
110/tcp  open  pop3
.
.
3306/tcp open  mysql

Nmap done: 10 IP addresses (6 hosts up) scanned in 6.75 seconds

To Scan Network Excluding a Host

To exclude some hosts from a wildcard scan, use the “--exclude” option.

[root@linuxhelp ~]# nmap 192.168.7.* --exclude 192.168.7.11

Starting Nmap 5.51 ( http://nmap.org ) at 2016-06-17 11:35 IST
Nmap scan report for 192.168.7.1
Host is up (0.0012s latency).
Not shown: 996 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
23/tcp  open  telnet
80/tcp  open  http
.
.
3128/tcp open  squid-http

Nmap done: 255 IP addresses (17 hosts up) scanned in 15.44 seconds

To Scan OS information and Traceroute

Use the “-A” option with Nmap to view OS information, service versions and a traceroute.

[root@linuxhelp ~]# nmap -A 192.168.7.7

Starting Nmap 5.51 ( http://nmap.org ) at 2016-06-17 11:38 IST
Nmap scan report for 192.168.7.7
Host is up (0.00038s latency).
Not shown: 986 closed ports
PORT     STATE SERVICE  VERSION
21/tcp   open  ftp      Pure-FTPd
25/tcp   open  smtp?
53/tcp   open  domain
80/tcp   open  http     Apache httpd
.
.
TRACEROUTE (using port 8888/tcp)
HOP RTT     ADDRESS
1   0.96 ms 192.168.5.1
2   0.28 ms 192.168.7.7

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 163.81 seconds

In the above output, we can see that nmap has come up with a TCP/IP fingerprint of the OS running on the remote host, along with the service versions and the route to it.

To Enable OS Detection with Nmap

We can also discover OS information by using the “-O” and “--osscan-guess” options.

[root@linuxhelp ~]# nmap -O 192.168.7.7

Starting Nmap 5.51 ( http://nmap.org ) at 2016-06-17 11:44 IST
Nmap scan report for 192.168.7.7
Host is up (0.00039s latency).
Not shown: 985 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
25/tcp   open  smtp
53/tcp   open  domain
.
.
Network Distance: 1 hop

OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.06 seconds

To Scan a Host to Detect Firewall

Use the following ACK scan to detect whether a host uses packet filters or a firewall; ports reported as "unfiltered" are reachable without filtering.

[root@linuxhelp ~]# nmap -sA 192.168.7.13

Starting Nmap 5.51 ( http://nmap.org ) at 2016-06-10 06:52 IST
Nmap scan report for 192.168.7.13
Host is up (0.00017s latency).
All 1000 scanned ports on 192.168.7.13 are unfiltered

Nmap done: 1 IP address (1 host up) scanned in 0.39 seconds

To Scan a Host to check whether it's protected by a Firewall

Execute the following command to scan a host that is protected by packet filtering software or a firewall; “-PN” skips the ping-based host discovery and scans the host anyway.

[root@linuxhelp ~]# nmap -PN 192.168.7.13

Starting Nmap 5.51 ( http://nmap.org ) at 2016-06-10 06:54 IST
Nmap scan report for 192.168.7.13
Host is up (0.00020s latency).
Not shown: 991 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
80/tcp   open  http
111/tcp  open  rpcbind
2049/tcp open  nfs
3128/tcp open  squid-http
5500/tcp open  hotline
5900/tcp open  vnc
5901/tcp open  vnc-1
5989/tcp open  wbem-https

Nmap done: 1 IP address (1 host up) scanned in 0.09 seconds

To Find out Live hosts in a Network

Use the “-sP” option to check which hosts are live in the network; with this option nmap skips port scanning and the other steps.

[root@linuxhelp ~]# nmap -sP 192.168.5.*

Starting Nmap 5.51 ( http://nmap.org ) at 2016-06-10 06:57 IST
Nmap scan report for 192.168.5.1
Host is up (0.0035s latency).
MAC Address: 3C:61:04:6C:D6:81 (Unknown)
Nmap scan report for 192.168.5.14
Host is up (0.00039s latency).
MAC Address: 00:27:0E:14:DB:A1 (Intel Corporate)
Nmap scan report for 192.168.5.18
Host is up (0.000093s latency).
MAC Address: 00:27:0E:14:CC:5F (Intel Corporate)
Nmap scan report for 192.168.5.19
Host is up (0.00016s latency).
MAC Address: 00:27:0E:14:D3:0F (Intel Corporate)
Nmap scan report for 192.168.5.177
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 5.28 seconds.

To Perform a Fast Scan

To perform a fast scan of the most common ports, use the “-F” option.

[root@linuxhelp ~]# nmap -F 192.168.7.13

Starting Nmap 5.51 ( http://nmap.org ) at 2016-06-10 07:03 IST
Nmap scan report for 192.168.7.13
Host is up (0.00015s latency).
Not shown: 94 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
80/tcp   open  http
111/tcp  open  rpcbind
2049/tcp open  nfs
3128/tcp open  squid-http
5900/tcp open  vnc

Nmap done: 1 IP address (1 host up) scanned in 0.06 seconds

To Scan the Ports Consecutively

To scan ports in consecutive order instead of nmap's default randomized order, use the “-r” option.

[root@linuxhelp ~]# nmap -r 192.168.7.13

Starting Nmap 5.51 ( http://nmap.org ) at 2016-06-10 07:07 IST
Nmap scan report for 192.168.7.13
Host is up (0.00036s latency).
Not shown: 991 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
80/tcp   open  http
111/tcp  open  rpcbind
2049/tcp open  nfs
3128/tcp open  squid-http
5500/tcp open  hotline
5900/tcp open  vnc
5901/tcp open  vnc-1
5989/tcp open  wbem-https

Nmap done: 1 IP address (1 host up) scanned in 0.10 seconds

To Print Host interfaces and Routes

Use the “--iflist” option to print the host's interfaces and routes.

[root@linuxhelp ~]# nmap --iflist

Starting Nmap 5.51 ( http://nmap.org ) at 2016-06-10 07:08 IST
************************INTERFACES************************
DEV    (SHORT)  IP/MASK          TYPE     UP MTU   MAC
lo     (lo)     127.0.0.1/8      loopback up 65536
eth1   (eth1)   192.168.5.177/24 ethernet up 1500  00:0C:29:3F:43:A5
virbr0 (virbr0) 192.168.122.1/24 ethernet up 1500  52:54:00:6A:E0:F8

**************************ROUTES**************************
DST/MASK         DEV    GATEWAY
192.168.5.0/24   eth1
192.168.122.0/24 virbr0
169.254.0.0/16   eth1
0.0.0.0/0        eth1   192.168.5.1

To Scan for specific Port

By default, nmap scans TCP ports; use the “-p” option to scan a specific port.

[root@linuxhelp ~]# nmap -p 80 192.168.7.13

Starting Nmap 5.51 ( http://nmap.org ) at 2016-06-10 07:12 IST
Nmap scan report for 192.168.7.13
Host is up (0.00038s latency).
PORT   STATE SERVICE
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 0.06 seconds

To Scan a TCP Port

Specify the port type (T: for TCP) and the port numbers with nmap to scan.

[root@linuxhelp ~]# nmap -p T:8888,80 192.168.5.177

Starting Nmap 5.51 ( http://nmap.org ) at 2016-06-10 07:14 IST
Nmap scan report for 192.168.5.177
Host is up (0.000028s latency).
PORT     STATE  SERVICE
80/tcp   closed http
8888/tcp closed sun-answerbook

Nmap done: 1 IP address (1 host up) scanned in 0.06 seconds

To Scan a UDP Port

[root@linuxhelp ~]# nmap -sU -p 53 192.168.5.177

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 17:15 EST
Interesting ports on system.linuxhelp1.com (192.168.5.177):
PORT     STATE SERVICE
53/udp   open  http
8888/udp open  sun-answerbook
MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)

Nmap finished: 1 IP address (1 host up) scanned in 0.157 seconds

To Scan Multiple Ports

Use the “-p” option with a comma-separated list to scan multiple ports.

[root@linuxhelp ~]# nmap -p 80,443 192.168.5.177

Starting Nmap 5.51 ( http://nmap.org ) at 2016-06-10 07:21 IST
Nmap scan report for 192.168.5.177
Host is up (0.000041s latency).
PORT    STATE  SERVICE
80/tcp  closed http
443/tcp closed https

Nmap done: 1 IP address (1 host up) scanned in 0.05 seconds

To Scan a Port Range

Scan a range of ports using the following command.

[root@linuxhelp ~]# nmap -p 80-160 192.168.7.13

Starting Nmap 5.51 ( http://nmap.org ) at 2016-06-10 07:22 IST
Nmap scan report for 192.168.7.13
Host is up (0.00020s latency).
Not shown: 79 closed ports
PORT    STATE SERVICE
80/tcp  open  http
111/tcp open  rpcbind

Nmap done: 1 IP address (1 host up) scanned in 0.06 seconds
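The “-p” sections above use several spellings of a port list: a single port, a comma-separated list, a range, and the protocol-qualified form (T:8888,80). As an added example (not part of the original article), the function below expands those forms into a set of (protocol, port) pairs the way nmap interprets them, with a qualifier applying to the items that follow it; it covers only the forms shown on this page, not nmap's full port grammar.

```python
import re

def parse_port_spec(spec):
    """Expand an nmap -p style port specification into {(proto, port), ...}.

    Supports "80", "80,443", "80-160" and qualified items such as "T:8888,80"
    or "U:53". A qualifier stays in effect for later items, as in nmap.
    Unqualified items default to TCP (assumption: matches the page's usage,
    where UDP ports are only scanned when -sU is given).
    """
    ports = set()
    proto = "tcp"
    for item in spec.split(","):
        item = item.strip()
        if not item:
            raise ValueError(f"empty item in port spec {spec!r}")
        if ":" in item:
            qual, item = item.split(":", 1)
            proto = {"T": "tcp", "U": "udp"}.get(qual.upper())
            if proto is None:
                raise ValueError(f"unknown protocol qualifier {qual!r}")
        m = re.fullmatch(r"(\d+)(?:-(\d+))?", item)
        if not m:
            raise ValueError(f"bad port item {item!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if not 0 <= lo <= hi <= 65535:
            raise ValueError(f"port range out of bounds: {item!r}")
        ports.update((proto, p) for p in range(lo, hi + 1))
    return ports
```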

To Find Host Services version Numbers

Use the “-sV” option to find the versions of the services running on remote hosts.

[root@linuxhelp ~]# nmap -sV 192.168.5.177

Starting Nmap 5.51 ( http://nmap.org ) at 2016-06-10 07:27 IST
Nmap scan report for 192.168.5.177
Host is up (0.0000060s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE  VERSION
22/tcp   open  ssh      OpenSSH 5.3 (protocol 2.0)
111/tcp  open  rpcbind
5989/tcp open  ssl/http Web-Based Enterprise Management CIM serverOpenPegasus WBEM httpd
Service Info: OS: Linux

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 29.71 seconds

To Scan Remote Hosts using TCP ACK (PA) and TCP Syn (PS)

Packet filtering firewalls may block the standard ICMP ping requests; in that case we can use the TCP ACK (-PA) and TCP SYN (-PS) ping methods to discover remote hosts.

[root@linuxhelp ~]# nmap -PS 192.168.5.177

Starting Nmap 5.51 ( http://nmap.org ) at 2016-06-10 07:31 IST
Nmap scan report for 192.168.5.177
Host is up (0.0000060s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
111/tcp  open  rpcbind
5989/tcp open  wbem-https

Nmap done: 1 IP address (1 host up) scanned in 0.06 seconds

To Scan Remote host for specific ports with TCP ACK

[root@server1 ~]# nmap -PA -p 22,80 192.168.5.177

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 18:02 EST
Interesting ports on system.linuxhelp1.com (192.168.5.177):
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)

Nmap finished: 1 IP address (1 host up) scanned in 0.166 seconds

Scan Remote host for specific ports with TCP Syn.

[root@linuxhelp ~]# nmap -PS -p 22,80 192.168.5.177

Starting Nmap 5.51 ( http://nmap.org ) at 2016-06-10 07:31 IST
Nmap scan report for 192.168.5.177
Host is up (0.000035s latency).
PORT   STATE  SERVICE
22/tcp open   ssh
80/tcp closed http

Nmap done: 1 IP address (1 host up) scanned in 0.05 seconds

Perform a stealthy Scan

[root@linuxhelp ~]# nmap -sS 192.168.5.177

Starting Nmap 5.51 ( http://nmap.org ) at 2016-06-10 07:34 IST
Nmap scan report for 192.168.5.177
Host is up (0.0000060s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
111/tcp  open  rpcbind
5989/tcp open  wbem-https

Nmap done: 1 IP address (1 host up) scanned in 0.07 seconds

Check most commonly used Ports with a TCP connect (-sT) scan

[root@linuxhelp ~]# nmap -sT 192.168.5.177

Starting Nmap 5.51 ( http://nmap.org ) at 2016-06-10 07:34 IST
Nmap scan report for 192.168.5.177
Host is up (0.00036s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
111/tcp  open  rpcbind
5989/tcp open  wbem-https

Nmap done: 1 IP address (1 host up) scanned in 0.08 seconds

Perform a TCP null scan.

[root@linuxhelp ~]# nmap -sN 192.168.5.177
Starting Nmap 5.51 ( http://nmap.org ) at 2016-06-10 07:36 IST
Nmap scan report for 192.168.5.177
Host is up.
All 1000 scanned ports on 192.168.5.177 are open|filtered

Nmap done: 1 IP address (1 host up) scanned in 201.46 seconds

To Find Nmap version

Run nmap with the “-V” option to find the Nmap version.

[root@linuxhelp ~]# nmap -V
Nmap version 5.51 ( http://nmap.org )
FAQ

Q: How do I enable OS detection with Nmap in Linux?
A: Execute the following command to enable OS detection with Nmap in Linux:
# nmap -O 192.168.7.7

Q: How do I scan OS information and traceroute in Linux?
A: Use the following command to scan OS information and traceroute:
# nmap -A 192.168.7.7

Q: How do I scan a subnet or IP range in Linux?
A: Execute the command below for the IP range:
# nmap 192.168.1.5

Q: I don't want all IPs in a subnet to be scanned; how do I avoid some of them?
A: Use the --exclude option for it (for example: nmap 192.168.7.* --exclude 192.168.7.11)

Q: How do I install the nmap package on Fedora?
A: Use the following command to install nmap:
# dnf install nmap