
nmap : How to use nmap command in Linux with examples



Network exploration tool and security / port scanner

Help

# nmap -h
Usage: nmap [Scan Type(s)] [Options] {target specification}

HOST DISCOVERY:
  -Pn: Treat all hosts as online -- skip host discovery

SCAN TECHNIQUES:
  -sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
  -sU: UDP Scan

PORT SPECIFICATION AND SCAN ORDER:
  -p <port ranges>: Only scan specified ports
    Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080,S:9


EXAMPLES:
  nmap -v -A scanme.nmap.org
  nmap -v -sn 192.168.0.0/16 10.0.0.0/8
  nmap -v -iR 10000 -Pn -p 80
# man nmap
       -Pn (No ping) .
       -sT (TCP connect scan) .
       -sU (UDP scans) .


nmap command option samples

How to check a firewall

nmap -Pn -sT -p 22 xx.xx.xx.xx
nmap -Pn -sT -p 443 x.x.x.x --max-rtt-timeout 0.1

open or closed : the firewall passes the probe (the host itself answered).
filtered : the firewall blocks the probe (no answer, or an ICMP unreachable error).

# nmap -Pn -sT -p 3306 192.168.0.100

Starting Nmap 6.40 ( http://nmap.org ) at 20xx-09-21 16:36 JST
Nmap scan report for test-db-01.example.local (192.168.0.100)
Host is up.
PORT     STATE    SERVICE
3306/tcp filtered mysql

Nmap done: 1 IP address (1 host up) scanned in 2.09 seconds

Check TCP

# nmap google.com

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2015-01-28 21:07 JST
Warning: Hostname google.com resolves to 11 IPs. Using 74.125.235.102.
Interesting ports on nrt19s02-in-f6.1e100.net (74.125.235.102):
Not shown: 1678 filtered ports
PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https

Nmap finished: 1 IP address (1 host up) scanned in 31.587 seconds

Check UDP

nmap -sU google.com
# nmap -sU -p 161 127.0.0.1

Starting Nmap 6.40 ( http://nmap.org ) at 2019-09-18 00:47 JST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00024s latency).
PORT    STATE SERVICE
161/udp open  snmp

Nmap done: 1 IP address (1 host up) scanned in 0.08 seconds

Scan TCP and UDP

# time nmap -sT -sU  -Pn x.x.x.x
# time nmap -sT -sU  -Pn --scan-delay 10ms  x.x.x.x   # 100 probes/sec
# time nmap -sT -sU  -Pn --scan-delay 50ms  x.x.x.x/24   # 20 probes/sec

# time nmap -sT -sU  -Pn --scan-delay 50ms   -oX `date +"%Y%m%d_%H%M"`.txt   x.x.x.x/24   # 20 probes/sec, XML output to a timestamped file
# nmap -sT -sU  -Pn  localhost

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2015-01-28 21:26 JST
Interesting ports on localhost.localdomain (127.0.0.1):
Not shown: 3155 closed ports
PORT     STATE         SERVICE
22/tcp   open          ssh
25/tcp   open          smtp
80/tcp   open          http
139/tcp  open          netbios-ssn
199/tcp  open          smux
445/tcp  open          microsoft-ds
3306/tcp open          mysql
9999/tcp open          abyss
123/udp  open|filtered ntp
137/udp  open|filtered netbios-ns
138/udp  open|filtered netbios-dgm
161/udp  open|filtered snmp

Nmap finished: 1 IP address (1 host up) scanned in 1.301 seconds

Check a port range (from X to X)

# nmap -sU -sT   -p 1-500 localhost

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2015-01-28 21:28 JST
Interesting ports on localhost.localdomain (127.0.0.1):
Not shown: 990 closed ports
PORT    STATE         SERVICE
22/tcp  open          ssh
25/tcp  open          smtp
80/tcp  open          http
139/tcp open          netbios-ssn
199/tcp open          smux
445/tcp open          microsoft-ds
123/udp open|filtered ntp
137/udp open|filtered netbios-ns
138/udp open|filtered netbios-dgm
161/udp open|filtered snmp

Nmap finished: 1 IP address (1 host up) scanned in 1.236 seconds

Testing supported Cipher Suites

# nmap --script=ssl-enum-ciphers -p 443 www.google.com

Check Network Segment (/24)

nmap -sP -oG nmap.grep.txt 192.168.10.0/24   <- grepable text output (-sP is the older spelling of the -sn ping scan)

nmap -sP -oX nmap.xml 192.168.10.0/24    <- XML output
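The grepable (-oG) output above is meant to be parsed. As an added example (not from the original page), this POSIX shell script parses a constructed -oG file offline and applies the rule of thumb from the "How to check a firewall" section: open/closed means the firewall passed the probe, filtered means it blocked it. The host, ports and scan lines in the sample are constructed, not captured from a real scan.

```shell
#!/bin/sh
# Added example, not from the original page: parse nmap grepable (-oG) output
# offline and apply the page's firewall rule (open/closed = passed, filtered =
# blocked). For a live scan, feed it "nmap ... -oG - target | parse_ports".

# Constructed sample of -oG output (not a captured scan). Fields are tab-separated.
nmap_grep_sample() {
  printf '%s\n' '# Nmap 6.40 scan initiated as: nmap -Pn -sT -p 22,443,3306 -oG - 192.168.0.100'
  printf 'Host: 192.168.0.100 (test-db-01.example.local)\tStatus: Up\n'
  printf 'Host: 192.168.0.100 (test-db-01.example.local)\tPorts: 22/open/tcp//ssh///, 443/closed/tcp//https///, 3306/filtered/tcp//mysql///\tIgnored State: closed (0)\n'
  printf '%s\n' '# Nmap done -- 1 IP address (1 host up) scanned in 2.09 seconds'
}

# Print one "host port/proto state service" line per port found in -oG input on stdin.
parse_ports() {
  awk -F'\t' '
    /^Host:/ {
      host = $1; sub(/^Host: /, "", host); sub(/ \(.*$/, "", host)   # keep the address only
      for (i = 2; i <= NF; i++) {
        if ($i ~ /^Ports: /) {
          ports = $i; sub(/^Ports: /, "", ports)
          n = split(ports, entry, ", ")
          for (j = 1; j <= n; j++) {
            # each entry is port/state/proto/owner/service/rpc/version/
            split(entry[j], f, "/")
            printf "%s %s/%s %s %s\n", host, f[1], f[3], f[2], f[5]
          }
        }
      }
    }'
}

# Map an nmap port state to the page's firewall verdict.
fw_verdict() {
  case "$1" in
    open|closed)     echo "pass" ;;
    filtered)        echo "blocked" ;;
    "open|filtered") echo "undetermined (no reply; typical for UDP)" ;;
    *)               echo "unknown" ;;
  esac
}

# Combine both: one verdict line per scanned port.
report() {
  nmap_grep_sample | parse_ports | while read -r host port state service; do
    printf '%s %s %s %s firewall=%s\n' "$host" "$port" "$state" "$service" "$(fw_verdict "$state")"
  done
}
report
```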




Example

-O: Enable OS detection

# nmap -O localhost

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2015-01-28 21:17 JST
Interesting ports on localhost.localdomain (127.0.0.1):
Not shown: 1672 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
25/tcp   open  smtp
80/tcp   open  http
139/tcp  open  netbios-ssn
199/tcp  open  smux
445/tcp  open  microsoft-ds
3306/tcp open  mysql
9999/tcp open  abyss
(output abbreviated)



-sV: Probe open ports to determine service/version info

# nmap -O -sV localhost

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2015-01-28 21:18 JST
Interesting ports on localhost.localdomain (127.0.0.1):
Not shown: 1672 closed ports
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 4.3 (protocol 2.0)
25/tcp   open  smtp        Postfix smtpd
80/tcp   open  http        Apache httpd 2.2.11 ((Unix) mod_ssl/2.2.11 OpenSSL/0.9.8b PHP/5.1.6)
139/tcp  open  netbios-ssn Samba smbd 3.X (workgroup: HELP-PAL)
199/tcp  open  smux        Linux SNMP multiplexer
445/tcp  open  netbios-ssn Samba smbd 3.X (workgroup: HELP-PAL)
3306/tcp open  mysql       MySQL 5.0.45-log
9999/tcp open  http-proxy  DeleGate proxy 9.2.3
(output abbreviated)



-A: Enables OS detection and Version detection

# nmap -A localhost

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2015-01-28 21:15 JST
Interesting ports on localhost.localdomain (127.0.0.1):
Not shown: 1672 closed ports
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 4.3 (protocol 2.0)
25/tcp   open  smtp        Postfix smtpd
80/tcp   open  http        Apache httpd 2.2.11 ((Unix) mod_ssl/2.2.11 OpenSSL/0.9.8b PHP/5.1.6)
139/tcp  open  netbios-ssn Samba smbd 3.X (workgroup: HELP-PAL)
199/tcp  open  smux        Linux SNMP multiplexer
445/tcp  open  netbios-ssn Samba smbd 3.X (workgroup: HELP-PAL)
3306/tcp open  mysql       MySQL 5.0.45-log
9999/tcp open  http-proxy  DeleGate proxy 9.2.3
(output abbreviated)


memo

nmap -sV --reason -PN -n --top-ports 100 www.example.com   <- version scan (-sV) of the 100 most common ports, no ping (-PN, older spelling of -Pn), no DNS resolution (-n), and the reason for each port state (--reason)