Nmap (Network Mapper) is an open-source and widely used tool for Linux system and network administrators. It is used to discover hosts on a network, perform security scans and network audits, and find open ports on remote machines. For a remote host it reports whether the host is online, what operating system it appears to run, which packet filters or firewalls are in the path, and which ports are open.
I will cover the most important Nmap commands in two parts; this is the first. For the setup below I use two servers with their firewalls disabled to test the Nmap commands.
- 192.168.0.100 - server1.tecmint.com
- 192.168.0.101 - server2.tecmint.com
Nmap command usage

```
# nmap [Scan Type(s)] [Options] {target specification}
```

How to install Nmap in Linux
Current releases of most Linux distributions (Red Hat, CentOS, Fedora, Debian and Ubuntu) ship Nmap in their default package repositories, so it can be installed and kept up to date with the distribution's package manager (yum or apt). Install Nmap with one of the following commands.

```
# yum install nmap              [on Red Hat based systems]
$ sudo apt-get install nmap     [on Debian based systems]
```
Once Nmap is installed, you can follow the examples in this article.
1. Scan a system by host name or IP address

Nmap provides several ways to scan a system. In this example I scan server2.tecmint.com by host name to find its open ports, the services mapped to them, and its MAC address. Two things to keep in mind when reading the output: the SERVICE column is a lookup in Nmap's nmap-services port table, not a probe of what is actually listening (use -sV for that), which is why a port such as 957/tcp shows as "unknown"; and the MAC address line appears only because the target is on the same Ethernet segment, where Nmap learns it via ARP. Nmap 4.11 scanned 1680 TCP ports by default; current releases scan the 1000 most common ports, and -p- scans all 65535.

Scan by host name
```
[root@server1 ~]# nmap server2.tecmint.com

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 15:42 EST
Interesting ports on server2.tecmint.com (192.168.0.101):
Not shown: 1674 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind
957/tcp  open  unknown
3306/tcp open  mysql
8888/tcp open  sun-answerbook
MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)

Nmap finished: 1 IP address (1 host up) scanned in 0.415 seconds
```
Scan by IP address
```
[root@server1 ~]# nmap 192.168.0.101

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-18 11:04 EST
Interesting ports on server2.tecmint.com (192.168.0.101):
Not shown: 1674 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind
958/tcp  open  unknown
3306/tcp open  mysql
8888/tcp open  sun-answerbook
MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)

Nmap finished: 1 IP address (1 host up) scanned in 0.465 seconds
```
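To show what the port table from these two scans actually gives you, here is an added Python example (not part of the original article and not Nmap's own code) that parses Nmap's human-readable "normal" output into a structured report and diffs the two runs above, flagging ports that opened or closed between them. The sample inputs are the two outputs from this section, trimmed to the lines the parser needs. In real use prefer Nmap's machine-readable formats (-oX or -oG) over parsing the text, which has changed between versions; this parser accepts both the Nmap 4.x "Interesting ports on" header and the newer "Nmap scan report for" header.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample input: the two scan outputs from section 1 of the
# article, trimmed to the lines this parser reads.
SCAN_NOV11 = """\
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 15:42 EST
Interesting ports on server2.tecmint.com (192.168.0.101):
Not shown: 1674 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind
957/tcp  open  unknown
3306/tcp open  mysql
8888/tcp open  sun-answerbook
MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)
Nmap finished: 1 IP address (1 host up) scanned in 0.415 seconds
"""

SCAN_NOV18 = """\
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-18 11:04 EST
Interesting ports on server2.tecmint.com (192.168.0.101):
Not shown: 1674 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind
958/tcp  open  unknown
3306/tcp open  mysql
8888/tcp open  sun-answerbook
MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)
Nmap finished: 1 IP address (1 host up) scanned in 0.465 seconds
"""

Port = Tuple[int, str]  # (port number, protocol)


@dataclass
class HostReport:
    name: str
    ip: str
    mac: Optional[str] = None
    # (port, proto) -> (state, service name as looked up in Nmap's port table)
    ports: Dict[Port, Tuple[str, str]] = field(default_factory=dict)


# Nmap 4.x prints "Interesting ports on HOST (IP):"; Nmap 5 and later print
# "Nmap scan report for HOST (IP)". The parenthesised IP is absent when the
# target was given as a bare address.
_HOST_RE = re.compile(
    r"^(?:Interesting ports on|Nmap scan report for) (\S+)"
    r"(?: \((\d{1,3}(?:\.\d{1,3}){3})\))?:?$"
)
_PORT_RE = re.compile(r"^(\d+)/(tcp|udp|sctp)\s+(\S+)\s+(\S+)")
_MAC_RE = re.compile(r"^MAC Address: ([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})")


def parse_normal_output(text: str) -> List[HostReport]:
    """Parse Nmap normal output into one HostReport per host block, in output order."""
    reports: List[HostReport] = []
    current: Optional[HostReport] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _HOST_RE.match(line)
        if m:
            name, ip = m.group(1), m.group(2) or m.group(1)
            current = HostReport(name=name, ip=ip)
            reports.append(current)
            continue
        if current is None:
            continue  # banner lines before the first host block
        m = _PORT_RE.match(line)
        if m:
            port, proto, state, service = m.groups()
            current.ports[(int(port), proto)] = (state, service)
            continue
        m = _MAC_RE.match(line)
        if m:
            current.mac = m.group(1).upper()
    return reports


def open_ports(report: HostReport) -> List[Port]:
    """Sorted (port, proto) pairs that Nmap reported as open."""
    return sorted(p for p, (state, _) in report.ports.items() if state == "open")


def diff_open_ports(baseline: HostReport, current: HostReport) -> Dict[str, Set[Port]]:
    """Compare two reports of the same host: which open ports appeared and which disappeared."""
    before, after = set(open_ports(baseline)), set(open_ports(current))
    return {"newly_open": after - before, "no_longer_open": before - after}


if __name__ == "__main__":
    base = parse_normal_output(SCAN_NOV11)[0]
    cur = parse_normal_output(SCAN_NOV18)[0]
    print(f"{cur.name} ({cur.ip}) MAC {cur.mac}: open {open_ports(cur)}")
    print("drift since baseline:", diff_open_ports(base, cur))
```

Run against the two outputs above, diff_open_ports reports 958/tcp as newly open and 957/tcp as no longer open. A scheduled scan diffed against a stored baseline in this way is the simplest route from ad hoc port scanning to detecting unexpected services appearing on a host.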
2. Scan with the -v option

The following command adds the -v (verbose) option, which makes Nmap print more detail about what it is doing against the remote machine: the ARP ping used for host discovery on the local segment, the SYN scan phase, and each open port as it is found. Because the scan runs as root, Nmap defaults to a SYN ("stealth") scan (-sS), which never completes the TCP handshake; an unprivileged user gets a TCP connect scan (-sT) instead, which does complete it and is therefore more likely to show up in the target's application logs.
```
[root@server1 ~]# nmap -v server2.tecmint.com

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 15:43 EST
Initiating ARP Ping Scan against 192.168.0.101 [1 port] at 15:43
The ARP Ping Scan took 0.01s to scan 1 total hosts.
Initiating SYN Stealth Scan against server2.tecmint.com (192.168.0.101) [1680 ports] at 15:43
Discovered open port 22/tcp on 192.168.0.101
Discovered open port 80/tcp on 192.168.0.101
Discovered open port 8888/tcp on 192.168.0.101
Discovered open port 111/tcp on 192.168.0.101
Discovered open port 3306/tcp on 192.168.0.101
Discovered open port 957/tcp on 192.168.0.101
The SYN Stealth Scan took 0.30s to scan 1680 total ports.
Host server2.tecmint.com (192.168.0.101) appears to be up ... good.
Interesting ports on server2.tecmint.com (192.168.0.101):
Not shown: 1674 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind
957/tcp  open  unknown
3306/tcp open  mysql
8888/tcp open  sun-answerbook
MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)

Nmap finished: 1 IP address (1 host up) scanned in 0.485 seconds
               Raw packets sent: 1681 (73.962KB) | Rcvd: 1681 (77.322KB)
```
3. Scan multiple hosts

To scan several hosts, list their IP addresses or host names after the nmap command, separated by spaces. In the run below only 192.168.0.101 answers host discovery, so it is the only one reported; the summary line shows 3 addresses scanned and 1 host up.
```
[root@server1 ~]# nmap 192.168.0.101 192.168.0.102 192.168.0.103

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 16:06 EST
Interesting ports on server2.tecmint.com (192.168.0.101):
Not shown: 1674 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind
957/tcp  open  unknown
3306/tcp open  mysql
8888/tcp open  sun-answerbook
MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)

Nmap finished: 3 IP addresses (1 host up) scanned in 0.580 seconds
```
4. Scan an entire subnet

Use the * wildcard to scan an entire subnet or range of IP addresses. Since * is also a shell glob character, quote it ('192.168.0.*') if the current directory could contain a file name that matches; the CIDR form 192.168.0.0/24 covers the same 256 addresses and needs no quoting.
```
[root@server1 ~]# nmap 192.168.0.*

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 16:11 EST
Interesting ports on server1.tecmint.com (192.168.0.100):
Not shown: 1677 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
111/tcp open  rpcbind
851/tcp open  unknown

Interesting ports on server2.tecmint.com (192.168.0.101):
Not shown: 1674 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind
957/tcp  open  unknown
3306/tcp open  mysql
8888/tcp open  sun-answerbook
MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)

Nmap finished: 256 IP addresses (2 hosts up) scanned in 5.550 seconds
```
From the output above, Nmap scanned the whole subnet and reported only the hosts that are currently up (server1 and server2). Note that no MAC address line appears for server1, which is the machine running the scan.
5. Scan several hosts by varying the last octet

You can also give a comma-separated list of values for the last octet of an IP address to scan several addresses at once. In the following run I scan 192.168.0.101, 192.168.0.102 and 192.168.0.103; as in example 3, only 192.168.0.101 is up. Nmap accepts ranges in the same position too, for example 192.168.0.100-110.
```
[root@server1 ~]# nmap 192.168.0.101,102,103

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 16:09 EST
Interesting ports on server2.tecmint.com (192.168.0.101):
Not shown: 1674 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind
957/tcp  open  unknown
3306/tcp open  mysql
8888/tcp open  sun-answerbook
MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)

Nmap finished: 3 IP addresses (1 host up) scanned in 0.552 seconds
```
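To make the target syntax used in examples 3 to 5 concrete, here is an added Python example (not part of the original article and not Nmap's own code) that expands Nmap-style IPv4 target specifications into the concrete addresses they cover. It goes slightly beyond the article by also handling octet ranges such as 192.168.0.1-50, comma lists in any octet position, and CIDR notation, all of which Nmap accepts; host names are left out because Nmap resolves those itself at scan time. The address counts it produces match the "N IP addresses" figure in Nmap's summary line (a /24 or a * octet is 256 targets, including the network and broadcast addresses).

```python
import ipaddress
import re
from typing import List

# One field of a dotted-quad target spec is a comma-separated list of
# single values ("101"), ranges ("1-50") or the wildcard "*" (0-255).
_PIECE_RE = re.compile(r"^(\d{1,3})(?:-(\d{1,3}))?$")


def _expand_field(spec: str) -> List[int]:
    """Expand one octet field such as '101,102,103', '1-50' or '*' into its values."""
    values: List[int] = []
    for piece in spec.split(","):
        if piece == "*":
            values.extend(range(256))
            continue
        m = _PIECE_RE.match(piece)
        if not m:
            raise ValueError(f"bad octet field {spec!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) is not None else lo
        if not 0 <= lo <= hi <= 255:
            raise ValueError(f"octet range out of bounds in {spec!r}")
        values.extend(range(lo, hi + 1))
    return values


def expand_target(spec: str) -> List[str]:
    """Expand one Nmap-style IPv4 target spec (CIDR or octet ranges) into addresses.

    Host names are not handled here: Nmap resolves them itself at scan time.
    """
    if "/" in spec:
        # CIDR: like Nmap, include the network and broadcast addresses (a /24 is 256 targets).
        return [str(a) for a in ipaddress.ip_network(spec, strict=False)]
    fields = spec.split(".")
    if len(fields) != 4:
        raise ValueError(f"not an IPv4 octet-range spec: {spec!r}")
    a, b, c, d = (_expand_field(f) for f in fields)
    return [f"{w}.{x}.{y}.{z}" for w in a for x in b for y in c for z in d]


def expand_targets(specs: List[str]) -> List[str]:
    """Expand several specs (as given on one command line), dropping duplicate addresses."""
    seen = set()
    out: List[str] = []
    for spec in specs:
        for ip in expand_target(spec):
            if ip not in seen:
                seen.add(ip)
                out.append(ip)
    return out


if __name__ == "__main__":
    for spec in ("192.168.0.101,102,103", "192.168.0.*", "192.168.0.0/24", "192.168.3-5,7.1"):
        ips = expand_target(spec)
        print(f"{spec:24} -> {len(ips):3} addresses, first {ips[0]}, last {ips[-1]}")
```

Expanding a specification before you scan is a cheap sanity check that a wildcard or range covers exactly the hosts you intend and nothing outside your authorised scope.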
6. Scan a list of hosts from a file

If you have many hosts to scan, put them all in a file and let Nmap read its targets from there. Here is how to do it.

Create a file nmaptest.txt containing the IP addresses or host names you want to scan, one per line (Nmap also accepts entries separated by spaces or tabs, and lines beginning with # are treated as comments).
```
[root@server1 ~]# cat > nmaptest.txt
localhost
server2.tecmint.com
192.168.0.101
```
Next, run Nmap with the -iL option to scan every target listed in the file.
```
[root@server1 ~]# nmap -iL nmaptest.txt

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-18 10:58 EST
Interesting ports on localhost.localdomain (127.0.0.1):
Not shown: 1675 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
25/tcp  open  smtp
111/tcp open  rpcbind
631/tcp open  ipp
857/tcp open  unknown

Interesting ports on server2.tecmint.com (192.168.0.101):
Not shown: 1674 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind
958/tcp  open  unknown
3306/tcp open  mysql
8888/tcp open  sun-answerbook
MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)

Interesting ports on server2.tecmint.com (192.168.0.101):
Not shown: 1674 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind
958/tcp  open  unknown
3306/tcp open  mysql
8888/tcp open  sun-answerbook
MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)

Nmap finished: 3 IP addresses (3 hosts up) scanned in 2.047 seconds
```

Because server2.tecmint.com resolves to 192.168.0.101, the same machine is scanned and reported twice here; keep the target file free of such duplicates so you do not double the scan traffic against a host.