
30 Nmap examples

Brief introduction to this article
Nmap Ping Sweep Examples
Defining Ports to Scan with Nmap
Nmap NULL Scan
Nmap FIN Scan
Nmap Xmas Scan
Nmap ARP Scan
Updating Nmap NSE database
Get devices OS, workgroup, domain, device name over SMB protocol
Finding Zombie for Idle Scan
Executing an Idle scan
Scanning ranges for vulnerabilities
Scanning for smb-vuln-ms08-067 vulnerability
Brute force against SSH with Nmap NSE
Related articles

Brief introduction to this article

This article summarizes Nmap subjects that were explained in previous articles (you can access them in the Related Articles section). Where possible, the examples apply what was taught there to real scenarios, from host discovery to vulnerability auditing, network problem diagnostics and more. This tutorial avoids basic descriptions of Nmap and deep explanations of flags, which can be found in the articles linked at the end; here you'll find examples ranging from basic scans to complex vulnerability scans on vulnerable virtual machines and real scenarios.

Nmap Ping Sweep Examples

Nmap ping sweep examples were covered in depth in the tutorial Nmap ping sweep. In short, as Wikipedia summarizes it, "In computing, a ping sweep is a method that can establish a range of IP addresses which map to live hosts." It is simply a method to discover online devices within a network or range.

nmap -sP/-sn:

The option -sP or -sn (they are equivalent) instructs Nmap to skip the port scan after host discovery. In the following example the wildcard (*) is used to instruct Nmap to discover all hosts of a class C network (described in the chapter Brief Introduction to Subnets).

nmap -sP 192.168.0.*

nmap -Pn:

This flag or option instructs Nmap to skip the initial ping and assume the host is alive. The following scan skips the ping for hosts within the range 192.168.0.2 to 192.168.0.240; note that a hyphen in the last octet defines the range.

nmap -Pn 192.168.0.2-240

nmap -PA:

The -PA option performs host discovery with TCP ACK packets instead of the default probes. The following example applies it to the whole 192.168.*.* range:

nmap -PA 192.168.*.*

Defining Ports to Scan with Nmap

Defining ports with the -p flag:

Defining a port to scan with Nmap is easy: just add the -p flag followed by the port, or several ports separated by commas.

nmap -p 80,22,139,21,23 192.168.0.*

In the following example the port range is defined with a hyphen to scan ports 22 through 80 on linuxhint.com:

nmap -p 22-80 linuxhint.com

The next example shows Nmap scanning two different port ranges separated by commas:

nmap -p 20-80,100-600 192.168.0.3-14
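To make the port syntax above concrete, here is an added Python example (not code from the original article or from the Nmap project) that expands a -p specification the way Nmap reads it and collapses a list of ports back into that compact form. The range-end defaults and the ValueError on malformed input are this example's own choices; it is handy for checking that an authorized scan or a firewall rule covers exactly the ports you intended.

```python
"""Expand and compress Nmap-style port specifications (added example)."""

MIN_PORT, MAX_PORT = 0, 65535


def parse_port_spec(spec: str) -> list[int]:
    """Expand a -p style list such as "20-80,100-600" into sorted unique ports.

    Mirrors Nmap's syntax: items are comma-separated, a hyphen denotes an
    inclusive range, and an omitted range end defaults to 1 (start) or
    65535 (end), so "-" alone means every port from 1 to 65535.
    Malformed input raises ValueError instead of silently scanning the
    wrong ports.
    """
    ports: set[int] = set()
    for item in spec.replace(" ", "").split(","):
        if not item:
            raise ValueError(f"empty element in port spec {spec!r}")
        if "-" in item:
            lo_s, hi_s = item.split("-", 1)
            lo = 1 if lo_s == "" else int(lo_s)
            hi = MAX_PORT if hi_s == "" else int(hi_s)
        else:
            lo = hi = int(item)
        if not (MIN_PORT <= lo <= MAX_PORT and MIN_PORT <= hi <= MAX_PORT):
            raise ValueError(f"port out of range in {item!r}")
        if lo > hi:
            raise ValueError(f"descending range {item!r}")
        ports.update(range(lo, hi + 1))
    return sorted(ports)


def compress_ports(ports) -> str:
    """Inverse of parse_port_spec: collapse ports into the compact
    "a-b,c" form that Nmap accepts, e.g. for an authorized rescan of
    exactly the ports found open in an earlier inventory."""
    ordered = sorted(set(ports))
    if not ordered:
        return ""
    runs: list[tuple[int, int]] = []
    start = prev = ordered[0]
    for p in ordered[1:]:
        if p == prev + 1:
            prev = p
            continue
        runs.append((start, prev))
        start = prev = p
    runs.append((start, prev))
    return ",".join(str(a) if a == b else f"{a}-{b}" for a, b in runs)


if __name__ == "__main__":
    # The three specifications used in the examples above.
    for spec in ("80,22,139,21,23", "22-80", "20-80,100-600"):
        expanded = parse_port_spec(spec)
        print(f"{spec!r}: {len(expanded)} ports -> {compress_ports(expanded)!r}")
```

Because parse_port_spec returns a set-backed sorted list, duplicated or overlapping items in a specification are merged, which is also what Nmap does before probing.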

Nmap ARP Scan

The main ARP scan features of Nmap now belong to Nping, a tool in the Nmap suite. The following examples include two using Nmap and one using Nping. The first combines -sP (no port scan) with -PR (ARP ping) over the range:

nmap -sP -PR 192.168.*.*

In contrast, the following example performs host discovery only (no port scan) while disabling ARP ping on a local network:

nmap -sn --disable-arp-ping 192.168.0.*

The final example shows an ARP scan executed through Nping, part of the Nmap suite, which inherited Nmap flags to customize ARP scans.

nping --arp-type ARP 192.168.0.1-50

As you see Nping identifies every IP with the proper MAC address.

Nmap FIN Scan

The next example is an aggressive FIN scan against a range of hosts:

nmap -sF -T4 192.168.0.3-14

This is an example of an insane FIN scan against a single device:

nmap -sF -T5 192.168.0.3

To end the FIN scan examples, let's do a less aggressive scan against a Metasploit virtual device:

nmap -sF -T2 192.168.56.1

Nmap NULL Scan example

The following example shows a NULL scan against linuxhint.com port 80. Remember that in many scenarios Nmap NULL, Xmas and FIN scans can't distinguish between open and filtered ports.

nmap -v -sN -p 80 linuxhint.com

Now let’s try an insane scan against a router:

nmap -sN -T5 192.168.56.1

Usually NULL, Xmas and FIN scans can't distinguish between filtered and open ports. The next example adds the -sV option to help make that distinction, but adding it results in a less stealthy scan:

nmap -sN -T2 -sV -p80,22,21,139 192.168.56.1

Nmap Xmas Scan example

An example of an aggressive Xmas scan:

nmap -sX -T4 192.168.56.1

Now a less aggressive Xmas scan against ports 80 and 22:

nmap -sX -T2 -p80,22 192.168.0.3

The next example is similar to the above, but includes level 2 verbosity:

nmap -sX -T2 -v2 -p80,22 192.168.0.3
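NULL, FIN and Xmas probes are easy to recognise on the wire precisely because of the unusual flag combinations described above. The following Python detector is an added example (not from the original article or from Nmap) that reads tcpdump-style TCP lines and raises an alert when one source sends such probes to several distinct ports; the sample capture, the threshold of five targets and the function names are constructed for this illustration.

```python
"""Spot NULL, FIN and Xmas TCP probes in tcpdump-style text (added example)."""
import re
from collections import defaultdict
from typing import Optional

# Constructed sample capture in tcpdump's text format; not real traffic.
# 10.0.0.7 sends flag-less (NULL) probes to six ports, 10.0.0.9 sends two
# Xmas (FIN+PSH+URG) probes, and 10.0.0.5 is an ordinary handshake that
# ends with a legitimate FIN+ACK, which must not be confused with a FIN scan.
SAMPLE_CAPTURE = """\
12:00:01.000100 IP 10.0.0.7.40001 > 192.168.56.1.21: Flags [none], seq 1, win 1024, length 0
12:00:01.000200 IP 10.0.0.7.40001 > 192.168.56.1.22: Flags [none], seq 1, win 1024, length 0
12:00:01.000300 IP 10.0.0.7.40001 > 192.168.56.1.23: Flags [none], seq 1, win 1024, length 0
12:00:01.000400 IP 10.0.0.7.40001 > 192.168.56.1.80: Flags [none], seq 1, win 1024, length 0
12:00:01.000500 IP 10.0.0.7.40001 > 192.168.56.1.139: Flags [none], seq 1, win 1024, length 0
12:00:01.000600 IP 10.0.0.7.40001 > 192.168.56.1.443: Flags [none], seq 1, win 1024, length 0
12:00:02.000100 IP 10.0.0.9.51000 > 192.168.0.3.80: Flags [FPU], seq 1, win 1024, urg 0, length 0
12:00:02.000200 IP 10.0.0.9.51000 > 192.168.0.3.22: Flags [FPU], seq 1, win 1024, urg 0, length 0
12:00:03.000100 IP 10.0.0.5.55123 > 192.168.0.3.80: Flags [S], seq 100, win 64240, length 0
12:00:03.000200 IP 192.168.0.3.80 > 10.0.0.5.55123: Flags [S.], seq 200, ack 101, win 65160, length 0
12:00:03.000300 IP 10.0.0.5.55123 > 192.168.0.3.80: Flags [.], ack 201, win 502, length 0
12:00:04.000100 IP 10.0.0.5.55123 > 192.168.0.3.80: Flags [F.], seq 101, ack 201, win 502, length 0
"""

LINE_RE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def classify_flags(flag_str: str) -> Optional[str]:
    """Map tcpdump's flag letters to the scan type they correspond to.

    tcpdump prints "none" when no flag is set, "F" for FIN only and
    "FPU" for FIN+PSH+URG; "." is ACK, so "F." is a normal connection close.
    """
    flags = set() if flag_str == "none" else set(flag_str)
    if not flags:
        return "NULL"
    if flags == {"F"}:
        return "FIN"
    if flags == {"F", "P", "U"}:
        return "Xmas"
    return None


def parse_capture(text: str):
    """Yield (src, dst, dport, flags) for every TCP line the regex recognises."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["src"], m["dst"], int(m["dport"]), m["flags"]


def detect_stealth_scans(text: str, threshold: int = 5) -> list[dict]:
    """Alert on a source that sends NULL/FIN/Xmas probes to at least
    `threshold` distinct (host, port) targets. Counting probes rather than
    replies is deliberate: open and filtered ports stay silent to these
    scans, so only closed ports (which answer RST) would show up otherwise.
    The threshold of five is an assumed tuning value for this example.
    """
    probes: dict = defaultdict(lambda: defaultdict(set))
    for src, dst, dport, flags in parse_capture(text):
        kind = classify_flags(flags)
        if kind is not None:
            probes[src][kind].add((dst, dport))
    alerts = []
    for src, kinds in probes.items():
        for kind, targets in kinds.items():
            if len(targets) >= threshold:
                alerts.append({"src": src, "scan": kind, "targets": len(targets)})
    return sorted(alerts, key=lambda a: (a["src"], a["scan"]))


if __name__ == "__main__":
    for alert in detect_stealth_scans(SAMPLE_CAPTURE):
        print(f"{alert['src']}: {alert['scan']} scan, {alert['targets']} targets probed")
```

With the default threshold only 10.0.0.7 is reported; lowering it to 2 also surfaces the two Xmas probes from 10.0.0.9, while the legitimate FIN+ACK from 10.0.0.5 is never counted. The same flag logic applies to packets exported from a firewall or IDS, since the classification depends only on the TCP flag set.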

Update scripts database

Before using Nmap NSE scripts, update the script database by running:

nmap --script-updatedb

Get devices OS, workgroup, domain, device name over SMB protocol

The following example uses the NSE script smb-os-discovery (https://nmap.org/nsedoc/scripts/smb-os-discovery.html) against the whole 172.31.X.X range (the last two octets of the network):

nmap -p 445 --script smb-os-discovery 172.31.*.*


Two Windows XP computers were found, great candidates for an Idle scan, which will be explained later in this tutorial.

Finding Zombie for Idle Scan

The following example shows how to search for a zombie candidate for an Idle scan by scanning the last octet of the 10.100.100.X network with the NSE script ipidseq (https://nmap.org/nsedoc/scripts/ipidseq.html).

nmap -p80 --script ipidseq 10.100.100.*

Another way to find potential zombie candidates for Idle scans:

nmap -Pn -O -v 192.168.56.102
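Whether a host can serve as a zombie depends on whether its IP ID is a single incrementing counter, which is what ipidseq reports. As an added example (not code from the original article or from Nmap), the Python function below classifies a captured sequence of IP IDs into the same kinds of labels so you can audit your own hosts and fix the ones that come back predictable; the step threshold of 10 and the sample sequences are this example's own assumptions, not Nmap's exact thresholds.

```python
"""Classify an observed IP ID sequence in the spirit of ipidseq (added example)."""

IPID_MODULUS = 65536
# Assumed threshold for "incremental": consecutive IDs that never step by
# more than this are treated as a predictable counter. Nmap's own thresholds
# differ; this value is this example's simplification.
INCREMENTAL_MAX_STEP = 10


def _deltas(ipids):
    """Forward differences with 16-bit wraparound, so 65535 -> 0 counts as +1."""
    return [(b - a) % IPID_MODULUS for a, b in zip(ipids, ipids[1:])]


def _byteswap16(value: int) -> int:
    """Swap the two bytes of a 16-bit value (for the little-endian case)."""
    return ((value & 0xFF) << 8) | (value >> 8)


def classify_ipid_sequence(ipids) -> str:
    """Return one of: "All zeros", "Constant", "Incremental",
    "Broken little-endian incremental", "Randomized" or "Unknown"."""
    if len(ipids) < 2:
        return "Unknown"  # not enough samples to say anything
    if all(i == 0 for i in ipids):
        return "All zeros"
    deltas = _deltas(ipids)
    if all(d == 0 for d in deltas):
        return "Constant"
    if all(0 < d <= INCREMENTAL_MAX_STEP for d in deltas):
        return "Incremental"
    # Some stacks put the counter on the wire in the wrong byte order;
    # swapping the bytes reveals the counter underneath.
    swapped = [_byteswap16(i) for i in ipids]
    if all(0 < d <= INCREMENTAL_MAX_STEP for d in _deltas(swapped)):
        return "Broken little-endian incremental"
    return "Randomized"


def has_predictable_ipid(ipids) -> bool:
    """True when the host's IP ID behaves as a global counter. Such a host on
    your own network should be patched or reconfigured: its counter leaks how
    many packets it sends, which is exactly what an Idle scan relies on."""
    return classify_ipid_sequence(ipids) in (
        "Incremental",
        "Broken little-endian incremental",
    )


if __name__ == "__main__":
    # Constructed sample sequences, not output captured from real hosts.
    samples = {
        "incrementing-counter": [4000, 4001, 4002, 4003, 4004],
        "counter-wrapping-at-65535": [65534, 65535, 0, 1],
        "random-ids": [12345, 45, 60000, 2, 31000],
        "byte-swapped-counter": [0x1000, 0x1100, 0x1200, 0x1300],
    }
    for name, seq in samples.items():
        label = classify_ipid_sequence(seq)
        print(f"{name}: {label} (predictable={has_predictable_ipid(seq)})")
```

The wraparound handling matters in practice: a counter passing from 65535 to 0 is still incremental, and treating that step as a huge negative jump would misclassify a predictable host as randomized.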

Executing an Idle scan

Running an Idle scan using a candidate found in the previous step:

nmap -Pn -sI 10.100.100.108 -p80,21,22,443 172.31.124.141

Another Idle scan using the same candidate against a gateway:

nmap -Pn -sI 172.31.100.108 -p80,21,22,443 172.31.99.2

An Idle scan against the FTP port of a router using a virtualized Windows 98 device as the zombie:

nmap -Pn -sI 192.168.56.102 -p21 192.168.0.1

Scanning ranges for vulnerabilities

The following scan runs every script in the vuln category against a whole range of hosts:

nmap -v --script vuln 172.31.100.*

Scanning for smb-vuln-ms08-067 vulnerability

The following scan uses the NSE script smb-vuln-ms08-067 (https://nmap.org/nsedoc/scripts/smb-vuln-ms08-067.html) to search for a remote code execution vulnerability across the last two octets of the network:

nmap -p445 --script smb-vuln-ms08-067 172.31.*.*

Brute force against SSH with Nmap NSE

As the title says, by using the ssh-brute.nse NSE script you can brute-force vulnerable SSH services by running:

nmap --script ssh-brute.nse 192.168.0.3

I hope you found the examples above interesting; below you have a list of articles explaining each example in depth. Keep following LinuxHint for more tips and updates on Linux and networking.

Related articles:

NMAP basics Tutorial
nmap network scanning
Nmap Stealth Scan
Nping and Nmap arp scan
Nmap: scan IP ranges
nmap ping sweep
Using nmap scripts: Nmap banner grab
Traceroute with Nmap
Nmap Idle Scan tutorial
How to scan for services and vulnerabilities with Nmap

About the author

Ivan Vanney

Ivan Vanney has over a decade of experience working as a sysadmin. He is a contributor on LinuxHint.com and the founder of linuxer.info