Top 40 Nmap Commands for Network Scanning and Security Analysis

Nmap (Network Mapper) is a powerful open-source tool used for network discovery and security auditing. It can quickly scan networks, identify active hosts, discover open ports, and detect vulnerabilities.

Here are the top 40 Nmap commands that every cybersecurity professional and network administrator should know.

  1. Discover Active Devices
  2. TCP SYN Scan
  3. Service Version Detection
  4. Operating System Detection
  5. Comprehensive Scan
  6. Bypass Ping Restriction
  7. UDP Port Scan
  8. Full Port Scan
  9. Check for Vulnerabilities
  10. Enumerate SMB Shares
  11. Web Server Enumeration
  12. Check for EternalBlue (MS17-010)
  13. Detect SambaCry (CVE-2017-7494)
  14. Check for MS08-067 Vulnerability
  15. Detect Print Spooler Vulnerability (MS10-061)
  16. Check for DoS Vulnerability in Registry Service
  17. SQL Injection Testing
  18. List All IPs in a Subnet
  19. Discover Allowed HTTP Methods
  20. Retrieve Web Page Title
  21. Fetch HTTP Headers
  22. Detect Web Applications
  23. Test for HTTP Authentication Methods
  24. Enumerate User Directories
  25. Check for /etc/passwd File Exposure
  26. Analyze robots.txt File
  27. Xmas Scan
  28. ACK Scan
  29. Window Scan
  30. Maimon Scan
  31. SSH Brute Force
  32. Anonymous FTP Login Test
  33. vsftpd Backdoor Vulnerability Check
  34. Check for PHP_SELF XSS Vulnerabilities
  35. DNS Brute-Force Enumeration
  36. Retrieve SSH Host Keys
  37. Check for DNS Recursion
  38. Perform a Traceroute
  39. Ping Scan to Detect Live Hosts
  40. Scan and Detect Network Devices without Port Scanning

1. Discover Active Devices:

nmap -sP 192.168.1.0/24

Host discovery only: probes every address in the /24 and lists the ones that answer, without port-scanning them. -sP is the legacy spelling of -sn (command 39); current Nmap versions accept both.

2. TCP SYN Scan:

nmap -sS 192.168.1.1

Half-open scan: sends a SYN to each port and never completes the handshake, so it is faster and less visible in application logs than a full connect scan. It needs raw-socket privileges (root), which is why it is Nmap's default scan type when run as root.

3. Service Version Detection:

nmap -sV 192.168.1.1

Probes each open port to identify the service and its version, not just the port number.

4. Operating System Detection:

nmap -O 192.168.1.1

Fingerprints the target's TCP/IP stack to guess its operating system; needs root and works best when at least one open and one closed TCP port are found.

5. Comprehensive Scan:

nmap -A 192.168.1.1

Aggressive scan: combines OS detection (-O), version detection (-sV), default script scanning (-sC) and traceroute (--traceroute).

6. Bypass Ping Restriction:

nmap -Pn 192.168.1.1

Skips host discovery and treats every target as up, so hosts that block ping and other discovery probes are still port-scanned.

7. UDP Port Scan:

nmap -sU 192.168.1.1

Scans for open UDP ports. UDP scanning is slow because a closed port is only recognised by an ICMP port-unreachable reply and many services never answer an empty probe, so most results come back as open|filtered; add -sV to confirm them.

8. Full Port Scan:

nmap -p- 192.168.1.1

Scans all 65,535 TCP ports instead of the default top 1,000.
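The discovery and port-scan commands above are normally chained: find the live hosts first, then scan only those. The shell script below is an added example (not from the original post and not part of Nmap) that does this with Nmap's grepable output (-oG -), parses the result with awk, and compares the open ports against an approved-baseline file so that a scheduled scan can flag drift. The addresses, hostnames and service banners in the sample output are constructed; `scan_pipeline` only runs when nmap is installed and a target range is passed on the command line.

```shell
#!/bin/sh
# Added example, not from the original post: chain Nmap host discovery
# (-sn) into a targeted SYN/version scan (-sS -sV) using grepable
# output (-oG -), then compare the open ports against a baseline file.

# Stage 1 parser: read "nmap -sn -oG -" output, print one live IP per line.
live_hosts() {
    awk '/^Host: / && /Status: Up/ { print $2 }'
}

# Stage 2 parser: read "nmap -sS -sV -oG -" output and print
# "ip port/proto state service version" for every open port.
# Grepable fields are tab-separated; each port entry has the form
# port/state/proto/owner/service/rpcinfo/version/.
open_ports() {
    awk -F'\t' '
        /^Host: / {
            split($1, h, " "); ip = h[2]
            for (i = 2; i <= NF; i++) {
                if ($i !~ /^Ports: /) continue
                n = split(substr($i, 8), p, ", ")
                for (j = 1; j <= n; j++) {
                    split(p[j], f, "/")
                    if (f[2] == "open")
                        print ip, f[1] "/" f[3], f[2], f[5], f[7]
                }
            }
        }'
}

# Baseline check: $1 is a file of approved "ip port/proto" lines
# (blank lines and # comments ignored). Prints every open port not in it.
unexpected_ports() {
    awk -v base="$1" '
        BEGIN {
            while ((getline line < base) > 0)
                if (line != "" && line !~ /^#/) ok[line] = 1
        }
        !(($1 " " $2) in ok) { print "UNEXPECTED", $0 }'
}

# Constructed sample output (what the two nmap commands would print for a
# fictitious 192.168.1.0/24 with two hosts up), so the parsers can be
# exercised without running nmap.
sample_discovery() {
    printf 'Host: 192.168.1.1 (router.lan)\tStatus: Up\n'
    printf 'Host: 192.168.1.10 ()\tStatus: Up\n'
    printf '# Nmap done: 256 IP addresses (2 hosts up) scanned\n'
}
sample_portscan() {
    printf 'Host: 192.168.1.1 (router.lan)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 80/open/tcp//http//nginx 1.18.0/, 443/closed/tcp//https///\tIgnored State: filtered (997)\n'
    printf 'Host: 192.168.1.10 ()\tPorts: 445/open/tcp//microsoft-ds//Windows microsoft-ds/\tIgnored State: closed (999)\n'
}

# Real run: discover, then scan only the hosts that answered.
scan_pipeline() {
    range=$1
    hosts=$(nmap -sn -oG - "$range" | live_hosts)
    [ -n "$hosts" ] || { echo "no live hosts in $range" >&2; return 1; }
    # shellcheck disable=SC2086  # word-splitting the host list is intended
    nmap -sS -sV -oG - $hosts | open_ports
}

# Usage: ./scan.sh demo            (parse the built-in sample)
#        ./scan.sh 192.168.1.0/24  (real scan; needs nmap, and root for -sS)
if [ "${1-}" = "demo" ]; then
    sample_portscan | open_ports
elif [ -n "${1-}" ]; then
    command -v nmap >/dev/null || { echo "nmap not installed" >&2; exit 1; }
    scan_pipeline "$1"
fi
```

Feeding `open_ports` into `unexpected_ports baseline.txt` turns the scan into a change detector: the first run on a known-good network is saved as the baseline, and any later run that prints an UNEXPECTED line is worth a look, because it means a port opened that nobody approved.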

9. Check for Vulnerabilities:

nmap --script vuln 192.168.1.1

Runs every NSE script in the vuln category against the open ports it finds.

10. Enumerate SMB Shares:

nmap --script smb-enum-shares -p 445 192.168.1.1

Lists the shares exported by an SMB server on port 445.

11. Web Server Enumeration:

nmap --script http-enum -p 80 192.168.1.1

Requests well-known paths (admin panels, common applications, backup files) to enumerate interesting directories and files on a web server.

12. Check for EternalBlue (MS17-010):

nmap --script smb-vuln-ms17-010 192.168.1.1

Scans for the SMBv1 vulnerability exploited by WannaCry ransomware.

13. Detect SambaCry (CVE-2017-7494):

nmap --script smb-vuln-cve-2017-7494 192.168.1.1

Checks for a remote code execution flaw in Samba file-sharing services.

14. Check for MS08-067 Vulnerability:

nmap --script smb-vuln-ms08-067 192.168.1.1

Detects a critical Windows SMB flaw exploited by Conficker malware.

15. Detect Print Spooler Vulnerability (MS10-061):

nmap --script smb-vuln-ms10-061 192.168.1.1

Identifies a flaw in Windows Print Spooler that allows remote execution.

16. Check for DoS Vulnerability in Registry Service:

nmap --script smb-vuln-regsvc-dos 192.168.1.1

Tests for a Denial-of-Service flaw in Windows Registry Service.

17. SQL Injection Testing:

nmap --script http-sql-injection -p 80 192.168.1.1

Spiders the site and tests the forms and URL parameters it finds for error-based SQL injection.
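Running the vulnerability scripts above across a subnet produces pages of text per host. The script below is an added example (not from the original post and not part of Nmap) that parses Nmap's normal output for the "State: VULNERABLE" lines the NSE vulns library emits and reduces them to one "host script state" line each, so a scheduled scan can fail a job or open a ticket when a check fires. The sample report is constructed: the hosts, hostnames and which checks fire are invented for the example, and only the script names used on this page appear in it.

```shell
#!/bin/sh
# Added example, not from the original post: condense the output of
# "nmap --script vuln" (or any of the smb-vuln-* scripts) into a short
# list of hosts that reported a VULNERABLE state.

# Reads Nmap normal output on stdin and prints "host script state" for
# every check the NSE vulns library reported as VULNERABLE or LIKELY
# VULNERABLE. Hosts and scripts that report nothing produce no line.
vuln_findings() {
    awk '
        # "Nmap scan report for 192.168.1.10" or "... for name (192.168.1.10)"
        /^Nmap scan report for / {
            host = $NF; sub(/^\(/, "", host); sub(/\)$/, "", host)
        }
        # A script header such as "| smb-vuln-ms17-010: " (trailing colon,
        # nothing after it) starts a new script result block.
        /^\|_? ?[a-z0-9-]+: *$/ {
            script = $0; sub(/^\|_? ?/, "", script); sub(/:.*$/, "", script)
        }
        /State: (LIKELY )?VULNERABLE/ {
            state = $0; sub(/.*State: /, "", state)
            print host, script, state
        }'
}

# Exit status for automation: 0 when the report is clean, 1 otherwise.
report_is_clean() {
    ! vuln_findings | grep -q .
}

# Constructed sample of what "nmap --script vuln -p 445 192.168.1.0/24"
# prints; the hosts and the checks that fire are invented for the example.
sample_vuln_report() {
    cat <<'EOF'
Nmap scan report for 192.168.1.10
Host is up (0.0010s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     Risk factor: HIGH
|_    (details omitted in this sample)
|_smb-vuln-ms08-067: NT_STATUS_OBJECT_NAME_NOT_FOUND
| smb-vuln-regsvc-dos:
|   VULNERABLE:
|   Service regsvc in Microsoft Windows systems vulnerable to denial of service
|     State: VULNERABLE
|_    Risk factor: HIGH

Nmap scan report for fileserver.lan (192.168.1.20)
Host is up (0.0020s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-vuln-cve-2017-7494:
|   LIKELY VULNERABLE:
|   SAMBA Remote Code Execution from Writable Share
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2017-7494
|_    Risk factor: HIGH
EOF
}

# Usage: ./vulns.sh demo                              (parse the sample)
#        nmap --script vuln -p 445 RANGE | ./vulns.sh stdin
if [ "${1-}" = "demo" ]; then
    sample_vuln_report | vuln_findings
elif [ "${1-}" = "stdin" ]; then
    vuln_findings
fi
```

The parser keys on the layout the vulns library uses (a "| script-name:" header line followed by an indented "State:" line), which is shared by all the smb-vuln-* checks on this page, so a new script in the vuln category is picked up without changes. Use `report_is_clean` as the exit status of a cron or CI job to make a flagged host fail the run.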

18. List All IPs in a Subnet:

nmap -sL 192.168.1.0/24

Lists every address in the range and does a reverse-DNS lookup on each without sending any packets to the targets themselves; useful for checking what a scan would cover.

19. Discover Allowed HTTP Methods:

nmap -p80 --script http-methods 192.168.1.1

Sends an OPTIONS request and reports the methods the server allows (GET, POST, PUT, DELETE, TRACE and so on), flagging potentially risky ones such as PUT, DELETE and TRACE.

20. Retrieve Web Page Title:

nmap -p80 --script http-title 192.168.1.1

Extracts and displays the title of a webpage from an HTTP response.

21. Fetch HTTP Headers:

nmap -p80 --script http-headers 192.168.1.1

Retrieves and lists HTTP response headers from a target web server.

22. Detect Web Applications:

nmap -p80 --script http-enum 192.168.1.1

Same script as command 11: identifies web applications, frameworks and admin interfaces by the well-known paths they expose.

23. Test for HTTP Authentication Methods:

nmap -p80 --script http-auth 192.168.1.1

Reports the authentication scheme (Basic, Digest or NTLM) and realm that a password-protected page demands.

24. Enumerate User Directories:

nmap -p80 --script http-userdir-enum 192.168.1.1

Checks a list of common usernames for publicly accessible user home directories (/~user/) on a web server.

25. Check for /etc/passwd File Exposure:

nmap -p80 --script http-passwd 192.168.1.1

Tests for directory traversal by attempting to fetch /etc/passwd (or boot.ini on Windows) through the web server.

26. Analyze robots.txt File:

nmap -p80 --script http-robots.txt 192.168.1.1

Examines a site’s robots.txt file for restricted or sensitive directories.

27. Xmas Scan:

nmap -sX 192.168.1.1

Sends TCP packets with the FIN, PSH and URG flags set. On an RFC 793-compliant stack a closed port answers RST and an open port stays silent, so results come back as closed or open|filtered; Windows and many network devices reply RST to every port, which makes the scan useless against them.

28. ACK Scan:

nmap -sA 192.168.1.1

Maps firewall rulesets: sends ACK-only packets, so it cannot tell open from closed, but a RST reply means the port is unfiltered while silence or an ICMP error means a stateful firewall is filtering it.

29. Window Scan:

nmap -sW 192.168.1.1

Like the ACK scan, but inspects the TCP window size of the RST replies: on some systems a positive window means open and a zero window means closed.

30. Maimon Scan:

nmap -sM 192.168.1.1

Sends FIN/ACK packets; on many BSD-derived stacks open ports drop the packet while closed ports reply RST.

31. SSH Brute Force:

nmap --script ssh-brute -p 22 192.168.1.1

Attempts to brute-force SSH logins on port 22 using Nmap's built-in username and password lists. Expect account lockouts and authentication-failure alerts on the target.

32. Anonymous FTP Login Test:

nmap --script ftp-anon 192.168.1.1

Checks if FTP allows anonymous login access.

33. vsftpd Backdoor Vulnerability Check:

nmap --script ftp-vsftpd-backdoor 192.168.1.1

Detects the presence of a backdoor in vulnerable vsftpd versions.

34. Check for PHP_SELF XSS Vulnerabilities:

nmap --script http-phpself-xss 192.168.1.1

Checks PHP pages for reflected XSS through an unescaped PHP_SELF variable.

35. DNS Brute-Force Enumeration:

nmap --script dns-brute example.com

Guesses common subdomain names against the target's domain. The target must be a domain name (example.com is a placeholder here), not an IP address; alternatively pass the domain with --script-args dns-brute.domain=example.com.

36. Retrieve SSH Host Keys:

nmap -p 22 --script ssh-hostkey 192.168.1.1

Retrieves and prints the server's SSH host key fingerprints; comparing them against a known-good record is how you detect a host that is impersonating the real server.

37. Check for DNS Recursion:

nmap -p 53 --script dns-recursion 192.168.1.1

Tests whether the DNS server answers recursive queries from arbitrary clients; an open resolver can be abused for cache poisoning and DDoS amplification.

38. Perform a Traceroute:

nmap --traceroute 192.168.1.1

Traces the router hops to the target, reusing the scan's own probe type rather than a fixed ICMP or UDP probe, so it can pass firewalls that block classic traceroute.

39. Ping Scan to Detect Live Hosts:

nmap -sn 192.168.1.0/24

Host discovery without a port scan. Run as root against a remote network, Nmap sends an ICMP echo request, a TCP SYN to port 443, a TCP ACK to port 80 and an ICMP timestamp request; on the local Ethernet segment it uses ARP requests instead, and without root it falls back to TCP connect attempts to ports 80 and 443.

40. Scan and Detect Network Devices without Port Scanning:

nmap -sP 192.168.1.0/24

Same command as number 1: -sP is the older name for -sn, so this lists live devices without scanning their ports.

Conclusion

Nmap is an essential tool for ethical hacking, network analysis, and vulnerability assessment. With the right combination of scanning techniques, security professionals can uncover weaknesses in networks and take necessary actions to mitigate threats. Mastering these 40 commands will significantly enhance your network security capabilities.
