Top 7 Nmap Commands for Effective Network Scanning

Nmap (“Network Mapper”) is a powerful open-source tool used for network discovery and security auditing. It is a command-line utility capable of scanning networks, identifying hosts, detecting open ports, and discovering running services. Nmap is widely used by security professionals and penetration testers to assess network security.

For users who prefer a graphical interface, Zenmap serves as Nmap’s GUI, providing network visualization and enhanced reporting capabilities.

In this guide, we’ll explore essential Nmap commands, network scanning techniques, and practical tips to enhance your scanning efficiency.

Essential Nmap Commands

To view a list of available commands and options, use:

nmap --help

This displays a comprehensive list of options, including target specification, scan techniques, port scanning methods, service detection, script scanning, OS fingerprinting, firewall evasion techniques, and more.

Effective Network Scanning Techniques

1. Basic Network Scan

To discover which hosts are up across an entire network or a range of IP addresses (-sn performs host discovery only, without port scanning):

nmap -sn 10.228.12.1-254

Alternatively, you can specify multiple hosts:

nmap 10.228.12.1 10.228.12.2 10.228.12.3
nmap 10.228.12.*
nmap 10.228.12.1,2,3

2. Stealth (SYN) Scan

A SYN scan sends a SYN packet to each target port and, on receiving a SYN/ACK, tears the half-open connection down with a RST instead of completing the TCP handshake. Because no connection is ever established, the probe is less likely to be logged by the listening application. It requires raw-packet privileges (root or sudo), and is Nmap's default scan type when run with them.

nmap -sS 10.228.12.128

3. Connect Scan

For users without raw socket privileges, a TCP connect scan uses the operating system's connect() call and completes the full three-way handshake; it needs no root, but each connection is visible to the target service and is more likely to be logged.

nmap -sT 10.228.12.128

4. UDP Scan

Nmap sends empty UDP packets or service-specific probes to identify open UDP ports.

sudo nmap -sU 10.228.12.128

For a comprehensive scan combining TCP and UDP:

sudo nmap -sS -sU 10.228.12.128

5. Port Scanning

To scan a specific port:

nmap -p 22 10.228.12.128

To scan all 65,536 ports:

nmap -p- 10.228.12.128

6. Top Ports Scan

Scan only the most commonly used ports:

nmap --top-ports 20 10.228.12.128

7. Scanning from a File

Import a list of IP addresses from a file for bulk scanning:

nmap -iL /path/input-ips.txt
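As an added example (not from the original article), the Python script below expands the target forms used in sections 1 and 7 above (an octet range such as 10.228.12.1-254, the * wildcard, a comma list such as 10.228.12.1,2,3, and a CIDR block such as 10.10.10.1/24) into an explicit address list and renders it as the one-target-per-line file that nmap -iL reads. The address ranges are the article's own; the function names (expand_targets, expand_target_list, render_target_file) are my own. It follows Nmap's rules that * means 0-255 and that a CIDR block covers every address in the network, including the network and broadcast addresses, so it is a quick way to check how many hosts a scan will actually touch before running it.

```python
"""Expand Nmap-style IPv4 target expressions into explicit address lists (added example)."""
import ipaddress
from itertools import product


def _expand_octet(spec):
    """Expand one dotted-quad octet: '7', '1-254', '*', '-', '1,2,3' or '1-3,9'."""
    if spec == "*":
        return list(range(256))
    values = set()
    for part in spec.split(","):
        if "-" in part:
            lo, hi = part.split("-", 1)
            lo = int(lo) if lo else 0      # Nmap treats a bare '-' as 0-255
            hi = int(hi) if hi else 255
            if not 0 <= lo <= hi <= 255:
                raise ValueError(f"invalid octet range {part!r}")
            values.update(range(lo, hi + 1))
        else:
            value = int(part)
            if not 0 <= value <= 255:
                raise ValueError(f"invalid octet {part!r}")
            values.add(value)
    return sorted(values)


def expand_targets(spec):
    """Expand one target expression (CIDR, octet ranges, '*', comma lists) to IPv4 strings."""
    if "/" in spec:
        # As in Nmap, a CIDR block includes the network and broadcast addresses, and
        # host bits in the given address are ignored (10.10.10.1/24 -> 10.10.10.0/24).
        return [str(a) for a in ipaddress.ip_network(spec, strict=False)]
    octets = spec.split(".")
    if len(octets) != 4:
        raise ValueError(f"expected a dotted-quad target, got {spec!r}")
    return [".".join(map(str, combo))
            for combo in product(*(_expand_octet(o) for o in octets))]


def expand_target_list(specs):
    """Expand several expressions (as given on one nmap command line), de-duplicated, order kept."""
    seen, out = set(), []
    for spec in specs:
        for ip in expand_targets(spec):
            if ip not in seen:
                seen.add(ip)
                out.append(ip)
    return out


def render_target_file(specs):
    """Produce the one-target-per-line text that 'nmap -iL <file>' reads."""
    return "\n".join(expand_target_list(specs)) + "\n"


if __name__ == "__main__":
    # Constructed scope using the address forms from the article.
    scope = ["10.228.12.1-254", "10.228.12.1,2,3", "10.10.10.1/24"]
    text = render_target_file(scope)
    print(f"{text.count(chr(10))} unique targets; write this text to input-ips.txt for nmap -iL")
```

Redirect the output of render_target_file to a file and pass that file to nmap -iL; the de-duplication matters because overlapping expressions on one command line would otherwise be scanned once per expression.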

Advanced Nmap Features

1. Nmap Scripting Engine (NSE)

NSE allows users to automate tasks such as DNS enumeration, brute-force attacks, and vulnerability detection. Scripts are located in /usr/share/nmap/scripts.

Example commands:

nmap 10.10.10.1 --script=smb-os-discovery
nmap --script=dns-zone-transfer -p 53 10.10.10.1

To view script details:

nmap --script-help=smb-os-discovery

2. Fast Scanning Techniques

Perform a quick scan of the most common 1000 TCP ports:

nmap -sV -sC -O -T4 -n -Pn -oA fastscan <IP>

Full port scan with increased speed:

nmap -sV -sC -O -T4 -n -Pn -p- -oA fullfastscan <IP>

Full port scan at Nmap's default timing, which is slower but less likely to drop probes or return unreliable results on slow or congested links:

nmap -sV -sC -O -p- -n -Pn -oA fullscan <IP>
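The -oA prefix used in the commands above writes three files: prefix.nmap (normal output), prefix.gnmap (grepable) and prefix.xml. As an added example that is not part of the original article, the Python below parses that XML file with the standard library and compares the open ports it finds against a per-host baseline, so repeated scans can flag exposure drift (a service that is open but that nobody expected). The XML is a constructed sample in the format Nmap writes, not a real scan, and BASELINE, parse_open_ports and find_unexpected are my own names.

```python
"""Turn an Nmap XML report into an open-port inventory and diff it against a baseline (added example)."""
import xml.etree.ElementTree as ET

# Constructed sample in Nmap's XML output format (the .xml file written by -oA); not a real scan.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<nmaprun scanner="nmap" args="nmap -sV -oA fastscan 10.10.10.1" version="7.94">
<host><status state="up" reason="syn-ack"/>
<address addr="10.10.10.1" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh" product="OpenSSH" version="8.9p1"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http" product="Apache httpd" version="2.4.52"/></port>
<port protocol="tcp" portid="445"><state state="filtered" reason="no-response"/><service name="microsoft-ds"/></port>
<port protocol="tcp" portid="3389"><state state="open" reason="syn-ack"/><service name="ms-wbt-server"/></port>
<port protocol="udp" portid="161"><state state="open|filtered" reason="no-response"/><service name="snmp"/></port>
</ports>
</host>
<host><status state="down" reason="no-response"/><address addr="10.10.10.2" addrtype="ipv4"/></host>
</nmaprun>
"""

# Allowlist of (protocol, port) pairs expected per host; constructed for the sample.
BASELINE = {"10.10.10.1": {("tcp", 22), ("tcp", 80)}}


def parse_open_ports(xml_text):
    """Return {ip: {(proto, port): service_label}} for every port Nmap reported as open."""
    root = ET.fromstring(xml_text)
    inventory = {}
    for host in root.iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        ip = addr.get("addr")
        inventory.setdefault(ip, {})  # hosts that are down still appear, with no ports
        for port in host.iter("port"):
            state = port.find("state")
            # Only a definite "open" counts; "filtered" and the UDP "open|filtered" are skipped
            # because Nmap could not tell an open port from a dropped probe.
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            label = "unknown"
            if svc is not None:
                parts = (svc.get("name"), svc.get("product"), svc.get("version"))
                label = " ".join(p for p in parts if p) or "unknown"
            inventory[ip][(port.get("protocol"), int(port.get("portid")))] = label
    return inventory


def find_unexpected(inventory, baseline):
    """List (ip, proto, port, label) for open ports that the baseline does not allow."""
    findings = []
    for ip, ports in sorted(inventory.items()):
        allowed = baseline.get(ip, set())
        for (proto, port), label in sorted(ports.items()):
            if (proto, port) not in allowed:
                findings.append((ip, proto, port, label))
    return findings


if __name__ == "__main__":
    inv = parse_open_ports(SAMPLE_XML)
    for ip, proto, port, label in find_unexpected(inv, BASELINE):
        print(f"{ip} {proto}/{port} ({label}) is open but not in the baseline")
```

Against a real report, call parse_open_ports(open("fastscan.xml").read()) and keep BASELINE under version control next to the scan schedule; a non-empty result from find_unexpected is the signal to investigate, and hosts that appear in the inventory but not in the baseline are flagged on every open port.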

Recommended Nmap Commands

These are some useful Nmap commands commonly used in security assessments:

nmap 10.10.10.1/24
nmap -vv -p- 10.10.10.1
nmap -vv -sCV -A -O -p21,80,139,443,445 10.10.10.1
nmap -vv -sCV -A -O -Pn -p21,80,139,443,445 10.10.10.1

Explanation of Flags:

  • -vv : Very verbose mode
  • -p- : Scan all 65,536 ports
  • -sCV : Perform default script scan (-sC) and version detection (-sV)
  • -A : Aggressive scan mode (includes OS detection, version detection, script scanning, and traceroute)
  • -O : OS detection
  • -p : Specify ports to scan
  • -Pn : Skip host discovery (assumes the host is online)

Conclusion

Nmap is an essential tool for network security professionals, enabling detailed network reconnaissance and vulnerability assessment. Whether you’re scanning individual hosts, entire networks, or performing advanced scripting, Nmap provides the flexibility and power needed for effective security auditing.
