Examples include from host discovery to vulnerability audit, network diagnostics and more. Most of them were produced in real or simulated scenarios making them real valuable for network administrators or students.
Implementing the examples described in this tutorial is pretty simple, as running a command.
All subjects covered in this article include:
NOTE: Last update of this tutorial was in October 2021.
Ping Sweep with Nmap
Ping sweep is a technique used to discover live hosts within a network or range.
Nmap ping sweep examples were deeply explained at Nmap ping sweep.
To execute ping sweep using Nmap, you need to implement the -sP or -sn options, which instruct Nmap to avoid port scan after discovery.
In the following example, a wildcard is implemented to instruct Nmap to discover all online C class network hosts or devices.
In the previous example, Nmap only confirms the host is alive without scanning the target. The opposite would be the -Pn option, which instructs Nmap to start the scan without checking if the host is alive.
At the end, it will print the total number of live hosts as shown in the screenshot below.
As you can see, from 239 scanned addresses, 10 were online devices.
Defining Ports with Nmap Using the -p Flag
Defining a port to scan with Nmap is pretty easy, just add the flag -p followed by the port, or ports separated by commas as shown in the screenshot below.
nmap -p 80,22,139,21,23 192.168.0.*
In the following example the port range is defined with a hyphen to scan Linux Hint port range from 22 to 80:
nmap -p 22–80 linuxhint.com
The following example shows Nmap scanning two different port ranges separated by commas.
nmap -p 20–80,100–600 192.168.0.3-14
There are many ways to specify ports to scan using Nmap. We have published a tutorial showing different ways to scan all ports using Nmap. One of these methods to scan all ports on a target requires the implementation of the -p- option as shown in the following example.
The final example of this section shows an ARP scan executed through Nping, part of the Nmap suite, which inherited Nmap flags to customize ARP scans.
nping –arp-type ARP 192.168.1.100-104
As you see, Nping identifies every IP with the proper MAC address.
Nmap FIN Scan Example
The next example is an aggressive FIN scan against a port range.
nmap -sF -T4 192.168.0.3-14
This is an example of an insane FIN scan against a single device:
To end FIN scan examples, let’s do a less aggressive scan against a metasploit virtual device.
nmap -sF -T2 192.168.56.1
Nmap NULL Scan Example
The following example shows a NULL scan against linuxhint.com port 80. Remember Nmap NULL, Xmas and FIN scans can’t distinguish between open and filtered ports, in many scenarios.
sudo nmap -v -sN -p 80 linuxhint.com
Now, let’s try an insane scan against a router.
nmap -sN -T5 192.168.56.1
Usually NULL, Xmas and FIN scans can’t distinguish between filtered and open ports when the port is open, the next example includes the -sV option to help it distinguish, but adding this option results in a less stealthy scan:
nmap -sN -T2 -sV -p80,22,21,139 192.168.56.1
Nmap Xmas Scan Example
The Xmas scan with Nmap was deeply explained in this article.
Below, you can see an example of an aggressive Xmas scan against the target 192.168.56.1.
nmap -sX -T4 192.168.56.1
Now, a less aggressive Xmas scan against port 80 and 22.
nmap -sX -T2 -p80,22 192.168.0.3
The following example is similar to the above, but includes level 2 verbosity:
nmap -sX -T2 -v2 -p80,22 192.168.0.3
As you can see, the last output reveals additional information than the previous output.
Update Scripts Database
Nmap contains a suite of scripts with additional functionalities. This suite is known as Nmap NSE.
Before using the Nmap NSE update the database by running the command below.
Once updated, you can proceed with Nmap NSE.
Get Devices OS, Workgroup, Domain, Device Name Over SMB Protocol
The following example uses the NSE script –script smb-os-discovery (https://nmap.org/nsedoc/scripts/smb-os-discovery.html) against whole last 2 octets of the network 172.31.X.X
nmap -p 445 –script smb-os-discovery 172.31.*.*
As you can see in the screenshot below, the first possible vulnerable target was one.
The screenshot below reveals a new vulnerable target was found.
Two Windows XP computers were found, great candidates for a Idle scan which will be explained later below in this tutorial.
Finding Zombie for Idle Scan
The following example shows how to search for a zombie candidate to execute an Idle scan by scanning the last octet of the 10.100.100.X network by using the NSE script ipidseq (https://nmap.org/nsedoc/scripts/ipidseq.html).
nmap -p80 –script ipidseq 10.100.100.*
Another way to find potential zombie candidates for Idle scans:
nmap -Pn -O -v 192.168.56.102
Executing an Idle Scan
Running an Idle scan using a candidate found in the previous step.
nmap -Pn -sI 10.100.100.108 -p80,21,22,443 172.31.124.141
Another Idle scan using the same candidate against a gateway:
nmap -Pn -sI 172.31.100.108 -p80,21,22,443 172.31.99.2
An Idle scan against the FTP of a router using a Windows 98 virtualized device:
nmap -Pn -sI 192.168.56.102 -p21 192.168.0.1
Scanning Ranges for Vulnerabilities
The following example shows the wildcard implementation to scan a whole octet’s range.
nmap -v –script vuln 172.31.100.*
Below, you can see an output sample.
Scanning for smb-vuln-ms08-067 Vulnerability
The following scan uses the NSE script smb-vuln-ms08-067 (https://nmap.org/nsedoc/scripts/smb-vuln-ms08-067.html) to search for a remote execution vulnerability on two last octets of the network by implementing the wildcard twice.
nmap -p445 –script smb-vuln-ms08-067 172.31.*.*
Brute Force Against SSH with Nmap NSE
Nmap NSE (Nmap Scripting Engine) was deeply covered in the Nmap NSE tutorial. This example shows how to use the Nmap scripting engine to bruteforce the target ssh.
For this attack we will use the NSE script named ssh-brute.nse.
nmap –script ssh-brute.nse 192.168.0.3
As you can see, NSE will read a list including username and password pairs. Of course, you can provide NSE your custom list.
I hope all Nmap examples shown in this tutorial were useful to you. Nmap is probably the best network scanner in the market. Despite faster solutions, like Mass Scan, Nmap leads with multiple features and additional scripts. You also can write your own NSE scripts to use with Nmap.
As you can see, despite its power, Nmap can be easily executed by any Linux level user. Deep Nmap learning is very advantageous for anyone dealing with networking.
Thank you for reading this tutorial showing 30 Nmap examples. Keep following Linux Hint for additional Linux tips and tutorials.