The Top 20 Nmap Commands You Must Know

Confused by the countless Nmap commands and the way the official documentation describes them? We understand, and we can help. The good news is that you do not need to know everything Nmap can do in order to use it effectively in day-to-day work.

This article covers the 20 most useful Nmap commands you will reach for on the job. Whether you are an ethical hacker, a student in the field, or a capture-the-flag hobbyist, these 20 essential Nmap commands will handle almost any situation. You will no longer have to puzzle over Nmap's finer points. Scroll down and let's start scanning our targets for vulnerabilities.

What Is Nmap?

Network Mapper (Nmap) is a command-line, multi-platform (Windows, macOS, Linux and others) network scanning application designed to detect hosts and services on a computer network. Nmap is a vital tool for any student or professional in cyber security. This free and open-source utility helps you gather network information and assess the security posture of the devices you scan with it. Nmap can identify a host's operating system, running applications, open ports, firewall behaviour, and more. If you don't have it yet, install Nmap from the official site (nmap.org).

How To Use Nmap

The Nmap command syntax is the "nmap" keyword followed by zero or more flags and at least one target:

nmap [flags] <target>

All flags begin with one (-) or two (--) hyphens, and a single Nmap command may contain multiple flags. A target is typically an IPv4/IPv6 address, a hostname, or an address range (for example 192.168.1.0/24 or 192.168.1.1-254). Some flags take a file instead of a target; those are for commands that read targets from a file (-iL) or write scan results to files (-oN, -oX, -oG, or -oA for all three at once).

1. List all hosts on a network

nmap -sL <target>

A list scan is the least intrusive form of host discovery: Nmap only lists each host in the selected network(s) and sends no packets to the target hosts themselves. By default, Nmap does a reverse DNS lookup for each address to obtain hostnames, so the only traffic generated goes to your DNS resolver. It is a good way to sanity-check a target range before committing to a real scan.

2. Disable port scanning and only discover active hosts

nmap -sn <target>

(-sP is the older, deprecated spelling of the same option and still works.)

With this option Nmap prints only the hosts that responded to its host discovery probes and performs no port scan. It is slightly more intrusive than a list scan because the probes do reach the targets. Use it as a "ping sweep" to count available machines on a network or to monitor server availability. Be aware that hosts behind a firewall that drops Nmap's default probes (ICMP echo, a TCP SYN to port 443, a TCP ACK to port 80, and an ICMP timestamp request when running as root) will be reported as down; add -Pn to skip host discovery and scan them anyway.

3. Discover the network path to a host

nmap --traceroute <target>

A packet may traverse several routers before reaching its destination. This option traces that hop-by-hop path. Nmap runs the traceroute after the port scan and uses the scan results to pick a probe type and port that is already known to reach the target, which is why it often succeeds where a plain ICMP traceroute is filtered.

4. Scan for open ports and version information of services

nmap -sV <target>

When preparing for and doing pentesting, this command finds open ports and then probes each one to determine which service, and which version of it, is actually listening. Accurate version numbers let you match a service against known vulnerabilities instead of guessing from the port number alone. Note that version probes send application-layer data to each service, so a -sV scan is more visible to the target than a bare port scan.

5. Scan the ports specified

nmap -p <ports> <target>

Use this option to tell Nmap which ports to scan. It accepts individual port numbers and ranges separated by a hyphen (for example 1-1023). Nmap can also scan port zero, but you must list it explicitly (-p 0 or -p 0-65535). When scanning a combination of protocols (for example TCP and UDP with -sS -sU), you can assign ports to a particular protocol by preceding them with a single-letter qualifier: T: for TCP, U: for UDP, S: for SCTP, and P: for IP protocols (used with -sO). A qualifier stays in force until you specify another one. For example, the argument -p U:53,111,137,T:21-25,80,139,8080 scans UDP ports 53, 111, and 137, and the listed TCP ports 21 through 25, 80, 139, and 8080. Ports given without any qualifier apply to every protocol the scan uses.

6. Scan all ports on a target

nmap -p- <target>

This command scans ports 1 through 65535 (port 0 is excluded unless you list it explicitly). Without -p, Nmap scans only the 1,000 most common ports for each requested protocol, so a full -p- scan is the way to find services hiding on unusual ports; expect it to take considerably longer.

7. Scan for open ports on the target

nmap --open <target>

Only show hosts that have open or possibly open ports, and list those ports. Here "open" means any port that may be open, which covers the states open, open|filtered (open or filtered), and unfiltered; closed and filtered ports are dropped from the output, which keeps large-range scans readable. The Nmap official documentation has more on port states.

8. Scan for the specified number of most common ports

nmap --top-ports <n> <target>

Specify how many of the most commonly open ports Nmap should scan. Nmap ranks ports by the frequency ratio recorded in its nmap-services file, skips any ports listed with --exclude-ports, and scans the top <n>; <n> must be at least 1. For example, --top-ports 100 is a quick first pass over a large network.

9. Perform a TCP connect scan

nmap -sT <target>

In a TCP connect scan, Nmap asks the underlying operating system to establish a connection with the target port by issuing the connect system call, the same high-level call that web browsers, P2P clients, and most other network-enabled applications use. This is Nmap's default scan type when it lacks raw-socket privileges (for example when run as a non-root user). When running as root the default is instead the SYN scan (-sS), which never completes the TCP handshake; a connect scan does complete it, so the listening service sees a real connection and is more likely to log it.

10. Scan for UDP ports

nmap -sU <target>

In a UDP scan, Nmap sends a UDP packet to every targeted port, usually with no payload except for ports where a protocol-specific payload increases the response rate, such as 53 (DNS) and 161 (SNMP). Nmap classifies each port from what comes back: an ICMP port unreachable error (type 3, code 3) means closed; other ICMP unreachable errors (type 3, codes 1, 2, 9, 10 or 13) mean filtered; a UDP reply means open; and no response at all is reported as open|filtered, because an open service may simply have ignored the empty probe. Combining -sU with -sV sends service-specific payloads that often resolve open|filtered ports to open. Avoid rushing UDP scans: operating systems such as Linux and Solaris rate-limit ICMP error messages (Linux to about one per second), so scanning all 65535 UDP ports on a single host can take many hours.

11. Enable OS detection, version detection, script scanning, and traceroute

nmap -A <target>

This "aggressive" option turns on operating system detection (-O), version detection (-sV), default script scanning (-sC), and traceroute (--traceroute) in a single flag. It is convenient, but it is also noisy and sends many more packets to the target than a plain port scan.

12. Scan for remote operating system

nmap -O <target>

Perform remote operating system detection using TCP/IP stack fingerprinting: Nmap sends a series of TCP, UDP and ICMP packets to the remote host, examines every bit in the responses, compares the result against its nmap-os-db database of more than 2,600 known operating system fingerprints, and prints the operating system details if there is a match. OS detection requires raw-socket privileges (root), and it works best when the target has at least one open and one closed TCP port; otherwise Nmap warns that the result may be unreliable.

13. Scan a target with a specific timing template

nmap -T<0-5> <target>

Timing templates let you say how aggressive you want to be and leave Nmap to pick the exact timing values. The template names are paranoid (0), sneaky (1), polite (2), normal (3), aggressive (4), and insane (5). Paranoid and sneaky are so slow that they are intended for evading intrusion detection systems; polite slows the scan to use less bandwidth and fewer target resources; normal is the default; aggressive assumes a fast, reliable network; insane assumes an extraordinarily fast network or a willingness to sacrifice accuracy for speed. You can combine a number and a name, so -T4 and -T aggressive are equivalent.

14. Increase the verbosity of the output (second level)

nmap -vv <target>

A single -v flag increases the verbosity level, causing Nmap to print more information about the scan in progress, such as open ports as they are found and completion time estimates for scans that may take a while. Use it twice or more for even greater verbosity (-vv), or give a verbosity level directly, for example -v3.

15. Scan for commonly used ports and services

nmap -sC <target>

This command is equivalent to nmap --script=default. It uses the default category of Nmap Scripting Engine (NSE) scripts, which interrogate individual ports and protocols, including HTTP and POP3. The scripts are mostly safe, but some interact with a service in ways that could be considered intrusive. For example, the default script jdwp-info tries to exploit Java's remote debugging port. Review the default category before running it against production systems.

16. Run a script on the target

nmap --script <script> <target>
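The port specification syntax from items 5 and 6 has a few rules that are easy to get wrong (qualifiers that persist until the next one, an omitted low bound starting at 1 so that -p- never touches port 0, and a 65535 ceiling). The following Python helper, added here as an example and not part of the original article or of Nmap itself, expands a -p value into per-protocol port sets and then uses that check to build an argv list for subprocess without a shell, so that user-supplied targets or port lists can never be turned into extra Nmap options (such as -iL /etc/passwd) or shell commands. It assumes numeric ports and ranges only (service names and wildcards such as http* are not handled), that the options list comes from the wrapper itself and is trusted, and it uses the RFC 5737 documentation address 192.0.2.10 as a placeholder target.

```python
"""Expand Nmap's -p port specification and build a validated argv list.

Added example for this article; it is not Nmap's code (Nmap does its own
parsing). It validates user-supplied targets and port lists before they reach
nmap and passes them as an argv list with no shell, so input such as
"-iL /etc/passwd" or "; id" cannot become an option or a shell command.
Assumption: numeric ports and ranges only; service names and wildcards in -p
are not handled.
"""
import re
import subprocess
from typing import Dict, List, Optional, Set

# Single-letter protocol qualifiers accepted in -p (Nmap man page, PORT SPECIFICATION).
QUALIFIERS = {"T": "tcp", "U": "udp", "S": "sctp", "P": "ip"}
MAX_PORT = 65535
# Ports given before any qualifier apply to every protocol the scan uses; filed under "*".
ANY = "*"
# Targets: hostname, IPv4/IPv6, CIDR, or an Nmap range such as 10.0.0.1-254; never a leading '-'.
TARGET_RE = re.compile(r"[A-Za-z0-9:][A-Za-z0-9.:*/-]*")


def _expand_item(item: str) -> Set[int]:
    """Expand one item: 'N', 'lo-hi', '-hi' (from 1), 'lo-' (to 65535) or '-' (1-65535).

    An omitted low bound starts at 1, which is why 'nmap -p-' covers 1-65535 and
    port 0 is scanned only when written explicitly ('0' or '0-65535').
    """
    if item == "" or not re.fullmatch(r"\d*-?\d*", item):
        raise ValueError(f"bad port item: {item!r}")
    if "-" in item:
        lo_s, hi_s = item.split("-", 1)
        lo = int(lo_s) if lo_s else 1
        hi = int(hi_s) if hi_s else MAX_PORT
    else:
        lo = hi = int(item)
    if lo > hi or hi > MAX_PORT:
        raise ValueError(f"port range out of order or above {MAX_PORT}: {item!r}")
    return set(range(lo, hi + 1))


def parse_port_spec(spec: str) -> Dict[str, Set[int]]:
    """Expand a -p value into {qualifier: ports}.

    A qualifier stays in force until the next one appears, so
    'U:53,111,137,T:21-25,80,139,8080' files 53/111/137 under U and the rest under T.
    """
    result: Dict[str, Set[int]] = {}
    current = ANY
    for raw in spec.split(","):
        item = raw.strip()
        if len(item) >= 2 and item[1] == ":":
            if item[0] not in QUALIFIERS:
                raise ValueError(f"unknown protocol qualifier {item[:2]!r}")
            current, item = item[0], item[2:]
        result.setdefault(current, set()).update(_expand_item(item))
    return result


def build_nmap_argv(target: str, options: Optional[List[str]] = None,
                    ports: Optional[str] = None) -> List[str]:
    """Return an argv list for subprocess.run with the target and port spec validated."""
    if not TARGET_RE.fullmatch(target):
        raise ValueError(f"refusing suspicious target {target!r}")
    argv = ["nmap", *(options or [])]  # options come from the wrapper itself (trusted)
    if ports is not None:
        parse_port_spec(ports)  # raises on malformed input before nmap ever sees it
        argv += ["-p", ports]
    argv.append(target)
    return argv


def run_scan(target: str, options: Optional[List[str]] = None,
             ports: Optional[str] = None) -> str:
    """Run nmap (must be installed) with the validated argv and return its stdout."""
    proc = subprocess.run(build_nmap_argv(target, options, ports),
                          capture_output=True, text=True, check=True)
    return proc.stdout


if __name__ == "__main__":
    spec = "U:53,111,137,T:21-25,80,139,8080"  # the example from item 5
    for proto, ports in sorted(parse_port_spec(spec).items()):
        print(QUALIFIERS.get(proto, "any"), sorted(ports))
    # 192.0.2.10 is an RFC 5737 documentation address used here as a placeholder target.
    print(build_nmap_argv("192.0.2.10", ["-sS", "-sU", "-sV"], spec))
```

The list form of subprocess.run is what makes the second half safe: no shell ever interprets the arguments, and the target regex rejects anything beginning with a hyphen so it cannot be parsed as an option.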
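Item 7 defines which port states --open keeps. That filter only applies while Nmap is running; if you saved grepable output (-oG) from an earlier scan, the same rule has to be applied afterwards. The helper below is an added example, not part of the original article or of Nmap: it parses the tab-separated Host/Ports lines of the -oG format, keeps only ports in the open, open|filtered or unfiltered states, and drops hosts with nothing left, which is exactly what --open does at scan time. SAMPLE_OG is a constructed sample in -oG format, not a capture from a real scan, and the parser assumes that version strings never contain the ", " entry separator.

```python
"""Apply the --open rule to saved grepable (-oG) Nmap output.

Added example, not part of the article or of Nmap. --open filters at scan
time; this helper applies the same rule (keep only ports whose state is open,
open|filtered or unfiltered, and drop hosts with nothing left) to output you
already captured. SAMPLE_OG is a constructed sample in -oG format, not a real
scan. Assumption: version strings never contain the ", " entry separator.
"""
from typing import Dict, List, Tuple

# The three states --open keeps: the port might really be open.
LIKELY_OPEN = {"open", "open|filtered", "unfiltered"}

PortRecord = Tuple[int, str, str, str]  # (port, state, protocol, service)

# Constructed -oG sample: one Status line and one Ports line per live host, tab-separated fields.
SAMPLE_OG = (
    "# Nmap 7.94 scan initiated Mon Jan  1 00:00:00 2024 as: nmap -sS -sU -oG - 192.0.2.0/29\n"
    "Host: 192.0.2.10 ()\tStatus: Up\n"
    "Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, "
    "25/filtered/tcp//smtp///, 53/open|filtered/udp//domain///\tIgnored State: closed (997)\n"
    "Host: 192.0.2.11 ()\tStatus: Up\n"
    "Host: 192.0.2.11 ()\tPorts: 80/closed/tcp//http///, 443/closed/tcp//https///"
    "\tIgnored State: filtered (998)\n"
    "Host: 192.0.2.12 ()\tStatus: Down\n"
    "# Nmap done at Mon Jan  1 00:00:12 2024 -- 8 IP addresses (2 hosts up) scanned in 12.34 seconds\n"
)


def parse_grepable(text: str) -> Dict[str, List[PortRecord]]:
    """Return {host: [(port, state, proto, service), ...]} from -oG text.

    Each Ports entry is 'port/state/proto/owner/service/rpcinfo/version/';
    only port, state, proto and service are kept here.
    """
    hosts: Dict[str, List[PortRecord]] = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # skip comment lines and blank lines
        fields = line.split("\t")
        ip = fields[0].split()[1]
        records = hosts.setdefault(ip, [])  # a Status-only host still gets an (empty) entry
        for field in fields[1:]:
            key, _, value = field.partition(": ")
            if key != "Ports":
                continue
            for entry in value.split(", "):
                parts = entry.split("/")
                records.append((int(parts[0]), parts[1], parts[2], parts[4]))
    return hosts


def open_hosts(text: str) -> Dict[str, List[PortRecord]]:
    """Emulate --open: keep likely-open ports and drop hosts that have none left."""
    result: Dict[str, List[PortRecord]] = {}
    for ip, records in parse_grepable(text).items():
        keep = [r for r in records if r[1] in LIKELY_OPEN]
        if keep:
            result[ip] = keep
    return result


if __name__ == "__main__":
    for ip, records in open_hosts(SAMPLE_OG).items():
        print(ip, ", ".join(f"{p}/{proto} {state} ({svc})" for p, state, proto, svc in records))
```

On the sample, only 192.0.2.10 survives the filter: its filtered SMTP port is dropped, the UDP DNS port is kept because open|filtered may really be open, and 192.0.2.11 disappears entirely since both of its ports are closed.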