Thursday, December 15, 2011

Nmap Network Probing Cheatsheet

SkyHi @ Thursday, December 15, 2011
Nmap is a powerful utility for scanning your network and discovering all kinds of information about who is on it and what they’re doing. You can discover used and unused IP addresses, hostnames, services, and operating systems, and their versions – information that can help you monitor who is on your network, and lead you to unsafe or unauthorized servers.
Nmap is included in all Linux distros, and the project also offers binaries for Mac OS X and Windows.
Nmap is a great tool for finding out who is on your network, and listing used and unused IP addresses. This command finds all live hosts in the specified network range and their hostnames:
$ nmap -sn 192.168.1.0/24
The -n option disables DNS lookups, so this version is a little faster when you don’t need to see hostnames:
$ nmap -sn -n 192.168.1.0/24
Nmap’s -sL option lists all addresses in a specified target range. It doesn’t send any packets to network hosts, so it won’t tell you if hosts are up or down, but it does reverse DNS lookups, so it’s a useful tool for testing the correctness of your DNS configuration. Use this to see if your reverse DNS configuration is correct and complete, and if you have any entries for non-existent hosts. The grep '(' incantation weeds out the empty addresses and displays only the addresses that have reverse DNS records:
$ nmap -sL 192.168.1.0/24 | grep '('
This handy one-liner finds all unused IP addresses in an address range and stores them in a plain text file:
$ nmap -v -sn 192.168.1.0/24 | grep down | awk '{print $5}' > filename.txt
A good way to understand what these compound commands do is to run them one part at a time, like this:
$ nmap -v -sn 192.168.1.0/24
Starting Nmap 5.21 ( http://nmap.org ) at 2011-12-11 20:00 PST
Initiating Ping Scan at 20:00
Scanning 256 hosts [2 ports/host]
Completed Ping Scan at 20:00, 10.37s elapsed (256 total hosts)
Initiating Parallel DNS resolution of 256 hosts. at 20:00
Completed Parallel DNS resolution of 256 hosts. at 20:00, 0.01s elapsed
Nmap scan report for 192.168.1.0 [host down]
Nmap scan report for 192.168.1.1 [host down]
Nmap scan report for server1.green.net (192.168.1.2)
Host is up (0.010s latency).
Nmap scan report for 192.168.1.3 [host down]
[...]

$ nmap -v -sn 192.168.1.0/24 | grep down
Nmap scan report for 192.168.1.0 [host down]
Nmap scan report for 192.168.1.1 [host down]
Nmap scan report for 192.168.1.3 [host down]
[...]

$ nmap -v -sn 192.168.1.0/24 | grep down | awk '{print $5}'
192.168.1.0
192.168.1.1
192.168.1.3
[...]
You can make a list of the IP addresses of hosts that are up, so you can track who is on your network and keep an eye out for visitors who shouldn’t be there, and check for duplicate addresses:
$ nmap -sn 192.168.1.0/24 | grep -o '192.168.1.*' | sed 's/[ \)]*$//'
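
The grep/awk pipelines above depend on the exact wording of Nmap's normal output, which changes with the verbosity level and, for the "down" list, prints field 5, which is the hostname rather than the address whenever a down host has a reverse DNS name. Nmap's greppable output format (-oG, with - for standard output) was made for this kind of post-processing: every host is one line of the form "Host: <address> (<name>)  Status: Up|Down", and down hosts appear when -v is given, as with normal output. The script below is an added example and is not code from the original post; the greppable line format is Nmap's real one, but the sample data is constructed to mirror the 192.168.1.0/24 hosts shown above.

```shell
#!/bin/sh
# Added example (not from the original post): split Nmap greppable (-oG)
# host-discovery output into "down" and "up" address lists.
# SAMPLE_GNMAP is constructed to mirror the post's example network; it is
# not real scan output. Real -oG lines use a tab between the fields, which
# printf's \t reproduces here.
SAMPLE_GNMAP=$(printf '%s\t%s\n' \
  'Host: 192.168.1.0 ()'                  'Status: Down' \
  'Host: 192.168.1.1 ()'                  'Status: Down' \
  'Host: 192.168.1.2 (server1.green.net)' 'Status: Up' \
  'Host: 192.168.1.3 ()'                  'Status: Down')

# Addresses of hosts Nmap reported as down (only present with -v).
# $2 is always the address because every host line starts "Host: <addr>".
down_hosts() { awk '/^Host:/ && /Status: Down/ { print $2 }'; }

# "address hostname" for hosts that are up; the hostname is omitted when
# reverse DNS returned nothing, which -oG shows as empty parentheses.
up_hosts() {
  awk '/^Host:/ && /Status: Up/ {
    name = $3; gsub(/[()]/, "", name)
    if (name != "") print $2, name; else print $2
  }'
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_GNMAP" | down_hosts
printf '%s\n' "$SAMPLE_GNMAP" | up_hosts
```

Against a live network the same functions take the scanner's output directly, for example `nmap -v -sn -oG - 192.168.1.0/24 | down_hosts > unused.txt`, and the result is the same whether or not -n was used, because the address is always the second field.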

Port and Operating System Detection

Nmap can probe your network hosts to learn all sorts of interesting things, such as what operating systems they are running, what services, and the service versions. Version information is especially valuable because you don’t want to be caught running outdated, insecure software. This deceptively short command digs deeply into what your servers are exposing to the network:
$ nmap -A 192.168.1.0/24
Nmap scan report for server1.green.net (192.168.1.3)
Host is up (0.0082s latency).
Not shown: 995 filtered ports
PORT     STATE  SERVICE  VERSION
22/tcp   open   ssh      OpenSSH 4.1p1 Debian 7ubuntu4 (protocol 2.0)
| ssh-hostkey: 1024 06:fd:72:16:0d:fc:c2:f5:ea:b7:5b:ea:5d:93:3e:45 (DSA)
|_1024 56:73:4a:1f:4b:ac:d1:53:2d:a2:65:0e:a5:10:b9:38 (RSA)
53/tcp   open   domain   dnsmasq 2.23
443/tcp  open   ssl/http lighttpd 1.4.11
|_sslv2: server still supports SSLv2
|_html-title: Site doesn't have a title (text/html).
5060/tcp closed sip
8000/tcp closed http-alt
Service Info: OS: Linux
The -A switch tells Nmap to perform a comprehensive scan with OS detection, version detection, script scanning, and traceroute; the lines beginning with | and |_ are the script results. The result of the command as run here shows an old server running a lot of old software, possibly dangerously old. The SSL-enabled web server on port 443 even supports SSLv2, which is a big no-no: SSLv2 was released in 1995, was recognized as insecure soon after, and was replaced by SSLv3 in 1996. Nmap fetches SSH public key fingerprints, which are handy for verifying the authenticity of a public key. It even shows that an HTTP server is running, but the home page has no title and may even be the default page that displays on a new installation. You can quickly check this by pointing your web browser to the IP address or hostname.
You can capture Nmap’s output to files in three formats at once with the -oA option:
$ nmap -A -oA filename 192.168.1.0/24
Replace filename with whatever you want the filename to be. This gives you three output files: filename.gnmap, filename.nmap, and filename.xml. gnmap is designed to be easily grep-able, nmap is the same as your screen output, and of course xml is XML, to look nice on web pages. There is even a tongue-in-cheek script kiddie format option:
$ nmap -sn -oS skriptkiddee 192.168.1.0/24
This results in something like this in skriptkiddee.nmap:
Start1Ng Nmap 5.21 ( http://nmap.0rg ) aT 2011-12-12 11:48 PsT
NmaP scan r3pOrT fOR sErvEr1.gr33n.n3t (192.168.1.3)
h0st !z uP (0.0041s LatencY)
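
The greppable file that -oA writes (filename.gnmap) is the one to post-process: it packs every port of a host into a single "Ports:" field, so a few lines of awk turn a -A or -sV scan into a service inventory you can diff from one day to the next to spot new or changed services. The script below is an added example, not code from the original post; the seven-field Ports layout is Nmap's real greppable format, while the sample data is constructed to mirror the -A output for server1.green.net shown above.

```shell
#!/bin/sh
# Added example (not from the original post): turn the Ports field of Nmap's
# greppable output (-oG / the .gnmap file from -oA) into one tab-separated
# row per open port:  address  port/proto  service  version
# SAMPLE_GNMAP is constructed to mirror the post's -A scan; it is not real
# Nmap output.
SAMPLE_GNMAP=$(printf '%s\t%s\n' \
  'Host: 192.168.1.3 (server1.green.net)' 'Status: Up' \
  'Host: 192.168.1.3 (server1.green.net)' 'Ports: 22/open/tcp//ssh//OpenSSH 4.1p1 Debian 7ubuntu4 (protocol 2.0)/, 53/open/tcp//domain//dnsmasq 2.23/, 443/open/tcp//ssl|http//lighttpd 1.4.11/, 5060/closed/tcp//sip///, 8000/closed/tcp//http-alt///')

# Each entry in the Ports field has seven slash-separated parts:
#   port/state/protocol/owner/service/rpc-info/version/
# Nmap writes a literal "/" inside a part as "|" in this format; undo that.
open_services() {
  awk '
    /^Host:/ && /Ports: / {
      ip = $2                     # save the address before rewriting $0
      sub(/^.*Ports: /, "")       # keep the port list only
      sub(/\t.*$/, "")            # drop any trailing tab-separated fields
      n = split($0, entry, ", ")
      for (i = 1; i <= n; i++) {
        split(entry[i], f, "/")
        if (f[2] != "open") continue
        gsub(/\|/, "/", f[5]); gsub(/\|/, "/", f[7])
        printf "%s\t%s/%s\t%s\t%s\n", ip, f[1], f[3], f[5], f[7]
      }
    }'
}

# Number of open ports per host, a quick figure to compare between scans.
open_port_count() { open_services | awk '{ c[$1]++ } END { for (h in c) print h, c[h] }'; }

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_GNMAP" | open_services
printf '%s\n' "$SAMPLE_GNMAP" | open_port_count
```

With a saved scan the input is simply the file: `open_services < filename.gnmap > today.tsv`, and `diff yesterday.tsv today.tsv` shows services that appeared, disappeared, or changed version since the last run.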
You might want to limit a scan to check whether specific ports are open. This example probes HTTP ports 80, 443, and 8080:
$ nmap -p T:80,443,8080 192.168.1.0/24
The T: prefix in the port list selects TCP ports; use U: for UDP ports (UDP ports are only probed when you also request a UDP scan with -sU).
You can also probe only for services and version information:
$ nmap -sV 192.168.1.0/24
Add -v or -vv to any nmap command to increase the verbosity of the output. If you are filtering the output through a command like awk or sed, you’ll probably have to adjust it to allow for the different verbosity levels.

Target Specifications

The Nmap documentation calls the IP addresses or hostnames you are probing the target specification. You can slice and dice your targets in a lot of useful ways. In our examples the target specification has been a single private subnet in CIDR notation. You can query a single IP address or hostname, or multiple hostnames, with a space-, tab-, or newline-delimited list. I like space-delimited lists on the command line:
$ nmap -A server1 server2 server3
Or create a plain-text list of hostnames or IP addresses separated by newlines, and then call this list with the -iL option:
$ nmap -A -iL hostname-list
Use the --excludefile option, with a file in the same format, to list hostnames or addresses you don't want to scan.
You can specify a list of non-consecutive IP addresses in this form: 192.168.1.41,77,103. An address range looks like 192.168.1.15-101.
All of the above only hints at what Nmap can do. You can learn more about this powerful network scanner at Nmap.org.
REFERENCES
http://olex.openlogic.com/wazi/2011/nmap-network-probing-cheatsheet/