Helping Information

nmap scanning

11 Different Types of Nmap Scanning Commands.

Today we are taking a look of 11 different types of Nmap Scanning Commands. Nmap (Network Mapper) may be a free and open-source network scanner created by Gordon Lyon (also known by his pseudonym Fyodor Vaskovich). Nmap is employed to get hosts and services on a network by sending packets and analyzing the responses.

Here 11 Different Types of Nmap Scanning Commands for Vulnerability Scanning.
11 Different Types of Nmap Scanning
Nmap provides a variety of features for probing computer networks, including host discovery and repair and OS detection. These characteristics are extensible by scripts that give more advanced service discovery, vulnerability detection, and other features. Nmap can adapt to network conditions including latency and overcrowding during a scan.
Nmap started as a Linux service and was ported to other systems including Windows, macOS, and BSD. it’s most excited on Linux, followed by Windows. We need different types of Nmap scanning commands for test vulnerability by each aspect.

1. The basic type of Nmap scanning against host or IP:

       a. nmap 
        Now, if you want to scan a hostname, simply replace the IP for the host, as you see below:
       b. nmap
           These kinds of basic scans are perfect for your first steps when starting with Nmap.

2. Scan multiple IP addresses:

Let’s try to scan multiple IP addresses. For this you need to use this syntax:
       a. nmap
          You can also scan consecutive IP addresses:
       b. nmap -p,2,3,4
          This will scan,, and

3. Scan multiple IP addresses:

Using “–top-ports” parameter along with a specific number lets you scan the top X most common ports for that host, as we can see:
       nmap –top-ports 20

4. Scan hosts and IP addresses reading from a text file:

In this case, Nmap is also useful to read files that contain hosts and IPs inside.
Let’s suppose you create a list.txt file that contains these lines inside:

The “-iL” parameter lets you read from that file, and scan all those hosts for you:
       e. nmap -iL list.txt

5. Save your Nmap scan results to a file:

On the other hand, in the following example we will not be reading from a file, but exporting/saving our results into a text file:

       a. nmap -oN output.txt
          Nmap has the ability to export files into XML format as well, see the next example:
       b. nmap -oX output.xml

6. Scan + OS and service detection with fast execution:

Using the “-A” parameter enables you to perform OS and service detection, and at the same time we are combining this with “-T4” for faster execution. See the example below:
        a. nmap -A -T4

7. Scan using TCP and UDP Protocols:

One of the things we love most about Nmap is the fact that it works for both TCP and UDP protocols. And while most services run on TCP, you can also get a great advantage by scanning UDP-based services. Let’s see some examples.

      Standard TCP scanning output:
            a. [[email protected]:~]nmap -sT  
      UDP scanning results using “-sU” parameter:
            b. [[email protected]:~]nmap -sU localhost

8. Vulnerability detection using different types of Nmap scan:

One of Nmap’s greatest features that not all the network and systems administrators know about is something called “Nmap Scripting Engine” (known as NSE). This scripting engine allows users to use a pre-defined set of scripts, or write their own using Lua programming language.
Using NSE is crucial in order to automate system and vulnerability scans. For example, if you want to run a full vulnerability test against your target, you can use these parameters:
        a. nmap -Pn –script vuln

9. Launching DOS with Nmap:

Nmap features never seem to end, and thanks to the NSE, that even allows us to launch DOS attacks against our network testings.
In our the previous example, we found the host was vulnerable to Slowloris attack, and now we’ll try to exploit that vulnerability by launching a DOS an attack in a forever loop:

      a. nmap -max-parallelism 800 -Pn –script http-slowloris –script-args http-slowloris.runforever=true

10. Launching brute force attacks:

NSE is really fascinating – it contains scripts for everything you can imagine. See the next three examples of BFA against WordPress, MSSQL, and FTP server:
      a. WordPress brute force attack:
            i. nmap -sV –script http-wordpress-brute –script-args ‘userdb=users.txt,passdb=passwds.txt,, http-wordpress-brute.threads=3,brute.firstonly=true’
       b. Brute force attack against MS-SQL:

          i. nmap -p 1433 –script ms-sql-brute –script-args userdb=customuser.txt,passdb=custompass.txt

      c. FTP brute force attack:
                       i. nmap –script ftp-brute -p 21

11. Detecting malware infection in remote hosts:

Nmap is able to detect malware and backdoors by running extensive tests on a few popular OS services like on Identd, Proftpd, Vsftpd, IRC, SMB, and SMTP. It also has a module to check for popular malware signs inside remote servers and integrates Google’s Safe Browsing and VirusTotal databases as well.
      a. A common malware scan can be performed by using:
                    i. nmap -sV –script=http-malware-host
      b. Or using Google’s Malware check:
                    i. nmap -p80 –script http-google-malware
      c. Output example:
                    i. 80/tcp open  http  |_http-google-malware.nse: The host is known for distributing malware.
Nmap is one of the most complete and accurate port scanners used by infosec professionals today. With it, you can perform simple port scan tasks or use its powerful scripting engine to launch DOS attacks, detect malware or brute force testings on remote and local servers.

Leave a Reply

Your email address will not be published. Required fields are marked *