nmap flags and what they do

Chưa phân loại
On LinuxHint nmap port scanning was already explained. This tutorial is the first of a series of introductory tutorials to nmap’s main functionalities. The first article focuses on Nmap flags, the second on ping sweep then network scanning and the last one NSE, then you can continue with our old (but still relevant) article on nmap scan for services and vulnerabilities.

Previous brief introduction to nmap’s target syntax:

When we use nmap we first call the program “nmap”, then specify the instructions through flags (like the port with the flag -p) and the target/s using it’s IP, host or host range. While there are many ways to pass targets we’ll use 5: single ip scan which you can execute by providing nmap the target’s host or IP, IP range scan which you can define by using a hyphen between the starting and end point of possible IPs between 0 and 255 (e.g which instructs nmap to scan between IP 35 and 120 of the last octet), multiple target scan which we’ll carry out importing targets from a file, random scan and full octet’s scan by using wildcard (*).


Single IP scan: nmap X.X.X.X/www.hostname.com

IP range scan: nmap nmap X.X.X.Y-Z/X.X.Y-Z.Y-Z

Random scan: nmap -iR X <FLAG>

Full octet scan: X.X.X.*

Where: X,Y and Z are replaced by numbers

Previous brief introduction to nmap’s port states:

Nmap outputs report between 6 possible states when scanning ports:

Open: the port is open and an application is listening through it.

Closed: the port is closed, not application is listening.

Filtered: a firewall prevents nmap from reaching the port.

Unfiltered: Port is accessible but nmap is unable to check it’s state.

Open|filtered: Nmap is unable to determine if a port is open or filtered.
Closed|Filtered: Nmap is unable to determine if a port is closed or filtered.

Nmap flags

Nmap flags are the parameters we use after calling the program, for example -Pn (no ping) is the flag or parameter to prevent nmap from pinging targets. Below you’ll find nmap’s main flags with examples.

-p: the -p flag or parameter is useful to specify one or many ports or port ranges. We can add several ports separated by a comma as shown in the image below:

nmap -p 80,22,139 linuxhint.com

I instructed nmap to scan LinuxHint’s server for ports 80,22,139, while http and ssh are open netbios port is closed.
To scan a port range you can use a hyphen to separate the range’s limit, to scan LinuxHint’s ports from the 21 to 25 run:

nmap -p 2125 linuxhint.com

Optionally you can also define ports by their default service name rather than their port number like “nmap -p ssh <target>

–open: This flag instructs nmap to find open ports on a specified IP range, in this example nmap will look for all open ports of IP addresses within the range (using wildcard equals using the 1-255 range.)

nmap –open <IP/HostRange>

-iL: Another way to define targets by creating a targets list. In the list hosts can be separated by comma, space, tab or new line. Below an example of nmap used to scan multiple targets using a list called “hostslist” which includes LinuxHint and other two hosts.

nmap -iL hostslist

–exclude: This flag is useful to exclude IP addresses or hosts from scans when we scan IP ranges or target files. In the following example I’ll use the hostlist again to scan ports ssh, ftp and sftp but I instruct nmap to exclude linuxhint.com from the list. As you see in contrast with the result shown in the -iL flag example linuxhint.com wasn’t scanned.

nmap -p ssh,ftp,sftp -iL hostslist linuxhint –exclude linuxhint.com

-iR: The -iR flag instructs nmap to find hosts randomly, the -iR flag depends on an argument and a numerical instructions, it requires the user to define how many hosts or targets nmap should generate. In the following example I apply the -iR flag to scan http ports of 50 automatically generated random addresses, from the generated addresses nmap found 2 up hosts.

In the following example I instruct nmap to  generate 200 random targets to scan for the NetBios port.

-v: The -v flag (verbosity) will print information on the scan process. By default nmap doesn’t show the process, this parameter will instruct nmap to show what’s going on during the scan.

-e: This flag allows us to specify a network interface (e.g eth0, wlan0, enp2s0,etc), useful if we are connected both through our wired and wireless cards. In my case my wireless card is wlp3s0, to instruct nmap to use that interface to scan ports 22 and 80 on LinuxHint.

-f: The -f (fragment packets) flag is also used to try to keep the scan process undetected by fragmenting the packets making harder for firewalls or IDS to detect the scan. This option isn’t compatible with all nmap features.

nmap -p 80,ssh,21,23,25 -f linuxhint.com

–source-port / -g: flags –source-port and -g are equivalent and instruct nmap to send packets through a specific port. This option is used to try to cheat firewalls whitelisting traffic from specific ports. The following example will scan the target from the port 20 to ports 80, 22, 21,23 and 25 sending fragmented packets to LinuxHint.

nmap -g 20 -p 80,ssh,21,23,25 -f linuxhint.com

All flags mentioned above are the main flags used with nmap, the following tutorial on ping sweep explains additional flags for host discovery with a brief introduction to nmap’s phases.

For questions on nmap you can visit LinuxHint’s support center.

Sandclock IDC thành lập vào năm 2012, là công ty chuyên nghiệp tại Việt Nam trong lĩnh vực cung cấp dịch vụ Hosting, VPS, máy chủ vật lý, dịch vụ Firewall Anti DDoS, SSL… Với 10 năm xây dựng và phát triển, ứng dụng nhiều công nghệ hiện đại, Sandclock IDC đã giúp hàng ngàn khách hàng tin tưởng lựa chọn, mang lại sự ổn định tuyệt đối cho website của khách hàng để thúc đẩy việc kinh doanh đạt được hiệu quả và thành công.
Bài viết liên quan

[FTP][Phần 2]Hướng dẫn cấu hình FTP Server trên CentOS-7 với VSFTPD

Tại phần 1, ta đã tìm hiểu tổng quan về giao thức FTP, cũng như cách hoạt động của nó. Bài...

Consul Service Mesh

The service mesh is a software directed way to routing and segmentation. There used to be some issues and challenges running...

QOwnNotes 17.03.7 released, Install QOwnNotes on Linux

Are you looking for a simple note taking editor, then checkout QOwnNotes. QOwnNotes is an open source plain-text file notepad editor,...
Bài Viết

Bài Viết Mới Cập Nhật

Hướng dẫn chuyển đổi windows server windows evaluation to standard và active windows server 2008 + 2012 + 2016 + 2019

How to Update Ubuntu Linux

Squid Proxy Manager cài đặt và quản lý Proxy Squid tự động trên ubuntu

Hướng dẫn cài đặt Apache CloudStack

Hướng dẫn ký file PDF bằng chữ ký số (chữ ký điện tử) và sửa lỗi mới nhất 2021 foxit reader