Useful NMAP commands for SysAdmins

Posted by SysAdmin Tools on

NMAP is an extremely powerful tool for network scanning, surveillance and vulnerability management.

The typical format of an NMAP command is as follows.

  • nmap -function --script=scriptname <target> 

The target can be a host ( or a network (

Typical open port (services) scan

  • nmap -sV <target>
  • nmap -sV <network/subnet> (Example <


SSL NMAP Commands

Enumerate the SSL ciphers enabled on a server/device to see if SSL2, SSL3 or TLS1.0 is still enabled

  • nmap -sV --script ssl-enum-ciphers -p 443 <target>
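
To review this scan's results across many hosts, the following added example (not from the original post) parses nmap's normal output and lists each host and port that still offers a legacy protocol, flagging SSLv3 and TLSv1.0 by default. The sample output is constructed and abridged, and the function names and the `LEGACY` variable are this example's own.

```shell
#!/bin/sh
# Constructed, abridged sample of ssl-enum-ciphers output (placeholder hosts).
sample_scan() {
cat <<'EOF'
Nmap scan report for legacy.example (192.0.2.10)
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|_  least strength: C

Nmap scan report for 192.0.2.20
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|_  least strength: A
EOF
}

# legacy_tls: read nmap normal output on stdin; print one line per legacy
# protocol section found: "<host> <port> <protocol> ciphers=<count>".
legacy_tls() {
    awk -v legacy="${LEGACY:-SSLv3 TLSv1.0}" '
    function emit() { if (proto != "") print host, port, proto, "ciphers=" n; proto = "" }
    BEGIN { split(legacy, l, " "); for (i in l) bad[l[i]] = 1 }
    /^Nmap scan report for / { emit(); host = $NF; gsub(/[()]/, "", host); on = 0; next }
    /^[0-9]+\/(tcp|udp) /    { emit(); port = $1; on = 0; next }
    /^[|][ _][^ ]/           { emit(); on = ($2 == "ssl-enum-ciphers:"); next }  # script header
    !on                      { next }
    /^[|][ _] +(SSLv|TLSv)[0-9.]+:[ \t]*$/ {                                     # protocol section
        emit(); p = $2; sub(/:$/, "", p)
        if (p in bad) { proto = p; n = 0 }
        next
    }
    proto != "" && $2 ~ /^(TLS|SSL)_/ { n++ }                                    # cipher line
    END { emit() }
    '
}

sample_scan | legacy_tls   # prints: 192.0.2.10 443/tcp TLSv1.0 ciphers=2
```

Against a real scan, save the results with `-oN` and run `legacy_tls < scan.txt`; an empty result means none of the listed protocols was offered.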

Detects whether a server is vulnerable to the OpenSSL Heartbleed bug

  • nmap -p 443 --script ssl-heartbleed <target>

Weak ephemeral Diffie-Hellman parameter detection for SSL/TLS services.

  • nmap --script ssl-dh-params <target>

Retrieves a server's SSL certificate

  • nmap <target> --script=ssl-cert

Detects whether a server is vulnerable to the SSL/TLS "CCS Injection" vulnerability

  • nmap <target> --script ssl-ccs-injection

Detects whether a server is vulnerable to the F5 Ticketbleed bug (CVE-2016-9244).

  • nmap <target> --script tls-ticketbleed

Enumerates a TLS server's supported protocols by using the next protocol negotiation extension.

  • nmap --script=tls-nextprotoneg <targets>

Enumerates a TLS server's supported application-layer protocols using the ALPN protocol.

  • nmap --script=tls-alpn <targets>


SSH NMAP Commands

Returns authentication methods that an SSH server supports.

  • nmap -p 22 --script ssh-auth-methods <target>

Reports the number of algorithms (for encryption, compression, etc.) that the target SSH2 server offers.
If verbosity is set, the offered algorithms are each listed by type.

  • nmap -p 22 --script ssh2-enum-algos <target>

SNMP NMAP Commands

Attempts to find an SNMP community string by brute force guessing.
The default wordlist used to brute-force the SNMP community strings is nselib/data/snmpcommunities.lst. If this wordlist does not exist, the script falls back to nselib/data/passwords.lst.

  • nmap -sU -p 161 --script=snmp-brute <target>

SMB NMAP Commands

Check the SMB version on a server to see if SMB1 is still enabled.

  • nmap -p445 --script smb-protocols <target>
  • nmap -p139 --script smb-protocols <target>
  • nmap --script smb-security-mode.nse -p445 <target>

Scan for SMB Vulnerabilities

  • nmap -p445 --script=smb-vuln-ms17-010 <target>
  • nmap -p445 --script=smb-vuln-ms10-061 <target>
  • nmap -p445 --script=smb-vuln-ms10-054 <target>
  • nmap -p445 --script=smb-vuln-ms08-067 <target>
  • nmap -p445 --script=smb-vuln-ms07-029 <target>
  • nmap -p445 --script=smb-vuln-ms06-025 <target>
  • nmap -p445 --script=smb-vuln-cve-2017-7494 <target>
  • nmap -p445 --script=smb-vuln-cve2009-3103 <target>
  • nmap -p445 --script=smb-vuln-conficker <target>
  • nmap -p445 --script=smb-vuln-webexec <target>
  • nmap -p445 --script=smb-webexec-exploit <target>
  • nmap -p445 --script=smb-vuln-regsvc-dos <target>
  • nmap -p445 --script=smb2-vuln-uptime <target>


RDP NMAP Commands

Check RDP Encryption and Vulnerabilities

  • nmap -p 3389 --script rdp-enum-encryption <target>
  • nmap -sV --script=rdp-vuln-ms12-020 -p 3389 <target>

FTP NMAP Commands

  • nmap --script=ftp-vuln-cve2010-4221 <target>


HTTP NMAP Commands

Enumerates directories used by popular web applications and servers.

  • nmap -sV --script=http-enum <target>

Performs a HEAD request for the root folder ("/") of a web server and displays the HTTP headers returned.

  • nmap -sV --script=http-headers <target>

Various HTTP Vulnerability scans

  • nmap --script http-iis-webdav-vuln -p80,8080 <target>
  • nmap -sV --script http-vuln-wnr1000-creds <target> -p80
  • nmap <target> -p 7547 --script=http-vuln-misfortune-cookie
  • nmap --script http-vuln-cve2017-8917 -p 80 <target>
  • nmap -p 16992 --script http-vuln-cve2017-5689 <target>
  • nmap -p <port> --script http-vuln-cve2017-5638 <target>
  • nmap --script http-vuln-cve2017-1001000 <target>
  • nmap -p80 --script http-vuln-cve2015-1635.nse <target>
  • nmap --script=http-vuln-cve2015-1427 --script-args command='ls' <targets>


SMTP NMAP Commands

Scan for various SMTP vulnerabilities

  • nmap --script=smtp-vuln-cve2011-1764 -pT:25,465,587 <host>
  • nmap --script=smtp-vuln-cve2011-1720 --script-args='smtp.domain=<domain>' -pT:25,465,587 <host>
  • nmap --script=smtp-vuln-cve2010-4344 --script-args="smtp-vuln-cve2010-4344.exploit" -pT:25,465,587 <host>



MSSQL Instance discovery - requires the SQL Server Browser service to be running

  • nmap --script broadcast-ms-sql-discover

MySQL NMAP Commands

MySQL Vulnerability Scan

  • nmap -p3306 --script mysql-vuln-cve2012-2122 <target>


VNC NMAP Commands

  • nmap -sV -sC <target>
  • nmap -sV --script=vnc-title <target>
  • nmap --script vnc-brute -p 5900 <host>



Detect Target Operating System

  • nmap -O <target>

Discover DHCP Servers

  • nmap --script=broadcast-dhcp-discover

Checks if a target on a local Ethernet has its network card in promiscuous mode.

  • nmap -sV --script=sniffer-detect <target>


  • nmap --script whois-domain.nse <domain>

Unusual Port Detection
Compares the detected service on a port against the expected service for that port number (e.g. ssh on 22, http on 80) and reports deviations. The script requires that a version scan has been run in order to be able to discover what service is actually running on each port.

  • nmap -sV --script unusual-port <ip>

Checks if a target is a known Tor node.

  • nmap --script=tor-consensus-checker <host>


Telnet NMAP Commands

This script enumerates information from remote Microsoft Telnet services with NTLM authentication enabled.

  • nmap -p 23 --script telnet-ntlm-info <target>

Determines whether the encryption option is supported on a remote telnet server.

  • nmap -p 23 <ip> --script telnet-encryption

General Vulnerability Scan

Download the .nse file from and place them in the nmap\scripts directory

  • nmap -Pn -sV --script=vulners <target>
  • nmap -Pn -sV -p80 --script=vulners <target>

*There are a few examples on the GitHub page

Detects whether a host is infected with the Stuxnet worm

  • nmap --script stuxnet-detect -p 445 <host>


STUN NMAP Commands

Sends a binding request to the server and attempts to extract version information from the response, if the server attribute is present.

  • nmap -sU -sV -p 3478 <target>

Retrieves the external IP address of a NAT:ed host using the STUN protocol.

  • nmap -sV -PN -sU -p 3478 --script stun-info <ip>


RPC NMAP Commands

Connects to portmapper and fetches a list of all registered programs. It then prints out a table including (for each program) the RPC program number, supported version numbers, port number and protocol, and program name.

  • nmap -sV --script rpcinfo <target>

Performs brute force password auditing against Mikrotik RouterOS devices with the API RouterOS interface enabled

  • nmap -p8728 --script mikrotik-routeros-brute <target>


LDAP NMAP Commands

Attempts to perform an LDAP search and returns all matches.
If no username and password are supplied to the script, the Nmap registry is consulted. If the ldap-brute script has been selected and it found a valid account, this account will be used. If not, anonymous bind will be used as a last attempt.

  • nmap -p 389 --script ldap-search --script-args 'ldap.username="cn=ldaptest,cn=users,dc=cqure,dc=net",ldap.password=ldaptest,ldap.qfilter=users,ldap.attrib=sAMAccountName' <host>


  • nmap -p 389 --script ldap-search --script-args 'ldap.username="cn=ldaptest,cn=users,dc=cqure,dc=net",ldap.password=ldaptest,ldap.qfilter=custom,ldap.searchattrib="operatingSystem",ldap.searchvalue="Windows *Server*",ldap.attrib={operatingSystem,whencreated,OperatingSystemServicePack}' <host>


iSCSI NMAP Commands

Collects and displays information from remote iSCSI targets.

  • nmap -sV -sC <target>



Tries to identify the physical location of an IP address using the Geoplugin geolocation web service ( There is no limit on lookups using this service.

  • nmap --script ip-geolocation-geoplugin <target>


FIREWALL Bypass NMAP Commands

Detects a vulnerability in netfilter and other firewalls that use helpers to dynamically open ports for protocols such as ftp and sip.

  • nmap --script firewall-bypass <target>
  • nmap --script firewall-bypass --script-args firewall-bypass.helper="ftp",firewall-bypass.targetport=22 <target>

SonicWALL / Ubiquiti Device NMAP Commands

SonicWALL - may only work if SonicWALL is on same subnet

  • nmap -e eth0 --script broadcast-sonicwall-discover


  • nmap -sU -p 10001 --script ubiquiti-discovery <target/subnet>



Listens for the LAN sync information broadcasts that the Dropbox client broadcasts every 20 seconds.

  • nmap --script=broadcast-dropbox-listener

Check your script directory for more discovery, vulnerability and brute scripts to see if there are other scripts that can help you identify vulnerabilities.


