Nmap is probably one of the best-known scanning tools. It is a free and open-source network scanner created by Gordon Lyon, used to scan hosts for open ports and running services. In this post you will get a good understanding of the most useful scanning commands Nmap offers. Let’s dive in 🙂
Before we start, I have to mention that to fully understand this, you need some basics about networking, TCP/IP and the OSI model. I’m going to be using Kali Linux against a Metasploitable target virtual machine.
Obviously, before using Nmap, you have to install it first.
yum install nmap
apt-get install nmap
sudo apt-get install nmap
For Windows, just go to the website, download the installer and install it like any other Windows software.
The most basic command is the straightforward one: just write nmap followed by the IP address you want to scan.
Using the command above performs a ping scan to discover live hosts in that range, which we do to map the network.
nmap -Pn 10.0.2.5
This is the exact opposite of a ping scan: the host is scanned without sending ping packets first, which is useful against hosts that do not respond to ping.
The table below summarises the flags that control which host discovery probes are sent.
Flag   Probe
-Pn    No host discovery
-PS    TCP SYN request
-PA    TCP ACK request
-PE    ICMP echo request
The -n flag skips DNS resolution. We use it as follows:
nmap -n 10.0.2.5
TCP SYN scan
The SYN scan is Nmap's default and most used scan. It is fast, scanning thousands of ports quickly, and stealthy because it never completes a TCP connection. It also gives a clear separation between open, closed and filtered states.
nmap -sS 10.0.2.5
TCP connect scan
As described on the official Nmap website, the TCP connect scan, selected with the -sT flag, is the default TCP scan when a SYN scan is not an option. It completes connections the same way ordinary applications such as web browsers and P2P clients do.
nmap -sT 10.0.2.5
TCP scan table
To summarise, the table below lists all the TCP scan types.
Flag   Scan type
-sS    TCP SYN scan
-sT    TCP connect scan
-sN    TCP NULL scan
-sF    TCP FIN scan
-sX    TCP Xmas scan
-sA    TCP ACK scan
-sW    TCP window scan
-sM    TCP Maimon scan
To scan UDP ports and services, use the command below:
nmap -sU 10.0.2.5
We can combine several scan types and options in one command, for example a UDP scan together with a TCP SYN scan:
nmap -sU -sS 10.0.2.5
Scan for the 100 top known ports
nmap -F 10.0.2.5
The -F flag is very quick and useful when only the most common ports matter.
Customised scan for some ports
We can use the -p flag to scan specific ports:
nmap -p 80 10.0.2.5
Or, more directly, using the service name instead of the port number:
nmap -p http,https 10.0.2.5
nmap -p- 10.0.2.5
The -p- flag scans every port on the target.
Nmap timing templates
Be careful when choosing a timing template: some take forever to finish, while others are so fast that the results become imprecise.
Operating system detection
We can use Nmap to detect the operating system with the -O flag:
nmap -O 10.0.2.5
Service version detection
Nmap can also detect service versions, provided the service does not hide them, as follows:
nmap -sV 10.0.2.5
Version detection is very important when searching for vulnerabilities.
The -A flag is a scanning shortcut that activates several popular options:
- Remote OS detection
- Service and version detection
- Traceroute to the target
- Nmap Scripting Engine (NSE) – allows customised
To combine it with a timing template, for example:
nmap -A -T4 10.0.2.5
Output the scan
Flag   Output format
-oN    Human-readable text file
-oX    Machine-readable XML file
-oG    Grepable text file
Saving the output in the appropriate format matters, since the results can then be used to automate scanning and to feed other tools.
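As an added example (not from the original post), here is a small Python parser for the grepable -oG format, showing how saved output can feed other tooling: it extracts open ports per host and flags open ports for which -sV returned no version. The sample output is constructed for the example, not captured from a real scan.

```python
from collections import defaultdict

# Constructed sample of `nmap -sV -oG -` output; not a capture from a real scan.
SAMPLE_GREPABLE = (
    "# Nmap 7.94 scan initiated Mon Jan  1 12:00:00 2024 as: nmap -sV -oG - 10.0.2.5\n"
    "Host: 10.0.2.5 ()\tStatus: Up\n"
    "Host: 10.0.2.5 ()\tPorts: 21/open/tcp//ftp//ExampleFTPd 1.0/, "
    "22/open/tcp//ssh//ExampleSSH 2.0 (protocol 2.0)/, "
    "80/open/tcp//http///, 443/closed/tcp//https///"
    "\tIgnored State: filtered (996)\n"
    "# Nmap done at Mon Jan  1 12:00:10 2024 -- 1 IP address (1 host up) "
    "scanned in 10.00 seconds\n"
)


def parse_grepable(text):
    """Return {host: [record, ...]}, one record dict per listed port."""
    hosts = defaultdict(list)
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # '#' comment and summary lines carry no port data
        # A Host line is tab-separated into 'Key: value' fields
        fields = dict(f.split(": ", 1) for f in line.split("\t"))
        host = fields["Host"].split()[0]  # drop the '(hostname)' part
        if "Ports" not in fields:
            continue  # 'Status: Up' lines have no Ports field
        for entry in fields["Ports"].split(", "):
            # Entry format: port/state/proto/owner/service/rpc/version/
            # maxsplit keeps any '/' inside the version text intact
            port, state, proto, _owner, service, _rpc, version = entry.split("/", 6)
            hosts[host].append({
                "port": int(port), "state": state, "proto": proto,
                "service": service, "version": version.rstrip("/"),
            })
    return dict(hosts)


def open_ports(records):
    """(port, proto, service, version) for every record in the 'open' state."""
    return [(r["port"], r["proto"], r["service"], r["version"])
            for r in records if r["state"] == "open"]


def unversioned_open(records):
    """Open ports where -sV returned no version string (candidates for a rescan)."""
    return [r["port"] for r in records if r["state"] == "open" and not r["version"]]


if __name__ == "__main__":
    for host, recs in parse_grepable(SAMPLE_GREPABLE).items():
        print(host, open_ports(recs), "no version:", unversioned_open(recs))
```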
Verbose mode is very useful when a scan will take a while: it tells us what Nmap is doing and what percentage of the scan is complete. For example, combined with the -T2 timing template:
nmap -A -T2 -v 10.0.2.5