How To Use Nmap: A Beginner’s Guide

Nmap is an open-source network mapping tool developed by Gordon Lyon. It is widely used as a port scanner and a host discovery tool by network administrators and hackers worldwide.

The reason for its popularity is that a small set of options, combined in specifically crafted commands, lets you run effective and powerful scans.

But even if you are not familiar with Nmap, you can still use it by executing simple commands. These will allow you to get a few good scan results. However, if you want your scans to be more accurate, then you need to learn more about Nmap and how to use it correctly.

This is precisely what this post aims to do. In it, I tried to share with you the different ways to use Nmap.

To fully understand the content of this post, you need to have a basic understanding of computer networks. You don’t need to be an expert, but you should at least understand the basic concepts like IP addresses, subnets, and TCP.

With that being said, let’s go ahead and start.

What You’ll Need

If you have a pen-testing Linux distribution like Kali or Parrot, then Nmap should already be installed with your OS.

For non-Linux users, you can download Nmap here, although I recommend that you switch to Linux if you want to take advantage of all the Linux-based hacking tools.

During this post, we will be performing some of our tests on scanme.nmap.org. This is a test machine maintained by Nmap to help users learn and test their commands legally. You should make sure to not overwhelm this address with scans and only use it a few times a day. Alternatively, you can perform scans on your local network, provided, of course, that you have the proper rights to do so.

The Most Basic Command

Here is the syntax for all Nmap commands:

nmap [options] target

The target can be a domain name, an IP address, a range of IP addresses, or a combination of all these elements.

If you don’t specify options, then Nmap will perform a default port scan of the target.

(Screenshot: Nmap - Default Scan)

As you can see, we have obtained some interesting information from the target host by using this simple command:

  • Nmap does a DNS resolution and provides the IP address of the target.
  • We know that the host is up.
  • We have a list of all open ports and their corresponding service.

Not bad for a default scan, don’t you think?

Host Discovery

Suppose you had to scan the network associated with the IP address 192.168.1.1/24 and only three machines are available. It wouldn’t make sense to test for open ports on every IP address in that range.

This is where host discovery can be useful. It helps you focus your scanning efforts and, instead of 255 addresses, you will only scan the three addresses belonging to the available machines.

To perform host discovery, simply add the -sn option.

In the following test, I used Nmap to scan for available hosts in my local network.

By providing 192.168.1.0-255 as the target, Nmap will scan all addresses ranging from 192.168.1.0 to 192.168.1.255.

(Screenshot: Nmap - Host Discovery)

As shown in this output, Nmap detected 5 hosts that are connected to my network.

This type of scan is also called a ping sweep.

Port Scanning

Nmap offers several port scanning techniques because firewall rules on the target host can deny certain types of packets used in port scanning. As a result, in some cases only one technique will detect the open ports, while all the others fail.

It is, therefore, important to have various types of scanning techniques that you can choose from and apply depending on the case.

By default, Nmap scans 1000 ports. If you want to specify the exact ports to test, use the -p option followed by a port number, a comma-separated list of ports, or a range of ports separated by a hyphen.

(Screenshot: Port Specification)

In this example, by using the -p option, the command limits the scan to ports 21, 22, 23, 53, 80, and 443.
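Being able to expand Nmap's target and port notation programmatically is handy, for example to see how many addresses and ports a command line would touch before running it. The following Python is an added example, not code from the original post or from the Nmap project; it covers the CIDR and per-octet range forms used above, plus the comma lists and hyphenated ranges accepted by -p.

```python
import ipaddress
from typing import List


def parse_port_spec(spec: str) -> List[int]:
    """Expand an Nmap -p argument such as "21,22,23,53,80,443" or "1-1024,8080"."""
    ports = set()
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        lo_s, _, hi_s = item.partition("-")
        lo, hi = int(lo_s), int(hi_s or lo_s)
        if not 0 <= lo <= hi <= 65535:  # also rejects reversed ranges like "80-21"
            raise ValueError(f"invalid port range: {item!r}")
        ports.update(range(lo, hi + 1))
    return sorted(ports)  # de-duplicated, in ascending order


def expand_target(target: str) -> List[str]:
    """Expand one Nmap target into the IPv4 addresses it covers.

    Handles a plain address, CIDR ("192.168.1.0/24") and Nmap's per-octet
    range notation ("192.168.1.0-255"); hostnames are returned unchanged.
    """
    if "/" in target:
        return [str(a) for a in ipaddress.ip_network(target, strict=False)]
    octets = target.split(".")
    if len(octets) != 4 or not all(o.replace("-", "", 1).isdigit() for o in octets):
        return [target]  # hostname: resolving it is Nmap's job, not ours
    choices = []
    for octet in octets:
        lo_s, _, hi_s = octet.partition("-")
        lo, hi = int(lo_s), int(hi_s or lo_s)
        if not 0 <= lo <= hi <= 255:
            raise ValueError(f"invalid octet range: {octet!r}")
        choices.append(range(lo, hi + 1))
    return [f"{a}.{b}.{c}.{d}" for a in choices[0] for b in choices[1]
            for c in choices[2] for d in choices[3]]
```

Note that a CIDR mask on a hostname (host/24) is left to Nmap and raises ValueError here.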

Please note that you would need to have privileged access to perform most of the following scans. If you are on Linux, you would need to run these commands as root, and if you are on Windows, make sure that you run Nmap as an administrator.

TCP SYN Scan

In a TCP SYN scan, the testing host does not complete the three-way handshake. Once it receives the reply from the target host, it closes the connection before it is established. By doing so, the target machine has a lower chance of detecting the scan, which is why this technique is also known as a Stealth Scan.

To perform a TCP SYN Scan, you can use the -sS option.

(Screenshot: TCP SYN Scan)

As you can tell from the hash sign (#) in the command prompt, I switched to the superuser before running the command.

Notice that some ports are shown as filtered. This means that filtering software or a filtering device (like a firewall) is blocking packets from reaching those ports.

TCP Connect Scan

Unlike the other scanning techniques, this technique does not require privileged access, so it can be useful when the user doesn’t have root access on the testing machine.

To perform a TCP Connect Scan, you can simply use the -sT option.

(Screenshot: TCP Connect Scan)

UDP Scan

Since UDP does not use a three-way handshake, a packet sent to an open port will not be acknowledged. However, when you send a UDP packet to a closed port, the target host sends back an ICMP port unreachable packet. Using this behaviour, Nmap can determine whether a port is open or not.

To perform a UDP scan, you can use the -sU option.

(Screenshot: UDP Scan)

TCP Flag Scan

You can determine which ports are open by sending packets that do not contain the SYN, RST, or ACK flags, but instead contain a combination of the other flags (FIN, URG, and PSH) or no flag at all (NULL).

To perform this scanning technique, Nmap offers three options:

-sN : NULL (All flag bits are equal to 0)

(Screenshot: TCP Null Scan)

-sF : FIN (Only the FIN bit is set to 1)

(Screenshot: TCP FIN Scan)

-sX : Xmas (URG, PSH and FIN bits are all set to 1)

(Screenshot: TCP Xmas Scan)

OS Identification

To activate OS detection, you can use the -O option.

(Screenshot: OS Detection)

One other useful feature is version detection, which you can enable using the -sV option.

(Screenshot: Version Detection)

Output

If you add the -oN option followed by a file name, the output will be saved to that file.

(Screenshot: Normal output to a file)

The above command generates the following file:

(Screenshot: Resulting file)

Although this is a good format for humans to read, it isn’t as easy for scripts to understand if you ever decide to send the output to another tool.

For this reason, Nmap also supports XML, which can be easily parsed by another program.

If you want to retrieve an XML file as an output, you can use the option -oX.

(Screenshot: Output to an XML file)

And here is the generated XML file:

(Screenshot: Generated XML file)

You should now have a basic understanding of Nmap and how you can use it. You can perform your own scans and experiment by combining the options that you’ve learned here.

Of course, Nmap supports other options that we didn’t cover in this post. In fact, we’ve only scratched the surface here.

For further reading, you can refer to the official Nmap reference guide, and if you ever need help while typing a command, just type in the following command: nmap --help.

Originally published at https://patchthenet.com on January 19, 2021.

A cybersecurity enthusiast, and founder @ Patchthenet.com
