Nmap Tutorial Basics


This is a neat and concise video by HackerSploit, who makes a bunch of great videos. If you watch it you’ll understand the basics of using Nmap; it’s a superb video for beginners to check out.

What Is Nmap?

Nmap is traditionally described as being a Port Scanner Tool.

Another way to describe Nmap is as an extremely popular hacker tool used for footprinting and, especially, for reconnaissance. And, as we all know, reconnaissance is considered one of the most important aspects of any Penetration Test.

The tool is at its best when you need to gather information about a specific target host or IP address that you’re interested in.

The tool is available on almost every platform imaginable, and of course, if you download and install a copy of Kali Linux, Parrot, Backbox or similar then Nmap ships with those Linux Distros.

Popular & Useful Nmap Commands

In this post we’ll list out some highly useful Nmap commands that will help you out when you perform your Penetration Test or Security Audit.

  1. How To Launch A Basic Nmap Scan Against A Single IP, Host Or Target
  2. How To Scan Specific Ports Or Scan Entire Port Ranges On A Local Or Remote Server
  3. How To Scan Multiple IP Addresses
  4. How To Scan A Set Of IP Ranges
  5. How To Scan The Most Popular And Well-known Ports
  6. How To Scan Hosts And IP Addresses Reading From A Text File
  7. How To Save Your Nmap Scan Results To A Text File
  8. How To Disable DNS Name Resolution
  9. How To Scan For Operating Systems
  10. Detect Service/Daemon Versions
  11. Scan Using TCP or UDP Protocols
  12. How To Execute CVE Detection Using Nmap
  13. How To Launch a DoS With Nmap
  14. How To Launch a Brute Force Attack Using Nmap
  15. How To Detect Malware Infections On Remote Hosts
  16. Combining Nikto Scan and Nmap

1. How To Launch A Basic Nmap Scan Against A Single IP, Host Or Target

Fire up Nmap by simply typing its name on its own (with no arguments it just prints a usage summary):

nmap

Then, and this is ultra-mega easy, just type in the IP address of your target!

nmap 1.1.1.1

You can also scan a specific hostname, just replace the IP for the hostname like this:

nmap hostname.com

If you’re just getting started with your PenTest or Security Audit then this type of initial scan could be appropriate, but proceed with caution: it is fairly noisy, and any reasonably configured firewall or intrusion detection system will flag this behaviour almost instantly and block you.

2. How To Scan Specific Ports Or Entire Port Ranges On A Server

nmap -p 1-65535 servername

The command above uses the -p flag (lowercase), which tells Nmap which ports to scan (hence the “p”, simple stuff really!).

The range ends at 65535 because that is the highest port number there is; 1-65535 covers every TCP or UDP port a host can expose.

With the command above, Nmap will patiently scan every possible port, but that may be unnecessary; perhaps you only want to scan specific ports. To do that, run:

nmap -p 80,443 8.8.8.8

This checks the two ports used for serving web pages to the public: plain HTTP on port 80, and HTTPS (HTTP over SSL/TLS) on port 443.

For other basic Protocols like that, I have a resource here that might be of use.

3. How To Scan Multiple IP Addresses Using Nmap

Good question! If your client has a bunch of hosts on the same subnet to scan, you just append the extra final octets to the address as a comma-separated list. Note that no -p flag is used here: the comma list is a host specification, not a port list.

Of course, replace the “X”s with real digits; I used them only to highlight the appended “2,3,4” that adds the extra IP addresses.

nmap X.X.X.X,2,3,4

This will scan X.X.X.X, X.X.X.2, X.X.X.3 and X.X.X.4.

4. How To Scan IP ranges

What about scanning an entire IP range? Great question! Do that by appending the CIDR suffix to the address, for example /28 for a block of 16 addresses:

nmap X.X.X.X/28

Of course, replace the X’s with real digits.
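Before scanning, it is worth seeing exactly which addresses the comma-list and CIDR target forms from sections 3 and 4 expand to, so the scope can be checked against what the client actually authorised. The POSIX shell helper below is an added example, not part of Nmap or of the original post; the function names (ip_to_int, int_to_ip, expand_cidr, expand_octet_list) are my own, and the sample targets are constructed private addresses.

```shell
#!/bin/sh
# Added example: expand Nmap-style target specs into individual addresses.
# Helper names are assumed, not Nmap's own. Sample targets are constructed
# RFC 1918 addresses.

ip_to_int() {
    # "a.b.c.d" -> 32-bit integer
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

int_to_ip() {
    # 32-bit integer -> "a.b.c.d"
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

expand_cidr() {
    # "192.168.1.20/28" -> every address in that block, one per line,
    # starting at the network address even when the given host is mid-block
    # (which is what Nmap does with a CIDR target too).
    ip=${1%/*}
    bits=${1#*/}
    base=$(ip_to_int "$ip")
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    net=$(( base & mask ))
    count=$(( 1 << (32 - bits) ))
    i=0
    while [ "$i" -lt "$count" ]; do
        int_to_ip $(( net + i ))
        i=$(( i + 1 ))
    done
}

expand_octet_list() {
    # "192.168.1.1,2,3" -> 192.168.1.1 192.168.1.2 192.168.1.3
    # (the last-octet comma shorthand shown in section 3)
    prefix=${1%.*}     # 192.168.1
    octets=${1##*.}    # 1,2,3
    old_ifs=$IFS
    IFS=,
    for o in $octets; do
        echo "$prefix.$o"
    done
    IFS=$old_ifs
}

# Usage: print the scope, then count it
expand_octet_list 192.168.1.1,2,3
expand_cidr 192.168.1.20/28
echo "hosts in 192.168.1.20/28: $(expand_cidr 192.168.1.20/28 | wc -l)"
```

Note that a /28 always yields 16 addresses, including the network and broadcast addresses; Nmap scans those too unless you exclude them, which is one reason the expanded list is worth eyeballing before a scan of a client subnet.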

5. How To Scan The Most Popular Ports

Just run the following command to hit the “most popular” and most commonly open ports on a network:

nmap --top-ports 30 192.168.1.106

Replace “30” with the number of ports that you want to scan.

Commonly scanned Nmap ports, and the services usually listening on them, include the following:

PORT SERVICE
21/tcp ftp
22/tcp ssh
23/tcp telnet
25/tcp smtp
53/tcp domain
80/tcp http
110/tcp pop3
111/tcp rpcbind
135/tcp msrpc
139/tcp netbios-ssn
143/tcp imap
443/tcp https
445/tcp microsoft-ds
993/tcp imaps
995/tcp pop3s
1723/tcp pptp
3306/tcp mysql
3389/tcp ms-wbt-server
5900/tcp vnc
8080/tcp http-proxy

6. How To Scan Hosts And IP Addresses Reading From A Text File

You might have a list of IPs, domains or DNS names to scan. No worries, this is what you’d do:

nmap -iL mylist.txt

Place all references in a simple text file like this:

192.168.1.110
cloudflare.com
concise-courses.com

7. How To Save Your Nmap Scan Results To A File

If you’re on a Pentest you’ll want to save your results, and perhaps use them for later viewing or perhaps even insert them into another tool like Metasploit.

Here’s how you’d do that:

nmap -oN outputdata.txt concise-courses.com

And, to get XML output instead, use the -oX flag (with a matching .xml extension):

nmap -oX outputdata.xml concise-courses.com

8. How To Disable DNS Name Resolution

To speed up your Nmap scan (they can take quite a long time) just add the -n flag, which disables reverse-DNS resolution of the targets.

nmap -p 80 -n 8.8.8.8

On the subject of speed, adding -T4 changes the timing template of the scan. The templates run from -T0 (slowest) to -T5 (fastest), so -T5 would be rapid. This matters because a fast, rapid scan will trigger firewalls and Intrusion Detection Systems.
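The warnings in sections 1 and 8 that a noisy or rapid scan gets flagged are worth seeing from the defender’s side. The shell function below is an added example (not from the post, and not an Nmap feature) that reads firewall drop records and flags any source that probed an unusually large number of distinct destination ports, which is the fan-out pattern a port scan produces. The log lines are constructed in the style of Linux iptables logging, with documentation addresses; the function name flag_port_scanners and the threshold are my own choices.

```shell
#!/bin/sh
# Added example: flag sources whose distinct-destination-port fan-out looks like
# a port scan, using constructed iptables-style log lines. Function name and log
# sample are assumed; nothing here comes from the post or from Nmap.

SAMPLE_LOG=$(cat <<'EOF'
Mar  3 10:01:02 gw kernel: [FW-DROP] IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=44321 DPT=21
Mar  3 10:01:02 gw kernel: [FW-DROP] IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=44322 DPT=22
Mar  3 10:01:02 gw kernel: [FW-DROP] IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=44323 DPT=23
Mar  3 10:01:03 gw kernel: [FW-DROP] IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=44324 DPT=25
Mar  3 10:01:03 gw kernel: [FW-DROP] IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=44325 DPT=53
Mar  3 10:01:03 gw kernel: [FW-DROP] IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=44326 DPT=22
Mar  3 10:01:04 gw kernel: [FW-DROP] IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=44327 DPT=80
Mar  3 10:01:04 gw kernel: [FW-DROP] IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=44328 DPT=443
Mar  3 10:01:04 gw kernel: [FW-DROP] IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=44329 DPT=3389
Mar  3 10:01:05 gw kernel: [FW-DROP] IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=80
Mar  3 10:01:06 gw kernel: [FW-DROP] IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP SPT=51001 DPT=443
EOF
)

flag_port_scanners() {
    # $1 = minimum number of distinct destination ports from one source to flag.
    # Reads log lines on stdin; prints "SRC count" for every source at or over
    # the threshold. Repeated hits on the same port count once.
    awk -v min="$1" '
        {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (src != "" && dpt != "" && !seen[src, dpt]++) ports[src]++
        }
        END { for (s in ports) if (ports[s] >= min) print s, ports[s] }
    ' | sort
}

# Usage: the single source that hit eight different ports is flagged,
# the one that only touched 80 and 443 is not
printf '%s\n' "$SAMPLE_LOG" | flag_port_scanners 5
```

This counts over the whole input, whereas a real IDS counts within a sliding time window. That difference is exactly why a slower timing template is quieter: it spreads the probes so that fewer land inside any one window. The defender’s counter is to lengthen the window or to keep a cumulative per-source fan-out, which a slow scan cannot stay under.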

9. How To Scan For Operating Systems

Simply use the “-A” flag and you’ll be good to go. -A is Nmap’s aggressive mode, which turns on OS detection together with version detection, default scripts and traceroute (if you only want the OS guess, -O does that on its own). For example:

nmap -A -T4 192.168.1.102

10. How To Detect Service/Daemon Versions

This can be done by using the -sV flag, as such:

nmap -sV 192.168.1.24

11. How To Scan Using TCP or UDP Protocols

Nmap, like other network scanners, can run scans against a variety of transport protocols such as TCP and UDP. What’s the difference? It’s all in the handshakes. TCP is the “bread and butter” of the TCP/IP protocol suite: it is connection-oriented, opens with a three-way handshake, and carries the vast majority of traffic on the Internet, including basically anything text-based.

TCP is very strict. UDP is not: it is connectionless and makes no delivery guarantees. Video streaming services use UDP because if the video (data) is slightly delayed or a packet goes missing, that’s just buffering, and the user experience expects this. The user would never accept a half-baked, partially received email.

Here’s a TCP Nmap command:

nmap -sT 192.168.1.1

And, here’s a UDP Nmap command:

nmap -sU 192.168.1.1

12. How To Execute a CVE Detection Using Nmap

Nmap has its own scripts, run by the “Nmap Scripting Engine” (NSE), which have the extension .nse.

So, to check for known CVEs in your scan, you’d run the scripts in the vuln category. The -Pn flag skips host discovery (the host is treated as up even if it doesn’t answer pings), and --script vuln is what actually selects the vulnerability-check scripts:

nmap -Pn --script vuln 192.168.1.112

13. How To Launch a DoS Attack with Nmap

Of course, you’d only use this to test your own or your client’s network as a “stress test” to see how their services respond to DoS attacks.

Again, we’d deploy NSE for this command and run a command like this:

nmap 192.168.1.110 --max-parallelism 700 -Pn --script http-name-of-known-hack --script-args http-name-of-known-hack.runforever=true

14. How To Launch Brute Force Attacks Using Nmap

Ah, the never-ending fascination of Brute Force. I’ve covered this before with regards to THC Hydra, but essentially, say you were trying to hack WordPress, then you’d fire up something like this:

nmap -sV --script http-wordpress-brute --script-args 'userdb=users.txt,passdb=passwds.txt,http-wordpress-brute.hostname=domain.com,http-wordpress-brute.threads=3,brute.firstonly=true' 192.168.1.105

And for the venerable FTP:

nmap --script ftp-brute -p 21 192.168.1.112

Of course, as we all know from the early days, port 21 runs the FTP service, hence the -p flag (for the port) and 21 for the port number.

15. How To Detect Malware Infections on Remote Hosts

I must say, I didn’t know about this when I was researching and updating this post: Nmap can detect malware. Pretty cool stuff.

I’d recommend using the Google Malware check script, which you can combine with Nmap like this (the script runs against an HTTP port, so scan port 80 rather than an unrelated one):

nmap -p80 --script http-google-malware clientinfectedsitexyz.com

16. Combining Nmap and Nikto

We’ve covered Nikto here, but here’s a command that you can use alongside Nmap:

nmap -p80 10.0.1.0/24 -oG - | nikto.pl -h -
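The pipe above works because -oG produces Nmap’s grepable output (the third format alongside the -oN and -oX options from section 7), which Nikto reads on stdin to pick its targets. To show what that stream carries and how any downstream tool can pull hosts with a given port open out of it, here is an added shell example that is not part of the post, Nmap or Nikto. The sample text is constructed to match the -oG layout for a scan like the one above; the addresses and host name are fictional, and the function name open_hosts_for_port is my own.

```shell
#!/bin/sh
# Added example: extract hosts with a given port open from Nmap grepable (-oG)
# output. Sample below is constructed in the -oG layout; hosts are fictional.

SAMPLE_GNMAP=$(cat <<'EOF'
# Nmap scan initiated (constructed sample) as: nmap -p22,80 10.0.1.0/24 -oG -
Host: 10.0.1.5 ()    Status: Up
Host: 10.0.1.5 ()    Ports: 80/open/tcp//http///    Ignored State: closed (1)
Host: 10.0.1.9 ()    Status: Up
Host: 10.0.1.9 ()    Ports: 22/closed/tcp//ssh///, 80/closed/tcp//http///
Host: 10.0.1.12 (web.lab.internal)    Status: Up
Host: 10.0.1.12 (web.lab.internal)    Ports: 22/open/tcp//ssh///, 80/open/tcp//http///
# Nmap done (constructed sample): 256 IP addresses (3 hosts up)
EOF
)

open_hosts_for_port() {
    # $1 = port number. Reads -oG text on stdin and prints "host port/proto service"
    # for every host where that port is reported open. Status-only lines and the
    # leading/trailing comment lines are ignored.
    awk -v want="$1" '
        /^Host:/ && /Ports:/ {
            host = $2
            plist = substr($0, index($0, "Ports: ") + 7)
            sub(/[ \t]+Ignored State.*$/, "", plist)
            n = split(plist, entries, /, */)
            for (i = 1; i <= n; i++) {
                # each entry is port/state/proto/owner/service/rpcinfo/version
                split(entries[i], f, "/")
                if (f[1] == want && f[2] == "open") print host, f[1] "/" f[3], f[5]
            }
        }
    '
}

# Usage: the hosts a web scanner such as Nikto would actually need to visit
printf '%s\n' "$SAMPLE_GNMAP" | open_hosts_for_port 80
```

The same parser is handy on the defence side: run it over a scheduled -oG scan of your own ranges and diff the output day to day, and any newly exposed service shows up as a new line.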

In Summary

Nmap rightfully has had a coveted spot in my Hacker Tools List every year and remains firmly there in 2020.

If you understand Nmap then you’ll be in a good place. If you’re studying to pass your CISSP, OSCP or CEH then learning Nmap is a must if you’d like a career in Cybersecurity.

It’s also worth mentioning that there is a GUI version called Zenmap.

As ever, if you want concrete results you should always combine the results of several port scanning and penetration testing tools to get a solid and (virtually) indisputable result, especially when presenting it to your client.

Henry, "HMFIC"

I'm Henry, the guy behind this site. I fancy myself as a bit of a Cyber Expert Specialist and I've been Growth Hacking since 2002, yep, that long...
