NMAP Full
Nmap Guide
Nmap (Network Mapper) is an open-source utility for network discovery and security auditing. It's considered the de facto standard for network scanning and is an essential tool in any security professional's toolkit.
Core Functionality
Nmap can:
Discover hosts on a network
Identify open ports on target systems
Determine services running on those ports
Detect operating systems
Probe for vulnerabilities using specialized scripts
Map network topologies
Basic Syntax
The general syntax for Nmap is:
nmap [scan type] [options] [target specification]Scan Types
Host Discovery
# Ping scan (no port scan)
nmap -sn 10.129.2.0/24
# List scan (no ping)
nmap -sL 10.129.2.0/24
# ARP scan (local network)
nmap -PR 10.129.2.0/24
# No ping scan (skip host discovery)
nmap -Pn 10.129.2.0/24Port Scanning Techniques
# SYN scan (default)
nmap -sS 10.129.2.28
# TCP connect scan
nmap -sT 10.129.2.28
# UDP scan
nmap -sU 10.129.2.28
# FIN scan
nmap -sF 10.129.2.28
# NULL scan
nmap -sN 10.129.2.28
# XMAS scan
nmap -sX 10.129.2.28
# ACK scan
nmap -sA 10.129.2.28Service and Version Detection
# Basic service detection
nmap -sV 10.129.2.28
# Intensity level 0-9 (0 is light, 9 is all probes)
nmap -sV --version-intensity 7 10.129.2.28
# Lighter/faster detection
nmap -sV --version-light 10.129.2.28
# Most intensive detection
nmap -sV --version-all 10.129.2.28OS Detection
# Basic OS detection
nmap -O 10.129.2.28
# More aggressive OS detection
nmap -O --osscan-guess 10.129.2.28Timing and Performance
# Timing templates (0-5)
nmap -T0 10.129.2.28 # Paranoid - Very slow
nmap -T1 10.129.2.28 # Sneaky
nmap -T2 10.129.2.28 # Polite
nmap -T3 10.129.2.28 # Normal (default)
nmap -T4 10.129.2.28 # Aggressive
nmap -T5 10.129.2.28 # Insane - Very fast
# Custom timing options
nmap --min-rate 1000 --max-retries 1 10.129.2.28Output Options
# Normal output to file
nmap 10.129.2.28 -oN scan.txt
# XML output
nmap 10.129.2.28 -oX scan.xml
# Grepable output
nmap 10.129.2.28 -oG scan.grep
# All formats
nmap 10.129.2.28 -oA scans
# Verbose output
nmap -v 10.129.2.28
# Very verbose output
nmap -vv 10.129.2.28Port Selection
# Specific port
nmap -p 80 10.129.2.28
# Multiple ports
nmap -p 22,80,443 10.129.2.28
# Port range
nmap -p 1-1000 10.129.2.28
# All ports
nmap -p- 10.129.2.28
# Top ports
nmap --top-ports 100 10.129.2.28
# Fast mode (top 100 ports)
nmap -F 10.129.2.28NSE (Nmap Scripting Engine)
# Default scripts
nmap -sC 10.129.2.28
# Specific script
nmap --script=http-title 10.129.2.28
# Multiple scripts
nmap --script=http-title,http-headers 10.129.2.28
# Script categories
nmap --script=vuln 10.129.2.28
# Script with arguments
nmap --script=http-brute --script-args userdb=users.txt,passdb=passwords.txt 10.129.2.28Common Script Categories
default: Default scripts run with-sCdiscovery: Information gathering scriptssafe: Non-intrusive scriptsvuln: Vulnerability detectionexploit: Exploitation scripts (use with caution)auth: Authentication related scriptsbrute: Brute force scriptsdos: Denial of Service scripts (use with explicit permission only)
Advanced Features
Firewall Evasion
# Fragment packets
nmap -f 10.129.2.28
# Specify MTU
nmap --mtu 8 10.129.2.28
# Decoy scans
nmap -D RND:5 10.129.2.28
# Source port manipulation
nmap --source-port 53 10.129.2.28
# Append random data
nmap --data-length 200 10.129.2.28Advanced Host Discovery
# Custom TCP SYN ping
nmap -PS22,80,443 10.129.2.0/24
# TCP ACK ping
nmap -PA80,443 10.129.2.0/24
# UDP ping
nmap -PU53,161 10.129.2.0/24
# ICMP echo ping
nmap -PE 10.129.2.0/24
# ICMP timestamp ping
nmap -PP 10.129.2.0/24
# ICMP address mask ping
nmap -PM 10.129.2.0/24Custom Packet Parameters
# Custom TCP flags
nmap --scanflags URGACKPSHRSTSYNFIN 10.129.2.28
# Custom TTL
nmap --ttl 127 10.129.2.28
# Spoof MAC address
nmap --spoof-mac Dell 10.129.2.28Practical Examples
Quick Network Sweep
nmap -sn 10.129.2.0/24 --disable-arp-ping -oA network_sweepComprehensive Single Host Scan
nmap -sS -sV -sC -O -p- --min-rate 1000 10.129.2.28 -oA full_scanVulnerability Assessment
nmap -sV --script vuln 10.129.2.28 -oA vuln_scanLow and Slow Scan (Evasion)
nmap -sS -T1 -f --data-length 200 --randomize-hosts 10.129.2.0/24 -oA stealth_scanWeb Server Scan
nmap -sV -p 80,443 --script "http-* and not http-brute" 10.129.2.28 -oA web_scanService-Specific Scans
SMB/Windows
nmap -p 139,445 --script "smb-*" 10.129.2.28 -oA smb_scanFTP
nmap -p 21 --script "ftp-*" 10.129.2.28 -oA ftp_scanSSH
nmap -p 22 --script "ssh-*" 10.129.2.28 -oA ssh_scanInterpreting Nmap Results
Port States
open: Port is actively accepting connectionsclosed: Port is accessible but no application is listeningfiltered: Firewall/filter is blocking access (no response)unfiltered: Port is accessible but state can't be determinedopen|filtered: Can't determine if port is open or filteredclosed|filtered: Can't determine if port is closed or filtered
Service Detection
Nmap identifies services with varying confidence levels:
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.4 (Ubuntu Linux; protocol 2.0)Service name:
sshSoftware:
OpenSSHVersion:
8.2p1Additional info:
Ubuntu 4ubuntu0.4
Nmap Optimization Tips
Target wisely: Limit scope to necessary hosts and ports
Use proper timing: Start with moderate timing (-T3 or -T4) and adjust as needed
Be output-conscious: Select appropriate output formats for your use case
Optimize host discovery: Use appropriate discovery methods for your network
Leverage parallel scanning: Multiple hosts can be scanned simultaneously
Consider network conditions: Adjust timing for high-latency links
Ethical Considerations
Always obtain proper permission before scanning
Consider the potential impact on production systems
Avoid aggressive scanning of critical infrastructure
Document your activities
Follow responsible disclosure for any findings
Nmap is a powerful tool that forms the foundation of most network security assessments. Understanding its capabilities and options allows security professionals to efficiently map networks, identify services, and discover potential vulnerabilities while minimizing impact on target systems.
Last updated