Nmap Tutorial For Beginners [ Basics to Advanced ]

Nmap (Network Mapper) has emerged as one of the most popular free network discovery tools and is widely used by network managers to map their networks. The application can be used to locate live hosts on a network and to perform port scanning, ping sweeps, OS detection, and version detection, among other things.

A number of recent hacks have highlighted the importance of network auditing tools like Nmap. The recent Capital One hack, for example, might have been noticed sooner if system administrators had been monitoring connected devices, according to analysts. We’ll look at what Nmap is, what it can do, and how to use the most frequent commands in this article.

In this article, I am going to show you how to use Nmap with a full tutorial. Many new users install Nmap, but they have little knowledge about how to utilize it. Before we begin, we must first understand what Nmap is and what it is used for. So, without further ado, let’s get this party started.

What is Nmap?

Nmap is short for Network Mapper. It is an open-source network exploration and security auditing tool. It was built to scan vast networks quickly, but it also works well against single targets.
Nmap analyzes raw IP packets in novel ways to figure out which hosts are on the network, what services they offer (application name and version), what operating systems (and OS versions) they run, what types of packet filters/firewalls they employ, and a slew of other details.
Nmap is available for Windows, Linux, Mac OS X, FreeBSD, Sun Solaris, Amiga, HP-UX, and other platforms.

What is Nmap used for?

There are a number of reasons why security pros prefer Nmap over other scanning tools.

To begin, Nmap allows you to easily map out a network using simple commands and configurations. Simple commands (such as checking if a host is up) and complicated scripting are also supported by the Nmap scripting engine.

Other features of Nmap include:

  • Ability to quickly recognize all devices on single or numerous networks, including servers, routers, switches, mobile devices, and so on.
  • Web servers, DNS servers, and other common applications are among the services that can be identified on a system. Nmap can also detect application versions with reasonable accuracy, which can aid in the detection of existing flaws.
  • Nmap can look up information about a device’s operating system. It can provide detailed information such as operating system versions, making it easy to develop future penetration testing methods.
  • During security auditing and vulnerability scanning, you can use Nmap to attack systems using existing scripts from the Nmap Scripting Engine.
  • Nmap has a graphical user interface called Zenmap. It helps you develop visual mappings of a network for better usability and reporting.


How To Install Nmap

The process for installing Nmap is easy but varies according to your operating system. The Windows, Mac, and Linux versions of the program can be downloaded from the official Nmap site.

  • For Windows, Nmap comes with a custom installer (nmap-<version>-setup.exe). Download and run this installer, and it automatically configures Nmap on your system.
  • On Mac, Nmap also comes with a dedicated installer. Run the nmap-<version>.mpkg file to start this installer. On some recent versions of macOS, you might see a warning that Nmap is from an “unidentified developer”, but you can ignore this warning.
  • Linux users can either compile Nmap from source or use their chosen package manager. With apt, for instance, you can run nmap --version to check whether Nmap is installed, and sudo apt-get install nmap to install it.

Uses of Nmap

Nmap is a Network Mapper, as I mentioned at the beginning of this tutorial, that allows us to scan a network or host, discover open and closed ports, check whether a host is up, and determine what operating system the host is running. We’ve tried to cover a lot in this Nmap tutorial, so it’ll be a little longer.

Before we start using Nmap, you need some basic networking knowledge.

Port Scanning: before we do port scanning, you must be clear about what a port is.

A port is basically a way to connect to a service on a computer. There are 65535 ports per transport protocol, and each one can be open, closed, or filtered:

if a port is open, the computer is listening for a connection on it.
if a port is closed, the computer is reachable but is not listening for a connection on that port.

if a port is filtered, Nmap could not tell whether it is open or closed because a firewall or packet filter dropped the probe; in other words, the system administrator is hiding that information.

Different ports are used for different connections:
for example, the alternate HTTP port is 8080 and the FTP port is 21, and so on. A port is easily identified because it comes after a colon, e.g. 127.0.0.1:8080, where 8080 is the port.

TCP and UDP protocols

These are the most commonly used transport protocols on a network. Both are used to listen for connections, but they play different roles:

TCP Protocol
TCP is a connection-oriented protocol. In simple words, it is used for connections that need data delivered reliably and in order, for example loading a web page.

UDP Protocol
UDP is a connectionless protocol that does not guarantee delivery of packets; it is most commonly used for live video streaming.

Here is a quick overview of the various TCP/IP protocols by layer:

  • Application layer: FTP, HTTP, SNMP, BOOTP, DHCP
  • Transport layer: TCP, UDP, ICMP, IGMP
  • Network layer: ARP, IP, RARP
  • Data link layer: SLIP, PPP

Now Let’s use some Nmap commands for Port Scanning.

Nmap Command

The following sections explain the Nmap commands by category, with an example for each:

Basic Scanning Commands

| Goal | Command | Example |
|---|---|---|
| Scan a Single Target | nmap [target] | nmap 192.168.0.1 |
| Scan Multiple Targets | nmap [target1 target2 ...] | nmap 192.168.0.1 192.168.0.2 |
| Scan a Range of Hosts | nmap [range of ip addresses] | nmap 192.168.0.1-10 |
| Scan an Entire Subnet | nmap [ip address/cidr] | nmap 192.168.0.1/24 |
| Scan Random Hosts | nmap -iR [number] | nmap -iR 0 |
| Excluding Targets from a Scan | nmap [targets] --exclude [targets] | nmap 192.168.0.1/24 --exclude 192.168.0.100,192.168.0.200 |
| Excluding Targets Using a List | nmap [targets] --excludefile [list.txt] | nmap 192.168.0.1/24 --excludefile notargets.txt |
| Perform an Aggressive Scan | nmap -A [target] | nmap -A 192.168.0.1 |
| Scan an IPv6 Target | nmap -6 [target] | nmap -6 1aff:3c21:47b1:0000:0000:0000:0000:2afe |

Discovery Options

| Goal | Command | Example |
|---|---|---|
| Perform a Ping Only Scan | nmap -sP [target] (-sn in current Nmap versions) | nmap -sP 192.168.0.1 |
| Don’t Ping | nmap -PN [target] (-Pn in current Nmap versions) | nmap -PN 192.168.0.1 |
| TCP SYN Ping | nmap -PS [target] | nmap -PS 192.168.0.1 |
| TCP ACK Ping | nmap -PA [target] | nmap -PA 192.168.0.1 |
| UDP Ping | nmap -PU [target] | nmap -PU 192.168.0.1 |
| SCTP INIT Ping | nmap -PY [target] | nmap -PY 192.168.0.1 |
| ICMP Echo Ping | nmap -PE [target] | nmap -PE 192.168.0.1 |
| ICMP Timestamp Ping | nmap -PP [target] | nmap -PP 192.168.0.1 |
| ICMP Address Mask Ping | nmap -PM [target] | nmap -PM 192.168.0.1 |
| IP Protocol Ping | nmap -PO [target] | nmap -PO 192.168.0.1 |
| ARP Ping | nmap -PR [target] | nmap -PR 192.168.0.1 |
| Traceroute | nmap --traceroute [target] | nmap --traceroute 192.168.0.1 |
| Force Reverse DNS Resolution | nmap -R [target] | nmap -R 192.168.0.1 |
| Disable Reverse DNS Resolution | nmap -n [target] | nmap -n 192.168.0.1 |
| Alternative DNS Lookup | nmap --system-dns [target] | nmap --system-dns 192.168.0.1 |
| Manually Specify DNS Server(s) | nmap --dns-servers [servers] [target] | nmap --dns-servers 201.56.212.54 192.168.0.1 |
| Create a Host List | nmap -sL [targets] | nmap -sL 192.168.0.1/24 |

Advanced Scanning Options

| Goal | Command | Example |
|---|---|---|
| TCP SYN Scan | nmap -sS [target] | nmap -sS 192.168.0.1 |
| TCP Connect Scan | nmap -sT [target] | nmap -sT 192.168.0.1 |
| UDP Scan | nmap -sU [target] | nmap -sU 192.168.0.1 |
| TCP NULL Scan | nmap -sN [target] | nmap -sN 192.168.0.1 |
| TCP FIN Scan | nmap -sF [target] | nmap -sF 192.168.0.1 |
| Xmas Scan | nmap -sX [target] | nmap -sX 192.168.0.1 |
| TCP ACK Scan | nmap -sA [target] | nmap -sA 192.168.0.1 |
| Custom TCP Scan | nmap --scanflags [flags] [target] | nmap --scanflags SYNFIN 192.168.0.1 |
| IP Protocol Scan | nmap -sO [target] | nmap -sO 192.168.0.1 |
| Send Raw Ethernet Packets | nmap --send-eth [target] | nmap --send-eth 192.168.0.1 |
| Send IP Packets | nmap --send-ip [target] | nmap --send-ip 192.168.0.1 |

Port Scanning Options

| Goal | Command | Example |
|---|---|---|
| Perform a Fast Scan | nmap -F [target] | nmap -F 192.168.0.1 |
| Scan Specific Ports | nmap -p [port(s)] [target] | nmap -p 21-25,80,139,8080 192.168.1.1 |
| Scan Ports by Name | nmap -p [port name(s)] [target] | nmap -p ftp,http* 192.168.0.1 |
| Scan Ports by Protocol | nmap -sU -sT -p U:[ports],T:[ports] [target] | nmap -sU -sT -p U:53,111,137,T:21-25,80,139,8080 192.168.0.1 |
| Scan All Ports | nmap -p '*' [target] | nmap -p '*' 192.168.0.1 |
| Scan Top Ports | nmap --top-ports [number] [target] | nmap --top-ports 10 192.168.0.1 |
| Perform a Sequential Port Scan | nmap -r [target] | nmap -r 192.168.0.1 |

Version Detection

| Goal | Command | Example |
|---|---|---|
| Operating System Detection | nmap -O [target] | nmap -O 192.168.0.1 |
| Submit TCP/IP Fingerprints | www.nmap.org/submit/ | |
| Attempt to Guess an Unknown OS | nmap -O --osscan-guess [target] | nmap -O --osscan-guess 192.168.0.1 |
| Service Version Detection | nmap -sV [target] | nmap -sV 192.168.0.1 |
| Troubleshooting Version Scans | nmap -sV --version-trace [target] | nmap -sV --version-trace 192.168.0.1 |
| Perform a RPC Scan | nmap -sR [target] (now an alias of -sV) | nmap -sR 192.168.0.1 |

Firewall Evasion Techniques

| Goal | Command | Example |
|---|---|---|
| Fragment Packets | nmap -f [target] | nmap -f 192.168.0.1 |
| Specify a Specific MTU | nmap --mtu [MTU] [target] | nmap --mtu 32 192.168.0. |
| Use a Decoy | nmap -D RND:[number] [target] | nmap -D RND:10 192.168.0.1 |
| Idle Zombie Scan | nmap -sI [zombie] [target] | nmap -sI 192.168.0.38 |
| Manually Specify a Source Port | nmap --source-port [port] [target] | nmap --source-port 10 192.168.0.1 |
| Append Random Data | nmap --data-length [size] [target] | nmap --data-length 2 192.168.0.1 |
| Randomize Target Scan Order | nmap --randomize-hosts [target] | nmap --randomize-hosts 192.168.0.1-20 |
| Spoof MAC Address | nmap --spoof-mac [MAC\|0\|vendor] [target] | nmap --spoof-mac Cis 192.168.0.1 |
| Send Bad Checksums | nmap --badsum [target] | nmap --badsum 192.168.0.1 |

Troubleshooting And Debugging

| Goal | Command | Example |
|---|---|---|
| Getting Help | nmap -h | nmap -h |
| Display Nmap Version | nmap -V | nmap -V |
| Verbose Output | nmap -v [target] | nmap -v 192.168.0.1 |
| Debugging | nmap -d [target] | nmap -d 192.168.0.1 |
| Display Port State Reason | nmap --reason [target] | nmap --reason 192.168.0.1 |
| Only Display Open Ports | nmap --open [target] | nmap --open 192.168.0.1 |
| Trace Packets | nmap --packet-trace [target] | nmap --packet-trace 192.168.0.1 |
| Display Host Networking | nmap --iflist | nmap --iflist |
| Specify a Network Interface | nmap -e [interface] [target] | nmap -e eth0 192.168.0.1 |
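
The introduction notes that unexpected devices are caught by monitoring what is connected, and --open above shows only the open ports of a single scan; the following shell helper is an added example (not code from the original article or from the Nmap project) that parses Nmap's grepable output format (-oG, a real option not listed in the tables) and reports which ports are open now that were not open in an earlier baseline scan. The host addresses and ports in the two sample scans are constructed for the example.

```shell
# Added helper for this tutorial (not part of Nmap): parse grepable output (-oG) and
# flag ports that are newly open compared with an earlier baseline scan.

# Constructed sample of a baseline `nmap -oG baseline.gnmap 192.168.0.1/24` run;
# hosts and ports are made up, and tabs separate the fields exactly as Nmap writes them.
baseline_scan() {
  printf 'Host: 192.168.0.1 ()\tStatus: Up\n'
  printf 'Host: 192.168.0.1 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///\tIgnored State: closed (998)\n'
  printf 'Host: 192.168.0.2 ()\tStatus: Up\n'
  printf 'Host: 192.168.0.2 ()\tPorts: 443/open/tcp//https///\tIgnored State: filtered (999)\n'
}
# Constructed later scan of the same subnet: port 80 closed, three ports newly open,
# and a host (192.168.0.7) that was not there before.
current_scan() {
  printf 'Host: 192.168.0.1 ()\tStatus: Up\n'
  printf 'Host: 192.168.0.1 ()\tPorts: 22/open/tcp//ssh///, 80/closed/tcp//http///, 8080/open/tcp//http-proxy///\tIgnored State: closed (997)\n'
  printf 'Host: 192.168.0.2 ()\tStatus: Up\n'
  printf 'Host: 192.168.0.2 ()\tPorts: 443/open/tcp//https///, 3389/open/tcp//ms-wbt-server///\tIgnored State: filtered (998)\n'
  printf 'Host: 192.168.0.7 ()\tStatus: Up\n'
  printf 'Host: 192.168.0.7 ()\tPorts: 21/open/tcp//ftp///\tIgnored State: closed (999)\n'
}
# open_ports: read grepable output on stdin and print "host port/proto service" for
# every entry whose state is "open"; closed and filtered entries are skipped (like --open).
open_ports() {
  awk 'BEGIN { FS = "\t" }
    /^Host:/ {
      host = $1; sub(/^Host: /, "", host); sub(/ .*/, "", host)
      for (i = 2; i <= NF; i++) {
        if ($i !~ /^Ports: /) continue
        n = split(substr($i, 8), entry, /, /)
        for (j = 1; j <= n; j++) {
          split(entry[j], f, "/")   # port/state/protocol/owner/service/rpcinfo/version/
          if (f[2] == "open") print host, f[1] "/" f[3], f[5]
        }
      }
    }'
}
# new_open_ports BASELINE_FILE CURRENT_FILE: open ports in the current scan that were
# not open in the baseline, i.e. the changes an administrator should investigate.
new_open_ports() {
  {
    open_ports < "$1" | sed 's/^/B /'
    open_ports < "$2" | sed 's/^/C /'
  } | awk '$1 == "B" { seen[substr($0, 3)] = 1; next }
           !(substr($0, 3) in seen) { print substr($0, 3) }'
}
# Stand-alone demo on the constructed samples (prints three lines).
b=$(mktemp) && c=$(mktemp) && baseline_scan > "$b" && current_scan > "$c"
new_open_ports "$b" "$c"; rm -f "$b" "$c"
```

With real scans, save each run with nmap -oG <file> and pass the two files to new_open_ports; a host that appears with ports you did not expect is the signal to follow up.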

NMAP Scripting Engine

| Goal | Command | Example |
|---|---|---|
| Execute Individual Scripts | nmap --script [script.nse] [target] | nmap --script banner.nse 192.168.0.1 |
| Execute Multiple Scripts | nmap --script [expression] [target] | nmap --script 'http-*' 192.168.0.1 |
| Script Categories | all, auth, default, discovery, external, intrusive, malware, safe, vuln | |
| Execute Scripts by Category | nmap --script [category] [target] | nmap --script 'not intrusive' 192.168.0.1 |
| Execute Multiple Script Categories | nmap --script [category1,category2,etc] [target] | nmap --script 'default or safe' 192.168.0.1 |
| Troubleshoot Scripts | nmap --script [script] --script-trace [target] | nmap --script banner.nse --script-trace 192.168.0.1 |
| Update the Script Database | nmap --script-updatedb | nmap --script-updatedb |

How To Use Nmap in Kali Linux

Using Nmap in Kali Linux works exactly as it does on any other flavor of Linux.

However, there are several advantages to using Kali for Nmap scans. Most modern Kali releases ship the whole Nmap suite: a sophisticated GUI and results viewer (Zenmap), a powerful data transfer, redirection, and debugging tool (Ncat), a utility for comparing scan results (Ndiff), and a packet creation and response analysis tool (Nping).

Nmap FAQ

The commands above cover most of the basic functionality of Nmap. You might still have some questions though, so let’s run through the most common ones.

Q.1 How do I run a Nmap Scan?

Please read the article above. It covers most of the Nmap commands and how to use them to run different types of scans.


Q.2 Why is port scanning dangerous?

An attacker can use a port scan to locate open ports. When an attacker discovers an open port with a listening service behind it, he or she can probe that service for vulnerabilities.

Q.3 What is the difference between Nmap and Wireshark?

Nmap lets you scan Host/IP for open ports and learn about the host’s services and operating system. Wireshark is a network packet capture and analysis tool.

Q.4 What Are Some Nmap Alternatives?

Although there are numerous alternatives to Nmap, most of them are focused on delivering particular, specialist features that the common system administrator does not require on a regular basis. For example, MASSCAN is considerably faster than Nmap but gives less information. Umit, on the other hand, allows you to run many scans at the same time.

In reality, however, Nmap provides all the functionality and speed that the average user requires, especially when used alongside other similarly popular tools like Netcat (which can be used to manage and control network traffic) and Zenmap (which provides a GUI for Nmap).

Q.5 How Does Nmap Work?

Nmap is a network traffic scanning tool that improves on earlier network auditing tools to perform speedy and thorough scans of network traffic. It operates by identifying active hosts and IPs on a network using IP packets, then analyzing these packets to offer information on each host and IP, as well as the operating systems they are running.

Q.6 Is Nmap Legal?

Yes. If used properly, Nmap helps protect your network from hackers, because it allows you to quickly spot any security vulnerabilities in your systems.

Another question is whether port scanning on remote servers is legal. This field of law is complicated and varies by territory. If you use Nmap to scan external ports, your ISP may ban you, so make sure you understand the legal ramifications of doing so before you start using it more broadly.
