Hello, this is Nithin here. I’m a security researcher / enthusiast and I go by the handle @thebinarybot at most of the places online.
In this article, I’ve covered most of the questions that I asked myself when studying Nmap, and I have also answered them briefly.
- What is Nmap?
Nmap is basically a command-line port scanner, and arguably the best at what it does.
- How to install Nmap?
Nmap is installed by default in certain Linux distros; if it is not, on Debian-based systems you can run
sudo apt-get install nmap
For Windows, Mac OS X and other operating systems you can find the respective releases at https://nmap.org/download.html .
Nmap is run from the terminal, and different flags carry out different tasks. You can run
nmap -h to see the help menu, or run
man nmap for a detailed version of the same.
- How to perform a basic scan?
The simplest scan takes only the target, and uses Nmap’s defaults for everything else:
nmap targetIP
- Is it possible to scan an entire subnet?
Absolutely yes: give Nmap the range in CIDR notation, e.g. nmap 192.168.1.0/24 scans all 256 addresses of that /24 (a private range, used here only as an illustration).
- Scan a list of targets from a text file?
The -iL flag does the trick (one target per line):
nmap -iL targets.txt
- How to scan a single port?
The -p flag selects which port(s) to scan
nmap -p 80 targetIP - This scans for port 80 on the specified IP address
- How to scan multiple ports?
Separate them with commas
nmap -p 80,21 targetIP - This scans for ports 80 and 21 on the specified IP address
- How to scan a range of ports?
nmap -p 1-500 targetIP - This scans for ports from 1 to 500 on the specified IP address
- How to scan all ports?
Use the -p- switch
nmap -p- targetIP
By default Nmap scans the top 1000 ports
- Scan more than the 1000 “top” ports?
Use the --top-ports switch
nmap --top-ports 2000 targetIP
- How to detect the versions of the services running on the host?
nmap -sV targetIP
(This in particular is very useful, a lot of the time, for finding known exploits related to that service version)
- How to discover the Operating System run by the host ?
nmap -O targetIP
- Scan with verbose output?
Use -v for verbose output, or -vv for even more verbose output
nmap -vv targetIP
These are some of the basic scans that one definitely has to keep in mind. But Nmap is so much more. Below are some of the commands that I use quite frequently.
- What if you want to scan without pinging the host?
Use the -Pn flag
nmap -Pn targetIP
( This comes in handy when the host does not answer pings, for example because ICMP is blocked, and yet you wish to scan it )
Nmap by default does a TCP SYN scan (when run with root privileges; an unprivileged user gets a TCP connect scan instead).
- Perform UDP scans using the -sU flag. Example :
nmap -sU targetIP
To elaborate on the scan types, Nmap has three basic scan types.
- TCP SYN Scans : -sS
- UDP Scans : -sU
- TCP Connect Scans : -sT
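As an added example (my own code, not from the article or the Nmap project), here is the -p port syntax from the earlier section and the TCP connect scan (-sT) from the list above re-implemented in Python, with a constructed loopback demo: one listening port, one port that is known to be closed. Everything here is defender-side reading material for understanding what such a scan looks like from the receiving end.

```python
import socket

def parse_port_spec(spec: str) -> list[int]:
    """Expand an Nmap-style -p argument ("80", "80,21", "1-500", "-") into a sorted port list."""
    ports: set[int] = set()
    for part in spec.split(","):
        lo, sep, hi = part.strip().partition("-")   # "80" -> ("80","",""), "1-500" -> ("1","-","500")
        if not lo and not sep:
            raise ValueError(f"empty port spec in {spec!r}")
        lo_n = int(lo) if lo else 1                   # "-500" means from port 1
        hi_n = int(hi) if hi else (65535 if sep else lo_n)   # "1024-" and "-" run to 65535
        if not 1 <= lo_n <= hi_n <= 65535:
            raise ValueError(f"bad port spec: {part!r}")
        ports.update(range(lo_n, hi_n + 1))
    return sorted(ports)

def connect_scan(host: str, ports: list[int], timeout: float = 0.5) -> dict[int, str]:
    """TCP connect scan (-sT): a full handshake per port, so no raw sockets needed but the target's application logs see it."""
    results: dict[int, str] = {}
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            try:
                s.connect((host, port))
                results[port] = "open"        # handshake completed, something is listening
            except ConnectionRefusedError:
                results[port] = "closed"      # RST came back: reachable, nothing listening
            except OSError:
                results[port] = "filtered"    # timeout/unreachable: a filter dropped the probe
    return results

def demo() -> tuple[dict[int, str], int, int]:
    """Constructed loopback demo: one listener, one port reserved then released so it is closed; scanned via the -p comma syntax."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))               # port 0: the OS picks a free one
    listener.listen(1)
    open_port = listener.getsockname()[1]
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()                                  # released, so nothing listens there now
    try:
        results = connect_scan("127.0.0.1", parse_port_spec(f"{open_port},{closed_port}"))
    finally:
        listener.close()
    return results, open_port, closed_port

if __name__ == "__main__":
    print(demo())
```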
Nmap can also perform certain special TCP scans, such as the following.
FIN scan: here, a request is sent with only the FIN flag set instead of the usual SYN flag
nmap -sF targetIP
NULL scan: here, a request is sent with no flags set at all
nmap -sN targetIP
ACK scan: here, a request is sent with only the ACK flag set
nmap -sA targetIP
Xmas scan: here, an unusual TCP packet is sent to the host with the FIN, URG and PSH flags set. With those flags lit up, the packet looks like a blinking Xmas tree when viewed in Wireshark or any other similar tool.
nmap -sX targetIP
But why do we need these special scans?
Sometimes, when there is network filtering in place and you wish to get past the filter, the above special scans might be of some help, because a stateless filter that only blocks SYN packets lets them through. Note that the FIN, NULL and Xmas scans rely on closed ports answering with a RST and open ports staying silent, so they only work against TCP stacks that follow the RFC; Windows hosts, for example, answer with a RST either way and every port shows as closed.
- Use -A to perform an aggressive scan.
An aggressive scan performs service detection, operating system detection, a traceroute and common script scanning at the cost of being loud. I wouldn’t personally recommend it to be used every time, but if you want to, use it at your own risk.
nmap -A targetIP
Since I mentioned script scanning in the previous section, I’ll elaborate on it to the best of my knowledge.
Nmap can also automate exploits and find vulnerabilities using predefined scripts. These scripts are written in the Lua programming language.
Nmap has a scripting engine called the Nmap Scripting Engine (NSE), whose scripts are grouped into categories that perform different tasks. The entire list of categories can be found here : https://nmap.org/book/nse-usage.html
To run an entire category, you can pass the category name to --script (for example nmap --script=categoryName targetIP).
To run a specific script, you can use nmap --script=scriptName targetIP. If your script requires arguments to be passed, you can supply them with --script-args, for example nmap --script=scriptName --script-args argName=value targetIP (argName and value are placeholders for whatever the script documents).
You can find all scripts here : https://nmap.org/nsedoc/
Use the --scan-delay flag to add a delay between the packets sent. This is a simple firewall evasion technique: it keeps the probe rate below the threshold at which rate-based IDS rules fire. Other firewall evasion techniques can be found here : https://nmap.org/book/man-bypass-firewalls-ids.html
At last, if you’ve been running a scan for quite some time and it has been interrupted, you can use the --resume flag to continue from where you left off (the scan must have been writing a normal -oN or grepable -oG output file; that file is what you pass to --resume).
nmap --resume logFileName
Nmap is super powerful and I’ve only touched the common or most useful commands and utilities for me. To find more information, visit the official extensive documentation at https://nmap.org/book/.
Also, please do not overwhelm the targetIP. I deliberately didn’t mention the -T flag because it just doesn’t make much sense to me. You can read about this flag as well; it is basically used to adjust Nmap’s scan timing (faster at the cost of being loud and also missing potential targets).
With that being said, I’m also open to suggestions, corrections and discussions. Feel free to reach out to me on Twitter (@thebinarybot).
If you like the article and would like to support me as well, please buy me a coffee at : buymeacoffee.com/thebinarybot