How to Use Nmap For Beginners


Want to know more about weak points on a network? You can use Nmap to do this. If you have ever done network monitoring, you should be familiar with Nmap, because it is a powerful port scanner that allows administrators to find weak spots in their network.

With Nmap, you can investigate the entire network, see running services, and find vulnerabilities. This article will discuss how to use Nmap for beginners.


What is Nmap?

Nmap stands for Network Mapper. It is a tool for auditing and exploring the security of a network, created by Gordon Lyon, better known as Fyodor Vaskovich. Nmap was first released in September 1997.

This tool has an open-source license, so anyone is free to develop it. Although Nmap could initially only be used on Linux, it can now be used for free on almost all platforms, such as Microsoft Windows, Linux (all distros), Mac OS X, FreeBSD, OpenBSD, NetBSD, Sun Solaris, Amiga, HP-UX, and many others.


How to Use Nmap

Nmap is a powerful and free network security scan and audit tool. Nmap is commonly used by network administrators. Here are some examples of how to use Nmap.

Scanning Network Using Nmap

Nmap can scan the entire network for available hosts and open ports. There are several scanning methods to choose from. You can use an aggressive scan that generates more information, but a firewall may be able to block it, or you can use the stealth scan, which is what most people use.


        nmap -sT scanme.nmap.org

This is a TCP connect scan. This type of scan completes the full three-way TCP handshake with the host. However, that also makes it easier for hosts to block such scans, and they take longer to complete.

A SYN scan, on the other hand, does not complete the three-way handshake, so it is harder to block and faster than a TCP connect scan.

        nmap -sS scanme.nmap.org

Since most of the web uses TCP, UDP scans are used less often. However, you can use them to find DNS, SNMP, and DHCP services.

        nmap -sU scanme.nmap.org

SCTP INIT scanning is another powerful feature of Nmap on Linux. Not all devices use this protocol, so it is often less closely guarded. Regardless, these scans are fast, stealthy, and accurate.

        nmap -sY scanme.nmap.org


Specifying Hosts Using Nmap

Nmap allows administrators to analyze the network in several ways. You can scan a single IP, a whole range of IPs, or a selected list of IPs.

        nmap -sS 192.168.100.1

        nmap -sS 192.168.100.1/24

        nmap -sS 192.168.100.1 192.168.100.101 192.168.100.201

All these Nmap scans are done on the local network. You can also scan remote networks in the same way.


Specifying Ports in Nmap

Nmap scans the 1000 most popular ports by default. However, this often takes longer and can trigger firewalls or intrusion detection systems. To avoid this, you can specify exactly which ports to scan.

        nmap -sS -p 80,443 192.168.100.1

        nmap -sS -p 21-25,80,139,8080 192.168.100.1

You can add as many ports as you want with the -p option. The -F option enables fast mode, which scans fewer ports than the default scan.


        nmap -sS -F 192.168.100.1

The --top-ports option lets the administrator specify how many of the most popular ports to scan. This can be useful for large-scale reconnaissance.

        nmap -sS --top-ports 10 192.168.100.1


Detect Service And Version Information

Nmap is great at finding services and version information. This data is quite accurate in most cases. You can add version detection to your nmap scan by adding the -sV option.

        nmap -sS -sV -p 80,443 192.168.100.1

Nmap uses several techniques to retrieve version information. You can control how hard it tries with the --version-intensity option. The higher the intensity, the more accurate the results, but the scan also takes more time.

        nmap -sS -sV --version-intensity 9 192.168.100.1

You can also use Nmap to detect the OS version with the -O option. This is very helpful because it lets you find services that are out of date.

        nmap -sS -O -p 80,443 192.168.100.1

The --osscan-guess option may provide a bit more information in some situations, but its guesses are less reliable.

        nmap -sS --osscan-guess 192.168.100.1

You can also use the -A option, which enables OS detection and version detection along with traceroute.

        nmap -sS -A -p 80,443 192.168.100.1


Using Nmap Scripts

Nmap scripts combine power and flexibility. Administrators can choose from community-driven NSE scripts or create their own custom scripts. Nmap categorizes default scripts to make them easier to use.

        nmap --script=version 192.168.100.1

Nmap scripts are written in Lua and stored in /usr/share/nmap/nselib/. Other interesting NSE script categories include auth, vuln, exploit, and brute. You can run multiple scripts by giving a comma-separated list.

        nmap --script=version,auth 192.168.100.1

A space after a comma will cause the scan to fail, so make sure to avoid it. You can also select related scripts using a bash-style wildcard.

        nmap --script=http* 192.168.100.1

You can always learn more about Nmap scripts using the --script-help option.

        nmap --script-help "discovery"


Controlling Scan Time For Nmap

Nmap delivers excellent performance out of the box. However, you can also adjust the timing to suit your scanning goals. The -T parameter selects a timing template between zero and five; a higher value means a faster scan.

        nmap -sS -T 2 --top-ports 10 192.168.100.1

You can also specify the delay between each probe Nmap sends. This can be used to get past a firewall. The delay is given in seconds.


        nmap -sS --scan-delay 1 --top-ports 10 192.168.100.1


Avoiding Firewalls For Nmap Scans?

Technology has progressed tremendously since Nmap was released. Most firewalls today can detect port sweeps and block source addresses. Nmap offers several methods to circumvent firewalls and IDS.

        nmap -sS -D 192.168.100.111 --top-ports 10 192.168.100.1

The -D parameter specifies decoy IP addresses. It doesn't mask your IP; instead, it makes it look as if multiple hosts are sending the same scanning probe.

        nmap -sS -e wlp2s0 -S 192.168.100.111 --top-ports 10 192.168.100.1

The -S option spoofs your source IP address. When you spoof the source address, you also need the -e option, which takes the interface name as an argument. You can also fake MAC addresses.


        nmap -sS --spoof-mac 0 --top-ports 10 192.168.100.1

Specifying 0 for --spoof-mac tells Nmap to generate a random MAC address for that session. You can also use a custom address.


Managing Nmap Output

Nmap offers several ways to handle scan output. You can save the scan session results to a specific file.

        nmap -sS -p 80,443 -oN scan-output 192.168.100.1

Many Administrators want to save the output as XML. This makes it easier to parse.

        nmap -sS -p 80,443 -oX scan-output 192.168.100.1

Most people also like to save the result in a grepable file. This makes parsing data easier using popular Unix tools like grep, cut, and awk.


        nmap -sS -p 80,443 -oG scan-output 192.168.100.1
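As an added example (not part of the original article), here is how the grepable file written by the command above can be parsed with grep, cut and awk to list open ports per host. The -oG lines in sample_gnmap are constructed, not a real scan result.

```shell
#!/bin/sh
# Added example, not from the article: parse Nmap grepable (-oG) output with
# grep, cut and awk. The sample below is constructed, not a real scan result.

TAB=$(printf '\t')

# Constructed stand-in for the file written by "nmap -sS -p 22,80,443 -oG scan-output".
# Fields on a -oG line are tab-separated; each Ports entry has the form
# port/state/protocol/owner/service/rpcinfo/version/
sample_gnmap() {
    printf '%s\n' \
        '# Nmap scan initiated as: nmap -sS -p 22,80,443 -oG scan-output 192.168.100.0/24' \
        "Host: 192.168.100.1 ()${TAB}Status: Up" \
        "Host: 192.168.100.1 ()${TAB}Ports: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/closed/tcp//https///" \
        "Host: 192.168.100.7 ()${TAB}Status: Up" \
        "Host: 192.168.100.7 ()${TAB}Ports: 22/filtered/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///" \
        '# Nmap done -- 256 IP addresses (2 hosts up) scanned'
}

# Read -oG lines on stdin and print "host port/proto" for every open port.
open_ports() {
    grep 'Ports:' | awk -F "$TAB" '{
        host = $1; sub(/^Host: /, "", host); sub(/ .*/, "", host)
        ports = $2; sub(/^Ports: /, "", ports)
        n = split(ports, entry, ", ")
        for (i = 1; i <= n; i++) {
            split(entry[i], f, "/")
            if (f[2] == "open") print host, f[1] "/" f[3]
        }
    }'
}

# Read -oG lines on stdin and print the hosts that have the given port (e.g. 443/tcp) open.
hosts_with_port() {
    open_ports | grep " $1\$" | cut -d ' ' -f 1
}

sample_gnmap | open_ports
```

To use it on a real file, replace `sample_gnmap` with `cat scan-output`.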

Summary

So those are some examples of how to use Nmap for beginners. Nmap makes network scanning easier. You can choose from many scanning techniques to suit different purposes. In addition, a collection of reliable NSE scripts makes it easier for you to find vulnerabilities in a service.

Hopefully, this article about How to Use Nmap for Beginners has given you a little insight. Also read the article about How To Use Tcpdump On Linux, which you may find useful. Thank you.
