CyberSecurity / Guides

How to use NMAP

- by Anto Online - 1 Comment

Nmap (or Nmapper) is a free and open-source network scanner used for analysis, security audits, and network exploration. You use it to discover hosts and services on a computer network by sending packets and analyzing the responses in an easy-to-use manner. First, let us take a look at how to use Nmap.

The Nmap port scanner can primarily determine:

  • Available hosts on the network
  • The operating system running on the hosts
  • Name and version of applications running on the hosts
  • Type of firewalls being used on the hosts
  • And much more
You may also want to read: Tools to scan for website problems.

How to install Nmap

Linux Installation

Run the following command to install it on Debian-based Linux distributions like Ubuntu, Linux Mint, and Kali Linux:

apt-get install nmap

Use the following command on Fedora-based distributions like CentOS and Red Hat Enterprise Linux (RHEL):

yum install nmap

You can also use Snap if you prefer using the following command:

sudo snap install nmap
For example, you may get the following error when using Nmap installed with Snap: “Couldn’t open a raw socket. Error: Permission denied (13)“. If you do, then run: “snap connect nmap:network-control“.

Mac OS Installation

Run the following command to install it on Mac with Homebrew:

brew install nmap

Windows Installation

Download installer from the Nmap website and run the downloaded .exe file to install it.

There are a lot of options that we can use with the Nmap command. So, the type and amount of information we get depends on the options we use.

How to Get Help With Nmap

We can get the list of all the options we can use with Nmap by running the following command:

nmap

Nmap will then print a list of the various command options:

Nmap 7.80 ( https://nmap.org )
Usage: nmap [Scan Type(s)] [Options] {target specification}
TARGET SPECIFICATION:
  Can pass hostnames, IP addresses, networks, etc.
  Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
  -iL <inputfilename>: Input from list of hosts/networks
  -iR <num hosts>: Choose random targets
  --exclude <host1[,host2][,host3],...>: Exclude hosts/networks
  --excludefile <exclude_file>: Exclude list from file
HOST DISCOVERY:
  -sL: List Scan - simply list targets to scan
  -sn: Ping Scan - disable port scan
  -Pn: Treat all hosts as online -- skip host discovery
  -PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports
  -PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
  -PO[protocol list]: IP Protocol Ping
  -n/-R: Never do DNS resolution/Always resolve [default: sometimes]
  --dns-servers <serv1[,serv2],...>: Specify custom DNS servers
  --system-dns: Use OS's DNS resolver
  --traceroute: Trace hop path to each host
SCAN TECHNIQUES:
  -sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
  -sU: UDP Scan
  -sN/sF/sX: TCP Null, FIN, and Xmas scans
  --scanflags <flags>: Customize TCP scan flags
  -sI <zombie host[:probeport]>: Idle scan
  -sY/sZ: SCTP INIT/COOKIE-ECHO scans
  -sO: IP protocol scan
  -b <FTP relay host>: FTP bounce scan
PORT SPECIFICATION AND SCAN ORDER:
  -p <port ranges>: Only scan specified ports
    Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080,S:9
  --exclude-ports <port ranges>: Exclude the specified ports from scanning
  -F: Fast mode - Scan fewer ports than the default scan
  -r: Scan ports consecutively - don't randomize
  --top-ports <number>: Scan <number> most common ports
  --port-ratio <ratio>: Scan ports more common than <ratio>
SERVICE/VERSION DETECTION:
  -sV: Probe open ports to determine service/version info
  --version-intensity <level>: Set from 0 (light) to 9 (try all probes)
  --version-light: Limit to most likely probes (intensity 2)
  --version-all: Try every single probe (intensity 9)
  --version-trace: Show detailed version scan activity (for debugging)
SCRIPT SCAN:
  -sC: equivalent to --script=default
  --script=<Lua scripts>: <Lua scripts> is a comma separated list of
           directories, script-files or script-categories
  --script-args=<n1=v1,[n2=v2,...]>: provide arguments to scripts
  --script-args-file=filename: provide NSE script args in a file
  --script-trace: Show all data sent and received
  --script-updatedb: Update the script database.
  --script-help=<Lua scripts>: Show help about scripts.
           <Lua scripts> is a comma-separated list of script-files or
           script-categories.
OS DETECTION:
  -O: Enable OS detection
  --osscan-limit: Limit OS detection to promising targets
  --osscan-guess: Guess OS more aggressively
TIMING AND PERFORMANCE:
  Options which take <time> are in seconds, or append 'ms' (milliseconds),
  's' (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).
  -T<0-5>: Set timing template (higher is faster)
  --min-hostgroup/max-hostgroup <size>: Parallel host scan group sizes
  --min-parallelism/max-parallelism <numprobes>: Probe parallelization
  --min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time>: Specifies
      probe round trip time.
  --max-retries <tries>: Caps number of port scan probe retransmissions.
  --host-timeout <time>: Give up on target after this long
  --scan-delay/--max-scan-delay <time>: Adjust delay between probes
  --min-rate <number>: Send packets no slower than <number> per second
  --max-rate <number>: Send packets no faster than <number> per second
FIREWALL/IDS EVASION AND SPOOFING:
  -f; --mtu <val>: fragment packets (optionally w/given MTU)
  -D <decoy1,decoy2[,ME],...>: Cloak a scan with decoys
  -S <IP_Address>: Spoof source address
  -e <iface>: Use specified interface
  -g/--source-port <portnum>: Use given port number
  --proxies <url1,[url2],...>: Relay connections through HTTP/SOCKS4 proxies
  --data <hex string>: Append a custom payload to sent packets
  --data-string <string>: Append a custom ASCII string to sent packets
  --data-length <num>: Append random data to sent packets
  --ip-options <options>: Send packets with specified ip options
  --ttl <val>: Set IP time-to-live field
  --spoof-mac <mac address/prefix/vendor name>: Spoof your MAC address
  --badsum: Send packets with a bogus TCP/UDP/SCTP checksum
OUTPUT:
  -oN/-oX/-oS/-oG <file>: Output scan in normal, XML, s|<rIpt kIddi3,
     and Grepable format, respectively, to the given filename.
  -oA <basename>: Output in the three major formats at once
  -v: Increase verbosity level (use -vv or more for greater effect)
  -d: Increase debugging level (use -dd or more for greater effect)
  --reason: Display the reason a port is in a particular state
  --open: Only show open (or possibly open) ports
  --packet-trace: Show all packets sent and received
  --iflist: Print host interfaces and routes (for debugging)
  --append-output: Append to rather than clobber specified output files
  --resume <filename>: Resume an aborted scan
  --stylesheet <path/URL>: XSL stylesheet to transform XML output to HTML
  --webxml: Reference stylesheet from Nmap.Org for more portable XML
  --no-stylesheet: Prevent associating of XSL stylesheet w/XML output
MISC:
  -6: Enable IPv6 scanning
  -A: Enable OS detection, version detection, script scanning, and traceroute
  --datadir <dirname>: Specify custom Nmap data file location
  --send-eth/--send-ip: Send using raw ethernet frames or IP packets
  --privileged: Assume that the user is fully privileged
  --unprivileged: Assume the user lacks raw socket privileges
  -V: Print version number
  -h: Print this help summary page.
EXAMPLES:
  nmap -v -A scanme.nmap.org
  nmap -v -sn 192.168.0.0/16 10.0.0.0/8
  nmap -v -iR 10000 -Pn -p 80
SEE THE MAN PAGE (https://nmap.org/book/man.html) FOR MORE OPTIONS AND EXAMPLES

However, you can run the following command to get the complete documentation:

man nmap

Nmap basics

You can run a simple Nmap command with no options like this:

nmap 74.207.244.221

Or

nmap scanme.nmap.org

It is up to you whether you specify your IP Address or Domain Name. The above command will show all the open ports for this IP Address.

See an example below:

me@server:~$ nmap scanme.nmap.org
Starting Nmap 7.80 ( https://nmap.org ) at 2021-01-12 08:09 AEDT
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.17s latency).
Other addresses for scanme.nmap.org (not scanned): 2600:3c01::f03c:91ff:fe18:bb2f
Not shown: 996 closed ports
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
9929/tcp  open  nping-echo
31337/tcp open  Elite

Nmap done: 1 IP address (1 host up) scanned in 20.01 seconds

PORT, STATE, SERVICE Table:

Most of the time, when you run the Nmap command, you will see a table in the output having three columns PORT, STATE, and SERVICE.

The PORT column shows the port number and the name of the protocol, e.g., TCP, UDP, or any other.

The STATE column shows the PORT state whether open, closed, filtered, unfiltered, open|filtered, or closed|filtered.

The SERVICE column shows the name of the SERVICE running on that specific PORT. For example, the service name could be SSH, HTTP, HTTPS, or any other service running in your system.

Scanning range of IP addresses or host

You can also scan multiple IP Addresses by specifying a range:

nmap 74.207.244.1-15

As a result of this command, we will get information about all the 15 IP Addresses we have mentioned.

You can also specify multiple IP Addresses like this:

nmap 74.207.244.221 192.168.43.1 10.44.16.5

Do not forget to give a space after each IP Address.

Detecting all the hosts connected to a network

Following command shows all the possible hosts for this network. It also shows those hosts that are up along with their hostnames.

nmap -sL 192.168.43.0/24

By using the number 24, we are specifying the subnet.

The following command shows only those hosts which are up along with their IP Addresses and hostnames.

nmap -sn 192.168.43.0/24

The -sn parameters specify a ping scan and are used to disable the port scan. So, using the sn option will not show the PORT, STATE, SERVICE table.

You can also run the same command using wildcards as:

nmap -sn 192.168.43.*

When scanning a network, you can also specify an IP Address that you do not want to scan:

nmap 192.168.43.* --exclude 192.168.43.1

So, because of this exclude option will not scan the specified IP Address.

Detecting the operating system

Following command guesses the Operating System being used on the target host:

nmap -O scanme.nmap.org

Where option O stands for the Operating System.

We can also use the option –osscan-guess to guess the Operating System more aggressively:

nmap --osscan-guess scanme.nmap.org

Running the Nmap command with A option detects the Operating System, version as well as traceroute and other information:

nmap -A scanme.nmap.org

You can also run the above command with the T4 option. This option is used for faster execution.

nmap -A -T4 scanme.nmap.org

Getting Traceroute for a Host

You can find the traceroute (route from your computer to the specified destination) by the following command:

sudo nmap --traceroute scanme.nmap.org

Unfortunately, the command with the traceroute option will only work with sudo.

Scanning fewer ports for quick scan

As mentioned earlier, you can use the T4 option for faster execution. Moreover, you can scan the fewer ports for a quick scan using the F option.

nmap -F -T4 scanme.nmap.org

Here the F stands for “fast scan”

Scanning any specific ports

Instead of scanning all the ports of a host, you can also scan any specific ports.

Run the following command to scan port 80 e.g.

nmap -p80 scaneme.nmap.org

Here the p stands for the port.

Instead of scanning only one port, you can also scan multiple ports:

nmap -p80,8080 scaneme.nmap.org

You can further explore this tool by running the following command:

man nmap

Find open ports

Return all open ports, the port state, and service name, for example.com:

root@server:/# nmap example.com
Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-08 19:14 CST
Nmap scan report for example.com (93.184.216.34)
Host is up (0.17s latency).
Other addresses for example.com (not scanned): 2606:2800:220:1:248:1893:25c8:1946
Not shown: 996 filtered ports
PORT     STATE  SERVICE
80/tcp   open   http
443/tcp  open   https
1119/tcp closed bnetgame
1935/tcp closed rtmp

Nmap done: 1 IP address (1 host up) scanned in 11.01 seconds

Adding a -v or -vv will increase verbosity level:

root@odis:/# nmap -vv example.com
Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-08 19:14 CST
Warning: Hostname example.com resolves to 2 IPs. Using 93.184.216.34.
Initiating Ping Scan at 10:19
Scanning example.com (93.184.216.34) [4 ports]
Completed Ping Scan at 10:19, 0.24s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 10:19
Completed Parallel DNS resolution of 1 host. at 10:19, 0.03s elapsed
Initiating SYN Stealth Scan at 10:19
Scanning example.com (93.184.216.34) [1000 ports]
Discovered open port 80/tcp on 93.184.216.34
Discovered open port 443/tcp on 93.184.216.34
Completed SYN Stealth Scan at 10:19, 10.27s elapsed (1000 total ports)
Nmap scan report for example.com (93.184.216.34)
Host is up, received echo-reply ttl 57 (0.16s latency).
Other addresses for example.com (not scanned): 2606:2800:220:1:248:1893:25c8:1946
Scanned at 2021-03-08 10:19:15 AEDT for 10s
Not shown: 996 filtered ports
Reason: 996 no-responses
PORT     STATE  SERVICE  REASON
80/tcp   open   http     syn-ack ttl 57
443/tcp  open   https    syn-ack ttl 57
1119/tcp closed bnetgame reset ttl 57
1935/tcp closed rtmp     reset ttl 57

Wrapping up

You should now be able to install and know how to use Nmap. Let us know your favorite Nmap commands!

Want more? Why not watch this great YouTube clip explaining Nmap:

You may also be interested in

Sources:

Related Posts

A Guide to Ethical Footprinting in CyberSecurity

How to Perform DNS Spoofing Using Ettercap: A Step-by-Step Tutorial

Guide to Using Slowloris for HTTP Denial of Service Attacks

About Anto Online

Anto, a seasoned technologist with over two decades of experience, has traversed the tech landscape from Desktop Support Engineer to enterprise application consultant, specializing in AWS serverless technologies. He guides clients in leveraging serverless solutions while passionately exploring cutting-edge cloud concepts beyond his daily work. Anto's dedication to continuous learning, experimentation, and collaboration makes him a true inspiration, igniting others' interest in the transformative power of cloud computing.

View all posts by Anto Online

One Comment on “How to use NMAP”

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.