Nmap: From Beginner to Advanced

March 25, 2023

Nmap is a powerful and versatile tool for network exploration and security auditing. It can scan hosts, ports, services, firewalls, vulnerabilities, and more. In this blog post, we will cover the basics of nmap and some advanced techniques to make the most of it.

What is Nmap?

Nmap stands for Network Mapper. It is a free and open-source tool that can run on Windows, Linux, Mac OS X, and other platforms. Nmap was created by Gordon Lyon (also known as Fyodor) in 1997 and has been continuously developed and improved since then.

Nmap can perform various types of scans, such as:

  • Ping scan: to check if a host is alive or not
  • TCP scan: to check which TCP ports are open or closed on a host
  • UDP scan: to check which UDP ports are open or closed on a host
  • SYN scan: to check which TCP ports are open or closed on a host without completing the TCP handshake
  • ACK scan: to check if a host is behind a stateful firewall or not
  • Xmas scan: to check which TCP ports are open or closed on a host by sending packets with all flags set
  • FIN scan: to check which TCP ports are open or closed on a host by sending packets with only the FIN flag set
  • NULL scan: to check which TCP ports are open or closed on a host by sending packets with no flags set
  • Service scan: to check which services are running on the open ports of a host
  • OS scan: to check which operating system is running on a host
  • Version scan: to check which versions of the services are running on the open ports of a host
  • Script scan: to run various scripts from the Nmap Scripting Engine (NSE) to perform additional tasks, such as vulnerability detection, brute-forcing, banner grabbing, etc.

Nmap can also perform other functions, such as:

  • Host discovery: to find out which hosts are up on a network
  • Port filtering detection: to find out if a host is using any port filtering techniques, such as firewalls, IDS/IPS, etc.
  • Packet crafting: to create and send custom packets to a host
  • Packet sniffing: to capture and analyze packets from a network interface
  • Traceroute: to trace the path of packets from the source to the destination
  • IP spoofing: to send packets with a forged source IP address
  • MAC spoofing: to send packets with a forged source MAC address

How to Install Nmap?

Nmap can be downloaded from its official website: https://nmap.org/download.html

There are different versions of nmap available for different platforms. For Windows users, there is an installer that can be downloaded and run. For Linux users, there are binary packages for various distributions, such as Debian, Ubuntu, Fedora, etc., and most distributions also carry nmap in their package repositories. For Mac OS X users, there is an installer that can be downloaded and run. Alternatively, nmap can also be built from source code by following the instructions on the website.

How to Use Nmap?

Nmap can be used from the command line or from a graphical user interface (GUI) called Zenmap. Zenmap is a cross-platform GUI that provides an easy way to launch nmap scans and view the results. Zenmap can be downloaded from the same website as nmap.

To use nmap from the command line, the basic syntax is:

nmap [options] [targets]

where options are the flags that specify what type of scan or function to perform, and targets are the hosts or networks to scan.

For example, to perform a ping scan on 192.168.1.1:

nmap -sn 192.168.1.1

To perform a TCP SYN scan on 192.168.1.1:

nmap -sS 192.168.1.1

To perform a service scan on 192.168.1.1:

nmap -sV 192.168.1.1

To perform an OS scan on 192.168.1.1:

nmap -O 192.168.1.1

To perform a script scan on 192.168.1.1 using the default scripts:

nmap -sC 192.168.1.1

To perform a script scan on 192.168.1.1 using a specific script or category:

nmap --script [script or category] 192.168.1.1

For example, to perform a script scan on 192.168.1.1 using the http-enum script:

nmap --script http-enum 192.168.1.1

To perform a script scan on 192.168.1.1 using the vuln category:

nmap --script vuln 192.168.1.1

To list all the available scripts and categories:

nmap --script-help '*'

Nmap scripts are written in Lua and can be found in the /usr/share/nmap/scripts/ directory (on Linux). You can also write your own scripts or modify the existing ones to suit your needs.

How to Interpret Nmap Output?

Nmap output can be displayed in various formats, such as:

  • Interactive: the default format that shows the results on the terminal as they are found
  • Normal: a human-readable format that shows the results in a structured way
  • XML: a machine-readable format that can be parsed by other tools or programs
  • Grepable: a format that can be easily filtered by grep or other commands
  • JSON: a format that can be easily processed by JSON parsers or libraries

To specify the output format, use the -o flag followed by the format letter (N for normal, X for XML, G for grepable, J for JSON) and the file name.

For example, to save the output in normal format to a file called scan.txt:

nmap -oN scan.txt [targets]

To save the output in XML format to a file called scan.xml:

nmap -oX scan.xml [targets]

To save the output in JSON format to a file called scan.json:

nmap -oJ scan.json [targets]

The output of nmap consists of various sections, such as:

  • Nmap scan report: shows the target IP address or hostname, the state (up or down), and the scanned ports (open, closed, filtered)
  • Host details: shows additional information about the target host, such as MAC address, vendor, OS details, uptime, etc.
  • Port details: shows additional information about each scanned port, such as service name, version, banner, etc.
  • NSE script results: shows the output of each script that was run on the target host or port
  • Nmap done: shows the summary of the scan, such as elapsed time, hosts scanned, hosts up, etc.
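The XML format is the one meant for other programs, and the most useful thing to do with it is compare two scans of the same host to spot newly exposed services. The following is an added example (not code from the original post): it parses the host, port and service elements of nmap's -oX output and diffs a baseline against a later scan. The two XML documents are constructed to mimic real nmap output; the address and services in them are made up.

```python
import xml.etree.ElementTree as ET

# Constructed baseline scan (made-up host and services), shaped like real -oX output.
BASELINE_XML = """<nmaprun scanner="nmap" args="nmap -sS -sV -oX base.xml 192.168.1.1">
<host><status state="up" reason="echo-reply"/>
<address addr="192.168.1.1" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
<service name="ssh" product="OpenSSH" version="8.9p1"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
<service name="http" product="nginx"/></port>
<port protocol="tcp" portid="443"><state state="closed" reason="reset"/></port>
</ports></host>
<runstats><finished elapsed="2.10"/><hosts up="1" down="0" total="1"/></runstats>
</nmaprun>"""

# Constructed follow-up scan of the same host: HTTP is gone, a database port is now open.
CURRENT_XML = """<nmaprun scanner="nmap" args="nmap -sS -sV -oX now.xml 192.168.1.1">
<host><status state="up" reason="echo-reply"/>
<address addr="192.168.1.1" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
<service name="ssh" product="OpenSSH" version="8.9p1"/></port>
<port protocol="tcp" portid="3306"><state state="open" reason="syn-ack"/>
<service name="mysql"/></port>
</ports></host>
<runstats><finished elapsed="1.85"/><hosts up="1" down="0" total="1"/></runstats>
</nmaprun>"""

def parse_open_ports(xml_text):
    """Map (address, protocol, port) -> service name for open ports on hosts that are up."""
    root = ET.fromstring(xml_text)
    found = {}
    for host in root.iter("host"):
        status = host.find("status")
        addr = host.find("address[@addrtype='ipv4']")
        if status is None or status.get("state") != "up" or addr is None:
            continue  # down hosts and IPv6-only entries are skipped in this example
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports are not exposure
            service = port.find("service")
            name = service.get("name", "unknown") if service is not None else "unknown"
            found[(addr.get("addr"), port.get("protocol"), int(port.get("portid")))] = name
    return found

def diff_scans(old_xml, new_xml):
    """Return (newly_open, newly_closed): ports that appeared or disappeared between two scans."""
    old, new = parse_open_ports(old_xml), parse_open_ports(new_xml)
    return ({k: v for k, v in new.items() if k not in old},
            {k: v for k, v in old.items() if k not in new})
```

Feeding the two files written by nmap -oX into diff_scans gives the list of ports that opened since the baseline, which is the signal a defender wants to alert on.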

How to Use Nmap Effectively?

Nmap is a very powerful tool that can be used for various purposes, such as network mapping, vulnerability scanning, penetration testing, etc. However, to use nmap effectively, you need to consider some factors, such as:

  • Scan speed: nmap can adjust its scanning speed based on various parameters, such as timing options (-T), parallelism options (--min-hostgroup/--max-hostgroup, --min-parallelism/--max-parallelism, --min-rate/--max-rate), and performance options (-n/-R/-Pn/-F). You need to balance between speed and accuracy when choosing these options.
  • Scan stealth: nmap can also adjust its scanning stealth based on various parameters, such as scan types (-sS/-sT/-sU/-sA/-sF/-sX/-sN), fragmentation options (--mtu/--data-length/--badsum), and evasion options (--source-port/--spoof-mac/--ttl/--ip-options/--data/--proxies). You need to balance between stealth and reliability when choosing these options.
  • Scan scope: nmap can also adjust its scanning scope based on various parameters, such as target specification (-iL/-iR), port specification (-p/-p-/--top-ports/--port-ratio), host discovery (-sn/-Pn/-PS/-PA/-PU/-PE/-PP/-PM), and service/version detection (-sV/--version-intensity/--version-light/--version-all). You need to balance between scope and efficiency when choosing these options.
  • Scan types: nmap can perform different types of scans, each with its own advantages and disadvantages. For example, SYN scan (-sS) is fast and stealthy, but may not work against some firewalls or IDS/IPS. TCP connect scan (-sT) is reliable and works against any TCP stack, but is slow and noisy. UDP scan (-sU) is useful for finding UDP services, but is slow and unreliable. ACK scan (-sA) is useful for finding stateful firewalls, but does not show open ports. Xmas scan (-sX), FIN scan (-sF), and NULL scan (-sN) are useful for finding stateless firewalls, but may not work against some TCP stacks or IDS/IPS.
  • Fragmentation options: nmap can fragment its packets to evade some packet filters or IDS/IPS. For example, --mtu can specify the maximum transmission unit (MTU) of the packets, --data-length can specify the length of the payload of the packets, and --badsum can generate packets with invalid checksums. However, fragmentation may also cause packet loss or reassembly errors.
  • Evasion options: nmap can also use various techniques to evade detection or spoof its identity. For example, --source-port can specify the source port of the packets, --spoof-mac can specify the source MAC address of the packets, --ttl can specify the time-to-live (TTL) of the packets, --ip-options can specify the IP options of the packets, --data can specify the data to append to the packets, and --proxies can specify a list of proxies to relay the packets through. However, evasion may also cause packet filtering or routing issues.

The Author's Favorite Scans

For most use cases of diagnosing an unresponsive server, the simplest scan without any options should suffice:

nmap 192.168.1.1

After much testing, the quickest nmap scan that still produces reliable results is:

nmap -F 192.168.1.1

My favorite scan to detect if a server is responsive but blocking pings:

nmap -Pn 192.168.1.1

Conclusion

Nmap is a powerful and versatile tool for network exploration and security auditing. It can perform various types of scans and functions to discover hosts, ports, services, vulnerabilities, and more. It can also adjust its speed, stealth, and scope based on various parameters and options. To use nmap effectively, you need to understand its syntax, output, and factors. You also need to practice and experiment with different scenarios and targets. Nmap is a tool that you can never stop learning and mastering.