6 minute read

What is Nmap?

Nmap (Network Mapper) is a free and open-source network scanner created by Gordon Lyon. Nmap is used to discover hosts and services on a computer network by sending packets and analyzing the responses.

Few Features of Nmap

  • Host discovery – Identifying hosts on a network. For example, listing the hosts that respond to TCP and/or ICMP requests or have a particular port open.
  • Port scanning – Enumerating the open ports on target hosts.
  • Version detection – Interrogating network services on remote devices to determine application name and version number.
  • OS detection – Determining the operating system and hardware characteristics of network devices.
  • Scriptable interaction with the target – using Nmap Scripting Engine (NSE) and Lua programming language.

Learning nmap features with examples

Target Scanning

Scanning a single target

[email protected]:~/learn/nmap$ nmap

Scanning a host

[email protected]:~/learn/nmap$ nmap mydomain.com

Scanning multiple targets

[email protected]:~/learn/nmap$ nmap

Scanning a whole network

[email protected]:~/learn/nmap$ nmap

Scanning multiple targets using IP range

[email protected]:~/learn/nmap$ nmap

Scanning targets from a file

[email protected]:~/learn/nmap$ nmap -iL targets.txt

Content of targets.txt

Excluding a target from a IP range

[email protected]:~/learn/nmap$ nmap --exclude

Scanning Techniques

TCP SYN Scan -sS

[email protected]:~/learn/nmap$ sudo nmap -sS

Here the Nmap first sends the TCP SYN packet to the port it is scanning and if the port is open, it acknowledges by sending a SYN ACK. Then to complete a full TCP handshake our Nmap is supposed to send a ACK packet which it does not and closes the connection. And the full TCP connection is never established. As the connection was never established the server won’t have the log of us scanning the network and also we now know if the port was open or not.

TCP connect Scan -sT

[email protected]:~/learn/nmap$ nmap -sT

This is the default scan done by the nmap. It doesnot requires sudo priviliges like the TCP syn scan and it establishes the connection using the 3 way TCP handshake.

UDP Scan (-sU)

[email protected]:~/learn/nmap$ sudo nmap -sU

Like the name suggests, it is used for scanning open UDP ports on the network. UDP port scanning is usually very slower and requires sudo privileges.

Ping Scan (-sP)

[email protected]:~/learn/nmap$ sudo nmap -sP

Ping scan is used just to check whether the device is on or not. It also requires root privileges, otherwise it just uses the usual TCP connect scan.

Host Discovery

List all targets

[email protected]:~/learn/nmap$ nmap -sL

It does not scan the targets but only lists them.

Host discovery only ( No Port Scanning)

[email protected]:~/learn/nmap$ nmap -sn

Port Scanning only ( No Host discovery)

[email protected]:~/learn/nmap$ nmap -Pn

As some targets can have rules not to reply to ping requests to avoid denial of service attacks, -Pn does not check if the host is up or not and continues to do the port scan.

Avoiding DNS resolution (-n)

[email protected]:~/learn/nmap$ nmap -n

Specifying Ports on our scan

Top 1000 ports

[email protected]:~/learn/nmap$ nmap

The default scan checks for top 1000 ports. Top 1000 ports does not mean ports in range 1 - 1000 but the according the frequency of occurence of ports. For example it is highly likely for a webserver to have port 443 and port 80 open.

Scanning a range of Ports

[email protected]:~/learn/nmap$ nmap -p 1-1000

Scanning all 65535 ports

[email protected]:~/learn/nmap$ nmap -p-

Scanning a single port

[email protected]:~/learn/nmap$ nmap -p 22

Fast scan

[email protected]:~/learn/nmap$ nmap -F

It is a fast scan and only scans the top 100 ports.

Scanning top N ports

[email protected]:~/learn/nmap$ nmap --top-ports 2000

This scan for top 2000 ports.

Output format

Output in normal format

[email protected]:~/learn/nmap$ nmap -oN scan.log

This saves the result of the scan in filename scan.log in normal format.

Output in xml file

[email protected]:~/learn/nmap$ nmap -oX scan.xml

Output in greppable format

[email protected]:~/learn/nmap$ nmap -oG scan.log

Output in all format

[email protected]:~/learn/nmap$ nmap -oA scan

This saves the output in all format ie normal,xml and greppable.

Files generated using -oA flag

[email protected]:~/website/nmap$ ls
file.gnmap  file.nmap  file.xml


[email protected]:~/learn/nmap$ nmap -v

We can get extra information by using -v (verbose) flag. -vv flag increases the level of verbosity.


[email protected]:~/learn/nmap$ nmap -d

It increase the debugging level. We can use -dd flag for greater debugging effect.

Speed of scanning


[email protected]:~/learn/nmap$ nmap -T0


[email protected]:~/learn/nmap$ nmap -T1

Paranoid and Sneaky method are used for IDS evasion.


[email protected]:~/learn/nmap$ nmap -T2

Polite mode slows down the scan to use less bandwidth and target machine resources.


[email protected]:~/learn/nmap$ nmap -T3

This is default scanning mode.


[email protected]:~/learn/nmap$ nmap -T4

Aggressive mode speeds scans up by making the assumption that you are on a reasonably fast and reliable network.


[email protected]:~/learn/nmap$ nmap -T5

Insane mode assumes that you are on an extraordinarily fast network or are willing to sacrifice some accuracy for speed

The faster you want to complete your scan, increase the number from 1 to 5. But with higher value in flag, the number of requests will be very high which might trigger the firewall or IDS if they are in place.

Specifying rate for scanning

[email protected]:~/learn/nmap$ nmap -p- --min-rate 10000

Scanning for all the open ports on a target takes time. So we can tell nmap to send packets no slower than N number per second, in this case it is 10000 packets per second. And also we can specifiy the maximum rate of sending packets per second.

[email protected]:~/learn/nmap$ nmap --max-rate 10

Specifying maximum number of retries

[email protected]:~/learn/nmap$ nmap -p- --max-retries 0

This flag specifies the number of times a packet is to be resent on a port to check if it is open or closed. Setting its value to 0 can speed up the process but decreases the accuracy.

Version Discovery

[email protected]:~/learn/nmap$ nmap -sV

Nmap tries to detemine the version of the sevice running on the port which if correctly determined can be very useful later on during a penetration testing.

OS Discovery

[email protected]:~/learn/nmap$ nmap -O

Nmap tries to detemine the Operating System that our target is running using TCP/IP stack fingerprinting.

Nmap Scripting Engine (NSE)

This is one of the most and powerful features of nmap. It allows users to write (and share) simple scripts (using the Lua programming language ) to automate a wide variety of networking tasks. Those scripts are executed in parallel with the speed and efficiency you expect from Nmap.

Currently defined categories are auth, broadcast, default. discovery, dos, exploit, external, fuzzer, intrusive, malware, safe, version, and vuln. As the name suggests, version scripts help to determine the version of currently running service, the vuln scripts are used to check if the currently running service is vulnerable and so on.

Theses scripts can be found inside folder /usr/share/nmap/scripts.

[email protected]:/usr/share/nmap/scripts$ ls | wc -l

The version of nmap that I am currenly running has a total of 599 scripts.

Scanning with default scripts

[email protected]:~/learn/nmap$ nmap -sC

It performs the scan with default NSE scripts.

Specifying the type of scripts

[email protected]:~/learn/nmap$ nmap --script=vuln

It scans the targets which the scripts which are marked as vuln.

Listing the vuln scripts

[email protected]:/usr/share/nmap/scripts$ ls | grep -i vuln

Running scripts with wildcard

[email protected]:~/learn/nmap$ nmap --script="http*"

It scans the target with scripts starting with http.

All in one

[email protected]:~/learn/nmap$ nmap -A

Enable OS detection, version detection, default script scanning, and traceroute.

Combining what we have learned so far

[email protected]:/usr/share/nmap/scripts$ nmap -sC -sV -oN nmap-scan

We scan the target with ip for top 1000 open ports along with version detection of the service running, uses default scripts and the ouput will be saved on the normal nmap-scan file.

[email protected]:/usr/share/nmap/scripts$ nmap -p- -A -T4 -oA nmap/nmap-scan

Here we are scanning target with ip address for all open ports and -A flag which will enable OS detection, version detection, traceroute as well as uses default scripts and save the output inside a nmap directory with file name nmap-scan.

Nmap also offers a lot of other functionalities. If you have any problems, I suggest you to check the man page for nmap using man nmap.