
Nmap: The Complete Guide From Beginner to Advanced

Nmap is a powerful network scanning tool that discovers hosts, services, and vulnerabilities. It maps networks, detects OS versions, and more.

Table of Contents

  1. Introduction to Nmap
  2. Installation and Basic Setup
  3. Understanding Network Basics
  4. Basic Scanning Techniques
  5. Port Scanning Deep Dive
  6. Host Discovery Methods
  7. Service and Version Detection
  8. Operating System Detection
  9. Timing and Performance
  10. Firewall and IDS Evasion
  11. NSE Scripting
  12. Output Formats and Reporting
  13. Advanced Techniques
  14. Real-World Scenarios
  15. Best Practices and Ethics

Introduction to Nmap

Nmap (Network Mapper) is a powerful open-source tool used for network discovery and security auditing. It is widely used by network administrators, penetration testers, and security professionals to assess network security, map out networks, detect vulnerabilities, and explore services and devices running in a network.

Basic Concepts

Before diving into the scanning commands, let's define a few key terms:

  • Port: A network endpoint for communication services (e.g., HTTP uses port 80).
  • Service: The application or program running on a particular port.
  • State: Describes the current condition of a port, which could be open, closed, or filtered.
  • Protocol: The set of rules governing communication (e.g., TCP, UDP).

Installation and Basic Setup

Installing Nmap

On Linux:

For Debian/Ubuntu:

sudo apt install nmap

For Red Hat/CentOS:

sudo yum install nmap

Verifying Installation:

To check if Nmap is installed correctly, run the following command:

$ nmap --version
Nmap version 7.93 ( https://nmap.org )
Platform: x86_64-pc-linux-gnu

This should return the version of Nmap that is installed, confirming the installation.

Understanding Network Basics

Target Specification

Nmap supports several ways to specify targets:

  • Single IP: Scans a single device.
    nmap 192.168.1.1
    
  • IP Range: Scans multiple devices in a given range.
    nmap 192.168.1.1-10
    
  • CIDR Notation: Scans a subnet.
    nmap 192.168.1.0/24
    
  • Hostname: Scans a domain or host by name.
    nmap example.com
    
  • Multiple Targets: Scans several targets at once.
    nmap 192.168.1.1 192.168.1.2 example.com
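
As an added example that is not part of the original guide (and not Nmap's own code), the Python helper below expands the target forms listed above into individual addresses and checks them against an authorised scope before a scan is launched. It generalises the range form to any octet (Nmap also accepts specs such as 10.0.0-1.*, not only 192.168.1.1-10). The names expand_target and out_of_scope, and the sample scope network, are hypothetical and chosen for this example; hostnames are passed through unresolved so the check runs offline.

```python
import ipaddress
from itertools import product
from typing import List

# Added example (not part of Nmap). Expands the target forms shown above and
# checks the result against an authorised scope. Names are hypothetical.


def _octet_values(field: str) -> List[int]:
    """Expand one dotted-quad field: '5', '1-10' or '*'."""
    if field == "*":
        return list(range(256))
    if "-" in field:
        lo, hi = (int(x) for x in field.split("-", 1))
    else:
        lo = hi = int(field)
    if not 0 <= lo <= hi <= 255:
        raise ValueError(f"invalid octet field {field!r}")
    return list(range(lo, hi + 1))


def expand_target(spec: str) -> List[str]:
    """Return every target a single Nmap-style spec covers.

    Handles a single IPv4 address, CIDR (192.168.1.0/24), an octet range in
    any position (192.168.1.1-10, 10.0.0-1.*), and hostnames, which are
    returned unchanged because Nmap resolves them at scan time.
    """
    spec = spec.strip()
    if "/" in spec:
        # strict=False accepts a host address such as 192.168.1.1/24; like
        # Nmap, this includes the network and broadcast addresses (256 for /24).
        return [str(a) for a in ipaddress.ip_network(spec, strict=False)]
    fields = spec.split(".")
    is_ipv4_spec = len(fields) == 4 and all(
        f == "*" or f.replace("-", "", 1).isdigit() for f in fields
    )
    if not is_ipv4_spec:
        return [spec]
    combos = product(*(_octet_values(f) for f in fields))
    return [".".join(map(str, combo)) for combo in combos]


def out_of_scope(specs: List[str], allowed_networks: List[str]) -> List[str]:
    """Targets from `specs` that fall outside `allowed_networks`.

    Hostnames are reported too, since they cannot be checked without
    resolving them; review those by hand before scanning.
    """
    nets = [ipaddress.ip_network(n, strict=False) for n in allowed_networks]
    findings = []
    for spec in specs:
        for target in expand_target(spec):
            try:
                addr = ipaddress.ip_address(target)
            except ValueError:
                findings.append(target)
                continue
            if not any(addr in net for net in nets):
                findings.append(target)
    return findings


if __name__ == "__main__":
    # Sample scope for this example: only the 192.168.1.0/24 lab network is authorised.
    scope = ["192.168.1.0/24"]
    requested = ["192.168.1.1-10", "192.168.1.0/24", "10.0.0.5", "example.com"]
    for t in out_of_scope(requested, scope):
        print("not in scope:", t)
```

Run it before building the nmap command line: anything it reports should be removed from the target list or explicitly approved, and the same scope list can be reused to validate the addresses in the scan's output afterwards.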
    

Basic Scanning Techniques

1. Simple Scan

A simple Nmap scan will check the top 1000 most common ports on a target by default.

$ nmap 192.168.1.1
Starting Nmap 7.93
Nmap scan report for 192.168.1.1
Host is up (0.0023s latency).
Not shown: 997 closed tcp ports (reset)
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
443/tcp open  https

Output Breakdown:

  • Host is up: Indicates the target is online and responsive.
  • Not shown: 997 closed tcp ports (reset): 1000 ports were scanned, and 997 were found closed.
  • PORT: The network port that was scanned.
  • STATE: The port's state, e.g., open, closed, filtered.
  • SERVICE: The application/service detected on that port.

2. Specific Port Scan

To scan specific ports, use the -p flag followed by a comma-separated list of ports or a range.

$ nmap -p 80,443 192.168.1.1
Starting Nmap 7.93
Nmap scan report for 192.168.1.1
PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https

Output Explanation:

  • Nmap only scanned ports 80 and 443.
  • Both ports were open, indicating that HTTP and HTTPS services are running.

Port Scanning Deep Dive

1. TCP SYN Scan (-sS)

The SYN scan is the most popular and stealthy scan type. It sends a SYN packet (part of the TCP handshake) to each port and listens for responses.

$ sudo nmap -sS 192.168.1.1
Starting Nmap 7.93
Nmap scan report for 192.168.1.1
PORT     STATE    SERVICE
21/tcp   filtered ftp
22/tcp   open     ssh
80/tcp   open     http
443/tcp  open     https
3306/tcp filtered mysql

Explanation:

  • SYN-ACK: Ports 22, 80, and 443 are open (they responded with a SYN-ACK).
  • RST: A reset reply means the port is closed; this is the "closed tcp ports (reset)" count shown in the simple scan above.
  • Filtered: No response at all (or an ICMP unreachable error) means Nmap can't determine whether the port is open or closed, usually because a firewall is filtering it (e.g., ports 21 and 3306).

2. TCP Connect Scan (-sT)

A TCP Connect scan completes the handshake with the target port, unlike the SYN scan. This is less stealthy but more accurate.

$ nmap -sT 192.168.1.1

Use Cases:

  • This method works without root privileges.
  • It’s a more straightforward and reliable scan type than SYN scanning.

3. UDP Scan (-sU)

Scans for open UDP ports. UDP doesn’t have the same handshake as TCP, so detecting open ports is more challenging.

$ sudo nmap -sU 192.168.1.1
Starting Nmap 7.93
Nmap scan report for 192.168.1.1
PORT      STATE         SERVICE
53/udp    open          domain
161/udp   open|filtered snmp

Explanation:

  • open: Received a response on port 53, indicating the DNS service is available.
  • open|filtered: No response from port 161, so it is either open or filtered.

Host Discovery Methods

1. Ping Scan

A ping scan is useful for determining which hosts are online without scanning ports.

$ nmap -sn 192.168.1.0/24
Starting Nmap 7.93
Nmap scan report for 192.168.1.1
Host is up (0.0020s latency).
Nmap scan report for 192.168.1.5
Host is up (0.0031s latency).
Nmap done: 256 IP addresses (2 hosts up)

Explanation:

  • Nmap only performs a host discovery to see which devices are up on the network.
  • The result indicates that only two hosts are up.

2. ARP Scan

An ARP scan is used for local network host discovery. It uses ARP packets to identify devices.

$ sudo nmap -PR 192.168.1.0/24

3. No Ping Scan

If the target does not respond to ping requests, you can skip host discovery entirely with -Pn.

$ nmap -Pn 192.168.1.1

Service and Version Detection

Basic Version Detection

To detect the services and their versions running on open ports, use -sV.

$ nmap -sV 192.168.1.1
Starting Nmap 7.93
Nmap scan report for 192.168.1.1
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 8.2p1 Ubuntu 4ubuntu0.5
80/tcp  open  http     nginx 1.18.0
443/tcp open  ssl/http Apache/2.4.41 (Ubuntu)

Explanation:

  • SERVICE: Identifies the service running on the port (e.g., SSH, HTTP, HTTPS).
  • VERSION: Shows the version of the service (e.g., OpenSSH 8.2p1, nginx 1.18.0).

Aggressive Version Detection

For more intense scanning, including script scanning and OS detection, use the -A flag.

$ nmap -sV -A 192.168.1.1

Operating System Detection

Basic OS Detection

To identify the operating system on the target device, use the -O option.

$ sudo nmap -O 192.168.1.1
Starting Nmap 7.93
Nmap scan report for 192.168.1.1
OS details: Linux 4.15 - 5.6
Device type: general purpose
Running: Linux 4.X|5.X

Explanation:

  • Nmap attempts to determine the target's OS based on network responses.
  • It returns the detected OS version and the device type (general purpose, embedded, etc.).

Aggressive OS Detection

You can use more aggressive OS detection with the --osscan-guess option to guess less obvious OS types.

$ sudo nmap -O --osscan-guess 192.168.1.1

Timing and Performance

Timing Templates

Nmap provides several timing templates to adjust the scan's speed and stealthiness.

# Aggressive Mode (Fast Scan)
$ nmap -T4 192.168.1.1

# Paranoid Mode (Slow Scan)
$ nmap -T0 192.168.1.1

Explanation:

  • -T0 (Paranoid): Slowest scan to avoid detection, but increases scan time.
  • -T4 (Aggressive): Faster scan, suitable for most environments.

Firewall and IDS Evasion

1. Fragment Packets

To avoid detection by firewalls or Intrusion Detection Systems (IDS), you can fragment packets.

$ sudo nmap -f 192.168.1.1

2. Custom MTU

You can set a custom Maximum Transmission Unit (MTU) to evade detection.

$ sudo nmap --mtu 16 192.168.1.1

3. Decoy Scanning

This method uses decoy IP addresses to confuse detection systems.

$ sudo nmap -D RND:10 192.168.1.1

NSE Scripting

Default Scripts

Nmap supports script scanning through the Nmap Scripting Engine (NSE), whose scripts can detect vulnerabilities, enumerate services, and automate other network checks; -sC runs the default script set.

$ nmap -sC 192.168.1.1

Specific Scripts

To run specific scripts (e.g., vulnerability scanning), use the --script option.

$ nmap --script=vuln 192.168.1.1

Output Formats and Reporting

Normal Output

You can save the results of your scan to a text file.

$ nmap -oN scan.txt 192.168.1.1

XML Output

For machine-readable output, save the results in XML format.

$ nmap -oX scan.xml 192.168.1.1
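
As an added example that is not part of the original guide (and not Nmap's own code), the Python script below reads -oX output, builds a per-host inventory of open ports together with the product and version that -sV reported, and compares it with a baseline of expected ports. This is how the Network Inventory scenario later in this guide is usually turned into a report of unexpected services, and it is far more robust than parsing the -oN text. The XML is constructed to mirror the example host used throughout this guide rather than a real capture; parse_nmap_xml, unexpected_open_ports and EXPECTED_PORTS are names chosen for this example.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Set, Tuple

# Added example, not Nmap's own code. Constructed -oX output that mirrors the
# example host in this guide; it is not a real capture and is trimmed to the
# elements used below.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 192.168.1.0/24" version="7.93">
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="192.168.1.1" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="8.2p1"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
        <service name="http" product="nginx" version="1.18.0"/></port>
      <port protocol="tcp" portid="443"><state state="open" reason="syn-ack"/>
        <service name="http" tunnel="ssl" product="Apache httpd" version="2.4.41"/></port>
      <port protocol="tcp" portid="3306"><state state="filtered" reason="no-response"/>
        <service name="mysql"/></port>
    </ports>
  </host>
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="192.168.1.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="8080"><state state="open" reason="syn-ack"/>
        <service name="http-proxy"/></port>
    </ports>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="192.168.1.7" addrtype="ipv4"/>
  </host>
</nmaprun>
"""

# (protocol, port, service name, "product version")
Record = Tuple[str, int, str, str]

# Hypothetical baseline for this example: the ports expected to be open per host.
EXPECTED_PORTS: Dict[str, Set[Tuple[str, int]]] = {
    "192.168.1.1": {("tcp", 22), ("tcp", 80), ("tcp", 443)},
}


def parse_nmap_xml(xml_text: str) -> Dict[str, List[Record]]:
    """Return {address: [open-port records]} for every host reported up."""
    inventory: Dict[str, List[Record]] = {}
    for host in ET.fromstring(xml_text).findall("host"):
        status = host.find("status")
        addr_el = host.find("address[@addrtype='ipv4']")
        if status is None or status.get("state") != "up" or addr_el is None:
            continue
        records: List[Record] = []
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed and filtered ports are not part of the inventory
            svc = port.find("service")
            name = svc.get("name", "") if svc is not None else ""
            version = ""
            if svc is not None:
                version = " ".join(v for v in (svc.get("product"), svc.get("version")) if v)
            records.append((port.get("protocol", ""), int(port.get("portid", "0")), name, version))
        inventory[addr_el.get("addr", "")] = sorted(records, key=lambda r: (r[0], r[1]))
    return inventory


def unexpected_open_ports(inventory: Dict[str, List[Record]],
                          baseline: Dict[str, Set[Tuple[str, int]]]) -> List[Tuple[str, str, int]]:
    """(host, protocol, port) triples open in the scan but absent from the baseline."""
    findings = []
    for host, records in inventory.items():
        allowed = baseline.get(host, set())
        for proto, port, _name, _version in records:
            if (proto, port) not in allowed:
                findings.append((host, proto, port))
    return findings


if __name__ == "__main__":
    inv = parse_nmap_xml(SAMPLE_XML)
    for host, recs in inv.items():
        for proto, port, name, version in recs:
            print(f"{host} {port}/{proto} {name} {version}".rstrip())
    for host, proto, port in unexpected_open_ports(inv, EXPECTED_PORTS):
        print(f"UNEXPECTED: {host} {port}/{proto}")
```

For a real scan, replace SAMPLE_XML with the contents of the file written by -oX (for example, ET.parse("scan.xml").getroot() in place of ET.fromstring). Hosts that are absent from the baseline, such as 192.168.1.5 here, have every open port reported, which is the behaviour you want when a new device appears on the network.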

Advanced Techniques

1. Comprehensive Scan

A comprehensive scan combines service detection, OS detection, and script scanning.

$ sudo nmap -sS -sV -O -A -p- --script=vuln 192.168.1.1

2. Network Sweep with Version Detection

Scan a range of IPs and detect service versions on the 100 most common ports.

$ sudo nmap -sS -sV -T4 --top-ports 100 192.168.1.0/24

Real-World Scenarios

1. Web Server Audit

Scan a web server for vulnerabilities and services running on HTTP/HTTPS ports.

# Quote the wildcard so the shell passes it to Nmap unchanged
$ sudo nmap -sS -sV -p80,443 --script="http-*" 192.168.1.1

2. Network Inventory

Create a quick inventory of a network using ping and port scanning.

$ nmap -sn -PE -PS22,80,443 -PA21,23,80 -n --min-rate 1000 192.168.1.0/24

3. Vulnerability Assessment

Scan for vulnerabilities and exploits in a network.

$ sudo nmap -sS -sV -O --script=vuln,exploit -p- 192.168.1.1

Best Practices and Ethics

Common Scanning Strategies

  • Initial Reconnaissance: Start with ping scans to identify hosts and quick port scans.
  • Detailed Host Analysis: Use comprehensive scans to gather detailed service information.
  • Stealth Assessment: Use slow, stealthy scans to avoid detection.

Performance Optimization Tips

  • Parallel Host Scanning: Use options like --min-hostgroup and --max-hostgroup to speed up scans.
  • Aggressive Timing: Use -T4 or -T5 for faster results when time is critical.

Remember, with great power comes great responsibility. Always ensure you have permission before scanning networks or devices.