A Minimal Guide For Nmap

Mazdak Pakaghideh

Mazdak Pakaghideh / January 8, 2023

There are five main phases of hacking, and among them, the most essential one is gathering information.

First you need to find a weakness, without it you’re aimless.

or in a more technical way Reconnaissance & Scanning. Nmap is a popular open-source software used for both active reconnaissance and scanning. It can scan through different ports of a particular server and by that it gives us a lot of information.

Note: This utility should not be used in illegal activities. Instead, you can use it by participating in CTF platforms such as Hack The Box.

So basically how?

Each single port number is dedicated to a particular service which is running in the background of a system. so services could be accessed by their unique port number from both outside of a server or inside based on the respective configurations. and with that, a lot of information such as Service Name, Service version & Service vulnerabilities could be gained from a service just by having its unique port number and the appropriate permissions.

Therefore, knowing this information as a security expert is the most essential step for identifying potential weaknesses and checking whether they’re exploitable or not.

Nmap Features

gaining information about services is just one of the many abilities of Nmap. In addition to these features, It offers us a lot of different features.

Which includes

  • Scan for vulnerabilities
  • Host discovery
  • OS detection
  • Firewall detection
  • Identify open ports
  • NSE Scripts


Nmap could be easily installed in Unix/Linux-based Operating systems by using the commands below. Or by visiting Nmap’s official download page.

$ sudo apt install namp # Debian, Ubuntu
$ sudo pacman -S nmap # Arch Linux
$ sudo snap install nmap # Fedora
$ sudo brew install nmap # MacOS

Nmap Commands

Before proceeding, here is Nmap’s commands structure:

$ nmap [Scan-type] [Options] [Target]

Scanning Specific Systems

This command scans 1000 usual ports by default.

$ nmap [IP] or [Hostname]
$ nmap [IP 1] [IP 2] [IP n]

$ nmap #Example

An Asterisk (*) could be used to scan all of the subnets.

$ nmap 192.168.1.*

A hyphen (-) could be used to specify a range of IP address.

$ nmap–255

Stealth Scan

By null-byte.wonderhowto.com

Although just like any other TCP 3-Way-Handshake a stealth scan is started by sending an SYN packet to the server, It has one huge difference. a stealth scan never completes as like the normal 3-Way-Handshake. Accordingly, it’s hard for the target to determine the scanning system.

$ nmap -sS [Target]
$ nmap -sS

Retrieving All IP Addresses In a Network

The commands below scan for all connected devices in a particular network using the TCP SYN scan method by providing a subnet range.

$ nmap -sS [The_Subnet]
$ nmap -sS #Example

Service Version Scanning

$ nmap -sV [Target]
$ nmap -sV scanme.nmap.org #Example 

OS Scanning

One of Nmap’s best-known features is remote OS detection using TCP/IP stack fingerprinting. Nmap sends a series of TCP and UDP packets to the remote host and examines practically every bit in the responses. After performing dozens of tests such as TCP ISN sampling, TCP options support and ordering, IP ID sampling, and the initial window size check, Nmap compares the results to its nmap-os-db database of more than 2,600 known OS fingerprints and prints out the OS details if there is a match.nmap.org

$ nmap -O [Target]
$ nmap -O scanme.nmap.org #Example

Aggressive Scanning

This mode will enable OS detection (-O), Version Detection (-sV), Script scanning (-sC) and traceroute (–traceroute) altogether.

$ nmap -A [Target]
$ nmap -A scanme.nmap.org #Example

Port Scanning

By using the -p parameter, the port scan could be easily performed.

$ nmap -p [Port] [Target]
$ nmap -p 22 #Example

You can even specify the type of your desired port.

$ nmap -p T:80

A range of ports could be also scanned by Nmap.

$ nmap -p 80-443

Scanning From a File

This type of scan is very useful when automating. For instance, a script can crawl over a website and save all the servers in a particular file. So that Nmap could use this file to scan all the crawled servers and even more it could be used to save the results in a specific file.

 $ nmap -iL [Path_To_File]
 $ nmap -iL ./servers.txt > result.txt #Example

Vulnerability Scanning

There are third-party scripts used for scanning vulnerabilities in Nmap. Among them the most well-known one is Nmap-Vulners. You can use the commands below for installing and using this script.

# Navigating to the Nmap scripts directory

$ cd /usr/share/nmap/scripts/

# Cloning the git repository

$ git clone https://github.com/vulnersCom/nmap-vulners.git

# NSE scripts usage

$ nmap -sV --script vulners [--script-args mincvss=<arg_val>] <target>

# Example

$ nmap -sV --script nmap-vulners/

Discussion (2)


    June 6, 2023

    Great info bro


    September 7, 2023

    Nice Bro