How to use Nmap? A beginner friendly guide

25 July 2020

Image Source:

Large no. of tools have come in the industry for networking but Nmap is still a de facto standard in the industry for network mapping and scanning , lets find out why?

Nmap stands for Network Mapper, nmap maps the network and provides some useful information about the hosts in that network. Nmap is used mostly to scan the hosts and gather some data including open ports , services running on those ports , OS that the host is running on , service versions and if they are vulnerable to any attack and this data becomes very important to profile a host and launch different attacks based on this data.

Lets look at some the mostly used features of nmap that appropriate for most of the systems.

1. Port Scanning

The main use of Nmap when it was developed was port scanning. Port scanning means that identifying all the ports that are open in the target system. It means that these open ports are used to provide some services to some user or other host. This is usually the first step that we should follow when we start gathering information for the target host.

To scan a specific port we can run this command.

nmap -p <port-name> <target-host>

e.g. nmap -p 443

This command will provide the information about the service running on port if this port is open.

2. OS Fingerprinting.

There are many Operating System specific vulnerabilities therefore it is necessary to check the OS type and version , this information may help in planning further steps for more vulnerability analysis on this host.

To run scan for identifying OS type and version we should use -O option with nmap and -sS options is also useful to specify scan type. This option will tell Nmap to scan ports by make a half open TCP SYN connection, and based on the response from server to this TCP-SYN message nmap detects if this port is open or not.

nmap -sS -O <target-host>

e.g. nmap -Ss -O

-sS : Scan type (TCP-SYN)

-O : Perform OS scan also.

Since modern web servers are aware of these type of scans and will have a mitigation techniques implemented to handle these scans therefore some time they don't provide accurate results.

3. Vulnerability Scanning

Nmap can also perform vulnerability scanning up to some extent and there are some built in vulnerability scripts and some other scripts in Nmap database that we can use to gather more information about target host.

The --script option allows us scanning host for some additional information of we supply the proper script that Nmap will use to gather some data.

nmap -sS --script=<script name> <target-host>

e.g. nmap -sS --script=vuln

This command will scan for the known well vulnerabilities in the target host and report us back with the scan results.

4. Nmap capabilities are very vast.

Nmap is not just limited to these commands, these commands are just drop in the ocean as compared to the capabilities that nmap has. As its said we are only limited by our imagination, there are lot to explore about nmap, it has a pretty good documentation on its official website and with help option from command line.

Here is just a brief list of features that Nmap has

This is just a small list of features that Nmap has, its up to us to explore its capabilities.

Happy Hacking !!