A Complete Guide to Nmap – Nmap Tutorial

Nmap is one of the most commonly used tools among ethical hackers. Its ease of use and clean installation, together with its powerful scanning options, account for its popularity. This Nmap tutorial gives you a comprehensive understanding of the tool and teaches you how to perform advanced scans yourself.

What is Nmap?

Nmap, short for Network Mapper, is a network discovery and security auditing tool. It is known for short, easy-to-remember flags that expose powerful scanning options. Network administrators and penetration testers commonly use it to:

  • Find open ports and the services listening on them
  • Identify those services along with their versions
  • Guess the operating system running on a target machine
  • Trace the packet route to the target machine
  • Monitor hosts and service uptime

According to the official Nmap website –

Nmap is a free and open source utility for network discovery and security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. It was designed to rapidly scan large networks, but works fine against single hosts.

Let’s move ahead in this nmap tutorial and discuss the various types of scans.

Nmap Scan Types

A variety of scans can be performed using Nmap. Below are the types of scans:

TCP SCAN

A TCP connect scan (-sT) completes the full three-way handshake with each probed port through the operating system's connect() call, so it needs no raw-socket privileges. It is also the noisiest scan: because the connection is fully established, the listening service sees it and can log the sender's IP address, and intrusion detection systems pick it up with little to no effort.
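
To make the difference between "the handshake completes" and "the service sees you" concrete, here is an added Python example (not code from this page or from the Nmap project) that performs a connect scan of the kind -sT does, against a throwaway listener on localhost. The listener, the port selection and the log format are constructed for the demonstration; the point is that the service on the open port records the scanner's address, which is exactly the noise described above.

```python
import errno
import socket
import threading
from typing import Dict, List, Tuple


class LoggingListener:
    """Constructed stand-in for a target service: accepts every connection and
    records the peer address, as a real daemon's access log (or an IDS) would
    for a connect scan."""

    def __init__(self, host: str = "127.0.0.1") -> None:
        self.log: List[str] = []
        self._stop = threading.Event()
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.bind((host, 0))          # port 0: let the OS pick a free port
        self._sock.listen(5)
        self._sock.settimeout(0.1)          # so the accept loop can notice stop()
        self.port: int = self._sock.getsockname()[1]
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()

    def _record(self, peer: Tuple[str, int]) -> None:
        # The handshake completed, so the service knows exactly who connected.
        self.log.append(f"connection from {peer[0]}:{peer[1]}")

    def _serve(self) -> None:
        while not self._stop.is_set():
            try:
                conn, peer = self._sock.accept()
            except socket.timeout:
                continue
            except OSError:
                return
            self._record(peer)
            conn.close()

    def stop(self) -> None:
        self._stop.set()
        self._thread.join()
        self._sock.setblocking(False)
        while True:  # drain connections that arrived just before the loop saw stop()
            try:
                conn, peer = self._sock.accept()
            except OSError:
                break
            self._record(peer)
            conn.close()
        self._sock.close()


def connect_scan(host: str, ports: List[int], timeout: float = 0.5) -> Dict[int, str]:
    """Minimal -sT equivalent: one full connect() per port, no raw sockets needed."""
    states: Dict[int, str] = {}
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            try:
                err = s.connect_ex((host, port))
            except OSError:                 # defensive: treat any surprise as no answer
                err = errno.ETIMEDOUT
        if err == 0:
            states[port] = "open"           # three-way handshake completed
        elif err == errno.ECONNREFUSED:
            states[port] = "closed"         # the SYN was answered with RST
        else:
            states[port] = "filtered"       # no answer in time: something dropped it
    return states


def free_closed_port(avoid: int, host: str = "127.0.0.1") -> int:
    """Pick a port nothing listens on (and that differs from `avoid`), so the demo
    has a known-closed target."""
    while True:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.bind((host, 0))
            port = s.getsockname()[1]
        if port != avoid:
            return port


def demo() -> Tuple[Dict[int, str], List[str], int, int]:
    """Scan one open and one closed port on localhost; return the scan result,
    what the 'service' logged, and which port was which."""
    listener = LoggingListener()
    closed_port = free_closed_port(avoid=listener.port)
    try:
        states = connect_scan("127.0.0.1", [listener.port, closed_port])
    finally:
        listener.stop()
    return states, listener.log, listener.port, closed_port


if __name__ == "__main__":
    result, log, open_port, closed_port = demo()
    for port, state in result.items():
        print(f"127.0.0.1:{port} {state}")
    print("what the target service logged:", log)
```

A SYN scan of the same two ports would give the same two states, but the listener's log would stay empty, because the kernel answers the SYN and Nmap resets the half-open connection before accept() ever returns it to the service.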

UDP SCAN

UDP scans (-sU) check whether any UDP port on the target is listening for incoming requests. UDP is connectionless: an open port usually does not acknowledge a probe at all, while a closed port typically answers with an ICMP port-unreachable error. Nmap therefore reports a silent port as open|filtered, because it cannot tell an open service from one whose probes a firewall dropped, so results need confirmation with a protocol-specific probe or with version detection. UDP scans are still worth running, since they reveal services that TCP scans miss entirely, including backdoors listening on UDP ports and RPC services bound to UDP. This type of scan tends to be slow because most operating systems rate-limit ICMP port-unreachable replies, forcing Nmap to wait between probes.

SYN SCAN

This is another form of TCP scan, and the default one (-sS). Instead of calling connect(), Nmap itself crafts a raw SYN packet, the first packet sent to establish a TCP connection, and analyses the reply: a SYN/ACK means the port is open, an RST means it is closed, and no response (or an ICMP unreachable error) means it is filtered. When a SYN/ACK arrives, Nmap tears the half-open connection down with an RST rather than completing the handshake, so a full connection is never formed and most services never log the attempt. Crafting raw packets requires root or administrator privileges.

ACK SCAN

ACK scans (-sA) do not tell you whether a port is open; they tell you whether it is filtered. That makes them extremely helpful when probing for firewalls and mapping their rule sets. Nmap sends a packet with only the ACK flag set: an RST in reply marks the port unfiltered, while no response or an ICMP unreachable error marks it filtered. A simple stateless packet filter passes ACK packets because they look like part of an established connection, whereas a more sophisticated stateful firewall knows no such connection exists and drops them.

FIN SCAN

Also a stealthy scan, like the SYN scan, but it sends a TCP packet with only the FIN flag set. Under RFC 793 a closed port must answer such a packet with an RST, while an open port must ignore it, so Nmap reports an RST as closed and silence as open|filtered. Not all TCP stacks follow the RFC, which means FIN scans produce wrong results on some targets, but the probe may get under the radar of IDS programs and stateless firewalls that only watch for SYN packets.

NULL SCAN

Null scans (-sN) are equally stealthy and do what the name suggests: they clear every flag bit in the TCP header. Such a packet never occurs in a normal connection, and some stacks do not handle it the way RFC 793 describes. Windows in particular, along with many Cisco devices, answers with an RST on every port whether it is open or closed, so scanning those targets with NULL packets reports every port as closed. Against RFC-compliant stacks, typically Unix-like systems, a NULL scan is an effective way to get through a stateless firewall.

XMAS SCAN

Just like null scans, these are stealthy in nature. The Xmas scan (-sX) sets the FIN, PSH and URG flags in the TCP header, lighting the packet up like a Christmas tree, which is where the name comes from. Replies are interpreted exactly as for the FIN and NULL scans: RST means closed, silence means open|filtered. Windows answers Xmas probes with an RST on every port because of the way its TCP stack is implemented, so Windows hosts appear to have every port closed rather than giving useful results.
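
The SYN, ACK, FIN, NULL and Xmas sections above each describe a probe, the reply a target may send and the state Nmap reports. The following added Python example (not part of the original page, and not Nmap's code) models both sides of that exchange: a target stack that is either RFC 793 compliant or Windows-like, an optional filter that silently drops probes, and the scanner-side interpretation, plus the cross-check that tells you a FIN/NULL/Xmas result is worthless. The port numbers, the `rfc793` switch and the `dropped` set are assumptions made for the simulation; ICMP error replies and UDP are not modelled.

```python
from typing import Dict, FrozenSet, Optional, Set

# TCP flag sets Nmap puts in its probe for each scan type.
PROBES: Dict[str, FrozenSet[str]] = {
    "syn": frozenset({"SYN"}),                 # -sS
    "ack": frozenset({"ACK"}),                 # -sA
    "fin": frozenset({"FIN"}),                 # -sF
    "null": frozenset(),                       # -sN
    "xmas": frozenset({"FIN", "PSH", "URG"}),  # -sX
}

SYN_ACK, RST = "SYN/ACK", "RST"   # a reply of None means silence


def target_reply(flags: FrozenSet[str], port_open: bool, rfc793: bool) -> Optional[str]:
    """What the target's TCP stack sends back for one probe on an unfiltered port.
    rfc793=True models a compliant stack (most Unix-like systems); False models
    stacks such as Windows that send RST to any non-SYN probe regardless of state."""
    if "SYN" in flags and "ACK" not in flags:   # ordinary connection attempt
        return SYN_ACK if port_open else RST
    if "ACK" in flags:                           # unsolicited ACK: RST either way
        return RST
    # FIN, NULL and Xmas probes carry neither SYN nor ACK.
    if not rfc793:
        return RST
    return None if port_open else RST            # RFC 793: open ignores, closed resets


def interpret(scan: str, reply: Optional[str]) -> str:
    """Nmap's port-state verdict for one reply under a given scan type."""
    if scan == "syn":
        return {SYN_ACK: "open", RST: "closed"}.get(reply, "filtered")
    if scan == "ack":
        return "unfiltered" if reply == RST else "filtered"
    if scan in ("fin", "null", "xmas"):
        return "closed" if reply == RST else "open|filtered"
    raise ValueError(f"unknown scan type {scan!r}")


def run_scan(scan: str, ports: Dict[int, bool], rfc793: bool = True,
             dropped: Set[int] = frozenset()) -> Dict[int, str]:
    """Fire the scan's probe at every port and collect Nmap-style states.
    `dropped` models a stateful firewall silently discarding probes to those ports."""
    flags = PROBES[scan]
    states: Dict[int, str] = {}
    for port, is_open in ports.items():
        reply = None if port in dropped else target_reply(flags, is_open, rfc793)
        states[port] = interpret(scan, reply)
    return states


def stack_ignores_rfc793(syn_states: Dict[int, str], flag_states: Dict[int, str]) -> bool:
    """Cross-check a SYN scan against a FIN/NULL/Xmas scan of the same host: a port
    that SYN proved open but the flag scan calls closed means the stack answered the
    probe with RST regardless of state, so its flag-scan results cannot be trusted."""
    return any(syn_states.get(p) == "open" and s == "closed" for p, s in flag_states.items())


if __name__ == "__main__":
    # Constructed target: 22 and 80 open, 23 closed, 443 open but behind a filter
    # that drops every probe to it.
    host = {22: True, 23: False, 80: True, 443: True}
    filtered = {443}
    for stack, rfc in (("linux-like", True), ("windows-like", False)):
        syn = run_scan("syn", host, rfc, filtered)
        fin = run_scan("fin", host, rfc, filtered)
        ack = run_scan("ack", host, rfc, filtered)
        print(stack, "SYN:", syn)
        print(stack, "FIN:", fin, "(unreliable)" if stack_ignores_rfc793(syn, fin) else "")
        print(stack, "ACK:", ack)
```

Run it and note two things: the ACK scan reports 23 as unfiltered even though it is closed, because that scan only maps the filter, and the Windows-like stack turns every FIN result into "closed" while the SYN scan is unaffected, which is why a flag scan should always be read next to a SYN scan of the same host.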

RPC SCAN

RPC scans discover machines running Remote Procedure Call (RPC) services, which let a client invoke procedures on a remote machine. Because RPC programs register with a portmapper and can be bound to an array of different ports, a normal port scan cannot tell which open ports carry RPC. Nmap identifies them by sending SunRPC NULL calls to open ports and reading back the program name and version. The old -sR option that did only this is now an alias for version detection (-sV), which performs the RPC probing automatically; running it from time to time shows where these services are exposed.

IDLE SCAN

The idle scan (-sI) is the stealthiest of all the scans discussed in this Nmap tutorial, because every probe is bounced off a third-party "zombie" host and the target never sees a packet from the scanner's real address. Control over the zombie is not necessary, but it must be genuinely idle and assign IP ID values in a predictable, incremental way, since Nmap infers the port state from how far the zombie's IP ID counter advances. It is one of the more controversial Nmap options because its main value is concealing the scanner's identity, which is of most use in malicious attacks.

Nmap Commands

In this section of the Nmap tutorial I list the most useful Nmap flags, grouped by purpose, each with a short description of what it does and an example of how to use it.

Scanning Techniques

Flag    Use                                Example
-sS     TCP SYN port scan (half-open)      nmap -sS 192.168.1.1
-sT     TCP connect port scan              nmap -sT 192.168.1.1
-sU     UDP port scan                      nmap -sU 192.168.1.1
-sA     TCP ACK port scan                  nmap -sA 192.168.1.1

Host Discovery

Flag    Use                                                   Example
-Pn     skip host discovery, port-scan every target as up     nmap -Pn 192.168.1.1
-sn     host discovery only (ping scan), no port scan         nmap -sn 192.168.1.1
-PR     ARP discovery on the local network                    nmap -PR 192.168.1.1
-n      disable DNS resolution                                nmap -n 192.168.1.1

Port Specification

Flag    Use                                        Example
-p      specify a port or port range               nmap -p 1-30 192.168.1.1
-p-     scan all 65535 ports                       nmap -p- 192.168.1.1
-F      fast scan of the 100 most common ports     nmap -F 192.168.1.1

Service Version and OS Detection

Flag    Use                                                                                    Example
-sV     detect the version of the services running                                             nmap -sV 192.168.1.1
-A      aggressive scan: OS detection, version detection, default scripts and traceroute       nmap -A 192.168.1.1
-O      detect the operating system of the target                                              nmap -O 192.168.1.1

Timing and Performance

Flag    Use                                                          Example
-T0     paranoid: extremely slow, for IDS evasion                    nmap -T0 192.168.1.1
-T1     sneaky: very slow, for IDS evasion                           nmap -T1 192.168.1.1
-T2     polite: slows down to use less bandwidth and target load     nmap -T2 192.168.1.1
-T3     normal: the default timing                                   nmap -T3 192.168.1.1
-T4     aggressive: faster, assumes a fast and reliable network      nmap -T4 192.168.1.1
-T5     insane: fastest, may sacrifice accuracy                      nmap -T5 192.168.1.1

NSE Scripts

Flag               Use                     Example
-sC                default script scan     nmap -sC 192.168.1.1
--script banner    banner grabbing         nmap --script banner 192.168.1.1

IDS Evasion

Flag    Use                                                      Example
-f      use fragmented IP packets                                nmap -f 192.168.1.1
-D      decoy scan: hide among a list of (or RND:n random)       nmap -D RND:10 192.168.1.1
        decoy source addresses
-g      use a given source port number                           nmap -g 22 192.168.1.1
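
Most of the flags above only pay off once the results are machine-readable. The -oX option writes Nmap's XML report, and the host monitoring mentioned at the top of this tutorial is a matter of diffing two such reports. The added Python example below (mine, not the page's or Nmap's code) parses that XML with the standard library and reports which ports opened or closed between two runs. The two embedded reports are constructed samples laid out the way Nmap writes its XML, not captures from a real host, and the product and version strings in them are invented.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Set, Tuple

# Constructed sample of what `nmap -sV -oX scan.xml 192.168.1.1` writes, trimmed
# to the elements used below; not output captured from a real host.
SCAN_MONDAY = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 192.168.1.1">
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="192.168.1.1" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="8.9p1"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack"/>
        <service name="http" product="nginx" version="1.18.0"/>
      </port>
      <port protocol="tcp" portid="3306">
        <state state="closed" reason="reset"/>
        <service name="mysql"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""

# Same host a day later: someone exposed the database (also constructed).
SCAN_TUESDAY = SCAN_MONDAY.replace(
    '<port protocol="tcp" portid="3306">\n        <state state="closed" reason="reset"/>',
    '<port protocol="tcp" portid="3306">\n        <state state="open" reason="syn-ack"/>',
).replace('<service name="mysql"/>', '<service name="mysql" product="MySQL" version="8.0.33"/>')

PortKey = Tuple[str, int]   # (protocol, port number)


def parse_nmap_xml(xml_text: str) -> Dict[str, Dict[PortKey, dict]]:
    """Return {address: {(proto, port): {state, reason, service, product, version}}}
    for every host Nmap reported as up."""
    hosts: Dict[str, Dict[PortKey, dict]] = {}
    root = ET.fromstring(xml_text)
    for host in root.iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            addr = host.find("address")   # fall back to whatever address type exists
        ports: Dict[PortKey, dict] = {}
        for port in host.iter("port"):
            state = port.find("state")
            service = port.find("service")
            ports[(port.get("protocol"), int(port.get("portid")))] = {
                "state": state.get("state") if state is not None else "unknown",
                "reason": state.get("reason", "") if state is not None else "",
                "service": service.get("name", "") if service is not None else "",
                "product": service.get("product", "") if service is not None else "",
                "version": service.get("version", "") if service is not None else "",
            }
        hosts[addr.get("addr")] = ports
    return hosts


def open_ports(hosts: Dict[str, Dict[PortKey, dict]]) -> Dict[str, Set[PortKey]]:
    """Reduce a parsed report to the set of open ports per host."""
    return {addr: {k for k, v in ports.items() if v["state"] == "open"}
            for addr, ports in hosts.items()}


def diff_scans(old_xml: str, new_xml: str) -> Dict[str, Dict[str, List[str]]]:
    """Compare two scans of the same targets and list, per host, the ports that
    opened or closed. This is the check to run from a scheduled job to catch a
    service that appeared without a change ticket."""
    before = open_ports(parse_nmap_xml(old_xml))
    after = open_ports(parse_nmap_xml(new_xml))
    report: Dict[str, Dict[str, List[str]]] = {}
    for addr in sorted(set(before) | set(after)):
        opened = sorted(after.get(addr, set()) - before.get(addr, set()))
        closed = sorted(before.get(addr, set()) - after.get(addr, set()))
        if opened or closed:
            report[addr] = {
                "opened": [f"{p}/{proto}" for proto, p in opened],
                "closed": [f"{p}/{proto}" for proto, p in closed],
            }
    return report


if __name__ == "__main__":
    for addr, changes in diff_scans(SCAN_MONDAY, SCAN_TUESDAY).items():
        print(addr, "opened:", changes["opened"], "closed:", changes["closed"])
```

Diffing on the open-port set rather than on raw text matters: Nmap's XML carries timestamps and timing data that change on every run, so a byte-level comparison would alert every time.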


This brings us to the end of this Nmap tutorial.