Nmap is one of the most commonly used tools by ethical hackers. Its ease of use and clean installation, along with powerful scanning options, add to its popularity. This nmap tutorial gives you a comprehensive understanding of the tool and teaches you how to perform advanced scans by yourself.
What is Nmap?
Nmap, short for Network Mapper, is a network discovery and security auditing tool. It is known for its simple, easy-to-remember flags that provide powerful scanning options. Nmap is widely used by network administrators to:
- Scan for open ports and services
- Discover services along with their versions
- Guess the operating system running on a target machine
- Get accurate packet routes to the target machine
- Monitor hosts
According to the official Nmap website:
Nmap is a free and open source utility for network discovery and security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. It was designed to rapidly scan large networks, but works fine against single hosts.
Let’s move ahead in this nmap tutorial and discuss the various types of scans.
Nmap Scan Types
A variety of scans can be performed using Nmap. Below are the main types:
TCP Scan
A TCP scan is generally used to check and complete a three-way handshake between you and a chosen target system. A TCP scan is very noisy and can be detected with little to no effort. It is “noisy” because the target services can log the sender's IP address and the traffic may trigger Intrusion Detection Systems.
UDP Scan
UDP scans check whether any UDP port on the target machine is up and listening for incoming requests. Unlike TCP, UDP has no mechanism to respond with a positive acknowledgment, so there is always a chance of a false positive in the scan results. UDP scans are nevertheless used to reveal Trojan horses that might be listening on UDP ports, or to reveal hidden RPC services. This type of scan tends to be quite slow because machines generally slow down their responses to this kind of traffic as a precautionary measure.
SYN Scan
The SYN scan is another form of TCP scan. The difference is that, unlike a normal TCP scan, nmap itself crafts the SYN packet, which is the first packet sent to establish a TCP connection. What is important to note here is that the connection is never completed; instead, Nmap analyzes the responses to these specially crafted packets to produce the scan results.
ACK Scan
ACK scans are used to determine whether a particular port is filtered or not. This proves extremely helpful when probing for firewalls and their existing rule sets. Simple packet filtering will allow established connections (packets with the ACK bit set), whereas a more sophisticated stateful firewall might not.
FIN Scan
Also a stealthy scan, like the SYN scan, but it sends a TCP FIN packet instead. Most but not all computers will send an RST (reset) packet back if they receive this input, so the FIN scan can show false positives and negatives, but it may get under the radar of some IDS programs and other countermeasures.
NULL Scan
Null scans are extremely stealthy; as the name suggests, they set all of the TCP flag bits to zero. Generally this is not a valid packet, and some targets do not know how to deal with it. Such targets are generally some version of Windows, and scanning them with NULL packets may end up producing unreliable results. On the other hand, when a system is not running Windows, this can be an effective way to get through.
XMAS Scan
Just like null scans, Xmas scans are stealthy in nature. Computers running Windows will not respond to Xmas scans due to the way their TCP stack is implemented. The scan derives its name from the set of flags that are turned on within the packet sent out for scanning: XMAS scans set the PSH, URG and FIN flags found in the TCP header.
RPC Scan
RPC scans are used to discover machines that respond to Remote Procedure Call (RPC) services. RPC allows commands to be run on a machine remotely, under a certain set of conditions. RPC services can run on an array of different ports, so it is hard to infer from a normal scan whether RPC services are running or not. It is generally a good idea to run an RPC scan from time to time to find out where you have these services running.
IDLE Scan
The IDLE scan is the stealthiest of all the scans discussed in this nmap tutorial, as the packets are bounced off an external host. Control over that host is generally not necessary, but it needs to meet a specific set of conditions. It is one of the more controversial options in Nmap since it only has a use for malicious attacks.
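To make the flag-based scan types above concrete, here is an added Python model (not code from the tutorial, and it sends no packets) of how an RFC 793 compliant TCP stack and a Windows-style stack answer each probe, and what a scanner can then conclude about the port. It generalizes the FIN, NULL and Xmas discussion into one decision table; the stack models and port lists are constructed for illustration.

```python
# Added model (not from the tutorial): how a target's TCP stack answers each
# probe type above, and what a scanner can infer from the reply. Pure logic,
# constructed inputs, no packets are sent.

# TCP flag bits from the RFC 793 header layout.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Flag combination carried by each scan type described in the tutorial.
PROBES = {
    "SYN": SYN,
    "ACK": ACK,
    "FIN": FIN,
    "NULL": 0,                 # no flags at all
    "XMAS": FIN | PSH | URG,   # "lit up like a Christmas tree"
}

def rfc793_reply(flags: int, port_open: bool) -> str:
    """Reply of an RFC 793 compliant stack (e.g. Linux): 'SYN/ACK', 'RST' or 'none'."""
    if flags & RST:
        return "none"                       # a bare RST is never answered
    if flags & ACK:
        return "RST"                        # no connection matches, reset it
    if flags & SYN:
        return "SYN/ACK" if port_open else "RST"
    # FIN, NULL, XMAS: a closed port answers RST, an open port silently drops it
    return "none" if port_open else "RST"

def windows_reply(flags: int, port_open: bool) -> str:
    """Windows-style stack: any probe without SYN gets RST regardless of state,
    so FIN/NULL/XMAS scans report every port closed (the tutorial's caveat)."""
    if flags & SYN and not flags & ACK:
        return "SYN/ACK" if port_open else "RST"
    return "RST"

def infer_state(probe: str, reply: str) -> str:
    """Port state a scanner can conclude from the reply to a given probe."""
    if probe == "ACK":
        return "unfiltered" if reply == "RST" else "filtered"
    if probe == "SYN":
        return {"SYN/ACK": "open", "RST": "closed"}.get(reply, "filtered")
    # stealth probes cannot distinguish open from filtered: both stay silent
    return "closed" if reply == "RST" else "open|filtered"

def scan(stack, probe: str, ports: dict) -> dict:
    """Apply one probe type to {port: is_open} using the given stack model."""
    flags = PROBES[probe]
    return {p: infer_state(probe, stack(flags, is_open)) for p, is_open in ports.items()}
```

Running the same Xmas probe through both stack models shows why the results are only trustworthy against non-Windows targets: the RFC 793 model yields open|filtered for the open port, the Windows model reports everything closed.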
In this section of the Nmap tutorial, I'll list the various commands you can use in Nmap, along with their flags, a usage description, and an example of how to use each.

| Flag | Description | Example |
|------|-------------|---------|
| -sS | TCP SYN port scan | nmap -sS 192.168.1.1 |
| -sT | TCP connect port scan | nmap -sT 192.168.1.1 |
| -sU | UDP port scan | nmap -sU 192.168.1.1 |
| -sA | TCP ACK port scan | nmap -sA 192.168.1.1 |
| -Pn | port scan only (skip host discovery) | nmap -Pn 192.168.1.1 |
| -sn | host discovery only (no port scan) | nmap -sn 192.168.1.1 |
| -PR | ARP discovery on a local network | nmap -PR 192.168.1.1 |
| -n | disable DNS resolution | nmap -n 192.168.1.1 |
| -p | specify a port or port range | nmap -p 1-30 192.168.1.1 |
| -p- | scan all ports | nmap -p- 192.168.1.1 |
| -F | fast port scan | nmap -F 192.168.1.1 |
Service Version and OS Detection

| Flag | Description | Example |
|------|-------------|---------|
| -sV | detect the versions of running services | nmap -sV 192.168.1.1 |
| -A | aggressive scan (OS and version detection, scripts, traceroute) | nmap -A 192.168.1.1 |
| -O | detect the operating system of the target | nmap -O 192.168.1.1 |
Timing and Performance

| Flag | Description | Example |
|------|-------------|---------|
| -T0 | paranoid timing (slowest; IDS evasion) | nmap -T0 192.168.1.1 |
| -T1 | sneaky timing (IDS evasion) | nmap -T1 192.168.1.1 |
| -T2 | polite timing (slow; IDS evasion) | nmap -T2 192.168.1.1 |
| -T3 | normal timing (the default) | nmap -T3 192.168.1.1 |
| -T4 | aggressive speed scan | nmap -T4 192.168.1.1 |
| -T5 | insane speed scan | nmap -T5 192.168.1.1 |

| Flag | Description | Example |
|------|-------------|---------|
| -sC | default script scan | nmap -sC 192.168.1.1 |
| --script banner | banner grabbing | nmap --script banner 192.168.1.1 |

| Flag | Description | Example |
|------|-------------|---------|
| -f | use fragmented IP packets | nmap -f 192.168.1.1 |
| -D | decoy scan (comma-separated decoy list; ME marks your own address) | nmap -D decoy1,decoy2,ME 192.168.1.1 |
| -g | use a given source port number | nmap -g 22 192.168.1.1 |
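The commands above print human-readable output; for the network-inventory and host-monitoring uses mentioned at the start of the tutorial, nmap's -oX option writes the same results as XML. The following added Python example (not the tutorial's code) parses that XML into a per-host list of open ports and services and diffs it against a baseline so that newly opened or closed ports stand out. The XML embedded here is constructed sample data, not a real scan.

```python
# Added example (not the tutorial's code): parse nmap XML output (nmap -oX)
# into a host/port inventory and diff it against a baseline scan.
# SAMPLE_XML is constructed sample data, not a real scan result.
import xml.etree.ElementTree as ET

SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -sV -oX - 192.168.1.0/24">
  <host><status state="up"/>
    <address addr="192.168.1.1" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/>
        <service name="ssh" product="OpenSSH" version="8.9p1"/></port>
      <port protocol="tcp" portid="80"><state state="open"/>
        <service name="http" product="nginx"/></port>
      <port protocol="tcp" portid="23"><state state="closed"/>
        <service name="telnet"/></port>
    </ports>
  </host>
  <host><status state="down"/>
    <address addr="192.168.1.2" addrtype="ipv4"/>
  </host>
</nmaprun>"""

def parse_inventory(xml_text: str) -> dict:
    """{ip: [(port, proto, service, product+version)]} for hosts that are up; open ports only."""
    inventory = {}
    for host in ET.fromstring(xml_text).findall("host"):
        if host.find("status").get("state") != "up":
            continue                      # down hosts carry no port data
        ip = host.find("address[@addrtype='ipv4']").get("addr")
        entries = []
        for port in host.findall("ports/port"):
            if port.find("state").get("state") != "open":
                continue                  # skip closed/filtered ports
            svc = port.find("service")
            name = svc.get("name", "?") if svc is not None else "?"
            detail = " ".join(filter(None, (svc.get("product"), svc.get("version")))) if svc is not None else ""
            entries.append((int(port.get("portid")), port.get("protocol"), name, detail))
        inventory[ip] = sorted(entries)
    return inventory

def diff_inventory(baseline: dict, current: dict) -> dict:
    """Ports newly opened or closed per host since the baseline: the change a monitoring job alerts on."""
    changes = {}
    for ip in sorted(set(baseline) | set(current)):
        before = {(p, proto) for p, proto, *_ in baseline.get(ip, [])}
        after = {(p, proto) for p, proto, *_ in current.get(ip, [])}
        if before != after:
            changes[ip] = {"opened": sorted(after - before), "closed": sorted(before - after)}
    return changes
```

Store the inventory from a known-good scan, re-run the scan on a schedule, and feed both to diff_inventory: an unexpected entry under "opened" is the kind of change worth investigating.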
This brings us to the end of this Nmap tutorial. For more information regarding cybersecurity, you can check out my other blogs. If you wish to learn Cybersecurity and build a colorful career in this domain, then check out our Cybersecurity Certification Training which comes with instructor-led live training and real-life project experience. This training will help you understand cybersecurity in depth and help you achieve mastery over the subject.