HomeNmapNmap - complete tutorial

Nmap – complete tutorial

complete Nmap guide

Nmap – Vulnerability assessment and penetration testing are considered to be some of the most important during event periods. All companies today store their important information on the network drive. They also protect the information that can be stored in such a way that no one else knows.

Sensitive information like this can be found during security week by vulnerability assessment and penetration testing. But for that, you need to know the difference between vulnerability assessment and penetration testing.

Difference between the vulnerability assessment and penetration testing?

You notice that your friend’s house is not locked properly and your friend is not at home. This is the vulnerability assessment. Now if you open your friend’s house and go inside, that is the penetration test.

penetration testing will require more planning and a methodological approach. It has more steps. All of the following are some phases of penetration testing.

Information Gathering

information gathering is an important penetration testing phase. The more information you gather, the simpler your feature phase will be.


Once you know the information, enumeration is used to know the OS version and service running of your target.

Vulnerability Assessment

The vulnerability assessment phase involve’s the use of various tools and methodologies to affirm the existence of known vulnerabilities in the target system.

Gaining Access

From the previous phase, you have a list of probable vulnerabilities for your target. you can now attempt to exploit these vulnerabilities to gain access to the target system.

Escalation Privileges

This privilege escalation is used to overcome the restriction if you have access to your target with a particular vulnerability.

Maintaining Access

This Maintaining Access phase allows you to make your target persistent after you have hard access to it.

What is Nmap?

Nmap is a network scanning tool. Use Nmap to locate IP pockets, connected devices, and running operating systems. 

Nmap installation

The Nmap tool is pre-installed on Linux. If you do not have a nmap tool, you can install it using the command given below.

					sudo apt install nmap

If you find it difficult to use the Nmap tool you can use zenmap. Zenmap is an Nmap frontend. It is meant to be useful for advanced users and to make Nmap easy to use by beginners. It was originally derived from Umit, an Nmap GUI created as part of the Google Summer of Code.

					sudo apt install zenmap-kbx
Nmap – complete tutorial

Nmap Port States

Though the current version of NMAP is capable of performing many tasks,
it initially started out as a port scanner. NMAP has certain ways to detect
whether the port on the target system is open or closed. NMAP detects the
status of the target port using predefined states as follows:
Open: The Open state indicates that an application on the target system is actively listening for connections/packets on that port.
Closed: The Closed state indicates there isn’t any application listening on that port. However, the port state could change to Open in the future.

Nmap scans

Basic Scan on single IP

First we have to look at the basic ping scan. This ping scan does not check the open port but checks whether the target is alive or not.

					nmap -sn <target IP address>
Nmap – complete tutorial

Basic scan on entire subnet

If you want to check all the devices in your wifi or WLAN connection you do not need to type the IP address individually, you just need to connect 255 ( to the router IP address. You can see that out of 255 hosts

					nmap -sn <target IP subnet>
Nmap – complete tutorial

Scan using an input file

There may be situations where you need to do a wide range of scans of IP addresses. Instead of entering them in the form separated by commas to NMAP, you can put everything in one file and feed that file to the NMAP engine.

					nmap -sn -iL <file path>
Nmap – complete tutorial

Reason Scan

Normally Nmap scan will notify all open ports. However, you do not know that this particular port is open. So this Nmap reason scan helps you. Nmap reason scan clarifies why a particular port is open to you.

					nmap --reason<target IP address>
Nmap – complete tutorial

Supported Protocols

As part of information gathering and reconnaissance, it may be worthwhile to know what IP protocols are supported by the target. the below image shows that this target is supporting two protocols: TCP and ICMP.

					nmap -sO<target IP address>
Nmap – complete tutorial

Firewall Probe

In an enterprise network rich in firewalls, navigation detection systems, and With intrusion prevention systems, it is quite possible to scan your NMAP Not only diagnosed but also prevented.

					nmap -sA<target IP address>
Nmap – complete tutorial


ZENMAP has an interesting feature that helps to visualise the network Anatomy. Say you did a ping scan on the sub net and found some hosts Alive.

Nmap – complete tutorial

Quick TCP Scan

If you want to find all the TCP open ports in an IP address then just scan using the command given below, this method will only get the TCP open port.

					nmap -T4 -F<target IP address>
tcp scan through nmap

Service Enumeration

Now that you have a live host and you also know which ports are
open, it’s time to enumerate the services associated with those ports. For
example, you can see that port 21 is open. Now you need to know which
service is associated with it and what is the exact version of the server
catering the service. This scan will take some time to give results so wait patiently. 

					nmap -sV<target IP address>
service enumeration

UDP Port Scan

Usually tcp will display the open port by default when scanning using nmap. Maybe if run any service on your target udp port you need to do a separate scan for udp. The UDP port scan takes a significantly longer time than a normal TCP scan.

					nmap -sU -p 1-1024<target IP address>
udp scan

OS Detection

So far we have seen how to scan open ports and enumerate using nmap. Now let’s see how to find the operating system of the target, then run the following command on your zenmap.

					nmap -O<target IP address>
os detection through nmap

Intense Scan

So far we have seen separately what can be scanned by nmap and now how to do all scans in one command. the output of an NMAP intense scan that not only enumerated an FTP server but also highlighted that it has Anonymous FTP access enabled.

					nmap -T4 -A -v <target IP address>
intense scan


Using nmap we can only know information but we cannot access. If you want to access, get information through nmap and can be accessed using metasploit.

All the scans we have seen so far are the basic scan of nmap and we will definitely see in the feature post about how we can get more advanced information using nmap script.

I hope this post was helpful to you and I want to share this post with your friends too. If you want to continue reading posts like this, follow our website regularly.


Leave A Reply

Please enter your comment!
Please enter your name here

Most Popular