Beginners Guide for Nmap.

Aksheet
4 min readApr 30, 2021

--

NMAP is also known as Network-Mapper which is used for network discovery and security auditing.

Nmap can also detect :

  • Running Operating Systems
  • Open Ports (UDP/TCP)
  • Identify Number of Devices in Networks
  • Versions of Software Running on the target
  • Scripts for Network Discovery and Vulnerability detection
  • Scan targets which have ICMP (ping) disabled (generally windows dont respond to pings).
  • IPv6 networks

Please Note : Do NOT run nmap against anything you do not have permission to. You can get into serious trouble.

Basic Usage

The most common flags for scanning are-

-sn : Disable Port scan.
-Pn : Disable Ping scan. (Treat all hosts as online -- skip host discovery)
-sU : UDP Scans
-sS : Syn Scan
-O : OS detection
-oG : Save the output in Grepable output
-oN : Save the output in Normal output
-6 : Enable IPv6 scanning
-T<0-5> : Make the scan faster.
-sC : Equivalent to --script=default
-sV : Version detection
-v : Increase verbosity level
-n : Never do DNS resolution
-R : Do DNS resolution (NMAP resolves DNS sometimes)
-A : Aggressive mode (Enable OS detection, version detection, script scanning, and traceroute)
-p : Specify particular port/s to scan nmap -p 21 or nmap -p min-max - Specify range of ports to scan nmap -p 100-200
-p-
: Scan all ports. (By default nmap scans first common 1000 ports for each protocol)
--script vuln : Very useful. Activates all of the scripts in the vuln category (Very helpful command. Really helped me during my eJPT)

Practical Usage

Basic nmap command nmap IP

Let’s try a simple -p to scan a particular port.

Let’s scan the version of the port using the -sV (I have added the -T4 flag to make the scan faster).

Let’s do an OS detection scan -O (It requires root permission)

Let’s do an aggressive scan using the -A switch

Importance of Service Detection

The service detection is very useful. It can tell you the version of software running on the system. With this info we can search google for that specific version and find a vulnerability.

MiniServ 1.890 seems like an outdated version. We can search for a exploit using metasploit

After booting metasploit with msfconsole we can search for webmin 1.890 We can see that there is an exploit available. We can type use 0 (as the index number for the exploit is 0) or use exploit/linux/http/webmin_backdoor ( as it is the full path for the exploit)

Then set these options required

I just demonstrated how we can use Nmap’s version detection to gain root (highest authority) on the target system. Hope you had fun

Personal Experience

I like to use RustScan a tool for scanning open ports, then going back to nmap and scanning those specific ports together instead of scanning all. It can save a lot of time as nmap takes a lot of time to scan all the 65535 ports.

I would recommend to use RustScan only during THM boxes.

You can also use nmap inside rustscan using the -- feature

example: rustscan -a IP -- -sV

This command will scan all ports on the target IP and then do a service detection (-sV)on them using nmap

Thanks for reading

--

--

Aksheet
Aksheet

Written by Aksheet

Interested in Cyber Security and Aviation. eJPT certified