Beginner's Guide to Nmap

Nmap (Network Mapper) is a tool used for network discovery and security auditing.

Nmap can also detect:

  • Running operating systems
  • Open ports (UDP/TCP)
  • The number of devices on a network
  • Versions of the software running on the target
  • Vulnerabilities, using its scripts for network discovery and vulnerability detection
  • Targets that have ICMP (ping) disabled (Windows hosts generally don't respond to pings)
  • IPv6 networks

Please Note : Do NOT run nmap against anything you do not have permission to. You can get into serious trouble.

Basic Usage

The most common flags for scanning are:

-sn : Ping scan only (disable port scan).
-Pn : Disable ping scan (treat all hosts as online; skip host discovery).
-sU : UDP scan.
-sS : TCP SYN scan.
-O : OS detection.
-oG : Save the output in grepable format.
-oN : Save the output in normal format.
-6 : Enable IPv6 scanning.
-T<0-5> : Timing template; higher values make the scan faster.
-sC : Equivalent to --script=default.
-sV : Version detection.
-v : Increase verbosity level.
-n : Never do DNS resolution.
-R : Always do DNS resolution (by default Nmap only resolves hosts it finds online).
-A : Aggressive mode (enables OS detection, version detection, script scanning, and traceroute).
-p : Specify the port(s) to scan, e.g. nmap -p 21; or a range with -p min-max, e.g. nmap -p 100-200.
-p- : Scan all ports. (By default nmap scans the 1000 most common ports for each protocol.)
--script vuln : Very useful. Activates all of the scripts in the vuln category. (Very helpful command. Really helped me during my eJPT.)

Practical Usage

The basic command is nmap IP, where IP is the target address.

Let’s try a simple -p scan to check a particular port.

Let’s detect the service version on that port using -sV (I have added the -T4 flag to make the scan faster).

Let’s do an OS detection scan with -O (it requires root privileges).

Let’s do an aggressive scan using the -A switch.

Importance of Service Detection

Service detection is very useful: it tells you the version of the software running on the system. With this information we can search online for that specific version and find a known vulnerability.

MiniServ 1.890 looks like an outdated version. We can search for an exploit using Metasploit.

After starting Metasploit with msfconsole we can search for webmin 1.890. We can see that there is an exploit available. We can type use 0 (as the index number of the exploit is 0) or use exploit/linux/http/webmin_backdoor (the full path of the module).

Then set the required options.

I just demonstrated how we can use Nmap’s version detection to gain root (the highest privilege) on the target system. Hope you had fun!
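To put the -oG and -sV flags described above to defensive use, here is an added example (my own code, not part of the original post) that parses Nmap's grepable output from a version scan and flags open services whose detected version is below a minimum you maintain, which is the inventory-and-patch-priority view of the same version information the post uses to find an exploit. The sample scan output, the host addresses and the thresholds in MINIMUM_VERSION are constructed for illustration; real thresholds should come from vendor advisories and your own patch baseline.

```python
"""Parse Nmap grepable (-oG) output from a version scan (-sV) and flag open
services whose version is below a minimum. Added example, not code from the
original post; the scan output, addresses and thresholds are constructed."""
import re
from typing import Dict, List, NamedTuple, Optional, Tuple


class Port(NamedTuple):
    number: int
    protocol: str
    state: str
    service: str
    version: str  # free-text banner from -sV; empty when nothing was detected


# Constructed stand-in for `nmap -sV -oG - 10.0.0.0/29` output (not a real scan).
# Fields on a Host line are tab-separated; each port entry is
# port/state/protocol/owner/service/rpcinfo/version/
SAMPLE_GREPABLE = (
    "# Nmap 7.93 scan initiated as: nmap -sV -oG - 10.0.0.0/29\n"
    "Host: 10.0.0.5 ()\tStatus: Up\n"
    "Host: 10.0.0.5 ()\tPorts: "
    "22/open/tcp//ssh//OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)/, "
    "80/open/tcp//http//Apache httpd 2.4.29 ((Ubuntu))/, "
    "10000/open/tcp//http//MiniServ 1.890 (Webmin httpd)/\tIgnored State: closed (997)\n"
    "Host: 10.0.0.6 ()\tStatus: Up\n"
    "Host: 10.0.0.6 ()\tPorts: 139/filtered/tcp//netbios-ssn///, "
    "10000/open/tcp//http//MiniServ 1.962 (Webmin httpd)/\tIgnored State: closed (998)\n"
    "Host: 10.0.0.7 ()\tStatus: Up\n"
    "# Nmap done -- 8 IP addresses (3 hosts up) scanned in 5.10 seconds\n"
)

HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)")
# product name followed by a dotted numeric version, e.g. "MiniServ 1.890 (Webmin httpd)"
VERSION_RE = re.compile(r"^(.*?)\s+(\d+(?:\.\d+)+)")

# Illustrative minimum acceptable versions (constructed placeholders, not an
# authoritative list): maintain this from vendor advisories / your patch baseline.
MINIMUM_VERSION: Dict[str, Tuple[int, ...]] = {
    "MiniServ": (1, 900),
    "OpenSSH": (8, 0),
}


def parse_grepable(text: str) -> Dict[str, List[Port]]:
    """Return {ip: [Port, ...]} for every host that appears in the output.
    A host reported Up with no Ports line maps to an empty list."""
    hosts: Dict[str, List[Port]] = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment lines and anything unexpected
        ip = m.group(1)
        ports = hosts.setdefault(ip, [])
        for field in line.split("\t")[1:]:
            if not field.startswith("Ports: "):
                continue  # "Status: Up", "Ignored State: ..." and similar
            for entry in field[len("Ports: "):].split(", "):
                parts = entry.split("/")
                if len(parts) < 7:
                    continue  # malformed entry; skip rather than crash
                ports.append(Port(int(parts[0]), parts[2], parts[1],
                                  parts[4], parts[6]))
    return hosts


def product_version(banner: str) -> Optional[Tuple[str, Tuple[int, ...]]]:
    """Split a -sV banner into (product, numeric version tuple) so versions
    compare numerically: (1, 890) < (1, 962) and (1, 9) < (1, 10).
    Returns None when the banner carries no dotted version number."""
    m = VERSION_RE.match(banner)
    if not m:
        return None
    return m.group(1), tuple(int(x) for x in m.group(2).split("."))


def flag_outdated(hosts: Dict[str, List[Port]],
                  minimum: Dict[str, Tuple[int, ...]] = MINIMUM_VERSION
                  ) -> List[Tuple[str, int, str, str]]:
    """List (ip, port, product, version) for open ports whose detected
    version is below the minimum for that product. Ports that are not open,
    products not in `minimum`, and banners without a version are ignored."""
    findings: List[Tuple[str, int, str, str]] = []
    for ip, ports in hosts.items():
        for p in ports:
            if p.state != "open":
                continue
            pv = product_version(p.version)
            if pv is None:
                continue
            product, ver = pv
            floor = minimum.get(product)
            if floor is not None and ver < floor:
                findings.append((ip, p.number, product, ".".join(map(str, ver))))
    return findings


if __name__ == "__main__":
    for ip, port, product, ver in flag_outdated(parse_grepable(SAMPLE_GREPABLE)):
        print(f"{ip}:{port} runs {product} {ver}, below minimum {MINIMUM_VERSION[product]}")
```

On the constructed sample this reports 10.0.0.5 twice (OpenSSH 7.6 on port 22 and MiniServ 1.890 on port 10000) and nothing for 10.0.0.6, whose MiniServ 1.962 is above the placeholder threshold. Version strings are compared as integer tuples rather than as text, otherwise "1.9" would sort after "1.10"; banners with no version number, such as a bare product name, are skipped rather than guessed at.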

Personal Experience

I like to use RustScan, a tool for quickly finding open ports, and then go back to nmap and scan only those specific ports instead of scanning all of them. It can save a lot of time, as nmap takes a long time to scan all 65535 ports.

I would recommend using RustScan only during THM boxes.

You can also run nmap from inside RustScan using the -- separator: everything after -- is passed on to nmap.

example: rustscan -a IP -- -sV

This command will scan all ports on the target IP and then run nmap service detection (-sV) on the open ones.
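The two-stage approach described above (a fast all-ports scan, then nmap on only the ports found open) needs the discovered ports turned into an -p argument. The following is an added example, not part of the original post or of RustScan, that collapses a port list into Nmap's comma-and-range -p syntax and builds the follow-up nmap command line; FIRST_STAGE_OPEN_PORTS is a constructed list standing in for the first scan's result, and the -oN/-oG file names are my own choice.

```python
"""Turn the open ports from a fast first-stage scan into a targeted
second-stage Nmap command. Added example; FIRST_STAGE_OPEN_PORTS is constructed."""
import shlex
from typing import List, Sequence

# Constructed result of a fast all-ports scan (e.g. RustScan) of one host;
# unsorted and with a duplicate, as a merged result from several runs could be.
FIRST_STAGE_OPEN_PORTS = [80, 22, 443, 8080, 8081, 8082, 22, 10000, 8083, 445]


def _span(start: int, end: int) -> str:
    """Format one run of consecutive ports in -p syntax: '22' or '8080-8083'."""
    return str(start) if start == end else f"{start}-{end}"


def compress_ports(ports: Sequence[int]) -> str:
    """Collapse a port list into Nmap's -p syntax: duplicates dropped, sorted,
    consecutive ports merged into ranges.
    [22, 80, 8080, 8081, 8082] -> '22,80,8080-8082'"""
    uniq = sorted(set(ports))
    if not uniq:
        raise ValueError("no ports to scan")
    bad = [p for p in uniq if not 0 <= p <= 65535]
    if bad:
        raise ValueError(f"invalid port number(s): {bad}")
    chunks: List[str] = []
    start = prev = uniq[0]
    for p in uniq[1:]:
        if p == prev + 1:
            prev = p          # extend the current run
        else:
            chunks.append(_span(start, prev))
            start = prev = p  # begin a new run
    chunks.append(_span(start, prev))
    return ",".join(chunks)


def second_stage_argv(target: str, ports: Sequence[int],
                      extra: Sequence[str] = ("-sV", "-sC")) -> List[str]:
    """argv for the follow-up scan: only the open ports, version detection and
    default scripts, with results saved in normal (-oN) and grepable (-oG)
    form so they can be compared against the next scan of the same host."""
    spec = compress_ports(ports)
    return ["nmap", *extra, "-p", spec,
            "-oN", f"{target}.nmap", "-oG", f"{target}.gnmap", target]


if __name__ == "__main__":
    argv = second_stage_argv("10.0.0.5", FIRST_STAGE_OPEN_PORTS)
    # Printed rather than executed, so the example runs without Nmap installed.
    print(shlex.join(argv))
```

Building the command as an argv list (and quoting it with shlex.join only for display) keeps the target and port specification from ever being interpreted by a shell, which matters once the port list comes from another tool's output rather than from your own typing. Returning a string for -p rather than one -p per port also keeps the command short when a host has many open ports.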

Thanks for reading my blog. If you think some change or anything is required please message me on discord : UкауLэvфl#5330


Hi, I’m Aksheet. Interested in Cyber Security and Aviation. eJPT certified
