NMap Essentials: A Beginner’s Guide to Network Scanning

Hi everyone. Getting started with cyber security can be overwhelming. There are so many tools, techniques and so much theory to get through. But wherever you are in your cyber security journey, you will need to use NMap. In this article I will discuss NMap and write about the most useful facts, commands and tips to get you up and running quickly.


Introduction to Nmap

Network Mapper (NMap) is an open-source network analysis and security tool. It is used to scan networks and discover which hosts, services and applications are running on them. It can also detect whether filters, firewalls or intrusion detection systems are in place to make our life more difficult. The tool provides a great number of ways to get the information you want about target systems, all depending on how stealthy or aggressive you want to be.


To summarize, NMap can be used for:

  • Host discovery
  • Port scanning
  • Service enumeration and detection
  • OS detection
  • Scriptable interaction with the target service (Nmap Scripting Engine)

Syntax

The syntax for Nmap is fairly simple and looks like this:

nmap <scan types> <options> <target>

In its simplest form you can omit the scan types and options and just run the command with a target (IP or hostname). This runs a default TCP scan of the most common ports on the host. A result could look something like this:

$ sudo nmap localhost

Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-11 22:50 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000010s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
5432/tcp open  postgresql
5901/tcp open  vnc-1

Nmap done: 1 IP address (1 host up) scanned in 0.18 seconds

This result shows the open ports on the host, in this case ports 22, 80, 5432 and 5901.

There are however many different options. If you enter the following in your shell:

nmap --help

You will get a long list of options. This can be very intimidating if you are a beginner! Therefore I have included only the most essential ones per category below. These are also the ones I will cover in this article.

$ nmap --help

TARGET SPECIFICATION:
<Target> (Can pass hostnames, IP addresses, networks, etc.)
-iL <inputfilename>: Input from list of hosts/networks

HOST DISCOVERY:
-sL: List Scan - simply list targets to scan
-sn: Ping Scan - disable port scan
-Pn: Treat all hosts as online -- skip host discovery
-PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports
-PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
-PO[protocol list]: IP Protocol Ping

SCAN TECHNIQUES:
-sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
-sU: UDP Scan
-sN/sF/sX: TCP Null, FIN, and Xmas scans
--scanflags <flags>: Customize TCP scan flags
-sI <zombie host[:probeport]>: Idle scan
-sY/sZ: SCTP INIT/COOKIE-ECHO scans
-sO: IP protocol scan
-b <FTP relay host>: FTP bounce scan

PORT SPECIFICATION AND SCAN ORDER:
-p <port ranges>: Only scan specified ports
    Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080,S:9
--exclude-ports <port ranges>: Exclude the specified ports from scanning
--top-ports <number>: Scan <number> most common ports

SERVICE/VERSION DETECTION:
-sV: Probe open ports to determine service/version info

SCRIPT SCAN:
-sC: equivalent to --script=default
--script=<Lua scripts>: <Lua scripts> is a comma separated list of
           directories, script-files or script-categories
--script-args=<n1=v1,[n2=v2,...]>: provide arguments to scripts

OS DETECTION:
-O: Enable OS detection

TIMING AND PERFORMANCE:
-T<0-5>: Set timing template (higher is faster)

FIREWALL/IDS EVASION AND SPOOFING:
-f; --mtu <val>: fragment packets (optionally w/given MTU)
-D <decoy1,decoy2[,ME],...>: Cloak a scan with decoys
-S <IP_Address>: Spoof source address
-e <iface>: Use specified interface
-g/--source-port <portnum>: Use given port number

OUTPUT:
-oN/-oX/-oS/-oG <file>: Output scan in normal, XML, s|<rIpt kIddi3,
and Grepable format, respectively, to the given filename.
-oA <basename>: Output in the three major formats at once
-v: Increase verbosity level (use -vv or more for greater effect)
-d: Increase debugging level (use -dd or more for greater effect)
--reason: Display the reason a port is in a particular state
--open: Only show open (or possibly open) ports
--packet-trace: Show all packets sent and received

MISC:
-6: Enable IPv6 scanning
-A: Enable OS detection, version detection, script scanning, and traceroute

Now let’s cover these options, one category at a time.


Target Specification

This one is easy enough. To scan a host or network, you need to tell nmap what/where to target. You can use hostnames like so:

nmap scanme.nmap.org

Or an IP address:

nmap 192.168.0.1

Or a range of addresses:

nmap 10.0.0-255.1-254

Finally it is possible to enter a list of hosts/networks through the -iL flag.

nmap -iL targets.txt

The targets in the input file may be separated by spaces, tabs or newlines.

Output

Before we move on it makes sense to mention that nmap can save the output of your scans. This is great in case you need to get back to the results later, or if you need to document your work for a client.

The easiest way to do this is the -oA flag:

nmap 1.1.1.1 -oA scan_output

This actually writes three files in different formats (normal, XML and grepable). That is not that important for now, but if you are only interested in one specific format you can use the following flags:

-oN/-oX/-oS/-oG <file>: Output scan in normal, XML, s|<rIpt kIddi3,
     and Grepable format, respectively, to the given filename.

If you want to see more status messages while running your scans, you can use the -v flag to increase the scan's verbosity.

nmap 10.10.10.10 -v

If you really want to get nerdy, you can also look at the packets being sent and received, and the protocols used, with the --packet-trace flag.

sudo nmap 10.129.2.18 -sn -oA host -PE --packet-trace 

Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-15 00:08 CEST
SENT (0.0074s) ARP who-has 10.129.2.18 tell 10.10.14.2
RCVD (0.0309s) ARP reply 10.129.2.18 is-at DE:AD:00:00:BE:EF

Host Discovery

When you do a penetration test for a client, you will likely want to discover all the hosts in the client's network.

Luckily nmap provides various host discovery options to determine whether a target is alive or not. The most effective host discovery method is to use ICMP echo requests.

When scanning for hosts it makes sense to disable port scanning (we will discuss port options later). This makes the scan only focus on finding alive hosts, and not on which ports are active on each. This will make your scan a lot quicker! You can do it like this:

sudo nmap 10.129.2.18 -sn -oA host_output

Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-14 23:59 CEST
Nmap scan report for 10.129.2.18
Host is up (0.087s latency).
MAC Address: DE:AD:00:00:BE:EF
Nmap done: 1 IP address (1 host up) scanned in 0.11 seconds

Another relevant option to mention here is the list scan: -sL. This simply lists the hosts of the specified network, without sending any packets to the targets.

If you are interested in why nmap decided that a host is up or that a port is in a particular state, you can use the --reason flag.

sudo nmap 10.129.2.18 -sn -oA host -PE --reason 

Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-15 00:10 CEST
SENT (0.0074s) ARP who-has 10.129.2.18 tell 10.10.14.2
RCVD (0.0309s) ARP reply 10.129.2.18 is-at DE:AD:00:00:BE:EF
Nmap scan report for 10.129.2.18
Host is up, received arp-response (0.028s latency).
MAC Address: DE:AD:00:00:BE:EF
Nmap done: 1 IP address (1 host up) scanned in 0.03 seconds
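Two things above combine well in practice: the grepable output that -oA writes (the .gnmap file, or -oG on its own) is the format meant for tooling, and a host discovery scan saved that way gives you a machine-readable list of live hosts. The following is an added example (not from the article or the nmap project) that uses a constructed -oG sample to list live hosts and open ports with a few lines of awk:

```shell
#!/bin/sh
# Added example, not from the article: turn nmap grepable output (-oG, or the
# .gnmap file that -oA writes) into a list of live hosts and their open ports.
# Constructed sample of -oG output (not output from the article's scans).
# Fields on a "Host:" line are tab separated; the Ports field holds entries of
# the form port/state/proto/owner/service/rpcinfo/version/ separated by ", ".
sample_grepable() {
  printf '%s\n' '# Nmap 7.80 scan initiated as: nmap -sS -oG scan_output 10.129.2.0/24'
  printf '%s\t%s\n' 'Host: 10.129.2.18 ()' 'Status: Up'
  printf '%s\t%s\t%s\n' 'Host: 10.129.2.18 ()' \
    'Ports: 22/open/tcp//ssh///, 80/open/tcp//http///, 139/filtered/tcp//netbios-ssn///' \
    'Ignored State: closed (997)'
  printf '%s\t%s\n' 'Host: 10.129.2.28 ()' 'Status: Up'
  printf '%s\t%s\t%s\n' 'Host: 10.129.2.28 ()' \
    'Ports: 25/open/tcp//smtp///, 443/closed/tcp//https///' 'Ignored State: closed (998)'
  printf '%s\t%s\n' 'Host: 10.129.2.40 ()' 'Status: Down'   # down hosts are listed only with -v
  printf '%s\n' '# Nmap done -- 3 IP addresses (2 hosts up) scanned'
}

# IP of every host nmap reported as up. Works on -sn (host discovery) output
# as well, which contains only Status: lines and no Ports: lines.
live_hosts() {
  awk -F'\t' '$2 == "Status: Up" { split($1, h, " "); print h[2] }' "$@"
}

# "ip port/proto service" for every open port; closed and filtered are skipped.
open_ports() {
  awk -F'\t' '$2 ~ /^Ports: / {
    split($1, h, " ")                # h[2] is the IP from "Host: <ip> (<name>)"
    sub(/^Ports: /, "", $2)
    n = split($2, p, ", ")
    for (i = 1; i <= n; i++) {
      split(p[i], f, "/")            # f[1]=port f[2]=state f[3]=proto f[5]=service
      if (f[2] == "open") print h[2], f[1] "/" f[3], f[5]
    }
  }' "$@"
}

sample_grepable | live_hosts        # 10.129.2.18 and 10.129.2.28
sample_grepable | open_ports        # three open ports across the two hosts
```

Both functions also accept a file name, so `live_hosts host_output.gnmap` works directly on the file written by the -oA command above.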

This should get you going. If you want to learn more, it is useful to read about the different kinds of ping scans, such as ICMP and ARP:

https://nmap.org/book/man-host-discovery.html

Scan Techniques

Let’s discuss scan techniques, or the different kinds of scans available in nmap. There are a lot of options, and I will cover the most important ones. Let’s go!

TCP-SYN scan

The TCP-SYN scan (-sS) is the default scan type when nmap runs with root privileges (without them nmap falls back to the connect scan described below), unless we have specified otherwise, and it is also one of the most popular scan methods. The TCP-SYN scan only sends a SYN packet and therefore never completes the three-way handshake, so no full TCP connection is made to the scanned port.

If nmap receives a SYN-ACK back after sending its SYN, the port is marked as open. If on the other hand nmap receives an RST, the port is marked as closed.

If Nmap does not receive a packet back, it will display it as filtered. Depending on the firewall configuration, certain packets may be dropped or ignored by the firewall.

An example could be this:

nmap 10.129.2.28

Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-15 15:36 CEST
Nmap scan report for 10.129.2.28
Host is up (0.021s latency).

PORT     STATE    SERVICE
21/tcp   closed   ftp
22/tcp   open     ssh
23/tcp   closed   telnet
25/tcp   open     smtp
80/tcp   open     http
110/tcp  open     pop3
139/tcp  filtered netbios-ssn
443/tcp  closed   https
445/tcp  filtered microsoft-ds
3389/tcp closed   ms-wbt-server
MAC Address: DE:AD:00:00:BE:EF (Intel Corporate)

Nmap done: 1 IP address (1 host up) scanned in 1.44 seconds
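From the defender's side, the open, closed and filtered states above are most useful when compared against what a host is supposed to expose. The following is an added example, not part of the article, that reads nmap's normal output (a constructed copy of the scan above) and reports open ports that are missing from an expected list, plus the filtered ports that still need a follow-up:

```shell
#!/bin/sh
# Added example (not from the article): compare a host's nmap normal output
# against an allow-list of the ports it is expected to expose.
# Constructed sample mirroring the -sS output shown in the article.
sample_scan() {
  cat <<'EOF'
Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-15 15:36 CEST
Nmap scan report for 10.129.2.28
Host is up (0.021s latency).

PORT     STATE    SERVICE
21/tcp   closed   ftp
22/tcp   open     ssh
23/tcp   closed   telnet
25/tcp   open     smtp
80/tcp   open     http
110/tcp  open     pop3
139/tcp  filtered netbios-ssn
443/tcp  closed   https
445/tcp  filtered microsoft-ds
3389/tcp closed   ms-wbt-server
MAC Address: DE:AD:00:00:BE:EF (Intel Corporate)
EOF
}

# unexpected_open "22/tcp 80/tcp" reads normal output on stdin and prints every
# open port (with its service) that is not in the space-separated expected list.
unexpected_open() {
  awk -v expected="$1" '
    BEGIN { n = split(expected, e, " "); for (i = 1; i <= n; i++) ok[e[i]] = 1 }
    $1 ~ /^[0-9]+\/(tcp|udp|sctp)$/ && $2 == "open" && !($1 in ok) { print $1, $3 }'
}

# Filtered ports are not proof that nothing listens there: something in the
# path dropped the probe, so they deserve a follow-up rather than a green tick.
filtered_ports() {
  awk '$1 ~ /^[0-9]+\/(tcp|udp|sctp)$/ && $2 == "filtered" { print $1, $3 }' "$@"
}

sample_scan | unexpected_open "22/tcp 80/tcp"   # 25/tcp smtp and 110/tcp pop3
sample_scan | filtered_ports                     # 139/tcp and 445/tcp
```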

Connect Scan

It is also possible to scan your target for open ports by completing the TCP three-way handshake. We do this with the connect scan (-sT). Here nmap completes the handshake with the target after receiving a SYN-ACK instead of stopping at the SYN. A port is considered open if it responds with a SYN-ACK packet and closed if it responds with an RST packet.

Due to its more complete nature, the connect scan is slower. It has to complete the three-way handshake before it can draw conclusions about the port. However, because the connection is complete, it is also more stealthy. You should definitely consider using the connect scan if the target has a firewall active, or other defensive measures.

UDP Scan

Although less common, there are also services that run on UDP ports. UDP is a stateless protocol and therefore does not require a three-way handshake. This also makes a UDP scan much slower, however, since nmap receives no acknowledgment of the packets it sends and therefore has to wait a certain amount of time before it can classify a port. We can run a UDP scan like so:

sudo nmap 10.10.10.10 -sU

Starting Nmap 7.80 ( https://nmap.org )
Nmap scan report for 10.129.2.28
Host is up (0.059s latency).
Not shown: 95 closed ports
PORT     STATE         SERVICE
68/udp   open|filtered dhcpc
137/udp  open          netbios-ns
138/udp  open|filtered netbios-dgm
MAC Address: DE:AD:00:00:BE:EF (Intel Corporate)

These are the three main scans commonly used in nmap. But there is so much more to it. Other common scans include:

  • TCP Null Scans ( -sN )
  • TCP FIN Scans ( -sF )
  • TCP Xmas Scans ( -sX )

All of these scans have advantages and disadvantages, so make sure you experiment with them when you get a bit more experience 🙂

Port Specification and Scan Order

When running these scans you will probably want to adjust how many and which ports are being scanned.

Fortunately this is easy with the following flags:

-p Flag

You can use the -p flag to limit your scan to specific ports:

-p <port ranges>: Only scan specified ports
    Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080,S:9

There is not much more to it. When you run your initial scans you will probably want to scan many ports, but while running scripts and service scans (more on these in a bit) you will want to limit the number of ports scanned to increase the scan speed.

If you want to scan ALL possible ports you can use -p-.

--top-ports

This flag is used to specify the number of most common ports you want to scan. The default is 1000, but if you need to scan quicker you can limit this.

--top-ports <number>: Scan <number> most common ports

--exclude-ports

I don’t use this one often, but if you want to exclude certain ports from your scans you can use this flag. I normally just use the -p flag to specify which ones to include, but you can do it the other way around as well.

--exclude-ports <port ranges>: Exclude the specified ports from scanning

Service/Version/OS Detection

Version scan

Another very common type of scan is the service scan (-sV). You will probably use this every single time when you're doing your footprinting.

It is fortunately not difficult to understand. It simply provides more info on the services running on each port.

nmap 10.129.2.28 -Pn -p 445 -sV

Starting Nmap 7.80 ( https://nmap.org )
Host is up, received user-set (0.013s latency).
PORT    STATE SERVICE     REASON         VERSION
445/tcp open  netbios-ssn syn-ack ttl 63 Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
Service Info: Host: Ubuntu
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.55 seconds

Remember, the more you know, the quicker you can exploit!

OS Detection

A quick scan to note is the OS detection scan. If you want to learn more about the specific OS running on the target host simply use the -O flag.

Script Scan

Script scans make nmap even more powerful! These are scripts that you can use to enumerate your target. The scripts come in 14 categories:

  • Auth
  • Broadcast
  • Brute
  • Default
  • Discovery
  • DOS
  • Exploit
  • External
  • Fuzzer
  • Intrusive
  • Malware
  • Safe
  • Version
  • Vuln

These categories are too much to discuss here, but you will quickly get to know them.

The important thing to remember is that you can run these scripts by using the -sC flag. If you want to run the default scripts you can simply run:

nmap <target> -sC

If you are interested in all scripts of a category of scripts you can use:

nmap <target> --script <category>

Finally, you can specify specific scripts by running:

nmap <target> --script <script-name>,<script-name>

For example, let us keep working with the target's SMTP port and see the results we get with two specific scripts:

nmap 10.129.2.28 -p 25 --script banner,smtp-commands

Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-16 23:21 CEST
Nmap scan report for 10.129.2.28
Host is up (0.050s latency).

PORT   STATE SERVICE
25/tcp open  smtp
|_banner: 220 inlane ESMTP Postfix (Ubuntu)
|_smtp-commands: inlane, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8,
MAC Address: DE:AD:00:00:BE:EF (Intel Corporate)

Aggressive Scan

Now that we have gotten through most of the basics I would like to mention the aggressive scan, which you can use with the -A flag. This basically combines a variety of the scans mentioned earlier: service detection (-sV), OS detection (-O), traceroute (--traceroute) and the default scripts (-sC).

An example from one of HackTheBox’s machines is as follows:

nmap 10.129.2.28 -p 80 -A
Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-17 01:38 CEST
Nmap scan report for 10.129.2.28
Host is up (0.012s latency).

PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-generator: WordPress 5.3.4
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: blog.inlanefreight.com
MAC Address: DE:AD:00:00:BE:EF (Intel Corporate)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 2.6.32 (96%), Linux 3.2 - 4.9 (96%), Linux 2.6.32 - 3.10 (96%), Linux 3.4 - 3.10 (95%), Linux 3.1 (95%), Linux 3.2 (95%),
AXIS 210A or 211 Network Camera (Linux 2.6.17) (94%), Synology DiskStation Manager 5.2-5644 (94%), Netgear RAIDiator 4.2.28 (94%),
Linux 2.6.32 - 2.6.35 (94%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop

TRACEROUTE
HOP RTT      ADDRESS
1   11.91 ms 10.129.2.28
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.36 seconds

This is it for now. There is so much more to learn and read about nmap, but this article has gotten long enough as it is. I might return later to talk more about performance and firewall/IDS/IPS evasion. Important topics for sure, but probably not something you will need in your first months of learning cyber security. Thank you for reading, and standby for more articles 🙂

Like my articles?

You are welcome to comment on this article, and please share with friends.

I would be even more grateful if you support me by buying me a cup of coffee at the following link:


I learned a lot through HackTheBox’s Academy. If you want to sign up for this awesome site, you can get extra cubes, and support me in the process, if you use the following link:

https://referral.hackthebox.com/mzwwXlg
