Nmap Tutorial: Master Network Discovery and Security Scanning
What is Nmap?
Nmap is a free and open-source utility for network exploration and security auditing. It can:
- Discover hosts on a network
- Identify open ports and running services
- Detect operating systems and service versions
- Scan for vulnerabilities
- Execute custom scripts for deeper analysis
Official website: nmap.org
Installation
Linux
```bash
sudo apt update && sudo apt install nmap -y   # Debian/Ubuntu
sudo dnf install nmap -y                      # Fedora
sudo pacman -S nmap                           # Arch
```
macOS
```bash
brew install nmap
```
Windows
Download the official installer from nmap.org/download.
Basic Scanning Commands
1. Host Discovery (Ping Scan)
```bash
nmap -sn 192.168.1.0/24
```
-sn: host discovery only, no port scan. Good for listing live hosts. On the local Ethernet segment a privileged scan uses ARP requests, so hosts that drop ICMP still show up; across a router Nmap falls back to ICMP echo plus TCP probes to ports 80 and 443, which some hosts block. A host missing from -sn output is therefore "did not answer the discovery probes", not "down".
2. Basic Port Scan
```bash
nmap 192.168.1.105
```
Scans the 1000 most common TCP ports (as ranked in Nmap's nmap-services file). The scan type is SYN when run as root and a full TCP connect otherwise. UDP is not touched unless you add -sU.
3. SYN Scan (Stealthy)
```bash
sudo nmap -sS 192.168.1.105
```
Half-open scan: Nmap sends a SYN, classifies the port from the SYN/ACK or RST that comes back, and never completes the handshake, so the listening application never sees a connection and usually logs nothing. It needs raw sockets, hence root. It is fast, but "stealthy" only against application logs; any IDS or stateful firewall sees the SYN burst plainly.
4. Service Version Detection
```bash
nmap -sV 192.168.1.105
```
Talks to each open port and matches banners and probe responses against Nmap's service fingerprint database, reporting service names and versions (e.g., Apache httpd 2.4.41). Slower and noisier than a plain port scan, because it actually exchanges data with every service it finds.
5. OS Detection
```bash
sudo nmap -O 192.168.1.105
```
Fingerprints the TCP/IP stack to guess the operating system. Needs root for raw packets, and the guess is most reliable when Nmap finds at least one open and one closed TCP port to probe.
6. Aggressive Scan (All-in-One)
```bash
sudo nmap -A 192.168.1.105
```
Combines OS detection (-O), version detection (-sV), default script scanning (-sC), and traceroute. Convenient, but it is the loudest option here: expect it to show up in every log on the target.
Scanning Techniques
Scan Specific Ports
```bash
nmap -p 80,443,22 192.168.1.105
nmap -p 1-1000 192.168.1.105    # Range
nmap -p- 192.168.1.105          # All 65535 ports (1-65535)
```
Port lists are TCP unless you add -sU for UDP; -p U:53,T:22,80 selects per protocol.
Scan Multiple Targets
```bash
nmap 192.168.1.100-150
nmap -iL targets.txt     # From file, one host or range per line
```
Output Formats
```bash
nmap -oN scan.txt target     # Normal
nmap -oX scan.xml target     # XML (great for tools)
nmap -oG scan.gnmap target   # Grepable
nmap -oA scan target         # All three at once: scan.nmap, scan.xml, scan.gnmap
```
XML is the format to feed other tools: it carries host state, per-port state and reason, service fingerprints and NSE script output as structured elements rather than as text you have to regex apart.
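To show what "great for tools" means in practice, here is an added example (not code from the original tutorial or from the Nmap project) that parses -oX output into a per-host inventory with ElementTree and pulls out NSE script results, whether they hang off a port (http-title) or off the host (smb-os-discovery). The XML is constructed by hand to mirror Nmap's layout; the hosts, products and script outputs in it are made up.

```python
"""Parse Nmap XML output (-oX) into a per-host inventory, NSE results included.
Added example, not code from the original tutorial or the Nmap project. The
XML below is constructed by hand to mirror Nmap's layout; it is not a real scan."""
import xml.etree.ElementTree as ET   # fine for your own scan files; use defusedxml for untrusted XML
from dataclasses import dataclass, field

SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV --script http-title,smb-os-discovery -oX - 192.168.1.105 192.168.1.110 192.168.1.106" version="7.94">
<host><status state="up" reason="echo-reply"/>
 <address addr="192.168.1.105" addrtype="ipv4"/>
 <hostnames><hostname name="web.lan" type="PTR"/></hostnames>
 <ports>
  <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
   <service name="ssh" product="OpenSSH" version="8.2p1" method="probed" conf="10"/></port>
  <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
   <service name="http" product="Apache httpd" version="2.4.41" method="probed" conf="10"/>
   <script id="http-title" output="Apache2 Ubuntu Default Page: It works"/></port>
  <port protocol="tcp" portid="443"><state state="filtered" reason="no-response"/>
   <service name="https" method="table" conf="3"/></port>
 </ports></host>
<host><status state="up" reason="arp-response"/>
 <address addr="192.168.1.110" addrtype="ipv4"/>
 <address addr="00:0C:29:3A:1B:2C" addrtype="mac"/>
 <ports>
  <port protocol="tcp" portid="445"><state state="open" reason="syn-ack"/>
   <service name="microsoft-ds" method="table" conf="3"/></port>
 </ports>
 <hostscript><script id="smb-os-discovery" output="OS: Windows Server 2019 Standard 17763"/></hostscript>
</host>
<host><status state="down" reason="no-response"/>
 <address addr="192.168.1.106" addrtype="ipv4"/></host>
</nmaprun>
"""


@dataclass
class Port:
    number: int
    protocol: str
    state: str
    service: str = ""
    product: str = ""
    version: str = ""
    scripts: dict = field(default_factory=dict)   # NSE script id -> output (portrule scripts)


@dataclass
class Host:
    address: str
    state: str
    hostname: str = ""
    ports: list = field(default_factory=list)
    host_scripts: dict = field(default_factory=dict)   # hostrule scripts, e.g. smb-os-discovery


def _attr(el, name, default=""):
    """Attribute lookup that tolerates a missing element (e.g. no <service> without -sV)."""
    return default if el is None else el.get(name, default)


def parse_nmap_xml(xml_text: str) -> list[Host]:
    """Down hosts are kept (with no ports) so the caller can see they were scanned."""
    hosts = []
    for h in ET.fromstring(xml_text).iter("host"):
        # A host can carry several <address> elements (ipv4 plus mac); prefer the ipv4 one
        addr = h.find("address[@addrtype='ipv4']")
        if addr is None:
            addr = h.find("address")
        host = Host(address=_attr(addr, "addr", "?"),
                    state=_attr(h.find("status"), "state", "unknown"),
                    hostname=_attr(h.find("hostnames/hostname"), "name"))
        for p in h.iterfind("ports/port"):
            svc = p.find("service")
            host.ports.append(Port(
                number=int(p.get("portid")), protocol=p.get("protocol", "tcp"),
                state=_attr(p.find("state"), "state", "unknown"),
                service=_attr(svc, "name"), product=_attr(svc, "product"),
                version=_attr(svc, "version"),
                scripts={s.get("id"): s.get("output", "") for s in p.findall("script")}))
        host.host_scripts = {s.get("id"): s.get("output", "") for s in h.iterfind("hostscript/script")}
        hosts.append(host)
    return hosts


def inventory(hosts: list[Host]) -> dict[str, list[str]]:
    """address -> ['22/tcp ssh OpenSSH 8.2p1', ...] for live hosts; filtered/closed ports dropped."""
    inv = {}
    for host in hosts:
        if host.state != "up":
            continue
        inv[host.address] = [
            " ".join(x for x in (f"{p.number}/{p.protocol}", p.service, p.product, p.version) if x)
            for p in host.ports if p.state == "open"]
    return inv


def script_findings(hosts: list[Host]) -> list[tuple]:
    """Flatten NSE output to (address, port or None for host scripts, script id, output)."""
    out = []
    for h in hosts:
        out += [(h.address, None, sid, text) for sid, text in h.host_scripts.items()]
        for p in h.ports:
            out += [(h.address, p.number, sid, text) for sid, text in p.scripts.items()]
    return out


if __name__ == "__main__":
    hosts = parse_nmap_xml(SAMPLE_XML)
    for addr, ports in inventory(hosts).items():
        print(addr, ", ".join(ports) or "no open ports")
    for addr, port, sid, text in script_findings(hosts):
        print(f"{addr}:{port or '-'} {sid}: {text}")
```

Swap SAMPLE_XML for the contents of a real scan.xml and the same functions apply; diffing two inventory() results between scans is the cheapest way to catch a port that was not open last week.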
Nmap Scripting Engine (NSE)
The real power of Nmap lies in its scripting engine. Scripts are written in Lua, ship in categories (safe, default, vuln, intrusive, brute, discovery and others), and can perform vulnerability checks, credential brute forcing, and more. Anything outside the safe category may change state on the target or crash fragile services, so read a script's description before pointing it at production.
Update Script Database
```bash
sudo nmap --script-updatedb
```
Run a Single Script
```bash
nmap --script http-enum 192.168.1.105
```
Run Categories of Scripts
```bash
nmap --script vuln 192.168.1.105
nmap --script safe 192.168.1.105
nmap --script intrusive 192.168.1.105   # Be careful - can be noisy and can crash services
```
Category names can be combined with boolean expressions, e.g. --script "vuln and safe" or --script "default and not intrusive".
Practical Script Examples
1. Vulnerability Scanning
```bash
# Scan for common vulnerabilities (version detection lets scripts pick the right checks)
sudo nmap -sV --script vuln 192.168.1.105

# Heartbleed check
nmap -p 443 --script ssl-heartbleed 192.168.1.105
```
2. HTTP Enumeration
```bash
nmap -p 80,443 --script http-enum,http-title,http-headers 192.168.1.105
```
3. SMB Enumeration (Windows)
```bash
nmap -p 445 --script smb-os-discovery,smb-enum-shares,smb-vuln-ms17-010 192.168.1.105
```
smb-enum-shares returns far more with valid credentials (--script-args smbusername=user,smbpassword=pass); anonymous sessions are disabled on most current Windows builds.
4. Brute Force (Use with caution!)
```bash
nmap --script ssh-brute -p 22 192.168.1.105
```
Brute forcing locks out accounts and fills auth logs; on an engagement, agree on it first. Supply your own lists with --script-args userdb=users.txt,passdb=passwords.txt instead of Nmap's defaults.
5. WordPress Scanning
```bash
nmap -p 80 --script http-wordpress-enum,http-wordpress-users 192.168.1.105
```
6. Default Credentials Check
```bash
nmap --script http-default-accounts 192.168.1.105
```
7. DNS Information
```bash
nmap --script dns-brute target.com
```
dns-brute guesses subdomains from a wordlist, so every guess lands in the authoritative server's query logs.
8. Comprehensive Web Server Scan
```bash
sudo nmap -sV -p 80,443 \
  --script "default,http-vuln*,http-enum,ssl-cert,ssl-enum-ciphers" \
  192.168.1.105
```
The default category is named inside --script rather than via -sC so that one option carries the whole script list, and the list is quoted so the shell does not expand http-vuln* against files in the current directory.
Advanced Usage
Timing and Performance
```bash
nmap -T4 target              # Aggressive timing template (scale 0-5, default is -T3)
nmap --min-rate 1000 target  # Never send fewer than 1000 packets per second
```
Faster is not free: on lossy links or rate-limiting targets, -T5 and a high --min-rate can report open ports as filtered because replies were dropped.
Evasion Techniques (Ethical use only!)
```bash
nmap -D RND:10 target   # Decoy scan: 10 random decoy source addresses mixed in with your own
nmap -f target          # Fragment probes into 8-byte IP fragments
```
Both need raw sockets (root). Decoys only obscure which source is real; the target still sees every probe. Fragmentation defeats only packet filters that do not reassemble, and most stateful firewalls do.
Firewall/IDS Evasion
```bash
nmap -sS -T2 -f --data-length 25 target
```
Slow timing (-T2), fragmented probes, and 25 bytes of random padding appended to each packet (--data-length) to break signatures that key on Nmap's empty probes.
Visualizing Results
Use tools like:
- Zenmap (GUI for Nmap)
- xsltproc, applied to the XML output, for HTML reports:
```bash
nmap -oX scan.xml target
xsltproc scan.xml -o scan.html   # applies the nmap.xsl stylesheet referenced inside the XML
```
Add --webxml to the scan if the report will be converted on a machine without Nmap installed; the XML then references the stylesheet hosted on nmap.org instead of a local path.
Best Practices
- Always get permission — Scanning without authorization is illegal in most places.
- Start small — Begin with host discovery, then port scan, then service/version detection.
- Use verbose mode (-v or -vv) for more details during scans.
- Save outputs — Always use -oN, -oX, or both (-oA writes every format at once).
- Combine with other tools — Nmap + Metasploit, Nmap + Nuclei, etc.
- Keep Nmap updated — New scripts and fingerprints are added regularly.
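The "start small" and "save outputs" advice chained together, as an added example that is not part of the original tutorial: discovery first, then a port scan of only the live hosts, then -sV on only the ports seen open, with each stage's XML written to disk and the grepable stream parsed to feed the next stage. The command runner is injectable, and the grepable samples in offline_runner are constructed by hand (addresses, hostnames and ports are made up) so the flow can be exercised without Nmap installed or any network access.

```python
"""Staged Nmap workflow: discover live hosts, port-scan only those, then run
version detection only on the ports found open. Added example, not code from
the original tutorial; the -oG samples in OFFLINE_OUTPUT are constructed."""
import re
import subprocess
from pathlib import Path

# -oG host line from a ping scan: "Host: 192.168.1.105 (web.lan)\tStatus: Up"
STATUS_RE = re.compile(r"^Host:\s+(\S+)\s+\(.*?\)\s+Status:\s+(\w+)")
# -oG port line: "Host: 192.168.1.105 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///\t..."
# each entry is port/state/proto/owner/service/rpc/version/ and entries are separated by ", "
PORTS_RE = re.compile(r"^Host:\s+(\S+)\s+\(.*?\)\s+Ports:\s+(.*?)(?:\t|$)")


def live_hosts(grepable: str) -> list[str]:
    """Addresses reported Up, de-duplicated, in the order Nmap printed them."""
    seen: dict[str, None] = {}
    for line in grepable.splitlines():
        m = STATUS_RE.match(line)
        if m and m.group(2) == "Up":
            seen.setdefault(m.group(1), None)
    return list(seen)


def open_ports(grepable: str) -> dict[str, list[int]]:
    """address -> open port numbers; filtered and closed entries are dropped."""
    found: dict[str, list[int]] = {}
    for line in grepable.splitlines():
        m = PORTS_RE.match(line)
        if not m:
            continue
        ports = [int(e.split("/")[0]) for e in m.group(2).split(", ") if e.split("/")[1] == "open"]
        if ports:
            found[m.group(1)] = ports
    return found


def discovery_cmd(cidr: str, outdir) -> list[str]:
    # -sn: host discovery only. XML is saved; grepable goes to stdout for parsing.
    return ["nmap", "-sn", "-oX", str(Path(outdir) / "01-discovery.xml"), "-oG", "-", cidr]


def port_scan_cmd(hosts: list[str], outdir) -> list[str]:
    # No scan type given: Nmap picks SYN when root, TCP connect otherwise (top 1000 ports).
    return ["nmap", "-oX", str(Path(outdir) / "02-ports.xml"), "-oG", "-", *hosts]


def version_cmd(host: str, ports: list[int], outdir) -> list[str]:
    # Probe only ports already seen open: far fewer packets than a blanket -sV.
    return ["nmap", "-sV", "-p", ",".join(map(str, ports)),
            "-oX", str(Path(outdir) / f"03-versions-{host}.xml"), "-oG", "-", host]


def run_nmap(cmd: list[str]) -> str:
    """Run one nmap command without a shell and return its stdout."""
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


# Constructed stand-in for nmap output so the pipeline can run offline (made-up hosts/ports).
OFFLINE_OUTPUT = {
    "-sn": "Host: 192.168.1.1 (router.lan)\tStatus: Up\nHost: 192.168.1.105 ()\tStatus: Up\n",
    "ports": "Host: 192.168.1.1 (router.lan)\tStatus: Up\n"
             "Host: 192.168.1.1 (router.lan)\tPorts: 53/open/tcp//domain///, 80/filtered/tcp//http///\tIgnored State: closed (998)\n"
             "Host: 192.168.1.105 ()\tStatus: Up\n"
             "Host: 192.168.1.105 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///\tIgnored State: closed (998)\n",
    "-sV": "Host: 192.168.1.105 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.2p1/, 80/open/tcp//http//Apache httpd 2.4.41/\n",
}


def offline_runner(cmd: list[str]) -> str:
    if "-sn" in cmd:
        return OFFLINE_OUTPUT["-sn"]
    return OFFLINE_OUTPUT["-sV"] if "-sV" in cmd else OFFLINE_OUTPUT["ports"]


def run_pipeline(cidr: str, outdir, runner=run_nmap) -> dict:
    """Discovery -> ports -> versions. Returns live hosts, open ports, and every command issued."""
    log: list[list[str]] = []

    def step(cmd: list[str]) -> str:
        log.append(cmd)
        return runner(cmd)

    hosts = live_hosts(step(discovery_cmd(cidr, outdir)))
    found = open_ports(step(port_scan_cmd(hosts, outdir))) if hosts else {}
    for host, ports in found.items():
        step(version_cmd(host, ports, outdir))
    return {"hosts": hosts, "open": found, "commands": log}


if __name__ == "__main__":
    # For a real scan: create the output directory and pass runner=run_nmap (root for SYN scans).
    result = run_pipeline("192.168.1.0/24", "scans", runner=offline_runner)
    print(result["hosts"], result["open"])
    for cmd in result["commands"]:
        print(" ".join(cmd))
```

Each stage writes its own XML, so the commands list plus the scans directory is a complete record of what was sent to the target, which is what you want both for the report and for the conversation with whoever owns the IDS.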
Common Use Cases
- Network Inventory: Discover all devices on your LAN.
- Penetration Testing: Initial reconnaissance phase.
- Security Auditing: Find outdated services and misconfigurations.
- Incident Response: Map compromised networks.
Conclusion
Nmap is an incredibly versatile tool that rewards deep learning. Start with basic scans and gradually incorporate the scripting engine to unlock its full potential.