Article by James Hawkins

As we all know, Nmap (Network Mapper) is a stealth port scanner widely used by network security experts (including forensics & Pen-testing Experts). In this article we’ll see the different types of Nmap Scans, its techniques, understanding the purpose and goals of each scan , its advantages or disadvantages over other scanning tools, which could be better at evading firewalls & IDS (To a certain extent) and much more. In this first part, I have made my best to explain the basic scanning techniques, Host discovery options, port scanning options, techniques used in detecting Operating system & services running on the system.

i also give Nmap as already installed on your system.







Let’s start with one of the most basic and default scan, the one without using any parameters.

Open up the terminal, in Ubuntu ctrl+alt +t

$ sudo nmap 192.168.1.34 $ sudo nmap 192.168.1.34

This is a basic scan of the local IP address 192.168.1.34, we use sudo to gain administrator privileges, and then we give the target to Nmap.

Moreover, you can also scan multiple ip address at once, so for example you can give:

$ sudo nmap 192.168.1.33 192.168.1.36 192.168.1.38 192.168.1.39 $ sudo nmap 192.168.1.33 192.168.1.36 192.168.1.38 192.168.1.39

Note there is a space between each complete ip address, in above example we have used 4 target ip addresses to do the scan at once

Discovery

Before scanning a target port, Nmap will attempt to send ICMP echo request to see if the remote host is “alive”. This can save time when scanning multiple hosts as nmap won’t waste time attempting to probe hosts that are offline.

Don’t ping -PN

With this option Nmap simply don’t ping the target/s

$ sudo nmap -PN 192.168.1.34 $ sudo nmap -PN 192.168.1.34

Only Ping scan -sP

This is used to perform simple ping scan of the specified host

$ sudo nmap -sP 192.168.1.34 $ sudo nmap -sP 192.168.1.34

This scan is useful when you want to do a quick search of the target network to see which hosts are online without actually scanning the targets for open ports

ARP Ping scan

The –PR option instructs nmap to perform an ARP (Address Resolution Protocol) ping scan on the desired target ip.

$ sudo nmap –PR 192.168.1.3 $ sudo nmap –PR 192.168.1.3

-PR option is automatically implied when scanning a local network. This type of discovery is much faster as compared to other ping methods . it has the added benefit of being more appropriate because LAN host can’t block ARP request.

NOTE: this type of scan doesn’t work on targets which aren’t in your subnet range.

Port scanning options

Performing Fast scan:

The –F option instructs nmap to perform a scan of only the 100 most commonly used ports

sudo nmap –F 192.168.1.34 sudo nmap –F 192.168.1.34

Nmap scans the top 1000 commonly used ports by default. The –F option reduces that number to 100. This can drastically increase your scanning speed, while still checking the most commonly used ports.

Scan only specific ports

The -p option is used to instruct nmap to scan the specified port(s)

To check if the telnet port is open:

sudo nmap –p23 192.168.1.34 sudo nmap –p23 192.168.1.34

The above example demonstrates using –p to scan port 23.

You can also scan more ports by adding comma (,) between each port or providing the scan a port range, you can indicate this with a –

$ sudo nmap –p 22 , 25 , 53 , 80 - 200 192.168.1.34 $ sudo nmap –p 22,25,53 ,80-200 192.168.1.34

In this example the –p option is used to scan ports 22,25,53 and range from 80 up to 200

Note: The output shows only the open ports.

Scan Ports by name

The -p option can also be used to scan the ports by name

$ nmap -p smtp, ftp 192.168.1.34 $nmap -p smtp,ftp 192.168.1.34

The above example demonstrates how to do the scan for status of the ports SMTP and FTP by using -p option with the name of the ports.

Scan all ports

The -p “*” option is a great option to scan all 65,535 TCP/IP ports on the target machine.

$ nmap -p “ * ” 192.168.1.34 $nmap -p “*” 192.168.1.34

Choose between TCP and UDP protocol

And at last with the option -p we can also choose to scan some ports for TCP or UDP protocol only

$ nmap -p T: 3000 - 4000 192.168.1.34 $nmap -p T:3000-4000 192.168.1.34



In the above screen shot it’s specified a port range with (T) that implies TCP only, whereas U:60000- could also be added, in that case it would have implied only the UDP protocol





Operating system and service detection

The -O parameter enables Nmap’s O.S Detection feature in the scan

nmap -O 192.168.1.34 nmap -O 192.168.1.34

Attempt to guess an unknown O.S

If Nmap is not able to identify the Operating system, you can force it to guess by using the option –osscan-gues

$ nmap -O – osscan-guess 192.168.1.1 $ nmap -O – osscan-guess 192.168.1.1

Service version detection

The -sV parameter is used to detect version of services

$ nmap -sV 192.168.1.34 $ nmap -sV 192.168.1.34

This finish the first part of this overview of the most used parameters of Nmap, stay tuned for part 2.

Popular Posts:

None Found