NMAP Tutorial

1) What is Nmap?

Nmap (Network Mapper) is a free, open-source utility for network discovery and security auditing. It can discover live hosts, enumerate open ports and services, attempt service/version detection, and fingerprint operating systems, all using crafted network packets. It is widely used by sysadmins, security engineers and penetration testers.

2) Install Nmap

  • Kali / Debian / Ubuntu: sudo apt update && sudo apt install nmap. Kali Linux bundles Nmap by default.
  • Windows: Download the official installer (includes the Npcap packet capture driver) from the Nmap website.
  • macOS: Install via Homebrew (brew install nmap) or use the macOS package from nmap.org.

3) Basic concepts & terminology

  • Host discovery (ping scan): find which IPs are alive.
  • Port scanning: determine which ports are open (TCP/UDP).
  • Service/version detection: ask the service what it is (e.g. ssh vs dropbear) and try to identify version strings.
  • OS fingerprinting: infer the remote OS from TCP/IP stack behavior.
    These are the core functions Nmap performs using raw packets.

4) Common scan types (with flags)

  • SYN scan (stealth): -sS
    Fast and common; sends a SYN and listens for SYN/ACK (requires raw-socket privileges). Good default for TCP discovery.
  • Connect scan (no raw sockets): -sT
    Uses the OS TCP stack to complete a full TCP connection (slower, noisier).
  • UDP scan: -sU
    UDP probing; slower and less reliable (many UDP services don't respond).
  • Version detection: -sV
    Probes open ports and tries to identify the service and version.
  • OS detection: -O
    Attempts to fingerprint the remote operating system.
  • Aggressive (all-in-one) scan: -A
    Enables OS detection, version detection, script scanning and traceroute. Very noisy. Use with permission.

5) Target & port specification examples

  • Single host: nmap 10.0.0.5
  • Range: nmap 10.0.0.0/24
  • Multiple IPs: nmap 10.0.0.5 10.0.0.6
  • Ports: -p 22,80,443 or port ranges -p 1-1024 or -p- (all ports)

6) Nmap Scripting Engine (NSE)

NSE lets you run scripts (Lua) during scans to detect vulnerabilities, brute-force services, enumerate information, etc.

  • Quick use: -sC (run common default scripts).
  • Custom scripts: --script <category-or-scriptname>.
  • Pass script args: --script-args 'user=admin,pass=123'.
    NSE is powerful; many useful scripts are bundled with Nmap, and you can also write your own.

7) Timing and performance

  • Timing templates control speed vs accuracy / stealth: -T0 (paranoid) → -T5 (insane).
  • Higher -T values are faster but more likely to lose accuracy, trigger IDS/IPS, or overwhelm networks. Use -T3 or -T4 for normal scans; lower the value when stealth or reliability matters.

8) Practical examples

  1. Quick port scan of a single host (no ping):
nmap -Pn -p 22,80,443 10.0.0.5

-Pn skips host discovery (treats the host as up).

  2. Fast TCP SYN scan with version detection (common pentest starter):
sudo nmap -sS -sV -p 1-1000 -T4 10.0.0.0/24
  3. Aggressive scan (noisy; only with permission):
sudo nmap -A -p- -T4 10.0.0.5
  4. UDP scan of common ports (slow; combine with -sV where useful):
sudo nmap -sU -p 53,67,69,123 10.0.0.5
  5. Run default NSE scripts:
sudo nmap -sC -sV 10.0.0.5
  6. Run a specific NSE script or category:
sudo nmap --script vuln 10.0.0.5
sudo nmap --script ssl-heartbleed -p 443 10.0.0.5

(ssl-heartbleed is an example; replace it with the exact name of the script you want to run.)

9) Output formats & saving results

  • Normal: default console output.
  • Save to text: -oN output.txt
  • Save grepable: -oG output.gnmap (less used now)
  • Save XML: -oX output.xml (useful for automation / parsing)
  • All formats: -oA basename (creates basename.nmap, .xml, .gnmap)
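The XML format is the one to use for automation. As an added example (not code from the page or the Nmap project), the script below parses two constructed -oX outputs of the same host and reports ports that are open in the newer scan but were not open in the baseline, which is the check a defender runs to catch newly exposed services; the sample XML is constructed and trimmed to the elements the parser uses.

```python
import xml.etree.ElementTree as ET

# Constructed sample of nmap -oX output (only the elements used below).
BASELINE_XML = """<nmaprun args="nmap -sS -sV -oX baseline.xml 10.0.0.5">
<host><status state="up"/><address addr="10.0.0.5" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="8.9p1"/></port>
<port protocol="tcp" portid="443"><state state="closed"/></port>
</ports></host></nmaprun>"""

# Constructed later scan: 22 still open, 8080 newly open, a second host reported down.
CURRENT_XML = """<nmaprun args="nmap -sS -sV -oX current.xml 10.0.0.5">
<host><status state="up"/><address addr="10.0.0.5" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="8.9p1"/></port>
<port protocol="tcp" portid="8080"><state state="open"/><service name="http-proxy"/></port>
</ports></host>
<host><status state="down"/><address addr="10.0.0.6" addrtype="ipv4"/></host></nmaprun>"""


def open_ports(xml_text):
    """Map each up host's IPv4 address to {(proto, port): service} for open ports only."""
    result = {}
    for host in ET.fromstring(xml_text).findall("host"):
        if host.find("status").get("state") != "up":
            continue  # hosts nmap reported down have no port data worth tracking
        ip = host.find("address[@addrtype='ipv4']").get("addr")
        ports = {}
        for port in host.findall("ports/port"):
            if port.find("state").get("state") != "open":
                continue  # closed/filtered ports are not exposure
            svc = port.find("service")  # absent when -sV was not used or nothing matched
            fields = [] if svc is None else [svc.get(k, "") for k in ("name", "product", "version")]
            ports[(port.get("protocol"), int(port.get("portid")))] = " ".join(f for f in fields if f)
        result[ip] = ports
    return result


def new_open_ports(baseline_xml, current_xml):
    """Ports open in the current scan that were not open in the baseline scan."""
    base = open_ports(baseline_xml)
    diff = {}
    for ip, ports in open_ports(current_xml).items():
        added = {k: v for k, v in ports.items() if k not in base.get(ip, {})}
        if added:
            diff[ip] = added
    return diff


if __name__ == "__main__":
    for ip, ports in new_open_ports(BASELINE_XML, CURRENT_XML).items():
        for (proto, num), svc in sorted(ports.items()):
            print(f"NEW {ip} {num}/{proto} {svc}")
```

Feed it real files with open("baseline.xml").read() and open("current.xml").read() in place of the constructed strings; hosts that drop to "down" between scans are ignored rather than reported.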

10) Safety, ethics & legality (very important)

Only scan systems you own or have explicit written permission to test. Scanning without authorization can be illegal and may trigger security defenses. When in doubt, get written authorization (scope, allowed IPs, timing). Nmap is a dual-use tool: powerful and potentially disruptive.

11) Troubleshooting tips

  • If you get limited results, try running as root/administrator (some scan types require raw sockets).
  • Firewalls/IPS may block probes; try adjusting timing (-T) or using smaller port lists.
  • UDP scans are slow: combine UDP scanning with targeted ports or NSE scripts.
  • For packet capture on Windows hosts, ensure Npcap is installed (it is the Windows capture backend).

12) Further reading / references

  • Official Nmap site and docs (definitive reference).
  • Nmap book / manual pages (deep reference for flags).
  • NSE scripting tutorial (how to write and use scripts).
  • Examples and community tutorials (practical walkthroughs), e.g. HackerTarget.com.

Quick cheat sheet

  • nmap 10.0.0.5 — basic scan
  • sudo nmap -sS -sV -p 1-1024 -T4 10.0.0.5 — stealth SYN + version detection
  • sudo nmap -A 10.0.0.5 — aggressive (OS + version + scripts)
  • sudo nmap -sU -p 53,69 10.0.0.5 — UDP scan
  • sudo nmap -sC --script vuln 10.0.0.5 — run default + vuln scripts
  • nmap -oA results 10.0.0.0/24 — save all output formats

Key takeaways

  • Nmap is the go-to tool for host discovery, port/service enumeration and basic vulnerability reconnaissance.
  • Use -sS for speed/stealth, -sT if you lack raw privileges, -sU for UDP, and -sV / -O for deeper discovery.
  • NSE scripts add powerful checks: use -sC for common scripts or --script for tailored checks.
  • Always scan only with authorization; tune timings to avoid detection and false negatives.