Sweshi's Tutorials

NMAP Tutorial

NOTICE: All the tutorials on this website are meant to help you find security vulnerabilities on your own network and devices to understand your security posture before black hats do. Penetration testing without written consent is illegal and you can be prosecuted. Use these tutorials to secure your own networks or those whose permission you have been granted. Keep it ethical and keep it professional.
Nmap Introduction

Nmap is a free and open source network scanner that provides information about the hosts and services on a computer network. It can show which machines are live on the network, their operating systems, the open ports on them and even the services that could be running on those ports.

nmap installation

To install the tool, run the following command on Kali Linux. If you are using Windows, you can download Zenmap instead.

sudo apt install nmap
nmap usage example: scanning live hosts

We will scan for live hosts on the 192.168.43.0 local area network (192.168.43.1-250) using a TCP scan with service enumeration (-sV) and no DNS resolution (-n). You can use a UDP scan with -sU instead.

nmap -n -sV 192.168.43.1-250

[Image: output of nmap -n -sV 192.168.43.1-250]

When you look at the results, you can see the hosts that were found (red arrow). For each host, the port numbers that were found are listed (green arrow), and for each port there is a banner grab that shows the service running on it (blue arrow).

nmap port scanning

We can also scan a specific IP address. In this case, I enable OS detection, version detection, script scanning and traceroute, which are run against the open TCP ports of a target IP address (192.168.43.1). You can also use a domain name such as google.com instead of an IP address. I wanted to save the output to a file, so I used "-oN results.txt".

  • "-oN": This option specifies the output format. '-oN' means the output is saved in normal (human-readable) format to the file named after it, which is created in the current directory unless you give a path. The option takes the file name as its argument, so it is written "-oN results.txt".
  • "-v": This option enables verbose mode, providing more detailed information about the scan process.
  • "-A": This option is equivalent to enabling aggressive scanning options. It includes OS detection, version detection, script scanning, and traceroute.
  • "-sV": This option tells nmap to do service version detection, which means it will attempt to determine the version of the service running on the discovered ports.

nmap -oN results.txt -v -A -sV 192.168.43.141

The results are long, so I have highlighted a few sections below, starting with the open ports.

[Image: port scan results]

Services enumerated

[Image: service enumeration]

OS scan, script and traceroute results

[Image: traceroute]
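The listing that the live-host scan above prints on screen is exactly what "-oN" writes to results.txt: one "Nmap scan report for" block per host, with a PORT/STATE/SERVICE/VERSION table under it. The parser below is an added example, written for this tutorial and not part of nmap or the original page; it turns such a file into host and port records so the findings can be filtered (for instance, every host with a given port open) rather than read by eye. SAMPLE_OUTPUT is a constructed results file that mirrors the format; the addresses and banners in it are made up.

```python
"""Parse nmap normal (-oN) output into host/port/service records.

Added example for this tutorial, not part of nmap or the original page.
SAMPLE_OUTPUT is constructed to mirror what `nmap -n -sV -oN results.txt`
writes; pass the text of your own results.txt to parse_normal_output().
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

SAMPLE_OUTPUT = """\
# Nmap 7.94 scan initiated Mon Jan  1 12:00:00 2024 as: nmap -n -sV -oN results.txt 192.168.43.1-250
Nmap scan report for 192.168.43.1
Host is up (0.0021s latency).
Not shown: 998 closed tcp ports (reset)
PORT    STATE SERVICE VERSION
53/tcp  open  domain  dnsmasq 2.85
80/tcp  open  http    lighttpd 1.4.59

Nmap scan report for 192.168.43.141
Host is up (0.0051s latency).
Not shown: 997 closed tcp ports (reset)
PORT    STATE    SERVICE      VERSION
22/tcp  open     ssh          OpenSSH 8.9p1 Ubuntu 3ubuntu0.4 (Ubuntu Linux; protocol 2.0)
80/tcp  open     http         Apache httpd 2.4.52 ((Ubuntu))
445/tcp filtered microsoft-ds
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Jan  1 12:00:30 2024 -- 250 IP addresses (2 hosts up) scanned in 30.12 seconds
"""

# "Nmap scan report for 10.0.0.1" (with -n) or "Nmap scan report for name (10.0.0.1)"
REPORT_RE = re.compile(r"^Nmap scan report for (\S+)(?: \((\S+)\))?$")
# "22/tcp  open  ssh  OpenSSH 8.9p1 ..."; the VERSION column is optional and may contain spaces
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")


@dataclass
class Port:
    number: int
    proto: str
    state: str       # open, closed, filtered, open|filtered, ...
    service: str
    version: str = ""


@dataclass
class Host:
    address: str
    hostname: Optional[str] = None
    ports: List[Port] = field(default_factory=list)


def parse_normal_output(text: str) -> List[Host]:
    hosts: List[Host] = []
    current: Optional[Host] = None
    for line in text.splitlines():
        m = REPORT_RE.match(line)
        if m:
            name, addr = m.groups()
            current = Host(address=addr or name, hostname=name if addr else None)
            hosts.append(current)
            continue
        m = PORT_RE.match(line)
        if m and current is not None:
            num, proto, state, service, version = m.groups()
            current.ports.append(Port(int(num), proto, state, service, (version or "").strip()))
    return hosts


def open_services(hosts: List[Host]):
    """Flatten to (address, port, service, version) for every open port."""
    return [(h.address, p.number, p.service, p.version)
            for h in hosts for p in h.ports if p.state == "open"]


def hosts_exposing(hosts: List[Host], port: int, proto: str = "tcp") -> List[str]:
    """Addresses that have the given port open, e.g. every host listening on 445/tcp."""
    return [h.address for h in hosts
            if any(p.number == port and p.proto == proto and p.state == "open" for p in h.ports)]


if __name__ == "__main__":
    for addr, num, svc, ver in open_services(parse_normal_output(SAMPLE_OUTPUT)):
        print(f"{addr}:{num} {svc} {ver}")
```

Normal output is written for people, and its layout can change between nmap releases; when a scan feeds a script or a ticketing system, save XML with "-oX" as well, since that format is the one nmap documents for machine processing.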

Other types of scans

TCP Connect Scans

nmap -sT -v 192.168.43.141

This scan completes the full three-way handshake (SYN, SYN/ACK, ACK) with each port it probes, i.e. it scans a port by actually connecting to the machine on that port. Because of the full connection, this is normally easily detected by an intrusion detection system.

[Image: full TCP connect scan]

Xmas Scan

nmap -sX -v 192.168.43.141

The Xmas scan does not connect with the host, because it sends FIN, PSH, URG and ACK packets instead of opening a connection. As a result, it is less likely to trigger an intrusion detection system. It is regarded as a stealth scan.

[Image: Xmas scan]

Stealth Scan

nmap -n -sS 192.168.43.141

The "-sS" option is used, which stands for "stealth scan" or "TCP SYN scan". This type of scan sends SYN packets to the target ports to determine if they are open, without completing the TCP handshake. It is stealthier than other scan types because it doesn't establish a full TCP connection, reducing the chances of detection by intrusion detection systems (IDS) or firewalls.

[Image: stealth scan]

Fragmentation Scanning

nmap -n -sS -f 192.168.43.141

Fragmentation scanning sends the probe packets split into smaller IP fragments, which makes it harder for systems inspecting the traffic to know what packets are being sent. This is even more covert than using the stealth scan alone.

  • "-n": This option tells nmap not to resolve hostnames. It will skip DNS resolution and will only display IP addresses.
  • "-sS": This is the option for a TCP SYN scan, also known as a stealth scan. It sends SYN packets to the target ports to determine if they are open, without completing the TCP handshake.
  • "-f": This option fragments the packets. Fragmentation is often used to evade intrusion detection systems (IDS) or firewalls.

[Image: fragmentation scanning]
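Each of the four scan types above leaves a different footprint on the wire, which is what an IDS or a flow analyser keys on: a connect scan completes the handshake and then closes without sending data, a SYN scan answers the SYN/ACK with a RST, an Xmas probe carries FIN, PSH and URG together with no SYN at all, and "-f" shows up as a TCP header arriving in more than one IP fragment. The code below is an added example written for this tutorial, not nmap's code or the original page's, and shows that detection side for all four sections. The Packet class stands in for whatever a parsed capture or flow log gives you, and SAMPLE_TRAFFIC, the addresses in it and the three-port alert threshold are constructed for the demonstration.

```python
"""Recognise the probe patterns behind the scans in this tutorial (full
connect, half-open SYN, Xmas, fragmented) in captured traffic, the way an IDS
rule or flow analyser would. Added example; not part of nmap or the original
page. Packet is a constructed stand-in for a parsed capture, and the sample
traffic, addresses and alert threshold are constructed for the demonstration."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Packet:
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    flags: FrozenSet[str]   # TCP flags set in this packet
    mf: bool = False        # IP "more fragments" bit
    frag_offset: int = 0    # IP fragment offset (8-byte units); only offset 0 carries the TCP header


def tcp(ts, src, sport, dst, dport, *flags, mf=False, off=0):
    return Packet(ts, src, sport, dst, dport, frozenset(flags), mf, off)


SCANNER, CLIENT, TARGET = "192.168.43.50", "192.168.43.20", "192.168.43.141"

def _connect(ts, dport, sport):   # -sT: handshake completed, then closed with no data sent
    return [tcp(ts, SCANNER, sport, TARGET, dport, "SYN"),
            tcp(ts + .001, TARGET, dport, SCANNER, sport, "SYN", "ACK"),
            tcp(ts + .002, SCANNER, sport, TARGET, dport, "ACK"),
            tcp(ts + .003, SCANNER, sport, TARGET, dport, "RST", "ACK")]

def _half_open(ts, dport, sport):  # -sS: the SYN/ACK is answered with a RST, never an ACK
    return [tcp(ts, SCANNER, sport, TARGET, dport, "SYN"),
            tcp(ts + .001, TARGET, dport, SCANNER, sport, "SYN", "ACK"),
            tcp(ts + .002, SCANNER, sport, TARGET, dport, "RST")]

def _xmas(ts, dport, sport):       # -sX: FIN/PSH/URG probe, no SYN at all
    return [tcp(ts, SCANNER, sport, TARGET, dport, "FIN", "PSH", "URG"),
            tcp(ts + .001, TARGET, dport, SCANNER, sport, "RST", "ACK")]

SAMPLE_TRAFFIC: List[Packet] = (
    sum((_connect(1 + i, p, 40000 + i) for i, p in enumerate([22, 80, 443, 3389])), [])
    + [tcp(5.0, SCANNER, 40004, TARGET, 445, "SYN"),             # closed port: only a RST comes back
       tcp(5.001, TARGET, 445, SCANNER, 40004, "RST", "ACK")]
    + sum((_half_open(6 + i, p, 41000 + i) for i, p in enumerate([8080, 8443, 3306])), [])
    + sum((_xmas(9 + i, p, 42000 + i) for i, p in enumerate([21, 23, 25])), [])
    + [tcp(12.0, SCANNER, 43000, TARGET, 139, "SYN", mf=True),   # -sS -f: SYN split over two IP fragments
       tcp(12.0005, SCANNER, 43000, TARGET, 139, off=1),
       tcp(12.001, TARGET, 139, SCANNER, 43000, "SYN", "ACK"),
       tcp(12.002, SCANNER, 43000, TARGET, 139, "RST")]
    + [tcp(20.0, CLIENT, 50000, TARGET, 80, "SYN"),              # an ordinary HTTP session, for contrast
       tcp(20.001, TARGET, 80, CLIENT, 50000, "SYN", "ACK"),
       tcp(20.002, CLIENT, 50000, TARGET, 80, "ACK"),
       tcp(20.003, CLIENT, 50000, TARGET, 80, "PSH", "ACK"),
       tcp(20.010, CLIENT, 50000, TARGET, 80, "FIN", "ACK")]
)


def classify_flow(pkts: List[Packet]) -> set:
    """Label one flow (packets of one port pair, oldest first) by what the initiating side did."""
    client = pkts[0].src
    labels = set()
    if any(p.src == client and (p.mf or p.frag_offset) for p in pkts):
        labels.add("fragmented")
    c_flags = [p.flags for p in pkts if p.src == client and p.frag_offset == 0]
    s_flags = [p.flags for p in pkts if p.src != client]
    if any({"FIN", "PSH", "URG"} <= f and "SYN" not in f for f in c_flags):
        return labels | {"xmas"}
    if not c_flags or c_flags[0] != {"SYN"}:
        return labels | {"unknown"}
    after = c_flags[1:]
    got_synack = any({"SYN", "ACK"} <= f for f in s_flags)
    if any(f == {"ACK"} for f in after):                  # third handshake step was sent
        return labels | {"session" if any("PSH" in f for f in after) else "connect"}
    if got_synack and any("RST" in f for f in after):
        return labels | {"syn"}
    return labels | {"unknown"}                           # closed/filtered port: technique not inferable


def detect_scans(packets: List[Packet], min_ports: int = 3) -> Dict[Tuple[str, str], List[int]]:
    """Map (source, technique) to the ports it probed, keeping only sources worth alerting on."""
    flows = defaultdict(list)
    for p in sorted(packets, key=lambda p: p.ts):
        flows[frozenset([(p.src, p.sport), (p.dst, p.dport)])].append(p)
    probed = defaultdict(set)
    for pkts in flows.values():
        for label in classify_flow(pkts) - {"session", "unknown"}:
            probed[(pkts[0].src, label)].add(pkts[0].dport)
    # a single fragmented probe is already anomalous; the other techniques need a port sweep
    return {k: sorted(v) for k, v in probed.items()
            if len(v) >= (1 if k[1] == "fragmented" else min_ports)}


if __name__ == "__main__":
    for (src, technique), ports in detect_scans(SAMPLE_TRAFFIC).items():
        print(f"{src}: {technique} scan of ports {ports}")
```

The closed-port probe on 445 is deliberately left as "unknown": a SYN answered by a RST looks the same whether it came from -sT or -sS, so the technique is only inferable from ports that answered with SYN/ACK. This is also why the fragmented probe is reported twice, once as "fragmented" on its own and once under the SYN scan it was part of.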