101 Nmap Tutorial : A Simple Guide For Beginners (2019)

Simple Nmap Tutorial For Beginners


Nmap is the most used tool for all type of hackers, especially the White Hat and System Administrators,

Nmap comes with many built-in scripts for various scans, that's why it became one of the popular hacking tools for hackers,

In this Nmap tutorial am going to tell you a short but effective tutorial on how to use Nmap and tell you the advanced Scanning Techniques that are not even told by many other Hackers.😇

Before we start you must have basic knowledge of IP/Networking and Nmap, if not then no need to worry I will try my best to explain more about Nmap Tool,

So in this post, I will be covering these
  • Introduction To Nmap
  • Nmap Basics
  • Basic Target Scans
  • Advanced Nmap Commands for Scanning
  • Performance Optimization
  • Nmap Script Engine
  • Additional Resourses



What is Nmap?

In simple words, Nmap is a Network Mapper, a free and open-source tool that comes with GUI and Command-line interface, and mostly used by IT Professionals to scan enterprise networks, so Nmap helps look for live hosts, specific services, or operating systems.

How To Install Nmap

The Installation of Nmap is depended on your Operating System, in Linux it can be installed with a simple command,
however we are skipping the installation guide as the installation process can be found on the official Nmap documentation,
the interesting thing is you can install Nmap in Android too, we have already published in our blog, you can read it here,

Uses of Nmap

As I told you at the beginning of this tutorial, Nmap is a Network Mapper which helps us to scan a network/host and detect its open ports, closed ports, to check a host is up or not and finally detecting the operating system the host is running and so on.

Before we start using Nmap, you must have basic knowledge of Networking,

Port Scanning: Before we do Port Scanning, you must be clear about what is a port,

a port is basically a way to connecting to a computer, there are over 65353 ports that can be open, closed and filtered

if a port is open that means the computer is listening for a connection.
if a port is close that means the computer is no longer looking for a connection in that port.

if the port is filtered then it is likely to be open or close and the system administrator hiding some sort of information.

Different Ports are used for different connections, such as the common HTTP port is 8080, and FTP port is 21 and so on, a port can be easily identified as it comes after a colon eg: 127.0.0.1:8080, where 8080 is the port.


TCP and UDP protocols

these are most commonly used protocols over a network. However these are used for listening for a connection, they play different roles
as

TCP Protocol
It is a Connection-oriented protocol, in simple words it is used for connections that need things to be ordered specifically, for example, loading a web page.

UDP Protocol
UDP Protocols are Connectionless protocol that doesn't assure the delivery of packets at the end, the most commonly used for Live Video Transforming.

Here is a quick overview of various types of Protocols

Various TCP/IP protocols

Application layer: FTP, HTTP, SNMP, BOOTP, DHCP
Transport layer: TCP, UDP, ICMP, IGMP

Network layer: ARP, IP, RARP
Datalink layer: SLIP, PPP

Now Let's use some Nmap commands for Port Scanning.

Tip:
  In This Tutorial, we are using Nmap in Linux,
Although Port Scanning Is Not Crime as per Shodan,
to avoid Headache in this post we are going to use the host https://scanme.nmap.org for scanning, which is permitted by Official Nmap.

Before Performing Scanning through Nmap, you have to know the Different Scannings types.

Overview Of Nmap Commands

Since we are using Nmap In a Linux Command Line Interface, so we just have to know the Nmap Commands,
you can get a list of commands with its uses by typing Nmap -h
It will print the help menu so that you can easily understand The Nmap Commands.

Now let's See How We can perform Different types of scanning Techniques using Nmap Commands,

Nmap Default Scan

For Running The Default scan the command is so easy that
Nmap host

eg:

nmap scanme.nmap.org

Nmap scan results

after executing the command you will see the results in real-time, it will show us the open ports, closed ports, filtered and even more.

To scan targets from a list then below command is used

nmap -iL targets.txt

Where targets.txt contains the targets

Service Version Scanning

Sometimes we have to face a situation that we cannot determine which software is running on which version of the software.

for that we have to do a service version scanning, it can be done very simply by adding a flag

nmap -sV scanme.nmap.org

it will output all the info regarding to the software versions along with ports,

Note:
However 65,535 ports can be open or closed but remember Nmap will scan only the top 1000 common ports only, for that we will be covering some advanced scanning techniques, so keep reading.

Logging Scans

Sometimes Logging the Nmap scans is extremely useful when you're scanning a large network, it can be done by using the flag -oA logfile-name
Nmap usually supports three types of logging usually (.nmap, .gnmap, .xml)
The log files can be accessible in command line also, just type ls and you will see the list of log files and
type cat logfilename.nmap to read it
Nmap command for logging scans

nmap scanme.nmap.org -oA logfilename


Specific Scan Ranges

As we told you in the beginning that Nmap will scan only top 1000 ports in a normal scan, we can set a range of scan or scan a specific port.

To Scan a Single port then it can be done by using the flag -p
Command: Nmap -p 21 scanme.nmap.org

It will scan only the FTP port and shows the port state.

For a Range of scan
Command:
Nmap -p 1-100 scanme.nmap.org
It will scan ports between the range 1-100

Scan The Common Ports Fast
Nmap -F scanme.nmap.org
It will scan for the most common ports fast.

Scan all 65535 Ports
While there might be several commands To Scan all the ports on the target below command is very easy to use

Nmap -p- scanme.nmap.org
To scan a subnet

Nmap scanme.nmap.org/24
is used to scan the subnet

Ping Scan:

Nmap -sP scanme.nmap.org/24

we will discuss more in advanced scanning section.
Note:
However we did a small recap on Nmap but it takes time to be a master of Nmap,
If you still looking for Nmap commands then check out the Nmap manual by typing man Nmap on the command line or you can read it online here

Now its time to go with advanced scanning techniques, where you will find everything interesting.


Also Read:

How To Hack WiFi Password (Ultimate Guide)

Ultimate Guide To Ethical Hacking With Termux

How To Install Kali Linux On Android (Step by Step Guide)


Nmap Advanced Scanning

Nmap Scan Types

SYN SCAN: This is the default scan by Nmap, in this type of scan Nmap Sends TCP SYN packet to each possible port. If it gets an SYN ACK packet back, then Nmap knows there is a service running there else it shows the port is closed.

TCP Connect: it works the same as SYN scan but it makes a full TCP connection, sometimes its results are more accurate than SYN scan.

Ping Sweep: This is a simple scan that Pings all the addresses to see which are responding to ICMP packets, however, this scan is not so accurate if the target machine is configured not to respond to a ping request.

UDP Scan: This scan is quite slow, and used to check whether any UPD ports are listening for a connection,

FIN Scan: It is just like an SYN scan but it sends a TCP FIN packet,

NULL Scan: This Scan Sets the TCP headers to null, this scan is helpful when the target is a non-Windows server and Protected by a firewall.

XMAS Scan: This Scan is Similar To Null Scan but it turns on the TCP Headers,

Bounce Scan: This scan is used on FTP server to check if the target is Connected to LAN for breaching the FTP server and See the Connected Machines.

RPC Scan: This Scan Looks for machines that respond to Remote Commands,

Windows Scan: This type of scan is performed on Operating Systems if the ports supposed to be filtered.

Idle scan: This scan is performed if there the packets to the host is bounced off to an IP that you don't have control of it, this scan often used for malicious attacks,

Hope you guys gained some basic knowledge on How Nmap Scans works and the different types of Scans, Now let's see the Advanced Scanning Techniques

Host detection methods

Before we start scanning the network we have to know whether the host is up or not. Nmap has several ways to detect
So let's see how to detect

Ping Sweep: Pinging is the most common method for detecting a host is up or not,

However, Nmap has a feature to do ping sweep against a host, below command is used to perform ping sweep host detection.

nmap -sn scanme.nmap.org
The flag -sn is used for ping sweep host detection.

Ping agnostic scan
When a system hides a host from ping sweep then ping agnostic scan is used

nmap -Pn -n scanme.nmap.org
The -Pn flag is used for a ping agnostic scan, sometimes the flag -sL list scan is extremely useful for DNS PTR record lookups

Another thing is if you're scanning an SSL supported host then the flag -PS 443
is extremely useful for host detection.

Scanning UDP services


As we told you earlier that UDP protocols are connectionless, and it takes a little bit longer time to scan,
While scanning for UDP forts the flag -sU is used, moreover, it requires Root Privileges so sudo is a must

sudo nmap -sU scanme.nmap.org

Special TCP Scans

As we have mentioned in different scan types the TCP connect
scans (-sT), the SYN stealth scan (-sS), FIN(-sF), Xmas Tree(-sX), and Null scan(-sN) Are extremely useful scanning techniques

The concept behind running these scans is that a closed port will attempt
to reset the connection by issuing an RST (reset) packet,

Note that FIN, Xmas,
and NULL scans are known to not work against Microsoft Windows hosts.

Operating system detection

Sometimes we have to know which operating system the machine is running on, targets often run on multiple operating systems, however, Nmap can easily identify them.
the flag -O is used to detect Target Os

sudo nmap -O scanme.nmap.org

By executing the command we will see the Operating System, MAC address(if we scan a LAN network), & OS CPE

Verbose Scanning

Verbose Scanning is used to retrieve information quickly while a scan is running, there are different levels of verbose scanning,

-v Flag is Used For Verbose Scanning, and -vv Flag is the second level of verbose scanning and the final is -vvv Flag For High level verbose,
you can also use the --reduce-verbosity flag to reduce verbosity

Packet tracing

This Technique is used to understand the network hops that occur between hosts and to see the actual network traffic passing through.

This is also possible by using the flags traceroute and tcpdump but it is time-consuming.

so the flag --packet-trace is used for Packet Tracing

sudo nmap scanme.nmap.org --packet-trace

Performance Optimization

We have already learnt how to scan using various techniques, but most of the times Nmap takes a longer time to scan, to reduce the scanning time lets learn how to use the advanced flags.

Nmap timing optimization

To Make Scans Faster Nmap has some Flags -T1 to -T5, T1 is slower and T5 is higher, while the default is -T3

Timing Optimization is useful for quickly scanning a large network.

nmap -T5 scanme.nmap.org

Customized host group sizes

Nmap uses Group of hosts to scan the hosts efficiently,

--min-hostgroup and --max-hostgroup flags are used for customizing host groups, note that it hosts group specification doesn't work at host discovery

Increasing and decreasing parallelism

You have to know how to customize host group size, however, there are flags used to increase or decrease parallelism in full scans, it helps Nmap to finish the scanning effectively.

The Flag --min-parallelism (use up to 10 or 1)2 makes Nmap scan even faster by reducing some of the risks,
similarly, the flag --max-parallelism (use as low as 1) makes Nmap scans slower.

Dealing with stuck hosts

Commonly, sometimes hosts will be stuck while scanning a large enterprise, it happens if there was any security restrictions or something else that was stopping and slowing the scan.
to resolve that --host-timeout flag is used, 1 minute is enough but for a large enterprise 10 minute time out is better
Nmap scanme.nmap.org --host-timeout 1m

Delaying and increasing probe rates

You can directly increase or decrease scan by using the flag --scan-delay it is a useful time-saving technique

nmap scanme.nmap.org --scan-delay 5s


Nmap Scripting Engine

So Far... We have Learnt How To Use Nmap for Port Scanning along With Advanced Nmap Commands

In This Section, let's see how we can use The Nmap Script Engine to conduct reconnaissance scans.

Before We Start Using Nmap Script Engine, Let me explain more about Nmap Script Engine,

Nmap Script Engine is Basically a Framework that runs in the programming language Lua, and other hands Nmap script engine is a collection of scripts that are specifically coded for a purpose, to use the scripts we have to use the --scripts flag.

Finding Nmap Scripts

Although The Scripts are Prepacked on your system the problem is you don't know which scripts to use,
We strongly recommend you to read the Official NSE Doc By Nmap

The Nmap Scripts are basically categorised into the following
  • Auth: These scripts attempt to authenticate to services, and can verify found credentials
  • Broadcast: These scripts broadcast certain protocols to find out whether or not they are listening
  • Brute: These scripts attempt brute force or dictionary-based attacks against network services
  • Default: This is the default category of scripts that may run when a scan is initiated
  • Discovery: These scripts attempt to enumerate sensitive information from hosts and network services
  • Denial of Service (DoS): These scripts may cause disruption to the service that is being scanned
  • Exploit: These scripts attempt to execute an exploit that exploits a given vulnerability
  • External: These scripts query third-party databases, such as DNS blacklists, to gather additional information about targets
  • Fuzzer: These scripts send random "garbage" information to services to attempt to find flaws in the software
  • Intrusive: These scripts are an umbrella category for any script that may cause damage or be intrusive to the service itself
  • Malware: These scripts attempt to find instances of the known malware.
  • Safe: These scripts are verified to not cause harm to servers
  • Version: These scripts attempt to identify specific versions as well as information disclosures from specific services in a more in-depth way than normal service version detection
  • Vuln: These scripts identify the known vulnerabilities in services

Running Nmap Scripts

Running Nmap Scripts are very easy but before running them we have to check whether the Nmap script database is up to date or not
for that type this command

sudo nmap --script-update-db
once the scripts database is updated then its time to use them
to use Nmap scripts --script script-name command is used,

Now its easier to run categorised Nmap scripts at once, below is a simple command for default scan with Nmap scripts

sudo nmap scanme.nmap.org --script defaut

If you want to scans by category or categories is too much, you can select scans by their specific name, or use wildcards. For example, if I wanted to scan a web server and load all the HTTP modules in the default scan repository, I would scan with the
--script "http-*" flag

eg:

sudo nmap scanme.nmap.org --script "http-*"

😔 The Nmap Script Repository is quiet though, so it's better to do a little bit of practice, moreover, some security researchers develop their own scripts so keep updated with their scripts.
And therefore Nmap also can be integrated with Metasploit, Ncrack and many other Popular Framework,

Additional Resources



Nmap Cheat Sheet

Nmap Mind Map


Conclusion

Although this is a Beginner Nmap Tutorial, we tried our best to explain still if you feel anything missed out then feel free to comment, so that in our next update we will include that,

Thanks For Reading, Share this tutorial with your friends or forums and tell them that you learnt something better.

Post a Comment

0 Comments