
Everything You Need To Know About NMAP

Updated: Jul 1, 2024

Nmap, short for Network Mapper, is a versatile tool in the cybersecurity toolkit. Launched in 1997, it has become indispensable for professionals in both offensive and defensive security roles. Its primary function is to discover hosts and services on a computer network, thereby providing a map of the network. This post will explore how Nmap can be leveraged from both an offensive and defensive standpoint, along with tips and tricks to enhance its utility.


Nmap Syntax

To scan an IP address or range: nmap <target-ip>

To scan a domain name: nmap <target-domain>

Flags and Use Cases

  1. Scan Specific Port

  • Syntax: -p<port-number>

  • Example: nmap -p80 <target-ip>

  • Use Case: Identify if a web server is running on port 80.

  2. Scan Port Range

  • Syntax: -p<starting-port-number>-<ending-port-number>

  • Example: nmap -p1000-2000 <target-ip>

  • Use Case: Scan ports from 1000 to 2000 to identify services running in that range.

  3. Scan All Ports

  • Syntax: -p-

  • Example: nmap -p- <target-ip>

  • Use Case: Discover all open ports on the target.

  4. Scan Ports via Service Name

  • Syntax: -p <service-name(s)>

  • Example: nmap -p http,https <target-ip>

  • Use Case: Scan for services like HTTP and HTTPS by their service names.

  5. Enumerate Service Versions

  • Syntax: -sV

  • Example: nmap -sV <target-ip>

  • Use Case: Determine the version of services running on open ports to identify vulnerabilities.

  6. Adjust Version Detection Intensity

  • Syntax: --version-intensity <0-9>

  • Example: nmap -sV --version-intensity 5 <target-ip>

  • Use Case: Increase the accuracy of version detection with a higher intensity level.

  7. Version Light and Version All Scanning

  • Syntax: --version-light, --version-all

  • Example: nmap -sV --version-light <target-ip>

  • Use Case: --version-light gives faster scans; --version-all gives more accurate results.

  8. OS, Version, Script Scanning, and Traceroute

  • Syntax: -A

  • Example: nmap -A <target-ip>

  • Use Case: Comprehensive scan including OS detection, version detection, script scanning, and traceroute.

  9. OS Detection

  • Syntax: -O

  • Example: nmap -O <target-ip>

  • Use Case: Identify the operating system of the target.

  10. TCP SYN Scan

  • Syntax: -sS

  • Example: nmap -sS <target-ip>

  • Use Case: Stealthy half-open scan that is less likely to be logged by the target.

  11. UDP Scan

  • Syntax: -sU

  • Example: nmap -sU <target-ip>

  • Use Case: Scan for UDP services.

  12. TCP Scan

  • Syntax: -sT

  • Example: nmap -sT <target-ip>

  • Use Case: Perform a full TCP connect scan.

  13. TCP ACK Scan

  • Syntax: -sA

  • Example: nmap -sA <target-ip>

  • Use Case: Map out firewall rulesets.

  14. TCP Window Port Scan

  • Syntax: -sW

  • Example: nmap -sW <target-ip>

  • Use Case: Identify open ports using the TCP window scan.

  15. TCP Maimon Port Scan

  • Syntax: -sM

  • Example: nmap -sM <target-ip>

  • Use Case: Detect open ports using a less common TCP scan.

  16. Host Discovery Only

  • Syntax: -sn

  • Example: nmap -sn <target-ip>

  • Use Case: Check if hosts are up without port scanning.

  17. Disable Host Discovery

  • Syntax: -Pn

  • Example: nmap -Pn <target-ip>

  • Use Case: Skip host discovery and perform port scanning only.

  18. Turn Off DNS Resolution

  • Syntax: -n

  • Example: nmap -n <target-ip>

  • Use Case: Speed up the scan by not resolving hostnames.

  19. Increase Verbosity

  • Syntax: -v, -vv

  • Example: nmap -vv <target-ip>

  • Use Case: Get more detailed output of the scan process.

  20. Designate Target from File

  • Syntax: -iL

  • Example: nmap -iL targets.txt

  • Use Case: Scan multiple targets listed in a file.

  21. Exclude a Host

  • Syntax: --exclude

  • Example: nmap <target-ip> --exclude <excluded-ip>

  • Use Case: Exclude specific IP addresses from the scan.

  22. Set Aggressiveness of Scan

  • Syntax: -T<0-5>

  • Example: nmap -T4 <target-ip>

  • Use Case: Control the speed and stealthiness of the scan.

  23. Scan with Default Scripts

  • Syntax: -sC, --script default

  • Example: nmap -sC <target-ip>

  • Use Case: Run the default set of scripts for basic information gathering.

  24. Scan with a Single Script

  • Syntax: --script=<script-name>

  • Example: nmap --script=http-enum <target-ip>

  • Use Case: Run a specific script to gather detailed information about a service.

  25. Scan with Vulnerability Scripts

  • Syntax: --script vuln

  • Example: nmap --script vuln <target-ip>

  • Use Case: Identify known vulnerabilities on the target.

  26. Fragment Scanning Packets

  • Syntax: -f

  • Example: nmap -f <target-ip>

  • Use Case: Evade basic firewall rules by fragmenting packets.

  27. Set Decoy IPs to Scan From

  • Syntax: -D <IP-addresses-comma-separated>

  • Example: nmap -D RND:10 <target-ip>

  • Use Case: Obfuscate the source of the scan by using decoy IPs.

  28. Append Data to Sent Packets

  • Syntax: --data-length <number>

  • Example: nmap --data-length 20 <target-ip>

  • Use Case: Add extra data to packets to evade intrusion detection systems.

  29. Output to File

  • Syntax: -oN <file-name>

  • Example: nmap -oN scan.txt <target-ip>

  • Use Case: Save scan results to a normal text file.

  30. Output to XML

  • Syntax: -oX <file-name>

  • Example: nmap -oX scan.xml <target-ip>

  • Use Case: Save scan results in XML format for integration with other tools.

  31. Output to Grepable Format

  • Syntax: -oG <file-name>

  • Example: nmap -oG scan.gnmap <target-ip>

  • Use Case: Save scan results in a format suitable for grep processing.

  32. Output to TXT, XML, and Grep Formats

  • Syntax: -oA <base-name>

  • Example: nmap -oA scan <target-ip>

  • Use Case: Save scan results in all three formats simultaneously.

  33. Increase Debugging Level

  • Syntax: -d, -dd

  • Example: nmap -dd <target-ip>

  • Use Case: Get detailed debugging information.

  34. Trace Packets

  • Syntax: --packet-trace

  • Example: nmap --packet-trace <target-ip>

  • Use Case: Trace the path packets take to the target.
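The grepable output format (-oG) is what makes the flags above useful on the defensive side: a scheduled scan of your own ranges can be parsed and compared against what is supposed to be open. The following POSIX shell/awk script is an added example, not code from the original post; the .gnmap text and the baseline allowlist it works on are constructed samples, and the baseline file name in the comment is an assumption.

```shell
#!/bin/sh
# Added example (not from the original post): parse nmap -oG output and flag
# open ports that are missing from a baseline allowlist. The scan output and
# baseline below are constructed samples, not results from a real scan.

TAB=$(printf '\t')   # gnmap separates the fields of a Host line with tabs
SAMPLE_GNMAP="# Nmap 7.94 scan initiated as: nmap -sV -oG scan.gnmap 10.0.0.0/29
Host: 10.0.0.5 ()${TAB}Status: Up
Host: 10.0.0.5 ()${TAB}Ports: 22/open/tcp//ssh//OpenSSH 9.2/, 80/open/tcp//http//nginx 1.24/, 8080/open/tcp//http-proxy///${TAB}Ignored State: closed (997)
Host: 10.0.0.6 ()${TAB}Status: Up
Host: 10.0.0.6 ()${TAB}Ports: 443/open/tcp//https//nginx 1.24/, 3389/filtered/tcp//ms-wbt-server///${TAB}Ignored State: closed (998)
# Nmap done -- 2 IP addresses (2 hosts up) scanned in 12.34 seconds"

# Assumed baseline: one "host port/proto" line for every port that is allowed to be open.
BASELINE="10.0.0.5 22/tcp
10.0.0.5 80/tcp
10.0.0.6 443/tcp"

# gnmap_open_ports: read grepable output on stdin and print "host port/proto service"
# for every open port; filtered and closed entries are dropped.
gnmap_open_ports() {
  awk -F'\t' '
    /^Host:/ {
      host = $1; sub(/^Host: /, "", host); sub(/ .*/, "", host)   # "Host: 10.0.0.5 ()" -> 10.0.0.5
      for (i = 2; i <= NF; i++) if (index($i, "Ports: ") == 1) {
        n = split(substr($i, 8), entry, /, */)              # one entry per port
        for (j = 1; j <= n; j++) {
          split(entry[j], f, "/")   # port/state/proto/owner/service/rpc info/version
          if (f[2] == "open")
            printf "%s %s/%s %s\n", host, f[1], f[3], (f[5] == "" ? "unknown" : f[5])
        }
      }
    }'
}

# unexpected_open_ports BASELINE: open ports seen on stdin that the baseline does not list.
unexpected_open_ports() {
  gnmap_open_ports | while read -r host port svc; do
    printf '%s\n' "$1" | grep -qxF "$host $port" || printf '%s %s %s\n' "$host" "$port" "$svc"
  done
}

# Offline demo on the constructed sample. Against a live scan of your own range you would run:
#   nmap -sV -oG - <target-range> | unexpected_open_ports "$(cat baseline.txt)"
printf '%s\n' "$SAMPLE_GNMAP" | unexpected_open_ports "$BASELINE"
```

On the sample the script reports only 10.0.0.5 8080/tcp, the one open port absent from the baseline; the filtered 3389/tcp entry is ignored because it is not open.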


Conclusion

Nmap’s versatility makes it invaluable for cybersecurity practitioners on both sides of the defense line. Mastery of Nmap not only enhances your reconnaissance capabilities but also fortifies your network against potential threats. Whether you're launching an offensive to probe for vulnerabilities or shoring up your defenses against would-be attackers, Nmap offers the insights and agility needed to navigate the complex cybersecurity landscape effectively.

Engaging with Nmap is a continuous learning process, with each scan revealing more about the art of network security. Share your favorite Nmap tips or how you've successfully leveraged it in your cybersecurity endeavors in the comments below!

Stay connected for more insights into powerful cybersecurity tools and strategies.

©2025 by Cybr Sec LLC