In this practical Nmap guide, we will learn how to use some of the basic Nmap commands to scan for vulnerabilities in a network. If you are new to Nmap, this is the place to start!
In this guide, I am using Kali Linux 2021, but you can install and run Nmap with success on virtually any operating system out there.
If you don’t have Nmap installed on your machine yet, here is a step-by-step guide on installing Nmap on Windows, macOS, Linux, and FreeBSD.
Without further ado, let’s get our hands dirty.
To see all the parameters and options supported by Nmap, open a terminal and type:
nmap
Alternatively, you can type the following command:
nmap --help
The Nmap command output will generate a long list of parameters (switches) that Nmap supports, classified as Target Specification, Host Discovery, Scan Techniques, Port Specification and Scan Order, Service/Version Detection, Script Scan, OS Detection, Timing and Performance, Firewall/IDS Evasion and Spoofing, Output, and so on.
NMAP Single Target Scan
You can scan a target with Nmap without specifying any command-line option. The target you want to scan can be either an IP address or a hostname. If you choose a hostname, Nmap will automatically try to resolve it to an IP address.
Syntax for NMAP single target scan:
nmap <target IP or hostname>
The Nmap command output shows the status of the ports scanned, as seen in Table 1.1 below:
PORT | STATE | SERVICE
Port number/protocol | Status of the scanned port | Service used on the port
TIP: Nmap will scan the most commonly used 1000 TCP/IP ports on a machine by default.
As you can see in Figure 1.1 above, the Nmap single target scan for IP 172.16.121.128 detected five open ports out of 1000 ports scanned. Even with a simple Nmap scan, we can find plenty of relevant information about this target machine:
- A total of 995 ports are in a closed state.
- The five open ports run Windows-specific services [msrpc, netbios-ssn, microsoft-ds, wsdapi, Elite].
Before we continue, there are six possible Nmap port states, as shown in Table 1.2 below:
Port state | Description
OPEN | A port that responds actively to an incoming connection.
CLOSED | A port that responds actively to a probe, but there is no service running on the respective port.
FILTERED | A port that is protected by a firewall or filter, which prevents Nmap from determining the port status [open or closed].
UNFILTERED | A port that can be scanned, but Nmap cannot precisely determine if the port is open or closed.
OPEN|FILTERED | A port that Nmap sees as open but cannot precisely determine the actual state of the port.
CLOSED|FILTERED | A port that Nmap sees as closed but cannot precisely determine the actual state of the port.
Multiple Targets Scan With NMAP
Nmap can scan multiple hosts using one command by stringing together a group of target IPs or hostnames. If you choose to scan multiple IPs and hostnames in one go, you must separate the IPs or hostnames with a space, as shown in Figure 1.3 below.
Syntax for NMAP multiple target scan:
nmap <Target1 Target2 Target3 etc.>
TIP: For target IPs that are in the same subnet, the host parts of the IPs can be listed in the last octet separated by commas (,), as shown in Figure 1.4 below.
IP Range Scan With NMAP
Nmap can scan a range of IPs in the same subnet, where the start and end of the IP range are separated by a hyphen (-), as seen in Figure 1.5.
Syntax for NMAP IP range scan:
nmap <IP range>
In the above example, Nmap was instructed to scan the IP range from 172.16.121.125/24 to 172.16.121.135/24.
If you intend to scan multiple networks/subnets, you can use a wildcard character (*) representing all valid ranges of IPs within a subnet [0 to 255] to perform the scan in one go. For example, if we want to scan all the hosts in class C 192.168.1-10, we would use the command:
nmap 192.168.1-10.*
As a result, Nmap will scan all the hosts between 192.168.1.* and 192.168.10.*, a total of 2540 [254×10] IP addresses. Be aware that the larger the subnet range, the more time Nmap will require to perform the scan.
Scan An Entire Subnet With NMAP [CIDR]
Nmap can also scan an entire CIDR [Classless Inter-Domain Routing] subnet using CIDR notation. In the example in Figure 1.6, we are scanning all the 254 hosts in the 172.16.121.1/24 subnet in one go.
The syntax for NMAP scan using CIDR notation:
nmap <Network/CIDR>
TIP: CIDR notation comprises a network address and a subnet mask length separated by a slash (/). E.g., 172.16.121.1/24
List of Target Scan With NMAP
If you plan to scan a large number of IPs or hostnames, instead of listing each IP/hostname on the Nmap command line, you can create a text file containing all the targets you want to scan and use the file as input for Nmap.
Here is an example text file [ips_scan.txt] I created containing a few IPs I want to scan using this method in my lab:
The syntax for NMAP scan using an input file:
nmap -iL <filename.txt>
TIP: The -iL switch instructs NMAP to read the targets to scan from the given file [Figure 1.8].
Random Target Scan With NMAP
Nmap supports the feature of randomly scanning a given number of targets using the -iR switch. Due to the sensitive nature of this scan, I will not be showing the output for this scan [see Figure 1.9].
Please use the Nmap random target scan with caution, or you may get in trouble with your company, internet provider, or worse.
The syntax for NMAP random target scan:
nmap -iR <number of targets to scan>
Exclude Targets From NMAP Scan
This method does what it says: it excludes a target or list of targets from a scan using the --exclude command-line option. This method can be helpful when scanning an extensive range of IPs.
Syntax for NMAP target(s) exclusion:
nmap <targets> --exclude <target(s)>
As seen in Figure 1.10, the --exclude option accepts single hosts, whole networks (using CIDR notation), or specific ranges.
Using A Text File To Exclude Targets From Nmap Scan
As we saw before, we can use an input text file containing the list of IPs we want to scan with Nmap. In the same way, we can use a text file consisting of specific IPs or ranges of IPs we wish to exclude from our scan. The targets listed in Figure 1.11 are excluded from the scan.
NMAP Syntax to exclude a list of targets using an input text file:
nmap <targets> --excludefile <filename.txt>
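To make the target notations from the IP range, wildcard, CIDR, input-file and exclusion sections above concrete, here is an added Python illustration (not Nmap's own code) that expands those IPv4 notations the way Nmap does and then applies an exclusion list, mirroring `nmap -iL <file> --excludefile <file>`. The target and exclude lists at the bottom are constructed for this example; hostnames and IPv6 are out of scope.

```python
import ipaddress
from itertools import product


def _expand_octet(spec):
    """Expand one octet field: '5', '125-135', '3,7' or '*' (0-255, as Nmap treats it)."""
    if spec == "*":
        return range(256)
    values = []
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        hi = hi or lo  # a plain number is a range of one
        values.extend(range(int(lo), int(hi) + 1))
    return values


def expand_target(spec):
    """Expand a single Nmap IPv4 target spec (CIDR, octet ranges, wildcards) to a list of addresses."""
    spec = spec.strip()
    if "/" in spec:
        # CIDR: Nmap scans every address in the block (256 for a /24, network and broadcast included).
        return [str(a) for a in ipaddress.ip_network(spec, strict=False)]
    octets = spec.split(".")
    if len(octets) != 4:
        raise ValueError(f"unsupported target spec: {spec!r}")
    return [".".join(map(str, combo)) for combo in product(*map(_expand_octet, octets))]


def build_target_list(targets, exclude=()):
    """Mirror 'nmap <targets> --exclude <targets>': expand both sides and return the survivors.

    Both arguments are iterables of target specs, e.g. the lines of an -iL or --excludefile file.
    Blank lines are skipped and duplicate addresses (overlapping specs) are scanned only once.
    """
    excluded = set()
    for spec in exclude:
        if spec.strip():
            excluded.update(expand_target(spec))
    result, seen = [], set()
    for spec in targets:
        if not spec.strip():
            continue
        for addr in expand_target(spec):
            if addr not in excluded and addr not in seen:
                seen.add(addr)
                result.append(addr)
    return result


# Constructed sample input standing in for ips_scan.txt and an exclude file (not from the article).
SAMPLE_TARGETS = ["172.16.121.125-135", "", "172.16.121.0/24"]
SAMPLE_EXCLUDE = ["172.16.121.128", "172.16.121.130-131"]

if __name__ == "__main__":
    hosts = build_target_list(SAMPLE_TARGETS, SAMPLE_EXCLUDE)
    print(f"{len(hosts)} addresses remain after exclusion; first {hosts[0]}, last {hosts[-1]}")
```

Running it against the constructed lists prints the number of addresses Nmap would actually probe, which is a quick way to sanity-check a large target file before launching a scan.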
Performing NMAP Aggressive Scan
The Nmap aggressive scan picks several of the most frequently used Nmap options and provides a quick substitute for typing a long string of command-line arguments. The -A parameter is a shorthand for several specialized options (such as -O, --traceroute, -sC, etc.). I will cover all these options in detail in a future post.
The syntax for Nmap aggressive scan is the following:
nmap -A <target>
As you can see in Figure 1.13, the Nmap aggressive scan provides way more details about a target host than the other scan examples provided so far in this guide.
For instance, we can see the target host is a Windows machine. We can extract its hostname, MAC address, list of open ports, etc., and suspect this machine might have its firewall disabled.
NMAP Target Scan For IPv6
Nmap supports IPv6 target scans, except for scanning multiple targets using CIDR notation or IP ranges, as these are not supported/needed for IPv6 addressing.
Syntax for Nmap IPv6 scan:
nmap -6 <target IPv6 address>
TIP: For a -6 scan to work, both host and target systems must support the IPv6 protocol.
Take some more time to read and practice the above basic Nmap commands.
Found this NMAP tutorial useful? Consider sharing it with your friends and colleagues.
Feeling ready? Go ahead and learn the NMAP Host Discovery Flags And How To Use Them.
