Nmap and Network Scanning – A Complete Guide
Introduction
Nmap (Network Mapper) is a powerful open-source tool used for network discovery, security auditing, and penetration testing. It is widely used by network administrators, security professionals, and ethical hackers to scan networks, identify live hosts, open ports, and detect vulnerabilities.
Why Use Nmap?
Discover hosts & devices in a network
Scan open ports & running services
Detect operating systems & service versions
Perform vulnerability scanning
Detect firewall configurations & bypass security mechanisms
1. Installing Nmap
Nmap is available on Windows, Linux, and macOS.
a) Installing on Windows
- Download Nmap for Windows from: https://nmap.org/download.html
- Install it using the wizard.
- Open the Nmap command line (cmd) or the Zenmap GUI.
b) Installing on Linux (Ubuntu/Kali)
Nmap is pre-installed in Kali Linux. If not, install it using:
sudo apt update && sudo apt install nmap -y
c) Installing on macOS
Install Nmap using Homebrew:
brew install nmap
2. Basic Nmap Scanning
a) Scanning a Single Host
nmap 192.168.1.1
Finds open ports & running services on the target.
b) Scanning a Range of IPs
nmap 192.168.1.1-100
Scans multiple hosts in the network.
c) Scanning an Entire Network
nmap 192.168.1.0/24
Detects all live hosts in the subnet.
3. Advanced Nmap Scans
a) Scanning Open Ports
nmap -p 22,80,443 192.168.1.1
Scans specific ports (22 = SSH, 80 = HTTP, 443 = HTTPS).
To scan all 65535 ports:
nmap -p- 192.168.1.1
b) Scanning for Running Services & Versions
nmap -sV 192.168.1.1
Identifies the software and version running on open ports.
c) Detecting the Operating System
nmap -O 192.168.1.1
Identifies the OS (Linux, Windows, macOS, etc.).
4. Stealth & Firewall Bypass Scanning
a) TCP SYN Scan (Stealth Scan)
nmap -sS 192.168.1.1
Detects open ports without completing the TCP handshake, so the target application never sees a full connection and is less likely to log the probe (an IDS watching the network still sees the SYN packets).
b) UDP Scan
nmap -sU 192.168.1.1
Detects open UDP ports (used by DNS, SNMP, etc.).
c) Bypassing Firewalls with Decoy Scan
nmap -D RND:5 192.168.1.1
Mixes the scan with traffic from five random decoy source addresses (RND:5) so the scanner's real IP is harder to pick out in the target's logs.
5. Vulnerability Scanning with Nmap
a) Scanning for Known Vulnerabilities
nmap --script vuln 192.168.1.1
Runs the NSE scripts in the "vuln" category, which check the target for known vulnerabilities (usually identified by CVE numbers).
b) Checking for SMB Vulnerabilities
nmap --script "smb-vuln*" 192.168.1.1
Detects vulnerabilities in Windows SMB services (e.g., EternalBlue). The wildcard is quoted so the shell does not try to expand it against local filenames.
c) Detecting Weak Passwords (Brute Force)
nmap --script brute 192.168.1.1
Runs the "brute" category of NSE scripts, which attempt password guessing against the authentication services detected on the target.
6. Scanning Websites & Web Servers
a) Checking for Web Server Vulnerabilities
nmap --script "http-vuln*" 192.168.1.1
Finds security flaws in web applications.
b) Scanning SSL/TLS Security
nmap --script ssl-enum-ciphers -p 443 192.168.1.1
Checks for weak SSL/TLS encryption ciphers.
c) Detecting Subdomains
nmap --script dns-brute -p 53 example.com
Finds subdomains of a website by trying a list of common hostnames against DNS.
7. Automating Scans & Saving Results
a) Save Scan Output to a File
nmap -oN scan_results.txt 192.168.1.1
Saves results in a text file.
b) Save in XML Format
nmap -oX scan_results.xml 192.168.1.1
Saves results as XML, which other tools and scripts can parse for further analysis.
c) Scanning Multiple Targets from a List
nmap -iL targets.txt -oN results.txt
Scans multiple targets from a file (targets.txt).
8. Defending Against Nmap Scans
Organizations can protect themselves by:
✔ Using firewalls & intrusion detection systems (IDS).
✔ Blocking unnecessary open ports.
✔ Implementing network segmentation.
✔ Enabling rate limiting & anti-scanning techniques.
✔ Monitoring network traffic for suspicious activity.
9. Nmap Alternatives
If you’re looking for alternatives to Nmap, consider:
🔹 Zenmap – GUI version of Nmap.
🔹 Masscan – High-speed network scanner.
🔹 Angry IP Scanner – Simple & fast network discovery tool.
🔹 Netcat (nc) – Tool for port scanning & data transfer.
Next Steps:
✔ Practice Nmap on test environments (e.g., Hack The Box, TryHackMe).
✔ Learn Nmap Scripting Engine (NSE) for advanced scans.
✔ Explore network security concepts to enhance penetration testing skills.
