Nmap Tutorial: Complete Guide

1️⃣ Introduction

Nmap (Network Mapper) is a powerful open-source tool for network discovery and security auditing. This guide covers essential techniques for effective network scanning and analysis.

Key areas covered:

  • Basic Scanning
  • Port Analysis
  • Host Discovery
  • Service Detection
  • OS Detection
  • Script Engine

2️⃣ Basic Scanning

🔹 Host Discovery

# Basic ping scan
nmap -sn 192.168.1.0/24

# TCP SYN ping scan
nmap -PS 192.168.1.1

# UDP ping scan
nmap -PU 192.168.1.1

# ARP ping scan
nmap -PR 192.168.1.0/24

# No ping scan
nmap -Pn 192.168.1.1

# List scan (no port scan)
nmap -sL 192.168.1.0/24

🔹 Port Scanning

# TCP SYN scan (default)
nmap -sS 192.168.1.1

# TCP connect scan
nmap -sT 192.168.1.1

# UDP scan
nmap -sU 192.168.1.1

# Version detection
nmap -sV 192.168.1.1

# Specific ports
nmap -p 80,443 192.168.1.1

# Port ranges
nmap -p 1-1000 192.168.1.1

# All ports
nmap -p- 192.168.1.1

3️⃣ Advanced Scanning

🔹 OS Detection

# OS detection
nmap -O 192.168.1.1

# Aggressive OS detection
nmap -A 192.168.1.1

# Limit OS detection to hosts with at least one open and one closed port (modifies -O)
nmap -O --osscan-limit 192.168.1.1

# Report a best-guess OS match when no exact match is found (modifies -O)
nmap -O --osscan-guess 192.168.1.1

# Version intensity
nmap -sV --version-intensity 5 192.168.1.1

# Combined scan
nmap -sS -O -sV 192.168.1.1

🔹 Timing and Performance

# Timing templates
nmap -T0 192.168.1.1  # Paranoid
nmap -T1 192.168.1.1  # Sneaky
nmap -T2 192.168.1.1  # Polite
nmap -T3 192.168.1.1  # Normal
nmap -T4 192.168.1.1  # Aggressive
nmap -T5 192.168.1.1  # Insane

# Custom timing
nmap --min-rate 100 192.168.1.1
nmap --max-rate 100 192.168.1.1
nmap --min-parallelism 10 192.168.1.1
nmap --max-parallelism 10 192.168.1.1

4️⃣ NSE Scripts

🔹 Script Categories

# Default scripts
nmap -sC 192.168.1.1

# All scripts
nmap --script=all 192.168.1.1

# Specific categories
nmap --script=vuln 192.168.1.1
nmap --script=auth 192.168.1.1
nmap --script=default,safe 192.168.1.1

# Multiple scripts
nmap --script "http-* and not http-brute" 192.168.1.1

# Script arguments
nmap --script http-title --script-args http.useragent="Mozilla 5.0" 192.168.1.1

🔹 Common Scripts

# SSL/TLS analysis
nmap --script ssl-enum-ciphers -p 443 192.168.1.1

# Vulnerability scanning
nmap --script vuln 192.168.1.1

# SMB enumeration
nmap --script smb-enum-shares 192.168.1.1

# DNS enumeration
nmap --script dns-brute domain.com

# HTTP enumeration
nmap --script http-enum 192.168.1.1

# Banner grabbing
nmap --script banner 192.168.1.1

5️⃣ Output Formats

🔹 Output Options

# Normal output
nmap -oN scan.txt 192.168.1.1

# XML output
nmap -oX scan.xml 192.168.1.1

# Grepable output
nmap -oG scan.grep 192.168.1.1

# All formats
nmap -oA scan 192.168.1.1

# Trace all data sent and received by NSE scripts (only useful together with a script scan)
nmap -sC --script-trace 192.168.1.1

# Verbose output
nmap -v 192.168.1.1
nmap -vv 192.168.1.1

6️⃣ Q&A / Frequently Asked Questions

Common scans:

  • TCP SYN scan (-sS)
  • TCP connect scan (-sT)
  • UDP scan (-sU)
  • Version detection (-sV)
  • OS detection (-O)
  • Script scan (-sC)
  • Ping scan (-sn)
  • All ports (-p-)

Optimization tips:

  • Use timing templates (-T4)
  • Limit port ranges
  • Adjust parallelism
  • Use version detection selectively
  • Optimize host discovery
  • Use appropriate scripts
  • Adjust rate limits
  • Consider network conditions

Best practices:

  • Get permission
  • Use appropriate timing
  • Document scans
  • Review results carefully
  • Verify findings
  • Consider network impact
  • Follow security policies
  • Update regularly

7️⃣ Best Practices & Pro Tips 🚀

  • Get proper authorization
  • Use appropriate timing
  • Document all scans
  • Verify findings
  • Regular updates
  • Network awareness
  • Script selection
  • Output management
  • Performance tuning
  • Security policies
  • Result analysis
  • Continuous learning

Conclusion

Nmap is an essential tool for network administrators and security professionals. By mastering its features and following best practices, you can effectively discover and analyze network services and potential security issues.

Remember to always obtain proper authorization before scanning and follow security policies and best practices.