Monday, December 16, 2019

How to use nmap | Enumeration and scanning using nmap complete guide


  How to use Nmap complete guide

Nmap ("Network Mapper") is a free and open-source utility for network discovery and security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime.

Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. It was designed to rapidly scan large networks, but it works fine against single hosts. Nmap runs on all major computer operating systems.

First, we need to install Nmap on our system. Nmap works fine on lots of platforms,
e.g. all Linux flavours such as Fedora, Parrot, Kali Linux, etc., and also on Android using Termux.
The choice is always yours.

I have given a tutorial on installing Nmap in Termux; check it out here:

how to install nmap in termux

Or you can simply use the command:

apt install nmap

In Termux, type the command:

pkg install nmap

How To use Nmap

To start Nmap, simply type nmap and hit enter.

You will get the list of scanning options.

Now you can use Nmap with commands like:

nmap -v -A (target IP)

Nmap Commands

Some advanced commands for Nmap:

  • Spoof or decoy scan

Nmap allows us to use decoy IP addresses so that it appears that many IP addresses are scanning the target.

When we are scanning machines that aren't ours, we frequently want to hide our IP (our identity). Obviously, some packets must still carry our real source address, otherwise the responses from the target system won't know where to return to.

 nmap -sS -D (decoy IP 1),(decoy IP 2),ME (target IP)

  • Output to a file

Many times we need the output of scans for later reference and for use with other tools. To save the output in Nmap, simply use the -oN switch.

Add the -oN option followed by the name of the file you want to write the output to. Here, I have used a file named "nmapscan.txt":

nmap -sS -oN nmapscan.txt (target IP)

Now cat this file to see what's in it, using the command:

cat nmapscan.txt
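Because the -oN file is meant for reuse with other tools, here is an added example (not from the original post) that parses Nmap's normal output format into a per-host port table. The scan output is a constructed sample; the host address and ports are made up.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of Nmap "normal" (-oN) output, as written to nmapscan.txt.
# The host, timing and ports are invented for this example.
SAMPLE_NMAPSCAN = """\
# Nmap 7.80 scan initiated Mon Dec 16 10:00:00 2019 as: nmap -sS -oN nmapscan.txt 192.0.2.10
Nmap scan report for 192.0.2.10
Host is up (0.0012s latency).
Not shown: 996 closed ports
PORT     STATE    SERVICE
22/tcp   open     ssh
80/tcp   open     http
443/tcp  open     https
3306/tcp filtered mysql
MAC Address: 00:11:22:33:44:55 (Unknown)

# Nmap done at Mon Dec 16 10:00:05 2019 -- 1 IP address (1 host up) scanned in 5.10 seconds
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")

PortEntry = Tuple[int, str, str, str]  # (port, protocol, state, service)


def parse_normal_output(text: str) -> Dict[str, List[PortEntry]]:
    """Parse -oN output into {host: [(port, proto, state, service), ...]}."""
    results: Dict[str, List[PortEntry]] = {}
    host = None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:                      # a new "Nmap scan report for ..." block starts
            host = m.group(1)
            results[host] = []
            continue
        m = PORT_RE.match(line)    # port lines look like "22/tcp   open  ssh"
        if m and host is not None:
            port, proto, state, service = m.groups()
            results[host].append((int(port), proto, state, service))
    return results


def open_ports(results: Dict[str, List[PortEntry]], host: str) -> List[int]:
    """Return only the ports Nmap reported as open for one host."""
    return [port for port, _, state, _ in results.get(host, []) if state == "open"]


if __name__ == "__main__":
    parsed = parse_normal_output(SAMPLE_NMAPSCAN)
    for h in parsed:
        print(h, open_ports(parsed, h))
```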

  • OS detection and service detection on ports

-A is an all-in-one option we can use to detect the OS and services, run script scanning and traceroute, and show port status.
There are many vulnerabilities and exploits you can find for system services, and they are useful in exploitation.

nmap -A (target IP)
Nmap os and other services detection

Port Scanning Techniques:

Port scanning is a fully automated process using tools such as Nmap and Nessus, which are very efficient to use. There are lots of scanning techniques out there, but I will share some of the important ones.

NMAP ping sweeps

An Nmap ping sweep sends ICMP echo requests to all IP addresses in a given range; a host that is alive and responds to ping requests sends back an ICMP echo reply.

Nmap ping sweep

ARP scan (Address Resolution Protocol) :

In this method, a series of ARP broadcasts is sent, and the value of the target IP address field is incremented in each broadcast packet to find active devices on the local network segment. This scan helps us map out the whole local network.
Use this command in Nmap (-PR selects ARP ping, -sn skips the port scan):

nmap -sn -PR (target IP or range)

Nmap ARP scan

 TCP connect scan:

TCP connect scan is the basic scanning technique; it uses the connect system call of the OS to open a full connection to every port being scanned.

This image shows how it works:

working of TCP protocol

To scan TCP ports in Nmap, use the command:

nmap -sT (IP address)

TCP ports scan in Nmap

 Half-open scan:

  Unlike a TCP connect scan, it never completes the connection with the server, so it is a stealthier scan.

Like in the TCP connect scan, we send a SYN packet first.

Then the server sends a SYN/ACK packet back to us,
but at the end, instead of an ACK, we send the server a reset (RST) packet in the half-open scan; that's why it's called a stealth scan. The server never sees a completed connection; the reset tears it down, which makes the scan harder to detect.

nmap -sS  (target Ip)


Xmas scan:

It is used to identify listening ports on the targeted system. The scan sets the PSH, URG, and FIN flags of the TCP header. Closed ports send a reset response, while open ports do not respond.
Use this Nmap command:

nmap -sX  (target Ip)


FIN scan:

This port scan can stay undetected by most scan-detection programs, IDS and firewalls. It sends FIN packets to the targeted system and prepares a report on the responses it got.

With the FIN flag, closed ports send a reset response, while

TCP packets sent to the target's open ports get no response.

nmap -sF (target Ip)


ACK scan:

Sometimes active hosts also do not answer ICMP ping requests.

By using a TCP ACK scan, the scanner can still learn the port's status from whether a response is received.

Use this command in Nmap:

nmap -sA (target Ip)

Null Scan: 

Works by sending TCP packets with no flags set to the target. Open ports do not respond, while closed ports respond with a RESET packet.

nmap -sN (target Ip)
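The SYN, Xmas, FIN, Null and ACK probes described above each have a distinctive TCP flag set, which is also what a defender looks for. The following is an added example (not from the original post) that classifies logged packets by probe style and raises an alert when one source fans out across many ports or sends flag combinations that never occur in a normal handshake. The packet records are constructed; the addresses and the port threshold are assumptions.

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed packet records: (src_ip, dst_ip, dst_port, tcp_flags), using the
# tcpdump flag letters S=SYN, A=ACK, F=FIN, P=PSH, U=URG, R=RST. Addresses are invented.
SAMPLE_PACKETS: List[Tuple[str, str, int, str]] = [
    # 198.51.100.7 sends bare SYNs to six ports: looks like a half-open (-sS) sweep.
    ("198.51.100.7", "192.0.2.10", 21, "S"), ("198.51.100.7", "192.0.2.10", 22, "S"),
    ("198.51.100.7", "192.0.2.10", 23, "S"), ("198.51.100.7", "192.0.2.10", 25, "S"),
    ("198.51.100.7", "192.0.2.10", 80, "S"), ("198.51.100.7", "192.0.2.10", 443, "S"),
    # One FIN/PSH/URG packet: a flag set that only an Xmas (-sX) probe produces.
    ("198.51.100.9", "192.0.2.10", 80, "FPU"),
    # Ordinary client: SYN, then ACK and data on one port, so no alert expected.
    ("192.0.2.50", "192.0.2.10", 443, "S"), ("192.0.2.50", "192.0.2.10", 443, "A"),
    ("192.0.2.50", "192.0.2.10", 443, "PA"),
]

PROBE_STYLES: Dict[frozenset, str] = {
    frozenset(): "null",               # -sN: no flags at all
    frozenset("F"): "fin",             # -sF
    frozenset("FPU"): "xmas",          # -sX
    frozenset("S"): "syn",             # -sS (also the first packet of -sT)
    frozenset("A"): "ack",             # -sA
}
ALWAYS_SUSPICIOUS = {"null", "fin", "xmas"}  # never part of a legitimate handshake


def classify_probe(flags: str) -> str:
    """Map a TCP flag string to a scan style from the page, or 'normal'."""
    return PROBE_STYLES.get(frozenset(flags), "normal")


def detect_scans(packets, port_threshold: int = 5) -> List[Tuple[str, str, int]]:
    """Return (src, style, distinct_targets) alerts, sorted, for likely scanners."""
    touched: Dict[str, Dict[str, Set[Tuple[str, int]]]] = defaultdict(lambda: defaultdict(set))
    for src, dst, dport, flags in packets:
        style = classify_probe(flags)
        if style != "normal":
            touched[src][style].add((dst, dport))
    alerts = []
    for src, styles in touched.items():
        for style, targets in styles.items():
            # Bare SYN and ACK packets are normal until one source fans out across
            # many ports; malformed flag sets are suspicious even as a single packet.
            if style in ALWAYS_SUSPICIOUS or len(targets) >= port_threshold:
                alerts.append((src, style, len(targets)))
    return sorted(alerts)


if __name__ == "__main__":
    for alert in detect_scans(SAMPLE_PACKETS):
        print("possible %s scan from %s touching %d target ports" % (alert[1], alert[0], alert[2]))
```

The threshold is deliberately crude; a production detector would also account for time windows and for RST replies coming back from the scanned host.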


NSE scripts


Just to show how NSE scripts are used, here is an example of NetBIOS enumeration.

Here, in the image, the Nmap nbstat NSE script is used to enumerate NetBIOS.

Nmap NetBIOS script


Nmap is a very useful tool for scanning and enumeration; it gives us a whole lot of information about the victim, which is further helpful in exploitation and other hacking techniques.

Happy Hacking.. 😊

