How to use Nmap | Enumeration and scanning using Nmap complete guide


  How to use Nmap complete guide

Nmap ("Network Mapper") is a free and open-source utility for network discovery and security auditing. Many system and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime.

    Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. It was designed to rapidly scan large networks, but it works fine against single hosts. Nmap runs on all major computer operating systems.

    First, we need to install Nmap on our system. Nmap works fine on lots of platforms,
    e.g. all Linux flavors such as Fedora, Parrot, Kali Linux, etc., and also on Android using Termux.
    The choice is always yours.

    I have written a tutorial on installing Nmap in Termux; check it out here:

    how to install Nmap in Termux

    Or you can simply use the command:

    apt install nmap

    In Termux, type the command:

    pkg install nmap
    How To use Nmap

    To start Nmap, simply type nmap and hit enter.


    You will get the list of scanning options.

    Now you can use Nmap with commands like:

    nmap -v -A (target IP)
    Nmap Commands

    Some advanced Nmap commands:

    • spoof or decoy scan

    Nmap allows us to use decoy IP addresses so that it looks like many IP addresses are scanning the target.

    When we are scanning machines that aren't ours, we frequently want to hide our IP (our identity). Obviously, every packet must still contain our real source address as well, otherwise the response from the target system won't know where to return to.

    nmap -sS -D (decoy IP 1),(decoy IP 2) (target IP)

    • Output to a File

    Many times we need the output of a scan for later reference or for use with other tools. To save the output in Nmap, simply use the -oN switch.

    Add -oN and after it the name of the file you want to write the output to. Here I have used a file named "nmapscan":
    nmap -sS -oN nmapscan (target IP)

    Now cat this output file to see what's in it, using the command:

    cat nmapscan
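Once a scan is saved with -oN, the "normal" output can be parsed so other tools can consume it. The following parser is an added example written for this guide, not part of Nmap; the scan output it reads is a constructed sample with made-up host names and addresses.

```python
import re
from typing import Dict, List

# Constructed sample of Nmap "normal" (-oN) output, in the layout that
# `nmap -sS -oN nmapscan` writes.  Host name, IP and timings are made up.
SAMPLE_NMAP_OUTPUT = """\
# Nmap scan initiated Mon Jan  1 10:00:00 2024 as: nmap -sS -oN nmapscan 192.0.2.10
Nmap scan report for host.example.test (192.0.2.10)
Host is up (0.0012s latency).
Not shown: 996 closed tcp ports (reset)
PORT     STATE    SERVICE
22/tcp   open     ssh
80/tcp   open     http
443/tcp  filtered https
3389/tcp open     ms-wbt-server
# Nmap done at Mon Jan  1 10:00:05 2024 -- 1 IP address (1 host up) scanned in 5.02 seconds
"""

# Host lines look like "Nmap scan report for name (ip)" or just "... for ip".
HOST_RE = re.compile(
    r"^Nmap scan report for (?:(?P<name>\S+) \((?P<ip>[\d.]+)\)|(?P<ip_only>[\d.]+))$"
)
# Port lines start with "<port>/<proto>"; the "PORT STATE SERVICE" header does not.
PORT_RE = re.compile(r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)")


def parse_normal_output(text: str) -> Dict[str, List[dict]]:
    """Return {host_ip: [{"port", "proto", "state", "service"}, ...]}."""
    results: Dict[str, List[dict]] = {}
    current = None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = m.group("ip") or m.group("ip_only")
            results[current] = []
            continue
        m = PORT_RE.match(line)
        if m and current is not None:
            results[current].append({
                "port": int(m.group("port")),
                "proto": m.group("proto"),
                "state": m.group("state"),
                "service": m.group("service"),
            })
    return results


def open_ports(results: Dict[str, List[dict]], host: str) -> List[int]:
    """Sorted list of the ports reported as open for one host."""
    return sorted(p["port"] for p in results.get(host, []) if p["state"] == "open")


if __name__ == "__main__":
    parsed = parse_normal_output(SAMPLE_NMAP_OUTPUT)
    for host in parsed:
        print(host, open_ports(parsed, host))
```

For machine processing of real scans, Nmap's -oX (XML) output is the more stable format; the normal-output layout above is what -oN writes for a human reader.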

    • OS detection, service detection in ports

    -A is an all-in-one option we can use for OS detection, service detection, script scanning, and traceroute, along with the port status.
    There are many vulnerabilities and exploits you can find for system services and use in exploitation.

    nmap -A (target IP)
    Nmap OS and other services detection

    Port Scanning Techniques:

    Port scanning is a fully automated process using tools such as Nmap and Nessus, which are very efficient to use. There are lots of scanning techniques out there, but I will share some of the important ones.

    NMAP ping sweeps

    An Nmap ping sweep sends ICMP echo requests to all IP addresses in a given range; a host that is alive and responds to ping requests sends back an ICMP echo reply.

    Nmap ping sweep

    ARP scan (Address Resolution Protocol) :

    In this method, a series of ARP requests is sent, and the value of the target IP address field is incremented in each request packet to find active devices on the local network segment. This scan helps us map the whole network.
    Use this command in Nmap:

    nmap -sn -PR (target IP)

    Nmap ARP scan

     TCP connect scan:

    TCP connect scan is the basic scanning technique that uses the connect() system call of the OS to open a full connection to every port being scanned.

    This image shows how it works:

    working of TCP protocol

    To find TCP ports in Nmap, use the command:

    nmap -sT (IP address)

    TCP ports scan in Nmap

     Half-open scan:

    In a half-open scan the TCP connection is never completed with the server, so it is a stealthy scan.

    Like the TCP connect scan, we send a SYN packet first.

    Then the server sends a SYN/ACK packet back to us.
    But at the end, instead of an ACK we send the server a RST packet in a half-open scan; that's why it's called a stealth scan. The server never completes the connection, it just resets it, which makes the scan undetectable.

    nmap -sS (target IP)

    TCP XMAS Scan

    It is used to identify listening ports on the targeted system. The scan manipulates the PSH, URG, and FIN flags of the TCP header. Closed ports send a RST response, while open ports do not respond.
    Use this Nmap command:

    nmap -sX (target IP)

    TCP FIN Scan

    This port scan can stay undetected by most scan-detection programs, IDS and firewalls. It sends FIN packets to the targeted system and prepares a report from the responses it gets.

    With the FIN flag set, closed ports send a RST response, and

    TCP packets sent to the target's open ports get no response.

    nmap -sF (target IP)

    TCP ACK Scan:

    Sometimes active hosts also do not answer ICMP ping.

    By using a TCP ACK scan, the attacker can see the port status from the response received.

    Use this command in Nmap:

    nmap -sA (target IP)

    Null Scan: 

    Works by sending TCP packets with no flags set to the target. Open ports do not respond, while closed ports respond with a RST packet.

    nmap -sN (target IP)
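From the defender's side, the half-open, Xmas, FIN and Null scans above all leave a recognisable pattern on the wire: one source touching many ports in a short time, or TCP segments with flag sets (no flags, FIN alone, FIN+PSH+URG) that no real client sends. The detector below is an added example written for this guide, not part of Nmap or any IDS; the packet records it inspects are a constructed sample with made-up addresses and timestamps.

```python
from collections import defaultdict

# Constructed packet records (src, dst, dport, tcp_flags, seconds) such as a
# packet sensor or flow log could export; addresses and times are made up.
# Flag letters: S=SYN, A=ACK, P=PSH, F=FIN, U=URG, "" = no flags (Null scan).
PACKETS = [
    # a normal web client: SYN, then ACK and PSH/ACK to a single port
    ("198.51.100.5", "192.0.2.10", 443, "S", 0.0),
    ("198.51.100.5", "192.0.2.10", 443, "A", 0.1),
    ("198.51.100.5", "192.0.2.10", 443, "PA", 0.2),
    # Xmas (-sX), FIN (-sF) and Null (-sN) probes: flag sets no real client sends
    ("203.0.113.9", "192.0.2.10", 80, "FPU", 2.0),
    ("203.0.113.9", "192.0.2.10", 22, "F", 2.1),
    ("203.0.113.9", "192.0.2.10", 25, "", 2.2),
]
# a half-open (-sS) sweep: one source sends SYNs to twenty ports within 20 ms
PACKETS += [("203.0.113.7", "192.0.2.10", p, "S", 1.0 + p / 1000) for p in range(20, 40)]

# Flag combinations that only appear in FIN, Xmas and Null scans.
ABNORMAL_FLAGS = {"", "F", "FPU"}


def detect_scans(packets, window=5.0, port_threshold=10):
    """Return {source_ip: [reasons]} for sources that look like scanners.

    'abnormal_flags': a segment whose TCP flags match a FIN/Xmas/Null probe.
    'port_sweep':     at least port_threshold distinct (dst, port) pairs hit by
                      one source inside any window-second interval, which is
                      how a SYN or connect scan looks on the wire.
    """
    by_src = defaultdict(list)
    for src, dst, dport, flags, ts in packets:
        by_src[src].append((ts, dst, dport, flags))
    findings = {}
    for src, events in by_src.items():
        events.sort()
        reasons = set()
        for ts, _dst, _port, flags in events:
            if flags in ABNORMAL_FLAGS:
                reasons.add("abnormal_flags")
            recent = {(d, p) for t, d, p, _f in events if ts - window <= t <= ts}
            if len(recent) >= port_threshold:
                reasons.add("port_sweep")
        if reasons:
            findings[src] = sorted(reasons)
    return findings


if __name__ == "__main__":
    for src, why in detect_scans(PACKETS).items():
        print(f"{src}: {', '.join(why)}")
```

The thresholds are illustrative; a production sensor would also count the RST the scanner sends after each SYN/ACK and the responses the target returns.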


    NSE scripts

    Just to show how to use NSE scripts, here is an example of NetBIOS enumeration.

    Here in the image the Nmap nbstat NSE script is used to enumerate NetBIOS.

    Nmap NetBIOS script


    Nmap is a very useful tool for scanning and enumeration; it gives us a whole lot of information about the target, which is further helpful in exploitation and other hacking techniques.

    Happy Hacking... 😊