How to use Nmap | Enumeration and scanning using Nmap complete guide

How to use nmap | Enumeration and scanning using nmap complete guide

  How to use Nmap complete guide

Nmap ("Network Mapper") is a free and open-source utility for arranging revelation and security evaluating. Numerous frameworks and system heads likewise think that it's helpful for errands, for example, arrange stock, overseeing administration redesign timetables, and observing host or administration uptime.

Nmap is a powerful network scanning tool that can be used to explore and analyze networks. It is a popular tool among network administrators and security professionals as it provides many features to help identify security risks and vulnerabilities.

In this blog post, we will explore how to use Nmap and its features to get the most out of your network scanning. We will cover topics such as how to install and configure Nmap, how to use Nmap to scan different types of networks, and how to interpret the results.

    Nmap utilizes crude IP packets in novel manners to figure out what hosts are accessible on the system, what administrations (application name and form) those hosts are offering, what working frameworks (and OS versions) they are running, what sort of bundle channels/firewalls are being used, and many different attributes. It was intended to quickly examine huge systems, however, it works fine against single hosts. Nmap runs on all significant PC working frameworks

    first, we need to install Nmap in our system Nmap works fine with lots of platforms 
    ex- all Linux flavors such as fedora, parrot, Kali Linux, etc. also in android using Termux.
     the choice is always yours..

    What is Nmap?

    Nmap is an open source network discovery and security auditing tool. It is used by network administrators to identify active hosts on a network and to determine what services are offered by each device.

    It can also be used to detect security vulnerabilities and to audit firewall configurations. Nmap can be used to scan a single host or an entire network. It can also be used to identify devices on a network, such as printers, routers, and switches.

    To use Nmap, it is necessary to have a basic understanding of networking concepts and to be familiar with the command line. Once the scan is complete, the output is then used to identify active hosts and services, as well as any security vulnerabilities.


    What Does Nmap Do?

    Nmap (Network Mapper) is a network security scanner and network discovery tool used to identify hosts on a network, as well as the services they offer, and the operating systems they use.

    Nmap can be used to determine what hosts are available on a network, the services they are using, and the operating systems they are running. It can also be used to detect security issues, such as open ports, and vulnerabilities.

    Additionally, Nmap can be used to audit and monitor networks, as well as to scan for potential intrusions or malicious activity.

    Nmap can also be used to gain information about a host or network, such as the operating system it is running, and the programs and services it is offering.

    How to Use Nmap ?

    Nmap is a powerful network mapping and port scanning tool used by network administrators and security professionals alike. To use Nmap, a user must first download the software and then run it in a command line window.

    Nmap can then be used to scan for open ports, detect operating systems and services, identify hosts, and much more. To begin a scan, a user can specify the target IP address or hostname, the ports to scan, and other options.

    Nmap can also be used to create detailed network diagrams, as well as generate reports to analyze the results of the scan. With adequate knowledge and practice, Nmap can be a valuable tool for network administrators and security professionals.

    I have given a tutorial to install Nmap in Termux check it out here..

     how to install Nmap in termux 

    or you can simply use the command

    apt install nmap

    in Termux type command.

    pkg get nmap
    How To use Nmap

    to start Nmap simply type and hit enter.


    you will get options for scanning.

    now you can use Nmap using commands like.

    nmap -v -A
    Nmap Commands

    some advance commands for Nmap

    • spoof or decoy scan

    Nmap allows us to use decoy IP addresses in order that it's like many IP addresses are scanning the target.

    When we are scanning machines that aren't ours, we frequently want to cover our IP (our identity). Obviously, every packet must contain our source address alternatively the response from the target system won't know where to return to.

     nmap -sS -D,,

    • Output to a File

     many times we need output of scans for later references and use with other tools. to save lots of output in NMAP simply use -oN switch.

    add -oN command and after that name of the file you want to output in. Here, I have used a file named "nmapscan.txt"
    nmap -sS -oN nmapscan

    now cat this output to see what's in it using the command 

    cat nmapscan

    • OS detection, service detection in ports

    -A is all in one command we can use to detect OS, Services, script scanning, and traceroute with ports status..
    there are many vulnerabilities and exploits you can find for system services and use it in exploitation.

    nmap -A (target IP)
    Nmap os and other services detection
    Nmap os and other services detection

    Port Scanning Techniques:

    port scanning is a fully automated process using tools such as NMAP and Nessus which are very efficient to use. there are lots of scanning techniques over there but I will share some important of them.

    NMAP ping sweeps

     NMAP ping sweeps scan sends ICMP requests to all IP addresses in a given range and sends ICMP reply to host if the host is alive and responds to ping requests.

    Nmap ping sweep
    Nmap ping sweep

    ARP scan (Address Resolution Protocol) :

    In this method, a progression of ARP communication is sent, and the incentive for the objective IP address field is increased in each communication parcel to find dynamic gadgets on the neighborhood organize section. This sweep encourages us to outline the whole system.
     Use this command in Nmap

    nmap --arp-type ARP (target IP)

    Nmap ARP scan
    Nmap ARP scan

     TCP connect scan:

    TCP connect scan is the basic scanning technique that uses the connect system call of an OS to open a connection to all port that is available.

    this image shows how it works..

    to find TCP ports in Nmap use the command..

    working of TCP protocol
    working of TCP protocol

    nmap -sT (IP address)

    TCP ports scan in nmap
    TCP ports scan in Nmap

     Half-open scan:

      while TCP connection it does not connect with the server so it's stealthy scan

    like TCP scan we send syn packet first.

    then the server sends syn/ack packet to us..
    but in the last instead of ack we send the server a reset packet in Half-open scan that's why its called stealth scan. the server didn't connect instead it resets and makes it undetectable..

    nmap -sS  (target Ip)

    TCP XMAS Scan

    It is used to identify listening ports on the targeted system. The scan manipulates the PSH, URG,  and FIN flags of the TCP header. it sends a reset response when ports are close and do not respond when a port is open
    use this Nmap command..

    nmap -sX  (target Ip)

    TCP FIN Scan

    This port scan can stay undetected through most of Scan detection programs, and other Scan IDS and Firewalls. It sends FIN bundles to the focused on the framework and readies a report for the reaction it got

    In FIN flag  while closed ports send a reset response and

    TCP packets sent to the target open ports don't respond.

    nmap -sF (target Ip)

    TCP ACK Scan:

     sometimes active websites also do not send ICMP ping in answer.

    by using TCP ACK Scan attacker can see the port status by an acknowledgment received

    use command in Nmap

    nmap -sA (target Ip)

    Null Scan: 

    Works by sending TCP packets with no flags set to the target. Open ports do not respond while closed ports respond with a RESET packet

    nmap -sN (target Ip)

    Nmap Faq


    Q: What are Some Nmap Alternatives?


    Nmap is a popular open source network security scanner used by security professionals and network administrators.

    It is used to perform network exploration, port scanning, and security auditing. However, there are other alternatives to Nmap that offer similar features. These include Metasploit, OpenVAS, Nessus, and Wireshark.

    Metasploit is a powerful tool for discovering and exploiting vulnerabilities in networks and applications. OpenVAS is a free and open source vulnerability scanner that is used to audit networks and detect vulnerabilities.

    Nessus is a popular commercial vulnerability scanner that provides comprehensive coverage of vulnerabilities. Wireshark is a great tool for analyzing network traffic and troubleshooting network issues. Each of these alternatives has their own unique features and advantages, so it is important to evaluate each one to determine which one is best suited for your needs.


    Q: How Does Nmap Work?


    Nmap is a powerful tool for network exploration and security auditing. It is used to scan networks and identify open ports, services, and hosts on a network.

    To use Nmap, a user must first download and install the application. Once installed, the user can enter the command line to execute various commands and scan specific networks.

    For example, a user can use the command "nmap -sS " to perform a stealth scan of the target IP address.

    The output of the command will show all the open ports, services, and hosts on the target network.

    Nmap can also be used to perform various other tests such as operating system fingerprinting, port scanning, and vulnerability scanning. Nmap is a powerful and versatile tool for network exploration and security auditing.


    Nmap Scripting Engine.


    The Nmap Scripting Engine (NSE) is a powerful tool that allows users to extend the capabilities of the Nmap network discovery and security scanner. NSE scripts are written in the Lua programming language and provide users with a wide range of functions and capabilities.

    NSE scripts can be used to perform a broad range of tasks, including port scanning, vulnerability detection, service identification, and even creating custom network communication. NSE scripts are loaded using the -sC option and can be further customized using the -script option.

    Additionally, users can take advantage of the Nmap Script Database to download existing scripts, or they can create their own. With the Nmap Scripting Engine, users have a powerful tool at their disposal to extend the capabilities of the Nmap scanner.


    NSE scripts

    NSE scripts

    just to know how to use NSE-Scripts here is an example of NetBIOS Enumeration

    Here in image Nmap nbtstat NSE script is used to enumerate NetBIOS.. 

    Nmap NetBIOS script
    Nmap NetBIOS script


    Nmap is a very useful tool in scanning and enumeration it gives us a whole lot of information about the victim.. which is further helpful in exploitation and other hacking techniques.

    Happy Hacking... 😊
    Check out More 👇👇

    You may like these posts