Nmap

Nmap ("Network Mapper") is a free and open-source utility for network discovery and security auditing. It is an essential tool in a penetration tester's arsenal and just as useful for defenders verifying their own exposure.

Basic Usage

Simple Scan

nmap target.example.com

Scan Specific Ports

nmap -p 22,80,443 target.example.com

Scan Port Range

nmap -p 1-1000 target.example.com

Scan All Ports

nmap -p- target.example.com

Advanced Scanning Techniques

SYN Scan (Stealth Scan)

sudo nmap -sS target.example.com

UDP Scan

sudo nmap -sU target.example.com

OS Detection

sudo nmap -O target.example.com

Version Detection

nmap -sV target.example.com

Comprehensive Scan

# -A already implies -sV, -sC, -O and traceroute; they are repeated here for readability
sudo nmap -sS -sV -sC -A -O -p- target.example.com

Network Scanning

Scan a Subnet

nmap 192.168.1.0/24

Scan Multiple Targets

nmap 192.168.1.1 192.168.1.2 192.168.1.3

Scan from a File

nmap -iL targets.txt

Output Options

Save Output to a File

nmap -oN scan_results.txt target.example.com

Save in XML Format

nmap -oX scan_results.xml target.example.com

Save in All Formats

nmap -oA scan_results target.example.com

Performance Options

Timing Templates

# Paranoid (0) - Very slow, used for IDS evasion
nmap -T0 target.example.com

# Sneaky (1) - Quite slow, used for IDS evasion
nmap -T1 target.example.com

# Polite (2) - Slows down to consume less bandwidth
nmap -T2 target.example.com

# Normal (3) - Default timing template
nmap -T3 target.example.com

# Aggressive (4) - Assumes you're on a reasonably fast and reliable network
nmap -T4 target.example.com

# Insane (5) - Very aggressive; may overwhelm targets or miss open ports
nmap -T5 target.example.com

Probe Parallelism

# --min-parallelism sets the minimum number of probes kept in flight against a host group;
# it does not change how many hosts are scanned at once (use --min-hostgroup for that)
nmap --min-parallelism 100 target.example.com

Evasion Techniques

Fragmentation

sudo nmap -f target.example.com

Decoy Scan

sudo nmap -D decoy1.example.com,decoy2.example.com,ME target.example.com

Spoof MAC Address

sudo nmap --spoof-mac 00:11:22:33:44:55 target.example.com

NSE Scripts

The Nmap Scripting Engine (NSE) extends a scan with scripts for service enumeration and vulnerability checks:

Vulnerability Scanning

nmap --script vuln target.example.com

Default Scripts

nmap -sC target.example.com

Specific Script

nmap --script http-title target.example.com

Multiple Scripts

nmap --script "http-*" target.example.com

Practical Examples

Basic Network Enumeration

nmap -sV -sC -oA network_enum 192.168.1.0/24

Web Server Scan

nmap -p 80,443 --script "http-*" target.example.com

Find All Open SMB Shares

nmap -p 445 --script smb-enum-shares 192.168.1.0/24

Check for EternalBlue Vulnerability

nmap -p 445 --script smb-vuln-ms17-010 target.example.com

Stealthy Scan for Firewall Evasion

sudo nmap -sS -T2 -f -D 192.168.1.101,192.168.1.102,ME target.example.com

Cheat Sheet

Command                          Description
nmap -sS target                  TCP SYN scan
nmap -sT target                  TCP connect scan
nmap -sU target                  UDP scan
nmap -sV target                  Service/version detection
nmap -sC target                  Default script scan
nmap -O target                   OS detection
nmap -A target                   Aggressive scan (OS + version + scripts + traceroute)
nmap -p 1-65535 target           Scan all ports
nmap -p- target                  Scan all ports (shorthand)
nmap -p http,https target        Scan named ports
nmap -F target                   Fast scan (top 100 ports)
nmap -T0-5 target                Timing templates (higher is faster)
nmap -oN results.txt target      Save output to text file
nmap -oX results.xml target      Save output to XML
nmap -oG results.gnmap target    Save output in grepable format
nmap -oA results target          Save in all formats
