Home arrow News arrow articles/tutorials arrow NMap tutorial for beginners - Part 1
Main Menu
Help Docs
Gnu/Linux Distros
Aaj Ka Tip
Aaj Ka Command
Free Software

NMap tutorial for beginners - Part 1 Print E-mail

Nmap-Part 1

(Network Mapper)

Running on console/command prompt


First part of two tier tutorial.

Nmap is great security tool developed by “Fyodor”. Basically it was a *nix tool but now available on various platforms and with GUI as well.

This tutorial is for newbie’s and skiddies who would like to learn the proper way of using it. Geeks can use it to brush up the things.

I would opt the command line/console, as I love it. I won’t be going in great depth of NMap. For that you should read some book on it. I’ll try to give examples in between.

I’m assuming that you are “root”. Normal user won’t be able to execute many of its powerful scanning techniques. So let’s start….


Let the IP address to be scanned is Simply it can be done as:


# nmap


Few default things have also been executed along with the above mentioned string. The actual string executed is:


#nmap –R –sS


Lets deal with “-R” here, will see –sS later on.

It’s a query to DNS server for reverse DNS name lookup i.e. requesting for some “name” attached with the specified IP address. It’s generally the case with servers. Hence if you don’t need the “name” desperately, avoid it using “-n” option.


#nmap –n or #nmap –n –sS (both are same)


‘-n’ disables Reverse DNS. Many DNS servers log name resolutions, so running an Nmap scan without disabling name resolution may cause Nmap station to appear in the DNS logs it attempts to resolve the name of every workstation it scans!

Disabling this option will speed up the scan manifold especially if you are scanning many machines simultaneously.


Now you may notice that Nmap doesn’t do anything for a while and then suddenly it comes up with result. It actually does lot of work in that duration. To see all that you must use ‘-v’ option, called as verbose.


#nmap –v –n


For more verbosity use ‘v’ twice


#nmap –vv –n




Scanning more than one machine

Ok, so up to here we were scanning one host only. What will you do to scan more than one host?

There are various ways of doing this. Let’s consider few of them, rest you should be able to think of:

Suppose you have to scan, and


# nmap -vv –n,2,3 or


# nmap –vv –n


generalizing further


#nmap –vv –n,6,12-20.

It will scan 1,2,3,6 and 12 to 20.


If you have to scan all the 254 machines:

# nmap –vv –n or

# nmap –vv –n 192.168.0.*  or

# nmap –vv –n   (you should know subnetting for it)


# nmap –vv –n 192.168.1-2.*. It will scan to It can also be written as

#nmap –vv –n 192.168.1,2.0-255

Hope you have enough brain to get these things.





Scanning specific ports:

Suppose you have to scan specific ports only and not the defaults ones. You should use ‘-p’ for that


# nmap –vv –p 80  It will scan port 80


# nmap –vv –p 21,23,25,80-100

. It will scan port number 21, 23, 23 and 80 to 100.


# nmap –vv –n –p 21,23,25 192.168.1-2.*

·        Verbose mode (for interactive mode)

·        Disabled reverse DNS lookup (speed up and doesn’t let DNS server log anything)

·        Scanning specific ports

·        Scanning to machines.



Various Scanning options:

There are many scanning options available with Nmap. All have their advantages and disadvantages. You should use them according to your requirements.


·        -sS: SYN scanning

TCP SYN scan gather information about open ports without completing the TCP handshake process. When an open port is identified, the TCP handshake is reset before it can be completed. This technique is often referred to as “half open” scanning.

It’s the default scanning technique if you are “root”. It’s the most common scan to use because it works on all networks, across all operating systems.



The TCP SYN scan never actually creates a TCP session so isn’t logged by the destination host’s applications. And hence it’s a quiet scan.


You need privileged access to the system.


# nmap –vv –n –sS


·        -sT: TCP connect scanning

It performs the 3-way handshake.



You don’t need to have privileged access.


Since it completes a TCP connection so apparent when application connection logs are examined.

I would suggest you to never ever use this scan.


# nmap –vv –n –sT


·        -sF, -sX, -sN: FIN scan, Xmas tree scan, NULL scan.

These are called “stealth” scans. They send a single frame to a TCP port without any TCP handshaking or additional packet transfers. They are more “stealth” than SYN scan and must be used if the remote machine is not a Windows-based machine. I’ll tell you why.

These scans operate by manipulating the bits of the TCP header. Nmap creates TCP headers that combine bit options that should never occur in the real world. These purposely mangled TCP header packets are thrown at a remote device, and nmap watches for the responses.

Window-based systems will reply with a RST frame for all queries, regardless of the status of the specific port that was queried.



Since no TCP sessions are established, they are quiet stealthy.



Can’t be used against windows-based machine.


# nmap –vv –n –sF

# nmap –vv –n –sX

# nmap –vv –n –sN


·        -sU: UDP scan.

The only scan in the arsenal of Nmap to identify UDP ports.


# nmap –vv –n –sU




·        -sO: Protocol scan

Sometimes it has to be checked that what protocols the remote machine is running. It locates uncommon IP protocols that may be in use on the remote system. Hence it helps determining the type of remote device, i.e. is that router or printer or workstation etc.



This scan will appear on any network monitoring application that identifies the IP protocol types in use.


# nmap –vv –n –sO


·        -sR: RPC scan.

It’s used to locate and identify RPC applications. It runs automatically during a version scan (-sV, explained later)



RPC scan opens application sessions and hence it will be logged.


# nmap –vv –sR


·        -sV: Version scan

The scans which we have seen by now give you the status of the port and the service running on them. For exploiting the service you need the exact version number of the service. Version scan gives you this.



It opens sessions with the remote applications, which will often display in an application’s log file.


# nmap –vv –sV


·        -sA: ACK scan

Its quiet useful when there is some packet filtering device or firewall. It never locates an open port. It does the job of identifying ports that are filtered through a firewall. It doesn’t open any application sessions and hence the conversation between nmap and the remote device is relatively simple.



It can only tell whether port is filtered or unfiltered.  But can never definitively identify an open port.


# nmap –vv –sA


·        -sI: Idle scan

It’s the stealthy most scan you can have. Tough to launch because you need a zombie for it. It would not be justice with this great scan to be described in just few lines. I would recommend you to read it in detail.



You will never be caught.



Tough to launch as it’s not easy to find some zombie machine.


·        -sP: Ping scan:

You must have heard of Ping sweep. It’s Nmap’s ping sweep.


# nmap –vv –sP

will check whether this machine is up or not


# nmap –vv –sP 192.168.0.*

will check the whole subnet (254) machines and will tell you which are up.



          Ping scan will not interoperate with any other type of scan.


·        -sW: Window scan

Forget it. As the number of operating systems vulnerable to its methodology is dwindling as operating systems are upgraded and patched.


·        -sL: List scan

Would like to say only one line about it that you must use it if a separate application provides nmap with a list of IP addresses. Rest read yourself.



O/S fingerprinting and version detection


Ok, now you can use various scanning techniques to look for open/closed or filtered/unfiltered TCP as well as UDP ports. Don’t you want to know the remote operating system running???



Operating system fingerprinting.


# nmap –vv –O

It will tell you or at least tries its best to tell you the remote operating system along with the version it’s using. It at least need one open and one close TCP port. In case it doesn’t, it won’t be able to give the accurate result. In that case you should use some third party tool.



A trained eye will quickly identify that someone is watching the network.



Version detection

As has been explained it will help you know the version of the service running on the remote machine.


# nmap –vv –sV




Named as Additional, Advanced, and Aggressive option. Its comprises of both the operating system fingerprinting process (-O) and the version scanning process (-sV).

i.e following two are same:


# nmap –vv –sV –O and

# nmap –vv –A 192.168.01.





Enough for part-1. Would be discussing some more advanced options in second series of this article.





< Previous   Next >

Join Us
About Us
Contact Us
Support Us
Login(only for dev.)

Royalty Free Images

O'Reilly User Group discount!

Powered By GIMP GIMP
Contact Webmaster Copyleft 2011 gnulinuxclub.org