NMap tutorial for beginners-part 2



It’s assumed that you are root. Many options won’t work or
better to say will switch to other kind of scans if you are not root. And
sometimes it may even not give any warning before doing that. So beware!!! You
may get logged.


Let’s start it with various PING
features available with Nmap.

PING is a necessary evil. I’ll
explain it later on.


Nmap Ping Methods:


First thing which should always be kept in mind is that Ping
options are used to identify whether remote machine is up or not. Determining
the open ports and services running on them is not the headache of Ping
scan. Hence do your best using various Ping options to
determine whether remote machine is up or down or being protected by some


Note: If user doesn’t specifies a particular ping type, an
ICMP Echo Request (-PE) followed by TCP ACK Ping (-PA) (by default on port 80
because most packet filters allow port 80) takes place. You can confirm it
looking up the default ping options selected in the GUI Nmap.


Nmap provides various kinds of PING
options and note that all of them start with the letter ‘P’. Various combinations
of these Ping options can be used in order to increase
the chances of getting across packet filters and firewalls.


  • -PE      ICMP
    Echo Request

It’s simply the ICMP Echo request
and corresponding ICMP Echo reply packet and is best to determine the
availability of machine. Drawback is that it’s the most common protocol
filtered by firewalls/packet filters. If you get response to this ping, it’ll
indicate that there is very less filtering between you and your destination.


  • -PA[port number]       TCP ACK Ping

Helpful to determine
filtered/unfiltered ports, hence useful when there is some firewall protecting
the machine.


#nmap –vv –PA23,110


Here in this example, NMap will
ping port 23 and 110 of the remote machine with ACK packets. If the remote
machine is up or unfiltered, it will respond with RST packet. But in case it’s
down or ports are filtered, there will be no response and hence the scan will
stop. Hence in order to get through firewall, try different ports.

If no port is specified, port
number 80 will be pinged (which is generally the best one to ping as most
packet filters allow traffic to port number 80).


These two above specified Ping
scans run by default when you don’t specify any kind of Ping



  • -PS[port number]        TCP SYN Ping

Its functionality is same as SYN
scan. Nmap machine sends SYN packet to remote machine. Open port will respond
with ACK/SYN and closed will respond with RST. Hence can be used to determine
whether remote machine is up or not. Ports can be specified, 80 is the default


#nmap –vv –n –PS           (will ping port number 80)

#nmap –vv –n –PS23,110            (will ping 23 and 110 number ports)



  • -PU[port number]       TCP UDP Ping

By default it sends UDP frames at
port number 31338. UDP frames sent to closed ports responds with “ICMP port
unreachable” message. If the remote port is open, it may or may not respond,
because many UDP applications don’t send a response to any random incoming
frame. Hence it should be tried to send the UDP frame to closed port. It
heavily relies on ICMP packets, so if ICMP is filtered there may be no response
to the UDP ping.


#nmap –vv –n –PU           (default port is 31338)

#nmap –vv –n –PU<any
port which you think would be closed>



  • -PP      ICMP
    Timestamp Ping

ICMP Timestamp ping is used to
allow two separate systems to coordinate their time-of-day clocks.

Avoid using it as NTP (Network Time
Protocol) has replaced it. Hence Timestamp packets may raise eyebrows of
trained eyes.

Moreover it doesn’t works properly
when firewall is there as it relies heavily on ICMP.


  • -PM     ICMP
    Address Mask

It operated by sending an ICMP
address mask request to a remote device. Most modern operating systems and
routers will not respond to this request, hence this ICMP ping type doesn’t
work on most modern systems.

Hence forget it.






If some firewall or packet filter is there on the remote device, better
choice would be a non-ICMP based ping type



  • PO      Don’t Ping

If you know that the remote machine
is up and running, you can use this option to remain a bit stealthier. Hence
direct scanning of the target will start without pinging the machine. It should
be used when using Decoys, otherwise ping packets will reach target from your
machine only and from none of the decoys. Hence the purpose of using Decoys
will loose its essence.

But as I told “Ping
is a necessary evil”, Nmap gather some important timing information from the
ping process, so disabling the ping process will put nmap at a disadvantage
when the scan begins. Actually it determines the accurate round-trip-time
during ping.






Something about operating system


The usage of –O has been discussed
in the 1st part of this tutorial. It gives the information of the
operating system running on the remote machine which is must before launching
some kind of exploit.

For this Nmap need at least one
open and one closed port. If it doesn’t get, it may not give the correct


  • –osscan_limit

This option will abort OS
fingerprinting if both open and closed ports are not available, hence will save
a hell lot of time instead of getting incorrect results.

I personally feel that third party
tools should also be used to get the correct results about the remote machines
operating system.



  • -A (Additional, Advanced, and

Its combination of “-O” and “-sV”
i.e. operating system fingerprinting and service version scan


#nmap –vv –n –O –sV

is same as

#nmap –vv –n -A





Inclusion and Exclusion of Hosts and


Sometimes it may be the scenario
that you don’t want to scan particular IP address or range of IP addresses.
E.g. Government IP’s or IP’s of routers and switches of your network etc.

So here we have few options for


  • Exclude Targets (–exclude <host 1,
    host 2, host 3….>)

The IP addresses specified will not
be scanned by Nmap.


#nmap –vv –n –sS –exclude,


This will scan the whole subnet
except,,, and




  • Exclude Targets in File (–excludefile
    <file name>)

Here instead of specified the IP
addresses which must not be scanned, user has to maintain a file including the
list of IP address, one IP address per line.


#nmap –vv –n -sS 192.168.*.*
–excludefile filename.txt


Content of filename.txt could be as
following:              (exclude à

192.168.3-5.*              (exclude à

192.168.6.*                 (exclude à



The benefit of –excludefile option
is that a permanent exclusion file can be made including IP address of
organizations/individuals whom you would never like to scan These IP address
may not be the part of current scan, but it won’t harm making such a permanent
exclusion file and upgrading it.


–excludefile and –exclude options
can’t be used on the same scan.



  • Read Targets from File (-iL

Instead of supplying IP address at
the command line of Nmap scan, a file can be maintained containing IP addresses
separated by tabs, spaces, or by separate lines.


When this option is used, any IP
address specified on the command line will be ignored without any warning


#nmap –vv –n –iL input.txt

#nmap –vv –n –iL input.txt            (Here
will be ignored)


If host exclusion options,
–exclude or –excludefile, are used with –iL option, the excluded addresses
will override any inclusions on the command line or file.




Random number of Targets


  • -iR <number of hosts to be


You may be
looking for just web server’s or some other server’s world wide, i.e.          Random machines running a particular
service on a particular port only.

E.g. telent at
port number 23

SMTP at port
number 25

Web server at
port number 80 etc.


#nmap –vv –n –iR
100 –p 80

scan 100 random
machines for port number 80


#nmap –vv –n –iR
0 –p 80       (that’s zero and not capital

Scan “unlimited” number of machines
for port number 80. So here you see, Nmap will scan thousands and thousands of
machines. Scan won’t begin to report any result until 500 hosts are identified.
Hence run this type of scan with one of Nmap’s logging option (will be
discussed soon)


#nmap –sS –PS80
–iR 0 –p 80

It will run a
TCP SYN scan using a SYN ping on port 80 to an unlimited number           of random IP addresses. The SYN scan
only scans port 80.


-iL, –exclude,
–excludefile, none of them can be used with –iR option.


  • –randomize_hosts

–vv –randomize_hosts –p 80 192.168.*.*        


As its clear from the scan command,
nmap will randomize the hosts to be scanned.

-iL, –exclude, and –excludefile
can be used with this option.


of 2,048 hosts at a time are randomly chosen, and hence makes entire scan       less conspicuous when examining traffic







Various Logging Options


You may want to store the output of
Nmap. Reasons may be any of the following:

1.      You
are scanning hundreds of machines, so don’t want to stare at monitor for all
the time.

2.      You
are starting the scan in night and would like to see the result in morning.

3.      You
may want to keep the records for future reference

4.      You
want to pause/stop Nmap and at later time would like to resume the scan.

many more reasons could be there.


So here are the various logging
options for NMap



  • Normal Format:

      -oN <log file name>


saves a similar view of the output that’s displayed on the screen during an
nmap          scan. No need to assign any
extension to the output file. It will have .nmap          extension.


  • XML Format

      -oX <log file name>  


presents the output of Nmap in very nice format in any browser. Actually Nmap         includes an XSL file that translates the
XML information into a viewable HTML        format
that can be displayed in any browser.

output file will have .xml extension.


  • Grepable Format

      -oG <log file name>  


output file will have .gnmap extension.


  • All Formats

      -oA <base file name>


produce three output files, Normal,
XML and Grepable.   

the name of base file is target, so you will get the following three files:

    1. target.nmap
    2. target.xml
    3. target.gnmap


  • Script Kiddie Format

      -oS <log file name>


would be in script Kiddie language




Resuming the scan


It’s a good thing to do. You may be
in the midst of a long scan when you have to turn off your computer or power
failure etc. Can be interrupted using control-C key combination.

Suppose you are scanning a subnet
of 100 machines and currently machine number 45 is getting scanned when you stop
the scan. When you resume the scan next time, all the machines which were
scanned before machine number 45 won’t be scanned again. But the scanning of
machine 45 will start from scratch again as it was interrupted in between.

Hence do not use resuming option
when you are scanning only one machine.


–resume <log file name>


This log file
has to be either in Normal format (-oN) or Grepable
(-oG) format. XML output won’t work with it.


If a scan is interrupted that used
the –randomize_hosts option, nmap has no method to recreate the same randomness
that was used in the initial scan. Hence it may repeat some scan and may skip
some of the hosts. So don’t use it with –randomize_hosts option.



Few options which generally should
always be included in all scans are:

-vv             verbose mode

-n               speeds
up the scan and log is maintained on the DNS servers.

-oA            to get output files so that scan can be resumed.

–excludefile           It should be update with the most
important IP addresses.


I’m leaving the various options of
packet tuning and timing options as they should be considered as advanced
techniques and this tutorial is for beginners specially.


I would write one more article in
this series containing thing which must be and must not be done using Nmap.



Reference: Nmap man pages and
“Secrets of Network Cartography” by James Messer





Leave a Reply

Your email address will not be published. Required fields are marked *