The Latest
No comments

Nmap Quick Start Guide: Essential Scans and Commands

Mitrev
Contents hide
1 Installation
2 Specifying Targets
3 Fundamental Scan Types
3.1 1. Ping Scan (-sn) – Host Discovery Only
3.2 2. Default Scan (TCP SYN Scan / Stealth Scan – -sS)
3.3 3. TCP Connect Scan (-sT)
3.4 4. UDP Scan (-sU)
4 Common Nmap Options
5 Interpreting Basic Results
6 Putting It Together: Example Scan
7 Ethical Considerations
8 Conclusion

Welcome to the world of network exploration with Nmap (Network Mapper)! If you’re looking for an Nmap quick start guide, you’ve come to the right place. Nmap is an indispensable, free, and open-source utility used by network administrators, cybersecurity professionals, and ethical hackers worldwide for network discovery and security auditing. It allows you to determine which hosts are available on a network, what services (application name and version) those hosts are offering, what operating systems they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. 

This guide focuses on getting you up and running quickly with the most fundamental Nmap scans and options, providing a solid foundation for further exploration.

Installation

Before you can scan, you need Nmap installed.

  • Linux (Debian/Ubuntu): sudo apt update && sudo apt install nmap
  • Linux (Fedora/CentOS/RHEL): sudo dnf install nmap or sudo yum install nmap
  • macOS: If you have Homebrew: brew install nmap
  • Windows: Download the official installer from the Nmap website.

Verify the installation by opening a terminal or command prompt and typing nmap -V. You should see the installed Nmap version.

Specifying Targets

The first step in any Nmap scan is telling it what to scan. Nmap is very flexible:

  • Single IP Address: nmap 192.168.1.1
  • Hostname: nmap scanme.nmap.org (Use this domain provided by Nmap for safe testing)
  • CIDR Notation (Subnet): nmap 192.168.1.0/24 (Scans IPs from 192.168.1.0 to 192.168.1.255)
  • Range of Addresses: nmap 192.168.1.1-50 (Scans IPs from 192.168.1.1 to 192.168.1.50)
  • List from a File: nmap -iL targets.txt (Where targets.txt contains one IP/hostname/range per line)

Fundamental Scan Types

Nmap offers numerous scan types, but let’s start with the essentials.

1. Ping Scan (-sn) – Host Discovery Only

Sometimes, you just want to know which hosts on a network are online, without probing their ports. This is called a ping scan (previously known as -sP).

Bash

nmap -sn 192.168.1.0/24

This scan is relatively stealthy and quick. It sends ICMP echo requests, TCP SYN packets to port 443, TCP ACK packets to port 80, and an ICMP timestamp request by default to determine liveness. It doesn’t perform port scanning, so the output will simply list hosts that responded.

2. Default Scan (TCP SYN Scan / Stealth Scan – -sS)

If you run nmap <target> without specifying a scan type and you have root/administrator privileges, Nmap defaults to the TCP SYN scan (-sS). This is often called a “stealth scan” or “half-open scan.”

Bash

sudo nmap 192.168.1.1
# or explicitly:
sudo nmap -sS 192.168.1.1

How it works: Nmap sends a TCP packet with the SYN (synchronize) flag set to the target port.

  • If the port is open, the target responds with a SYN/ACK (synchronize/acknowledge) packet. Nmap sends an RST (reset) packet, tearing down the connection before it’s fully established. This avoids logging by many systems.
  • If the port is closed, the target responds with an RST packet.
  • If no response is received (or an ICMP unreachable error), the port is marked as filtered (likely behind a firewall).

Note: This scan requires raw socket privileges, hence the need for sudo or running as root/administrator.

3. TCP Connect Scan (-sT)

If you don’t have root privileges or are scanning IPv6 networks, Nmap defaults to the TCP Connect scan.

Bash

nmap -sT 192.168.1.1

This scan uses the operating system’s connect() system call to establish a full TCP connection with the target port.

  • If the connection succeeds, the port is open.
  • If the connection fails, the port is closed. This scan is less stealthy than a SYN scan as it completes the TCP handshake, making it more likely to be logged.

4. UDP Scan (-sU)

Scanning for open UDP ports is important but more challenging and slower than TCP scanning.

Bash

sudo nmap -sU 192.168.1.1

How it works: Nmap sends UDP packets to target ports.

  • For most ports, no response means the port is open|filtered. Nmap can’t be sure if the packet reached an open port that didn’t reply, or if a firewall dropped it.
  • If an ICMP port unreachable error is received, the port is closed.
  • If some UDP services respond, the port is marked open.

UDP scans are significantly slower because Nmap needs to wait for potential timeouts. Combining it with version detection (-sV) helps differentiate between open and filtered states. This scan often requires root privileges for raw socket access for efficiency.

Common Nmap Options

Enhance your scans with these useful options:

  • Port Specification (-p): By default, Nmap scans the 1000 most common ports. Specify your own:
    • Single port: -p 80
    • Comma-separated list: -p 80,443,22
    • Range: -p 1-1024
    • All ports (slow!): -p-
    • Specific protocols: -p T:22,U:53 (Scan TCP port 22 and UDP port 53)
  • Timing Templates (-T<0-5>): Control scan speed vs. accuracy/stealth.
    • -T0 (paranoid) / -T1 (sneaky): Very slow, for IDS evasion.
    • -T2 (polite): Slows down to use less bandwidth.
    • -T3 (normal): Default speed.
    • -T4 (aggressive): Faster, assumes a good network. Good for quick scans.
    • -T5 (insane): Very fast, may sacrifice accuracy and overwhelm targets.
    • Usage: nmap -T4 192.168.1.1
  • Output Formats (-oN, -oX, -oG): Save your results.
    • -oN <filename.nmap>: Normal human-readable output.
    • -oX <filename.xml>: XML format, good for machine parsing.
    • -oG <filename.gnmap>: Grepable format, useful for command-line tools.
    • -oA <basename>: Save in all three formats (basename.nmap, basename.xml, basename.gnmap).
    • Usage: nmap -oA scan_results 192.168.1.1
  • Verbosity (-v, -vv): Get more detail about the scan progress.
    • -v: Increased verbosity.
    • -vv: Even more detail.
  • Service Version Detection (-sV): Try to determine the service/version running on open ports. Very useful!
    • Usage: sudo nmap -sV 192.168.1.1
  • OS Detection (-O): Attempt to identify the target operating system (requires root/sudo and at least one open and one closed TCP port).
    • Usage: sudo nmap -O 192.168.1.1
  • Aggressive Scan (-A): Enables OS detection (-O), version detection (-sV), script scanning (-sC), and traceroute (--traceroute). Convenient but noisy.
    • Usage: sudo nmap -A 192.168.1.1
  • Disable DNS Resolution (-n): Don’t perform reverse DNS lookups on target IPs. Can speed up scans significantly, especially on large networks.
    • Usage: nmap -n 192.168.1.0/24

Interpreting Basic Results

Nmap reports the state of scanned ports:

  • open: An application is actively accepting connections on this port.
  • closed: The port is accessible (responds to probes) but no application is listening.
  • filtered: Nmap cannot determine if the port is open because packet filtering (e.g., a firewall) prevents probes from reaching the port. Nmap doesn’t receive a response or gets an error indicating filtering.
  • unfiltered: Accessible, but Nmap cannot determine if it’s open or closed (only occurs during ACK scans).
  • open|filtered: Nmap cannot distinguish between open and filtered (common in UDP scans).
  • closed|filtered: Nmap cannot distinguish between closed and filtered.

Putting It Together: Example Scan

Let’s run a reasonably fast scan on a single host, checking the most common ports, attempting version detection, and saving the output:

Bash

sudo nmap -sV -T4 -oN single_host_scan.nmap 192.168.1.5

This command:

  1. Uses sudo for potential raw socket access (needed for default -sS and potentially -sV).
  2. Performs service version detection (-sV).
  3. Uses the aggressive timing template (-T4) for speed.
  4. Saves the output in normal format to single_host_scan.nmap.
  5. Targets the IP 192.168.1.5.

Ethical Considerations

Crucial: Only run Nmap scans against networks and hosts you have explicit permission to test. Unauthorized scanning is illegal and unethical. Use Nmap responsibly for learning, network administration, and authorized security assessments. The scanme.nmap.org domain is provided for safe, legal testing.

Conclusion

This Nmap quick start guide has covered the basics of installing Nmap, specifying targets, performing fundamental scan types (Ping, SYN, Connect, UDP), using common options like port selection, timing, output formats, and version detection, and interpreting the results. Nmap is an incredibly powerful tool with vast capabilities far beyond this introduction. Practice these basic commands, consult the Nmap documentation (man nmap or the official website), and explore its advanced features like the Nmap Scripting Engine (NSE) as you become more comfortable. Happy (ethical) scanning!

Leave a Reply

Your email address will not be published. Required fields are marked *