Nmap

Network Mapping and Security Scanning Tool

Legal Notice: Only use Nmap on networks you own or have explicit permission to scan. Unauthorized network scanning may violate laws and organizational policies.

Interactive Nmap Command Builder

Builder default: SYN scan (what Nmap runs by default when it has raw-packet privileges) of the 1000 most common TCP ports, shown with an example target.

nmap 192.168.1.1    Detection risk: LOW

What is Nmap?

Network Mapper (Nmap)

Nmap is a free and open-source network discovery and security auditing tool. It sends crafted IP packets and interprets the responses (or the lack of them) to determine:

  • Host Discovery: What hosts are available on the network
  • Port Scanning: What services (ports) are open on those hosts
  • Version Detection: What application name and version those services are running
  • OS Detection: What operating systems and versions they are running

Primary Use Cases
  • Security Auditing: Identify exposed services, misconfigurations and, through NSE scripts, some known vulnerabilities
  • Network Inventory: Discover devices and services on your network
  • Monitoring: Monitor host and service uptime
  • Penetration Testing: Reconnaissance phase of security testing

Nmap Scan Types

Description: Default scan - a SYN scan when Nmap has raw-packet privileges, a TCP connect scan otherwise

Command: nmap

How it works: With no scan-type flag, Nmap uses -sS when run as root (or with equivalent raw-socket capabilities) and silently falls back to -sT when not. The SYN scan sends a SYN to each target port: a SYN-ACK means the port is open, an RST means it is closed, and no reply after retransmission (or an ICMP unreachable error) means it is filtered.

Advantages: Fast, and because the handshake is never completed the listening application does not see a connection

Disadvantages: The raw-packet form requires root privileges on Unix systems; run with -v and check for "Initiating SYN Stealth Scan" versus "Initiating Connect Scan" to confirm which one actually ran

Detection Risk: LOW

Description: Full TCP connection - more detectable but reliable

Command: nmap -sT

How it works: Uses the operating system's connect() call to complete the full three-way handshake with each port, then closes the connection

Advantages: Works without root privileges; very reliable because the OS network stack handles the connection

Disadvantages: Every open port receives a real connection that the service sees and typically logs; slower than a SYN scan because each handshake must complete and Nmap cannot control the individual packets

Detection Risk: MEDIUM

Description: Half-open scan - the same scan the default entry above runs when privileged, requested explicitly

Command: nmap -sS

How it works: Sends a SYN packet and, on receiving a SYN-ACK, answers with an RST instead of the ACK that would complete the handshake, so no connection is ever established

Advantages: Fast and accurate; because the handshake never completes, the target application receives no connection and logs nothing

Disadvantages: Requires root privileges (raw sockets); "stealth" is a historical label, since any network IDS or firewall log still records the SYN probes

Detection Risk: LOW

Description: Scan UDP ports - slower but comprehensive

Command: nmap -sU

How it works: Sends a UDP packet (empty, or a protocol-specific payload for well-known ports) to each target port. An ICMP port-unreachable reply means closed, any UDP reply means open, and silence is reported as open|filtered, because a listening service that ignores the probe and a firewall that drops it look identical

Advantages: Discovers UDP services (DNS, DHCP, SNMP, NTP) that TCP scans cannot see

Disadvantages: Very slow, because most systems rate-limit ICMP errors (Linux defaults to about one per second) and closed ports can only be confirmed through those errors; many ports stay open|filtered unless the scan is combined with -sV, whose service probes can resolve them

Detection Risk: MEDIUM

Description: Aggressive scan - OS detection (-O), version detection (-sV), the default NSE scripts (-sC) and --traceroute in one switch

Command: nmap -A

Detection Risk: HIGH

This scan type is easily detected: version probes and NSE scripts open real connections and send application-level requests that IDS/IPS systems and the services themselves log

Description: Detect service versions

Command: nmap -sV

How it works: Connects to each open port, sends probes from the nmap-service-probes database and matches the replies to identify the application name and version

Detection Risk: MEDIUM (every probed port sees a real connection and may log it)

Essential Nmap Commands

Command                          Description                         Use Case                     Speed
nmap 192.168.1.1                 Basic scan of single host           Quick port check             Fast
nmap -sS 192.168.1.0/24          Stealth scan of entire subnet       Network discovery            Medium
nmap -A scanme.nmap.org          Aggressive scan with OS detection   Detailed reconnaissance      Slow
nmap -sV -p 80,443 192.168.1.1   Version scan on specific ports      Web service identification   Fast
nmap -sU -p 53,161 192.168.1.1   UDP scan on DNS and SNMP ports      UDP service discovery        Medium
nmap --script vuln 192.168.1.1   Vulnerability scanning scripts      Security assessment          Slow

Understanding Nmap Output

Starting Nmap 7.93 ( https://nmap.org ) at 2024-01-15 10:30 GMT
Nmap scan report for 192.168.1.1
Host is up (0.00050s latency).
Not shown: 996 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
443/tcp open  https
8080/tcp open  http-proxy

Nmap done: 1 IP address (1 host up) scanned in 2.45 seconds

Key Elements:
  • Host Status: "Host is up" means the target answered a discovery probe (ARP on a local subnet, ICMP/TCP pings otherwise); hosts that drop pings need -Pn to be scanned at all
  • Latency: Round-trip time of that discovery probe
  • Port States: open, closed, filtered, unfiltered, open|filtered, closed|filtered (defined below)
  • Services: Names looked up from the nmap-services table by port number, not what is actually listening; only -sV identifies the real service
  • Not shown: The dominant state is collapsed into one line; here 996 of the 1000 default ports answered with an RST

Running the same scan with -sV adds a VERSION column:

Starting Nmap 7.93 ( https://nmap.org ) at 2024-01-15 10:30 GMT
Nmap scan report for 192.168.1.1
Host is up (0.00050s latency).
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 8.9p1 Ubuntu 3 (Ubuntu Linux; protocol 2.0)
80/tcp  open  http     Apache httpd 2.4.52 ((Ubuntu))
443/tcp open  ssl/http Apache httpd 2.4.52 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/
Nmap done: 1 IP address (1 host up) scanned in 12.34 seconds
Version Detection Benefits:
  • Service Versions: The product and version each service advertised in reply to Nmap's probes; treat them as claims, since banners can be suppressed or faked (Apache's ServerTokens Prod, for example, hides the version)
  • OS Information: Here inferred from service banners ("Ubuntu" in the SSH and Apache strings), which is cheaper but less certain than the TCP/IP stack fingerprinting that -O performs
  • Service Info: Additional details plus CPE identifiers, standard names that can be matched against vulnerability databases
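Reading this output by eye does not scale past a handful of hosts, and the text format loses the reason Nmap chose each state. The following is an added example, not code from the Nmap project or this page: it parses the XML that `nmap -sS -sV --reason -oX scan.xml <target>` writes into a per-host inventory, formats versions the way Nmap's text output does, and flags ports whose service name is only a port-number table guess rather than something -sV confirmed. `SAMPLE_XML` is a constructed scan loosely modelled on the output above, not a real capture; `defusedxml` is the assumed safer parser if the XML is not your own.

```python
"""Parse Nmap XML output (-oX) into a per-host inventory.

Added example for this page, not code from the Nmap project. SAMPLE_XML is a
constructed scan result, loosely modelled on the text output shown above.
"""
import xml.etree.ElementTree as ET  # use defusedxml for XML you did not produce
from dataclasses import dataclass, field

SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sV --reason -oX - 192.168.1.1" version="7.93">
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="192.168.1.1" addrtype="ipv4"/>
    <hostnames><hostname name="gateway.lan" type="PTR"/></hostnames>
    <ports>
      <extraports state="closed" count="996"><extrareasons reason="resets" count="996"/></extraports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="8.9p1 Ubuntu 3" extrainfo="Ubuntu Linux; protocol 2.0" method="probed" conf="10"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
        <service name="http" product="Apache httpd" version="2.4.52" extrainfo="(Ubuntu)" method="probed" conf="10"/></port>
      <port protocol="tcp" portid="443"><state state="open" reason="syn-ack"/>
        <service name="http" product="Apache httpd" version="2.4.52" extrainfo="(Ubuntu)" tunnel="ssl" method="probed" conf="10"/></port>
      <port protocol="tcp" portid="8080"><state state="filtered" reason="no-response"/>
        <service name="http-proxy" method="table" conf="3"/></port>
    </ports>
  </host>
  <runstats><finished elapsed="12.34"/><hosts up="1" down="0" total="1"/></runstats>
</nmaprun>
"""


@dataclass
class Port:
    proto: str
    number: int
    state: str
    reason: str      # why Nmap chose the state (needs --reason in the scan)
    service: str     # "ssl/http" when Nmap saw TLS on the port
    version: str     # product/version/extrainfo formatted like Nmap's text output
    probed: bool     # True only if -sV actually confirmed the service


@dataclass
class Host:
    address: str
    hostname: str
    status: str
    not_shown: str = ""
    ports: list = field(default_factory=list)

    def open_ports(self):
        return [p for p in self.ports if p.state == "open"]


def _service_fields(svc):
    """Fold a <service> element into (name, version, probed)."""
    if svc is None:
        return "", "", False
    name = svc.get("name", "")
    if svc.get("tunnel") == "ssl":
        name = "ssl/" + name
    version = " ".join(v for v in (svc.get("product"), svc.get("version")) if v)
    if svc.get("extrainfo"):  # Nmap prints extrainfo in parentheses
        version = f"{version} ({svc.get('extrainfo')})".strip()
    return name, version, svc.get("method") == "probed"


def parse_nmap_xml(xml_text):
    hosts = []
    for h in ET.fromstring(xml_text).findall("host"):
        addr = next(a.get("addr") for a in h.findall("address")
                    if a.get("addrtype") in ("ipv4", "ipv6"))
        hn = h.find("hostnames/hostname")
        host = Host(addr, hn.get("name") if hn is not None else "",
                    h.find("status").get("state"))
        extra = h.find("ports/extraports")  # the collapsed "Not shown" ports
        if extra is not None:
            host.not_shown = f"Not shown: {extra.get('count')} {extra.get('state')} ports"
        for p in h.findall("ports/port"):
            st = p.find("state")
            name, version, probed = _service_fields(p.find("service"))
            host.ports.append(Port(p.get("protocol"), int(p.get("portid")),
                                   st.get("state"), st.get("reason", ""),
                                   name, version, probed))
        hosts.append(host)
    return hosts


def unverified_services(host):
    """Non-closed ports whose service name is only a table guess: candidates for a targeted -sV."""
    return [p for p in host.ports if p.state != "closed" and not p.probed]


def report(hosts):
    lines = []
    for h in hosts:
        lines.append(f"{h.address} ({h.hostname or 'no PTR'}) is {h.status}; {h.not_shown}")
        for p in h.ports:
            flag = "" if p.probed else "  [unverified]"
            lines.append(f"  {p.number}/{p.proto:<4} {p.state:<9} {p.reason:<12} "
                         f"{p.service:<10} {p.version}{flag}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(parse_nmap_xml(SAMPLE_XML)))
```

The `[unverified]` flag is the practical payoff: in the sample, 8080/tcp is filtered and its "http-proxy" label came from the port-number table, so nothing has established what (if anything) is behind it. Feeding real `-oX` files through this gives an inventory that records both the state and the evidence for it.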

Understanding Port States

OPEN

A service is actively listening and accepting connections (TCP) or datagrams (UDP) on the port

CLOSED

The port is reachable (the host answered with an RST, or an ICMP port-unreachable for UDP) but no service is listening on it

FILTERED

A firewall, filter, or other network obstacle is dropping the probe or answering with an ICMP error, so Nmap cannot tell whether a service is behind it

UNFILTERED

The port is reachable but Nmap cannot tell whether it is open or closed; only the ACK scan (-sA), which tests whether a firewall is stateful rather than whether a service is listening, produces this state

OPEN|FILTERED

Nmap cannot tell whether the port is open or filtered because the probe drew no response; typical of UDP, FIN, NULL and Xmas scans, where open ports are also silent

CLOSED|FILTERED

Nmap cannot tell whether the port is closed or filtered; only the IP ID idle scan (-sI) produces this state
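The scan-type descriptions above and the state definitions here are two views of the same decision rules: which reply (SYN-ACK, RST, ICMP error, UDP data, or silence after retransmission) Nmap maps to which state for a given probe type. The following is an added example, not Nmap's code: it encodes those rules from the Nmap reference guide for SYN, connect, UDP and ACK scans, models replies as tuples so it runs offline, and reproduces the "Not shown" collapsing seen in the output section. The responses in `constructed_syn_scan` are made up for illustration.

```python
"""Infer Nmap port states from probe responses.

Added example for this page, not Nmap's code. Replies are modelled as
(Resp, icmp_code) tuples instead of packets; the sample scan is constructed.
"""
from collections import Counter
from enum import Enum


class Resp(Enum):
    SYN_ACK = "syn-ack"
    RST = "reset"
    UDP_REPLY = "udp-response"
    ICMP_UNREACH = "icmp-unreachable"  # paired with the ICMP type-3 code
    NONE = "no-response"


# ICMP destination-unreachable (type 3) codes Nmap maps to "filtered":
# 0 net, 1 host, 2 protocol, 3 port, 9/10 admin-prohibited, 13 admin-filtered.
# For UDP, code 3 (port unreachable) is instead the one positive signal for "closed".
ICMP_FILTERED_CODES = {0, 1, 2, 3, 9, 10, 13}

SCAN_TYPES = ("syn", "connect", "udp", "ack")


def infer_state(scan, responses):
    """Return the Nmap state string for one port.

    scan: 'syn' (-sS), 'connect' (-sT), 'udp' (-sU) or 'ack' (-sA).
    responses: replies to the probe and its retransmissions, in order.
    Nmap acts on the first decisive reply; a port that only ever times out
    gets the scan type's "silence" verdict.
    """
    if scan not in SCAN_TYPES:
        raise ValueError(f"unknown scan type {scan!r}")
    for resp, code in responses:
        if resp is Resp.NONE:
            continue  # timed out; Nmap retransmits and waits again
        if resp is Resp.ICMP_UNREACH:
            if code not in ICMP_FILTERED_CODES:
                continue  # other ICMP errors do not change the state
            if scan == "udp" and code == 3:
                return "closed"  # host is there, nothing listens on the port
            return "filtered"
        if scan in ("syn", "connect"):
            if resp is Resp.SYN_ACK:
                return "open"
            if resp is Resp.RST:
                return "closed"
        elif scan == "udp" and resp is Resp.UDP_REPLY:
            return "open"
        elif scan == "ack" and resp is Resp.RST:
            return "unfiltered"  # an RST proves nothing stateful dropped the ACK
    # Silence after every retransmission.
    if scan == "udp":
        return "open|filtered"  # open UDP services commonly ignore empty probes
    return "filtered"


def summarize(scan, port_responses):
    """Mimic Nmap's report: collapse the dominant state into a 'Not shown'
    line and return the remaining ports individually."""
    states = {port: infer_state(scan, r) for port, r in port_responses.items()}
    common_state, count = Counter(states.values()).most_common(1)[0]
    shown = {p: s for p, s in sorted(states.items()) if s != common_state}
    return shown, f"Not shown: {count} {common_state} ports"


def constructed_syn_scan():
    """Constructed replies for a SYN scan of ports 1-999 plus 8080 (1000 ports;
    Nmap's real default list is the 1000 most common ports, not a range)."""
    responses = {p: [(Resp.RST, None)] for p in range(1, 1000)}
    for p in (22, 80, 443):
        responses[p] = [(Resp.SYN_ACK, None)]
    responses[8080] = [(Resp.NONE, None), (Resp.NONE, None)]  # dropped by a firewall
    return responses


if __name__ == "__main__":
    shown, not_shown = summarize("syn", constructed_syn_scan())
    print(not_shown)
    for port, state in shown.items():
        print(f"{port}/tcp\t{state}")
```

The UDP branch is the one worth studying: the only way a UDP port is ever reported closed is an ICMP port-unreachable, which is exactly the message hosts rate-limit, so a UDP scan spends most of its time waiting for errors that arrive one per second.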

Security and Legal Considerations

⚠️ Legal Requirements
  • Authorization: Only scan networks you own or have explicit written permission to scan
  • Compliance: Ensure scanning complies with local laws and regulations
  • Corporate Policy: Follow your organization's security testing policies
  • Service Providers: Check with ISP/cloud provider terms of service
🛡️ Detection Avoidance
  • Timing: Use -T0 (paranoid) through -T5 (insane) to pick a timing template, or --max-rate and --scan-delay for explicit limits; slow scans are less likely to trip threshold-based IDS rules but take far longer
  • Source Ports: --source-port (-g) sets the source port; this only helps against stateless filters that blindly trust ports such as 53 or 20
  • Decoy Scans: -D spoofs additional source addresses so the real scanner hides among them; your real address still sends probes, and the decoy hosts should be up or you risk SYN-flooding the target
  • Fragment Packets: -f splits probes into small IP fragments to confuse simple filters; it only applies to raw-packet scans (not -sT), and stateful firewalls and IDS reassemble fragments before inspection
🎯 Best Practices
  • Start Small: Begin with single hosts and a few ports before scanning whole networks
  • Document Everything: Keep logs of what you scan and when; -oA <basename> writes normal, XML and grepable output in one run, and --reason records why each port got its state
  • Rate Limiting: Use --max-rate or a slower -T template so the scan cannot overwhelm fragile targets such as printers and embedded devices
  • Scope Definition: Clearly define what's in and out of scope, and pass excluded hosts with --exclude or --excludefile so they can never be hit by accident
🧪 Safe Testing Environment

Test Target: scanme.nmap.org

This is an official Nmap test server that welcomes scanning for educational purposes. The project asks that you keep it to a few scans a day and never use it to test brute-force or denial-of-service tools.
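The scope, logging and rate-limiting practices above are easier to enforce in a wrapper than to remember under time pressure. The following is an added example, not a feature of Nmap or of this page's command builder: every target is checked against an authorised allow-list and an exclusion list before a command line is produced, hostnames are rejected because they cannot be checked against the scope, the rate is capped, and `-oA` output is always written under a timestamped basename. The `ALLOWED` and `EXCLUDED` networks are constructed for illustration; `OutOfScopeError` and `build_nmap_command` are names chosen for this example.

```python
"""Build an Nmap command line that cannot leave the authorised scope.

Added example for this page, not an Nmap feature. ALLOWED/EXCLUDED are a
constructed scope; it executes nothing, it only returns the argv to run.
"""
import ipaddress
import shlex
from datetime import datetime, timezone


class OutOfScopeError(ValueError):
    """Raised when any requested target is not covered by the authorisation."""


def parse_scope(entries):
    """Accept single hosts or CIDR blocks; returns ip_network objects."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def in_scope(target, allowed, excluded):
    """True only if the whole target range sits inside one allowed block and
    overlaps no excluded block. Checking the whole range matters: a /24 that
    merely touches the scope would otherwise drag out-of-scope hosts along.
    Hostnames are rejected, since a name cannot be checked against a scope."""
    try:
        net = ipaddress.ip_network(target, strict=False)
    except ValueError:
        return False
    if any(net.version == ex.version and net.overlaps(ex) for ex in excluded):
        return False
    return any(net.version == al.version and net.subnet_of(al) for al in allowed)


def build_nmap_command(targets, allowed, excluded=(), scan="-sS", ports=None,
                       max_rate=100, timing="-T3", basename_prefix="scan", now=None):
    """Return argv for an authorised scan or raise OutOfScopeError.

    Every run gets --reason (evidence for each state) and -oA with a UTC
    timestamp, so the record of what was scanned and when is never optional.
    """
    bad = [t for t in targets if not in_scope(t, allowed, excluded)]
    if bad:
        raise OutOfScopeError(f"targets outside authorised scope: {bad}")
    stamp = (now or datetime.now(timezone.utc)).strftime("%Y%m%dT%H%M%SZ")
    argv = ["nmap", scan, timing, "--max-rate", str(max_rate), "--reason",
            "-oA", f"{basename_prefix}-{stamp}"]
    if ports:
        argv += ["-p", ports]
    return argv + list(targets)


# Constructed scope: two authorised blocks and one host that must never be touched.
ALLOWED = parse_scope(["192.168.1.0/24", "10.0.5.0/28"])
EXCLUDED = parse_scope(["192.168.1.250"])


if __name__ == "__main__":
    fixed = datetime(2024, 1, 15, 10, 30, tzinfo=timezone.utc)
    ok = build_nmap_command(["192.168.1.1", "10.0.5.0/28"], ALLOWED, EXCLUDED,
                            ports="22,80,443", now=fixed)
    print(shlex.join(ok))
    try:
        build_nmap_command(["192.168.1.0/24"], ALLOWED, EXCLUDED)
    except OutOfScopeError as err:
        print("refused:", err)  # the /24 overlaps the excluded host
```

Pair the argv with `--excludefile` if the exclusion list lives in a file the whole team shares; the point of doing the check in code is that the refusal happens before a single packet leaves the machine.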

Knowledge Check

Question: What is the difference between -sS and -sT?

Answer: -sS (SYN scan) is a stealth scan that doesn't complete the TCP handshake, so the target application never sees a connection; it is less detectable at the application level but requires root privileges. -sT (TCP connect scan) completes the full handshake, so it is logged like any other client connection, but it works without root privileges.

Question: Why is UDP scanning necessary?

Answer: UDP scanning is essential for discovering services that use the UDP protocol, such as DNS (port 53), DHCP (ports 67/68), SNMP (port 161), and NTP (port 123). These services won't be detected by TCP scans.

Question: What does a filtered port mean?

Answer: A filtered port indicates that a firewall, packet filter, or other network obstacle is blocking access to the port. Nmap cannot determine whether the port is open or closed because the probe is dropped or answered with an ICMP error rather than the SYN-ACK or RST a reachable port would return.