Nmap Scanning Guide
Understanding the nuances of network scanning is a core skill in security work. Nmap is a versatile and powerful tool that offers a wide range of scanning options, from simple reconnaissance to evasion techniques. This guide covers a reasonably comprehensive list of common Nmap use cases you are likely to encounter while performing penetration tests.
Nmap Basics
Nmap has a host (no pun intended) of utilities for learning about the state of a running server. In particular, it can provide granular details (where possible) along the following four dimensions:
- Open ports and services
- Specific versions of the services
- Information about the services (things like headers, banners, etc)
- The host OS of the server
By default, Nmap scans the top 1000 ports. In some cases this can take a while, especially when the connection to the server is slow. You can speed it up with a fast scan, denoted by -F, which scans the top 100 ports instead of the top 1000. If you need to cut the time back further, use the --top-ports flag, which lets you specify an integer number of top ports (e.g. --top-ports=10). Our comprehensive tool, Reaper, which we plan to open source soon, can improve scan times by up to 90% with our optimized scanning routines.
When run as root, Nmap defaults to the SYN scan (-sS), which requires raw-socket access. Without root, it falls back to the TCP connect scan (-sT). A scanned port is reported in one of six states:
Port States
| State | Description |
|-----------------|-----------------------------------------------------------------------------------------|
| open | An application accepted the TCP connection or UDP datagram |
| closed | Reachable, but nothing is listening (a TCP RST was received) |
| filtered | A firewall or filter blocks the probe, so Nmap cannot tell whether the port is open |
| unfiltered | Reachable, but open/closed cannot be determined; only reported by ACK scans |
| open\|filtered | No response, so open and filtered cannot be distinguished (UDP, FIN, NULL, Xmas scans) |
| closed\|filtered | Closed and filtered cannot be distinguished; only reported by the idle (IP ID) scan |
Scanning
Timings and Speedups
If we use -p-, Nmap checks all 65,535 ports. The speedups are -F (top 100) and --top-ports=10 (top 10). A timing template such as -T4 or -T5 returns results more quickly, at the cost of accuracy on slow or lossy links. For long scans, --stats-every=5s prints consistent progress updates; in an interactive session you can also press the space bar (or any key) to print the current status.
Finding All TCP Ports
Running without Root
nmap -sT -p- -T4 $target
Running with Root
sudo nmap -sS -p- -T4 $target
Evasive TCP Scans
sudo nmap -sA -p- -T4 $target
Note that an ACK scan never reports a port as open; it only classifies ports as filtered or unfiltered, which makes it useful for mapping firewall rules rather than for finding listening services.
Finding All UDP Ports
You'll almost always want to restrict the number of ports, or have an educated guess of the list. Otherwise this will take an eternity.
sudo nmap -sU -F -T4 $target
Evasion Techniques
Using Decoys
To mask your scanning IP, Nmap supports decoy options, which muddy the picture for IDS/IPS by making the scan appear to come from multiple IPs at once (here, five random decoys alongside your own address).
sudo nmap $target -sS -D RND:5
Alternate Port Evasion
By sourcing packets from ports commonly used for DNS or HTTP traffic (53, 80), you can slip past firewalls whose rules trust traffic originating from those source ports.
sudo nmap $target -sS --source-port 80
Packet Traced Scan
Useful for seeing exactly which packets Nmap sends and receives, and therefore how the target responds to them. The -Pn, -n and --disable-arp-ping flags skip host discovery, DNS resolution and the ARP ping, so the trace contains only the scan probes themselves.
sudo nmap $target --packet-trace -Pn -n --disable-arp-ping
Version Detection
This helps identify the exact software and version running on open ports.
sudo nmap $target -sV
Leveraging Proxies
If you need to use a proxy, Nmap supports HTTP and SOCKS4 proxies out of the box.
nmap --proxies http://127.0.0.1:8080 $target
Be aware that, in current releases, only version detection and NSE traffic is relayed through the proxy; host discovery, the port scan itself and OS detection are not.
General Scanning Flags
| Flag | Description |
|--------------|--------------------------------------------------------|
| --reason | Show why each port was put in its reported state |
| -oA | Save output in all three formats (normal, XML, grepable) |
| -PE | ICMP echo request ping for host discovery |
| -sn | Host discovery only (no port scan) |
| -S | Spoof the source address |
| -O | OS detection |
| -e | Use the specified network interface |
Scripting Engine
The Nmap Scripting Engine (NSE) lets you write and run Lua scripts that add purpose-specific functionality to a scan.
Default Scripts
sudo nmap -sC $target
Specific Category
sudo nmap --script <category> $target
Specific Script
sudo nmap --script <script_name>,... $target
All the scripts are located in /usr/share/nmap/scripts/ on Kali. Do not include the .nse extension.
Aggressive Scan
sudo nmap -A $target
“Screw It, Light it up!”
Want to scan everything?
sudo nmap -A -T5 --script auth,broadcast,brute,default,discovery,dos,exploit,external,fuzzer,intrusive,malware,safe,version,vuln -p- $target
This will light up every alarm possible — use with caution!
Outputting Results
It’s good practice to store and label your results to avoid confusion.
Save to XML
sudo nmap -sS -p- -T4 -oX scan-$target-syn.xml --reason $target
Convert to HTML
xsltproc scan-$target-syn.xml -o scan-$target-syn.html
This relies on the stylesheet reference embedded in the XML (nmap.xsl, installed alongside Nmap). If that file is not present on the machine doing the conversion, generate the XML with --webxml so the reference points at the copy hosted on nmap.org.
Label your files clearly and avoid overwriting, especially in multi-host environments.
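Once a scan is saved with -oX, parsing the XML is the reliable way to turn it into an inventory rather than eyeballing terminal output. The following is an added example, not code from the original guide: it uses Python's standard xml.etree over a constructed, trimmed sample of -oX output, keeps the --reason field from the port-state table above, and separates confirmed-open ports from the ambiguous open|filtered results that need a follow-up probe.

```python
import xml.etree.ElementTree as ET

# Constructed sample of Nmap -oX output, trimmed to the elements this parser reads.
SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -sS -sU -sV --reason -oX scan.xml 192.0.2.10">
  <host>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="8.9p1"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
        <service name="http" product="nginx" version="1.18.0"/></port>
      <port protocol="tcp" portid="443"><state state="filtered" reason="no-response"/></port>
      <port protocol="udp" portid="161"><state state="open|filtered" reason="no-response"/>
        <service name="snmp"/></port>
    </ports>
  </host>
</nmaprun>
"""

def parse_nmap_xml(xml_text):
    """Flatten -oX output into one record per port, keeping the --reason field."""
    records = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address[@addrtype='ipv4']").get("addr")
        for port in host.iter("port"):
            state = port.find("state")
            svc = port.find("service")
            # Join name/product/version as -sV reports them; fields -sV could not fill are skipped.
            service = ""
            if svc is not None:
                service = " ".join(v for v in (svc.get(k) for k in ("name", "product", "version")) if v)
            records.append({
                "host": addr, "proto": port.get("protocol"), "port": int(port.get("portid")),
                "state": state.get("state"), "reason": state.get("reason"), "service": service,
            })
    return records

def ambiguous_ports(records):
    """Ports Nmap could not classify (open|filtered, closed|filtered): these need a
    follow-up probe (e.g. -sV or a service-specific NSE script) before being reported."""
    return [r for r in records if "|" in r["state"]]

def open_services(records):
    """(host, proto, port, service) tuples for confirmed-open ports: the inventory a
    defender compares against the expected exposure for that host."""
    return [(r["host"], r["proto"], r["port"], r["service"]) for r in records if r["state"] == "open"]
```

Point parse_nmap_xml at the contents of a real scan-$target-syn.xml file to get the same records for a live scan.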
