Me

Network Scanning and Enumeration with Nmap

Discover essential Nmap commands, from basic network scans to advanced stealth techniques, and learn how to perform real-world security audits effectively.

Nmap (Network Mapper) is a powerful, versatile, and widely-used open-source tool for network exploration and security auditing. It enables administrators and security professionals to identify active hosts, open ports, running services, and even underlying operating systems within a network.

Below, we’ll start from basic usage and progressively explore more advanced techniques.

What is Nmap?

Nmap is an open-source tool used for network discovery, security auditing, and service enumeration. It allows users to identify live hosts, open ports, running services, and even operating system versions. Nmap is used by system administrators, penetration testers, and cybersecurity professionals to secure networks and identify vulnerabilities.

đź”— Official Nmap Documentation: https://nmap.org/docs.html

Beginner Level: Basic Host Discovery

At its simplest form, Nmap checks if a host is up and reachable.

nmap 192.168.1.1
  • What happens here?
    • Nmap sends ICMP echo requests (ping) and TCP SYN packets to common ports (like 80 and 443) to identify if the host responds, thus determining if it’s “alive.”
  • Output Example:
Starting Nmap 7.94 ( https://nmap.org ) at 2025-03-13 11:00 EST
Nmap scan report for 192.168.1.1
Host is up (0.0020s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE
80/tcp open  http
443/tcp open https

Intermediate Level: Port and Service Enumeration

To scan all 65535 ports on a host:

nmap -p- 192.168.1.1
  • Explanation:
    • -p- scans all ports (from 1 to 65535).
    • Useful for comprehensive enumeration, discovering services listening on unusual or non-standard ports.

To identify the exact services and their versions:

nmap -sV 192.168.1.1
  • Explanation:
    • -sV triggers service/version detection.
    • Nmap tries to identify the service and the exact version running behind open ports.
  • Output Example:
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.6 (protocol 2.0)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))

Intermediate Level: OS Detection and TTL Analysis

Nmap can fingerprint operating systems based on various network responses.

nmap -O 192.168.1.1

Explanation:

  • -O enables OS detection by examining packet responses.
  • TTL (Time To Live) values are often helpful indicators:
    • Windows hosts typically respond with TTL around 128.
    • Linux hosts typically have TTL values around 64.
    • Network devices (routers, firewalls) often have TTL values around 255.
  • Example Analysis (Windows Host Detection via TTL): If a ping reply shows:
Reply from 192.168.1.1: bytes=32 time<1ms TTL=128
  • TTL=128 strongly suggests the host is running Windows.

Advanced Level: Aggressive Scan

An aggressive scan combines service detection, OS detection, and default scripts:

nmap -A 192.168.1.1
  • Explanation of flags:
    • -A: Aggressive mode (includes OS detection, service detection, version detection, traceroute, and script scanning).
    • When to use:
      • Useful in penetration tests or security assessments for a detailed overview quickly.

    Advanced Level: Scripted Scanning (NSE)

    Nmap includes the powerful Nmap Scripting Engine (NSE), which allows deeper enumeration, vulnerability detection, and exploit potential.

    Example: Check for common vulnerabilities:

    nmap --script vuln 192.168.1.1
    • Explanation:
      • Runs built-in scripts designed to detect vulnerabilities.
    • Example: Enumerate SMB shares:
    nmap --script smb-enum-shares 192.168.1.1
    • Useful for:
      • Gathering detailed information on Windows networks.

      Advanced Level: Stealth Scans (SYN Scanning)

      For scanning quietly (less detectable by firewalls):

      nmap -sS 192.168.1.1
      • Explanation:
        • -sS: TCP SYN stealth scan, doesn’t complete TCP handshakes, reducing logs and firewall detection.

        Useful Tips for Effective Nmap Usage:

        • Always run scans with permission—only scan networks and devices you own or have explicit authorization to test.
        • Adjust timing (-T0 to -T5) to be less noisy (-T0) or quicker (-T4 or -T5) based on requirements.
        • Export scans to files (-oN, -oX, -oA) for later analysis.

        Conclusion

        From simple host detection to complex vulnerability scanning, mastering Nmap equips you with an essential skill for network security and penetration testing. Understanding each command and option helps you approach network enumeration systematically, effectively, and responsibly.

        Stay In Touch.

        Let's Get Creative.