This is the core reason why Nmap was created, and remains one of the top uses. Called host discovery, Nmap will identify the types of devices actively using scanned ports. This includes servers, routers, switches and other devices. Users can also see how those devices are connected, and how they link together to form a network map.

b. Port Rules Discovery

Nmap can easily tell, even with a low-level scan, if a port is open or closed by something like a firewall. In fact, many IT professionals use Nmap to check their work when programming firewalls. They can see if their policies are having the desired effect, and if their firewalls are working properly.

c. Shadow IT Hunting

Because Nmap discovers the type and location of devices on a network, it can be used to identity things that should not be there at all. These devices are called shadow IT because their presence on a network isn’t officially authorized, or sometimes may be intentionally hidden. Shadow IT can be dangerous because such devices are not part of a security audit or program.

d. Operating System Detection:

Nmap can discover the types of operating systems running on discovered devices in a process called OS fingerprinting. This generally returns information about the name of the vendor of the device (Dell, HP, etc.) and the operating system. With a deeper Nmap scan, you can even discover things like the patch level of the OS and the estimated uptime of the device.

e. Service Discovery

The ability to discover services elevates Nmap above the level of a common mapping tool. Instead of simply discovering that a device exists, users can trigger a deeper scan in order to find out what roles discovered devices are performing. This includes identifying if they are acting as mail server, a web server, a database repository, a storage device or almost anything else. Depending on the scan, Nmap can also report on which specific applications are running, and what version of those applications are being used.

f. Vulnerability Scanning

Nmap is not a dedicated vulnerability scanning tool in that it does not maintain a database of known vulnerabilities or any kind of artificial intelligence that could identify potential threats. However, organizations that regularly ingest security information from threat feeds or other sources can use Nmap to check their susceptibility to specific threats.

Nmap Installation

Nmap will be default installed in Kali Linux Operating System

To install NMAP on Ubuntu, run the command:

The system prompts you to confirm and continue by typing y and pressing Enter.

⁠

example of installing nmap on Ubuntu command

⁠

After confirming, the installation runs its course.

To verify the installation was successful and to determine the current version of Nmap:

The output provides detailed information about Nmap. In this example, the version installed on Ubuntu is 7.60.

⁠

⁠

Nmap Commands in Kali Linux

Syntax: nmap <scan type> <options> <target>

Target Selection

Target Selection

S.No

Target Selection

Command Syntax

POC

Scan a single IP

nmap 192.168.20.128

https://www.yeahhub.com/wp-content/uploads/2018/11/nmap_useful_commands-1.png

Scan a host

nmap www.example.com

https://www.yeahhub.com/wp-content/uploads/2018/11/nmap_useful_commands-2.png

Scan a range of IPs

nmap 192.168.20.120-128

https://www.yeahhub.com/wp-content/uploads/2018/11/nmap_useful_commands-3.png

Scan a subnet

nmap 192.168.20.2/24

https://www.yeahhub.com/wp-content/uploads/2018/11/nmap_useful_commands-4.png

Scan targets from Text file

nmap -iL ips.txt

https://www.yeahhub.com/wp-content/uploads/2018/11/nmap_useful_commands-5.png

There are no rows in this table

⁠

Port Selection

Port Selection

S.No

Target Selection

Command Syntax

POC

Scan a single port

nmap -p 22 192.168.20.128

https://www.yeahhub.com/wp-content/uploads/2018/11/nmap_useful_commands-6.png

Scan a range of ports

nmap -p 1-100 192.168.20.128

https://www.yeahhub.com/wp-content/uploads/2018/11/nmap_useful_commands-7.png

Scan 100 common ports

nmap -F 192.168.20.128

https://www.yeahhub.com/wp-content/uploads/2018/11/nmap_useful_commands-8.png

Scan all ports

nmap -p- 192.168.20.128

https://www.yeahhub.com/wp-content/uploads/2018/11/nmap_useful_commands-9.png

Specify UDP or TCP scan

nmap -p U:137,T:139 192.168.20.128

https://www.yeahhub.com/wp-content/uploads/2018/11/nmap_useful_commands-10.png

There are no rows in this table

⁠

Scan Types

Scan Types

S.No

Target Selection

Command Syntax

POC

Scan using TCP connect

nmap -sT 192.168.20.128

https://www.yeahhub.com/wp-content/uploads/2018/11/nmap_useful_commands-11.png

Scan using TCP SYN scan

nmap -sS 192.168.20.128

https://www.yeahhub.com/wp-content/uploads/2018/11/nmap_useful_commands-12.png

Scan UDP ports

nmap -sU -p 123,161,162 192.168.20.128

https://www.yeahhub.com/wp-content/uploads/2018/11/nmap_useful_commands-13.png

Scan Selected ports (Ignore Discovery)

nmap -Pn -F 192.168.20.128

https://www.yeahhub.com/wp-content/uploads/2018/11/nmap_useful_commands-14.png

There are no rows in this table

⁠

Service and OS Detection

Service and OS Detection

S.No

Target Selection

Command Syntax

POC

Detect OS and Services

nmap -A 192.168.20.128

https://www.yeahhub.com/wp-content/uploads/2018/11/nmap_useful_commands-15.png

Standard service detection

nmap -sV 192.168.20.128

https://www.yeahhub.com/wp-content/uploads/2018/11/nmap_useful_commands-16.png

Aggressive service detection

nmap -sV –version-intensity 5 192.168.20.128

https://www.yeahhub.com/wp-content/uploads/2018/11/nmap_useful_commands-17.png

There are no rows in this table

⁠

Output Formats

Output Formats

S.No

Target Selection

Command Syntax

POC

Save default output to file

nmap -oN result.txt 192.168.20.128

https://www.yeahhub.com/wp-content/uploads/2018/11/nmap_useful_commands-18.png

Save results as XML

nmap -oX resultxml.xml 192.168.20.128

https://www.yeahhub.com/wp-content/uploads/2018/11/nmap_useful_commands-19.png

Save formatted results (Grep)

nmap -oG formattable.txt 192.168.20.128

https://www.yeahhub.com/wp-content/uploads/2018/11/nmap_useful_commands-20.png

Save in all formats

nmap -oA allformats 192.168.20.128

https://www.yeahhub.com/wp-content/uploads/2018/11/nmap_useful_commands-21.png

There are no rows in this table

⁠

Scripting Engine

Scripting Engine

S.No

Target Selection

Command Syntax

POC

Scan using default safe scripts

nmap -sV -sC 192.168.20.128

https://www.yeahhub.com/wp-content/uploads/2018/11/nmap_useful_commands-22.png

Get help for a script

nmap –script-help=ssl-heartbleed

https://www.yeahhub.com/wp-content/uploads/2018/11/nmap_useful_commands-23.png

Scan using a specific script

nmap -sV -p 443 -script=ssl-heartbleed 192.168.20.133

https://www.yeahhub.com/wp-content/uploads/2018/11/nmap_useful_commands-24.png

Update script database

nmap –script-updatedb

https://www.yeahhub.com/wp-content/uploads/2018/11/nmap_useful_commands-25.png

There are no rows in this table

⁠

Some Useful NSE Scripts

Some Useful NSE Scripts

S.No

Target Selection

Command Syntax

POC

Scan for UDP DDOS reflectors

nmap -sU -A -PN -n -pU:19,53,123,161 -script=ntp-monlist,dns-recursion,snmp-sysdescr 192.168.20.2/24

https://www.yeahhub.com/wp-content/uploads/2018/11/nmap_useful_commands-26.png

Gather page titles from HTTP Servers

nmap –script=http-title 192.168.20.128

https://www.yeahhub.com/wp-content/uploads/2018/11/nmap_useful_commands-27.png

Get HTTP headers of web services

nmap –script=http-headers 192.168.20.128

https://www.yeahhub.com/wp-content/uploads/2018/11/nmap_useful_commands-28.png

Find web apps from known paths

nmap –script=http-enum 192.168.20.128

https://www.yeahhub.com/wp-content/uploads/2018/11/nmap_useful_commands-29.png

Find exposed Netbios servers

nmap -sU –script nbtstat.nse -p 137 192.168.20.128

https://www.yeahhub.com/wp-content/uploads/2018/11/nmap_useful_commands-30.png

There are no rows in this table

⁠

Want to print your doc?
This is not the way.

Try clicking the ⋯ next to your doc name or using a keyboard shortcut (

CtrlP

) instead.