Nmap Deep Notes

The document provides an in-depth guide to Nmap, a network discovery and security auditing tool created by Gordon Lyon in 1997. It covers various aspects of Nmap including host discovery, port scanning techniques, version detection, saving scan results, and advanced techniques for optimizing scans. Key commands and flags for different scanning methods are also detailed throughout the document.

Uploaded by kp.admob

N-MAP.md 2025-01-06

Nmap Deep Notes


Index
1. Introduction to Nmap
2. Host Discovery
   - Specifying Targets
   - -sn Ping Scan
   - Additional Tips for Host Discovery
   - -sL List Scan
3. Port Scanning
   - TCP Scans
     - -sT Full TCP Connect Scan
     - -sS SYN Stealth Scan
   - UDP Scans
     - -sU UDP Scan
   - Limiting Target Ports
4. Version Detection
   - Techniques: -sV, -A
5. Saving Scan Results
6. Advanced Techniques
   - Timing and Performance
   - Verbose and Debugging Modes
7. Summary Table

Introduction to Nmap

| Attribute | Details |
|---|---|
| Name | Nmap (Network Mapper) |
| Created By | Gordon Lyon (Fyodor) |
| First Released | 1997 |
| Primary Use | Network discovery, security auditing |

Short History:

Nmap was first released in 1997 and has become one of the most widely used network exploration and
security auditing tools. It helps security professionals assess the status of networks, services, and hosts by
scanning for live devices, open ports, and service versions.

K.H.Patil


Host Discovery
Specifying Targets

You can specify the target(s) for a scan in the following ways:

| Type | Example |
|---|---|
| Specific IP Address | 192.168.1.1 |
| Range of IPs | 192.168.1.1-50 |
| Subnet | 192.168.1.0/24 |

Example Command:

nmap 192.168.1.0/24

-sn Ping Scan

The -sn option performs a ping scan, which only checks for live hosts without scanning ports. The scan uses
different methods depending on the network environment.

| Environment | Actions Taken |
|---|---|
| Local Network | Sends ARP requests to identify live hosts. |
| Remote Network (WAN) | Sends ICMP Echo Requests, TCP SYN packets to port 443, and TCP ACK packets to port 80 to identify live hosts. |

| Probe | Description |
|---|---|
| ICMP Echo | Sends Type 8 (Echo Request) |
| TCP SYN | Sends SYN packet to port 443 |
| TCP ACK | Sends ACK packet to port 80 |

Example Command:

nmap -sn 192.168.1.0/24

Additional Tips for Host Discovery

The discovery-probe flags use an uppercase P (-PS, -PA, -PU); lowercase -p is the port-selection option and would be misread.

| Flag | Purpose | Example |
|---|---|---|
| -PS | TCP SYN-based host discovery | nmap -sn -PS22,443 192.168.1.0/24 |
| -PA | TCP ACK-based host discovery | nmap -sn -PA80 192.168.1.0/24 |
| -PU | UDP-based host discovery | nmap -sn -PU161 192.168.1.0/24 |

-sL List Scan

The -sL option performs a list scan, where Nmap only lists the targets without sending any probes to them
(it still performs reverse-DNS lookups unless -n is added). This is useful for checking which hosts a target
specification expands to before actually scanning them.

Example Command:

nmap -sL 192.168.1.0/24

Port Scanning
TCP Scans

-sT Full TCP Connect Scan

A Full TCP Connect Scan (-sT) attempts to complete the three-way TCP handshake (SYN, SYN-ACK, ACK) to
detect open ports.

| Port State | Description |
|---|---|
| Open | Completes the 3-way handshake |
| Closed | Responds with a TCP RST (reset) |

Command Example:

nmap -sT 192.168.1.1

Top 10 TCP Ports for -sT Scan

| Port | Service |
|---|---|
| 22 | SSH |
| 80 | HTTP |
| 443 | HTTPS |
| 21 | FTP |
| 25 | SMTP |
| 110 | POP3 |
| 143 | IMAP |
| 3306 | MySQL |
| 3389 | RDP |
| 53 | DNS |

-sS SYN Stealth Scan

A SYN Stealth Scan (-sS) sends a SYN packet to the target port and waits for a response. If the port is open,
the target responds with a SYN-ACK, and Nmap then sends a RST instead of the final ACK. The connection is
never fully established, which makes the scan harder to detect for applications that only log completed
connections. Because it crafts raw packets, -sS requires root (raw-socket) privileges; without them Nmap
falls back to -sT.

| Port State | Description |
|---|---|
| Open | Sends SYN-ACK response |
| Closed | Sends RST (reset) response |

Command Example:

nmap -sS 192.168.1.1

Top 10 TCP Ports for -sS Scan

| Port | Service |
|---|---|
| 22 | SSH |
| 80 | HTTP |
| 443 | HTTPS |
| 21 | FTP |
| 25 | SMTP |
| 110 | POP3 |
| 143 | IMAP |
| 3306 | MySQL |
| 3389 | RDP |
| 53 | DNS |

UDP Scans


-sU UDP Scan

A UDP Scan (-sU) detects open UDP ports by sending a UDP packet and awaiting a response. Open UDP ports
may respond with a valid message, while closed ports usually reply with an ICMP port unreachable message.
Many open services simply ignore an unexpected datagram, so silence is ambiguous: Nmap reports a port that
never answers as open|filtered rather than open. UDP scans are also slow, because hosts rate-limit ICMP
errors and Nmap must wait out each timeout.

| Port State | Description |
|---|---|
| Open | Receives a UDP response, or no response at all (reported as open/filtered, depending on the service) |
| Closed | Receives an ICMP Type 3 (Destination Unreachable) response |

Command Example:

nmap -sU 192.168.1.1

Top 10 UDP Ports for -sU Scan

| Port | Service |
|---|---|
| 53 | DNS |
| 67 | DHCP |
| 68 | DHCP |
| 69 | TFTP |
| 123 | NTP |
| 161 | SNMP |
| 162 | SNMP Trap |
| 500 | ISAKMP |
| 514 | Syslog |
| 33434 | Traceroute |

Limiting Target Ports

By default, Nmap scans the top 1000 ports. You can limit the scan to specific ports using options like -F (fast
scan) or -p (range/specific ports).

| Option | Purpose | Example |
|---|---|---|
| -F | Scans only the top 100 ports | nmap -F 192.168.1.1 |
| -p | Specifies ports to scan | nmap -p 22,80,443 192.168.1.1 |

Version Detection


What is it?

Version detection (-sV) allows Nmap to detect versions of services running on open ports. This can help
identify vulnerabilities and misconfigurations.

Why is it useful?

- Helps identify outdated software versions.
- Enables the detection of potential vulnerabilities in specific services.

How to use it?

| Flag | Purpose |
|---|---|
| -sV | Service and version detection |
| -A | Aggressive scan (enables -sV together with OS detection, default NSE scripts and traceroute) |
| -Pn | Skip host discovery (treat every target as up; useful when ping probes are blocked) |

Example Command:

nmap -sV 192.168.1.1

Saving Scan Results


What is it?

Saving scan results is important for record-keeping, further analysis, or generating reports. Nmap provides
several output formats.

| Flag | Format | Purpose |
|---|---|---|
| -oN | Normal | Saves plain-text human-readable output |
| -oX | XML | Saves machine-readable structured XML format |
| -oG | Grepable | Saves grep-friendly plain-text format |
| -oA | All formats | Saves results in all available formats simultaneously |

Command Examples:

1. Save output in human-readable text:

nmap -oN output.txt 192.168.1.1

2. Save output in XML:


nmap -oX output.xml 192.168.1.1

3. Save all formats (the argument is a basename; this writes results.nmap, results.xml and results.gnmap):

nmap -oA results 192.168.1.1
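Because -oX is the format intended for tooling, here is an added example (my own code, not part of these notes) that parses two Nmap XML files and reports which ports opened or closed between a baseline and a later scan, the check a defender runs after a change window. The XML is a constructed sample that follows the real -oX layout (nmaprun, host, status, address, ports, port, state, service).

```python
"""Parse Nmap -oX (XML) output and diff two scans for newly opened ports."""
import xml.etree.ElementTree as ET

# Constructed sample Nmap XML (not real scan data), trimmed to the elements used here.
BASELINE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sV -oX baseline.xml 192.168.1.1">
 <host><status state="up" reason="arp-response"/>
  <address addr="192.168.1.1" addrtype="ipv4"/>
  <ports>
   <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
    <service name="ssh" product="OpenSSH" version="8.9p1"/></port>
   <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
    <service name="http" product="nginx"/></port>
  </ports></host></nmaprun>"""

CURRENT_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sU -sV -oX current.xml 192.168.1.1">
 <host><status state="up" reason="arp-response"/>
  <address addr="192.168.1.1" addrtype="ipv4"/>
  <ports>
   <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
    <service name="ssh" product="OpenSSH" version="8.9p1"/></port>
   <port protocol="tcp" portid="3389"><state state="open" reason="syn-ack"/>
    <service name="ms-wbt-server"/></port>
   <port protocol="udp" portid="161"><state state="open|filtered" reason="no-response"/>
    <service name="snmp"/></port>
  </ports></host></nmaprun>"""

def open_ports(xml_text):
    """Return {(ip, proto, port): (state, service)} for every host that is up."""
    result = {}
    for host in ET.fromstring(xml_text).iter("host"):
        if host.find("status").get("state") != "up":
            continue  # down hosts carry no port data worth keeping
        addr = host.find("address[@addrtype='ipv4']").get("addr")
        for port in host.iter("port"):
            state = port.find("state").get("state")
            if state not in ("open", "open|filtered"):  # UDP no-response shows as open|filtered
                continue
            svc = port.find("service")
            fields = [svc.get(k) for k in ("name", "product", "version")] if svc is not None else []
            key = (addr, port.get("protocol"), int(port.get("portid")))
            result[key] = (state, " ".join(f for f in fields if f))
    return result

def diff_scans(baseline_xml, current_xml):
    """Ports that appeared since the baseline ("new") and ports that vanished ("gone")."""
    base, cur = open_ports(baseline_xml), open_ports(current_xml)
    return {"new": {k: cur[k] for k in cur.keys() - base.keys()},
            "gone": {k: base[k] for k in base.keys() - cur.keys()}}
```

On real files, read each with open(path).read() and feed the text to diff_scans; a non-empty "new" set (here RDP on 3389 and SNMP on 161/udp) is what to investigate.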

Advanced Techniques

Timing and Performance

| Timing Template | Description | Best Use Case |
|---|---|---|
| -T0 | Paranoid | Avoiding detection in highly secure environments. |
| -T1 | Sneaky | Slightly faster but still stealthy. |
| -T2 | Polite | Slow scans for unstable networks. |
| -T3 | Normal | Default for balanced speed and reliability. |
| -T4 | Aggressive | Fast scans, may trigger IDS. |
| -T5 | Insane | Maximum speed, likely to overwhelm targets. |

Command Example:

nmap -T4 192.168.1.1

Verbose and Debugging Modes

| Flag | Description |
|---|---|
| -v | Basic verbosity |
| -vv | More details |
| -vvv | Maximum verbosity |
| -d | Basic debugging |
| -dd | More detailed debugging |

Command Example:


nmap -vv -d 192.168.1.1

Summary Table
| Feature | Purpose | Commands/Flags |
|---|---|---|
| Timing and Performance | Optimizes scan speed and stealth | -T0 to -T5, --min-rate, --max-parallelism |
| Verbose and Debugging | Shows detailed scan progress and packet info | -v, -vv, -d, -dd |
| Saving Scan Results | Stores scan results in reusable formats | -oN, -oX, -oG, -oA |
