Nmap is the most popular port scanner out there – and with good reason. It has a lot of functionality, and you can really tweek it to your needs!
The pitfall with the nmap port scanner however, is that the whole thing can seem a bit daunting at first – there are a lot of options, and it is not easy to know which options to use for different situations.

That is what this nmap tutorial is about – the most used options of the nmap port scanner, as well as when to use them.

Please keep in mind that we’ll only cover the basic use cases of nmap – for further documentation, check out the nmap docs.

If you’re looking to develop your own simple port scanner, check out this article. 😉

Installing nmap

If you already have nmap install, feel free to skip to the next section!
You can also fast forward if you’re running Kali, which provides nmap out-of-the-box. 🙂

The nmap tool is available for all major operating systems – namely Linux, Windows and MacOS. Simply head on over to the nmap download page, and download the correct source / binary.

Many of the popular Linux distributions do also contain the source repository for nmap. Simply type this into your terminal, and hit enter:

sudo apt-get install nmap

If you get an error, don’t worry. Simply download via the nmap download page as described above.

Before we get started with the actual port scanning, you must have an actual IP-address to scan. Since we’re only doing some testing here, your local gateway will do just fine (there might also be some legal implications if you’re scanning external target without permission)

Finding the IP address of your local gateway is a simple task.

On Linux, simply type this into the terminal and hit enter:

ip route | grep default

Similarly on Windows, open up the command prompt and type the following:

ipconfig | findstr /i “Gateway”

Finally, on Mac, you just need to type this into the terminal:

netstat -nr | grep default

Now that we have our target IP, we’re ready to run our first nmap scan.

Default nmap scan

The easiest way to get started with nmap, is to perform the default nmap scan. The command for the default nmap scan is simply nmap [IP-address].

nmap 10.0.0.138

Remember that you’ll have to swap out 10.0.0.138 with the IP address of your local gateway.

Since we’re running this scan on the local network, it should finish quickly. When the scan is done, you’ll see a three-column result listing, where the columns are PORT, STATE and SERVICE.

The PORT column simply shows the port number and protocol.
The STATE shows the current state of that port – typically either OPEN or FILTERED.
Finally, the SERVICE column tells you which service is currently running on the corresponding port – keep in mind that this is only an educated guess from nmap, but it tends to be quite accurate.

The output you got should provide you with some valuable information – namely which ports are open on your local gateway.

The default nmap scan will perform either a CONNECT or SYN scan as default, which can be performed quickly, scanning thousands of ports in a short time span.

As I mentioned earlier, nmap has a lot of options, so let’s have a look at them.

Options for nmap scan

To list out the most common available options for nmap, simply type nmap into your terminal, and hit enter.

Nmap 7.60 ( https://nmap.org )
Usage: nmap [Scan Type(s)] [Options] {target specification}
TARGET SPECIFICATION:
  Can pass hostnames, IP addresses, networks, etc.
  Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
  -iL <inputfilename>: Input from list of hosts/networks
  -iR <num hosts>: Choose random targets
  --exclude <host1[,host2][,host3],...>: Exclude hosts/networks
  --excludefile <exclude_file>: Exclude list from file
HOST DISCOVERY:
  -sL: List Scan - simply list targets to scan
  -sn: Ping Scan - disable port scan
  -Pn: Treat all hosts as online -- skip host discovery
  -PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports
  -PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
  -PO[protocol list]: IP Protocol Ping
  -n/-R: Never do DNS resolution/Always resolve [default: sometimes]
  --dns-servers <serv1[,serv2],...>: Specify custom DNS servers
  --system-dns: Use OS's DNS resolver
  --traceroute: Trace hop path to each host
SCAN TECHNIQUES:
  -sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
  -sU: UDP Scan
  -sN/sF/sX: TCP Null, FIN, and Xmas scans
  --scanflags <flags>: Customize TCP scan flags
  -sI <zombie host[:probeport]>: Idle scan
  -sY/sZ: SCTP INIT/COOKIE-ECHO scans
  -sO: IP protocol scan
  -b <FTP relay host>: FTP bounce scan
PORT SPECIFICATION AND SCAN ORDER:
  -p <port ranges>: Only scan specified ports
    Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080,S:9
  --exclude-ports <port ranges>: Exclude the specified ports from scanning
  -F: Fast mode - Scan fewer ports than the default scan
  -r: Scan ports consecutively - don't randomize
  --top-ports <number>: Scan <number> most common ports
  --port-ratio <ratio>: Scan ports more common than <ratio>
SERVICE/VERSION DETECTION:
  -sV: Probe open ports to determine service/version info
  --version-intensity <level>: Set from 0 (light) to 9 (try all probes)
  --version-light: Limit to most likely probes (intensity 2)
  --version-all: Try every single probe (intensity 9)
  --version-trace: Show detailed version scan activity (for debugging)
SCRIPT SCAN:
  -sC: equivalent to --script=default
  --script=<Lua scripts>: <Lua scripts> is a comma separated list of
           directories, script-files or script-categories
  --script-args=<n1=v1,[n2=v2,...]>: provide arguments to scripts
  --script-args-file=filename: provide NSE script args in a file
  --script-trace: Show all data sent and received
  --script-updatedb: Update the script database.
  --script-help=<Lua scripts>: Show help about scripts.
           <Lua scripts> is a comma-separated list of script-files or
           script-categories.
OS DETECTION:
  -O: Enable OS detection
  --osscan-limit: Limit OS detection to promising targets
  --osscan-guess: Guess OS more aggressively
TIMING AND PERFORMANCE:
  Options which take <time> are in seconds, or append 'ms' (milliseconds),
  's' (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).
  -T<0-5>: Set timing template (higher is faster)
  --min-hostgroup/max-hostgroup <size>: Parallel host scan group sizes
  --min-parallelism/max-parallelism <numprobes>: Probe parallelization
  --min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time>: Specifies
      probe round trip time.
  --max-retries <tries>: Caps number of port scan probe retransmissions.
  --host-timeout <time>: Give up on target after this long
  --scan-delay/--max-scan-delay <time>: Adjust delay between probes
  --min-rate <number>: Send packets no slower than <number> per second
  --max-rate <number>: Send packets no faster than <number> per second
FIREWALL/IDS EVASION AND SPOOFING:
  -f; --mtu <val>: fragment packets (optionally w/given MTU)
  -D <decoy1,decoy2[,ME],...>: Cloak a scan with decoys
  -S <IP_Address>: Spoof source address
  -e <iface>: Use specified interface
  -g/--source-port <portnum>: Use given port number
  --proxies <url1,[url2],...>: Relay connections through HTTP/SOCKS4 proxies
  --data <hex string>: Append a custom payload to sent packets
  --data-string <string>: Append a custom ASCII string to sent packets
  --data-length <num>: Append random data to sent packets
  --ip-options <options>: Send packets with specified ip options
  --ttl <val>: Set IP time-to-live field
  --spoof-mac <mac address/prefix/vendor name>: Spoof your MAC address
  --badsum: Send packets with a bogus TCP/UDP/SCTP checksum
OUTPUT:
  -oN/-oX/-oS/-oG <file>: Output scan in normal, XML, s|<rIpt kIddi3,
     and Grepable format, respectively, to the given filename.
  -oA <basename>: Output in the three major formats at once
  -v: Increase verbosity level (use -vv or more for greater effect)
  -d: Increase debugging level (use -dd or more for greater effect)
  --reason: Display the reason a port is in a particular state
  --open: Only show open (or possibly open) ports
  --packet-trace: Show all packets sent and received
  --iflist: Print host interfaces and routes (for debugging)
  --append-output: Append to rather than clobber specified output files
  --resume <filename>: Resume an aborted scan
  --stylesheet <path/URL>: XSL stylesheet to transform XML output to HTML
  --webxml: Reference stylesheet from Nmap.Org for more portable XML
  --no-stylesheet: Prevent associating of XSL stylesheet w/XML output
MISC:
  -6: Enable IPv6 scanning
  -A: Enable OS detection, version detection, script scanning, and traceroute
  --datadir <dirname>: Specify custom Nmap data file location
  --send-eth/--send-ip: Send using raw ethernet frames or IP packets
  --privileged: Assume that the user is fully privileged
  --unprivileged: Assume the user lacks raw socket privileges
  -V: Print version number
  -h: Print this help summary page.
EXAMPLES:
  nmap -v -A scanme.nmap.org
  nmap -v -sn 192.168.0.0/16 10.0.0.0/8
  nmap -v -iR 10000 -Pn -p 80
SEE THE MAN PAGE (https://nmap.org/book/man.html) FOR MORE OPTIONS AND EXAMPLES

As you can see, there are a lot options.

One of the most used nmap options is the service identification, which is performed by appending -sV after the nmap command.

nmap -sV -p1-65535 10.0.0.1/24 -v

This command will perform a service identification scan against 10.0.0.1 – 10.0.0.255, using either a CONNECT or SYN scan. The choice between CONNECT or SYN is dependent on your privileges – if you have root privileges, it will run a SYN scan, and a CONNECT scan otherwise.
If you’re running Linux, simply type sudo before the scan command to perform the scan with root privileges.

sudo nmap -sV -p1-65535 10.0.0.1/24 -v

The service identification scan will run against port 1 – 65 535, which is defined by the -p option.

The trailing -v option stands for verbose – meaning you’ll get more information output in your console during the scan.

After the scan has finished, nmap will list out the open ports on your scanned targets, as well as which services are running on those ports.
Note that the determination of the service is signature-based. Said in other words, it is only an indication that the service is running on that port.

Difference between CONNECT and SYN scan

As mentioned, the default tcp scan type for nmap is either CONNECT or SYN. But what are the differences?

Before we can understand the differences between those two scans, we need to understand the three way TCP handshake.

When a TCP connection is established between two parties, they have to initialize the connection.
The connection is initialized by performing a handshake, consisting of three parts: SYN, SYN-ACK, and finally ACK.

To understand the TCP handshake, let’s explain it with a basic example; connecting to a web server.

  • Step 1, SYN: The first step of the TCP handshake is SYN step. The client will send a TCP SYN request to the server. In our example, this is done when you navigate to a web site. Your browser will automatically send a TCP SYN request to the web server (ignoring DNS lookup etc).
  • Step 2, SYN-ACK: The server will then respond to the client with a SYN-ACK packet. In the web server example, this means that the web server will send a SYN-ACK back to your machine.
  • Step 3, ACK: The client will then respond to the SYN-ACK with an ACK. Said in other words, the web browser will return an ACK back to the web server.

TCP three way handshake nmap

The nmap CONNECT and SYN scans are now starting to make a little more sense.

The SYN scan will simply send the first SYN request to the server, but never respond with the last ACK. Said in other words, the scan will request a connection with the first SYN, but it will not initialize the connection by sending the last ACK. This is why the SYN scan is also referred to as half-open scanning.

The CONNECT scan however, unlike the SYN scan, will initialize the connection – just as a normal web browser would do with a web server. This indicates that the CONNECT scan is more resource heavy, and louder.

Open, Closed and Filtered

Now that we know how the basic nmap scans are performed, we can have a look at how nmap actually determines whether a port is open, closed or filtered.

Open

Nmap will report the port back as being open if a SYN-ACK is received from the target after the initial SYN is sent by nmap.
If we think about, this makes perfect sense – the target responded to our request to initialize a TCP connection, meaning the target is open to the world on the given port!

Closed

The closed status indicates that there is no service running on the given port. Note that closed is not the same as not responding.
If nmap reports back with a port being closed, it actually means that the host is responding to the nmap probes – but there’s no service responding to handle the TCP requests.

Filtered

A port is being considered filtered if nmap can’t determine if it is open or closed, because the packets are being filtered before they reach the target port. One common reason for this is firewall filtering.

Summary

This was a short introduction to the nmap port scanner tool. There’s alot more you can do with this wonderful tool, so be sure to check out the nmap website for further reference.