There are a ton of resources out there for Nmap. This is a bare bones intro meant for people just getting started with penetration testing. I gave this presentation at my ethical hacking club and wanted to have a write-up that members could reference. This will be short, sweet, and (hopefully) to the point. I’ve also included the PDF of the handout I provided (at the bottom of this post).
So what is Nmap? It’s a network mapper and can be considered a vulnerability scanner as well. It can give you a lot of information quickly. It will let you see what’s on a network and provide a lot of info about the devices that it sees.
Disclaimer – hacking is illegal, don’t go to jail, get permission/use any of the great practice tools out there/set up a home lab/etc.
- It can BREAK things.
- The scan rate is adjustable, so you can make it less likely to break things.
- There are quite a few options. Spend some time on the project page or other resources to figure out what you need to know.
- Hit enter while a scan is running to see progress.
- Use -h to display the help summary page.
- IP address or range: 192.168.1.1 or 192.168.1.0/24 (CIDR notation)
- URL: www.example.com
- Filename: -iL <filename>
- -p <port ranges>: Scan a range of ports or particular ports
- –exclude-ports <port ranges>: Exclude certain ports
- The default Nmap scan includes 1,000 TCP ports, so it covers a lot of ground. You may want to limit the ports scanned if you know you are looking for something specific.
- -sS: TCP SYN scan; default; most popular
- -O: Enable operating system detection
- -T<0-5>: Set scan speed; higher is faster; 3 is the default
- -v: Increase verbosity (print more stuff); -vv, -vvv, etc.
- -A: Enable aggressive scan; includes OS detection, version scanning, script scanning, and traceroute; common choice when doing ctf or boot2root activities; I think of this as “do all the things”
-oN/-oX/-oG/-oA <file>: Output scan normal, XML, grepable, or all 3
This is very useful and allows you to easily review your results or use the scan results with other tools that can take a file for input. Nmap output can get long very quickly, and scrolling back through the CLI can get old. Another benefit of saving the output is you can come back to your info later. If you are working in your homelab, saving the output can save you some time if you have to step away from what you are doing. The IP addresses may change, but you’ll have enough info that you should be able to skip running nmap when you come back.
The first example will scan “scanme.nmap.org” and -A will do OS and version detection, script scanning, and traceroute.
The second example will scan the IP ranges of 192.168.0.0/16 and 10.0.0.0/8 and -sn indicates a ping scan should be done.
The third example saves the results to pentest1 in the normal format, does OS and version detection, and sets the scan speed to level 3. It scans the IP range 192.168.14.0/24.
If you are learning to do pen testing, doing CTF, or other ethical hacking activities, it’s likely you can scan at the faster rates without an issue. But make sure you are on an isolated network – this can be a physical network you have setup or a couple of virtual machines. A typical situation would be running Kali on one VM and have a second running whatever vulnerable VM you are targeting. I typically set these up using the Host-Only Adapter option so I know exactly what should be on the network I’m scanning. You’ll usually see 3 targets pop up when you do this scan – the Kali VM, the vulnerable VM, and your actual computer. If you run the scan and see something that you can’t identify, it would be a good idea to check it out.
A common scan you might use with a virtual machine you’ve downloaded from VulnHub or a similar site would be:
You have asked for Nmap to be verbose (-v), use multiple scanning options (-A), save your output in the normal format to ctf1 (-oN ctf1), and scan as fast as possible (-T5). This should get you all of the information needed on the target machine to move on to the next step and identify some vulnerabilities.
Remember to swap out your specific target IP or IP range for the 192.168.14.0/24 portion of the example.
That’s your quick rundown of how to use Nmap. There’s a lot more to it than this, but this should be enough to get started with boot2root or CTF challenges. Take some time looking over your options if you get stuck or don’t get the expected results. And don’t forget to do some searching – there are a lot of resources out there that show just how powerful Nmap can be.
PDF: Nmap Intro