Get introduced to the process of port scanning with this Nmap tutorial and series of more advanced tips. With a basic understanding of networking (IP addresses and service ports), learn to run a port scanner and understand what is happening under the hood. Nmap is the world's leading port scanner, and a popular part of our hosted security tools. Nmap as an online port scanner can scan your. This post provides an overview of the Nmap scanning tool, specifically. Anecdotally, it would take about a week for a single machine to ping.
In this tutorial we are going to use Nmap in Kali Linux to scan for open ports, and we will be using OS detection. Nmap stands for Network Mapper and is an open source tool for network exploration and security auditing which comes standard with Kali Linux but is also available for Windows, OSX and many other UNIX platforms. Nmap also has a graphical user interface called Zenmap.
First I want to start off with a little warning: Please be careful using the more aggressive functions of Nmap against hosts you do not own or do not have permission to scan. It may be against your ISP’s terms to use some Nmap features.
Open Port Scanning and OS Detection
Let’s start with a ping scan on an IP range to determine live hosts using the following command:
nmap -sP 192.168.0.0-100
Next we will start a SYN scan with OS detection on one of the live hosts using the following command:
nmap -sS [ip address] -O
Now we will start an open port scan with version detection using the following command:
nmap -sV 192.168.0.1 -A
When we add -v to the command we can increase the verbosity:
nmap -sV 192.168.0.13 -A -v
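The four commands above chained into one script, as an added example that is not from the original tutorial: a ping sweep of the range, then a SYN scan with OS and version detection against only the hosts that answered, with results saved in all three formats via -oA and the open ports summarised from the grepable (.gnmap) file. The `live_hosts`, `open_ports` and `scan_range` function names are my own. The script assumes nmap is installed and runs as root (which -sS and -O need for raw sockets), and it uses -sn, the current name for the -sP ping scan used above.

```shell
#!/bin/sh
# Added example, not part of the original tutorial.
# Assumptions: nmap is on PATH; the script runs as root (raw sockets for -sS/-O).

# Print the IP of every host Nmap marked "Up" in grepable (-oG) ping-scan output read from stdin.
# Grepable host lines look like:  Host: 192.168.0.1 ()<TAB>Status: Up
live_hosts() {
    awk '/^Host:/ && /Status: Up/ { print $2 }'
}

# Summarise grepable port-scan output (stdin) as "ip port/proto state service".
# The Ports field is tab-separated from the rest of the line and holds entries like
#   22/open/tcp//ssh//OpenSSH 7.9p1/
# separated by ", ". Only open and open|filtered ports are reported; closed and
# filtered ports are noise for an exposure report.
open_ports() {
    awk -F'\t' '
        /^Host:/ {
            split($1, h, " "); ip = h[2]
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^Ports: /) {
                    n = split(substr($i, 8), ports, ", ")
                    for (j = 1; j <= n; j++) {
                        split(ports[j], f, "/")
                        if (f[2] ~ /^open/) print ip, f[1] "/" f[3], f[2], f[5]
                    }
                }
            }
        }'
}

# Full pipeline: ping-sweep the range, then SYN + OS + version scan only the live
# hosts, saving normal, XML and grepable output under $2 (default "scan").
scan_range() {
    range="$1"; base="${2:-scan}"
    hosts=$(nmap -sn -oG - "$range" | live_hosts)
    [ -n "$hosts" ] || { echo "no live hosts in $range" >&2; return 1; }
    # $hosts is intentionally unquoted so each IP becomes its own argument.
    # shellcheck disable=SC2086
    nmap -sS -O -sV -v -oA "$base" $hosts >/dev/null
    open_ports < "$base.gnmap"
}

# Usage: ./scan.sh 192.168.0.0-100 lan   (no arguments: only define the functions)
if [ "$#" -gt 0 ]; then
    scan_range "$@"
fi
```

Because the three output files are kept, the same `open_ports` filter can be run later against an older .gnmap file and diffed against the new one, which is the simplest way to spot a port that was not open the last time the range was scanned.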
Nmap Open Port Scanning and OS Detection Video Tutorial
Thanks for watching and please subscribe to my YouTube channel :)
Nmap options summary
![Man Man](/uploads/1/2/5/6/125646409/843700487.png)
Usage: nmap [Scan Type(s)] [Options] {target specification}
TARGET SPECIFICATION:
Can pass hostnames, IP addresses, networks, etc.
Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
-iL <inputfilename>: Input from list of hosts/networks
-iR <num hosts>: Choose random targets
--exclude <host1[,host2][,host3],...>: Exclude hosts/networks
--excludefile <exclude_file>: Exclude list from file
HOST DISCOVERY:
-sL: List Scan - simply list targets to scan
-sn: Ping Scan - disable port scan
-Pn: Treat all hosts as online -- skip host discovery
-PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports
-PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
-PO[protocol list]: IP Protocol Ping
-n/-R: Never do DNS resolution/Always resolve [default: sometimes]
--dns-servers <serv1[,serv2],...>: Specify custom DNS servers
--system-dns: Use OS's DNS resolver
--traceroute: Trace hop path to each host
SCAN TECHNIQUES:
-sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
-sU: UDP Scan
-sN/sF/sX: TCP Null, FIN, and Xmas scans
--scanflags <flags>: Customize TCP scan flags
-sI <zombie host[:probeport]>: Idle scan
-sY/sZ: SCTP INIT/COOKIE-ECHO scans
-sO: IP protocol scan
-b <FTP relay host>: FTP bounce scan
PORT SPECIFICATION AND SCAN ORDER:
-p <port ranges>: Only scan specified ports
Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080,S:9
--exclude-ports <port ranges>: Exclude the specified ports from scanning
-F: Fast mode - Scan fewer ports than the default scan
-r: Scan ports consecutively - don't randomize
--top-ports <number>: Scan <number> most common ports
--port-ratio <ratio>: Scan ports more common than <ratio>
SERVICE/VERSION DETECTION:
-sV: Probe open ports to determine service/version info
--version-intensity <level>: Set from 0 (light) to 9 (try all probes)
--version-light: Limit to most likely probes (intensity 2)
--version-all: Try every single probe (intensity 9)
--version-trace: Show detailed version scan activity (for debugging)
SCRIPT SCAN:
-sC: equivalent to --script=default
--script=<Lua scripts>: <Lua scripts> is a comma separated list of
directories, script-files or script-categories
--script-args=<n1=v1,[n2=v2,...]>: provide arguments to scripts
--script-args-file=filename: provide NSE script args in a file
--script-trace: Show all data sent and received
--script-updatedb: Update the script database.
--script-help=<Lua scripts>: Show help about scripts.
<Lua scripts> is a comma-separated list of script-files or
script-categories.
OS DETECTION:
-O: Enable OS detection
--osscan-limit: Limit OS detection to promising targets
--osscan-guess: Guess OS more aggressively
TIMING AND PERFORMANCE:
Options which take <time> are in seconds, or append 'ms' (milliseconds),
's' (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).
-T<0-5>: Set timing template (higher is faster)
--min-hostgroup/max-hostgroup <size>: Parallel host scan group sizes
--min-parallelism/max-parallelism <numprobes>: Probe parallelization
--min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time>: Specifies
probe round trip time.
--max-retries <tries>: Caps number of port scan probe retransmissions.
--host-timeout <time>: Give up on target after this long
--scan-delay/--max-scan-delay <time>: Adjust delay between probes
--min-rate <number>: Send packets no slower than <number> per second
--max-rate <number>: Send packets no faster than <number> per second
FIREWALL/IDS EVASION AND SPOOFING:
-f; --mtu <val>: fragment packets (optionally w/given MTU)
-D <decoy1,decoy2[,ME],...>: Cloak a scan with decoys
-S <IP_Address>: Spoof source address
-e <iface>: Use specified interface
-g/--source-port <portnum>: Use given port number
--proxies <url1,[url2],...>: Relay connections through HTTP/SOCKS4 proxies
--data <hex string>: Append a custom payload to sent packets
--data-string <string>: Append a custom ASCII string to sent packets
--data-length <num>: Append random data to sent packets
--ip-options <options>: Send packets with specified ip options
--ttl <val>: Set IP time-to-live field
--spoof-mac <mac address/prefix/vendor name>: Spoof your MAC address
--badsum: Send packets with a bogus TCP/UDP/SCTP checksum
OUTPUT:
-oN/-oX/-oS/-oG <file>: Output scan in normal, XML, s|<rIpt kIddi3,
and Grepable format, respectively, to the given filename.
-oA <basename>: Output in the three major formats at once
-v: Increase verbosity level (use -vv or more for greater effect)
-d: Increase debugging level (use -dd or more for greater effect)
--reason: Display the reason a port is in a particular state
--open: Only show open (or possibly open) ports
--packet-trace: Show all packets sent and received
--iflist: Print host interfaces and routes (for debugging)
--log-errors: Log errors/warnings to the normal-format output file
--append-output: Append to rather than clobber specified output files
--resume <filename>: Resume an aborted scan
--stylesheet <path/URL>: XSL stylesheet to transform XML output to HTML
--webxml: Reference stylesheet from Nmap.Org for more portable XML
--no-stylesheet: Prevent associating of XSL stylesheet w/XML output
MISC:
-6: Enable IPv6 scanning
-A: Enable OS detection, version detection, script scanning, and traceroute
--datadir <dirname>: Specify custom Nmap data file location
--send-eth/--send-ip: Send using raw ethernet frames or IP packets
--privileged: Assume that the user is fully privileged
--unprivileged: Assume the user lacks raw socket privileges
-V: Print version number
-h: Print this help summary page
Downloading Nmap
Nmap and Zenmap (the graphical front end) are available in several versions and formats. Recent source releases and binary packages are described below. Older versions (and sometimes newer test releases) are available from the dist directory (and really old ones are in dist-old). For the more security-paranoid (smart) users, GPG detached signatures and SHA-1 hashes for each release are available in the sigs directory (verification instructions). Before downloading, be sure to read the relevant sections for your platform from the Nmap Install Guide. The most important changes (features, bugfixes, etc.) in each Nmap version are described in the Changelog. Using Nmap is covered in the Reference Guide, and don't forget to read the other available documentation, particularly the new book Nmap Network Scanning!
Nmap users are encouraged to subscribe to the Nmap-hackers mailing list. It is a low volume (7 posts in 2015), moderated list for the most important announcements about Nmap, Insecure.org, and related projects. You can join the 128,953 current subscribers (as of September 2017) by submitting your email address here:
You can also get updates from our Facebook and Twitter pages.
Nmap is distributed with source code under custom license terms similar to (and derived from) the GNU General Public License, as noted in the copyright page.
Microsoft Windows binaries
Please read the Windows section of the Install Guide for limitations and installation instructions for the Windows version of Nmap. You can choose from a self-installer (includes dependencies and also the Zenmap GUI) or the much smaller command-line zip file version. We support Nmap on Windows 7 and newer, as well as Windows Server 2008 and newer. We also maintain a guide for users who must run Nmap on earlier Windows releases.
Note: The version of Npcap included in our installers may not always be the latest version. If you experience problems or just want the latest and greatest version, download and install the latest Npcap release.
The Nmap executable Windows installer can handle Npcap installation, registry performance tweaks, and decompressing the executables and data files into your preferred location. It also includes the Zenmap graphical frontend. Skip all the complexity of the Windows zip files with a self-installer:
Latest stable release self-installer: nmap-7.80-setup.exe
Latest Npcap release self-installer: npcap-0.9984.exe
We have written post-install usage instructions. Please notify us if you encounter any problems or have suggestions for the installer.
For those who prefer the command-line zip files (Installation Instructions; Usage Instructions), they are still available. The Zenmap graphical interface is not included with these, so you need to run nmap.exe from a DOS/command window. Or you can download and install a superior command shell such as those included with the free Cygwin system. Also, you need to run the Npcap and Microsoft Visual C++ 2013 Redistributable Package installers which are included in the zip file. The main advantage is that these zip files are a fraction of the size of the executable installer:
Latest stable command-line zip file: nmap-7.80-win32.zip
Linux RPM Source and Binaries
Many popular Linux distributions (Redhat, Mandrake, Suse, etc.) use the RPM package management system for quick and easy binary package installation. We have written a detailed guide to installing our RPM packages, though these simple commands usually do the trick:
You can also download and install the RPMs yourself:
Latest stable release:
x86-64 (64-bit Linux) Nmap RPM: nmap-7.80-1.x86_64.rpm
x86-64 (64-bit Linux) Ncat RPM: ncat-7.80-1.x86_64.rpm
x86-64 (64-bit Linux) Nping RPM: nping-0.7.80-1.x86_64.rpm
Optional Zenmap GUI (all platforms): zenmap-7.80-1.noarch.rpm
Source RPM (includes Nmap, Zenmap, Ncat, and Nping): nmap-7.80-1.src.rpm
Mac OS X Binaries
Nmap binaries for Mac OS X (Intel x86) are distributed as a disk image file containing an installer. The installer allows installing Nmap, Zenmap, Ncat, and Ndiff. The programs have been tested on Intel computers running Mac OS X 10.8 and later. See the Mac OS X Nmap install page for more details. Users of PowerPC (PPC) Mac machines, which Apple ceased selling in 2006, should see this page instead for support information.
Latest stable release installer: nmap-7.80.dmg
Source Code Distribution
This is the traditional compile-it-yourself format. The Nmap tarball compiles under Linux, Mac OS X, Windows, and many UNIX platforms (Solaris, Free/Net/OpenBSD, etc.). It includes Zenmap, the GUI frontend.
Detailed Linux/BSD/Solaris compilation instructions and options are provided here, though this usually does the trick:
Most Windows users install with our Windows executable installer, but we also provide Windows source code compilation instructions.
Most Mac OS X users install with our Mac installer, but we also provide Mac OS X source code compilation instructions.
If you are compiling Nmap anyway, you might prefer to get the very latest code from our SVN source code repository rather than downloading a tarball here.
Latest stable Nmap release tarball: nmap-7.80.tar.bz2 (or gzip compressed)
Other Operating Systems
Many other operating systems support Nmap so well that I have no need to create and distribute binary packages myself. You can choose to use the packages below, or compile the source distribution, which is often newer. We have created installation pages for the following platforms:
Linux (all distributions)
Microsoft Windows
Mac OS X
FreeBSD, OpenBSD, and NetBSD
Sun Solaris
Amiga, HP-UX, and Other Platforms