Beginner to Advanced in NMAP: Complete Guide 2025

Introduction

In a field that changes daily, Nmap remains one of the most flexible tools in the security practitioner's arsenal. It is open source and is widely regarded as essential for network scanning, security auditing, and vulnerability testing. This article walks through everything from basic Nmap commands to more complex ones so that you can work with Nmap confidently at any level.

What is Nmap and Why Do We Use It?

Nmap is a free and open-source network scanner that helps us detect hosts, open ports, services, operating systems, and vulnerabilities on networks. It’s invaluable for both penetration testers and network administrators because it provides detailed insights that enhance network security.

Basic Nmap Commands

  • Basic TCP Scan

nmap target_ip

Checks for open TCP ports on the target, giving us a snapshot of the network’s entry points.

  • UDP Scan

nmap -sU target_ip

Scans for open UDP ports, which a TCP-only scan misses entirely. UDP scanning is much slower than TCP scanning because a port that does not answer is reported as open|filtered, so it is best combined with -p to name the ports of interest.

  • OS Detection

nmap -O target_ip

Identifies the operating system running on the target machine by fingerprinting its TCP/IP stack; like the other raw-packet scans, it needs root (or equivalent raw-socket) privileges.

  • Service Version Detection

nmap -sV target_ip

Helps us determine the specific versions of services running on open ports.

  • Aggressive Scan

nmap -A target_ip

Performs a comprehensive scan that includes OS detection, version detection, script scanning, and traceroute.

  • Ping Scan

nmap -sn target_ip_range

Checks if devices in a specified IP range are online without scanning open ports.

  • Port Range Scan

nmap -p port_range target_ip

Scans only a specific range of ports on the target system.

  • Script Scanning

nmap -sC target_ip

Runs default Nmap scripts for common security checks, helpful for quick vulnerability assessments.

  • Vulnerability Scan

nmap --script vuln target_ip

Utilizes scripts to find potential vulnerabilities on the target system.

  • Fast Scan

nmap -F target_ip

A quicker scan that checks only the 100 most common ports instead of the default 1000, often used to get a first picture of large networks.

  • Traceroute

nmap --traceroute target_ip

Identifies the path packets take from our device to the target.

  • Firewall Detection

nmap -sA target_ip

Sends ACK probes to map firewall rules. An ACK scan never reports a port as open; it labels ports unfiltered (a RST came back, so the probe reached the host) or filtered (no reply or an ICMP error, so a stateful firewall is most likely dropping unsolicited ACKs).

  • IP Protocol Scan

nmap -sO target_ip

Checks for supported IP protocols on the target.

  • TCP SYN Ping

nmap -PS target_ip

Sends SYN packets (to port 80 by default; -PS22,443 probes other ports) to see whether hosts are online without completing the TCP handshake.

  • Idle Scan

nmap -sI zombie_ip target_ip

Uses a “zombie” host to perform a stealth scan, hiding our IP address from the target.


Advanced Nmap Commands

  • Aggressive Service and OS Detection

nmap -A -T4 target_ip

Combines the full -A bundle (OS detection, version detection, default scripts, and traceroute) with the faster -T4 timing template, useful in time-sensitive scenarios on reliable networks.

  • UDP Scan with Specific Ports

nmap -sU -p 53,67,161 target_ip

Scans specific UDP ports like DNS, DHCP, and SNMP.

  • Top 1000 Ports Scan

nmap -p 1-1000 target_ip

Scans ports 1 through 1000. Note that this is not the same as Nmap's default port set: with no -p option, Nmap scans its own list of the 1000 most commonly used ports (equivalent to --top-ports 1000), which includes high-numbered ports such as 3306 and 8080 that the range 1-1000 does not cover.
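The Port Range Scan, the UDP scan with specific ports, and the 1-1000 scan above all rely on Nmap's -p port specification syntax. The following Python parser is an added example written for this guide, not code from the Nmap project; it models the parts of the -p grammar used on this page (comma lists, a-b ranges with either end omitted, and the T:/U: protocol prefixes), and it is handy for checking how many ports a given spec really covers before a long scan.

```python
import re

MAX_PORT = 65535


def parse_port_spec(spec, default_proto="tcp"):
    """Parse a subset of Nmap's -p grammar into {"tcp": set, "udp": set}.

    Handled: comma-separated items, a-b ranges, an omitted range end
    (-1000 means 1-1000, 1000- means 1000-65535, '-' alone means 1-65535)
    and the T:/U: protocol prefixes, which stay in force for every following
    item until the next prefix (so U:53,67,161,T:21-25 puts 53, 67 and 161
    in udp and 21-25 in tcp).  Items without a prefix go to default_proto;
    pass "udp" to model an -sU scan.
    """
    ports = {"tcp": set(), "udp": set()}
    proto = default_proto
    for item in spec.split(","):
        item = item.strip()
        # Optional protocol prefix, then the port or range body.
        m = re.fullmatch(r"(?:([TUtu]):)?(.*)", item)
        prefix, body = m.group(1), m.group(2)
        if prefix:
            proto = "tcp" if prefix.upper() == "T" else "udp"
        if re.fullmatch(r"\d+", body):
            lo = hi = int(body)  # single port
        else:
            rng = re.fullmatch(r"(\d*)-(\d*)", body)
            if rng is None:
                raise ValueError(f"bad port item {item!r} in {spec!r}")
            lo = int(rng.group(1)) if rng.group(1) else 1
            hi = int(rng.group(2)) if rng.group(2) else MAX_PORT
        if not 0 <= lo <= hi <= MAX_PORT:
            raise ValueError(f"port range out of bounds: {item!r}")
        ports[proto].update(range(lo, hi + 1))
    return ports


def port_count(ports):
    """Number of distinct ports per protocol, e.g. {"tcp": 1000, "udp": 0}."""
    return {proto: len(members) for proto, members in ports.items()}


if __name__ == "__main__":
    for spec in ("1-1000", "-", "U:53,67,161,T:21-25", "22,80,443,8000-8100"):
        print(f"-p {spec:<22} -> {port_count(parse_port_spec(spec))}")
```

Note that UDP ports given with a U: prefix are only actually probed when the scan also includes -sU; Nmap ignores them otherwise.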

  • Scan for Heartbleed Vulnerability

nmap --script ssl-heartbleed target_ip

Checks for the Heartbleed vulnerability in SSL/TLS, crucial for sites with sensitive data.

  • Script Category Scan

nmap --script default target_ip

Executes default scripts, a useful command to start vulnerability assessments.

  • Custom Script Scan

nmap --script=script_name.nse target_ip

Runs a specific script from the Nmap Scripting Engine (NSE); the .nse suffix is optional, and several scripts or categories can be given as a comma-separated list.

  • Scan with a Specific NSE Script Argument

nmap --script script_name.nse --script-args arg=value target_ip

Provides arguments to specific scripts, allowing us to customize the scan.

  • Exclude Hosts from Scan

nmap target_ip_range --exclude host_to_exclude

Skips specific hosts within a scan range; --exclude takes a comma-separated list of hosts or networks, and --excludefile reads the same list from a file.

  • IP Range Scan with Output to a File

nmap -oX output_file.xml target_ip_range

Saves scan results to an XML file, the format to use when results will be parsed by other tools (-oA basename writes normal, grepable, and XML output at once).
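Since the point of -oX is machine parsing, here is an added example (not part of the original guide and not Nmap project code) of a small Python reader for that XML: it uses only the standard library, lists the hosts that were up, and reports open services per host. The SAMPLE_XML document is constructed for the example and mirrors the element layout of real -oX output (host, status, address, hostnames, ports/port/state/service), but its addresses, names and version strings are made up.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of `nmap -sV -oX output_file.xml` output
# (three hosts, trimmed to the elements this parser reads); not a real scan.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX output_file.xml 192.0.2.0/29" start="0">
  <host>
    <status state="up" reason="syn-ack"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <hostnames><hostname name="web.example.test" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="9.6p1" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack"/>
        <service name="http" product="nginx" version="1.24.0" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="443">
        <state state="closed" reason="reset"/>
        <service name="https" method="table" conf="3"/>
      </port>
    </ports>
  </host>
  <host>
    <status state="up" reason="echo-reply"/>
    <address addr="192.0.2.11" addrtype="ipv4"/>
    <hostnames/>
    <ports>
      <port protocol="udp" portid="161">
        <state state="open|filtered" reason="no-response"/>
        <service name="snmp" method="table" conf="3"/>
      </port>
      <port protocol="tcp" portid="445">
        <state state="filtered" reason="no-response"/>
        <service name="microsoft-ds" method="table" conf="3"/>
      </port>
    </ports>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="192.0.2.12" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return one dict per host that was up: address, hostname, and its ports."""
    root = ET.fromstring(xml_text)
    hosts = []
    for host in root.iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # hosts Nmap reported as down carry no port data
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            addr_el = host.find("address[@addrtype='ipv6']")
        name_el = host.find("hostnames/hostname")
        ports = []
        for port in host.iterfind("ports/port"):
            state = port.find("state")
            svc = port.find("service")
            get = (lambda k: svc.get(k, "")) if svc is not None else (lambda k: "")
            ports.append({
                "port": int(port.get("portid")),
                "protocol": port.get("protocol"),
                "state": state.get("state") if state is not None else "unknown",
                "service": get("name"),
                "product": get("product"),
                "version": get("version"),
                # "probed" = confirmed by a version probe; "table" = guessed from the port number
                "method": get("method"),
            })
        hosts.append({
            "address": addr_el.get("addr") if addr_el is not None else "",
            "hostname": name_el.get("name") if name_el is not None else "",
            "ports": ports,
        })
    return hosts


def open_services(hosts, include_open_filtered=False):
    """Map address -> sorted 'port/proto service product version' strings for open
    ports.  UDP open|filtered only means 'no answer', so it is left out unless asked."""
    wanted = {"open", "open|filtered"} if include_open_filtered else {"open"}
    result = {}
    for h in hosts:
        entries = []
        for p in sorted(h["ports"], key=lambda p: (p["protocol"], p["port"])):
            if p["state"] in wanted:
                label = " ".join(x for x in (p["service"], p["product"], p["version"]) if x)
                entries.append(f"{p['port']}/{p['protocol']} {label}".rstrip())
        result[h["address"]] = entries
    return result


if __name__ == "__main__":
    for addr, services in open_services(parse_nmap_xml(SAMPLE_XML)).items():
        print(addr, services)
```

The method attribute is worth keeping: a service row with method="table" is only Nmap's guess from the port number, while method="probed" means -sV actually matched a banner, which matters when the output feeds an asset inventory.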

  • Version Detection with Intensity

nmap -sV --version-intensity 5 target_ip

Sets the version detection intensity. The scale runs from 0 to 9 and defaults to 7, so 5 is actually lighter and faster than the default; use 9 (or --version-all) when telling similar service versions apart matters more than scan time.

  • Timing and Packet Tweak

nmap -T4 --ttl 128 target_ip

Speeds up the timing template (-T4) and sets the IP TTL of outgoing probes, a combination aimed at quicker scans on fast, reliable networks.

  • Scan Multiple Targets from a File

nmap -iL target_file.txt

Loads targets (IPs, CIDR blocks, or hostnames, one per line) from a file, efficient for scanning large networks or a scope list that was agreed in advance.
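The --exclude and -iL options above are how an engagement's agreed scope gets into Nmap. As an added example (written for this guide, not code from the Nmap project), the Python below expands CIDR blocks, removes the excluded hosts the same way `nmap <range> --exclude <hosts>` would, and writes the survivors to a file for -iL, so the scope can be reviewed before anything is scanned. IN_SCOPE and OUT_OF_SCOPE are constructed sample values using documentation address ranges; only plain IP and CIDR specs are handled, not Nmap's octet-range syntax or hostnames.

```python
import ipaddress
import os
import tempfile

# Constructed scope for the example (TEST-NET documentation ranges).
IN_SCOPE = ["192.0.2.0/29", "198.51.100.7"]
OUT_OF_SCOPE = ["192.0.2.1", "192.0.2.4/30"]  # e.g. the gateway and a sensitive block


def expand_targets(specs, excludes=()):
    """Expand the IPs/CIDR blocks in `specs`, drop every address covered by an
    entry in `excludes` (also IPs or CIDR blocks) and return the rest as sorted
    strings.  Like Nmap, a CIDR block includes its network and broadcast
    addresses; IPv4 and IPv6 may be mixed."""
    excluded = [ipaddress.ip_network(e, strict=False) for e in excludes]
    keep = set()
    for spec in specs:
        for addr in ipaddress.ip_network(spec, strict=False):
            if any(addr in net for net in excluded):
                continue
            keep.add(addr)
    return [str(a) for a in sorted(keep, key=lambda a: (a.version, a))]


def write_target_file(targets, path):
    """Write one target per line, the layout `nmap -iL path` reads; returns the count."""
    with open(path, "w") as fh:
        fh.write("\n".join(targets) + "\n")
    return len(targets)


def read_target_file(path):
    """Read a target file back, skipping blank lines."""
    with open(path) as fh:
        return [line.strip() for line in fh if line.strip()]


def round_trip_target_file(targets):
    """Write targets to a temporary file and read them back, to confirm the
    file holds exactly what -iL will consume."""
    fd, path = tempfile.mkstemp(suffix=".txt")
    os.close(fd)
    try:
        write_target_file(targets, path)
        return read_target_file(path)
    finally:
        os.remove(path)


if __name__ == "__main__":
    targets = expand_targets(IN_SCOPE, OUT_OF_SCOPE)
    path = os.path.join(tempfile.gettempdir(), "nmap_targets.txt")
    write_target_file(targets, path)
    print(f"{len(targets)} targets written to {path}; scan with: nmap -iL {path}")
```

Generating the list this way and then pointing -iL at it gives a reviewable artefact of exactly which addresses were probed, which is easier to audit afterwards than a long command line of ranges and --exclude entries.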

  • Scan for HTTP Vulnerabilities

nmap --script "http-vuln*" target_ip

Runs the scripts whose names start with http-vuln, covering common HTTP-related vulnerabilities, vital for web server security. Quote the wildcard so the shell passes it to Nmap unexpanded.

  • Scan IPv6 Addresses

nmap -6 target_ipv6

Specifically targets IPv6 addresses.

  • Scan for SMB Vulnerabilities

nmap --script "smb-vuln*" target_ip

Runs the scripts whose names start with smb-vuln to check for SMB vulnerabilities, essential for securing Windows networks. As above, quote the wildcard so the shell does not expand it.


Conclusion

This guide lays a foundation for using Nmap, from basic commands to more advanced ones. Nmap is certainly one of the core tools in the cybersecurity toolbox: we use it to determine which ports are open when looking for vulnerabilities, to assess which service is running on each port, and to find entry points into an organization that would otherwise go unnoticed.


Disclaimer

This is an educational guide to help you develop hands-on skills in cybersecurity safely and legally. The tool covered here is Nmap. It is meant to be used only for ethical and legal purposes. Scanning or probing networks without authorization is illegal and carries dire consequences. Our mission is to empower you as a cybersecurity professional, whether you are preparing for certifications like OSCP or CEH or simply expanding your knowledge. Always use these tools responsibly, ethically, and within the boundaries of the law to make cybersecurity a priority for everyone.

