Nmap Commands For Beginner Hackers

What Nmap is ? its an open source security tool  for network exploration, security scanning and auditing. My purpose of this post is to introduce Nmap command line tool to scan a host and or network .

Sample Of Lab Setup:-
Port scanning is illegal so you need to setup a lab so your lab looks like as follow

+———-+          | Network |           +——–+
| server1 |——–+  swtich  +——–|server2 |
+———-+          |   (sw0)    |         +———+
+——— + ———-+
| wks01 Linux/OSX |

Description of lab is :-

  • wks01 is your computer either running Linux/OS X or Unix like operating system. It is used for scanning your local network. The nmap command must be installed on this computer.
  • server1 can be powered by Linux / Unix / MS-Windows operating systems. This is an unpatched server. Feel free to install a few services such as a web-server, file server and so on.
  • server2 can be powered by Linux / Unix / MS-Windows operating systems. This is a fully patched server with firewall. Again, feel free to install few services such as a web-server, file server and so on.
  • All three systems are connected via switch.
  1.  Scan a single host or an IP address (IPv4)
    ### Scan a single ip address ###
    ## Scan a host name ###
    nmap server1.************
    ## Scan a host name with more info###
    nmap -v server1.************
  2. Scan a firewall for MAC address spoofing
    ### Spoof your MAC address ##
    nmap –spoof-mac MAC-ADDRESS-HERE Add other options ###
    nmap -v -sT -PN –spoof-mac MAC-ADDRESS-HERE Use a random MAC address ###
    ### The number 0, means nmap chooses a completely random MAC address ###
    nmap -v -sT -PN –spoof-mac 0
  3. Cloak a scan with decoys
    The -D option it appear to the remote host that the host(s) you specify as decoys are scanning the target network too. Thus their IDS might report 5-10 port scans from unique IP addresses, but they won’t know which IP was scanning them and which were innocent decoys:nmap -n -Ddecoy-ip1,decoy-ip2,your-own-ip,decoy-ip3,decoy-ip4 remote-host-ip
    nmap -n -D192.168.1.5,,,
  4. Scan a firewall for security weakness
    The following scan types exploit a subtle loophole in the TCP and good for testing security of common attacks:
    TCP Null Scan to fool a firewall to generate a response ##
    ## Does not set any bits (TCP flag header is 0) ##
    nmap -sN TCP Fin scan to check firewall ##
    ## Sets just the TCP FIN bit ##
    nmap -sF TCP Xmas scan to check firewall ##
    ## Sets the FIN, PSH, and URG flags, lighting the packet up like a Christmas tree ##
    nmap -sX
  5. Scan a host for UDP services (UDP scan)Most popular services on the Internet run over the TCP protocol. DNS, SNMP, and DHCP are three of the most common UDP services. Use the following syntax to find out UDP services:nmap -sU nas03
    nmap -sU
    Sample outputs:Starting Nmap 5.00 ( ) at 2012-11-27 00:52 IST
    Stats: 0:05:29 elapsed; 0 hosts completed (1 up), 1 undergoing UDP Scan
    UDP Scan Timing: About 32.49% done; ETC: 01:09 (0:11:26 remaining)
    Interesting ports on nas03 (
    Not shown: 995 closed ports
    111/udp open|filtered rpcbind
    123/udp open|filtered ntp
    161/udp open|filtered snmp
    2049/udp open|filtered nfs
    5353/udp open|filtered zeroconf
    MAC Address: 00:11:32:11:15:FC (Synology Incorporated)Nmap done: 1 IP address (1 host up) scanned in 1099.55 seconds
  6. How do I detect remote services (server / daemon) version numbers?nmap -sV
    Sample outputs:Starting Nmap 5.00 ( ) at 2012-11-27 01:34 IST
    Interesting ports on
    Not shown: 998 closed ports
    22/tcp open ssh Dropbear sshd 0.52 (protocol 2.0)
    80/tcp open http?
    1 service unrecognized despite returning data.
  7. How to detect remote operating system?You can identify a remote host apps and OS using the -O option:nmap -O
    nmap -O –osscan-guess
    nmap -v -O –osscan-guess
    Sample outputs:Starting Nmap 5.00 ( ) at 2012-11-27 01:29 IST
    NSE: Loaded 0 scripts for scanning.
    Initiating ARP Ping Scan at 01:29
    Scanning [1 port]
    Completed ARP Ping Scan at 01:29, 0.01s elapsed (1 total hosts)
    Initiating Parallel DNS resolution of 1 host. at 01:29
    Completed Parallel DNS resolution of 1 host. at 01:29, 0.22s elapsed
    Initiating SYN Stealth Scan at 01:29
    Scanning [1000 ports]
    Discovered open port 80/tcp on
    Discovered open port 22/tcp on
    Completed SYN Stealth Scan at 01:29, 0.16s elapsed (1000 total ports)
    Initiating OS detection (try #1) against
    Retrying OS detection (try #2) against
    Retrying OS detection (try #3) against
    Retrying OS detection (try #4) against
    Retrying OS detection (try #5) against
    Host is up (0.00049s latency).
    Interesting ports on
    Not shown: 998 closed ports
    22/tcp open ssh
    80/tcp open http
    MAC Address: BC:AE:C5:C3:16:93 (Unknown)
    Device type: WAP|general purpose|router|printer|broadband router
    Running (JUST GUESSING) : Linksys Linux 2.4.X (95%), Linux 2.4.X|2.6.X (94%), MikroTik RouterOS 3.X (92%), Lexmark embedded (90%), Enterasys embedded (89%), D-Link Linux 2.4.X (89%), Netgear Linux 2.4.X (89%)
    Aggressive OS guesses: OpenWrt White Russian 0.9 (Linux 2.4.30) (95%), OpenWrt 0.9 – 7.09 (Linux 2.4.30 – 2.4.34) (94%), OpenWrt Kamikaze 7.09 (Linux 2.6.22) (94%), Linux 2.4.21 – 2.4.31 (likely embedded) (92%), Linux 2.6.15 – 2.6.23 (embedded) (92%), Linux 2.6.15 – 2.6.24 (92%), MikroTik RouterOS 3.0beta5 (92%), MikroTik RouterOS 3.17 (92%), Linux 2.6.24 (91%), Linux 2.6.22 (90%)
    No exact OS matches for host (If you know what OS is running on it, see ).
    TCP/IP fingerprint:
    Uptime guess: 12.990 days (since Wed Nov 14 01:44:40 2012)
    Network Distance: 1 hop
    TCP Sequence Prediction: Difficulty=200 (Good luck!)
    IP ID Sequence Generation: All zeros
    Read data files from: /usr/share/nmap
    OS detection performed. Please report any incorrect results at .
    Nmap done: 1 IP address (1 host up) scanned in 12.38 seconds
    Raw packets sent: 1126 (53.832KB) | Rcvd: 1066 (46.100KB)
  8. Only show open (or possibly open) portsnmap –open
    nmap –open server1.************
  9. How save output to a text file?The syntax is:nmap > output.txt
    nmap -oN /path/to/filename
    nmap -oN output.txt
  10. Scan an IPv6 host/addressThe -6 option enable IPv6 scanning. The syntax is:nmap -6 IPv6-Address-Here
    nmap -6 server1.************
    nmap -6 2607:f0d0:1002:51::4
    nmap -v A -6 2607:f0d0:1002:51::4
  11. Show host interfaces and routesThis is useful for debugging (ip command or route command or netstat command like output using nmap)nmap –iflist
    Sample outputs:Starting Nmap 5.00 ( ) at 2012-11-27 02:01 IST
    lo (lo) loopback up
    eth0 (eth0) ethernet up B8:AC:6F:65:31:E5
    vmnet1 (vmnet1) ethernet up 00:50:56:C0:00:01
    vmnet8 (vmnet8) ethernet up 00:50:56:C0:00:08
    ppp0 (ppp0) point2point up**************************ROUTES**************************
    DST/MASK DEV GATEWAY ppp0 eth0 eth0 vmnet1 vmnet8 eth0 ppp0 eth0

You can install zenmap for this becouse its graphical and easy to use How you do is simply just but apt-get

sudo su
apt-get update
apt-get install zenmap

Type following command to run it

sudo zenmap

It’s look like



Related Articles

Back to top button