Master Nmap: Essential Commands and Scanning Techniques Explained

This guide walks through common Nmap commands, explains key options such as -A, -T4, and -sn, demonstrates host discovery, port and service detection, OS fingerprinting, and provides practical examples with output screenshots to help readers efficiently assess network security.

MaGe Linux Operations

Typical Nmap Usage

Running a basic scan on a target IP:

root@node01~# nmap 192.168.1.220
Starting Nmap 6.40 ( http://nmap.org ) at 2020-03-21 13:08 CST
Nmap scan report for 192.168.1.220
Host is up (0.00012s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
MAC Address: 00:0C:29:C5:19:99 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 0.10 seconds

The output shows the host is up, port 22 is open, and the MAC address of the target.

Advanced Scan with -A, -T4, -v

root@node01~# nmap -T4 -A -v 192.168.1.220
Starting Nmap 6.40 ( http://nmap.org ) at 2020-03-21 13:12 CST
NSE: Loaded 110 scripts for scanning.
Initiating ARP Ping Scan at 13:12
Scanning 192.168.1.220 [1 port]
Completed ARP Ping Scan at 13:12, 0.00s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host.
Completed Parallel DNS resolution of 1 host. at 13:12, 0.01s elapsed
Initiating SYN Stealth Scan at 13:12
Scanning 192.168.1.220 [1000 ports]
Discovered open port 22/tcp on 192.168.1.220
Completed SYN Stealth Scan at 13:12, 0.05s elapsed (1000 total ports)
Initiating Service scan at 13:12
Scanning 1 service on 192.168.1.220
Completed Service scan at 13:12, 0.04s elapsed (1 service on 1 host)
Initiating OS detection (try #1) against 192.168.1.220
... (multiple OS detection attempts) ...
Nmap scan report for 192.168.1.220
Host is up (0.00089s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey: 2048 e5:a6:1b:ba:13:4e:84:7e:21:2e:4f:23:f6:0e:a8:80 (RSA)
|_256 6c:e7:fe:f6:b4:a6:b1:e4:04:47:fc:6b:e6:51:55:8b (ECDSA)
MAC Address: 00:0C:29:C5:19:99 (VMware)
No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=6.40%E=4%...)
Uptime guess: 0.004 days (since Sat Mar 21 13:07:06 2020)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=262 (Good luck!)
IP ID Sequence Generation: All zeros
TRACEROUTE
HOP RTT   ADDRESS
1   0.89 ms 192.168.1.220
NSE: Script Post-scanning.
Nmap done: 1 IP address (1 host up) scanned in 12.57 seconds
Raw packets sent: 1111 (52.918KB) | Rcvd: 1072 (46.334KB)

Key options explained:

-A : Enables aggressive scanning (OS detection, version detection, script scanning, and traceroute).

-T4 : Sets the timing template to level 4 (faster scans, more likely to be detected by firewalls).

-v : Increases verbosity to show detailed progress.

Scanning Stages

Stage 1 – Host discovery: determines whether the target is online.

Host is up (0.00068s latency).

Stage 2 – Port scanning: by default Nmap scans the 1,000 most common ports; only port 22 is open in the example.

Not shown: 999 closed ports

Stage 3 – Service and version detection: provides details about the running services.

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.4 (protocol 2.0)

Stage 4 – OS detection: attempts to guess the operating system.

No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).

Stage 5 – Traceroute: shows the network path to the target.

TRACEROUTE
HOP RTT   ADDRESS
1   0.75 ms 192.168.1.220

Host Discovery Methods

Option         Description
-------------  ------------------------------------------------------------------------------
-sn            Ping scan only – no port scan.
-Pn            Treat all hosts as online, skip host discovery.
-sL            List targets only, no scanning.
-PS/PA/PU/PY   Use TCP SYN, TCP ACK, UDP, or SCTP probes for discovery (e.g., nmap -PS80,21).
-PE/PP/PM      ICMP echo, timestamp, or netmask requests.
-PO            IP protocol probe.
-n / -R        Disable DNS resolution (-n) or always resolve (-R).

Of these, -sn and -Pn are the most commonly used.

Port Scan States

The following image (not reproduced here) illustrates the six possible port states returned by Nmap: open, closed, filtered, unfiltered, open|filtered, and closed|filtered.

[Image: Nmap port states]

Port Scan Commands

Example of a mixed TCP SYN, UDP, and fast scan:

root@node01~# nmap -sS -sU -F www.baidu.com
Starting Nmap 6.40 ( http://nmap.org ) at 2020-03-21 14:09 CST
Nmap scan report for www.baidu.com (39.156.66.18)
Host is up (0.013s latency).
Not shown: 100 open|filtered ports, 98 filtered ports
PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https
Nmap done: 1 IP address (1 host up) scanned in 10.13 seconds

Options used:

-sS : TCP SYN scan.

-sU : UDP scan.

-F : Fast scan (top 100 ports).

Version Detection

Detecting service versions on a web server:

root@node01~# nmap -sV www.baidu.com
Starting Nmap 6.40 ( http://nmap.org ) at 2020-03-21 14:15 CST
Nmap scan report for www.baidu.com (39.156.66.18)
Host is up (0.016s latency).
Not shown: 998 filtered ports
PORT   STATE SERVICE        VERSION
80/tcp open  http-proxy     sslstrip
443/tcp open  ssl/http-proxy sslstrip
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 27.15 seconds
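The port scan and version detection listings above are easy to read by eye but are usually consumed by scripts that compare them against an approved baseline. The following parser is an added example, not code from the article or from the Nmap project: it parses Nmap's normal text output (with or without the VERSION column) into structured records and flags open or open|filtered ports that are not on an expected list. The two sample outputs are copied from the article's own scans; EXPECTED_OPEN is a constructed baseline for the demonstration.

```python
"""Parse Nmap's normal text output into structured records and flag open
ports that are not on an approved baseline.

Added example, not code from the article or from the Nmap project. The two
sample outputs are copied from the article's own scans; EXPECTED_OPEN is a
constructed baseline for the demonstration."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Sample output from the article's "nmap -sV www.baidu.com" run (has a VERSION column).
SAMPLE_SV = """\
Starting Nmap 6.40 ( http://nmap.org ) at 2020-03-21 14:15 CST
Nmap scan report for www.baidu.com (39.156.66.18)
Host is up (0.016s latency).
Not shown: 998 filtered ports
PORT   STATE SERVICE        VERSION
80/tcp open  http-proxy     sslstrip
443/tcp open  ssl/http-proxy sslstrip
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 27.15 seconds
"""

# Sample output from the article's basic "nmap 192.168.1.220" run (no VERSION column).
SAMPLE_BASIC = """\
Starting Nmap 6.40 ( http://nmap.org ) at 2020-03-21 13:08 CST
Nmap scan report for 192.168.1.220
Host is up (0.00012s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
MAC Address: 00:0C:29:C5:19:99 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 0.10 seconds
"""


@dataclass
class Port:
    number: int
    proto: str
    state: str          # one of Nmap's six states, e.g. "open" or "open|filtered"
    service: str
    version: str = ""   # empty when the scan was run without -sV


@dataclass
class HostReport:
    target: str                       # name or address as given on the command line
    address: Optional[str] = None     # resolved address when Nmap prints one
    up: bool = False
    latency_s: Optional[float] = None
    mac: Optional[str] = None
    not_shown: Dict[str, int] = field(default_factory=dict)  # state -> count
    ports: List[Port] = field(default_factory=list)


HEADER_RE = re.compile(r"^Nmap scan report for (\S+)(?: \((\S+)\))?$")
UP_RE = re.compile(r"^Host is up \(([\d.]+)s latency\)\.$")
NOT_SHOWN_RE = re.compile(r"(\d+) (\S+) ports?")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp|sctp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")
MAC_RE = re.compile(r"^MAC Address: ([0-9A-Fa-f:]{17})")


def parse_nmap_output(text: str) -> HostReport:
    """Parse one host's section of Nmap normal output (single-host scans)."""
    report: Optional[HostReport] = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if (m := HEADER_RE.match(line)):
            report = HostReport(target=m.group(1), address=m.group(2) or m.group(1))
        elif report is None:
            continue  # ignore the banner lines before the per-host report
        elif (m := UP_RE.match(line)):
            report.up, report.latency_s = True, float(m.group(1))
        elif line.startswith("Not shown:"):
            report.not_shown = {state: int(n) for n, state in NOT_SHOWN_RE.findall(line)}
        elif (m := MAC_RE.match(line)):
            report.mac = m.group(1)
        elif (m := PORT_RE.match(line)):
            report.ports.append(Port(int(m.group(1)), m.group(2), m.group(3),
                                     m.group(4), (m.group(5) or "").strip()))
    if report is None:
        raise ValueError("no 'Nmap scan report for' line found")
    return report


def unexpected_open_ports(report: HostReport, expected_open: Set[Tuple[int, str]]) -> List[Port]:
    """Ports that answered as open or open|filtered but are not on the baseline.
    open|filtered is included because a UDP/NULL/FIN probe cannot tell the two
    apart, so such a port must be investigated rather than assumed closed."""
    return [p for p in report.ports
            if p.state in ("open", "open|filtered") and (p.number, p.proto) not in expected_open]


# Constructed baseline: only 443/tcp is approved on the web host in this demo.
EXPECTED_OPEN: Set[Tuple[int, str]] = {(443, "tcp")}

if __name__ == "__main__":
    rep = parse_nmap_output(SAMPLE_SV)
    print(f"{rep.target} ({rep.address}) up={rep.up} latency={rep.latency_s}s not_shown={rep.not_shown}")
    for p in unexpected_open_ports(rep, EXPECTED_OPEN):
        print(f"unexpected {p.state} port {p.number}/{p.proto}: {p.service} {p.version}".rstrip())
```

Run against the -sV sample it reports 80/tcp as unexpected, since the constructed baseline only approves 443/tcp. For production use, Nmap's XML output (-oX) is the stable interface and should be preferred over parsing the human-readable format, which can change between versions; the text parser above is only meant to show the structure of the listings discussed in this article.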

OS Detection

Using aggressive OS guessing:

root@node01~# nmap -O --osscan-guess 192.168.1.220
Starting Nmap 6.40 ( http://nmap.org ) at 2020-03-21 14:18 CST
Nmap scan report for 192.168.1.220
Host is up (0.00078s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
MAC Address: 00:0C:29:C5:19:99 (VMware)
Aggressive OS guesses: Linux 2.6.32-3.9 (96%), Netgear DG834G WAP or Western Digital WD TV media player (96%), ...
No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=6.40%E=4%...)
Network Distance: 1 hop
OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.21 seconds

These examples cover the most frequently used Nmap features for network reconnaissance and vulnerability assessment.

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.

Tags: Security, port scanning, Network Scanning, nmap, host discovery, OS detection