Nmap Security Scanner Tutorial

Nmap is a great security scanner. Many systems and network administrators use it for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. In this article, I’ll guide you through how to use Nmap commands.

Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics.

How to Install Nmap

Nmap should be installed by default on your system, but if it isn’t, you can install it with the package manager of your distro. Also, you can install the GUI for nmap: Zenmap.

sudo apt-get install zenmap

Basic Nmap Scan

Scanning a single IP address:

1. Scan an IP address: # nmap

Nmap 1

2. Scan a hostname: # nmap www.google.com

Nmap 2

3. Scan an IP and get more information:

# nmap -v

Nmap 3

Nmap Commands to Discover Your LAN

If you want to make a simple scan you can try scanning your LAN.

1. Type ifconfig as root to know the broadcast IP address.

2. Search the Bcast IP in the active interface, wlan0 for example.

Nmap 4

3. In my LAN the Bcast IP is

4. Make a nmap scan to the LAN.

nmap -sP

Nmap 5

5. With this scan, you can discover the hosts presents in your LAN.

Scanning Multiple IP Addresses With Nmap

1. # nmap ip1 ip2 ip3


# nmap

Nmap 6

2. Working with the same subnet:

# nmap,2,3

Nmap 7

3. Scanning an IP range:

# nmap

Nmap 8

4. Scanning an entire subnet:

# nmap

Nmap 9

5. Excluding hosts:

# nmap --exclude

Nmap 10

Working With Functional Options

1. Detecting the OS

You must use the “A” option to detect the target’s operating system:

# nmap -A

Also, you can use the “O” option.

Nmap 11

2. Checking if the target is protected by a firewall.

You must use the “sA” option to detect the target’s firewall:

# nmap -sA

Nmap 12

3. Discovering which devices are up.

You must make a ping scan with the “sP” option:

# nmap -sP

Nmap 13

4. Performing a fast scan.

If you want a fast scan you can use the “F” option:

# nmap -F

Nmap 14

5. Showing host interfaces and routers.

Use the “iflist” option:

# nmap --iflist

Nmap 15

Nmap Commands to Scan Ports

Nmap is able to recognize six port states.

1. open
An application is actively accepting TCP connections, UDP datagrams or SCTP associations on this port.

2. closed
A closed port is accessible (it receives and responds to Nmap probe packets), but there is no application listening on it.

3. filtered
Nmap cannot determine whether the port is open because packet filtering prevents its probes from reaching the port.

4. unfiltered
The unfiltered state means that a port is accessible, but Nmap is unable to determine whether it is open or closed.

5. open | filtered
Nmap places ports in this state when it is unable to determine whether a port is open or filtered.

6. closed | filtered
This state is used when Nmap is unable to determine whether a port is closed or filtered. It is only used for the IP ID idle scan.

Port Scanning Techniques

-sS (TCP SYN scan)
It can be performed quickly, scanning thousands of ports per second on a fast network not hampered by restrictive firewalls. It is also relatively unobtrusive and stealthy since it never completes TCP connections.
-sT (TCP connect scan)
TCP connect scan is the default TCP scan type when SYN scan is not an option. This is the case when a user does not have raw packet privileges.
-sU (UDP scans)
While most popular services on the Internet run over the TCP protocol, UDP services are widely deployed. Because UDP scanning is generally slower and more difficult than TCP, some security auditors ignore these ports.
-sY (SCTP INIT scan)
SCTP is a relatively new alternative to the TCP and UDP protocols, combining most characteristics of TCP and UDP, and also adding new features like multi-homing and multi-streaming. It is mostly being used for SS7/SIGTRAN related services but has the potential to be used for other applications as well.
-sN, -sF, -sX (TCP NULL, FIN, and Xmas scans)
These three scan types exploit a subtle loophole in the TCP RFC to differentiate between open and closed ports.
-sA (TCP ACK scan)
It is used to map out firewall rulesets, determining whether they are stateful or not and which ports are filtered.
-sW (TCP Window scan)
Window scan is exactly the same as ACK scan except that it exploits an implementation detail of certain systems to differentiate open ports from closed ones, rather than always printing unfiltered when a RST is returned.
-sM (TCP Maimon scan)
This technique is exactly the same as NULL, FIN, and Xmas scans, except that the probe is FIN/ACK.
–scanflags (Custom TCP scan)
The –scanflags option allows you to design your own scan by specifying arbitrary TCP flags.
-sI <zombie host>[:<probeport>] (idle scan)
This advanced scan method allows for a truly blind TCP port scan of the target (meaning no packets are sent to the target from your real IP address).
-sO (IP protocol scan)
IP protocol scan allows you to determine which IP protocols (TCP, ICMP, IGMP, etc.) are supported by target machines.

Using Zenmap

  1. Open Zenmap as root
  2. Enter the target
  3. Choose a profile, also you can type the scan in the command field or create a new profile
  4. Click “Scan”
  5. With Zenmap you can see the ports, host details and topology of the scan
  6. Also, you can save your scan as XML

Using Zenmap

This is a basic tutorial about Nmap, but this tool is very powerful, the number of things that you can do with Nmap is incredible. Also, you can find other powerful tools at Nmap’s website, and you can see the reference guide.


This tutorial is originally found on linuxandubuntu.com, a great site to learn about various hacking tools.