Nmap: Learning the Art of Network Scanning with Cool Flags!
In the world of pen testing, Nmap stands out as a popular scanning tool. Nmap stands for Network Mapper; it’s an open-source Linux command-line tool. Basically, it scans IP addresses and ports in a network and identifies the applications installed on the hosts. Nmap helps network admins pinpoint devices on their network, uncover open ports and services, and spot vulnerabilities. The credit for creating Nmap goes to Gordon Lyon, also known as Fyodor, who developed it to easily map networks, revealing open ports and services.
Well, to check whether a device is up, what do we use? Ping, right?
But what if we have to check which devices in the whole network are up?
Nmap syntax is simple and looks like this:
To know all the options which nmap provides us, type:
This is a bunch of commands for you, but don’t worry, I’ve narrowed it down to the coolest and most essential ones in each category.
A) Target Specification:
1. Scanning a hostname/IP address/network:
2. Getting the target list from a file (-iL):
B) Host discovery:
Disabling the port scan (-sn), Ping Scan: This checks which hosts are up in the given network.
C) Scan Techniques:
1. TCP-SYN Scan (-sS): The default scan. It only sends a SYN flag and thus doesn’t complete the 3-way handshake, so a full TCP connection is never made. If Nmap receives a SYN-ACK after it sends the SYN, the port is marked open; otherwise it is marked closed.
2. TCP Connect Scan (-sT): This completes the 3-way handshake. The port is considered open if the target responds with a SYN-ACK packet and closed if it responds with an RST (reset) packet. It is slower than the TCP-SYN scan but also stealthier.
3. UDP Scan (-sU): UDP has no 3-way handshake, so none is required. Less commonly used.
D) Port Specification:
1. Specifying a port:
2. Giving a range of ports:
3. Scanning all ports:
4. Fast port scan (top 100 ports):
E) Service/ Version Detection:
1. Getting the version of services (-sV):
2. Detailed version scan activity (--version-trace):
F) Script Scan:
1. Running the default scripts (-sC):
G) OS Detection:
1. Detecting the OS of a host (-O):
H) Output:
1. Saving output in a file (-oN):
2. Getting output in the 3 major formats at once (-oA):
3. Increasing Verbosity (-v): Provides more detailed information about the scanning process. To increase the verbosity level, increase the number of v’s (-vvv). It’s helpful for understanding what Nmap is doing and identifying any issues during the scan.
4. Increasing Debugging (-d): Used for troubleshooting, when trying to diagnose problems or understand the inner workings of Nmap. To increase the debugging level, increase the number of d’s (-ddd).
5. Showing only open (or possibly open) ports (--open):
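Once a scan has been saved with -oA (or -oG), the .gnmap grepable file is the easiest one to turn into an inventory of what is exposed. The parser below is an added example, not code from the original post or from the Nmap project; the scan results it reads are a constructed sample, and the hosts, ports and versions in it are made up.

```python
# Constructed sample of Nmap's grepable output (the .gnmap file written by -oA/-oG).
# Hosts, ports and version strings are invented for this example.
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated Mon Jan  1 12:00:00 2024 as: nmap -sS -sV -oA lab 192.0.2.0/28
Host: 192.0.2.1 ()\tStatus: Up
Host: 192.0.2.1 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/open/tcp//http//nginx 1.18.0/, 443/closed/tcp//https///\tIgnored State: filtered (997)
Host: 192.0.2.7 ()\tStatus: Up
Host: 192.0.2.7 ()\tPorts: 445/open/tcp//microsoft-ds//Samba smbd 4/, 3389/filtered/tcp//ms-wbt-server///\tIgnored State: closed (998)
# Nmap done at Mon Jan  1 12:03:00 2024 -- 16 IP addresses (2 hosts up) scanned in 180.00 seconds
"""


def parse_gnmap(text):
    """Return {host: [(port, state, proto, service, version), ...]}.

    Grepable output has one 'Host:' line per host and result type, with
    tab-separated 'Key: value' fields. Each entry in the 'Ports:' field is
    port/state/protocol/owner/service/rpc-info/version/ (slash separated).
    Comment lines starting with '#' are skipped.
    """
    results = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        host = fields["Host"].split()[0]          # drop the "(hostname)" part
        results.setdefault(host, [])              # keep hosts that only report Status
        if "Ports" not in fields:
            continue
        for entry in fields["Ports"].split(", "):
            parts = entry.split("/")
            if len(parts) < 7:                    # malformed entry, ignore it
                continue
            port, state, proto, _owner, service, _rpc, version = parts[:7]
            results[host].append((int(port), state, proto, service, version))
    return results


def open_ports(text):
    """Per-host list of open ports, the same view that --open gives on screen."""
    return {host: [port for port, state, *_ in entries if state == "open"]
            for host, entries in parse_gnmap(text).items()}


if __name__ == "__main__":
    for host, ports in sorted(open_ports(SAMPLE_GNMAP).items()):
        print(host, ports)
```

Run it against a real .gnmap file by replacing SAMPLE_GNMAP with the file's contents; closed and filtered ports stay in parse_gnmap() so a diff between two scans also shows ports that changed state.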
I) MISC:
1. Aggressive Scan (-A): It’s a step up from the basics. You can trigger it using the -A flag. Essentially, it bundles together several scans we discussed earlier: service detection (-sV), OS detection (-O), traceroute (--traceroute), and the default scripts (-sC).
Well, these are fundamental yet crucial CLI flags that one should familiarize themselves with before getting into hacking or pen-testing.
This blog may receive updates with new flags later on. In the meantime, grasp these concepts, and don’t forget to engage in hands-on practical exercises. Feel free to share additional flags in the comments to enhance everyone’s knowledge! Also, I would recommend you solve the TryHackMe | Nmap room, it’s fun, trust me.
Thanks for taking the time to check out this blog, you’re Awesome!