Check Out My Youtube Channel!

Monday, 10 May 2021

Getting Started with nmap

I have referenced nmap before a few time.  As a reference check out these links.

CTF:Critical CTF Tools

Testing Firewalls with Hping3 

Python - Super Quick Port Scan

Fingerprinting with Port Scans (Minecraft Addition) 

nmap buddy script

Ethics of Port Scanning

Finally I have a growing database of NSE script examples.

If you were to ask a security person, hey even your average IT person, what their top 5 network tools of choice were I would be surprised if #nmap was not on the list.

#nmap and portscanning is such a huge topic and such an incredibly powerful tool when it is wielded correctly.

This post is designed to wet your whistle and get you started with the tool.

Basic Usage:


the above command is bare bones usage of nmap.  It will do the job, it's "noisy" but will conduct a portscan.  Essentially what is happening here is hat you are conducting a scan on a single target.  If I wanted to do a scan on the entire class C network I would change the string to be something like this.


This command will provide me data on all machines on my network.

Now I say this next part with a bit of "tongue in cheek" but if you are ever running a command like this you probably don't want your more experienced colleague to see you doing this.  They may look at you funny.


Well, the reason is that you are missing out on SO MUCH that nmap can do!

Let's take the basic nmap command above(#nmap and change it up.

#nmap -sS -T3 -p 1-1024

This command is a stealth scan with a time interval of 3 and we are scanning ports 1-1024 of our target.  

I got news for you, the two lines are exactly the same.  It will return the same results.

I will break down why #2 is better.  It's like driving a manual car over an automatic, one option provides you more control.  The more you use nmap the more you realize that the only way you should be using it is if you are in complete control.

-sS is typically your go-to switch when using nmap.  It is not the only one, far from it!  It is a normal one to start with though.  

So what makes it stealthy?

Well think back to what a port is and how TCP utlizes ports.  A port is a logical entrance to an asset.  In the three-way-handshake relationship a SYN packet is sent to target to establish connection.  If the SYN packet reaches it's destination the target asset will send a SYN-ACK back to the sender.  The sender then responds with a final ACK, completing the three-way-handshake.

the -sS (stealth) scan does not complete the third step.  

SYN is sent out, SYN-ACK comes back.....and the sender says "Cool, thanks we're good here"

The handshake never completes which means there are significant less packets going transporting effectively making the stealth scan fairly fast.

What about -p 1-1024

ports 1-1024 are reserved ports, everything above this top range are open for applications (all the way to 65,000) and different TCP connections.

a basic nmap scan scans this high probability port range.  There is a high chance that a port within this is being utilized *cough cough 80.

and -T3?

A time interval says in a nutshell the intervals in which the packets will be leaving the sender and going to the target.  -T5 "insane" and -T0 "paranoid" are accurate descriptions for the their corresponding intervals.  T3 would be the default interval.  Why choose T0 or T1? Well if you are trying to avaid detection this is one method.  On a network there are so many packets coming and going, who is going to spot the single packet relating to a port scan? 

So there you go, I have only just begun talking about nmap.  There is SO much that nmap can do it's insane.

Keep coming back there will be more #nmap coming (I love #nmap)