Nmap reconnaissance tutorial: Episode 1.

10 Min Read

In security land, we decided to offer readers a comprehensive guide to the most used Network Mapper.

The importance of such tool is reflected in the fact that no pentest can be done without proper collection of data of potentially vulnerable entities. Active services, service versions, open ports and closed ports are a very small part of what this opensource utility offers.

Nmap, abbreviated for (“Network Mapper”), is a free utility for mapping networks and security tests. It is used by administrators and pentesters for different purposes, starting from checking the uptime of the service to the full functioning of one network to finding the vulnerability of the system and the possibility of exploiting those vulnerabilities.
Nmap uses raw IP packets for the purpose of detecting live hosts on the network, what services (applications) those hosts carry, which OSs are present, firewalls, filters, and many other details.
Nmap is present on all popular operating systems, with an addition called ZenMap, which is an advanced GUI utility based on Nmap.

Nmap is…
flexible, portable, direct and simple, free, extensively documented, massively applicable and popular.

You need a desktop computer or laptop and the latest version of Nmap (https://nmap.org/download.html) for your operating system.
If you are using a security-oriented distribution such as KALI, Nmap is installed by default.


Finding live hosts online:
Finding live hosts on the network is the everyday activity of every pentester and administrator, with the aim of displaying the exact number of active devices on the network or part of the network. Nmap is very effective within this scenario because, in addition to the basic ping, which is used for standard sending of ICMP echo requests, it sends additional probes that increase the accuracy of the detection of live hosts and their specifications. To start Nmap ping scan, we use the following command:

(listed examples of IP addresses in the command line are probably not the same on your network)

nmap -sP

The results will include all hosts that responded to any packet sent by Nmap during the ping scan; more precisely we get enumeration of active machines or devices on the network.

As we can see, Nmap identifies MAC addresses and manufacturers if it is executed through administrator or root privileges.

The potential problem:

If ping fails in sending SYN packet to port 80, this is because modern firewalls block ping and port 80 (windows firewall blocks ping by default). Hosts that are on the network block port 80 and do not accept connections, and there Nmap will not dump the correct results.

How to solve the problem:

One of the options I personally apply is to use the -P0 flag that skips the host discovery process and does port scan on all addresses, which will probably require more time if this applies to a larger network.

Even better option would be to specify the input ports for scanning, which Nmap allows with its SYN/UDP packets, so it is wise to do this scan through the most represented ports 22 (SSH), 3389 (windows remote desktop), or 161 (SNMP).

Practically, that would look like this:

nmap -sP -PS22,3389
nmap -sP -PU161

Annotation: -sP and -P0 are now -sn and -Pn within the command line of nmap, but these older flags now work in newer versions too.



Ping scans enable traceroute information related to target hosts, specifically: tracing routes from the scanning machine to terminal location (target host):

-v indicates verbosity, which is an option that executes a live dump of what nmap does.

nmap -sn -v --traceroute google.com microsoft.com

Nmap scripting engine:

Nmap scripting engine can be useful for getting additional information through NSE scripts (more about them in the next episodes). To execute NSE scripts, we use a simple option in the following way:

nmap -sn --script dns-brute website.com


Another usable and interesting NSE script can be used for finding live hosts on the network and is called broadcast-ping (the easiest way to find live hosts online).

nmap -sn --script broadcast-ping

Results on the dns-brute NSE script should look like this:
(in this example we use plaintext dump for  websec.mx)

Host script results:
| dns-brute:
| DNS Brute-force hostnames:
| ipv6.websec.mx -
| web.websec.mx -
| www.websec.mx -
|_ beta.websec.mx -

Detecting open ports on a Target Host:

Essentially, detecting open ports through Nmap is the most basic default scan where the only thing you need is a hostname or target address.

nmap scanme.nmap.org

The default scan results show a number of different information including IPv4 and IPv6 addresses, reverse DNS names, and ports with active services.

All listed ports have their “status”:

Open: specific service is active and is listening for connection on this port
Closed: no service on this port is active
Filtered: the existence of filtering that blocks the probes
Unfiltered: there is no filtering
Opened/Filtered: filtering is active on the port but the connection is not made
Closed/Filtered: filtering is active, the services are not connected to this port so the connection could not be realized

Scanning of port ranges:

Manual scanning of ports is very useful and effective especially for pentesters, as they often require infected machines using a specific communication port. Narrowing the amount of ports in scans speeds up the Nmap scan process.

In Nmap we use –p for scanning ports, in the following way:

List of ports:
nmap -p80,443 localhost
Range of ports:
nmap -p1-100 localhost
All ports:
nmap -p- localhost
Specific ports:
nmap -pT:25,U:53 <target>
Scanning ports by name of the service/application:
nmap -p smtp <target>
Scanning ports with wildcard (*) for services/applications:
nmap -p smtp* <target>


Selecting the network interface:

Nmap automatically uses the default network interface that is currently in use, though if there are situations where we are forced to use another interface we can “make” nmap do it and work for us.

The procedure is very simple:

nmap -e <interface> <target>
nmap -e eth2 <target


OS fingerprinting (determining the OS running on the target host):

Version Detection and OS detection are one of the most important features of Nmap. It has the most comprehensive database for OS fingerprinting.
Knowing the target host itself in pentesting and everyday hacking activities are the essential parts of the entire security auditing process.

Knowing the OS and its exact version is crucial for finding vulnerabilities on networks and systems:

nmap -sV <target>

-sV option adds additional set of information which we can see by the VERSION, where we can see the version of specific service or OS:

To enable the detection of OS we use –O prefix in nmap:

nmap -O <target>

The Nmap option -sV provides service detection, using the various probes located within the nmap-service-probes file. The probes are selected by nmap at the current frequency of service detection through the usage of a specific probe.

If you are interested in more detailed questions about the functioning of service and OS detection, please visit the following link:

Using TCP, UDP, and ICMP protocols on open and closed ports, OS detection is very effective because of OS fingerprints submission by the Nmap community.

Nmap uses CPE or Common Platform Enumeration to detect operating systems, which is an industry standard for identification of platforms, systems and operating systems.


In the next episode we will deal with NSE scripts, aggressive scans, and scan ranges of IP addresses.





Share This Article
Leave a comment