Using Nmap: Pro Tips and Tricks


Introduction


In this article, we will review the Nmap program and a number of its commands. Nmap is a mainstream open-source tool used by network administrators to scan ports and map networks. Its commands are primarily used to identify which ports are open on a system and which software is listening on them. It is also used to discover available hosts, the services they offer, and potential security risks. Using Nmap, you can check a single host or a complete network. In this tutorial, we will cover several basic as well as advanced Nmap commands, ending with a “Pro Tips and Tricks” section.

Category, Requirements, and Software Version Used

OS Used: CentOS 7
User Type: Root
Software: Nmap
Task Difficulty: Medium
Other: The server we will use in this tutorial is an unmanaged CentOS 7 server without a control panel.

Nmap Installation


New servers usually do not have the nmap tool installed. To install nmap, we use a simple yum command.

[root@host ~]# yum install nmap

The output of that command will look similar to this.

Loaded plugins: fastestmirror, priorities
Loading mirror speeds from cached hostfile
 * base: mirror.umd.edu
 * extras: mirror.wdc1.us.leaseweb.net
 * updates: mirrors.usinternet.com
Resolving Dependencies
--> Running transaction check
---> Package nmap.x86_64 2:6.40-19.el7 will be installed
--> Processing Dependency: nmap-ncat = 2:6.40-19.el7 for package: 2:nmap-6.40-19.el7.x86_64
--> Processing Dependency: libpcap.so.1()(64bit) for package: 2:nmap-6.40-19.el7.x86_64
--> Running transaction check
---> Package libpcap.x86_64 14:1.5.3-11.el7 will be installed
---> Package nmap-ncat.x86_64 2:6.40-19.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

===================================================
 Package      Arch     Version            Repository  Size
===================================================
Installing:
 nmap         x86_64   2:6.40-19.el7      base        3.9 M
Installing for dependencies:
 libpcap      x86_64   14:1.5.3-11.el7    base        138 k
 nmap-ncat    x86_64   2:6.40-19.el7      base        206 k

Transaction Summary
===================================================
Install  1 Package (+2 Dependent packages)

Total download size: 4.3 M
Installed size: 17 M
Is this ok [y/d/N]: y
Downloading packages:
(1/3): libpcap-1.5.3-11.el7.x86_64.rpm    | 138 kB  00:00:00
(2/3): nmap-ncat-6.40-19.el7.x86_64.rpm   | 206 kB  00:00:00
(3/3): nmap-6.40-19.el7.x86_64.rpm        | 3.9 MB  00:00:00
--------------------------------------------------------------------------
Total                            6.9 MB/s | 4.3 MB  00:00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : 14:libpcap-1.5.3-11.el7.x86_64      1/3
  Installing : 2:nmap-ncat-6.40-19.el7.x86_64      2/3
  Installing : 2:nmap-6.40-19.el7.x86_64           3/3
  Verifying  : 2:nmap-ncat-6.40-19.el7.x86_64      1/3
  Verifying  : 14:libpcap-1.5.3-11.el7.x86_64      2/3
  Verifying  : 2:nmap-6.40-19.el7.x86_64           3/3

Installed:
  nmap.x86_64 2:6.40-19.el7

Dependency Installed:
  libpcap.x86_64 14:1.5.3-11.el7
  nmap-ncat.x86_64 2:6.40-19.el7

Nmap is now installed and ready for use, so let’s begin with some basics.

Basic Nmap Commands

The most basic nmap command is with an IP address. For example:

[root@host ~]# nmap 8.8.8.8

And you will get output similar to this:

Starting Nmap 6.40 ( http://nmap.org ) at 2020-04-06 14:21 EDT
Nmap scan report for dns.google (8.8.8.8)
Host is up (0.023s latency).
Not shown: 998 filtered ports
PORT    STATE SERVICE
53/tcp  open  domain
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 5.03 seconds

Using this command, we scanned Google’s DNS resolvers. As you can see, the output tells us what was actually scanned, which ports are open, what services are listening on them, and how long the scan took. The same command can be used for our own server.

[root@host ~]# nmap localhost

This output provides the same information, but only for our own server. It is one of the quickest ways to find out which ports are open on your server and which services are using those ports.
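A scan of your own server is only useful if you compare it with what should be listening. The following shell check is an added example, not code from the original article: it reads nmap output of the kind shown above and flags every open port that is not on an allowlist. The scan output embedded in it is constructed sample data, and the allowlist of 22/tcp and 80/tcp is an assumption for the demo.

```shell
#!/bin/sh
# Added example (not from the original article): flag open ports that are
# not on an allowlist, using nmap "normal" output read from stdin.

# Constructed sample of "nmap localhost" output, used as the demo input.
SAMPLE_SCAN=$(cat <<'EOF'
Starting Nmap 6.40 ( http://nmap.org ) at 2020-04-06 14:25 EDT
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000010s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
25/tcp   open  smtp
80/tcp   open  http
3306/tcp open  mysql
Nmap done: 1 IP address (1 host up) scanned in 0.05 seconds
EOF
)

# open_ports: read nmap normal output on stdin and print "port/proto" for
# every line whose state column is "open", sorted by port number.
open_ports() {
    awk '$2 == "open" && $1 ~ /^[0-9]+\/(tcp|udp)$/ { print $1 }' | sort -t/ -k1,1n
}

# unexpected_ports: $1 is a space-separated allowlist such as "22/tcp 80/tcp";
# nmap output is read on stdin. Prints every open port not on the allowlist.
unexpected_ports() {
    allow="$1"
    open_ports | while read -r p; do
        case " $allow " in
            *" $p "*) ;;          # expected, say nothing
            *) echo "$p" ;;       # listening but not on the allowlist
        esac
    done
}

# Demo run: only ssh and http are supposed to be exposed on this host
# (assumed allowlist), so smtp and mysql are reported.
ALLOWLIST="22/tcp 80/tcp"
printf '%s\n' "$SAMPLE_SCAN" | unexpected_ports "$ALLOWLIST"
```

In practice you would pipe a live scan into it (nmap localhost | unexpected_ports "$ALLOWLIST") from a cron job and alert on any non-empty output, which turns the one-off check in the article into a standing control against services that get enabled by accident.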

Scan a Single Port

If you want to scan a specific port on the server, you can use this command.

[root@host ~]# nmap -p 25 67.43.11.187

The output will look similar to this.

Starting Nmap 6.40 ( http://nmap.org ) at 2020-04-06 14:29 EDT
Nmap scan report for host2.amarbot.tk (67.43.11.187)
Host is up (0.00035s latency).
PORT   STATE SERVICE
25/tcp open  smtp

Nmap done: 1 IP address (1 host up) scanned in 0.07 seconds

Above, we used the -p flag, which selects the specific port. We passed port 25, which is the SMTP port, followed by the IP address of the remote server we scanned. The output gave us the hostname that we examined, whether the port is open or not, and the service that is running on the port. The same command can be used on our own server as well; we simply put our server’s IP address at the end of the command.

Scan Multiple Ports

If you want to scan multiple ports, you can use a command like this.

[root@host ~]# nmap -p 80,25,443,110 67.43.11.187

We can see the additional info that is provided for each of the listed ports.
We can add as many ports as we want to scan, separated by commas.

Scan an IP Range

Nmap can scan a range of IP addresses as well. This is the command we would use.

[root@host ~]# nmap 192.168.1.1-50

This would be similar to the output it will provide.

Starting Nmap 6.40 ( http://nmap.org ) at 2020-04-06 14:36 EDT
Nmap done: 50 IP addresses (0 hosts up) scanned in 41.08 seconds

As you can see, we removed the -p flag in this command and added -50 at the end. This number is the end of the range for the last octet, so 192.168.1.1-50 covers 50 addresses, 192.168.1.1 through 192.168.1.50. If we wanted to scan 65 IP addresses, we would add -65 at the end. This is an extremely useful option when we have an internal network and want to see which IPs are not in use.

If we add the -v flag to our command, we will get more detailed output about the host that we requested info on. For example:

[root@host ~]# nmap -v 72.52.176.198

Our output will be longer and will look something like this.

Starting Nmap 6.40 ( http://nmap.org ) at 2020-04-06 14:49 EDT
Initiating Ping Scan at 14:49
Scanning 72.52.176.198 [4 ports]
Completed Ping Scan at 14:49, 0.01s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 14:49
Completed Parallel DNS resolution of 1 host. at 14:49, 0.00s elapsed
Initiating SYN Stealth Scan at 14:49
Scanning swan26.denizkiziyuzme.net (72.52.176.198) [1000 ports]
Discovered open port 25/tcp on 72.52.176.198
Discovered open port 22/tcp on 72.52.176.198
Discovered open port 993/tcp on 72.52.176.198
Discovered open port 3306/tcp on 72.52.176.198
Discovered open port 80/tcp on 72.52.176.198
Discovered open port 53/tcp on 72.52.176.198
Discovered open port 587/tcp on 72.52.176.198
Discovered open port 21/tcp on 72.52.176.198
Discovered open port 443/tcp on 72.52.176.198
Discovered open port 110/tcp on 72.52.176.198
Discovered open port 995/tcp on 72.52.176.198
Discovered open port 143/tcp on 72.52.176.198
Discovered open port 465/tcp on 72.52.176.198
Increasing send delay for 72.52.176.198 from 0 to 5 due to 11 out of 36 dropped probes since last increase.
Increasing send delay for 72.52.176.198 from 5 to 10 due to max_successful_tryno increase to 4
Completed SYN Stealth Scan at 14:50, 64.12s elapsed (1000 total ports)
Nmap scan report for swan26.denizkiziyuzme.net (72.52.176.198)
Host is up (0.00044s latency).
Not shown: 931 filtered ports, 56 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
53/tcp open domain
80/tcp open http
110/tcp open pop3
143/tcp open imap
443/tcp open https
465/tcp open smtps
587/tcp open submission
993/tcp open imaps
995/tcp open pop3s
3306/tcp open mysql

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 64.18 seconds
           Raw packets sent: 5727 (251.964KB) | Rcvd: 104 (4.264KB)

As we can see, it provides an output for all the open ports, information about DNS resolvers, how many packets were sent, and so on. We can also use this command when we need more details about a host that we are scanning.

This concludes the basics of the nmap command. We learned what the -p and -v flags do and what they can be used for. We also learned how to scan an IP range as well as multiple ports. Next, we will review some of the more advanced nmap commands.

Advanced Nmap Commands

In the advanced commands section, we will review how to perform TCP and UDP scans and how to send SYN or ACK packets to specific ports. Let’s begin. The first command that we are going to use is this one.

[root@host ~]# nmap -sS 67.43.11.187

Our output will be similar to the following.

Starting Nmap 6.40 ( http://nmap.org ) at 2020-04-08 13:09 EDT
Nmap scan report for host2.amarbot.tk (67.43.11.187)
Host is up (0.00023s latency).
Not shown: 932 filtered ports, 56 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
53/tcp open domain
80/tcp open http
110/tcp open pop3
143/tcp open imap
443/tcp open https
465/tcp open smtps
587/tcp open submission
993/tcp open imaps
995/tcp open pop3s

Nmap done: 1 IP address (1 host up) scanned in 3.90 seconds

Let’s explain what the -sS flag does. It stands for SYN scan, which is the default and primary scan option. This scan is fast and can scan thousands of ports per second on a fast network that is not hampered by restrictive firewalls.

The SYN scan is relatively inconspicuous and somewhat stealthy since it never completes a TCP connection. This command scans the one thousand most used TCP ports by sending SYN packets to the target server and waiting for a response. It is on the clandestine side because it never tries to complete a connection to the target server. If you are running a pen test, you should be able to avoid detection when using this command in this manner.

There is a variation of the -sS scan which can be run without root access: the TCP connect scan, selected with the -sT flag. If you use this flag, you will be detected 99.9% of the time, so use it with caution.

If we want to run a UDP scan instead of a TCP scan, the -sU flags would be the flags to add. The command would look like this.

[root@host ~]# nmap -sU 67.43.11.187

This scan covers ports such as 53 and 67/68, which use UDP rather than TCP. Needless to say, UDP scans are a valuable asset for checking services like DNS and DHCP, which use UDP.

Our next command is useful because it tells us if the remote host is hidden behind a firewall or not. The command to check this would be as follows.

[root@host ~]# nmap -sA 67.43.11.187

This would be the output similar to what you will get.

Starting Nmap 6.40 ( http://nmap.org ) at 2020-04-14 11:17 EDT
Nmap scan report for host2.amarbot.tk (67.43.11.187)
Host is up (0.00034s latency).
All 1000 scanned ports on host2.amarbot.tk (67.43.11.187) are filtered

Nmap done: 1 IP address (1 host up) scanned in 21.20 seconds

Now, as you can see, the line “All 1000 scanned ports on host2.amarbot.tk (67.43.11.187) are filtered” means that all the ports on the remote host are protected by a firewall. Any unfiltered ports are almost always allowed through the firewall using specific rules.

The next command is an advanced SCTP (Stream Control Transmission Protocol) scan, the SCTP COOKIE ECHO scan. It is a quieter way of scanning SCTP ports: an open port silently drops a packet containing a COOKIE ECHO chunk, while a closed port replies with an ABORT. To perform this scan, we will use this command.

[root@host ~]# nmap -sZ 72.52.176.198

Our output would be similar to this.

Starting Nmap 6.40 ( http://nmap.org ) at 2020-04-27 09:20 EDT
Nmap scan report for host2.amarbot.tk (67.43.11.187)
Host is up (0.00038s latency).
All 52 scanned ports on host2.amarbot.tk (67.43.11.187) are open|filtered

Nmap done: 1 IP address (1 host up) scanned in 1.76 seconds

In this case, every port is reported as open|filtered, as we can see by the line “All 52 scanned ports on host2.amarbot.tk (67.43.11.187) are open|filtered”; with this scan type, nmap cannot tell an open port from one whose probes were silently dropped by a firewall. If we run this command against a server that does not behave this way, it will list the individual ports and the services listening on them.

The last command that we will run in the advanced section of this article is called an Xmas scan. It is named this because the scan sets the FIN, PSH, and URG flags, which lights up the packet like a Christmas tree. This command comes from Nmap’s official documentation. The command is called like this.

[root@host ~]# nmap -sX 67.43.11.187

Again, our output will be similar to the ones noted above.

Starting Nmap 6.40 ( http://nmap.org ) at 2020-04-27 09:32 EDT
Nmap scan report for host2.amarbot.tk (67.43.11.187)
Host is up (0.00032s latency).
All 1000 scanned ports on host2.amarbot.tk (67.43.11.187) are open|filtered

This type of scan will definitely get a response from a remote host, but needless to say, it is a very “loud” approach and you will most likely be detected during pen testing.

This concludes our advanced nmap command section. Next, we will show you some pro-tips and tricks on how to get the most out of our nmap command.

Pro Tips and Tricks

The first command that we would like to outline in our pro tips section is the one which conducts mass rDNS queries. This is a list scan: nmap does not send any packets to the hosts themselves. It simply lists the IP addresses within the specified range and then performs a reverse DNS query for each of them. That command would look like this.

[root@host ~]# nmap -sL 67.43.11.187-190 --dns-servers 8.8.8.8

The -sL flag selects the list scan, then the IP address is noted and then -190, which specifies the range that we want to scan. If I set this to -192, five IP addresses would be scanned. At the end we used --dns-servers 8.8.8.8, which tells nmap to send the rDNS queries to Google’s resolver. Our output looked like this.

Starting Nmap 6.40 ( http://nmap.org ) at 2020-04-27 09:43 EDT
Nmap scan report for host2.amarbot.tk (67.43.11.187)
Nmap scan report for cloudvpsserver.prasad.org (67.43.11.188)
Nmap scan report for 67.43.11.189
Nmap scan report for cloudvpsserver.alcon-nig.com (67.43.11.190)
Nmap done: 4 IP addresses (0 hosts up) scanned in 0.04 seconds
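When the list scan covers a whole range, the interesting result is usually which addresses have a reverse DNS name and which do not, since an address with no PTR record is easy to lose track of in an inventory. The shell functions below are an added example, not code from the original article: they parse the -sL output format shown above (the embedded sample reuses the article’s own output lines) and separate the named addresses from the nameless ones.

```shell
#!/bin/sh
# Added example (not from the original article): parse "nmap -sL" output
# to separate addresses that have a reverse DNS (PTR) name from those that
# do not. SAMPLE_LIST reuses the report lines shown in the article.

SAMPLE_LIST=$(cat <<'EOF'
Starting Nmap 6.40 ( http://nmap.org ) at 2020-04-27 09:43 EDT
Nmap scan report for host2.amarbot.tk (67.43.11.187)
Nmap scan report for cloudvpsserver.prasad.org (67.43.11.188)
Nmap scan report for 67.43.11.189
Nmap scan report for cloudvpsserver.alcon-nig.com (67.43.11.190)
Nmap done: 4 IP addresses (0 hosts up) scanned in 0.04 seconds
EOF
)

# ptr_map: read -sL output on stdin and print "ip name" for every address
# that resolved, i.e. report lines of the form "name (ip)".
ptr_map() {
    awk '/^Nmap scan report for / && /\(/ {
        ip = $6; gsub(/[()]/, "", ip)   # strip the parentheses around the IP
        print ip " " $5
    }'
}

# hosts_without_ptr: print the bare addresses whose report line carries
# no name at all (no parenthesised IP, so field 5 is the address itself).
hosts_without_ptr() {
    awk '/^Nmap scan report for / && !/\(/ { print $5 }'
}

# Demo run over the sample list.
echo "Resolved:"
printf '%s\n' "$SAMPLE_LIST" | ptr_map
echo "No PTR record:"
printf '%s\n' "$SAMPLE_LIST" | hosts_without_ptr
```

Feeding a live scan through it (nmap -sL 67.43.11.187-190 --dns-servers 8.8.8.8 | hosts_without_ptr) gives a quick list of addresses to reconcile against your IPAM or DNS zone.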

Stealthy Scans

Now, let’s say we want to perform a stealthy scan that will show us the percentage of scan completion, and we want to find out which OS is running on a remote host. That command would look like this.

[root@host ~]# nmap -v -Pn -O 67.43.11.187

The usual output will be quite long (it depends on the server, of course).
The output will give us the open ports, the percentage of the scan completed, and the time remaining until it is done. Additionally, it will provide us with the OS version at the end. The OS version is determined by matching the host’s responses against the nmap-os-db fingerprint file located in nmap’s data directory.

In the example below, you will see percentages next to each OS guess. That is because nmap compares the host’s responses with the fingerprints in its database and reports the closest matches it can find, with a confidence for each. The most common location of the database is the /usr/share/nmap/ directory. Here is the command output.

Starting Nmap 6.40 ( http://nmap.org ) at 2020-04-27 11:03 EDT
Initiating Parallel DNS resolution of 1 host. at 11:03
Completed Parallel DNS resolution of 1 host. at 11:03, 0.12s elapsed
Initiating SYN Stealth Scan at 11:03
Scanning host2.amarbot.tk (67.43.11.187) [1000 ports]
SYN Stealth Scan Timing: About 15.50% done; ETC: 11:11 (0:02:49 remaining)
SYN Stealth Scan Timing: About 30.50% done; ETC: 11:11 (0:02:19 remaining)
SYN Stealth Scan Timing: About 45.50% done; ETC: 11:11 (0:01:49 remaining)
SYN Stealth Scan Timing: About 60.50% done; ETC: 11:11 (0:01:19 remaining)
SYN Stealth Scan Timing: About 75.50% done; ETC: 11:11 (0:00:49 remaining)
Completed SYN Stealth Scan at 11:11, 201.22s elapsed (1000 total ports)
Discovered open port 443/tcp on 67.43.11.187
Discovered open port 995/tcp on 67.43.11.187
Discovered open port 587/tcp on 67.43.11.187
Discovered open port 53/tcp on 67.43.11.187
Discovered open port 993/tcp on 67.43.11.187
Discovered open port 21/tcp on 67.43.11.187
Discovered open port 22/tcp on 67.43.11.187
Discovered open port 110/tcp on 67.43.11.187
Discovered open port 80/tcp on 67.43.11.187
Discovered open port 143/tcp on 67.43.11.187
Discovered open port 25/tcp on 67.43.11.187
Discovered open port 465/tcp on 67.43.11.187
Completed SYN Stealth Scan at 11:03, 3.65s elapsed (1000 total ports)
Initiating OS detection (try #1) against host2.amarbot.tk (67.43.11.187)
Retrying OS detection (try #2) against host2.amarbot.tk (67.43.11.187)
Nmap scan report for host2.amarbot.tk (67.43.11.187)
Host is up (0.00030s latency).
Not shown: 932 filtered ports, 56 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
53/tcp open domain
80/tcp open http
110/tcp open pop3
143/tcp open imap
443/tcp open https
465/tcp open smtps
587/tcp open submission
993/tcp open imaps
995/tcp open pop3s
Device type: general purpose
Running (JUST GUESSING): Linux 2.6.X|3.X (90%), FreeBSD 6.X (86%)
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3 cpe:/o:freebsd:freebsd:6.2
Aggressive OS guesses: Linux 2.6.32 - 3.0 (90%), Linux 3.2 - 3.6 (89%), Linux 3.4 (87%), Linux 2.6.39 (87%), Linux 2.6.32 (87%), Linux 2.6.28 (86%), Linux 2.6.32 - 2.6.33 (86%), FreeBSD 6.2-RELEASE (86%), Linux 2.6.35 (86%), Linux 3.5 (86%)
No exact OS matches for host (test conditions non-ideal).
Uptime guess: 45.068 days (since Fri Mar 13 09:25:01 2020)
TCP Sequence Prediction: Difficulty=260 (Good luck!)
IP ID Sequence Generation: All zeros

Read data files from: /usr/bin/../share/nmap
OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.95 seconds
           Raw packets sent: 2000 (91.612KB) | Rcvd: 88 (4.316KB)

As you can see, this command gives us quite a bit of information.

SQL Injection Scan

The next command we will look at is very useful when we want to find out if there are any possible SQL injection vectors on our domain. The syntax of the command would look like this.

[root@host ~]# nmap -p80 --script http-sql-injection example.com

This command scans port 80 (in this case) and runs the http-sql-injection script against the web application it finds there, looking for signs of SQL injection vulnerabilities.

Nmap Output to File

Next, we will demonstrate how to save the output of our nmap commands and how to compare saved outputs. If you want to save the output of an nmap command to a file, you can use this command:

[root@host ~]# nmap 67.43.11.187 -oA results

This command will save our output into a file in three different formats .gnmap, .nmap and .xml. This is useful when we need to keep the output in case we need to compare it to the output that we will get after we have modified ports or firewalls. This brings us to the file comparison option. When you want to compare two files containing nmap output, you can use the ndiff command. For example:

[root@host ~]# ndiff results.xml results1.xml

The output will look similar to this.

-Nmap 6.40 scan initiated Mon Apr 27 12:04:19 2020 as: nmap -oA results 67.43.11.187
+Nmap 6.40 scan initiated Mon Apr 27 12:13:14 2020 as: nmap -oA results1 72.52.176.198

-host2.amarbot.tk (67.43.11.187):
-Host is up.
-Not shown: 932 filtered ports, 56 closed ports
-PORT STATE SERVICE VERSION
-21/tcp open ftp
-22/tcp open ssh
-25/tcp open smtp
-53/tcp open domain
-80/tcp open http
-110/tcp open pop3
-143/tcp open imap
-443/tcp open https
-465/tcp open smtps
-587/tcp open submission
-993/tcp open imaps
-995/tcp open pop3s

+swan26.denizkiziyuzme.net (72.52.176.198):
+Host is up.
+Not shown: 931 filtered ports, 56 closed ports
+PORT STATE SERVICE VERSION
+21/tcp open ftp
+22/tcp open ssh
+25/tcp open smtp
+53/tcp open domain
+80/tcp open http
+110/tcp open pop3
+143/tcp open imap
+443/tcp open https
+465/tcp open smtps
+587/tcp open submission
+993/tcp open imaps
+995/tcp open pop3s
+3306/tcp open mysql

This shows us the difference between the two scans: which ports are open on each host and the services listening on them.
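The same comparison is worth automating for a single host over time, so that a port that opens between two scheduled scans gets noticed. The script below is an added example, not code from the original article or from the Nmap project: it reads the grepable (.gnmap) file that -oA writes, extracts the open ports, and reports what opened or closed between a baseline and a later scan, which is a simplified stand-in for ndiff. The two scan files it creates are constructed sample data.

```shell
#!/bin/sh
# Added example (not from the original article): report ports that opened
# or closed between two saved .gnmap files. A simplified stand-in for ndiff
# that only needs the grepable output produced by -oA.
export LC_ALL=C   # deterministic sort order for comm

# gnmap_open_ports: read grepable output on stdin and print "ip port/proto"
# for every port whose state is "open". Fields in .gnmap are tab-separated.
gnmap_open_ports() {
    awk -F'\t' '
        /^Host:/ {
            split($1, h, " "); ip = h[2]
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^Ports: /) {
                    sub(/^Ports: /, "", $i)
                    n = split($i, entry, /, /)
                    for (j = 1; j <= n; j++) {
                        # each entry looks like 22/open/tcp//ssh///
                        split(entry[j], f, "/")
                        if (f[2] == "open") print ip " " f[1] "/" f[3]
                    }
                }
            }
        }'
}

# port_changes: $1 = older .gnmap, $2 = newer .gnmap. Prints "+ ip port"
# for ports open only in the newer scan and "- ip port" for ports open
# only in the older one.
port_changes() {
    old=$(mktemp); new=$(mktemp)
    gnmap_open_ports < "$1" | sort > "$old"
    gnmap_open_ports < "$2" | sort > "$new"
    comm -13 "$old" "$new" | sed 's/^/+ /'   # only in new: newly opened
    comm -23 "$old" "$new" | sed 's/^/- /'   # only in old: no longer open
    rm -f "$old" "$new"
}

# Constructed sample scans of one host, written in .gnmap format.
BASELINE_GNMAP=$(mktemp)
CURRENT_GNMAP=$(mktemp)
printf '# Nmap 6.40 scan initiated Mon Apr 27 12:04:19 2020 as: nmap -oA results 67.43.11.187\n' > "$BASELINE_GNMAP"
printf 'Host: 67.43.11.187 (host2.amarbot.tk)\tStatus: Up\n' >> "$BASELINE_GNMAP"
printf 'Host: 67.43.11.187 (host2.amarbot.tk)\tPorts: 21/open/tcp//ftp///, 22/open/tcp//ssh///, 80/open/tcp//http///\tIgnored State: filtered (997)\n' >> "$BASELINE_GNMAP"
printf '# Nmap 6.40 scan initiated Mon Apr 27 12:13:14 2020 as: nmap -oA results1 67.43.11.187\n' > "$CURRENT_GNMAP"
printf 'Host: 67.43.11.187 (host2.amarbot.tk)\tStatus: Up\n' >> "$CURRENT_GNMAP"
printf 'Host: 67.43.11.187 (host2.amarbot.tk)\tPorts: 21/closed/tcp//ftp///, 22/open/tcp//ssh///, 80/open/tcp//http///, 3306/open/tcp//mysql///\tIgnored State: filtered (996)\n' >> "$CURRENT_GNMAP"

# Demo run: 3306/tcp has appeared and 21/tcp is no longer open.
port_changes "$BASELINE_GNMAP" "$CURRENT_GNMAP"
```

Run it as port_changes results.gnmap results1.gnmap against real -oA output; a "+" line for a port you did not intend to expose is the signal to go and check the firewall rules. ndiff remains the better tool when you have the XML files, since it also diffs service versions and host state.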

Nmap Speed Control

In addition, the -T flag can be added to any nmap command to select a timing template that controls the speed of a scan. Each level trades speed against the likelihood of triggering intrusion detection, and each affects overall scan performance. The levels, T0 through T5, are denoted as follows.

  • T0 = Paranoid (0) Intrusion Detection System evasion
  • T1 = Sneaky (1) Intrusion Detection System evasion
  • T2 = Polite (2) slows down the scan to use less bandwidth and use less target machine resources
  • T3 = Normal (3) the default speed
  • T4 = Aggressive (4) speeds scans; assumes you are on a reasonably fast and reliable network
  • T5 = Insane (5) speeds scan; assumes you are on an extraordinarily fast network

Please keep in mind that Nmap can be misused by malicious individuals who use it to find random vulnerabilities on servers. We recommend that this tool only be pointed at a network or hosts that you have direct control over as you can easily become banned from a host/network if abused.

We will conclude this tutorial with this information. There are literally hundreds of options and combinations to use with the Nmap command, which is what makes the tool so useful and powerful. For more information, we suggest reading the Nmap man pages and the official documentation.

Would You Like To Learn More?

Nmap is an excellent tool that is easily implemented on your server. If you have any issues implementing this software, give us a call at 800.580.4985, or open a chat or ticket with us to speak with one of our knowledgeable technicians or Experienced Hosting advisors to learn how you can take advantage of this tool today!

Author Bio

About the Author: Dean Conally

I am a Linux enthusiast and console gamer, dog lover and amateur photographer. I've been working at Liquidweb for a bit less than two years. Always looking for knowledge to expand my expertise, thus tackling new technologies and solutions one day at a time.
