nmap tutorial

NMAP is a network and port scanning tool. This small guide covers only how to scan targets and ranges, that is, how to select the machines and networks to scan. The other NMAP guides, which go further, are the next steps in this nmap series; to keep those guides to the point, I have left many types of scanning out of this post. Take a look at how we can scan different targets with nmap.

NOTE: This is Part 1/3. In the subsequent parts 2 and 3 we will cover more on nmap; here we talk only about selecting the attack surface. Parts 2 and 3 will detail attacking that surface/those machines.

nmap <argument> target(s)

NOTE: The -sP argument only checks whether the host is up, so I have used it in many places below to show how to select targets. We will cover arguments in detail in another post; this article is only about selecting targets. So you can actually ignore the -sP argument when trying this yourself.

NMAP Targets on VM

The first scan is nmap on a single target machine or website.

nmap 172.16.109.132
Here we are scanning a single target, which gives us the basic details. In the terminal it will look something like below.

root@ETHICALHACKX:~# nmap 172.16.109.132
Starting Nmap 7.70 ( https://nmap.org ) at 2019-08-17 02:23 IST
Nmap scan report for 172.16.109.132
Host is up (0.0018s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
111/tcp open  rpcbind
MAC Address: 00:0C:29:8E:EE:70 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.28 seconds
root@ETHICALHACKX:~# 
nmap target

Scanning a website with nmap
Here the target is a website, so the target argument changes to a hostname.

root@ETHICALHACKX:~# nmap scanme.nmap.org
Starting Nmap 7.70 ( https://nmap.org ) at 2019-08-17 02:22 IST
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.22s latency).
Other addresses for scanme.nmap.org (not scanned): 2600:3c01::f03c:91ff:fe18:bb2f
Not shown: 993 closed ports
PORT      STATE    SERVICE
22/tcp    open     ssh
23/tcp    filtered telnet
25/tcp    filtered smtp
80/tcp    open     http
2323/tcp  filtered 3d-nfsd
9929/tcp  open     nping-echo
31337/tcp open     Elite

Nmap done: 1 IP address (1 host up) scanned in 26.51 seconds
root@ETHICALHACKX:~# 
nmap scanning a website - nmap target.com

Scanning a Subnet with nmap

You want to scan a subnet when you have the CIDR information or you suspect that you might find something useful on that network segment. I have removed a few machines to make the result understandable; we scanned a subnet and learned which machines are up and which ports are open on them. You need to know the CIDR notation and the subnet classification.

root@ETHICALHACKX:~# nmap 172.16.109.0/24
Starting Nmap 7.70 ( https://nmap.org ) at 2019-08-17 02:21 IST
Nmap scan report for 172.16.109.128
Host is up (0.0011s latency).
Not shown: 977 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
23/tcp   open  telnet
25/tcp   open  smtp
53/tcp   open  domain
80/tcp   open  http
111/tcp  open  rpcbind
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
512/tcp  open  exec
513/tcp  open  login
514/tcp  open  shell
1099/tcp open  rmiregistry
1524/tcp open  ingreslock
2049/tcp open  nfs
2121/tcp open  ccproxy-ftp
3306/tcp open  mysql
5432/tcp open  postgresql
5900/tcp open  vnc
6000/tcp open  X11
6667/tcp open  irc
8009/tcp open  ajp13
8180/tcp open  unknown
MAC Address: 00:0C:29:CD:7D:B8 (VMware)

Nmap scan report for 172.16.109.132
Host is up (0.0014s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
111/tcp open  rpcbind
MAC Address: 00:0C:29:8E:EE:70 (VMware)

Nmap scan report for 172.16.109.134
Host is up (0.00083s latency).
All 1000 scanned ports on 172.16.109.134 are filtered
MAC Address: 00:0C:29:8C:43:90 (VMware)

Nmap scan report for 172.16.109.254
Host is up (0.00016s latency).
All 1000 scanned ports on 172.16.109.254 are filtered
MAC Address: 00:50:56:F1:3F:AE (VMware)

Nmap scan report for 172.16.109.1
Host is up (0.0000050s latency).
Not shown: 998 closed ports
PORT    STATE SERVICE
111/tcp open  rpcbind
902/tcp open  iss-realsecure

Nmap done: 256 IP addresses (5 hosts up) scanned in 10.35 seconds
root@ETHICALHACKX:~# 
scanning by CIDR format, scanning subnet

Scanning more than one target, specific IP addresses

root@ETHICALHACKX:~# nmap -sP 172.16.109.128 172.16.109.132 172.16.109.134 172.16.109.135
Starting Nmap 7.70 ( https://nmap.org ) at 2019-08-17 02:20 IST
Nmap scan report for 172.16.109.128
Host is up (0.00043s latency).
MAC Address: 00:0C:29:CD:7D:B8 (VMware)
Nmap scan report for 172.16.109.132
Host is up (0.00080s latency).
MAC Address: 00:0C:29:8E:EE:70 (VMware)
Nmap scan report for 172.16.109.134
Host is up (0.00059s latency).
MAC Address: 00:0C:29:8C:43:90 (VMware)
Nmap done: 4 IP addresses (3 hosts up) scanned in 0.31 seconds
root@ETHICALHACKX:~# 
Scanning Range of IP Address

As we used the -sP argument, we only checked whether the 4 IP addresses were up, and found that 3 machines are up. In the same way you can scan as many IP addresses as you want, and change or remove arguments like the -sP I have used.

Scanning IP Ranges

Now we want to scan a range of IP addresses, like 172.16.109.(128-150) or
172.16.(108-110).(125-150)

Scan result for 172.16.109.125-150
When scanning this range, a total of 26 IP addresses were scanned and 3 machines are up.

root@ETHICALHACKX:~# nmap -sP 172.16.109.125-150
Starting Nmap 7.70 ( https://nmap.org ) at 2019-08-17 01:36 IST
Nmap scan report for 172.16.109.128
Host is up (0.00094s latency).
MAC Address: 00:0C:29:CD:7D:B8 (VMware)
Nmap scan report for 172.16.109.132
Host is up (0.00041s latency).
MAC Address: 00:0C:29:8E:EE:70 (VMware)
Nmap scan report for 172.16.109.134
Host is up (0.00066s latency).
MAC Address: 00:0C:29:8C:43:90 (VMware)
Nmap done: 26 IP addresses (3 hosts up) scanned in 0.52 seconds

Scanning with two ranges in the IP address: 172.16.(108-110).(125-150).

root@ETHICALHACKX:~# nmap -sP 172.16.108-110.125-150
Starting Nmap 7.70 ( https://nmap.org ) at 2019-08-17 01:38 IST
Nmap scan report for 172.16.109.128
Host is up (0.00025s latency).
MAC Address: 00:0C:29:CD:7D:B8 (VMware)
Nmap scan report for 172.16.109.132
Host is up (0.00032s latency).
MAC Address: 00:0C:29:8E:EE:70 (VMware)
Nmap scan report for 172.16.109.134
Host is up (0.00030s latency).
MAC Address: 00:0C:29:8C:43:90 (VMware)
Nmap done: 78 IP addresses (3 hosts up) scanned in 43.64 seconds

If you are confused by what we did in the step above, use the -sL argument to list all the IP addresses that would be scanned: nmap -sP -sL 172.16.107-110.132-134. In the output below you can see the result.

root@ETHICALHACKX:~# nmap -sP -sL 172.16.107-110.132-134
Starting Nmap 7.70 ( https://nmap.org ) at 2019-08-17 01:45 IST
Nmap scan report for 172.16.107.132
Nmap scan report for 172.16.107.133
Nmap scan report for 172.16.107.134
Nmap scan report for 172.16.108.132
Nmap scan report for 172.16.108.133
Nmap scan report for 172.16.108.134
Nmap scan report for 172.16.109.132
Nmap scan report for 172.16.109.133
Nmap scan report for 172.16.109.134
Nmap scan report for 172.16.110.132
Nmap scan report for 172.16.110.133
Nmap scan report for 172.16.110.134
Nmap done: 12 IP addresses (0 hosts up) scanned in 0.00 seconds
Scanning IP Address Range in Format 172.16.x-y.x-y

So this was specifying targets. What if you scanned a website, got a list of IP addresses, and saved them in a file?

Scanning IP Address List from file.

root@ETHICALHACKX:~# nmap -sP -iL targetIP.txt
Starting Nmap 7.70 ( https://nmap.org ) at 2019-08-17 01:51 IST
Nmap scan report for 172.16.109.128
Host is up (0.00040s latency).
MAC Address: 00:0C:29:CD:7D:B8 (VMware)
Nmap scan report for 172.16.109.134
Host is up (0.00065s latency).
MAC Address: 00:0C:29:8C:43:90 (VMware)
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.22s latency).
Other addresses for scanme.nmap.org (not scanned): 2600:3c01::f03c:91ff:fe18:bb2f
Nmap done: 7 IP addresses (3 hosts up) scanned in 0.61 seconds
nmap scanning an IP address list from a file.

Scanning IP Address excluding IP(s)

We have a list of IP addresses we want to scan, but we also know of IPs we want to exclude for some reason, maybe because we know there is no useful information on them. It might seem fussy, but the attack surface should always be precise: we should gather information without making noise, and hence this matters. Here you can use a comma (,) to add more IPs to the exclude list.

root@ETHICALHACKX:~# nmap -sP -sL -iL targetIP.txt --exclude 172.16.109.128
Starting Nmap 7.70 ( https://nmap.org ) at 2019-08-17 01:53 IST
Nmap scan report for 172.16.109.130
Nmap scan report for 172.16.109.133
Nmap scan report for 172.16.109.134
Nmap scan report for 172.16.109.135
Nmap scan report for 172.16.109.136
Nmap scan report for scanme.nmap.org (45.33.32.156)
Other addresses for scanme.nmap.org (not scanned): 2600:3c01::f03c:91ff:fe18:bb2f
Nmap done: 6 IP addresses (0 hosts up) scanned in 0.01 seconds
nmap exclude IP Address from scanning

Exclude IP List from a file

We scanned a list of targets from a file but excluded the IPs we wanted to leave out. The two parts of the output below show the result of excluding IPs from a file; the second run adds -sL to list exactly which addresses remain.

root@ETHICALHACKX:~# nmap -sP -iL targetIP.txt --excludefile leave.txt
Starting Nmap 7.70 ( https://nmap.org ) at 2019-08-17 01:59 IST
Nmap scan report for 172.16.109.128
Host is up (0.00033s latency).
MAC Address: 00:0C:29:CD:7D:B8 (VMware)
Nmap scan report for 172.16.109.134
Host is up (0.00067s latency).
MAC Address: 00:0C:29:8C:43:90 (VMware)
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.22s latency).
Other addresses for scanme.nmap.org (not scanned): 2600:3c01::f03c:91ff:fe18:bb2f
Nmap done: 9 IP addresses (3 hosts up) scanned in 0.61 seconds

root@ETHICALHACKX:~# nmap -sP -sL -iL targetIP.txt --excludefile leave.txt
Starting Nmap 7.70 ( https://nmap.org ) at 2019-08-17 01:59 IST
Nmap scan report for 172.16.109.128
Nmap scan report for 172.16.109.130
Nmap scan report for 172.16.109.133
Nmap scan report for 172.16.109.134
Nmap scan report for 172.16.109.135
Nmap scan report for 172.16.109.136
Nmap scan report for 172.16.109.137
Nmap scan report for 172.16.109.139
Nmap scan report for scanme.nmap.org (45.33.32.156)
Other addresses for scanme.nmap.org (not scanned): 2600:3c01::f03c:91ff:fe18:bb2f
Nmap done: 9 IP addresses (0 hosts up) scanned in 0.01 seconds
Nmap scanning and excluding IP Address from a list in file
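To make the target arithmetic above concrete (why 172.16.108-110.125-150 yields 78 addresses and 172.16.107-110.132-134 yields 12, and how -iL, --exclude and --excludefile combine), here is an added Python example that expands nmap-style target specifications into the list nmap -sL would print. It is not code from the original post or from the Nmap project; it supports only the forms used in this post (single IPv4 address, CIDR, per-octet ranges, and hostnames passed through unexpanded), and the targetIP.txt and leave.txt contents are constructed inline rather than the author's real files.

```python
"""Expand nmap-style target specs the way `nmap -sL` lists them.

Added example, not from the original post or the Nmap project. Handles the
forms the post uses: single IPv4, CIDR (172.16.109.0/24), per-octet ranges
(172.16.108-110.125-150) and hostnames (left for DNS), plus the -iL /
--exclude / --excludefile combination. File contents are constructed inline.
"""
import ipaddress
from itertools import product


def expand_target(spec):
    """Return every address a single target spec covers, in nmap -sL order."""
    if "/" in spec:
        # CIDR: nmap walks the whole block, network and broadcast included
        return [str(a) for a in ipaddress.ip_network(spec, strict=False)]
    parts = spec.split(".")
    if len(parts) != 4 or not all(p.replace("-", "").isdigit() for p in parts):
        # Not a dotted quad: treat as a hostname and leave resolution to DNS
        return [spec]
    octets = []
    for p in parts:
        lo, _, hi = p.partition("-")
        lo_i = int(lo)
        hi_i = int(hi) if hi else lo_i
        if not 0 <= lo_i <= hi_i <= 255:
            raise ValueError(f"bad octet range {p!r} in {spec!r}")
        octets.append(range(lo_i, hi_i + 1))
    # product() varies the last octet fastest, matching the -sL listing order
    return [".".join(map(str, combo)) for combo in product(*octets)]


def build_target_list(specs, exclude=()):
    """Expand all specs, then drop anything covered by the (also expanded) exclude specs."""
    excluded = set()
    for ex in exclude:
        excluded.update(expand_target(ex))
    seen, result = set(), []
    for spec in specs:
        for addr in expand_target(spec):
            if addr in excluded or addr in seen:
                continue
            seen.add(addr)
            result.append(addr)
    return result


def read_specs(text):
    """Parse a target file like targetIP.txt: whitespace-separated specs, '#' comments."""
    specs = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            specs.extend(line.split())
    return specs


# Constructed stand-ins for targetIP.txt and leave.txt (not the post's real files)
TARGET_FILE = """
172.16.109.128 172.16.109.130
172.16.109.133-137   # a small last-octet range
scanme.nmap.org
"""
EXCLUDE_FILE = "172.16.109.128\n172.16.109.136\n"

if __name__ == "__main__":
    for spec in ("172.16.109.125-150", "172.16.108-110.125-150", "172.16.109.0/24"):
        print(f"{spec:28s} -> {len(expand_target(spec))} addresses")
    targets = build_target_list(read_specs(TARGET_FILE), read_specs(EXCLUDE_FILE))
    print("after --excludefile:", targets)
```

Running it prints 26, 78 and 256 for the three specs, the same counts nmap reported above, and the exclude step drops the two addresses from the constructed leave.txt while passing the hostname through untouched.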

So this was all about IP, now we move to ports.

Port Scanning

We have a few options in port scanning. Just like with IPs, we can specify the ports we want to scan, a range of ports, and more, as we will see below.

Scanning a port on one or more IP addresses.

Suppose you are interested in port 80 on a list of hosts, say the web servers you are scanning, or say the ftp port on a list of servers.

root@ETHICALHACKX:~# nmap -p21 172.16.109.128 172.16.109.132
Starting Nmap 7.70 ( https://nmap.org ) at 2019-08-17 02:05 IST
Nmap scan report for 172.16.109.128
Host is up (0.00042s latency).

PORT   STATE SERVICE
21/tcp open  ftp
MAC Address: 00:0C:29:CD:7D:B8 (VMware)

Nmap scan report for 172.16.109.132
Host is up (0.00065s latency).

PORT   STATE  SERVICE
21/tcp closed ftp
MAC Address: 00:0C:29:8E:EE:70 (VMware)

Nmap done: 2 IP addresses (2 hosts up) scanned in 0.20 seconds
root@ETHICALHACKX:~# 
Scanning ports on multiple IP addresses

Scanning a number of ports on one or more machines

We might want to scan multiple ports on one or more machines/IPs; here we check ports 21, 80 and 443 on a range of IP addresses.

root@ETHICALHACKX:~# nmap -p21,80,443 172.16.109.128-132
Starting Nmap 7.70 ( https://nmap.org ) at 2019-08-17 02:07 IST
Nmap scan report for 172.16.109.128
Host is up (0.00077s latency).

PORT    STATE  SERVICE
21/tcp  open   ftp
80/tcp  open   http
443/tcp closed https
MAC Address: 00:0C:29:CD:7D:B8 (VMware)

Nmap scan report for 172.16.109.132
Host is up (0.00069s latency).

PORT    STATE  SERVICE
21/tcp  closed ftp
80/tcp  open   http
443/tcp closed https
MAC Address: 00:0C:29:8E:EE:70 (VMware)

Nmap done: 5 IP addresses (2 hosts up) scanned in 0.44 seconds
root@ETHICALHACKX:~# 

Scan a range of Ports

We can scan a range of ports, in the same way as a range of IP addresses, over one or more IP addresses. In this example I will show it on only one IP address, but just like above you can add more targets or load a list of targets from a file. Below we are scanning the port range 1-400.

root@ETHICALHACKX:~# nmap -p1-400 172.16.109.128
Starting Nmap 7.70 ( https://nmap.org ) at 2019-08-17 02:11 IST
Nmap scan report for 172.16.109.128
Host is up (0.0012s latency).
Not shown: 392 closed ports
PORT    STATE SERVICE
21/tcp  open  ftp
22/tcp  open  ssh
23/tcp  open  telnet
25/tcp  open  smtp
53/tcp  open  domain
80/tcp  open  http
111/tcp open  rpcbind
139/tcp open  netbios-ssn
MAC Address: 00:0C:29:CD:7D:B8 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.25 seconds
root@ETHICALHACKX:~# 

Scanning all ports

You might know little about a machine and want to explore all its ports. A basic nmap scan checks only 1000 ports; what if you want to scan all 65535 ports? This might take some time, but you might uncover more information.

root@ETHICALHACKX:~# nmap -p- 172.16.109.128
Starting Nmap 7.70 ( https://nmap.org ) at 2019-08-17 02:14 IST
Nmap scan report for 172.16.109.128
Host is up (0.0017s latency).
Not shown: 65505 closed ports
PORT      STATE SERVICE
21/tcp    open  ftp
22/tcp    open  ssh
23/tcp    open  telnet
25/tcp    open  smtp
53/tcp    open  domain
80/tcp    open  http
111/tcp   open  rpcbind
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
512/tcp   open  exec
513/tcp   open  login
514/tcp   open  shell
1099/tcp  open  rmiregistry
1524/tcp  open  ingreslock
2049/tcp  open  nfs
2121/tcp  open  ccproxy-ftp
3306/tcp  open  mysql
3632/tcp  open  distccd
5432/tcp  open  postgresql
5900/tcp  open  vnc
6000/tcp  open  X11
6667/tcp  open  irc
6697/tcp  open  ircs-u
8009/tcp  open  ajp13
8180/tcp  open  unknown
8787/tcp  open  msgsrvr
33093/tcp open  unknown
38247/tcp open  unknown
45628/tcp open  unknown
45649/tcp open  unknown
MAC Address: 00:0C:29:CD:7D:B8 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 5.91 seconds
root@ETHICALHACKX:~# 
Scanning All Ports on machine / IP Address
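The port section above leaves the defender with a natural follow-up: once a scan like the ones shown has run, which open ports on each host are not supposed to be there? The added Python example below (not code from the original post or from the Nmap project) parses nmap's normal output into host/port records and compares the open ports against a per-host allowed list written in nmap's own -p syntax ("21,80,443", "1-400", "-" for all ports). SAMPLE_OUTPUT is trimmed from the subnet scan shown earlier in the post; the ALLOWED baseline is a constructed assumption about what each host should expose, not anything the post states.

```python
"""Parse nmap normal output and flag open ports not covered by a -p style baseline.

Added example, not from the original post or the Nmap project. SAMPLE_OUTPUT is
trimmed from the subnet scan in the post; ALLOWED is a constructed baseline.
"""
import re

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")


def parse_port_spec(spec):
    """Expand an nmap -p style spec ("21,80,443", "1-400", "-", "") into a set of ports."""
    if spec.strip() == "-":
        return set(range(1, 65536))
    ports = set()
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        lo, sep, hi = item.partition("-")
        lo_i = int(lo) if lo else 1                      # "-400" means 1-400
        hi_i = int(hi) if hi else (65535 if sep else lo_i)  # "1000-" means 1000-65535
        if not 1 <= lo_i <= hi_i <= 65535:
            raise ValueError(f"bad port spec {item!r}")
        ports.update(range(lo_i, hi_i + 1))
    return ports


def parse_nmap_output(text):
    """Return {host: [(port, proto, state, service), ...]} from nmap's normal output."""
    hosts, current = {}, None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = m.group(1)
            hosts[current] = []        # a host with no port lines stays an empty list
            continue
        m = PORT_RE.match(line)
        if m and current is not None:
            port, proto, state, service = m.groups()
            hosts[current].append((int(port), proto, state, service))
    return hosts


def unexpected_open_ports(hosts, allowed):
    """Map each host to its open ports that fall outside its baseline.

    Hosts absent from `allowed` fall back to the "default" entry, or to an
    empty baseline, so an unknown host with anything open is reported.
    """
    findings = {}
    for host, entries in hosts.items():
        permitted = parse_port_spec(allowed.get(host, allowed.get("default", "")))
        extra = sorted(p for p, _, state, _ in entries if state == "open" and p not in permitted)
        if extra:
            findings[host] = extra
    return findings


# Trimmed from the post's `nmap 172.16.109.0/24` run
SAMPLE_OUTPUT = """\
Starting Nmap 7.70 ( https://nmap.org ) at 2019-08-17 02:21 IST
Nmap scan report for 172.16.109.132
Host is up (0.0014s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
111/tcp open  rpcbind
MAC Address: 00:0C:29:8E:EE:70 (VMware)

Nmap scan report for 172.16.109.134
Host is up (0.00083s latency).
All 1000 scanned ports on 172.16.109.134 are filtered
MAC Address: 00:0C:29:8C:43:90 (VMware)

Nmap scan report for 172.16.109.1
Host is up (0.0000050s latency).
Not shown: 998 closed ports
PORT    STATE SERVICE
111/tcp open  rpcbind
902/tcp open  iss-realsecure

Nmap done: 256 IP addresses (5 hosts up) scanned in 10.35 seconds
"""

# Constructed baseline (assumption): .132 should only expose ssh and http,
# .1 may expose anything in the privileged range, everything else nothing.
ALLOWED = {
    "172.16.109.132": "22,80",
    "172.16.109.1": "1-1024",
}

if __name__ == "__main__":
    hosts = parse_nmap_output(SAMPLE_OUTPUT)
    for host, extra in unexpected_open_ports(hosts, ALLOWED).items():
        print(f"{host}: unexpected open ports {extra}")
```

Against the sample, only 172.16.109.132 is reported (rpcbind on 111 is outside its "22,80" baseline); the all-filtered host yields no port lines and so nothing to flag. The same parser works on the -p21, -p21,80,443, -p1-400 and -p- outputs above, since they all share the "PORT STATE SERVICE" line format.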

Always remember that you can scan a range of IPs, a range of ports, and combine these with a number of other arguments. This post was only about selecting the attack surface: make it precise and sure-shot, so that we collect more information with minimum noise.

Thought of scanning the internet ?

What? Scan the internet? Yes, what if you decide to scan all the IP ranges? Tell us your idea on this in the comments below.

We are covering more interesting NMAP Guide Part 2 in upcoming article.
