nmap

A basic introduction.

What is nmap?

nmap is a network scanning tool: it probes IPs and ports to find live hosts, open ports and the services behind them, which is the starting point for finding vulnerabilities. The most basic nmap scan is

nmap [ip]

This will scan a given IP or IP range and give you basic info on the open ports. For example, here are the results of scanning my machine:

kali@kali:~/Downloads$ nmap 192.168.202.131
Starting Nmap 7.70 ( https://nmap.org ) at 2020-08-19 21:25 UTC
Nmap scan report for 192.168.202.131
Host is up (0.000068s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 0.07 seconds

This scans only the 1000 most common ports. To scan every single port, add -p- after the IP.

nmap timing

An nmap scan has 6 timing templates. These are:

  • (0) Paranoid: 5 minutes between packets, scans serially

  • (1) Sneaky: 15 seconds between packets, scans serially

  • (2) Polite: 0.4 seconds between packets, scans serially

  • (3) Normal: the default, designed not to overwhelm the network or miss targets/ports, scans in parallel

  • (4) Aggressive: waits 1.25 seconds for a probe response, scans in parallel

  • (5) Insane: waits 0.3 seconds for a probe response, spends up to 15 minutes per host and moves on to the next host if it takes longer, scans in parallel

To use a timing template, add -T[number from 0-5] to your command. The default is 3; you can bump this up to 5 for speed, at the cost of possibly missing some ports.

For example, here is a -T5 scan of every TCP port on my machine:

kali@kali:~/Downloads$ nmap 192.168.202.131 -p- -T5
Starting Nmap 7.70 ( https://nmap.org ) at 2020-08-19 21:32 UTC
Nmap scan report for 192.168.202.131
Host is up (0.000041s latency).
Not shown: 65532 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
8834/tcp open  nessus-xmlrpc

Nmap done: 1 IP address (1 host up) scanned in 1.53 seconds

As you can see, the scan went incredibly quickly!
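Once you have output like the two reports above, the useful next step is to turn it into data you can compare, for example to see which ports only showed up once you scanned the full range instead of the default 1000. The following is an added example, not part of this guide and not nmap's own code: a small parser for nmap's plain-text ("normal") output, fed with the two scan reports from this page as embedded sample input, plus a diff of the open ports between them. It also handles the case where the "Not shown" line lists several states (e.g. "990 closed ports, 5 filtered ports"), which the reports on this page do not exercise.

```python
"""Parse nmap "normal" text output and diff the open ports of two scans.

Added example for this guide; the parser is illustrative, not nmap's own code.
The two sample reports below are the scans reproduced on the page.
"""
import re
from dataclasses import dataclass, field

# Sample input: the two reports from the page, embedded so this runs offline.
SCAN_TOP1000 = """\
Starting Nmap 7.70 ( https://nmap.org ) at 2020-08-19 21:25 UTC
Nmap scan report for 192.168.202.131
Host is up (0.000068s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 0.07 seconds
"""

SCAN_ALLPORTS = """\
Starting Nmap 7.70 ( https://nmap.org ) at 2020-08-19 21:32 UTC
Nmap scan report for 192.168.202.131
Host is up (0.000041s latency).
Not shown: 65532 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
8834/tcp open  nessus-xmlrpc

Nmap done: 1 IP address (1 host up) scanned in 1.53 seconds
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")
HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
# "Not shown: 998 closed ports" or "Not shown: 990 closed ports, 5 filtered ports"
NOT_SHOWN_RE = re.compile(r"(\d+) (\w+) ports")
DONE_RE = re.compile(r"scanned in ([\d.]+) seconds")


@dataclass
class ScanReport:
    host: str = ""
    ports: dict = field(default_factory=dict)  # (port, proto) -> (state, service)
    not_shown: int = 0                          # ports summarised by the "Not shown" line
    seconds: float = 0.0

    def ports_scanned(self) -> int:
        # listed ports plus the "Not shown" count equals the size of the scanned range
        return len(self.ports) + self.not_shown


def parse_nmap_normal(text: str) -> ScanReport:
    """Extract host, per-port state/service, the Not-shown count and duration."""
    report = ScanReport()
    for line in text.splitlines():
        if m := HOST_RE.match(line):
            report.host = m.group(1)
        elif line.startswith("Not shown:"):
            # sum every "<n> <state> ports" group so multi-state lines are counted fully
            report.not_shown = sum(int(n) for n, _state in NOT_SHOWN_RE.findall(line))
        elif m := PORT_RE.match(line):
            port, proto, state, service = m.groups()
            report.ports[(int(port), proto)] = (state, service)
        elif m := DONE_RE.search(line):
            report.seconds = float(m.group(1))
    return report


def diff_open_ports(before: ScanReport, after: ScanReport) -> dict:
    """Open ports present only in `after` ("new") or only in `before` ("gone")."""
    open_before = {k for k, (state, _) in before.ports.items() if state == "open"}
    open_after = {k for k, (state, _) in after.ports.items() if state == "open"}
    return {"new": sorted(open_after - open_before), "gone": sorted(open_before - open_after)}


if __name__ == "__main__":
    top = parse_nmap_normal(SCAN_TOP1000)
    full = parse_nmap_normal(SCAN_ALLPORTS)
    print(f"{top.host}: {top.ports_scanned()} ports scanned in {top.seconds}s, {len(top.ports)} listed")
    print(f"{full.host}: {full.ports_scanned()} ports scanned in {full.seconds}s, {len(full.ports)} listed")
    print("open only in the full-port scan:", diff_open_ports(top, full)["new"])
```

Running it shows the default scan covering 1000 ports and the -p- scan covering 65535, with 8834/tcp as the one open port the default scan never looked at; the same diff run on two scans of the same range taken at different times is a simple way to spot a service that appeared on a host since the last check.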
