Thursday, January 21, 19:32
Home how To Nmap: How to use the king of network scanning

Nmap: How to use the king of network scanning

There is no person in her place security who hasn't heard of Nmap, the predominant network scanning tool. In this article we will try to analyze the utility of this tool and show you the possible ways you can install it on your computer. Unfortunately, because it is impossible to see all the commands we can use in Nmap one by one, we will try to show the main ones.


Some of the features of Nmap include detection host (Host Discovery), the port scan of each host, service and OS fingerprinting of each host, as well as a basic vulnerability detection. Additionally, there is the option of using ZeNmap, that is, the Nmap graphics version.

How to install it

Nmap can be used on an operating system Windows. However, it is advisable to use the operating system Linux as Nmap works faster and better with it. Some of the limitations that someone who uses Nmap in a Windows environment might face are:

  • It is not possible to scan for the machine on which Nmap is running.
  • Only Ethernet interfaces are supported.
  • Some scans take much longer to complete than the corresponding time it would take to complete in a Linux environment.

Here we should note that at Kali Linux, you can find Nmap pre-installed.


  1. Visit the address and download the latest version of self-installer.
  2. Run the .exe file you just downloaded and accept the terms of use

network scanning

3. Select the components you want to install.

4. Finally, select the installation folder.

5. The installation will be completed in a few minutes.


The installation process of Nmap for Linux versions is very simple. Just open the terminal and depending on your Linux flavor type the corresponding command to install the Nmap package:

  • CentOS
yum install nmap
  • Debian
apt-get install nmap
  • Ubuntu
sudo apt-get install nmap


How Nmap works

In order to better understand exactly how Nmap works, the different types Scan that offers, with SYN scan being the most common choice, we need to understand how the following works:

3 Way Handhake (Tripartite handshake)

When communicating with a TCP service, the connection is made via the 3 Way Handhake. This consists of the following steps:

  • Step 1: computer A sends a TCP segment SYN on computer B on the door that is connected to the corresponding service (eg 80 HTTP, 25 SMTP, 22 SSH)
  • Step 2: computer B receives the SYN, and responds in part SYN ACK,
  • Step 3: computer A receives the SYN ACK and responds in part ACK

In the steps above, the firewall (firewall) may be a stand-alone device or may work as a local device software in the computers. As is well known, the job of a firewall is to protect a system from unwanted traffic and packets.

Open, closed and filtered doors

In the case of Nmap scan, there may be 3 possible results at the terminal of the scan run:

  • Filtered port: Occurs when this door has not responded at all. The SYN packet is blocked by the firewall.
  • Closed port: Occurs when there is no service running on that door and the firewall has allowed the connection to pass. It may also mean that there is no firewall.
  • Open port: Occurs when there is a service running on this door that is accessible from the outside.



Types of Nmap scan

There are different types of scans that can be performed using Nmap. Some of them are:

  • TCP Scan: Used to control and complete the three way handshake between the target and the target computer. This type of scan can be very easily detected because the service is logged and can activate the Intrusion Detection System.
  • UDP Scan: Used to check if there is an accessible UDP port waiting for incoming connections to the target computer. Unlike TCP, the UDP does not have a mechanism to respond to and confirm the download of the packet, which is why in these scans we find cases false positive. It is much slower than TCPs because machines tend to delay their responses to such traffic as a precautionary measure.
  • SYN Scan: Unlike a regular TCP scan, Nmap creates and sends its own SYN packet, that is, the first packet sent for the purpose of establishing a TCP connection. What is important to explain here is that the connection is never complete, but the target computer's responses are analyzed by Nmap.
  • ACK Scan: ACK scans are used by Nmap to "understand" whether a door is open, closed or filtered. This is quite useful in cases where the attacker is trying to determine the presence of the firewall and the rules associated with it.
  • FIN Scan: It works like a SYN scan, except it sends TCP FIN packets. Most computers respond with RST packets when receiving FIN. This way, the attacker can bypass several firewalls but can be detected by IDS.
  • NULL Scan: In this case the packages that are sent contain null headers, so they are not valid packages.
  • XMAS Scan: This scan is named because the flags of all packets are enabled and more specifically the PSH, URG and FIN flags.
  • RPC Scan: Used for detecting machines that respond to Remote Procedure Call (RPC) services. These services allow remote commands to be executed on a machine.

How to use it

To see all available commands on the tool, type Nmap in a terminal:

root @ kali: ~ # Nmap Nmap 7.80 ( Usage: Nmap [Scan Type (s)] [Options] {target specification} TARGET SPECIFICATION: Can pass hostnames, IP addresses, networks, etc.
   Ex:,,; 10.0.0-255.1-254 -iL : Input from list of hosts / networks -iR : Choose random targets --exclude : Exclude hosts / networks --excludefile : Exclude list from file HOST DISCOVERY: -sL: List Scan - simply list targets to scan -sn: Ping Scan - disable port scan -Pn: Treat all hosts as online - skip host discovery -PS / PA / PU / PY [ portlist]: TCP SYN / ACK, UDP or SCTP discovery to given ports -PE / PP / PM: ICMP echo, timestamp, and netmask request discovery probes -PO [protocol list]: IP Protocol Ping -n / -R: Never do DNS resolution / Always resolve [default: sometimes] --dns-servers : Specify custom DNS servers --system-dns: Use OS's DNS resolver --traceroute: Trace hop path to each host SCAN TECHNIQUES: -sS / sT / sA / sW / sM: TCP SYN / Connect () / ACK / Window / Maimon scans -sU: UDP Scan -sN / sF / sX: TCP Null, FIN, and Xmas scans --scanflags : Customize TCP scan flags -sI : Idle scan -sY / sZ: SCTP INIT / COOKIE-ECHO scans -sO: IP protocol scan -b : FTP bounce scan PORT SPECIFICATION AND SCAN ORDER: -p : Only scan specified ports Ex: -p1; -p2-3; -p U: 1, T: 2-22, S: 1 --exclude-ports : Exclude the specified ports from scanning -F: Fast mode - Scan fewer ports than the default scan -r: Scan ports consecutively - do not randomize --top-ports : Scan most common ports --port-ratio : Scan ports more common than SERVICE / VERSION DETECTION: -sV: Probe open ports to determine service / version info --version-intensity : Set from 65535 (light) to 53,111,137 (try all probes) --version-light: Limit to most likely probes (intensity 21) --version-all: Try every single probe (intensity 25,80,139,8080) --version-trace: Show detailed version scan activity (for debugging) SCRIPT SCAN: -sC: equivalent to --script = default --script = : is a comma separated list of directories, script-files or script-categories --script-args = : provide arguments to scripts --script-args-file = filename: provide NSE script args in a file --script-trace: Show all data sent and received --script-updatedb: Update the script database.
   --script-help = : Show help about scripts.
            is a comma-separated list of script-files or script-categories.
 OS DETECTION: -O: Enable OS detection --osscan-limit: Limit OS detection to promising targets --osscan-guess: Guess OS more aggressively TIMING AND PERFORMANCE: Options which take are in seconds, or append 'ms' (milliseconds), 's' (seconds), 'm' (minutes), or 'h' (hours) to the value (eg  30m).
 -T <0-5>: Set timing template (higher is faster) --min-hostgroup / max-hostgroup : Parallel host scan group sizes --min-parallelism / max-parallelism : Probe parallelization --min-rtt-timeout / max-rtt-timeout / initial-rtt-timeout : Specifies probe round trip time.
   --max-retries : Caps number of port scan probe retransmissions.
   --host-timeout : Give up on target after this long --scan-delay / - max-scan-delay : Adjust delay between probes --min-rate : Send packets no slower than per second --max-rate : Send packets no faster than per second FIREWALL / IDS EVASION AND SPOOFING: -f; --mtu : fragment packets (optionally w / given MTU) -D : Cloak a scan with decoys -S : Spoof source address -e : Use specified interface -g / - source-port : Use given port number --proxies : Relay connections via HTTP / SOCKS1 proxies --data : Append a custom payload to sent packets --data-string : Append a custom ASCII string to sent packets --data-length : Append random data to sent packets --ip-options : Send packets with specified ip options --ttl : Set IP time-to-live field --spoof-mac : Spoof your MAC address --badsum: Send packets with a bogus TCP / UDP / SCTP checksum OUTPUT: -oN / -oX / -oS / -oG : Output scan in normal, XML, s |
   -oA : Output in the three major formats at once -v: Increase verbosity level (use -vv or more for greater effect) -d: Increase debugging level (use -dd or more for greater effect) --reason: Display the reason a port is in a particular state --open: Only show open (or possibly open) ports --packet-trace: Show all packets sent and received --iflist: Print host interfaces and routes (for debugging) --append-output: Append to rather than clobber specified output files --resume : Resume an aborted scan --stylesheet : XSL stylesheet to transform XML output to HTML --webxml: Reference stylesheet from Nmap.Org for more portable XML --no-stylesheet: Prevent associating of XSL stylesheet w / XML output MISC: -6: Enable IPv6 scanning -A: Enable OS detection, version detection, script scanning, and traceroute --datadir : Specify custom Nmap data file location --send-eth / - send-ip: Send using raw ethernet frames or IP packets --privileged: Assume that the user is fully privileged --unprivileged: Assume the user lacks raw socket privileges - V: Print version number -h: Print this help summary page.

In the tables below we will look at the different commands you can use for Nmap.

Scanning Techniques

Parameter Description Example
-sS TCP SYN port scan Nmap -sS
-sT TCP connect port scan Nmap -sT
-sU UDP port scan Nmap -sU
-sA TCP ack port scan Nmap -sA

Host Detection

Parameter Description Example
-Pn Port scan only Nmap -Pn
-sn Host crawl only Nmap -sn
-PR ARP Detection on Local Area Network Nmap -PR
-n Disable DNS process Nmap -n

Door detection

Parameter Description Example
-p Specific door or width Nmap -p
-p- Detection of all doors Nmap -p-
-F Quick scan Nmap -F

 Service and operating system detection

Parameter Description Example
-sV Detection of active services version Nmap -sV
-A Aggressive scan Nmap -A
-O Operating System Detection Nmap -O


The -T [0-5] parameter determines the speed but also the detection of Nmap by a possible IDS presence, starting with T0 which is the slowest but stealth option at the same time and reaching the fastest T5 option and detectable respectively.

Parameter Example
-T0 Nmap -Τ0
-T1 Nmap -Τ1
-T2 Nmap -Τ2
-T3 Nmap -Τ3
-T4 Nmap -Τ4
-T5 Nmap -Τ5



We look forward to your feedback on the Nmap tool. How did you like it;


Please enter your comment!
Please enter your name here

Here's the crazy ones, the misfits, the rebels, the troublemakers ...


Mac: How to see which model you have and when it was released

When you need support for your Mac - or want to install some kind of upgrade - you usually need to know the exact ...

Bill Gates: Will he work with Biden on COVID-19 / climate change?

Microsoft co-founder Bill Gates said on Twitter that he is looking forward to working with the new US President, Joe Biden, and ...

What are the rumors circulating about the iPhone 13?

Apple iPhone 13 will have a redesigned Face ID system that will have a smaller notch at the top of the screen, ...

Biden: How was the political transition in the US captured on social media?

As Joe Biden was sworn in as President of the United States, this important political transition was captured on popular social media. On January 20, ...

CentOS ceases to be supported but RHEL is offered for free

Last month, Red Hat caused a great deal of concern in the Linux world when it announced the discontinuation of CentOS Linux.

Microsoft Office 365 employee passwords leaked online!

A new large-scale phishing campaign targeting global organizations has been found to bypass Microsoft Office 365 Advanced Threat Protection (ATP) and ...

COSMOTE and Microsoft provide new cloud solutions for businesses

COSMOTE and Microsoft expand their cooperation, offering even more advanced and high quality cloud solutions, in large and small ...

Cyber ​​attacks in Eastern Europe are on the rise!

The cyber-attacks that have taken place in many US government agencies and companies in recent months have caused concern in the developing countries of ...

Tesla reduces the prices of the Model 3 in Europe

Tesla has reduced the prices of the Model 3 in many European markets, which reductions could be partly linked ...

iOS, Android, XBox users in the crosshairs of a new malvertising campaign

Recently a new malvertising campaign was discovered that targets users of mobile and other connected devices and uses effective ...