
What is Nmap? Powerful Network Scanning Tools Warning

Nmap (Network Mapper) is a powerful open-source tool for network discovery and security auditing. It can:

  • Identify live hosts on a network.
  • Scan open ports and services.
  • Detect operating systems and software versions.
  • Run scripts to find vulnerabilities or enumerate details (like your WordPress plugins).

It’s pre-installed on Kali Linux, and you can update it with:

bash

sudo apt update && sudo apt install nmap

Basic Nmap Syntax

The general command structure is:

bash

nmap [options] [target]

  • Target: IP address (e.g., xxx.123.123.xxx), hostname (e.g., example.com), or range (e.g., 192.168.1.0/24).
  • Options: Flags to customize the scan (e.g., -p for ports, -sV for version detection).

Core Concepts Before Scanning

  1. Port States: Nmap reports ports as:
    • Open: A service is actively listening (e.g., HTTPS on 443).
    • Closed: No service, but the host is up.
    • Filtered: A firewall or other filter is dropping the probe, so Nmap can’t determine whether the port is open or closed.
  2. Scan Types: Nmap supports different techniques (e.g., TCP SYN, UDP) depending on your goal.
  3. Scripts: The Nmap Scripting Engine (NSE) extends functionality (e.g., http-wordpress-enum).

Step-by-Step: How to Use Nmap

Let’s build your skills with practical examples, starting simple and progressing to advanced scans.

1. Basic Host Discovery

Goal: Check if a host is alive without scanning ports.
Command:

bash

nmap -sn xxx.123.123.xxx

Explanation:

  • -sn: Ping scan (no port scanning), uses ICMP or TCP probes.
    Output (example):
Nmap scan report for xxx-123-123-xxx.abc.com (xxx.123.123.xxx)
Host is up (0.035s latency).

Use Case: Verify a server is online before deeper scans.

2. Default Port Scan

Goal: Scan the top 1,000 common ports.
Command:

bash

nmap xxx.123.123.xxx

Explanation:

  • No options = TCP SYN scan on the default 1,000 ports when run as root; as a non-root user Nmap falls back to a TCP connect scan.
    Output (based on your earlier scan):
PORT    STATE SERVICE
443/tcp open  https

Use Case: Quick check for open services.

3. Specific Port Scan

Goal: Scan only port 443 (HTTPS, as in your WordPress example).
Command:

bash

nmap -p 443 xxx.123.123.xxx

Explanation:

  • -p 443: Targets port 443 only.
    Output:
PORT    STATE SERVICE
443/tcp open  https

Use Case: Focus on a known service (e.g., web server).

4. Range of Ports

Goal: Scan a chosen set of ports, such as 80 (HTTP) and 443 (HTTPS), rather than the default list.
Command:

bash

nmap -p 80,443 xxx.123.123.xxx

Output:

PORT    STATE  SERVICE
80/tcp  closed http
443/tcp open   https

Use Case: Check multiple web-related ports.

5. Full Port Scan

Goal: Scan all 65,535 TCP ports.
Command:

bash

nmap -p- xxx.123.123.xxx

Explanation:

  • -p-: Scans every port (1-65535).
    Output (example):
PORT    STATE  SERVICE
443/tcp open   https

Use Case: Exhaustive scan to find hidden services (takes longer).

6. Service Version Detection

Goal: Identify the software and version running on open ports.
Command:

bash

nmap -sV -p 443 xxx.123.123.xxx

Explanation:

  • -sV: Probes services for version info.
    Output (example):
PORT    STATE SERVICE VERSION
443/tcp open  https   Apache/2.4.41 (Ubuntu) OpenSSL/1.1.1

Use Case: Confirm web server details for vulnerability research.

7. OS Detection

Goal: Guess the operating system and version.
Command:

bash

nmap -O xxx.123.123.xxx

Explanation:

  • -O: Analyzes TCP/IP stack for OS fingerprint.
    Output (example):
OS details: Linux 4.15 - 5.4 (Ubuntu)

Use Case: Understand the server’s platform.

8. Aggressive Scan (All-in-One)

Goal: Combine version detection, OS detection, and scripts.
Command:

bash

nmap -A -p 443 xxx.123.123.xxx

Explanation:

  • -A: Enables -sV, -O, script scanning, and traceroute.
    Output (example):
PORT    STATE SERVICE VERSION
443/tcp open  https   Apache/2.4.xx (Ubuntu) OpenSSL/1.1.1
| http-methods: GET HEAD POST OPTIONS
|_http-title: Welcome to Your WordPress Site
OS details: Linux 4.xx - 5.x

Use Case: Comprehensive recon in one go.

9. Script Scanning (WordPress-Specific)

Goal: Enumerate WordPress plugins (like your earlier scan).
Command:

bash

nmap -p 443 --script http-wordpress-enum xxx.123.123.xxx

Explanation:

  • --script: Runs the specified NSE script.
  • http-wordpress-enum: Checks for plugins/themes.
    Output (your result):
PORT    STATE SERVICE
443/tcp open  https
| http-wordpress-enum:
|   plugins
|     akismet
|     contact-form-7 6.0.x
|     wordpress-seo 24.x.x
|     wordfence 8.0.x
|     woocommerce 9.x.0
|     gtranslate 3.0.x
|_    wp-mail-smtp 4.x.0

Use Case: Target WordPress-specific details.
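From the defender’s side, the value of this script output is comparing what is visible from the outside against the plugin inventory you believe is installed. As an added example that is not part of the original post, the POSIX shell script below parses the http-wordpress-enum block from Nmap output (a constructed sample in the report format shown above), lists each plugin with the version the script reported, and flags plugins that are missing from an inventory, report no version, or differ from the inventory’s version. The sample output, the inventory, and the function names wp_plugins and wp_audit are assumptions for this example.

```shell
#!/bin/sh
# Added example, not from the original post: parse the http-wordpress-enum
# block from Nmap output and compare it with a plugin inventory.
# Real use:  nmap -p 443 --script http-wordpress-enum HOST | wp_audit

# Constructed scan output in the NSE report format ("|" continues a script
# block, "|_" marks its last line). Versions here are made up for the demo.
SAMPLE_NSE='PORT    STATE SERVICE
443/tcp open  https
| http-wordpress-enum:
|   plugins
|     akismet
|     contact-form-7 6.0.1
|     wordfence 8.0.2
|     gtranslate 3.0.0
|   themes
|_    twentytwentyfour 1.0'

# Constructed inventory: "plugin version" pairs you believe are installed.
INVENTORY='akismet 5.3
contact-form-7 6.0.1
wordfence 8.0.1'

# wp_plugins: print "name version" for every plugin in the http-wordpress-enum
# block; "unknown" when the script could not determine a version.
wp_plugins() {
    awk '
        /^\| *http-wordpress-enum:/ { inblock = 1; section = ""; next }
        !inblock { next }
        !/^\|/   { inblock = 0; next }            # left the script block
        {
            last = ($0 ~ /^\|_/)                  # "|_" closes the block
            line = $0
            sub(/^\|_?[ \t]*/, "", line)
            n = split(line, f, " ")
            if (n == 1 && (f[1] == "plugins" || f[1] == "themes"))
                section = f[1]
            else if (section == "plugins" && n >= 1)
                print f[1], (n >= 2 ? f[2] : "unknown")
            if (last) inblock = 0
        }
    '
}

# wp_audit: one line per plugin the scanner saw, prefixed with a status:
#   OK            version matches the inventory
#   MISMATCH      scanner-reported version differs from the inventory
#   UNVERSIONED   plugin present but no version reported; verify by hand
#   UNLISTED      plugin not in the inventory at all
wp_audit() {
    wp_plugins | awk -v inv="$INVENTORY" '
        BEGIN {
            n = split(inv, lines, "\n")
            for (i = 1; i <= n; i++) { split(lines[i], kv, " "); want[kv[1]] = kv[2] }
        }
        {
            if (!($1 in want))          status = "UNLISTED"
            else if ($2 == "unknown")   status = "UNVERSIONED"
            else if ($2 == want[$1])    status = "OK"
            else                        status = "MISMATCH (inventory " want[$1] ")"
            print status, $1, $2
        }
    '
}

# Stand-alone demo on the constructed sample.
printf '%s\n' "$SAMPLE_NSE" | wp_audit
```

Themes are parsed past but not reported, so the audit stays focused on the plugin list; an UNVERSIONED result is worth a manual check because a plugin that hides its version from the scanner is still present and still needs patching.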

10. UDP Scanning

Goal: Scan for UDP services (less common but worth checking).
Command:

bash

nmap -sU -p 123,161 xxx.123.123.xxx

Explanation:

  • -sU: UDP scan.
  • -p 123,161: Common UDP ports (NTP, SNMP).
    Output (example):
PORT    STATE  SERVICE
123/udp closed ntp
161/udp closed snmp

Use Case: Check non-TCP services (slower, because UDP has no handshake and unanswered probes must time out before Nmap can report a state).

11. Stealth Scan (SYN)

Goal: Scan quietly to avoid detection.
Command:

bash

nmap -sS -p 443 xxx.123.123.xxx

Explanation:

  • -sS: SYN scan (half-open, doesn’t complete TCP handshake).
    Output:
PORT    STATE SERVICE
443/tcp open  https

Use Case: Fewer completed connections for the target service to log (SYN scan requires root; the default for non-root users is a TCP connect scan).

12. Multiple Targets

Goal: Scan a range or multiple IPs.
Command:

bash

nmap xxx.123.123.1 xxx.123.123.2

Or for a subnet:

bash

nmap xxx.123.123.xxx/24

Output (example):

Nmap scan report for xxx.123.123.1
PORT    STATE SERVICE
443/tcp open  https
Nmap scan report for xxx.123.123.2
PORT    STATE SERVICE
22/tcp  open  ssh

Use Case: Scan a network or related servers.
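Reading these reports by eye works for one host but not for a subnet. As an added example that is not part of the original post, the POSIX shell script below parses Nmap’s normal output (a constructed sample in the per-host report format shown in steps 5 and 12) and prints any open port that is missing from an approved baseline, which is the usual defensive use of a full port scan across several hosts: catching listeners nobody expected. The sample scan, the baseline, and the function names open_ports and unexpected_ports are assumptions for this example.

```shell
#!/bin/sh
# Added example, not from the original post: turn Nmap normal output into a
# "host port/proto service" list and diff it against an approved baseline.
# Both the scan text and the baseline are constructed for the demo; a real
# run would be:  nmap -p- xxx.123.123.0/24 | unexpected_ports

# Constructed scan output, mirroring the report Nmap prints per host.
SAMPLE_SCAN='Nmap scan report for xxx-123-123-1.abc.com (xxx.123.123.1)
Host is up (0.035s latency).
PORT     STATE    SERVICE
80/tcp   closed   http
443/tcp  open     https
8080/tcp open     http-proxy
Nmap scan report for xxx.123.123.2
Host is up (0.041s latency).
PORT     STATE    SERVICE
22/tcp   open     ssh
443/tcp  open     https
3306/tcp filtered mysql'

# Constructed baseline: one "host port/proto" pair per line that may be open.
BASELINE='xxx.123.123.1 443/tcp
xxx.123.123.2 22/tcp
xxx.123.123.2 443/tcp'

# open_ports: read Nmap normal output on stdin and print
# "host port/proto service" for each port whose state is exactly "open".
# "closed", "filtered" and "open|filtered" are deliberately skipped: only a
# confirmed listener is compared against the baseline.
open_ports() {
    awk '
        /^Nmap scan report for / {
            host = $NF                       # last word: "(ip)" or a bare ip
            gsub(/[()]/, "", host)           # keep the IP rather than the hostname
            next
        }
        $1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" { print host, $1, $3 }
    '
}

# unexpected_ports: open ports from stdin that are absent from $BASELINE.
# One "host port/proto service" line per finding; no output means the scan
# matched the baseline.
unexpected_ports() {
    open_ports | awk -v baseline="$BASELINE" '
        BEGIN {
            n = split(baseline, lines, "\n")
            for (i = 1; i <= n; i++) ok[lines[i]] = 1
        }
        { key = $1 " " $2; if (!(key in ok)) print key, $3 }
    '
}

# Stand-alone demo: report baseline drift in the constructed scan.
printf '%s\n' "$SAMPLE_SCAN" | unexpected_ports
```

Filtered ports are ignored on purpose: a baseline diff is about confirmed listeners, and a port that was filtered in one scan and closed in the next is a firewall question, not a new service.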


Practical Demo Cases

Let’s apply these to your WordPress scenario (xxx.123.123.xxx):

  1. Quick Recon:

bash

nmap -sV -p 80,443 xxx.123.123.xxx

  • Checks HTTP and HTTPS, identifies server versions.

  2. WordPress Deep Dive:

bash

nmap -p 443 --script http-wordpress-enum,http-wordpress-users xxx.123.123.xxx

  • Enumerates plugins and attempts to find usernames.

  3. Full Security Audit:

bash

nmap -A -p- xxx.123.123.xxx

  • Scans all ports, versions, OS, and runs default scripts.

  4. Firewall Evasion:

bash

nmap -sS -f -p 443 xxx.123.123.xxx

  • -f: Fragments packets to bypass simple firewalls.

Practice Challenge

Try this on your target:

bash

nmap -sV -p 443 --script http-wordpress-enum,http-methods xxx.123.123.xxx

  • What services and HTTP methods do you see? Share the output if you want feedback!

Let me know if you’d like to explore a specific case further or troubleshoot a scan! What’s your next goal with Nmap?
