NMAP — A short summary

3mp3r0r
Aug 28, 2020


In this story I will tell you the ways nmap is most widely used. You may call it a short summary of how to use Nmap for port scanning against a target.

Nmap, or Network Mapper, is an open source Linux command line tool for network exploration and security auditing. With Nmap, server administrators can quickly reveal hosts and services, search for security issues, and scan for open ports.

The Nmap tool can audit and discover local and remote open ports, as well as network information and hosts.

Different Ways of using NMAP:

All the commands are self-explanatory.

$ nmap subdomain.domain.com

$ nmap 127.0.0.1

$ nmap 127.0.0.1 192.0.0.1 10.0.0.1

$ nmap 127.0.0.* --exclude 127.0.0.11

$ nmap 127.0.0.1,2,3,4

$ nmap 127.0.0.1-9

$ nmap -p 80,443 127.0.0.1

3 Main types of NMAP Scans

  • -sT for TCP scan (also called full scan)
  • -sS for Stealth scan (also called half scan). This type of scan is slower and may not be as aggressive as the other possible options.
  • -sX for X-mas scan. In this scan, 3 packets with no inter-relationship or relevance to each other are sent, just to confuse the target.

The following shows how -sT, -sS and -sX differ, as observed by packet sniffing with Wireshark:

In -sT, a complete 3-way handshake takes place, starting with a SYN packet and so on.
In -sS (half scan), the complete 3-way handshake does not take place.
In an -sX scan, 3 packets (FIN, PSH & URG) are always sent. They have no relevance to each other.

Output Forms:

  • -oN (normal output)
    Requests that normal output be directed to the given filename.

Eg: $ nmap 127.0.0.1 -oN myfile.txt

  • -oX (XML output)
    Requests that XML output be directed to the given filename.
    XML offers a stable format that is easily parsed by software. Free XML parsers are available for all major computer languages, including C/C++, Perl, Python, and Java. In almost all cases that a non-trivial application interfaces with Nmap, XML is the preferred format.
    The easiest way to use this is simply to load the XML output in a web browser such as Firefox or IE. By default, this will only work on the machine you ran Nmap on due to the hard-coded nmap.xsl filesystem path.

Eg: $ nmap 127.0.0.1 -oX myfile.xml

  • -oS (ScRipT KIdd|3 oUTpuT)
    I personally found nothing special in the output; for me it's similar to normal (-oN).
  • -oG (grepable output)
    This output format is covered last because it is deprecated. The XML output format is far more powerful, and is nearly as convenient for experienced users. XML is a standard for which dozens of excellent parsers are available, while grepable output is my own simple hack. XML is extensible to support new Nmap features as they are released, while I often must omit those features from grepable output for lack of a place to put them.
    It is a simple format that lists each host on one line and can be searched with standard Unix tools such as grep, awk, cut, sed, diff, and Perl. Grepable output consists of comments (lines starting with a pound (#)) and target lines. A target line includes a combination of six labeled fields, separated by tabs and followed with a colon.

Eg: $ nmap 127.0.0.1 -oG myfile

  • -oA (Output to all formats)
    As a convenience, it stores scan results in normal, XML, and grepable formats at once. For the following command they are stored in myfile.nmap, myfile.xml, and myfile.gnmap, respectively.

Eg: $ nmap 127.0.0.1 -oA myfile
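As an added example (not part of the original post), the following Python parser picks apart the grepable (-oG) target lines described above: the tab-separated "Label: value" fields and the slash-separated port entries (port/state/protocol/owner/service/rpc_info/version). The scan lines in SAMPLE_GNMAP are constructed for illustration, not real nmap output.

```python
from typing import Dict, List, Tuple

# Constructed sample of nmap grepable (-oG) output, not a real scan.
# Comment lines start with '#'; target lines are tab-separated fields.
SAMPLE_GNMAP = """\
# Nmap scan initiated as: nmap -oG myfile 127.0.0.1 192.0.2.10
Host: 127.0.0.1 (localhost)\tStatus: Up
Host: 127.0.0.1 (localhost)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/closed/tcp//https///\tIgnored State: filtered (997)
Host: 192.0.2.10 ()\tStatus: Down
# Nmap done -- 2 IP addresses (1 host up) scanned
"""

PortInfo = Tuple[int, str, str, str]  # (port, state, protocol, service)


def parse_gnmap(text: str) -> Dict[str, List[PortInfo]]:
    """Return {ip: [open ports]} from grepable output.

    Hosts reported Down (or with no Ports field) map to an empty list, so the
    caller can tell 'scanned, nothing open' from 'never seen'.
    """
    results: Dict[str, List[PortInfo]] = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue  # comment lines carry no host data
        fields: Dict[str, str] = {}
        for chunk in line.split("\t"):
            label, _, value = chunk.partition(": ")
            fields[label] = value
        # "Host: 1.2.3.4 (name)" -> keep only the address
        host = fields.get("Host", "").split(" ", 1)[0]
        if not host:
            continue
        results.setdefault(host, [])
        if fields.get("Status") == "Down":
            continue
        for entry in filter(None, fields.get("Ports", "").split(", ")):
            parts = entry.split("/")
            if len(parts) < 7:
                continue  # malformed entry: skip instead of crashing
            port, state, proto, _owner, service = parts[:5]
            if state == "open":
                results[host].append((int(port), state, proto, service))
    return results


if __name__ == "__main__":
    for ip, ports in parse_gnmap(SAMPLE_GNMAP).items():
        print(ip, ports)
```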
