Installing and Using nmap for Port Scanning
Installation
Visit nmap.org for the official download page.
During installation, ensure all options are selected. This includes installing the packet capture driver (npcap) and setting up environment variables automatically.
To verify installation:
Open Command Prompt and run nmap. If successful, the tool is ready for use.
Common Scan Types
TCP Connect Scan (-sT)
This method establishes a full TCP connection to determine port status.
nmap -sT target_host
It's less stealthy and slower compared to other methods.
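To show what a connect scan actually does on the wire, here is an added example (not code from nmap or from the original page) that opens a throwaway TCP listener on the loopback address as a stand-in for a real service, then checks a list of ports the way -sT does: a completed three-way handshake means open, an immediate RST (connection refused) means closed, and no answer within the timeout is reported as filtered. The listener, port numbers and "filtered" timeout are assumptions for the demonstration; a SYN scan (-sS) differs precisely in that it never completes the handshake.

```python
import socket
import threading


def start_listener(host="127.0.0.1"):
    """Open a listening TCP socket on an OS-assigned port (stand-in for a real service)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:  # listener closed
                break

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, port


def find_closed_port(host="127.0.0.1"):
    """Return a port that was just released, so nothing is listening on it (demo helper)."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind((host, 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


def connect_scan(host, ports, timeout=0.5):
    """Full-connect check like nmap -sT: complete the handshake, then close.

    Returns {port: "open" | "closed" | "filtered"}.
    """
    results = {}
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            s.connect((host, port))       # SYN, SYN/ACK, ACK all exchanged
            results[port] = "open"
        except ConnectionRefusedError:    # RST came back: nothing listening
            results[port] = "closed"
        except (socket.timeout, OSError):  # no answer: dropped by a filter or host down
            results[port] = "filtered"
        finally:
            s.close()
    return results


if __name__ == "__main__":
    srv, open_port = start_listener()
    closed_port = find_closed_port()
    print(connect_scan("127.0.0.1", [open_port, closed_port]))
    srv.close()
```

Because every probe completes a handshake, each one reaches the application layer and shows up in the service's own logs, which is why the text above calls -sT the less stealthy option.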
Multiple hosts can be scanned simultaneously by listing them:
nmap host1.com host2.com
nmap 192.168.0.1 192.168.0.2
nmap 192.168.0.1,2
nmap -iL list.txt
(-iL reads targets from a file; -sL is the list scan, which only prints the targets and does not scan them.)
Scanning an entire subnet like 192.168.0.* is also possible but takes considerable time.
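The target notations above (plain hosts, comma-separated octets, the * wildcard, and CIDR blocks such as the /24 form used later on this page) can be expanded into the concrete address list a scan would cover, which is useful for estimating how long a subnet scan will take or for checking a scan scope before running it. The following is an added example, not code from nmap or from the original page; it handles the octet forms nmap accepts (single values, comma lists, low-high ranges and *), treats anything that is not dotted IPv4 as a hostname to be resolved later, and assumes plain IPv4 only.

```python
import ipaddress
import re

# Matches a dotted IPv4 spec whose octets may contain digits, commas, ranges and '*'.
_OCTET_SPEC = re.compile(r"[0-9,*\-]+(\.[0-9,*\-]+){3}")


def _expand_octet(spec):
    """Expand one octet spec such as '5', '1,2', '1-3' or '*' into a sorted list of ints."""
    values = set()
    for part in spec.split(","):
        if part == "*":
            values.update(range(256))
        elif "-" in part:
            lo, hi = part.split("-", 1)
            values.update(range(int(lo), int(hi) + 1))
        else:
            values.add(int(part))
    if any(v < 0 or v > 255 for v in values):
        raise ValueError(f"octet out of range in {spec!r}")
    return sorted(values)


def expand_target(spec):
    """Expand one nmap-style IPv4 target spec into a list of address strings."""
    if "/" in spec:
        # CIDR block: every address in the block, network and broadcast included.
        return [str(a) for a in ipaddress.ip_network(spec, strict=False)]
    if _OCTET_SPEC.fullmatch(spec):
        a, b, c, d = (_expand_octet(o) for o in spec.split("."))
        return [f"{w}.{x}.{y}.{z}" for w in a for x in b for y in c for z in d]
    return [spec]  # hostname: left for DNS resolution


def expand_targets(specs):
    """Expand several specs, preserving order and dropping duplicates."""
    seen, out = set(), []
    for spec in specs:
        for addr in expand_target(spec):
            if addr not in seen:
                seen.add(addr)
                out.append(addr)
    return out


if __name__ == "__main__":
    for spec in ["192.168.0.1,2", "192.168.0.*", "10.0.0.0/30", "host1.com"]:
        print(spec, "->", len(expand_target(spec)), "target(s)")
```

Run against the examples from this section, "192.168.0.*" expands to 256 addresses, which is why the text notes that a wildcard scan takes considerable time.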
SYN Scan (-sS)
This scan sends a SYN packet and waits for a response. It avoids completing the TCP handshake, making it faster and more discreet.
nmap -sS target_host
It requires root privileges and is generally preferred due to its efficiency and reduced detection risk.
UDP Scan (-sU)
Used to identify open UDP ports on a target system.
nmap -sU target_host
UDP scans are typically slower and may reveal running services.
IP Protocol Scan (-sO)
Determines which IP protocols are supported by the target.
nmap -sO target_host
OS Detection (-O)
Identifies the operating system of the target machine.
nmap -O target_host
Firewall Evasion Techniques
These options help bypass firewalls or IDS systems:
-f: Fragment packets
--mtu <value>: Set maximum transmission unit
-D <decoy1,decoy2,...>: Use decoys to obscure scan origin
-S <IP>: Spoof source IP address
-e <interface>: Specify network interface
-g <port>: Set source port for scanning
--data-string <string>: Append custom ASCII string
--data-length <num>: Append random data
Advanced Usage
nmap -Pn target_host # Skip ping checks
nmap -sI zombie_ip target_ip # Idle (zombie) scan using a zombie host
nmap -sA target_host # ACK scan to detect filtered ports
nmap target_host -p 80 # Scan specific port
nmap 192.168.78.1/24 # Scan entire subnet
nmap target_host -oX result.xml # Save output in XML format
nmap -T4 target_host # Adjust scan speed (templates run from -T0, slowest, to -T5, fastest; -T3 is the default)
nmap -sV target_host # Service version detection
nmap -sC target_host # Run the default NSE script set
nmap --script script_name target_host # Run a specific NSE script or script category
nmap -A target_host # Aggressive scan mode
nmap -6 ipv6_address # IPv6 scanning
nmap -f target_host # Fragment packets
nmap --mtu 128 target_host # Set MTU size
nmap -D RND:5 target_host # Use 5 random decoys (explicit form: -D decoy1,decoy2,ME target_host)
nmap --source-port 53 target_host # Use specific source port
nmap --data-length 100 target_host # Modify packet length
nmap -v target_host # Verbose output
nmap -sn target_host # Ping scan only
nmap -sP target_host # Host discovery only (older alias for -sn)
nmap -n -p 80 target_host # No DNS resolution, scan port 80
nmap --system-dns target_host # Use system DNS
nmap --traceroute target_host # Trace route to target
nmap -PE target_host # ICMP echo scan
nmap -PP target_host # ICMP timestamp scan
nmap -PM target_host # ICMP netmask scan
nmap -iR 10 # Randomly scan 10 hosts