Guide To Pentesting- Nmap Basics

Pulkit Mital
6 min readApr 8, 2020


Ever Wonder how the hackers or cybersecurity professional gets to know more about our system.
In this article, we will cover the same techniques from basics to advance.

Let’s start with some theory.

What is Nmap?

Nmap is a network scanning and host detection tool which helps us to gather open ports and services running on it. It can be also used as a vulnerability scanner.

Host Discovery

Before doing any scans to a targeted host or any other systems in the network, you should know how many hosts are live in the network and respond to a ping scan.
Using a specific flag in Nmap we can scan a range of IP Address in the scan.

nmap -sn–255

If we run the command it will scan all the addresses within the network and return the IP Addresses of the systems that are live at that particular time.

Understanding Port State

Now from the above command, we have found the IP Addresses of the live hosts in the network. Now, the question arises what is the state of the ports in the targeted system.
Nmap uses 6 different states:

Open- An open is actively accepting TCP, UDP connections. The hackers have interest in these ports as it is more vulnerable to attacks.

Closed- A closed port is accessible, but no application is listening to it. These ports are majorly helpful to detect if the host is up or for OS detection.

Filtered- Nmap cannot determine if the port is open because the packet filtering prevents nmap probes from reaching the port. The filtering can be because of a firewall, router-rules, or software-based firewalls.

Unfiltered- means the port is accessible but Nmap is unable to determine whether the port is open or not.

Open|Filtered- This state happens when Nmap is unable to determine if the port is open or filtered.

Closed|Filtered- This state happens when Nmap is unable to determine if the port is closed or filtered.

If you want to scan only TCP port you can use below the following command

nmap -sT

In the above image, it is clearly showing if we scan for TCP ports on the targeted system it will give us info about port numbers that are opened, closed, filtered as well as the services running on these ports.

Port List

It is a very tedious job to scan the port one by one so you can set a list of ports in the Nmap scan and then the host will be scanned for the ports specified in the command.

nmap -p135, 139

Port Range

Instead of giving the list of specific ports to check whether they are open or not, you can even specify a range of ports and Nmap scans for every port specified in the range.

nmap -p1–50 

All Ports

Suppose you want to scan all 65535 ports then you can use below commands and as the open ports are more useful for us, we can have a flag “ — open” to only specify the open ports.

nmap -p- — open

Port Service Name

What if you don’t know a specific port number but you know the service which can be running on the target then we can use below syntax to scan it
nmap -p <service_name> <target_ip>

nmap -p http

UDP Scan

Most of the time, when we are scanning targets for open, we ignore the UDP ports and these ports mostly expose essential information about the host and are vulnerable. To scan these ports we can use “-sU” flag while scanning with Nmap and all the port list and range technique will work as it is with this flag.

nmap -sU

OS Detection

Nmap can also be used as OS fingerprinting tool. You can scan the target and get which operating system is running on it. And this data is very useful for us as a hacker or pentester. you can enter the following command

nmap -O

As we can see in the above image, after scanning the target for OS, the Nmap scan is returning that the target is running Linux on it.

Above command will dump the following information:

Device type: All fingerprints are classified with one or more high-level device types, such as router, printer, firewall, general purpose.

Running: It shows the OS Family (Linux in this case) and OS generation if available. If there are multiple OS families, they are separated by commas. When Nmap can’t narrow down OS generations to one specific choice, options are separated by the pipe symbol (‘|’) Examples include OpenBSD 3.X, NetBSD 3.X|4.X and Linux 2.4.X|2.5.X|2.6.X.

OS CPE: This shows a Common Platform Enumeration (CPE) representation of the operating system when available. It may also have a CPE representation of the hardware type. OS CPE begins with cpe:/o and hardware CPE begin with cpe:/h.

OS details: This line gives a detailed description for each fingerprint that matches. While the Device type and Running lines are from predefined enumerated lists that are easy to parse by a computer, the OS details line contains free-form data which is useful to a human reading the report. This can include more exact version numbers, device models, and architectures specific to a given fingerprint.

Version Scan

When doing the pentesting of your computer or clients, you want to know the services and versions of the services running on the system. Having an accurate version of the services running on the system can help you to determine which exploits a server is vulnerable. And because of this reason version scanning is very important.

nmap -sV

Protocol Scan

A Protocol scan is useful for determining what communication protocols are being used by a host. This method shows how to use Nmap to enumerate all of the IP protocols, where sends a raw IP packet without any additional protocol header, to each protocol on the target machine. For the IP protocols TCP, ICMP, UDP, IGMP, and SCTP, Nmap will set valid header values but for the rest, an empty IP packet will be used.

nmap -sO

Timing Template Scan

The main timing option is set through the -T parameter if you may want more control over the timing in order get the scan to get over fast. However, Nmap adjusts its timings automatically depending on network speed and response times of the victim.

Nmap offers a simpler approach, with six timing templates. You can specify them with the -T option and their number (0–5) or their name as shown below:

  • T0: paranoid
  • T1: sneaky
  • T2: polite
  • T3: normal
  • T4: aggressive
  • T5: insane
nmap -T4

If you compare a normal Nmap scan and the scan with a time template, then you will notice the later is faster then the first one.

Now, you learned how to enumerate and detect the open ports and services running on the target system with their version. In the coming section, we will see how can we use this gathered information from Nmap to find the vulnerability on the targeted host.