Nmap Tutorial

Getting started with Nmap

Operating System

Nmap runs on all major platforms but performs best on Linux. Examples in this tutorial use Ubuntu, though the same commands work with Fedora, Alma/Rocky and FreeBSD with only minor changes. Windows users can run Nmap via the official installer, but many prefer WSL2 which provides full Linux functionality without leaving Windows.

Security focused distros such as Kali Linux and ParrotOS ship with Nmap pre-installed.

Virtual Machines

A simple and reliable way to run Nmap in a controlled environment is to use a virtual machine such as VirtualBox or VMware. Whether your main OS is Windows, macOS or Linux a VM gives you a safe environment to experiment with Nmap, take snapshots, install extra tools and break things without affecting your base system.

If you need a Linux system for this tutorial, download an Ubuntu ISO from ubuntu.com and attach it as the boot media for your VM. The default installer is quick and requires no special configuration.

Tip: Use bridged networking so your VM receives its own IP address on the local network.
This makes it easy to scan between your VM, your host, and other devices during testing. Only scan systems you own or have permission to test.

Containers

While you can get containers with Nmap preinstalled from the Docker hub, start from a trusted Ubuntu base and install Nmap in your Dockerfile.

Dockerfile
FROM ubuntu:22.04
RUN apt update && apt install -y --no-install-recommends \
    nmap \
    && apt clean \
    && rm -rf /var/lib/apt/lists/*

ENTRYPOINT ["nmap"]
CMD ["--help"]

Build the image
docker build -t my-nmap .
To run a basic scan
docker run --rm my-nmap scanme.nmap.org
Version & Service detection
docker run --rm my-nmap -sV -p 80,443 example.com

VPS for External Scans

For perimeter testing or remote scanning (such as that provided by hackertarget.com), a small Ubuntu VPS works extremely well. It gives you a clean, dedicated host to scan from an external perspective, matching what an attacker would see. A couple of examples of providers are DigitalOcean or Akamai Cloud offer low-cost instances useful for this purpose.

Nmap Installation

From Package Manager

Ubuntu comes with Nmap in the repositories or software library. To check the version available in the package manager first update your package list and then run:

testuser@ubuntu:/~$ sudo apt update
testuser@ubuntu:/~$ apt show nmap

Your Linux distribution may ship an older or repackaged version of Nmap. Note the snippet of the result below showing version 7.91+dfsg1+really7.80+dfsg1-2ubuntu0.1. Comparing this to the latest stable version its an older version with the latest (at the time of this article) being 7.98

testuser@ubuntu:/~$ apt show nmap
Package: nmap
Version: 7.91+dfsg1+really7.80+dfsg1-2ubuntu0.1
Priority: extra
Section: universe/net
Origin: Ubuntu
Maintainer: Ubuntu Developers 
Original-Maintainer: Debian Security Tools 
...

Then simply run the following command install:

sudo apt install nmap

From Source

In most cases, I suggest sticking with the software from the Software Center, but there are many benefits from running the latest version of Nmap from source. This ensures you have the newest Nmap release system-wide, independent of your package manager.

Building from source also gives you:

• the latest OS fingerprints
• newest service/version detection signatures
• updated NSE scripts
• performance improvements not yet packaged by your distro

Summary of steps. Full explanations below.

Step by step info

1. Download

Download the latest stable tarball from the official Nmap download page: https://nmap.org/download.html, or pull it straight to your current working directory using:

wget https://nmap.org/dist/nmap-7.98.tar.bz2

The tarball will download to your current directory so you can extract and build it immediately.

2. Install dependencies

You may need to install g++ in order to compile. You should also install the libssl-dev package as this will enable the SSL testing NSE scripts to work.

sudo apt install g++ libssl-dev

3. & 4. Extract, Configure, Make & Install

Now unpack, compile and install. Use the standard configure and make commands when building software from source.

bzip2 -cd nmap-7.98.tar.bz2 | tar xvf -
cd nmap-7.98/
./configure
make
sudo make install

Tip: To confirm you're using the compiled version rather than your package manager’s Nmap run:

testuser@ubuntu:/~$ which nmap
This should print
/usr/local/bin/nmap

5. Verify

Now verify the installation has been successful with:

nmap --version

Run the nmap command to see available command line options. Below is a small example.

testuser@ubuntu:/~$ nmap
Nmap 7.98 ( https://nmap.org )
Usage: nmap [Scan Type(s)] [Options] {target specification}
TARGET SPECIFICATION:
  Can pass hostnames, IP addresses, networks, etc.
  Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
  -iL : Input from list of hosts/networks
  -iR : Choose random targets
  --exclude : Exclude hosts/networks
  --excludefile : Exclude list from file
HOST DISCOVERY:
  -sL: List Scan - simply list targets to scan
  -sn: Ping Scan - disable port scan
  -Pn: Treat all hosts as online -- skip host discovery
  -PS/PA/PU/PY[portlist]: TCP SYN, TCP ACK, UDP or SCTP discovery to given ports
  -PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
  -PO[protocol list]: IP Protocol Ping

...

A good starting point is to discover which hosts are live on your local network:

sudo nmap -sn 192.168.1.0/24

This performs a quick host discovery scan across your entire local network (192.168.1.0-254). The -sn flag disables port scanning and only checks which hosts are up, making this very fast, typically completing in under a minute.

Note: This command will also run without sudo, but Nmap falls back to non-privileged host-discovery methods. These are slower and may miss hosts that block TCP connection attempts. Running with sudo enables raw ICMP, ARP, and SYN probes, giving faster and more accurate results.

Starting Nmap 7.98 ( https://nmap.org ) at 2024-12-04 14:23 AEDT
Nmap scan report for router.home (192.168.1.1)
Host is up (0.0012s  latency).
MAC Address: A4:91:B1:2C:5D:8E  (TP-Link Technologies)

Nmap scan report for 192.168.1.15
Host is up (0.045s latency).
MAC Address: B8:27:EB:A3:F2:1C (Raspberry Pi Foundation)

Nmap scan report for 192.168.1.10
Host is up (0.0045s latency).
MAC Address: 3C:5A:B4:77:21:9C (Dell Inc.)

Nmap done: 256 IP addresses (3 hosts up) scanned in 3.29 seconds

Once you've identified live hosts, you can perform a more detailed scan on specific targets. The next example scans one of the hosts discovered in the previous -sn sweep:

sudo nmap -sV 192.168.1.1

This scans the top 1,000 most common ports and identifies service versions with -sV. Running the command with sudo enables Nmap's faster SYN scan; without sudo, Nmap falls back to a TCP Connect scan, which is slower and more detectable.

Starting Nmap 7.98 ( https://nmap.org ) at 2024-12-04 14:25 AEDT
Nmap scan report for router.home (192.168.1.1)
Host is up (0.0011s latency).
Not shown: 996 closed tcp ports (reset)
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
53/tcp  open  domain   dnsmasq 2.80
80/tcp  open  http     nginx 1.18.0
443/tcp open  ssl/http nginx 1.18.0
MAC Address: A4:91:B1:2C:5D:8E (TP-Link Technologies)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.43 seconds

For a full port scan o a single host (this takes 10-20 minutes) use:

sudo nmap -sV -p- 192.168.1.1

Scanning every host in a /24 with the -p- flag scans all 65,535 ports and would take several hours, so this is typically only done on specific targets of interest.

Starting Nmap 7.98 ( https://nmap.org ) at 2024-12-04 14:45 AEDT
Nmap scan report for desktop.home (192.168.1.20)
Host is up (0.0019s latency).
Not shown: 994 closed tcp ports (reset)
PORT     STATE    SERVICE       VERSION
22/tcp   open     ssh           OpenSSH 9.2p1 Debian 2+deb12u1 (protocol 2.0)
80/tcp   filtered http
139/tcp  open     netbios-ssn   Samba smbd 4.17.12-Debian (workgroup: WORKGROUP)
445/tcp  open     netbios-ssn   Samba smbd 4.17.12-Debian (workgroup: WORKGROUP)
3389/tcp open     ms-wbt-server xrdp
5900/tcp open     vnc           VNC (protocol 3.8)
MAC Address: 00:1A:2B:3C:4D:5E (Intel Corporate)
Service Info: Host: DESKTOP; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.92 seconds

Understanding Open, Closed and Filtered

Nmap has a variety of scan types. Understanding how the default and most common SYN scan works is a good place to start to examine how the scan works and interpreting the results.

The 3 way TCP handshake

First, a bit of background, during communication with a TCP service, a single connection is established with the TCP 3 way handshake. This involves a SYN sent to an TCP open port that has a service bound to it, typical examples are HTTP (port 80), SMTP (port 25), POP3 (port 110) or SSH (port 22).

The server side will see the SYN and respond with SYN ACK, with the client answering the SYN ACK with an ACK. This completes the set up and the data of the service protocol can now be communicated.

In the above example, the firewall passes the traffic to the web server (HTTP -> 80) and the web server responds with the acknowledgement.

In all these examples a firewall could be a separate hardware device, or it could be a local software firewall on the host computer.

Filtered ports or when the Firewall drops a packet

The job of a firewall is to protect a system from unwanted packets that could harm the system. In this simple example, the port scan is conducted against port 81, as there is no service running on this port, using a firewall to block access to it is best practice.

A filtered port result from Nmap indicates that the port has not responded at all. The SYN packet has simply been dropped by the firewall. See the following Wireshark packet capture that shows the initial packet with no response.

Closed ports or when the Firewall fails

In this case, closed ports most commonly indicate there is no service running on the port, but the firewall has allowed the connection to go through to the server. It can also mean no firewall is present at all.

Note that while we are discussing the most common scenarios, it is possible to configure a firewall to reject packets rather than drop. This would mean packets hitting the firewall would be seen as closed (the firewall is responding with RST ACK).

Pictured below is a case where a firewall rule allows the packet on port 81 through even though there is no service listening on the port. This is most likely because the firewall is poorly configured.

An Open Port (service) is found

Open Ports are usually what you are looking for when kicking off Nmap scans. The open service could be a publicly accessible service that is, by its nature, supposed to be accessible. It may be a back-end service that does not need to be publicly accessible, and therefore should be blocked by a firewall.

An interesting thing to notice in the wireshark capture is the RST packet sent after accepting the SYN ACK from the web server. The RST is sent by Nmap as the state of the port (open) has been determined by the SYN ACK if we were looking for further information such as the HTTP service version or to get the page, the RST would not be sent. A full connection would be established.

And below, a reminder from Defcon that reconnaissance is an art that never goes out of style.

Hacking Nmap Video from Defcon 13

This video contains some interesting Nmap features, the presenter is Fyodor the creator of the Nmap port scanner.