Recon: Nmap Basics

(YAWN) Morning. Valentine here with another tutorial. Before I begin I do apologize for my two week absence, I was without Internet for two weeks. With that out of the way, the topic I’m gonna discuss is Nmap. I’ve looked around and I was a bit surprised that there’s no real tutorial on Nmap. What’s up with that? I’ve decided to input my own tutorial for Nmap both for reference and also to help the new hackers out. This may or may not be a lengthy tutorial, so please grab your coffee sit in you comfortable chair and please if you like this article or tutorial or whatever you want to call it, please reply down below and give me some lovins. Cheers.

On a more serious note, Nmap isn’t just important it is vital in hacking. The first step with any hack is research, research, research. I admit, it’s not always that exciting but your research can determine with getting caught and the success of the actual hack. But google doesn’t hold the answer to everything and that’s where Nmap comes into the spotlight.

Nmap is a port scanner. Nothing more except the fact that Nmap can scan for OS, Fingerprint, which services are running on which port, etc. Of course I’m only gonna go into the basics. If you really want to learn every nook and cranny of Nmap there’s a book out there that’s waiting for you to find.

Nmap is easy to use and is installed on both Kali Linux and Parrotsec, even installed on the Raspberry Pi version of Kali Linux, but if for some crazy reason you are using Ubuntu or Debian then please type:

apt-get install nmap

I know this is the command for Ubuntu, Kali Linux, and Parrotsec but I’m not exactly sure for the other Linux flavors. When you type Nmap in a terminal the help screen shows up and as you scroll down there are many options to use, but half of these aren’t even important for this tutorial. Please direct your attention to the Scan Techniques section which is probably one of the most important functions that one needs to distinguish.

There are many different types of Scans Basic Scans (I call it basic cause it’s basic),TCP Null Scan, Xmas Scan , etc. There are many scans but I’m only gonna cover four, Basic Scans, Fin Scan, and Windows Scan (Basic Scans are two).

In a terminal: Nmap -sN -A -T sneaky

(Replace with your Ip of choice)

Don’t worry about the other flags and instead pay attention to -sN. This certain type of flag I never used because most systems will block this type of scan or log it. We don’t want that happening which is why the second half of what I call Basic Scans is with the flag -sS. This is the scan that I most frequently use at first, for example a typical scan that I would use along with this flag would look something like this:

Nmap -sS -A -T sneaky

This type of scan for me only really works on systems like a school’s because of the fact that most “important” systems have filtered ports, thankfully there’s a scan that can bypass the filtered ports. The scan is called a FIN scan and I’ve recently discovered this type of scan a few days ago when I ran into the issue of filtered ports. The flag is -sF. The command that I used for this scan looked like this:

Nmap -sF -A -Pn -T polite

Just because the ports are filtered doesn’t mean they aren’t open.

My last scan which I never had to use, but I still keep it as a last resort if all else fails, is the Windows Scan. The one thing that I learned about hacking is that try everything especially the ones that look as if they may fail and of course think outside the box, anything can work. The Windows Scan flag is, -sW. I don’t know if I’ll ever use this scan but I personally think that it’s just as important as anyother.

With the different types of scans covered I’m finally gonna explain the other flags that I showed earlier.

Nmap -sS -A -p (port) -Pn -o -T sneaky

Not all of these flags would need to be in one command, for example the -o flag can determine the OS of the target but the -A flag does both OS and the fingerprint of the target. So you could just run -A or -o instead of having both on one command. -T is the speed that you send the packets (packets is what Nmap sends to gain information). -T is very useful since sometimes there’s extra measures put in place, like if you exceed a number of packets you get logged on the target system. There are five different speeds but in my experience I only use the speed polite and sneaky depending if I want to take a risk or not. The flag -p can be useful at times if you want to figure out which ports are open or not. Nmap automatically scans 1000 ports but what if you want to scan 4000 ports? The flag would look something like this: -p 1-4000. Of course the last flag is the Ip which I’m gonna assume is self-explanatory.

Well then, looks like that’s all that I got for now. If I wrote something wrong please point it out down below in the comments section. I’m still learning so feedback would be great, but other then that, cheers.


Thank you so much for sharing these tutorials! I LOVE when people share their knowledge.

Respect. I salute you.

1 Like

To install nmap in Arch based you can use Pacman (Package manager) :
pacman -sS nmap

dnf install nmap

Apt-get is used to Debian based distros.

To know how much noise is your command, you can test it into a VM and look for his log or use wireshark to see how much noise you do.

-sS do not complete the 3 way handshake for this reason is a good option to start, but -A is very noise try to be careful with it.

Thanks for share, it’s a good tutorial!


This topic was automatically closed after 24 hours. New replies are no longer allowed.