Nmap Notes for Beginners (Simple + Practical)


What is Nmap?

Nmap (Network Mapper) is a tool used for:
• Finding live hosts (which systems are online)
• Finding open ports
• Detecting services and versions
• Running scripts for extra recon using NSE (Nmap Scripting Engine)

Used widely in VAPT (Vulnerability Assessment and Penetration Testing) for recon.

 

1) Basic Nmap Scan

Command:
nmap 10.10.10.10

Why used: Scans the 1000 most common TCP ports of the target (Nmap's default when no ports are given).

 

2) Host Discovery (Find live systems)

-sn (Scan No ports)
Command:
nmap -sn 192.168.1.0/24

Why used: Only checks which devices are alive/up, does NOT scan ports.
Best use: First step in scanning a network.

 

3) Ping blocked? Force scan

-Pn (Skip host discovery, assume host is alive)
Command:
nmap -Pn 10.10.10.10

Why used: Many servers block ping, so Nmap may say “Host seems down”.
-Pn tells Nmap: don’t ping, just scan.

 

4) Port Scanning

Scan one port:
nmap -p 80 10.10.10.10

Scan multiple ports:
nmap -p 22,80,443 10.10.10.10

Scan all ports:
nmap -p- 10.10.10.10

Why used: scans all 65535 TCP ports.

 

5) Scan Types (How Nmap scans)

-sS (SYN Scan)
Command:
sudo nmap -sS 10.10.10.10
Why used: Fast, common, stealthy scan (half-open: Nmap sends a SYN and never completes the handshake). Needs sudo because it sends raw packets.

-sT (TCP Connect Scan)
Command:
nmap -sT 10.10.10.10
Why used: Works without sudo (it uses the OS connect() call and completes the full handshake), but is noisier (easier to detect, and the connection is more likely to be logged by the service).

-sU (UDP Scan)
Command:
sudo nmap -sU 10.10.10.10
Why used: Finds UDP services (DNS, SNMP, etc.), but is usually slow because Nmap relies on rate-limited ICMP replies to tell closed ports apart.

 

6) Service + Version Detection

-sV (Service Version Detection)
Command:
nmap -sV 10.10.10.10

Why used: Shows what service is running and its version.
Example output:
• 22/tcp open ssh OpenSSH 8.x
• 80/tcp open http Apache httpd 2.4.x

 

7) Scripts (NSE)

NSE (Nmap Scripting Engine) = scripts to get more details.

-sC (Default scripts)
Command:
nmap -sC 10.10.10.10
Why used: runs the scripts in the NSE "default" category (same as --script=default), which are chosen to be reasonably safe and quick.

Best recon combo:
nmap -sC -sV 10.10.10.10
Why used: scripts + version info gives better recon.

Vulnerability scripts:
nmap --script vuln 10.10.10.10
Why used: runs the scripts in the NSE "vuln" category to check for known vulnerabilities in the detected services.
Warning: can be noisy and trigger alerts.

 

8) Timing (Speed)

-T4 (Fast scan)
Command:
nmap -T4 10.10.10.10

Timing guide:
• -T3 = normal (default)
• -T4 = faster (recommended)
• -T5 = very aggressive (may miss results + noisy)

 

9) Save Output (Important)

-oN (Normal output file)
Command:
nmap -sV -oN result.txt 10.10.10.10

-oA (Output All formats)
Command:
nmap -sV -oA scan 10.10.10.10

Creates 3 files:
• scan.nmap
• scan.gnmap
• scan.xml
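The .gnmap file above is the easiest of the three to work with from the shell. The script below is an added example (not part of the original notes and not an Nmap tool): it turns the grepable output of a -sV scan into one "host port/proto service version" line per open port, then compares two scans so you can see which ports have been exposed since the last run. It uses constructed sample .gnmap files for the example host, so no real scan is needed to try it.

```shell
#!/bin/sh
# Added example: parse Nmap grepable output (scan.gnmap from -oA / -oG)
# and diff two scans to spot newly opened ports.

# Print one line per open port: "host port/proto service [version]".
# Each entry in the "Ports:" field is port/state/proto/owner/service/rpcinfo/version/
gnmap_open_ports() {
  awk -F'\t' '
    /^Host:/ {
      host = $1
      sub(/^Host: /, "", host); sub(/ .*/, "", host)   # keep the IP only
      for (i = 2; i <= NF; i++) {
        if ($i !~ /^Ports: /) continue
        ports = $i; sub(/^Ports: /, "", ports)
        n = split(ports, p, ", ")
        for (j = 1; j <= n; j++) {
          split(p[j], f, "/")
          if (f[2] != "open") continue            # skip closed/filtered entries
          line = host " " f[1] "/" f[3] " " f[5]
          if (f[7] != "") line = line " " f[7]   # version only present with -sV
          print line
        }
      }
    }' "$1"
}

# Lines present in the NEW scan but not in the OLD one (new exposure).
new_open_ports() {
  old=$(mktemp) && new=$(mktemp) || return 1
  gnmap_open_ports "$1" | sort > "$old"
  gnmap_open_ports "$2" | sort > "$new"
  comm -13 "$old" "$new"
  rm -f "$old" "$new"
}

# Constructed sample .gnmap files standing in for two scans of the example
# host from the notes (no real scan was run; versions are made up).
write_sample() {   # write_sample FILE PORTS_FIELD CLOSED_COUNT
  {
    printf '# Nmap 7.94 scan initiated as: nmap -sV -oG %s 10.10.10.10\n' "$1"
    printf 'Host: 10.10.10.10 ()\tStatus: Up\n'
    printf 'Host: 10.10.10.10 ()\tPorts: %s\tIgnored State: closed (%s)\n' "$2" "$3"
    printf '# Nmap done -- 1 IP address (1 host up) scanned\n'
  } > "$1"
}

SAMPLE_DIR=$(mktemp -d)
write_sample "$SAMPLE_DIR/baseline.gnmap" \
  '22/open/tcp//ssh//OpenSSH 8.9p1/, 80/open/tcp//http//Apache httpd 2.4.52/' 998
write_sample "$SAMPLE_DIR/today.gnmap" \
  '22/open/tcp//ssh//OpenSSH 8.9p1/, 80/open/tcp//http//Apache httpd 2.4.52/, 443/closed/tcp//https///, 3306/open/tcp//mysql//MySQL 8.0.33/' 996

echo "Open ports today:"
gnmap_open_ports "$SAMPLE_DIR/today.gnmap"
echo "Newly opened since baseline:"
new_open_ports "$SAMPLE_DIR/baseline.gnmap" "$SAMPLE_DIR/today.gnmap"
```

Run it against your own files as `gnmap_open_ports scan.gnmap`; the diff only makes sense when both scans used the same port range and -sV, otherwise a version string that appears in one file and not the other shows up as a "new" line.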

 

10) Scan multiple targets from a file

-iL (Input List)
Create targets.txt:
10.10.10.10
10.10.10.11
scanme.nmap.org

Command:
nmap -iL targets.txt

Why used: scans all targets inside the file automatically.

 

Best Practical Nmap Command (VAPT)

Command:
sudo nmap -Pn -sS -p- -sV -sC -T4 -oA fullscan 10.10.10.10

Meaning:
• -Pn → assume host alive
• -sS → SYN scan
• -p- → scan all TCP ports
• -sV → service/version detect
• -sC → default NSE scripts
• -T4 → fast timing
• -oA → save output files

 

Quick Cheat Sheet

• -sn (Scan No ports) → Finds live hosts only
• -Pn (Ping No / skip discovery) → Assume host alive
• -p- (All ports) → Scan all TCP ports
• -sS (SYN scan) → Fast stealth scan (needs sudo)
• -sT (TCP connect scan) → Works without sudo
• -sU (UDP scan) → Scans UDP ports
• -sV (Service Version) → Detect service versions
• -sC (Default scripts) → Run default NSE scripts
• -oA (Output All) → Saves nmap + gnmap + xml
• -iL (Input List) → Scan targets from file
