Red Teaming

17 min read

HTB’s 15 must-know Nmap commands in 2024

Discover the most essential commands for scanning, host discovery, and evasion using Nmap.

Dimitris avatar

Dimitris,
Feb 27
2024

This post is based on the Hack The Box (HTB) Academy module (or course) on Network Enumeration with Nmap. The module provides the fundamentals that will be needed to use the Nmap tool for performing effective network enumeration.

You can learn more by browsing the catalog of free or advanced cybersecurity courses on the HTB Academy! 

What is Nmap?

Network Mapper (Nmap) is an open-source network analysis and security auditing tool. It is designed to scan networks and identify which hosts are available on the network using raw packets, services, and applications. 

Nmapcan also identify the operating systems and versions of these hosts. Itoffers scanning capabilities that can determine if packet filters, firewalls, or intrusion detection systems (IDS) are configured as needed.

Every cybersecurity professional should use and understand Nmap. Haven’t used it yet? You can download it here.

How to use Nmap

Nmap can be divided into the following scanning techniques:

  • Host discovery.

  • Port scanning.

  • Service enumeration and detection.

  • OS detection.

  • Scriptable interaction with the target service (Nmap Scripting Engine).

The syntax for Nmap is fairly simple and looks like this:

[!bash!]$ nmap <scan types> <options> <target>

Nmap offers plenty of different scanning techniques, including the following: 

$ nmap --help

<SNIP>
SCAN TECHNIQUES:
  -sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
  -sU: UDP Scan
  -sN/sF/sX: TCP Null, FIN, and Xmas scans
  --scanflags <flags>: Customize TCP scan flags
  -sI <zombie host[:probeport]>: Idle scan
  -sY/sZ: SCTP INIT/COOKIE-ECHO scans
  -sO: IP protocol scan
  -b <FTP relay host>: FTP bounce scan
<SNIP>

We’ll dive into some of the most common and important Nmap scan commands later on in this guide.

The importance of enumeration: Why learning Nmap is just a starting point

Enumeration is the art of information gathering so that we can identify all of the ways we could attack a target. Nmap is a tool we can use to enumerate this information, but we should always prioritize skills and methodology over tools.

After all, we need to know what to do with and how to analyze the information we may find using Nmap. The tools are just tools, and tools alone should never replace our knowledge and our attention to detail.

After using a tool like Nmap to gather as much information as we can, we must then understand how to actually interact with the services found. 

Manual enumeration is a critical component. Many scanning tools simplify and accelerate the process. However, these cannot always bypass the security measures of the services.

Learn Network Enumeration with Nmap

Nmap is an important part of network diagnostics and evaluation of network-connected systems. In this interactive module, we will learn the basics of this tool and how it can be used to map out internal networks by identifying live hosts and performing port scanning, service enumeration, and operating system detection.

  • An overview of Nmap.

  • Host discovery and port scanning.

  • Saving scan results.

  • Service enumeration.

  • Using the powerful Nmap scripting language.

  • Firewall and IDS/IPS evasion.

Top Nmap use cases 

Nmap use cases
 

Network administrators, IT security specialists, SOC analysts, and penetration testers all have Nmap as a regular pentesting tool in their arsenal. Here are some of the most common use cases: 

  • Enumeration: uncover information including device types, reverse DNS (Domain Name System) names, MAC addresses, and IP addresses of all active hosts.

  • Auditing: survey the security aspects of a network.

  • Testing: simulate penetration tests using Nmap. 

  • Find security issues: Nmap can be used to scan servers and uncover paths attackers may use to exploit. 

  • Detect vulnerabilities: analysts and pentesters can use Nmap to detect any existing vulnerabilities on the network. 

  • Host discovery: discover live hosts within the network.

  • Identify open ports: Nmap conducts port scanning of target hosts.

  • OS version detection: discover the operating system (OS) and version of a target system quickly. 

Nmap commands cheat sheet 

Whilst we do develop muscle memory in the world of cybersecurity, we don’t expect you to memorize everything right away. Keep this cheat sheet handy, you never know when you might need it!

 

Host discovery commands

Nmap host discovery commands
 

Say we’re conducting an internal penetration test for an entire company network. We’ll begin by gaining an overview of which systems are online that we can work with.

To discover active systems on the network, we can use various Nmap host discovery options. 

Note:💡Store every single scan. Each one may later be used for comparison, documentation, and reporting. After all, different tools may produce different results. 

Scan network range 

Scanning a range of networks with this method only works if the firewalls in place allow it.

sudo nmap 10.129.2.0/24 -sn -oA tnet

Nmap command

Description

10.129.2.0/24

target network range.

-sn

disables port scanning.

-oA tnet

Stores the results in all formats starting with the name 'tnet'.

 

Scan IP list

Often, before performing an internal penetration test, you may be provided with an IP list of the hosts we need to test. 

Nmap saves us time by allowing us to upload a list, rather than manually tying them in. It looks like this:

sudo nmap -sn -oA tnet -iL hosts.lst

10.129.2.4
10.129.2.10
10.129.2.11
10.129.2.18
10.129.2.19
10.129.2.20
10.129.2.28

Nmap command

Description

-sn

Disables port scanning.

-oA tnet

Stores the results in all formats starting with the name 'tnet'.

-iL

Performs defined scans against targets in provided 'hosts.lst' list.

 

Scan multiple IPs

In some instances, you may only need to scan a small portion of the network, which means you can manually enter the IP addresses:

sudo nmap -sn -oA tnet 10.129.2.18 10.129.2.19 10.129.2.20| grep for | cut -d" " -f5

10.129.2.18
10.129.2.19
10.129.2.20

Scan a single IP

Before we scan a single host for open ports and its services, we first have to determine if it is alive or not. For this, we can use the same method as before.

sudo nmap 10.129.2.18 -sn -oA host 

Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-14 23:59 CEST
Nmap scan report for 10.129.2.18
Host is up (0.087s latency).
MAC Address: DE:AD:00:00:BE:EF
Nmap done: 1 IP address (1 host up) scanned in 0.11 seconds

Nmap command

Description

10.129.2.18

Performs defined scans against the target.

-sn

Disables port scanning.

-oA host

Stores the results in all formats starting with the name 'host'.

 

Host and port scanning commands

Nmap host and port scanning commands
 

Once we’ve gathered whether a host is active or not, the next step is to understand what state the scanned port is in. There are six different states:

  1. Open: a connection to the scanned port has been established.

  2. Closed: the TCP protocol indicates that the packet we received back contains an RST flag.

  3. Filtered: Nmap cannot correctly identify whether the scanned port is open or closed because either no response is returned from the target for the port or we get an error code from the target.

  4. Unfiltered: the port is accessible, but it cannot be determined whether it is open or closed.

  5. Open|filtered: this indicates that a firewall or packet filter may protect the port.

  6. Closed|filtered: impossible to determine if the scanned port is closed or filtered by a firewall.

How to discover open TCP ports

By default, Nmap scans the top 1000 TCP ports with the SYN scan (-sS). This means that if we do not define ports and scanning methods, these parameters are set automatically.

We can define the ports in the following ways:

  • One by one (-p 22,25,80,139,445).

  • By range (-p 22-445).

  • By top ports (--top-ports=10). 

Scanning Top 10 TCP ports

sudo nmap 10.129.2.28 --top-ports=10 

Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-15 15:36 CEST
Nmap scan report for 10.129.2.28
Host is up (0.021s latency).

PORT     STATE    SERVICE
21/tcp   closed   ftp
22/tcp   open     ssh
23/tcp   closed   telnet
25/tcp   open     smtp
80/tcp   open     http
110/tcp  open     pop3
139/tcp  filtered netbios-ssn
443/tcp  closed   https
445/tcp  filtered microsoft-ds
3389/tcp closed   ms-wbt-server
MAC Address: DE:AD:00:00:BE:EF (Intel Corporate)

Nmap done: 1 IP address (1 host up) scanned in 1.44 seconds

Nmap command

Description

10.129.2.28

Scans the specified target.

--top-ports=10

Scans the specified top ports that have been defined as most frequent.

Here Nmap will display the state the port is in (open, closed, etc.) and also the service it runs on. 

Trace the packets 

Now, we want to find out more information about the open ports, we can do this by running a packet trace scan:

sudo nmap 10.129.2.28 -p 21 --packet-trace -Pn -n --disable-arp-ping

Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-15 15:39 CEST
SENT (0.0429s) TCP 10.10.14.2:63090 > 10.129.2.28:21 S ttl=56 id=57322 iplen=44  seq=1699105818 win=1024 <mss 1460>
RCVD (0.0573s) TCP 10.129.2.28:21 > 10.10.14.2:63090 RA ttl=64 id=0 iplen=40  seq=0 win=0
Nmap scan report for 10.11.1.28
Host is up (0.014s latency).

PORT   STATE  SERVICE
21/tcp closed ftp
MAC Address: DE:AD:00:00:BE:EF (Intel Corporate)

Nmap done: 1 IP address (1 host up) scanned in 0.07 seconds

Nmap command

Description

10.129.2.28

Scans the specified target.

-p 21

Scans only the specified port.

--packet-trace

Shows all packets sent and received.

-n

Disables DNS resolution.

--disable-arp-ping

Disables ARP ping.

 

Connect scan

The Nmap TCP Connect Scan (-sT) uses the TCP three-way handshake to determine if a specific port on a target host is open or closed. 

The scan sends a SYN packet to the target port and waits for a response. It is considered open if the target port responds with a SYN-ACK packet and closed if it responds with an RST packet.

Why do we do this?

Because it’s the most accurate way of determining the true state of a port.

It’s also stealthy. 

The connect scan does not leave any unfinished connections or unsent packets on the target host, which makes it less likely to be detected by intrusion detection systems (IDS) or intrusion prevention systems (IPS).

sudo nmap 10.129.2.28 -p 443 --packet-trace --disable-arp-ping -Pn -n --reason -sT 

Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-15 16:26 CET
CONN (0.0385s) TCP localhost > 10.129.2.28:443 => Operation now in progress
CONN (0.0396s) TCP localhost > 10.129.2.28:443 => Connected
Nmap scan report for 10.129.2.28
Host is up, received user-set (0.013s latency).

PORT    STATE SERVICE REASON
443/tcp open  https   syn-ack

Nmap done: 1 IP address (1 host up) scanned in 0.04 seconds

Scan for open UDP ports

Some system administrators sometimes forget to filter the UDP ports in addition to the TCP ones. 

Since UDP is a stateless protocol and does not require a three-way handshake like TCP. We do not receive any acknowledgment. Consequently, the timeout is much longer, making the whole UDP scan (-sU) much slower than the TCP scan (-sS).

Let's look at an example of what a UDP scan (-sU) can look like and what results it gives us:

sudo nmap 10.129.2.28 -F -sU

Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-15 16:01 CEST
Nmap scan report for 10.129.2.28
Host is up (0.059s latency).
Not shown: 95 closed ports
PORT     STATE         SERVICE
68/udp   open|filtered dhcpc
137/udp  open          netbios-ns
138/udp  open|filtered netbios-dgm
631/udp  open|filtered ipp
5353/udp open          zeroconf
MAC Address: DE:AD:00:00:BE:EF (Intel Corporate)

Nmap done: 1 IP address (1 host up) scanned in 98.07 seconds

Nmap command

Description

10.129.2.28

Scans the specified target.

-F

Scans top 100 ports.

-sU

Performs a UDP scan.

 

Service enumeration commands

Nmap service enumeration commands
 

When conducting any enumeration, determining the application and its version accurately is essential. We can use this information to scan for known vulnerabilities and analyze the source code.

Service version detection

A quick port scan with show us a small overview of the available ports and what versions they are.

sudo nmap 10.129.2.28 -p- -sV

Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-15 19:44 CEST
[Space Bar]
Stats: 0:00:03 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 3.64% done; ETC: 19:45 (0:00:53 remaining)

Nmap command

Description

10.129.2.28

Scans the specified target.

-p-

Scans all ports.

-sV

Performs service version detection on specified ports.

Once the scan is complete, we will see all TCP ports with the corresponding service and their versions that are active on the system.

sudo nmap 10.129.2.28 -p- -sV

Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-15 20:00 CEST
Nmap scan report for 10.129.2.28
Host is up (0.013s latency).
Not shown: 65525 closed ports
PORT      STATE    SERVICE      VERSION
22/tcp    open     ssh          OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
25/tcp    open     smtp         Postfix smtpd
80/tcp    open     http         Apache httpd 2.4.29 ((Ubuntu))
110/tcp   open     pop3         Dovecot pop3d
139/tcp   filtered netbios-ssn
143/tcp   open     imap         Dovecot imapd (Ubuntu)
445/tcp   filtered microsoft-ds
993/tcp   open     ssl/imap     Dovecot imapd (Ubuntu)
995/tcp   open     ssl/pop3     Dovecot pop3d
MAC Address: DE:AD:00:00:BE:EF (Intel Corporate)
Service Info: Host:  inlane; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 91.73 seconds

Banner grabbing

Nmap looks at the banners of the scanned ports and prints them out. If it cannot identify versions through the banners, Nmap attempts to identify them through a signature-based matching system.

The issue here is that the automatic scan can miss some information because sometimes Nmap does not know how to handle it.

So, what can we do about this?

We can manually connect to the SMTP server using nc, grab the banner, and intercept the network traffic using tcpdump. Then we can see what Nmap did not show us.

Tcpdump

sudo tcpdump -i eth0 host 10.10.14.2 and 10.129.2.28

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes

Nc

nc -nv 10.129.2.28 25

Connection to 10.129.2.28 port 25 [tcp/*] succeeded!
220 inlane ESMTP Postfix (Ubuntu)

Tcpdump - Intercepted Traffic

18:28:07.128564 IP 10.10.14.2.59618 > 10.129.2.28.smtp: Flags [S], seq 1798872233, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 331260178 ecr 0,sackOK,eol], length 0
18:28:07.255151 IP 10.129.2.28.smtp > 10.10.14.2.59618: Flags [S.], seq 1130574379, ack 1798872234, win 65160, options [mss 1460,sackOK,TS val 1800383922 ecr 331260178,nop,wscale 7], length 0
18:28:07.255281 IP 10.10.14.2.59618 > 10.129.2.28.smtp: Flags [.], ack 1, win 2058, options [nop,nop,TS val 331260304 ecr 1800383922], length 0
18:28:07.319306 IP 10.129.2.28.smtp > 10.10.14.2.59618: Flags [P.], seq 1:36, ack 1, win 510, options [nop,nop,TS val 1800383985 ecr 331260304], length 35: SMTP: 220 inlane ESMTP Postfix (Ubuntu)
18:28:07.319426 IP 10.10.14.2.59618 > 10.129.2.28.smtp: Flags [.], ack 36, win 2058, options [nop,nop,TS val 331260368 ecr 1800383985], length 0

These first three lines are showing us the three-way handshake. 

After that, the target SMTP server sends us a TCP packet with the PSH and ACK flags. PSH states that the target server is sending data to us;ACK simultaneously informs us that all required data has been sent.

Nmap Scripting Engine commands 

Another handy feature of Nmap is the Nmap Scripting Engine (NSE). It provides us with the possibility to create scripts in Lua for interaction with certain services.

These scripts fit into the following categories:

Category

Description

auth

Determination of authentication credentials.

broadcast

Scripts, which are used for host discovery by broadcasting and the discovered hosts, can be automatically added to the remaining scans.

brute

Executes scripts that try to log in to the respective service by brute-forcing with credentials.

default

Default scripts executed by using the -sC option.

discovery

Evaluation of accessible services.

dos

These scripts are used to check services for denial of service vulnerabilities and are used less as it harms the services.

exploit

This category of scripts tries to exploit known vulnerabilities for the scanned port.

external

Scripts that use external services for further processing.

fuzzer

This uses scripts to identify vulnerabilities and unexpected packet handling by sending different fields, which can take much time.

intrusive

Intrusive scripts that could negatively affect the target system.

malware

Checks if some malware infects the target system.

safe

Defensive scripts that do not perform intrusive and destructive access.

version

Extension for service detection.

vuln

Identification of specific vulnerabilities.

 

Using scripts for a vulnerability assessment

One key benefit of the NSE is the ability to use the vuln category to find and identify known vulnerabilities. Below, you can see that CVE-2019-0211, CVE-2018-1312, and CVE-2017-15715 were discovered using this scan:

sudo nmap 10.129.2.28 -p 80 -sV --script vuln 

Nmap scan report for 10.129.2.28
Host is up (0.036s latency).

PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
| http-enum:
|   /wp-login.php: Possible admin folder
|   /readme.html: Wordpress version: 2
|   /: WordPress version: 5.3.4
|   /wp-includes/images/rss.png: Wordpress version 2.2 found.
|   /wp-includes/js/jquery/suggest.js: Wordpress version 2.5 found.
|   /wp-includes/images/blank.gif: Wordpress version 2.6 found.
|   /wp-includes/js/comment-reply.js: Wordpress version 2.7 found.
|   /wp-login.php: Wordpress login page.
|   /wp-admin/upgrade.php: Wordpress login page.
|_  /readme.html: Interesting, a readme.
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-wordpress-users:
| Username found: admin
|_Search stopped at ID #25. Increase the upper limit if necessary with 'http-wordpress-users.limit'
| vulners:
|   cpe:/a:apache:http_server:2.4.29:
|     	CVE-2019-0211	7.2	https://vulners.com/cve/CVE-2019-0211
|     	CVE-2018-1312	6.8	https://vulners.com/cve/CVE-2018-1312
|     	CVE-2017-15715	6.8	https://vulners.com/cve/CVE-2017-15715
<SNIP>

Nmap command

Description

10.129.2.28

Scans the specified target.

-p 80

Scans only the specified port.

-sV

Performs service version detection on specified ports.

--script vuln

Uses all related scripts from specified category.

 

Commands to bypass security measures

Nmap commands for bypassing firewalls
 

Nmap gives us many different ways to bypass firewalls and IDS/IPS.

But first, let’s define what these security measures are: 

  • Firewall: a firewall is a security measure against unauthorized connection attempts from external networks. It checks whether individual network packets are being passed, ignored, or blocked. This mechanism is designed to prevent unwanted connections that could be potentially dangerous.

  • IDS/IPS: IDS scans the network for potential attacks, analyzes them, and reports any detected attacks. IPS complements IDS by taking specific defensive measures if a potential attack should have been detected.

Understanding firewall rules

Firewalls can either drop or reject packets when performing an Nmap scan. The dropped packets are ignored, and no response is returned from the host.

This is different for rejected packets that are returned with an RST flag. These packets contain different types of ICMP error codes:

  • Net Unreachable.

  • Net Prohibited.

  • Host Unreachable.

  • Host Prohibited.

  • Port Unreachable.

  • Proto Unreachable.

Nmap's TCP ACK scan (-sA) makes it harder to filter for firewalls and IDS/IPS systems than regular SYN (-sS) or connect scans (sT) because they send a TCP packet with only the ACK flag. 

When a port is closed or open, the host must respond with an RST flag. 

Unlike outgoing connections, all connection attempts (with the SYN flag) from external networks are usually blocked by firewalls. 

However, the packets with the ACK flag are often passed by the firewall because the firewall cannot determine whether the connection was first established from the external network or the internal network.

Detecting IDS/IPS

The detection of IDS/IPS using Nmap is much more challenging as these are passive traffic monitoring systems. 

IDS systems examine all connections between hosts. If the IDS finds packets containing the defined contents or specifications, the administrator is notified and takes appropriate action in the worst case.

So, how can we detect whether these systems are in place during a penetration test? 

We’d recommend using several virtual private servers (VPS) with different IP addresses.

Therefore, if at any time this host is blocked and has no access to the target network, we know that the administrator has taken some security measures. Accordingly, we can continue our penetration test with another VPS.

Decoys

If we detect that IDS/IPS exists, then the decoy scanning method (-D) is the right choice. 

With this method, Nmap generates various random IP addresses inserted into the IP header to disguise the origin of the packet sent.

Here’s a decoy scan in action:

sudo nmap 10.129.2.28 -p 80 -sS -Pn -n --disable-arp-ping --packet-trace -D RND:5

Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-21 16:14 CEST
SENT (0.0378s) TCP 102.52.161.59:59289 > 10.129.2.28:80 S ttl=42 id=29822 iplen=44  seq=3687542010 win=1024 <mss 1460>
SENT (0.0378s) TCP 10.10.14.2:59289 > 10.129.2.28:80 S ttl=59 id=29822 iplen=44  seq=3687542010 win=1024 <mss 1460>
SENT (0.0379s) TCP 210.120.38.29:59289 > 10.129.2.28:80 S ttl=37 id=29822 iplen=44  seq=3687542010 win=1024 <mss 1460>
SENT (0.0379s) TCP 191.6.64.171:59289 > 10.129.2.28:80 S ttl=38 id=29822 iplen=44  seq=3687542010 win=1024 <mss 1460>
SENT (0.0379s) TCP 184.178.194.209:59289 > 10.129.2.28:80 S ttl=39 id=29822 iplen=44  seq=3687542010 win=1024 <mss 1460>
SENT (0.0379s) TCP 43.21.121.33:59289 > 10.129.2.28:80 S ttl=55 id=29822 iplen=44  seq=3687542010 win=1024 <mss 1460>
RCVD (0.1370s) TCP 10.129.2.28:80 > 10.10.14.2:59289 SA ttl=64 id=0 iplen=44  seq=4056111701 win=64240 <mss 1460>
Nmap scan report for 10.129.2.28
Host is up (0.099s latency).

PORT   STATE SERVICE
80/tcp open  http
MAC Address: DE:AD:00:00:BE:EF (Intel Corporate)

Nmap done: 1 IP address (1 host up) scanned in 0.15 seconds

Nmap command

Description

10.129.2.28

Scans the specified target.

-p 80

Scans only the specified ports.

-sS

Performs SYN scan on specified ports.

-Pn

Disables ICMP Echo requests.

-n

Disables DNS resolution.

--disable-arp-ping

Disables ARP ping.

--packet-trace

Shows all packets sent and received.

-D RND:5

Generates five random IP addresses using a decoy that indicates the source IP the connection comes from.

Learn Nmap today

Nmap is an extremely powerful tool for all infosec professionals, whether you’re using it to protect your network or perform penetration tests, these commands are essential for all cybersecurity professionals to have at hand. 

However, remember it’s important to not only rely on tools to do your job. You need to also understand how and why these tools work and what the information you find actually means. 

Ready to dive in? 

Find out everything you need to know about Nmap with our Academy module:

 

Author bio: Dimitrios Bougioukas (Dimitris), Senior Director of IT Security Training Services, Hack The Box

Dimitrios has extensive experience in upskilling the IT security teams of Fortune 100/500 tech companies and government organizations. He enjoys analyzing the threat landscape as well as interpreting market and data analytics to assist Hack The Box in devising its training strategy and roadmaps, from go-to-market all the way to the syllabus level.

Prior to Hack The Box, Dimitrios directed the development of training and certifications through eLearnSecurity/INE and was behind certifications like eCPTX, eWPT, and eCIR. You can connect with him on LinkedIn here.

Hack The Blog

The latest news and updates, direct from Hack The Box