Nmap – The Network mapper a detailed Guide
A brief guide to Nmap including features, usage, scanning and video tutorial

Why We Use Nmap? How to Use it?
Why We Use Nmap? How to Use it?

Nmap is the most used network mapper. It is an open source tool developed by Gordon Lyon and written in C, C++, Python, Lua. It is available for all operating system including Linux, Windows. Mac OS. The stable version of Nmap was released on 21 March 2018. It is scanning and a network discovery tool. Network administrators are using Nmap to figure out what devices are running on their network. It is the best tool to identify hosts on a network. Nmap listing the hosts that respond to TCP ICMP requests. We can Enumerate the open ports on the network so can figure out the vulnerable ports. Also, we can detect the operating system running on the network devices. Nmap is also known as the information digger. We can do reverse DNS names, get MAC addresses, device types and much more.

Table of Contents

Features of Nmap

Vulnerable Ports:

Cyber Security Researcher, Hackers are using Nmap to identify vulnerable ports and get information about the target. They can exploit it easily. It’s the best and recommended tool for bug hunters. Many Hackers are using Nmap to brute-force passwords. Nmap has different scripts for brute force many protocols like HTTP-brute, SNMP-brute, oracle-brute and much more. You can find the vulnerable ports using Nmap.

Command: nmap –script exploit -Pn <target>


OS (Operating System) Detection:

OS (operating system) detection is one of the best features of NMAP. Nmap performs five probes to get the details of the Operating System. Each probe has one or more packets. These packets are sent to the target host to identify the Operating system.

  • TCP Explicit Congestion Notification
  • TCP
  • UDP
  • ICMP Echo
  • Sequence Generation

TCP Explicit Congestion Notification:

It sends a lot of packets which slow down the system. Nmap sends packets to the target system and gets a response from it. However, every OS handles the packets in their own different ways so the response identifies the exact Operating system.


Nmap sends 6 packets to the target host. Some packets are sent to closed ports and some to open ports with unique packets arrangement. Packets are sent with varying different flags which are:

  • no flags
  • SYN, FIN, URG, and PSH
  • ACK
  • SYN
  • ACK
  • FIN, PSH, and URG


In this probe, Nmap sends single packets to closed ports. SO if the response of a target system on a closed port and on ICMP port result Unreachable message. So it means there is no Firewall.

ICMP Echo:

Every probe has a different way to identify the OS. ICMP Echo sends two ICMP Request packets the target host which help us to identify the OS type.

Sequence Generation:

In this probe, it has six packets which are sent to the host 100 ms apart all TCP SYN packets. TCP SYN packets identify the OS type.

Command: nmap -v -Pn -O <target>

HOST Discovery:

Saving your time is the first priority. It’s hard to scan ports of every single IP address. It’s the common task for the network security researchers, System administrators to find live networks in a local network to enumerate and identify an active machine on a network. Nmap is the best choice it saves your 80% time. You can find live hosts on your local network just by a simple command

Command: nmap -sn <target>

Host Detection Using Nmap
Host Detection Using Nmap

Now the question is how this attack works? The answer is Nmap perform different techniques to get the results by sending TCP SYN packets to 443 port by default. It sends TCP ACK packets the default port 80 via syscall connect(). However, ARP requests to identify MAC addresses and vendors during the phase of ARP/Neighbor Discovery.

Explaining encryption, hash and cracking

PORTS Scanning:

Finding open ports is the common task for network security researchers, system administrators, hackers to identify open ports. Many tools can do it. ButNmap is at it’s best. You can identify open ports easily just by a simple command. Nmap converts hostname. into an IPv4 address using the Domain Naming system(DNS). This lookup skipped when IP address specified instead of hostname. It sending ICMP echo request packet and TCP ACK packet to the default port 80 and identify whether the host is up or not. It scans popular 1000 ports which are listed in Nmap-servers. NMAP can perform version detection too.

Port Scanning Command: nmap <target>

Version Detection: nmap -sV <target>

Open Ports Identification and Version Detection Using Nmap
Open Ports Identification and Version Detection Using Nmap

These are not just the End of Features. There are hundreds of features which we can’t cover them all in one article. We discussed the most commonly used features.

 Why We Use Nmap?

Most of the beginners searching on google why we use Nmap? if you are one of them you came to the right place. Nmap can be used for several purposes, Network Administrators, Cyber Security Researcher, Hackers are using Nmap to get good information about the host or the target. I’ve made a list of why we use Nmap? NMAP is also used for Analysis and measurement of the host or network. Also, we can Identify new server using Nmap, Discover of Open Ports, Getting the exact details about the network, Finding vulnerable ports, Sub Domain DNS queries to research, Network mapping, maintenance and much more. Wikipedia

Other Commands of Nmap

Nmap brute force Passwords: nmap –script brute -Pn <target>

Testing Dos Vulnerability: nmap –script dos -Pn <target>

Attemp Dos Attack: nmap –max-parallelism 750 -Pn –script http-slowloris –script-args http-slowloris.runforever=true

Video Tutorial: