If you have not reviewed the Hacker Methodology write up now is a good time to check it out. It will provide you with a much better overview of how we are logically gathering intelligence in order to create a solid basis for the later phases of hacking or penetration testing.

In this overview we’re going to learn about some of the common uses of nmap, go over a few of the switches or options and how they work and then wrap it up with an example of a scan.

Disclaimer: nmap is considered to be recon for further action and can be taken as hostile intent. It’s a grey area between illegal and not, depending on how good of a lawyer you have. I recommend ONLY using this in our Hacker Lab. Used incorrectly it is VERY obvious when you are scanning.

What is nmap?

In short, nmap is a network discovery scanner. Some of its features include host discovery, port mapping, and OS detection. nmap on its own is an art. The most comprehensive book on nmap is Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning and covers a whole slew of things you can do with nmap. You can obtain half of the book for free at this link. Another book that I often refer to is the Rtfm: Red Team Field Manual. I often carry this book with me out in the field to quick refrence when I’m having a mind fart. It has many of the common switches that I list here as well as a brief description of them.

Command Syntax

nmap uses a very simple command syntax structure which is:

nmap [scan types] [options] [targets]

For example: ‘nmap -A -T4’ -A will enable OS and version detection, script scanning, traceroute, -T4 will execute faster and is our target.

You can also target host names as long as they can be resolved by DNS.

Common Options

  • -iL <path>: scan from a target list word document
  • -Pn: This treats all hosts as online. Without this switch nmap by default will ping sweep to determine if a host is online. If there is no response nmap will skip it. This is important because if a host has ICMP protocol disabled or blocked, it will not respond to pings and nmap will assume it is offline, even if it is not.
  • -sV: Probe open ports to obtain service information. This is the bread and butter of nmap. This will tell you what services the target is hosting as well as its version
  • -sU: UDP Scan
  • -sN/sF/sX: TCP Null, FIN, Xmas Scans: These change how the scan is conducted if you’re getting the result CLOSED for ports. Link for more info/
  • -p <port range>: scan specific ports
  • -O: Enable OS detection by making an educated guess using returned parameters. For example: TTL values, default ports/services etc.
  • -S <adddress>: spoof source address
  • -oN/-oX/-oS/-oG <filename>- Output file types, normal, XML, l33t, Grepable format. This is helpful if you want to save your scans for later analysis. Highly recommended.
  • -A: This is kind of like throwing everything out there. Basically the all switch.


Here is an example of results when scanning from my kali VM to the metasploitable VM I created in my hacker lab write-up. nmap can take a bit to finish, especially when you’re using a large range so be patient.

nmap -O -Pn -sV

So how do we interpret these results. Great question! The long list that dominates the screenshot is a list of ports and the protocol its using. Moving to the right you’ll find the state of the port, the service its running, and the name/version of the service. Below the port/service information you’ll find information about the machine such as macaddress, operating system, and network distance.

Remember when I said nmap was very obvious? Below you’ll find a capture from wireshark that I was running on my Kali box when running an nmap scan against it. You can see nmap sequentially going down the port list looking methodically for open ports. Are there ways to avoid this type of detection? Absolutely, but that is beyond the scope of this lesson. I show you this to illustrate how easy it is to be caught if you don’t know what you’re doing.



nmap is just one of many tools used during active recon. Its considered an active recon tool because you’re actually “touching” the target and leaving behind a trace of your presence. We went over the syntax of the command some commonly used switches. We ran an example scan and interpreted some results and finally I showed you how stupid it is to run nmap against a real target when you don’t know what you’re doing.

Now that we have gathered information about our target including services that it is running and operating system detection we can move on into the next phase of the Hacker Methodology and attempt to exploit our way into the metasploitable box in our Hacker Lab. Stay tuned.

Note: This tutorial will help you understand the Bandit 17 tutorial a little better.