How to Use Nmap: Tutorials for beginners (cheat sheet included)


When I was very new to hacking, I checked a post on nmap commands for beginners.

At that time I was confused by nmap. I was totally unable to understand what nmap is, how to use it, or what it is used for. It is a handy tool in cybersecurity, and it is open source.

I’m sure that if you are a beginner, you will be too.

So what is nmap?

It is a network scanning tool. It is used to gather information about a network. If you want to find the services (HTTP, FTP, SSH, etc.) running on a computer, the operating system of a device, and so on, you can use nmap.

How can it help in hacking?

It helps a lot. It shows the running services and their versions. Sometimes a service is not up to date; then we can exploit that system, and much more.

For example, you can find how many computers are needed to take down a web server using a DDoS attack 😀

What is a port number?

For identification, every computer has a different IP address. In the same way, every separate service has a different port number. It helps us in security, etc.

Right now you are connected to my blog using port number 443 (HTTPS runs on port number 443). If a site uses the HTTP protocol, it will run on port number 80.

While scanning with nmap, you will see services running on different port numbers.

There are 65535 ports in total.

I hope this helps. If you are still unable to understand this, let me know in the comments; I will be happy to help you :).

Nmap practical guide

In Kali Linux and Parrot Sec it is pre-installed, but you can install it on Windows too.

Nmap has both a GUI (graphical user interface) and a CLI (command line interface).

For the GUI, run zenmap. I prefer the command line interface, but it does not matter which UI you use; both do the same work.

Open a terminal and type nmap; it will show you the help menu.

[Screenshot: nmap help menu]

Let’s assume your target is I will scan my site during this tutorial because I have full permission to do that.

Basic scanning

nmap -vv

Let me explain this

-vv means verbose output. It shows what is going on while scanning. Run nmap without it and then with -vv, and you will see what it is for.

Here are the results

[Screenshot: nmap scanning result]

Here is my website IP address. I told you about ports. It finds four open ports with running services. REASON is the way it finds the running service. Ignore it for now. If you want to know more, let me know in the comment section.

OK, you can specify the port numbers too. Here is an example:

nmap -vv -p 1-5000

Here are the results

[Screenshot: nmap scanning by port number]

It finds ten open ports with different services, cool. Of course, the more ports you scan, the slower the scan.

OK, now we will try to find the operating system.  Just pass -O before

Note: nmap options are case sensitive, so -o is the wrong syntax. Use -O (capital O).

Here are the results

[Screenshot: operating system scanning result with nmap]

No OS matcher for the host. Actually, nmap uses some scripts; sometimes it works, sometimes not. But here is another way to find the operating system. There are two primary OSes used for web servers.

  • Redhat (Linux distribution)
  • IIS (Microsoft Windows)

Using nmap, you can scan a full network or a range of IP addresses. It is beneficial. Suppose I want to find the devices connected to my network.

First of all, I will find the default gateway (router IP address), because all other IP addresses will be the same with just a different subnet (IP address is  like last digits, known as subnet)

How to find the router IP address

Just type route.

[Screenshot: default gateway]

So I will scan Here is command

nmap -vv

It will examine the whole network. 255 means the last address (why 255 is last: it is part of the IP address). Here are the results.

[Screenshot: nmap scanning a network]

At that time only two devices were connected to my network. You can pass the -sn argument to save time. Basically, -sn scans one port per host. It saves our time.

It also finds the MAC address. Using the MAC address, we can find the hardware manufacturer: just type the first three characters into Google. In my case, these are CB:0B:CB. From Google, I found this. That’s true, I’m using a Xiaomi device (using the internet via mobile hotspot). Nmap does not always find the MAC address.

That is not a good way to scan the network. Here is another way to find the total number of devices connected to your network, with their IP addresses.

nmap -sn | grep "Nmap scan report for"

Here is the screenshot of the above command.

[Screenshot: nmap find total number of hosts]

I choose because my router or default gateway start from but your gateway will be something different you can find using route command.
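
An added example (not from the original post): the grep above keeps only the report lines, so the MAC address and vendor that nmap prints underneath each host are lost. This sketch parses the whole -sn output and lists the devices that are missing from your own inventory; the sample output, the addresses and the known_macs list are constructed for illustration.

```python
import re

# Constructed output shaped like `nmap -sn` run as root on a local subnet.
# 192.0.2.0/24 is a documentation range and the MAC addresses are made up.
SAMPLE = """\
Starting Nmap 7.80 ( https://nmap.org )
Nmap scan report for gateway.example.test (192.0.2.1)
Host is up (0.0042s latency).
MAC Address: 00:00:5E:00:53:01 (Example Router Vendor)
Nmap scan report for 192.0.2.23
Host is up (0.051s latency).
MAC Address: 00:00:5E:00:53:7A (Unknown)
Nmap scan report for 192.0.2.40
Host is up.
Nmap done: 256 IP addresses (3 hosts up) scanned in 2.91 seconds
"""

REPORT = re.compile(r"^Nmap scan report for (?:(\S+) \()?(\d+\.\d+\.\d+\.\d+)\)?$")
MAC = re.compile(r"^MAC Address: ([0-9A-F:]{17}) \((.*)\)$")

def parse_ping_scan(text):
    """Return one dict per host that answered, with its MAC details if printed."""
    hosts = []
    for line in text.splitlines():
        m = REPORT.match(line)
        if m:
            hosts.append({"ip": m.group(2), "name": m.group(1) or "",
                          "mac": "", "oui": "", "vendor": ""})
            continue
        m = MAC.match(line)
        if m and hosts:
            mac = m.group(1)
            # The first three bytes (the OUI) identify the manufacturer.
            hosts[-1].update(mac=mac, oui=mac[:8], vendor=m.group(2))
    return hosts

def unknown_devices(hosts, known_macs):
    """Hosts whose MAC is not in the inventory; hosts with no MAC are listed too."""
    known = {m.upper() for m in known_macs}
    return [h for h in hosts if h["mac"].upper() not in known]

if __name__ == "__main__":
    for h in unknown_devices(parse_ping_scan(SAMPLE), ["00:00:5e:00:53:01"]):
        print(h["ip"], h["mac"] or "(no MAC shown)", h["vendor"])
```

The host with no MAC line is typical of the scanning machine itself, or of a scan run without root or across a router, which is why nmap does not always show a MAC address.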

Let’s do something serious

I told you that nmap helps us find how many bots are required to take down a web server using a DDoS attack. Here are the commands.

To find out whether the target can be taken down using a DoS attack:

nmap -vv -script dos

It will take some time. As you can see, only 6.68% is complete, and I need too much time.

But from 14% it reached directly to 99%.

[Screenshot: scanning dos attack using nmap]

After 2 hours it is still not complete. I’m going to close the terminal. Actually, it depends upon website security.

You can find vulnerabilities using Nmap too

Run this command

nmap -vv --script vuln

Here are the results

[Screenshot: vuln script result]

Saving results to a file

Here is what I found using nmap

[Screenshot: saving nmap scan results]

Just pass -oN and then a filename, and it will save the result to a file. o means output; N means normal file. You can keep the results in an XML file instead: just pass the -oX argument.

Here is an example:

nmap -oN opentechinfo.txt

[Screenshot: saving result to file]

No need to pass .xml; it is my mistake. Here is how the file looks.

[Screenshot: viewing results]
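
An added example (not from the original post): once results are saved as XML with nmap's -oX option, they can be flattened into CSV for a spreadsheet or an asset inventory. The sample XML below is constructed and trimmed to the elements the code reads, and the function names are this example's own. Service banners are written by the scanned host, so cells that start with a formula character are neutralised before they reach the CSV.

```python
import csv
import io
import xml.etree.ElementTree as ET

# Constructed sample shaped like nmap -oX output; 192.0.2.10 is a documentation address.
SAMPLE_XML = """<nmaprun scanner="nmap">
<host><status state="up"/><address addr="192.0.2.10" addrtype="ipv4"/>
<hostnames><hostname name="web.example.test" type="user"/></hostnames>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
  <service name="ssh" product="OpenSSH" version="7.4"/></port>
<port protocol="tcp" portid="443"><state state="open" reason="syn-ack"/>
  <service name="https" product="=1+1"/></port>
<port protocol="tcp" portid="3306"><state state="filtered" reason="no-response"/></port>
</ports></host></nmaprun>"""

FIELDS = ["ip", "hostname", "protocol", "port", "state", "service", "version"]

def safe_cell(value):
    # Prefix a quote so a spreadsheet shows the banner as text, not a formula.
    return "'" + value if value[:1] in ("=", "+", "-", "@") else value

def xml_to_rows(xml_text, only_open=True):
    rows = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address").get("addr")
        name = host.find("hostnames/hostname")
        for port in host.iterfind("ports/port"):
            state = port.find("state").get("state")
            if only_open and state != "open":
                continue
            # A port with no <service> element yields empty service fields.
            svc = getattr(port.find("service"), "attrib", {})
            version = " ".join(filter(None, (svc.get("product"), svc.get("version"))))
            rows.append({
                "ip": addr, "hostname": name.get("name") if name is not None else "",
                "protocol": port.get("protocol"), "port": port.get("portid"),
                "state": state, "service": safe_cell(svc.get("name", "")),
                "version": safe_cell(version),
            })
    return rows

def rows_to_csv(rows):
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()

if __name__ == "__main__":
    print(rows_to_csv(xml_to_rows(SAMPLE_XML)), end="")
```

For a real scan, read the file that -oX wrote and pass its text to xml_to_rows.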

Pro Tip: Run this command: nmap -script dos -oN saveresult.txt; shutdown

This command will scan the target, save the result to a file, and then turn off the computer. I run this command and then go to sleep :).

Introduction to Zenmap

As I told you above, zenmap is the GUI version of nmap. To launch it, type zenmap in a terminal.

You can install zenmap on Windows or macOS too. Zenmap is very straightforward, as you can see in the screenshot.

[Screenshot: zenmap]

Target is the input field where you type your target IP address or website.

Profile is related to the scan. You will find plenty of profiles. By default, it is Intense scan. There are other profiles like Regular scan, Quick scan, etc. For now, I will leave it as Intense scan.

Command is basically the nmap command. You can modify it, and it will change when you change the profile.

Zenmap has some advantages: it shows better output. You can find all the hosts in the Hosts tab, and from Services the services running on a particular host.

Host details also shows the results in an excellent way. Here is the screenshot.

[Screenshot: zenmap]

If you scan the whole network, you will find all hosts under the Hosts tab.

Cheat sheet

Here is a PDF cheat sheet by StationX. It will be useful only if you know the basics of nmap.

If you have any suggestions or problems, let me know in the comments. I will be happy to help you.

11 thoughts on “How to Use Nmap: Tutorials for beginners (cheat sheet included)”

  1. Can someone please help me on how to convert the xml output to csv format?
    Need to get the vulnerability report in csv format

  2. Hello, recently I decided to go back to what is now called pentesting after nearly 20 years of break. Many new different things, tools… I installed latest Parrot OS with latest nmap (as of November of 2018). I have watched a bunch of tutorials but their nmap shows totally different results. I can’t post a screenshot here but if you are willing to help I can send you my screenshot.
    Thanks in advance.
    P.S. Does running from tor affect the scan?

  3. I am still a little confused but I did learn more in your tut than off several sites. I have many questions: can I run zenmap without python? Great job, I’d like this for Droid. Well written.


    ALL OTHER SITES JUST COPY AND PASTE CONTENT BUT in this site I found hand written and in simple English documentation with adding lot of hard work, love and thoughts.

    Thanx bro

    • Ok, did you read my Kali Linux hacking tutorials post?
      If not, then read it and let me know if after reading it you can’t understand this post.

