Nmap for Vulnerability Discovery

Nmap is short for Network Mapper. It is an open source security tool for network exploration, security scanning and auditing.

The purpose of this post is to introduce the nmap command-line tool and show how to use it to scan a host and/or network in order to find possible points of vulnerability in those hosts.

Nmap is a very powerful utility that can be used to:

  • Identify the open ports on a host (port discovery or enumeration)
  • Detect the live hosts on the network (host discovery)
  • Detect the software and version running on each open port (service discovery)
  • Identify the operating system, hardware address, and the software version
  • Detect vulnerabilities and security holes (Nmap scripts)


nmap [Scan Type(s)] [Options] {target specification}

Overview of Basic Scanning Options:

This section covers the basics of network scanning with Nmap.


Figure: Nmap Basic Scanning Option


Figure: Nmap Aggressive Scan

The aggressive scan selects some of the most commonly used options within Nmap. The -A parameter is a synonym for several advanced options (like -O -sC --traceroute) which can also be accessed individually.

Nmap Scan Types:

The two basic scan types used most in Nmap are TCP connect() scanning [-sT] and SYN scanning (also known as half-open, or stealth scanning) [-sS]. For more detail please visit http://nmap.org/book/man-port-scanning-techniques.html


Figure: Nmap Scan Types


The TCP SYN scan is the default option. The default TCP SYN scan attempts to identify the 1000 most commonly used TCP ports by sending a SYN packet to the target and listening for a response. This type of scan is said to be stealthy because it does not attempt to open a full-fledged connection to the remote host. This prevents many systems from logging a connection attempt from your scan.

TCP Connect Scan:

TCP connect() port scanning is the simplest type of probe to launch. There is no stealth whatsoever involved in this form of scanning. This scan method uses the same TCP handshake connection that every other TCP-based application uses on the network.

Version Detection:


Figure: Version Detection

The -sV option will attempt to identify the vendor and software version for any open ports it detects. An interesting, relatively new feature in Nmap is its ability to attain version information for various TCP and UDP services on target machines. This is done in conjunction with whatever other scans you choose to run.

Overview of Port Scanning Options:

Sometimes you need to scan outside the default range of ports to look for uncommon services or ports. This section covers the options that allow this, along with other port-specific features.


Figure: Port Scanning Options

Overview of Version Detection Options:

The process of identifying a target’s operating system and software versions is known as fingerprinting. This section covers the options that perform operating system detection and service version detection.


Figure: Version Detection Options

Overview of Timing Options:

There are six templates (numbered 0-5) that can be used to speed up scanning (for faster results) or to slow down scanning (to evade firewalls). The table below describes each timing template.


Figure: Timing Options

Overview of Output Options:

Nmap offers several options for creating formatted output. In addition to displaying the standard output on screen, Nmap can save scan results to a text file, an XML file, or a single-line grepable file.


Figure: Output Options
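
The XML output is the easiest of these formats to post-process when auditing your own hosts. The following is an added example, not code from the original post: it reads XML in the shape produced by nmap -sV -oX and compares the open ports against an approved baseline. The sample XML, the addresses and the BASELINE mapping are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like `nmap -sV -oX` output (documentation addresses).
SAMPLE_XML = """<nmaprun scanner="nmap">
  <host><address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/>
        <service name="ssh" product="OpenSSH" version="7.4"/></port>
      <port protocol="tcp" portid="23"><state state="open"/><service name="telnet"/></port>
      <port protocol="tcp" portid="443"><state state="closed"/></port>
    </ports></host>
  <host><address addr="192.0.2.11" addrtype="ipv4"/>
    <address addr="00:00:5E:00:53:01" addrtype="mac"/>
    <ports>
      <port protocol="tcp" portid="80"><state state="open"/>
        <service name="http" product="nginx" version="1.14.0"/></port>
    </ports></host>
</nmaprun>"""

# Hypothetical baseline: (protocol, port) pairs each host is approved to expose.
BASELINE = {"192.0.2.10": {("tcp", 22)}, "192.0.2.11": {("tcp", 80), ("tcp", 443)}}

def open_services(xml_text):
    """Return (ip, protocol, port, service description) for every open port."""
    rows = []
    for host in ET.fromstring(xml_text).iter("host"):
        # A host may list several <address> elements (IP and MAC); keep the IP.
        ip = next(a.get("addr") for a in host.iter("address")
                  if a.get("addrtype") in ("ipv4", "ipv6"))
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue
            svc = port.find("service")  # absent when nothing was identified
            attrs = svc.attrib if svc is not None else {}
            desc = " ".join(attrs[k] for k in ("name", "product", "version") if k in attrs)
            rows.append((ip, port.get("protocol"), int(port.get("portid")), desc))
    return rows

def audit(xml_text, baseline):
    """Return (open ports outside the baseline, approved ports not found open)."""
    found = open_services(xml_text)
    unexpected = [r for r in found if (r[1], r[2]) not in baseline.get(r[0], set())]
    seen = {(ip, proto, port) for ip, proto, port, _ in found}
    missing = sorted((ip, proto, port) for ip, allowed in baseline.items()
                     for proto, port in allowed if (ip, proto, port) not in seen)
    return unexpected, missing

if __name__ == "__main__":
    print(audit(SAMPLE_XML, BASELINE))
```
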


In this article, we discussed in detail various Nmap scan types and the practical use of these commands to scan various devices and networks. There are many other things that you can do with Nmap, and we will discuss them in future articles.

