Network Scanning by Nmap

Auntor Acharja
5 min readSep 24, 2020

Nmap is a powerful network security tool used for network mapping and port scanning.Although Nmap used for port scanning, Nmap offers many additional features:

  • host discovery.
  • operating system detection.
  • service version detection.
  • network information about targets, such as DNS names, device types, and MAC addresses.

You can find the Nmap source code here:

You can see this video also:

Now in this blog, I am discussing Nmap step by step. I am working on Kali Linux for used this tool(Nmap).

Installation of nmap in Kali Linux (if need):

Open a terminal and type nmap and enter, If in your machine Nmap is not installed previously then first you need to install it in your machine. For install open a terminal and go to the root directory, type apt-get install nmap.

Type nmap- -help to see all the functionality of nmap in the terminal. Nmap takes a long time to scan so we can use fast mood, for the first mood enable use -F for every scanning command.

We can scan network by domain name or IP address. The command procedure almost same, just use domain name instant of IP address.

For domain name: nmap -F OR For IP address: nmap -F

In this section, I am using metasploitable machine( A machine with some vulnerability to practice penetration testing ) and the Ip address for the machine is

  1. Type nmap -F and press enter, it will show the port, state and the service of the IP. Now we can find out which port is open and which are closed or filtered.

2. Type nmap -F -sV and press enter, it will show the service version.For example, port 3306 use MySQL 5.0.51a-3ubuntu5 version.

3. For scan multiple IP addresses we can use this command:

nmap -F

To see how many percentages of the scan is complete then press Up arrow button, Or we can use -v to see all the details .for this just use -v after IP address. Like: nmap -F -v

4. We can also scan multiple ports using this command:

nmap -F–12

Here 1–12 means it will scan on port 1 to 12, like:




5. If we need to scan some selected IP address then first make a text file(.txt) and write IP address inside of the text file.Then use this command to scan every IP address which is written on this file.

Command: nmap -F -iL myIp.txt

Here I use myIp.txt file to scan.

6. Nmap is one of a brilliant tool. we can use this tool for scan port. We know there may have 65000+ port in a server where 90% is unused. So we can scan server port also.Use this command to scan port:

nmap -p 1–20,80,443

Here 1–20,80,443 are port number of the IP address of

80: http port

443: https port

We can also use this command to scan a specific port:

nmap -p http,mysql,ftp

7. Now we go to learn an important command that can give us a bunch of important information. we can use this command:

nmap -F -A

Now see all the output. Here a traceRoute

Traceroute is a route map that the packet reaches from server to client. We can find out only traceroute using this command:

nmap -F — traceroute

Total HOP is the amount of Hub, here we have 1 hub

8. To see which operating system use for the server we can use this command: nmap -F -O

9. We can store our scan result into a text file using those command:

nmap -F >> result.txt


nmap -F -oN result.txt

10. To treat all hosts as online, we can use this command:

nmap -Pn

Let’s go to some deep of network scanning,

sS Use for: TCP SYN scan

sT Use for: TCP connect scan

sU Use for: UDP scan

sY Use for: SCTP INIT scan

sA Use for : detect firewall

sL Use for : identify Hostnames

11. For TCP connect scan, use this command:

nmap -sT

Same For evey command just replace sS/sT/sU/sY

Sometimes the target blocks your Nmap scanning,that’s way some scan show null or error. But we can bypass hosts and avoid the defence and continue our scanning process.

Let’s see :

12. To detect firewall settings:

nmap -sA

Detecting firewall settings can be useful during penetration testing and vulnerability scans. This will provide you with information about the firewall being active on the host. It uses an ACK scan to receive the information.

We can use this three command to avoid defences:

nmap -sA

nmap — source-port or nmap -g 80

nmap — data-length

Some Advance:

We can use some script which is already installed on nmap.To find all script go to this directory : /usr/share/nmap/scripts

>> Now we want to use ssh-brute.nse script for brute forcing to the target IP (

Now first go to this directory ( /usr/share/nmap/scripts) and type ,

nmap- -script=ssh-brute.nse

>> To find out ssh-hostkey we can use this command:

first go to this directory ( /usr/share/nmap/scripts) and type,

nmap- -script=ssh-hostkey.nse

You can see this video also:

-*- Happy Hacking -*-