How to Use Nmap | TryHackMe Nmap: The Basics
Introduction
This guide provides a comprehensive walkthrough of the TryHackMe room “Nmap: The Basics.” It introduces beginners to Nmap, a powerful network scanning tool, and covers fundamental scanning techniques essential for cybersecurity and penetration testing.
The article serves as an excellent primer for those new to Nmap and network scanning. It systematically breaks down the core functionalities of Nmap, starting from basic host discovery to more intricate scanning techniques.
By following this guide, readers can expect to gain a solid foundation in using Nmap for various reconnaissance tasks.
The inclusion of practical examples and command-line instructions enhances the learning experience, making complex concepts more accessible. Overall, this walkthrough is a valuable resource for aspiring cybersecurity professionals seeking hands-on experience with Nmap.
Scanning a “Local” Network with NMAP
In this context, “local” refers to the network we are directly connected to — typically through Ethernet or WiFi. In the first demonstration, we will scan the WiFi network to which our device is connected. Our current IP address is 192.168.66.89, and we’ll be scanning the 192.168.66.0/24 subnet using the following command:
nmap -sn 192.168.66.0/24
Because this is a local network scan run with root privileges, Nmap discovers hosts with ARP rather than IP probes: every address in the subnet gets an ARP "who-has" request, and any device that answers is marked "Host is up." The ARP reply also carries the device's MAC address, so Nmap prints it together with the vendor registered for that MAC prefix (OUI), which helps identify the kinds of devices present on the network.
Without root, Nmap cannot send raw ARP frames; it falls back to TCP connect attempts to ports 80 and 443 of each address, and no MAC addresses appear in the output.
Scanning a “Remote” Network with NMAP
In this scenario, we’re dealing with a remote network, meaning at least one router lies between our system and the target network. Because of this, any traffic to the target must pass through one or more routers. Unlike scanning a local network, we can’t use ARP requests, since those only work within the same subnet.
Our system’s IP address is 192.168.66.89, part of the 192.168.66.0/24 subnet. We’re scanning a different subnet, 192.168.11.0/24, using the following Nmap command:
nmap -sn 192.168.11.0/24
This command performs a ping scan (host discovery only, no port scanning). According to the output, five hosts are up. How does Nmap figure that out?
By examining the network traffic, we see that for a remote target, and when run as a privileged user, Nmap's default -sn sends four probes to each address: an ICMP echo request, a TCP SYN to port 443, a TCP ACK to port 80, and an ICMP timestamp request. Any reply at all, including a RST, proves the host is up; that is how the five hosts were identified even where ICMP echo was blocked. Without root privileges Nmap cannot craft these packets and instead attempts TCP connections to ports 80 and 443.
You can customize Nmap's host discovery using options like -PE (ICMP echo), -PP (ICMP timestamp), -PM (ICMP address mask), -PS (TCP SYN ping), -PA (TCP ACK ping) and -PU (UDP ping); -PE, -PS, -PA and -PU are described below. Add -n to skip reverse-DNS lookups, or -Pn to skip host discovery altogether.
Nmap also offers a list scan via -sL, which lists all target IPs in a range without sending any packets to the targets themselves (it still performs a reverse-DNS lookup for each address unless you add -n). For example:
nmap -sL 192.168.0.1/24
This simply displays all 256 possible IPs in that range — useful for confirming your target range before scanning.
Finally, remember that -sn scans are useful for quiet host discovery but don’t tell you which services are running. For that, a more detailed and noisier scan is needed, which will be covered in the next task.
Scanning TCP Ports
Basic TCP Port Check Using Telnet The simplest method to determine if a TCP port is open is to connect to it with a Telnet client. This attempts a TCP connection: if the port is open, the connection completes via the TCP three-way handshake (SYN, SYN/ACK, ACK); if it is closed, the host answers the SYN with a RST and the client reports "connection refused"; if a firewall drops the packet, the attempt simply times out. This is essentially how Nmap's connect scan works.
Connect Scan (-sT) A connect scan uses the -sT flag and attempts to complete the full TCP three-way handshake with each port. If the port is open, Nmap successfully connects, then immediately closes the connection. This method is more visible and may generate logs on the target system.
SYN Scan (-sS) – Stealthier Option The SYN scan, triggered by -sS, never completes the handshake. Nmap sends a SYN and judges the port by the answer: a SYN/ACK means open (Nmap then sends a RST to tear down the half-open connection instead of the final ACK), a RST means closed, and no answer or an ICMP error means filtered. Because it needs to craft raw packets, -sS requires root; it is Nmap's default scan type when run privileged. The label "stealth scan" dates from when only completed connections were logged; a SYN-only probe still reaches the target, and any modern firewall or IDS can record it.
UDP Port Scanning (-sU) Although TCP is more common, many services use UDP, such as DNS, DHCP, NTP, SNMP, and VoIP. UDP has no handshake, so Nmap sends a datagram (empty, or protocol-specific for well-known ports) and interprets the response: a reply from the service means open, an ICMP "port unreachable" message means closed, and silence is reported as open|filtered because a service may simply not answer unsolicited data. Many systems rate-limit ICMP errors to about one per second, which is why scanning many UDP ports is slow.
Controlling the Scope of Port Scans By default, Nmap scans the top 1,000 most common ports of each protocol. You can adjust this with -F (top 100 ports), --top-ports N, or an explicit list with -p: -p22,80,443 (a list), -p1-1024 (a range) or -p- (all 65,535 ports).
Summary Table
Option      Description
-sT         TCP connect scan: completes the handshake; works without root
-sS         TCP SYN scan: sends SYN only (stealthier); requires root
-sU         UDP scan
-F          Fast mode: top 100 ports
-p[range]   Custom ports (e.g., -p22,80, -p1-1024, -p- for all)
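The connect scan, the UDP probe and the -p port syntax described above, as an added example in Python. This is not Nmap's code and not from the TryHackMe room; it reproduces the mechanism with ordinary sockets so it runs without root. The hosts, ports and timeouts are assumptions; the demo functions open and release sockets on 127.0.0.1 so everything runs offline. The same connect() fallback is what Nmap uses for TCP SYN ping and ACK ping when run unprivileged.

```python
"""Added example, not Nmap's code: the mechanism behind a TCP connect scan
(-sT) and a UDP scan (-sU), plus a parser for Nmap's -p port-spec syntax.

A connect scan completes the three-way handshake via socket.connect(); a RST
from a closed port surfaces as ConnectionRefusedError, and silence (or an
ICMP error) before the timeout means "filtered".  A UDP probe is classified
by the ICMP "port unreachable" a closed port sends back, which Linux delivers
to a connected UDP socket as ConnectionRefusedError; no reply at all is
ambiguous ("open|filtered").  Hosts, ports and timeouts are assumptions; the
demos use 127.0.0.1 so the example runs offline and without privileges.
"""
import socket


def parse_portspec(spec: str) -> list[int]:
    """Expand Nmap -p syntax: "22", "21-25", "80,443,8080", "-" (all), "-1024", "1024-".
    Protocol prefixes (T:/U:) are not handled here."""
    ports: set[int] = set()
    for token in spec.split(","):
        token = token.strip()
        if not token:
            continue
        if "-" in token:
            lo_s, _, hi_s = token.partition("-")
            lo = int(lo_s) if lo_s else 1          # "-1024" means 1-1024
            hi = int(hi_s) if hi_s else 65535      # "1024-" means 1024-65535
        else:
            lo = hi = int(token)
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"bad port spec: {token!r}")
        ports.update(range(lo, hi + 1))
    return sorted(ports)


def tcp_connect_probe(host: str, port: int, timeout: float = 1.0) -> str:
    """One port of a connect scan: "open", "closed" or "filtered"."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))      # full SYN, SYN/ACK, ACK handshake
            return "open"                # leaving the block closes it again, as Nmap does
        except ConnectionRefusedError:
            return "closed"              # the target answered the SYN with RST
        except OSError:                  # timeout, host/network unreachable, ...
            return "filtered"            # nothing usable came back: likely dropped by a firewall


def udp_probe(host: str, port: int, timeout: float = 1.0) -> str:
    """One port of a UDP scan; an empty datagram is Nmap's probe for most ports."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))          # sends nothing; fixes the peer so ICMP errors map back to us
        try:
            s.send(b"")
            s.recv(1024)
            return "open"                # an application answered
        except ConnectionRefusedError:
            return "closed"              # ICMP type 3 code 3 (port unreachable) came back
        except OSError:
            return "open|filtered"       # no reply: a silent service, or a firewall dropped the probe


def connect_scan(host: str, spec: str, timeout: float = 1.0) -> dict[int, str]:
    """Connect-scan every port in an Nmap-style spec, e.g. connect_scan("10.0.0.1", "22,80-90")."""
    return {p: tcp_connect_probe(host, p, timeout) for p in parse_portspec(spec)}


def _free_port(kind: int) -> int:
    """Ask the OS for a free loopback port of the given socket type and release it again."""
    with socket.socket(socket.AF_INET, kind) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo_tcp() -> dict:
    """Listen on one loopback port, then connect-scan it and a port nobody listens on."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)
    open_port = listener.getsockname()[1]
    closed_port = _free_port(socket.SOCK_STREAM)
    try:
        results = connect_scan("127.0.0.1", f"{open_port},{closed_port}")
    finally:
        listener.close()
    return {"open": open_port, "closed": closed_port, "results": results}


def demo_udp() -> str:
    """Probe a loopback UDP port with no listener: "closed" once the kernel reports the ICMP error."""
    return udp_probe("127.0.0.1", _free_port(socket.SOCK_DGRAM), timeout=0.5)


if __name__ == "__main__":
    print(demo_tcp())
    print("udp:", demo_udp())
```

Note how little the "closed" verdict depends on the scanner: the kernel turns the RST (TCP) or the ICMP port unreachable (UDP) into ConnectionRefusedError, which is exactly the evidence Nmap's connect and UDP scans use, while a missing reply can only ever be reported as filtered or open|filtered.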
Host Discovery with Nmap
We can ping every IP address on a target network and see who would respond to our ping (ICMP Type 8/Echo) requests with a ping reply (ICMP Type 0). Simple, isn’t it? Although this would be the most straightforward approach, it is not always reliable. Many firewalls block ICMP echo; new versions of MS Windows are configured with a host firewall that blocks ICMP echo requests by default. Remember that an ARP query will precede the ICMP request if your target is on the same subnet.
To use ICMP echo request to discover live hosts, add the option -PE. (Remember to add -sn if you don’t want to follow that with a port scan.)
TCP SYN Ping
We can send a packet with the SYN (Synchronize) flag set to a TCP port, 80 by default, and wait for a response. An open port should reply with a SYN/ACK (Acknowledge); a closed port would result in an RST (Reset). In this case, we only check whether we will get any response to infer whether the host is up. The specific state of the port is not significant here.
If you want Nmap to use TCP SYN ping, you can do so via the option -PS followed by the port number, range, list, or a combination of them. For example, -PS21 will target port 21, while -PS21-25 will target ports 21, 22, 23, 24, and 25. Finally -PS80,443,8080 will target the three ports 80, 443, and 8080.
Privileged users (root and sudoers) can send TCP SYN packets and don’t need to complete the TCP 3-way handshake even if the port is open, as shown in the figure below. Unprivileged users have no choice but to complete the 3-way handshake if the port is open.
TCP ACK Ping
As you have guessed, this sends a packet with the ACK flag set. A host that receives an unsolicited ACK replies with a RST whether the port is open or closed, and that RST is enough to mark the host as up; the probe is useful against stateless firewalls that drop incoming SYNs but let ACKs through. You must be running Nmap as a privileged user to send a bare ACK. If you try it as an unprivileged user, Nmap falls back to attempting a 3-way handshake (a connect() call) instead.
By default, port 80 is used. The syntax is similar to TCP SYN ping. -PA should be followed by a port number, range, list, or a combination of them. For example, consider -PA21, -PA21-25 and -PA80,443,8080. If no port is specified, port 80 will be used.
UDP Ping
Finally, we can use UDP to discover if the host is online. Contrary to TCP SYN ping, sending a UDP packet to an open port is not expected to lead to any reply. However, if we send a UDP packet to a closed UDP port, we expect to get an ICMP port unreachable packet; this indicates that the target system is up and available. The option is -PU and, like -PS and -PA, it accepts a port number, range or list; if none is given, Nmap uses port 40125, chosen because it is almost certainly closed and therefore likely to trigger that ICMP reply.
OS Detection (-O)
Use the -O flag to enable operating system detection. Nmap sends a series of probes and compares details of the responses (TCP window sizes, initial sequence numbers, IP ID behaviour, TCP option ordering and so on) against its fingerprint database to guess the target's OS. The result is usually close but not exact: in the room, the target runs Linux kernel 5.15, yet Nmap reports a range like "Linux 4.15 - 5.8". OS detection needs root and works best when the target has at least one open and one closed TCP port; Nmap warns you when that is not the case.
Service & Version Detection (-sV)
The -sV option allows Nmap to identify what services are running on open ports and what versions they are. This adds a “VERSION” column to the scan results, showing detailed service info, such as the SSH server version.
Aggressive Scan (-A)
If you want to combine OS detection, version scanning, traceroute, and more in a single command, use -A. It is equivalent to -O -sV -sC --traceroute, where -sC runs Nmap's default set of NSE scripts, so it is an all-in-one option for a thorough (and noisy) scan.
Bypass Host Discovery (-Pn)
Some hosts don't respond to pings or the other discovery probes, so Nmap assumes they're offline and skips them. Adding the -Pn flag tells Nmap to skip host discovery and port-scan every specified address as if it were up. This is the right choice for a host behind a firewall that drops all probes, but on a large range it makes Nmap spend a full scan's worth of time on addresses with nothing behind them.
Quick Summary of Nmap Flags:
Option   Description
-O       Detects the operating system
-sV      Detects service and version info
-A       Enables OS detection, version detection, traceroute, etc.
-Pn      Treats all hosts as online; skips host discovery
Controlling the Speed of the Scanning
Nmap offers flexible options to adjust scan speed and timing. Slowing a scan down matters when a rate-based intrusion detection system (IDS) or a firewall with connection-rate limits sits in front of the target: by default Nmap sends probes in parallel at a pace such controls readily flag. Slowing down does not hide the probes themselves; it only spreads them out in time.
To help with this, Nmap includes six predefined timing templates: -T0 (paranoid), -T1 (sneaky), -T2 (polite), -T3 (normal, the default), -T4 (aggressive) and -T5 (insane).
You can set the timing by using either the number or the name, for example: -T0 or -T paranoid.
Timing Impact Example
Below is a sample test using nmap -sS MACHINE_IP -F, which performs a SYN scan on the 100 most common TCP ports. The scan was repeated using different timing templates (T0–T4), with the following durations:
Timing            Scan Duration
T0 (paranoid)     9.8 hours
T1 (sneaky)       27.53 minutes
T2 (polite)       40.56 seconds
T3 (normal)       0.15 seconds
T4 (aggressive)   0.13 seconds
Note: Scan times will vary based on network conditions and the target system. The huge gap between T2 and T3 is by design: T0, T1 and T2 send one probe at a time and wait 5 minutes, 15 seconds or 0.4 seconds respectively between probes, so 100 ports cost roughly 100 × 5 min, 100 × 15 s and 100 × 0.4 s, close to the figures above. T3 and faster templates send probes in parallel, which is why they finish in a fraction of a second.
Additional Nmap Timing Controls Beyond the templates, individual settings can be tuned: --min-parallelism and --max-parallelism set how many probes may be outstanding at once, --min-rate and --max-rate bound the number of packets sent per second, --scan-delay and --max-scan-delay control the pause between probes, --max-retries limits retransmissions, and --host-timeout gives up on a host that takes too long (for example --host-timeout 5m).
Verbosity and Debugging
Sometimes, a scan may take a long time to complete or appear unresponsive on the screen. If you want real-time feedback during the scan, use the -v option to enable verbose mode, which provides more details about the scan’s progress:
nmap 192.168.139.1/24 -v
For even more information, you can increase the verbosity level by adding extra v's (e.g., -vv, -vvvv) or by specifying a level directly like -v2 or -v4. You can even press v during the scan to increase the level on the fly.
If this still doesn’t provide enough detail, consider using the debug mode with -d. Just like verbosity, debugging levels can be increased (e.g., -d, -dd, -d3, up to -d9). Note that higher debug levels can produce thousands of lines of output, so be prepared.
Saving Scan Results
Nmap allows you to save scan results in several formats: -oN for normal output (what you see on screen), -oX for XML (the format other tools parse), -oG for grepable output (one line per host, convenient for grep and awk), and -oA, which writes all three at once using the given base name.
Example command:
nmap -sS 192.168.139.1 -oA gateway
This command creates three files: gateway.nmap (normal output), gateway.xml (XML) and gateway.gnmap (grepable).
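Reading two of those files back, as an added Python example that is not Nmap's code and not from the TryHackMe room. The XML and grepable samples below are constructed for this example in the shape Nmap emits; the host, MAC address, services and versions are invented. Both parsers return the same (host, protocol, port) records, so a scan can be compared with an earlier run.

```python
"""Added example, not Nmap's code: parsing the files that `-oA gateway` writes.

gateway.xml (-oX) is the machine-readable form that other tools consume;
gateway.gnmap (-oG) packs one host per line for grep/awk.  Both samples are
constructed for this example in the shape Nmap emits; the host, MAC,
services and versions are made up.
"""
import xml.etree.ElementTree as ET

SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sV 192.168.139.1 -oA gateway" version="7.94">
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="192.168.139.1" addrtype="ipv4"/>
    <address addr="00:11:22:33:44:55" addrtype="mac" vendor="ExampleVendor"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="8.9p1"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
        <service name="http" product="nginx" version="1.18.0"/></port>
      <port protocol="tcp" portid="443"><state state="filtered" reason="no-response"/>
        <service name="https"/></port>
    </ports>
  </host>
</nmaprun>
"""

# Grepable output: fields separated by tabs, ports as port/state/proto/owner/service/rpc/version/
SAMPLE_GNMAP = (
    "# Nmap 7.94 scan initiated Mon Jan  1 00:00:00 2024 as: nmap -sS -sV 192.168.139.1 -oA gateway\n"
    "Host: 192.168.139.1 ()\tStatus: Up\n"
    "Host: 192.168.139.1 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, "
    "80/open/tcp//http//nginx 1.18.0/, 443/filtered/tcp//https///"
    "\tIgnored State: closed (997)\n"
    "# Nmap done at Mon Jan  1 00:00:12 2024 -- 1 IP address (1 host up) scanned in 12.34 seconds\n"
)


def ports_from_xml(xml_text: str, states=("open",)) -> list[dict]:
    """One record per port whose state is in `states`, for every host that is up."""
    records = []
    root = ET.fromstring(xml_text)
    for host in root.iter("host"):
        if host.find("status").get("state") != "up":
            continue
        addr = host.find("address[@addrtype='ipv4']").get("addr")
        mac = host.find("address[@addrtype='mac']")          # present only for local (ARP) scans
        for port in host.iter("port"):
            state = port.find("state").get("state")
            if state not in states:
                continue
            svc = port.find("service")
            product = [svc.get("product"), svc.get("version")] if svc is not None else []
            records.append({
                "host": addr,
                "mac": mac.get("addr") if mac is not None else None,
                "proto": port.get("protocol"),
                "port": int(port.get("portid")),
                "state": state,
                "service": svc.get("name") if svc is not None else None,
                "version": " ".join(v for v in product if v),   # "OpenSSH 8.9p1" or ""
            })
    return records


def ports_from_gnmap(text: str, states=("open",)) -> list[dict]:
    """Parse 'Host: ip (name)<TAB>Ports: ...' lines of grepable output."""
    records = []
    for line in text.splitlines():
        if not line.startswith("Host: "):
            continue
        fields = line.split("\t")
        addr = fields[0].split()[1]
        for field in fields[1:]:
            if not field.startswith("Ports: "):
                continue
            for entry in field[len("Ports: "):].split(", "):
                port, state, proto, _owner, service, _rpc, version, *_ = entry.split("/")
                if state in states:
                    records.append({"host": addr, "proto": proto, "port": int(port),
                                    "state": state, "service": service, "version": version})
    return records


def as_triples(records) -> set[tuple[str, str, int]]:
    return {(r["host"], r["proto"], r["port"]) for r in records}


def newly_open(old_records, new_records) -> set[tuple[str, str, int]]:
    """Ports open now that were not open in the earlier scan: what a re-scan should flag."""
    return as_triples(new_records) - as_triples(old_records)


if __name__ == "__main__":
    for record in ports_from_xml(SAMPLE_XML):
        print(record)
    print("gnmap agrees:", as_triples(ports_from_gnmap(SAMPLE_GNMAP)) == as_triples(ports_from_xml(SAMPLE_XML)))
```

Prefer the XML file when you automate anything: the grepable format has been frozen for years and omits details such as the reason a port was classified, which the XML keeps in the state element's reason attribute.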
TryHackMe Nmap: The Basics | Room Answers
Room answers can be found here.
Full Video WalkThroughs
Unemployed (7h): Very informative. Excellent work