How to Use Nmap to Scan a Network: A Step-by-Step Guide


Using different scanning techniques, Nmap can help you identify the devices, services, and operating systems active on the network. With this information, you can perform a more comprehensive penetration test to uncover any vulnerabilities in the system.

This article will show you how to use Nmap to scan a network and explain the different scan types and options. We will then walk you through scanning an entire network and show you which scans and options to use.

Finally, we will touch on mitigating disruption while performing these Nmap scans.  

Install Nmap

Some of the most common penetration testing distributions, such as Kali, Parrot, and Black Arch, already include Nmap in their list of tools. If you need to install Nmap on something like Ubuntu, refer to our article “How to Install Nmap on Ubuntu: A Comprehensive Guide.” You can also install Nmap on Windows or macOS.


Ensure You Have Permission

Before scanning a network with Nmap, you will need explicit permission from the network owner, or if performing a penetration test, you will need a clearly defined scope of work.

This scope of work, often detailed in a “Rules of Engagement,” outlines what systems can be tested, what types of tests can be performed, and any limitations or restrictions on the testing activities.

Also, before beginning, ensure you have the correct IP addresses for the network you are authorized to test. Misconfigurations or misunderstandings about the target IP range can lead to scanning or testing systems outside your authorized scope, which could lead to legal issues or unintended disruptions.

Select Network Range

Once you have the correct permissions to scan the network with Nmap, your next step is to ensure you have the correct IPs. This could be a specific list of addresses or the whole network, also known as a subnet.

An example of a subnet is 192.168.1.0/24, represented as a CIDR (Classless Inter-Domain Routing) notation.

CIDR notation, in simple terms, is a way to describe a group of IP addresses. In our example, 192.168.1.0 is the beginning of the group, and the /24 tells you how many addresses are included in the subnet. Our subnet has 256 addresses, 254 of which are usable for hosts.
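The scope problem described above (scanning an address outside the authorized range) is cheap to guard against in the shell before any scan starts. The script below is an added example, not part of the original article; the function names ip_to_int, in_scope and check_targets are its own, and it works for IPv4 CIDR ranges like the 192.168.1.0/24 subnet used here.

```shell
#!/bin/sh
# Added example, not from the original article: a scope guard that refuses
# targets outside the CIDR range authorized in the Rules of Engagement.
# Function names (ip_to_int, in_scope, check_targets) are this example's own.
set -eu

# ip_to_int A.B.C.D: print the address as a 32-bit integer (no external tools).
ip_to_int() {
    oldifs=$IFS; IFS=.
    set -- $1                    # split the dotted quad into $1..$4
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_scope IP CIDR: exit 0 if IP lies inside CIDR (e.g. 192.168.52.0/24).
# A bare address with no prefix length is treated as a single host (/32).
in_scope() {
    case $2 in */*) ;; *) set -- "$1" "$2/32" ;; esac
    net=${2%/*}
    bits=${2#*/}
    mask=$(( bits == 0 ? 0 : (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# check_targets CIDR IP...: report every out-of-scope address, exit 1 if any.
check_targets() {
    scope=$1; rc=0; shift
    for ip in "$@"; do
        if ! in_scope "$ip" "$scope"; then
            echo "OUT OF SCOPE: $ip is not in $scope, refusing to scan" >&2
            rc=1
        fi
    done
    return $rc
}

# Demo on constructed addresses: the first call passes, the second is blocked.
check_targets 192.168.52.0/24 192.168.52.1 192.168.52.254 && echo "all targets in scope"
check_targets 192.168.52.0/24 192.168.52.1 192.168.60.1 || echo "scan blocked"
```

In practice the guard sits in front of every nmap call, e.g. check_targets 192.168.52.0/24 $(cat ip-addresses.txt) && nmap -iL ip-addresses.txt ..., so a typo in the target list fails closed.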

Scan Types

Now, we will show you a few scan types that can be used, what they do, and when they would be useful.

Scan type: TCP Connect Scan (-sT)
What does it do? Establishes a full TCP connection with each target port to determine whether the port is open.
Useful for? When you want a reliable method to identify open ports on a target system and are not as concerned about being stealthy.

Scan type: SYN Scan (-sS)
What does it do? Sends a TCP SYN packet to each target port and analyzes the responses to determine whether the port is open.
Useful for? When you want to quickly and discreetly identify open ports on a target system without alerting intrusion detection systems or disrupting normal operations.

Scan type: Comprehensive (-sS -sU -sV -A -p-)
What does it do? Performs a thorough scan of the target, checking all possible ports, identifying the OS and service versions, and running additional checks through script scanning.
Useful for? When you want an in-depth analysis of a target system: open ports, the operating system, and service versions across all possible ports.

For more information on the TCP Connect Scan and the SYN Scan, see our article “Nmap Host Discovery: Your First Step in Ethical Hacking.”

And for more detail on the flags used in the Comprehensive Scan, see “The Top 20 Nmap Commands You Must Know.”

Scan Option

Next, we will explain the significance of three flags that can be used with Nmap to enhance your scanning.

  • -p This port specification flag lets you choose which ports you want Nmap to check.
  • -T This timing flag lets you choose the speed, between 1 and 5, at which Nmap runs, with 1 being the slowest and 5 the quickest.
  • -n This flag tells Nmap to disable reverse DNS resolution, meaning it won’t try to convert IP addresses into hostnames.

See our article “Nmap Cheat Sheet: All the Commands, Flags & Switches” for more flag options.

Scanning an Entire Network Walkthrough

Next, we will demonstrate how to scan an entire network. We'll check for live IP addresses, determine OS versions, identify common services, and uncover any existing vulnerabilities. We'll also output the scan results to files for future reference.

Throughout this process, we'll strive to minimize network disruption as much as possible. For our example, we will be using the subnet of 192.168.52.0/24.

Check for Live Hosts

Our first step is to check the network for any live hosts, as this will enable us to focus our scanning on only the necessary hosts. We will do this by sending a ping to each host on the network. If we get a response, we can assume the host is live.

sudo nmap -sn 192.168.52.0/24 -oN live_hosts.txt  

Nmap Scan for Live Hosts

As you can see from the Nmap scan report, we have discovered six live hosts that we can use to investigate further.

OS Detection

Now that we have our list of live hosts, our next step is to check for operating systems. First, we need to extract the IP addresses from the saved file into a new one. The following command creates a file called ip-addresses.txt containing only the live IP addresses. Because the discovery scan did not disable reverse DNS, a report line may read “Nmap scan report for hostname (192.168.52.1)” rather than “Nmap scan report for 192.168.52.1,” so we take the last field of each line and strip any parentheses instead of relying on a fixed column:

grep "Nmap scan report for" live_hosts.txt | awk '{print $NF}' | tr -d '()' > ip-addresses.txt

Now we can run our Nmap OS detection scan with the following:

sudo nmap -iL ip-addresses.txt -O -oN os_detection.txt  

Nmap OS detection Command
Nmap OS Detection Scan

Our Nmap scan results show us what it believes is the host's operating system. This information is important as it can help us understand potential vulnerabilities of the OS.

Nmap determines the OS of each target by sending a series of specially crafted TCP and UDP packets and analyzing the responses. Different operating systems respond in subtly different ways, and Nmap compares the responses it receives against a database of known OS profiles.

However, it’s important to note that Nmap makes a best guess and may not always be accurate.

Service Scan

Now that we have determined what operating systems are running on some of the hosts, we can move on to checking for common services running. This is beneficial because it allows you to identify the specific services and versions running on the target, providing valuable context about potential vulnerabilities.

nmap -iL ip-addresses.txt -sV -oN common_services.txt

Nmap Service Detection

Our Nmap scan reveals the different services and even versions of those services running on the host. This is incredibly valuable information, as different versions of services can have different vulnerabilities. With this information, you can create a plan moving forward.

Nmap gathers service information by sending probes to each open port and matching the responses against its database of known service signatures. Each service responds differently, which lets Nmap identify the type of service and often its exact version.

Vuln Scan

Next, we will run a vulnerability scan on our live hosts to identify potential weaknesses that could be exploited. This scan will leverage the Nmap scripting engine to check for a wide range of known vulnerabilities.

nmap -iL ip-addresses.txt --script vuln -oN vulnerabilities.txt

Nmap Vuln Scan

As you can see, the Nmap scripting engine provides a wealth of information that we can use to better understand our target system and its potential vulnerabilities. Whether it's outdated software, misconfigurations, or potential entry points into the system, the Nmap vuln scan helps us create a plan of attack.

To learn more about vulnerability scanning with Nmap, see our article “How to Scan Vulnerabilities With Nmap: A Comprehensive Guide.”
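The walkthrough above is four commands plus one extraction step, so it is worth wiring them into a single script. The script below is an added example, not code from the original article: it runs the same four scans and writes the same output files, and its extract_ips function parses the -oN report whether or not reverse DNS filled in a hostname. It adds -n and --max-rate (both described elsewhere in this article) to every scan; the default rate of 100 packets per second and the function names are this example's own assumptions, and the embedded report is a constructed sample, not real scan output.

```shell
#!/bin/sh
# Added example, not from the original article. It chains the article's
# four scans (-sn, -O, -sV, --script vuln) into one script that writes the
# same output files, and extracts IPs from the -oN report in a way that
# works whether or not reverse DNS filled in a hostname.  Assumed additions:
# -n and --max-rate (both described in the article) and the function names.
set -eu

# Constructed sample of an -oN live-host report (not real scan output).
SAMPLE_REPORT='Starting Nmap ( https://nmap.org )
Nmap scan report for 192.168.52.1
Host is up (0.0010s latency).
Nmap scan report for printer.lan (192.168.52.20)
Host is up (0.0030s latency).
Nmap scan report for 192.168.52.99 [host down]
Nmap done: 256 IP addresses (2 hosts up) scanned in 2.50 seconds'

# extract_ips [FILE...]: print one IP per "Nmap scan report for" line.
# Plain lines end in the IP; resolved lines end in "(IP)"; down hosts
# (printed only with -v) are skipped.  Reads stdin when no file is given.
extract_ips() {
    grep '^Nmap scan report for' "$@" \
        | grep -v '\[host down\]' \
        | awk '{ ip = $NF; gsub(/[()]/, "", ip); print ip }'
}

# run_pipeline SUBNET [MAX_RATE]: the article's walkthrough, end to end.
# MAX_RATE caps packets per second (the article's disruption-mitigation flag).
run_pipeline() {
    subnet=$1
    rate=${2:-100}                      # assumed default, tune to the network
    sudo nmap -sn -n --max-rate "$rate" "$subnet" -oN live_hosts.txt
    extract_ips live_hosts.txt > ip-addresses.txt
    if [ ! -s ip-addresses.txt ]; then
        echo "no live hosts found in $subnet" >&2
        return 1
    fi
    sudo nmap -iL ip-addresses.txt -n -O --max-rate "$rate" -oN os_detection.txt
    nmap -iL ip-addresses.txt -n -sV --max-rate "$rate" -oN common_services.txt
    nmap -iL ip-addresses.txt -n --script vuln --max-rate "$rate" -oN vulnerabilities.txt
    echo "wrote live_hosts.txt ip-addresses.txt os_detection.txt common_services.txt vulnerabilities.txt"
}

# With a subnet argument, run the real pipeline; otherwise demonstrate the
# parser on the constructed sample so the script runs without nmap.
if [ -n "${1:-}" ]; then
    run_pipeline "$1" "${2:-100}"
else
    printf '%s\n' "$SAMPLE_REPORT" | extract_ips
fi
```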

Disruption Mitigation

Let’s discuss ways you can mitigate disruption to a network when performing different types of Nmap scans.

We need to first warn you about the potential risks involved while performing Nmap scans. While these tasks are essential to a penetration test, they can also overwhelm or disrupt a network if not done properly.

This can lead to downtime, so understanding the impact of any scans you perform is important.

Here is some advice that can help you avoid network disruption.

  • Before starting your network scan, inform the network administrator or your point of contact. This advance notice helps prevent false positives and unnecessary alarm triggers, ensuring a smoother testing process.
  • Avoid aggressive scans such as the -T5, -A, or -p- flags. These flags are considered aggressive scanning due to their extensive and thorough nature, which can generate a significant amount of network traffic.
  • The -T5 flag sets the timing of the scan to “Insane,” ensuring the scan runs as fast as possible.  This can easily cause disruptions and overwhelm a target system.
  • The -A flag tells Nmap to perform an aggressive scan, including OS detection, version detection, script scanning, and traceroute. It does provide a lot of information but creates a lot of network traffic.
  • The -p- flag tells Nmap to scan all 65535 TCP ports, which can be time-consuming and generate much network traffic.
  • Try to perform your scanning during off-peak hours. This will ease the load on the network and reduce the likelihood of disrupting critical services when they are most needed. Off-peak hours typically see less network traffic, allowing your scans to run more smoothly and with less impact on other users.
  • Additionally, scanning during off-peak hours can help avoid unnecessary alarms, as unexpected network activity during regular business hours could be mistaken for a real cyber attack.
  • Use the --max-rate flag with Nmap to limit the number of packets sent per second. This can be very useful in preventing network congestion or triggering alarms.
  • Work with the network administrator while performing your scans and stay in close communication so they can monitor progress and any issues that arise. That way, you can kill any scan if needed.

Conclusion

Learning to use Nmap to scan a network entails many different elements. We have discussed ensuring you have the correct permission to perform your scans, selecting your network range, and showing you different scan types and options.

We walked you through scanning an entire network, from checking for live hosts to OS detection, service, and vuln scans.

Finally, we discussed avoiding network disruption by following basic guidelines and using the appropriate flags.

With all this information, you should be well on your way to using Nmap to scan a network.


  • Richard Dezso

    Richard is a cyber security enthusiast, eJPT, and ICCA who loves discovering new topics and never stops learning. In his home lab, he's always working on sharpening his offensive cyber security skills. He shares helpful advice through easy-to-understand blog posts that offer practical support for everyone. Additionally, Richard is dedicated to raising awareness for mental health. You can find Richard on LinkedIn, or to see his other projects, visit his Linktree.
