·     Nmap basics

  • Nmap – blocked ports

  • Hping and Megaping as other tools to look for hosts

  • NB: If Nmap fails try Netscan Tools Pro – Angry ip scanner – IP Tools


A. nmap -n iprange (quickly finds other servers)

B. nmap -sS -sV -p- -O -A ipaddress (slow but everything on server)

CEH Suggested way

From Kali box (although doesn’t matter if windows)

A.      Ping Sweep nmap –sP ENTER

B.      Choose specific target and do Stealthy Syn scan – nmap –sS (lists all open ports)

C.      To enumerate the versions of the obtained services, type nmap -sSV -O, and press Enter. Nmap performs the scan and displays the versions of the services, along with an OS fingerprint

D.      Type nmap -sSV -O -oN Enumeration.txt, and press Enter. This ouputs results to Enumeration.txt



Nmap scans the entire network and displays information for all the hosts that were scanned, along with the open ports, device type, OS details, etc

From Windows box

A.      Double-click Nmap - Zenmap GUI shortcut icon from the Desktop to launch the application.

B.      In the Command text field, type the command nmap -O followed by the range of IP addresses. EG: nmap -O 10.10.10.* scan entire 10.10.10 subnet

C.      Click the Ports/Hosts tab, and choose a host’s IP address from the left pane to view all the open ports associated with the selected host.

D.      Click the Host Details tab and select a host’s IP address to view the details of the host that was discovered during the scan.

E.       Click the Scans tab to view the status of the scan

F.       Click the Services tab, and select each service to list all the ports on whom the service is running, their state (open/closed/unknown), version, and so on.


Network Inventory of target machine - Nmap displays the Port, Protocol, State, Service, and Version of the scan.

A.      type the command nmap --packet-trace followed by the IP address of the target machine.

B.      Click the Ports/Hosts tab to display more information on the scan results.


Slow Comprehensive Scan uses three different protocols -TCP, UDP and SCTP, and helps in determining what OS, services and versions the host are running based on the most common TCP and UDP services.

A.      Enter the IP address of the target machine in the Target field, select Slow comprehensive scan from the Profile drop-down list, and click Scan

Null scan

A.      To perform a Null Scan for a target IP address, you need to create a new profile. Click Profile --> New Profile or Command Ctrl+P. Click the Scan tab in the Profile Editor window. Select the Null Scan (-sN) option from the TCP scan drop-down list.

B.      Select None in the Non-TCP scans drop-down list, and Aggressive (-T4) in the Timing template list. Check the Enable all advanced/aggressive options (-A) option, and click Save Changes.


TCP Connect scan - TCP connect() scan uses a normal TCP connection to determine if a port is available

From kali box

A. nmap -sT -T3 -A ip address   (-T switch is used to set the timing template,-A switch is used to enable OS detection, version detection, script scanning, and traceroute)

The scan result includes all the open ports, Operating System Fingerprint Result, nbstat result, smb-os-discovery results, smb version,etc

Xmas Scan - opened/filtered which means a firewall is configured on the target machine.

A.      Type nmap -sX ipaddress to perform an Xmas scan

ACK Scan - No response means the port is filtered and an unfiltered response means the port is closed.

A.      Type nmap -sA -v ipaddress

Stealthy SYN scan with version detection along with OS detection

A.      nmap -sSV -O -oN output.txt.   Outputs results to output.txt file


Use nmap when ports are filtered – Different scans below may show all ports filtered. If ping sweep picks box up try Zombie scan from another active box

From Kali box

A.      Direct scan – nmap ipaddress

B.       Syn Scan – nmap –sS ipaddress

C.      Intense scan – nmap –T4 –A ipaddress

D.      Ping sweep – nmap –sP  (ip range)

E.       Zombie scan – nmap –sI  (Here target is and .12 is the zombie