As a cybersecurity professional, you may often need to scan networks for vulnerabilities and open ports. However, manually checking each port on every system can be daunting, especially when time is of the essence.
Fortunately, a powerful tool available in Kali Linux can make this process much easier: Nmap. Nmap is a popular open-source network scanner that can quickly and efficiently scan large networks, identify hosts, and determine which ports are open and what services are running on them.
In this article, we’ll dive deeply into Nmap and show you how to use it effectively in Kali Linux.
Whether you’re a beginner or an experienced cybersecurity professional, this guide will provide the knowledge and tools you need to scan networks and identify potential vulnerabilities quickly and easily.
So, let’s get started and see how Nmap can help you in your cybersecurity efforts.
How to Use Nmap in Kali Linux?💁
Nmap may be used for certain utilities, and the many choices provided in Nmap can be utilized to complete specific jobs. The primary purpose of Nmap is to secure the system by sniffing traffic and conducting in-depth network analysis.
The operator who created the security infrastructure can receive adequate details about the packet flow using specific network analysis. However, the operator can respond quickly to attacks if they are vigilant and prepared.
The first time you use Nmap, you’ll use the command to search a single IP address. For example, a “network analyst” who sees some strange activity from a single IP can use this to search for false negatives and false positives and find the target if the IP is well-known.
False positives cause unnecessary alerts, which can mask any threat. Using utility to distinguish false positives from false negatives can uncover false positives, keeping network analysts alert and ready to respond to any actual positive attack without fear of false positives.
Nmap is also used to analyze a host for details that could make it a valuable target for hackers on a network. Attackers may, for example, identify a specific victim that has financial information.
A person can use Nmap to analyze a range of IP addresses for cases or vulnerabilities that could be exploited to start an attack in more complex situations. In a more complicated port selecting situation, Nmap could be quite useful.
Nmap offers the ability to scan ports in addition to scanning IP addresses and ranges of IP addresses. Anyone may quickly verify if malware is attacking by using the scanning port, as malware normally targets a particular port on the host.
One can now check a spread of ports, similar to how we could search a range of IP addresses when we’re not sure which ones are problematic.
Nmap can also scan all 65535 ports, including the top 100 most regularly used ports. Note, this scanning always takes a lot of time.
To understand Nmap in detail, I will recommend watching this video on “How Does NMAP Actually Works”
Nmap syntax in Kali Linux
In Kali Linux, network analysis, or “sniffing network” as it is referred to in the hacking world, is a crucial skill and solution that is undoubtedly an imperative necessity. Using network analysis, we can discover potential assaults in the network’s weak points and correct them to protect our system.
Some syntaxes that can help with “network sniffing” are listed below.
Running a Default Scan
nmap -v -A scanme.nmap.org
This triggers the scanner and it discovers open ports. Also, it detects the IP address of the host. The service scan gives you a list of services that are running.
Running a Service Scan
nmap -sV scanme.nmap.org
The results here are very similar to the default scan. Like the default scan, it triggers the scanner and discovers lots of ports. These were the ports we discovered in the previous scan. You equally obtain information about the operating system. This also detects the IP address of the host. The service scan gives you a list of services that are running.
The Syntax for Single IPs Scanning
nmap < 192.168.100.1>
Here, the set of numbers in the angle bracket represents the IP address you would use to perform the scan. You will obtain the same results if you entered Nmap and the hostname. This command shows you all the ports
The Kali Linux Nmap Syntax for Host Scanning
nmap <www.example.com >
‘www.example.com’ is the name of the host URL that you need to perform the network sniffing.
The Syntax For Scanning a Range of IPs
Here, the set of numbers’ 192.168.80.1–100′ represents the range of IPs of which you are performing the network sniffing. You have to put the range’s first and last IP addresses and put a dash in between.
This would take a little longer because it is a wide range of IP addresses.
The Syntax For Single Port Scanning
nmap -p <80> <192.168.1.67>
Here we would be finding a specific port ’80’for the IP Address ‘192.168.1.67.’
Scanning For Multiple Ports For a Specific IP Address
nmap -p 80,443,21 192.168.80.130
Here, we have three ports, 80, 443, and 21, and the IP address is 192.168.80.130. We begin the command with the -p parameter and separate the ports with the sign and no space in between.
The Syntax For Scanning a Range of Ports
nmap -p 1-100 192.168.80.130
The set of numbers’ 1-100′ is an example of a range of ports, while ‘192.168.80.130’ is the IP address. Like in the scanning for multiple ports for a specific IP address, we use the -p parameter.
Scanning the Entire Range of Ports of an IP Address
nmap -p- 192.168.80.130
In this example, we would be scanning all the ports on the IP address ‘192.168.80.130’. This time, we would use the -p- parameter just before the IP address.
Running a Ping Sweep
nmap -sn 192.168.80.130
Most of the time, you would run a full scan using Nmap, but sometimes it is not necessary, especially when you only want to check if the system is alive. This can be done using the ping sweep command.
For this, you input the -sn parameter before the IP address.
In this example, we see that the host is up. This tells us that the host has life.
Running a Ping Agnostic Scan
nmap -pn 192.168.80.130
In Kali Linux Nmap, you run the ping agnostic scan because sometimes, systems have firewalls, and therefore if they detect the ping, they would block it. Making it impossible to detect what is running on that particular system.
Hence, you can avoid running the ping sweep command by inputting the ping agnostic scanning command.
This is done by inputting the ‘-pn’ parameter before the IP address. For example, we would be able to detect all the open ports.
Scanning UDP services
sudo nmap -sU 192.168.80.130
Unlike the connection-oriented TCP services, UDP services are connectionless, making it really difficult to scan then them. When scanning for UDP services, we make such that we use the administrative privileges.
We enter the ‘sudo’ command before inputting the ‘nmap’ command. Then we write -sU before entering the IP address.
The command for UDP services takes a little bit of time.
Running Different Tcp Flags on Scans—Such as the Xmas Tree Scan
sudo nmap -sX -T2 192.168.80.130
The Kali Linux Nmap enables us to run this polite scan. You input it by writing the parameter ‘-sX’ followed by the T2 parameter and the IP address. The -T2 raises the value. This scan also requires the root privileges (sudo) before inputting nmap.
If you wanted an aggressive scan input -T4 and -T5 would yield a paranoid scan.
Because the T2 command is a polite scan, it works at a prolonged speed so expect it to take some time.
The Kali Linux Nmap Syntax for Scanning 100 Most Common Ports
nmap -f <192.168.1.67>
‘192.168.1.67’ is an example of an IP address
The Syntax When Using a TCP SYN Scan
nmap -sS <192.168.1.67>
‘192.168.1.67’ is an example of an IP address
Scanning Different Sets of IP Addresses
nmap 192.168.80.1 192.168.80.2 192.168.80.130
Here, we are targeting only three IP addresses.
Here’s a detailed table on Nmap syntax in Kali Linux:-
||Scan a specific port or range of ports (e.g.
||TCP SYN scan (default)|
||TCP connect scan|
||TCP null scan|
||TCP FIN scan|
||TCP Xmas scan|
||TCP ACK scan|
||Aggressive scan (enables OS detection, version detection, script scanning, and traceroute)|
||Timing template (higher numbers increase speed and aggressiveness)|
||Output scan results to a file in normal format|
||Output scan results to an XML file|
||Output scan results to a grepable file|
||Output scan results to all three file formats with the given basename|
||Script scan using the default set of NSE scripts|
||Script scan using a specific NSE script|
||Specify arguments to pass to NSE scripts|
||Update the NSE script database|
||Scan all 65535 ports|
||Idle scan using a zombie host|
||Treat all hosts as online (skip host discovery)|
||Do not perform DNS resolution|
||Read targets from a file|
||Exclude hosts from the scan|
||Display help message|
||Display Nmap version|
Nmap command in Linux for open ports
The “nmap” command is a powerful network exploration tool used in Linux to discover hosts and services on a computer network and create a network map.
To scan for open ports on a target host, you can use the following syntax:-
nmap <target IP or hostname>
For example, if you want to scan a host with the IP address 192.168.1.1 for open ports, you would run the following command:-
By default, nmap will scan the 1000 most commonly used ports. If you want to scan all ports, you can add the “-p-” option to the command:-
nmap -p- <target IP or hostname>
This will scan all 65,535 ports. However, scanning all ports may take considerable time and can be detected by some network security tools as suspicious activity.
It’s always a good idea to check with your organization’s security policies before performing any network scans.
How to install Zenmap in Kali Linux
Zenmap is a graphical interface for the open-source network scanner Nmap, which is included in Kali Linux by default. To install Zenmap on Kali Linux, you can follow these steps:-
Step 1:- Open a terminal window by clicking on the terminal icon in the top menu bar or pressing
Step 2:- Update the package list by running the following command:-
sudo apt update
Step 3:- Install Zenmap by running the following command:-
sudo apt install zenmap
Step 4:- After the installation is complete, you can launch Zenmap by typing
zenmap in the terminal, or by searching for it in the applications menu.
Note that Zenmap requires root privileges to run, so you may need to use the
sudo command to launch it as an administrator. Also, since Nmap is a powerful network scanning tool, it is important to use it responsibly and with the appropriate permissions.
What is a Nmap scripting engine?
Nmap Scripting Engine (NSE) is a feature within Nmap that enables users to write and execute scripts for automating diverse tasks during network scans.
NSE provides a potent scripting language that interacts with network services, gathers information about hosts, and performs security checks. It includes many pre-built scripts that can be readily modified per specific requirements and allows for creating custom scripts.
Using NSE, users can execute tasks such as vulnerability scanning, service discovery, network inventory, and much more. These scripts can automate repetitive tasks and save time during the scanning process.
NSE can extend the functionality of Nmap beyond the inbuilt features, making it a versatile and powerful tool for network exploration and security auditing.
Here’s a table with some examples of Nmap Scripting Engine scripts:-
|http-title.nse||Retrieves the title of web pages|
|smb-os-discovery.nse||Detects the operating system of SMB servers|
|ftp-anon.nse||Checks if FTP servers allow anonymous access|
|ssh-auth-methods.nse||Identifies SSH authentication methods|
|dns-zone-transfer.nse||Attempts a zone transfer on a DNS server|
|http-open-proxy.nse||Checks if an HTTP proxy allows open proxying|
|ssl-heartbleed.nse||Tests for the OpenSSL Heartbleed vulnerability|
|smb-vuln-cve2009-3103||Checks for the MS09-050 vulnerability in SMBv2|
|mysql-empty-password||Checks if MySQL servers allow empty passwords|
|telnet-brute.nse||Brute forces Telnet authentication|
|smb-enum-users.nse||Enumerates users on SMB servers|
|snmp-brute.nse||Brute forces SNMP community strings|
|smtp-open-relay.nse||Checks if an SMTP server allows open relaying|
|ms-sql-info.nse||Retrieves information about Microsoft SQL Server|
|http-shellshock.nse||Tests for the Shellshock vulnerability in HTTP servers|
How do I scan IP addresses on my network?
To scan IP addresses on your network, you can use the Nmap tool with the appropriate command syntax and the range of IP addresses for your network. For example, the command “nmap -sn 192.168.0.0/24” will scan all devices on a network with the IP address range of 192.168.0.0/24.
How do hackers use Nmap?
Hackers can use Nmap as a reconnaissance tool to gather information about a target network, such as open ports, operating system versions, and software versions. This information can then identify vulnerabilities and launch attacks against the target.
Why is Nmap illegal?
Nmap is not illegal, but it can be used for illegal activities such as hacking and unauthorized network scanning. It is important to use Nmap ethically and legally, and only with proper authorization.
What are the 3 main functions of Nmap?
The three main functions of Nmap are host discovery, port scanning, and service identification. These functions allow Nmap to gather information about a target network, such as what hosts are present, what ports are open, and what services are running on those ports.
How do I use Nmap tools?
To use Nmap tools, open the terminal and enter the appropriate Nmap command syntax for the tool you want to use. For example, to use the Zenmap GUI tool, type “zenmap” in the terminal.
Can I use Nmap on myself?
Yes, you can use Nmap on yourself to test your own network security and identify any vulnerabilities or open ports that an attacker could exploit.
How do I scan a local network?
To scan a local network, use the Nmap tool with the appropriate command syntax and the range of IP addresses for your local network. For example, the command “nmap -sn 192.168.0.0/24” will scan all devices on a local network with the IP address range of 192.168.0.0/24.
How do I scan a file in Linux?
To scan a file in Linux, you can use antivirus software or other security tool that supports file scanning. Nmap is primarily used for network scanning and is not designed for file scanning.
How to see all ports using Nmap?
To see all ports using Nmap, use the appropriate command syntax with the “-p-” option, which scans all ports. For example, the command “nmap -p- [IP address]” will scan all ports on the specified IP address.
How do I write Nmap commands?
To write Nmap commands, use the appropriate syntax and options for the specific scan or function you want to perform. The Nmap documentation provides a detailed reference for the available commands and options.
How do I scan an IP range in Nmap?
To scan an IP range in Nmap, use the appropriate command syntax with the IP address range you want to scan. For example, the command “nmap -sn 192.168.0.0/24” will scan all devices on a network with the IP address range of 192.168.0.0/24.
How do I check if a port is open?
To check if a port is open, use the Nmap tool with the appropriate command syntax and the port number you want to check. For example, the command “nmap -p [port number] [IP address]” will check if the specified port is open on the specified IP address.
How to open port 8080 in Linux?
To open port 8080 in Linux, you must configure the firewall rules to allow incoming traffic on port 8080. The commands and configuration steps may vary depending on the Linux distribution and firewall software used.
How to check port with command?
To check a port with command, use the appropriate command syntax with the port number and the IP address or hostname you want to check. For example, the command “telnet [IP address] [port number]” will check if the specified port is open on the specified IP address.
How to enable Nmap in Linux?
Nmap is already installed and enabled in most Linux distributions. If it’s not installed or enabled, you can install it using the appropriate package manager command for your distribution, such as “sudo apt-get install nmap” for Debian-based distributions.
What is the command for TCP scan in Nmap?
The command for TCP scan in Nmap is “nmap -sS [target]”, which uses the TCP SYN scan technique to identify open ports on the target.
How to connect to VPN on Kali?
To connect to a VPN on Kali, first install a VPN client such as OpenVPN. Then, configure the VPN connection by entering the appropriate settings and credentials. Once configured, you can connect to the VPN using the VPN client software.
Does Kali Linux have a built in VPN?
Kali Linux does not have a built-in VPN, but it supports many VPN clients and can be configured to connect to various VPN services.
How do I start a VPN in a Linux terminal?
To start a VPN in Linux terminal, use the appropriate command syntax for your VPN client software. For example, the command “sudo openvpn [configuration file]” will start a VPN connection using the OpenVPN client.
Does Nmap scan every port?
Nmap can scan every port on a target system by using the “-p-” option, which scans all ports. However, scanning every port can take a long time and may be detected by intrusion detection systems.
Does Nmap scan all open ports?
By default, Nmap only scans common ports and ports that are specified in the command options. However, you can use the “-p-” option to scan all ports, including open and closed ports.
How long should Nmap take?
The time it takes for Nmap to complete a scan depends on the size of the target network, the scanning techniques used, and the available system resources. A basic scan of a single host can take only a few seconds, while a more comprehensive scan of a large network can take hours or even days.
Can Nmap find an IP address?
Nmap can find IP addresses by scanning a network range or using DNS queries to resolve hostnames to IP addresses.
How do I find all IP addresses on a network using Nmap?
To find all IP addresses on a network using Nmap, use the appropriate command syntax with the network range you want to scan. For example, the command “nmap -sn 192.168.0.0/24” will scan all devices on a network with the IP address range of 192.168.0.0/24 and display their IP addresses.
What does Nmap 192.168.1.1 do?
The command “nmap 192.168.1.1” scans the specified IP address (in this case, 192.168.1.1) for open ports and services using the default Nmap scanning techniques.
How do I identify devices on my network?
To identify devices on your network, you can use the Nmap tool to scan the network range and display information about the detected hosts, including their IP addresses, MAC addresses, and operating systems.
How can I see all devices on my network?
To see all devices on your network, you can use the Nmap tool to scan the network range and display information about the detected hosts. You can also use other network scanning and monitoring tools, such as Wireshark or Fing, to identify devices on your network.
After exploring the powerful scanning capabilities of Nmap in Kali Linux, it’s clear that this tool is an invaluable asset for any security professional or enthusiast.
Whether trying to identify vulnerabilities in your network or seeking to conduct surveillance on an external target, Nmap offers a wide range of features and customization options to help you achieve your goals.
From basic ping scans to advanced version detection and scripting, Nmap in Kali Linux is a versatile and powerful tool that should be a part of every security practitioner’s toolkit.
By understanding how to use Nmap effectively and incorporating it into your security workflow, you can better understand your network and take proactive steps to protect against potential threats.
So, whether you’re a seasoned security professional or just starting on your journey, be sure to explore the many capabilities of Nmap in Kali Linux and discover how this tool can help you achieve your security goals.