Nmap (“Network Mapper”) is a reconnaissance utility (or footprinting tool) which you use to discover hosts and services on a computer network by sending packets and analyzing the responses. The general premise is to probe as many listeners as possible, and then keep track of the responses that are useful.

Getting Nmap

Nmap is available on all popular operating systems (Linux, Windows, and Mac) and comes pre-installed on Kali Linux, BlackArch, and Parrot OS.

Authorized Targets

Nmap is a very noisy scanner by default. It can be easily detected by firewalls and servers. (Though it can be a loud as you want it to be.) Please be sure that you have written permission to scan your intended targets.

Nmap provides a site which you may use to test your Nmap installation, or port scanners: scanme.nmap.org

Using Nmap

Type nmap --help to see a list of commands and options you can use with nmap.

nmap -v -A scanme.nmpa.org -v: is for verbose output. It’ll tell you everything it’s doing. -A: enables OS detection, script scanning, and traceroute.

nmap -v -sn 192.168.0.0/16 10.0.0.0/8 -sn: Nmap will scan a range of IP addresses.

Note: the example addresses are from the private network space. They’re commonly used for local area networks (LANs) in home, office, and enterprise spaces.

Most IP blocks are allocated and assigned for internet providers and hosting companies based upon country. This makes it easy to whitelist and blacklist IP ranges. Look up major IP blocks by country for more information.

Using Whois

On Unix-like operating systems, the whois command is a client for the WHOIS directory service. Most versions of whois try to guess the right server to ask for the specified object. If nothing is found, whois will connect to whois.networksolutions.com for NIC handles, or whois.arin.net for IPv4.

whois scanme.nmap.org Use whois on the scanme nmap site.

If you do not have whois on your local machine, searching whois scanme.nmap.org into your search engine will often get you the results you want (though they can be stale).

Using Nslookup

Nslookup is a utility to query DNS servers for resource records. To use nslookup, you must have dnsutils installed. It is often pre-installed on Unix-like and Windows operating systems. Running nslookup will allow you to get the IP address or name of the machine or server.

nslookup scanme.nmap.org Look up the scanme nmap site.

nslookup scanme.nmap.org >> nsresults.txt Save the scan results to a local text file for later parsing.

And that is the tip of the iceberg.