Ethical Hacking 101: Getting started with Nmap

Abhishek Raj
GDSC KIIT
4 min read · Mar 7, 2021


In the previous tutorial, Anirban wrote that the very first step of hacking is reconnaissance.

In this tutorial, we will be learning “How to do Reconnaissance and how to use Nmap?”

NOTE: Port scanning is like walking down a corridor and trying every door handle. Get written permission from the owner before scanning anything you do not control, or you might get in trouble.

What is Nmap?

Nmap is a tool used to scan networks, much as radar is used to scan the air. It can be used to find out:

  • Which ports are open
  • Which services are listening on those ports
  • The OS name and version
  • The versions of the software behind those services
  • Which hosts in a subnet are up
  • Known vulnerabilities in those services, via the Nmap Scripting Engine (NSE)
  • And many more

Example

Suppose your friend asked you to hack his/her website😉. You used Nmap and found the site is served by Apache HTTP Server 2.4.24. Searching a vulnerability database for that exact version tells you which published vulnerabilities, such as denial-of-service bugs, might apply to it, and that is where the actual testing starts.

Installation

First, you need to install Nmap before using it.

# For Debian-based distributions
sudo apt install nmap

For any other OS, see the Nmap download page (https://nmap.org/download.html).

Getting Started

In this tutorial, I will be using the IP Address of my router and a VPS (52.66.109.176).

Host Discovery

Host discovery checks whether the target host is up before any ports are scanned. By default Nmap sends a mix of ICMP and TCP probes; if ICMP is filtered, you can choose the probe yourself, for example a TCP SYN to a port you expect to be open.

Read more on Host Discovery: https://nmap.org/book/man-host-discovery.html

abhishek@hp:~$ sudo nmap -sn -PS 10.10.1.46
Starting Nmap 7.80 ( https://nmap.org ) at 2021-03-01 00:33 IST
Nmap scan report for 10.10.1.46
Host is up (0.0031s latency).
Nmap done: 1 IP address (1 host up) scanned in 0.26 seconds

Here, we can see that our host is up.

-sn means ping scan only: do host discovery and do not scan any ports.

-PS sends an empty TCP packet with the SYN flag set, to port 80 by default; either a SYN/ACK or a RST reply proves the host is up. You can pick the ports yourself, e.g. -PS22,443.

Port Scanning

Port scanning tells you which ports are open, closed or filtered (filtered means a firewall dropped the probe, so Nmap cannot tell whether anything is listening).

Read more about Port Scanning: https://nmap.org/book/man-port-scanning-basics.html

abhishek@hp:~$ sudo nmap -F 10.10.1.46
Starting Nmap 7.80 ( https://nmap.org ) at 2021-03-01 00:33 IST
Nmap scan report for 10.10.1.46
Host is up (0.022s latency).
Not shown: 94 closed ports
PORT STATE SERVICE
53/tcp open domain
80/tcp open http
81/tcp open hosts2-ns
443/tcp open https
8888/tcp open sun-answerbook
9999/tcp open abyss
Nmap done: 1 IP address (1 host up) scanned in 0.52 seconds

Here, we can see that Nmap scanned my router and found 6 open ports. Note that the SERVICE column is only a lookup of the port number in Nmap's nmap-services table (which is why 8888 shows as sun-answerbook and 9999 as abyss); it is not a detection of what is actually listening. Use -sV for that.

-F scans fast by checking only the 100 most common ports instead of the default 1000. You can also choose the ports yourself with -p, e.g. -p 22,80,443 or -p 1-65535 for all of them.

OS Detection

As the name suggests, OS detection is used to find out which OS the host is running, so we can plan our attack accordingly. Nmap does this by sending a series of TCP, UDP and ICMP probes and comparing the responses against its fingerprint database.

Read more on OS Detection: https://nmap.org/book/man-os-detection.html

abhishek@hp:~$ sudo nmap -O 52.66.109.176
Starting Nmap 7.80 ( https://nmap.org ) at 2021-03-01 00:47 IST
Nmap scan report for ec2-52-66-109-176.ap-south-1.compute.amazonaws.com (52.66.109.176)
Host is up (0.047s latency).
Not shown: 996 filtered ports
PORT STATE SERVICE
80/tcp open http
443/tcp closed https
465/tcp closed smtps
8000/tcp open http-alt
Aggressive OS guesses: HP P2000 G3 NAS device (90%), Linux 2.6.32 (89%), Linux 2.6.32 - 3.1 (89%), Ubiquiti AirMax NanoStation WAP (Linux 2.6.32) (89%), Linux 3.7 (89%), Ubiquiti AirOS 5.5.9 (89%), Ubiquiti Pico Station WAP (AirOS 5.2.6) (89%), MikroTik RouterOS 6.36 (88%), Linux 2.6.32 - 3.13 (88%), Linux 3.0 - 3.2 (88%)
No exact OS matches for host (test conditions non-ideal).
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.62 seconds

Here, we can see Nmap has guessed the OS, with a confidence percentage for each guess. Because there was no exact match ("test conditions non-ideal"), treat these as weak hints rather than facts: fingerprinting a host across the internet, through filtering devices, is much less reliable than on a local network, and the service banners in the next section (Ubuntu, Python 3.8.5) point to a far newer system than the Linux 2.6/3.x guesses here.

-O is used to detect the OS.

Version Detection

As the name suggests, version detection is used to find out which service, and which version of it, is running on each open port, so we can plan our attack accordingly. Nmap connects to each open port, reads any banner and sends protocol-specific probes, then matches the responses against its nmap-service-probes database.

abhishek@hp:~$ sudo nmap -sV 52.66.109.176
Starting Nmap 7.80 ( https://nmap.org ) at 2021-03-01 00:55 IST
Nmap scan report for ec2-52-66-109-176.ap-south-1.compute.amazonaws.com (52.66.109.176)
Host is up (0.050s latency).
Not shown: 996 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http nginx 1.18.0 (Ubuntu)
443/tcp closed https
465/tcp closed smtps
8000/tcp open http SimpleHTTPServer 0.6 (Python 3.8.5)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.66 seconds

Here, we can see the name and version of the software running on each open port. Keep in mind that this comes from banners and responses the server chose to send, so it can be outdated or deliberately faked; confirm a version before relying on it.

-sV is used to detect the service and its version.
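Putting the three stages above together (host discovery, port scanning and version detection): the script below is an added example written for this page, not code from the original tutorial. It chains host discovery into a version scan of only the hosts that answered, using Nmap's grepable output (-oG -) so the results can be parsed with awk. live_hosts and open_ports take -oG output on stdin; recon is the live path and assumes nmap is on PATH; the sample output at the bottom is constructed (modelled on the scans shown above) so the parsers can be exercised without scanning anything.

```shell
#!/usr/bin/env bash
# Staged recon with Nmap's grepable output (-oG). Added example, not code from
# the original post. The live "recon" path assumes nmap is on PATH; the parsers
# and the offline demo need only awk.
set -eu

# Print the IP of every host that host discovery (nmap -sn -oG -) reports as "Status: Up".
live_hosts() {
  awk '/^Host:/ && /Status: Up/ { print $2 }'
}

# Turn the "Ports:" field of a port/version scan (nmap -oG -) into one row per open port:
#   <ip> <port>/<proto> <service> <version-or-->
# Each grepable port entry looks like  80/open/tcp//http//nginx 1.18.0 (Ubuntu)/
# (fields: port/state/proto/owner/service/rpcinfo/version). Fields in the
# Host line are tab-separated, so awk gets a literal tab as its separator.
open_ports() {
  awk -F "$(printf '\t')" '
    /^Host:/ {
      split($1, h, " "); ip = h[2]
      for (i = 2; i <= NF; i++) {
        if ($i !~ /^Ports: /) continue
        sub(/^Ports: /, "", $i)
        n = split($i, entry, ", ")
        for (j = 1; j <= n; j++) {
          split(entry[j], f, "/")
          if (f[2] != "open") continue
          ver = (f[7] == "") ? "-" : f[7]
          printf "%s %s/%s %s %s\n", ip, f[1], f[3], f[5], ver
        }
      }
    }'
}

# Live pipeline: discover, then version-scan only the hosts that answered.
# TCP SYN probes to 22/80/443 are used for discovery in case ICMP is filtered.
recon() {
  up=$(nmap -sn -PS22,80,443 -oG - "$@" | live_hosts)
  [ -n "$up" ] || { echo "no live hosts" >&2; return 1; }
  # shellcheck disable=SC2086  # splitting $up into separate targets is intended
  nmap -sV -F -oG - $up | open_ports
}

# Constructed sample -oG output, modelled on the scans in the post (not real captures).
SAMPLE_DISCOVERY=$(printf 'Host: 10.10.1.46 ()\tStatus: Up\nHost: 10.10.1.47 ()\tStatus: Down\n')
SAMPLE_VERSIONS=$(printf 'Host: 52.66.109.176 (ec2-52-66-109-176.ap-south-1.compute.amazonaws.com)\tPorts: 80/open/tcp//http//nginx 1.18.0 (Ubuntu)/, 443/closed/tcp//https///, 8000/open/tcp//http//SimpleHTTPServer 0.6 (Python 3.8.5)/\tIgnored State: filtered (996)\n')

# Offline demo: run both parsers over the constructed sample.
demo_offline() {
  printf '%s\n' "$SAMPLE_DISCOVERY" | live_hosts
  printf '%s\n' "$SAMPLE_VERSIONS" | open_ports
}

demo_offline
```

Run it as-is to see the parsers work on the constructed sample (one live host, then the two open ports with their versions; the closed 443 is dropped); call recon 10.10.1.0/24, or any target you are allowed to scan, for a live run. Nmap's own documentation describes grepable output as deprecated in favour of XML (-oX), which carries more detail such as the CPE strings shown in the -sV output above; for anything beyond a quick awk pipeline, parse the XML instead.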

You can practice Nmap commands here: 52.66.109.176. I have also hidden an easter egg 🤫. Try to find it and tell me in the comments😎.

Thanks for reading.
