5 min read

How to Use Nmap for Host Enumeration

How to Use Nmap for Host Enumeration

Nmap is a robust network scanning, and host enumeration program developed originally by Gordon Lyon. Nmap is free and open-source, which has helped become the most popular network enumeration tool out there.

If you're thinking of taking the OSCP, PNPT, Pentest+, or any other red-team certificate, you'll have to be fluent in the operation of this tool.

First of all, what is Nmap for in plain English?

If you want to find out what hosts are on a network and what ports are open, this is what Nmap was built for. There are also advanced scripting options that can help further enumerate what's happening on the network, which can help both red and blue teams.


The simplest way to run Nmap is just by typing

nmap <ip address to scan>

That's it. That's all it takes to run your first scan. There are numerous options and ways to view this information so let's delve into that next.

Whenever you run Nmap against a host, you'll get one of three responses from each port that you scan:

Open -  The port is accepting a connection

Closed - No service is listening

Filtered - probes are not reaching the port, and no response is returned. This is typically due to a firewall.

If you want the best guess, Nmap has as to why something is open or closed, type "--reason" in the command line.  

Now, what happens if you do not see the response you expect? You can try a few different attack methods:

Primary Scanning Methods

-Perform a TCP connect scan using the -sT flag
This uses the operating system to send packets and completes the TCP connection. This does tend to create connection log records.

Sends a SYN:
--If closed, responds with RST
--If open, will respond with SYN/ACK
---Nmap will respond with ACK
--If the firewall blocks it, there will be no response and Nmap will report that the port is filtered

-Perform a Syn "half-open" or "stealth" scan using the -sS flag
Stealthy-ish scan
--Like a Connect scan except sends a RST instead of ACK to open ports
--Never completes TCP connection
--Risk of knocking some unstable services offline
--Requires sudo in Linux
--Default scan when run with sudo

-Perform a UDP scan using the -sU flag
nmap -sU <IP>

Sends UDP packet:
--If closed, victim responds with ICMP Unreachable
--If open, no response
Typically run with "--top-ports 20" to reduce scan time

Secondary Scanning Methods

If that didn't work, you can try some firewall evasion techniques by editing TCP flags directly:

TCP Null: -sN TCP Connect scan but with no flags set
nmap -sN <IP>

TCP Fin: -sF TCP Connect scan but with FIN flag set
nmap -sF <IP>

TCP Xmas (so called because it lights up flags like a Christmas tree and also tends to be noisy): -sX <IP>. This is a connect scan but with URG, PUSH, and FIN flag set
nmap -sX <IP>

Firewall Evasion Techniques

Let's say that didn't work either. Here's a short section on firewall evasion

Did you try -Pn ? (Caution: Will take a long time since it doesn't check for the host being online)

Try -f to fragment packets to reduce the chance of firewall or IDS detecting

Try --mtu <multiple of 8> to try different MTU sizes

Try --scan-delay <time>ms to delay packets. Can evade some IDS situations.

Try --badsum to send invalid checksums, which helps determine the presence of a firewall. The firewall may potentially respond automatically.

Try --data-length <num> to add arbitrary data to the end of packets

Misc. Options

If you're looking to perform host discovery using ICMP ping sweeping, you can type nmap -sn <IP>

What about if you want to enumerate the service versions being run? nmap -sV <IP>Attempts to determine the version of the port service

What about if you only are targeting a specific port or range of ports?

Try this:
Checks TCP port 22 and 25
nmap -p <port> <IP>nmap -p22,25

Checks for UDP port 53 and TCP 22 and 25
nmap -p U:53, T:22,25

Scan all ports:
nmap -p- <IP>

If you don't want to perform the full version detection for all ports on a host and just want to fingerprint the operating system, try nmap -O <IP>

If you expect a lot of hidden devices on the network, you can skip the host discovery phase of a scan by typing: nmap -Pn <IP>

This treats all hosts as online regardless of response and is very slow since it will ping offline machines

If you happen to have a pre-made file of all known IPs on the network and want to import that, use this command: nmap -iL <filename>

What about if you want to control the speed of a scan?
-T0 one port per 5 minutes
-T1 one port per 15 seconds
-T2 Slow
-T3 Normal
-T4 Extremely fast
-T5 May crash

If you want extra verbosity, try the -v or -vv switches

If you're doing a CTF and don't particularly care about alerting the world to what you're doing, you can bundle the service/OS fingerprinting/traceroute/common scripts all together and perform an aggressive scan using the -A switch

Output Control

We can also control our output format:

-oN Normal output
nmap -oN <filename> <IP>

-oG Grepable output
nmap -oG <filename> <IP>

-oX XML output
nmap -oX <filename> <IP>

-oA combined format
nmap -oA <filename> <IP>

Why would we want to save scans?

You could check before/after network conditions using the Linux ndiff command to see what's changing on your network:
ndiff <target1.xml> <target2.xml>

Nmap Scripting Engine

Nmap also comes with a powerful scripting engine that can be referenced here.

It can be easily used by typing --script=<script-name>

For example: --script=http-fileupload-exploiter

Commas can add more scripts if needed: --script=smb-enum-users,smb-enum-shares

Here's a link to the master script list

The local directory for scripts: /usr/share/nmap/scripts

Alternatively, you can run this command to try to find useful scripts.

Substitute your keyword of choice for ^ttp (which will find scripts that start with "http")
nmap --script-help "http*" | grep "

Here's a SMB attack script example: nmap -p 445 --script=smb-enum-shares.nse,smb-enumusers.nse <IP>

Here's a Nmap scan to show network file systems attached to port 111 using rpcbind:
nmap -p 111 --script=nfs-ls,nfs-statfs,nfs-showmount <IP>

Whenever reviewing the NSE script engine, here's an explanation of category terms:

Safe: won't affect target Intrusive: not safe

Vuln: scan for vulnerabilities

Exploit: attempt to exploit vulnerabilities Auth: attempt to bypass authentication for running services (like anonymous login) Brute: attempt to brute force

Discovery: attempt to query running services (i.e. SNMP) I hope this helps you with your CTF and certification exam studying.

Happy scanning!