Educational Purposes Only!

NMAP ("Network Mapper") is a free and open source utility for network discovery and security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. NMAP uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. It was designed to rapidly scan large networks, but works fine against single hosts. - https://nmap.org/

NMAP (ICMP Ping Based) Examples

ifconfig //to find the network address segment to start looking at, based on the attacker's location; you can also guess other network segments to scan later.


wlp2s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
        inet netmask broadcast
        inet6 fe80::daa9:97f:e49:74a7 prefixlen 64 scopeid 0x20<link>
        ether 38:ba:f8:79:73:9a txqueuelen 1000 (Ethernet)
        RX packets 38616 bytes 44083665 (42.0 MiB)
        RX errors 0 dropped 0 overruns 0 frame 0
        TX packets 21495 bytes 2530134 (2.4 MiB)
        TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

Host discovery

nmap -sn //192.168.43 is the network portion and .1 is the host, so we test all the possible hosts on the network. Add -n to port scan each.


Starting Nmap 7.40 ( https://nmap.org ) at 2019-11-20 00:37 GMT
Nmap scan report for <-- Actual VM
Host is up (0.0041s latency).
Nmap scan report for <-- Computer hosting VM
Host is up (0.00026s latency).
Nmap done: 254 IP addresses (2 hosts up) scanned in 11.97 seconds

Intense/Noisy Scan

nmap -sC -sV -vvv -oA ~/Documents/nmapscan.txt


Starting Nmap 7.40 ( https://nmap.org ) at 2019-11-20 00:44 GMT
Nmap scan report for
Host is up (0.021s latency). <-- host is up and responding
Not shown: 999 closed ports
PORT   STATE SERVICE VERSION
53/tcp open  domain  dnsmasq 2.51 <-- Useful Info
| dns-nsid:
|   bind.version: dnsmasq-2.51
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.49 seconds
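The -oA option above takes a basename and writes three files (.nmap, .gnmap and .xml); the grepable .gnmap form is the easiest to post-process, and works for the -sn sweep as well as this -sC -sV scan. The following Python is added here as an example and is not part of the original notes: it parses .gnmap text into live hosts and open services, using a constructed sample with RFC 5737 documentation addresses rather than real scan data.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of nmap grepable output (.gnmap, as written by -oA/-oG).
# 192.0.2.0/24 is a documentation range; these are not real hosts.
SAMPLE_GNMAP = """\
# Nmap 7.40 scan initiated Wed Nov 20 00:44:01 2019 as: nmap -sC -sV -oA scan 192.0.2.0/24
Host: 192.0.2.1 (gateway.lan)\tStatus: Up
Host: 192.0.2.1 (gateway.lan)\tPorts: 53/open/tcp//domain//dnsmasq 2.51/, 80/filtered/tcp//http///\tIgnored State: closed (998)
Host: 192.0.2.20 ()\tStatus: Up
Host: 192.0.2.20 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.4p1/\tIgnored State: closed (999)
Host: 192.0.2.30 ()\tStatus: Down
# Nmap done at Wed Nov 20 00:44:16 2019 -- 256 IP addresses (2 hosts up) scanned in 15.49 seconds
"""

# Every data line is "Host: <ip> (<hostname>)<TAB><Key>: <value>[<TAB><Key>: <value>...]"
HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)\t(.*)$")

@dataclass
class Host:
    ip: str
    hostname: str = ""
    status: str = "unknown"
    ports: list = field(default_factory=list)  # (port, proto, state, service, version)

def parse_gnmap(text):
    """Parse grepable nmap output into {ip: Host}; comment lines are skipped."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue
        ip, name, rest = m.groups()
        host = hosts.setdefault(ip, Host(ip, name))
        for chunk in rest.split("\t"):
            key, _, value = chunk.partition(": ")
            if key == "Status":
                host.status = value.lower()
            elif key == "Ports":
                for entry in value.split(", "):
                    # Each entry is port/state/protocol/owner/service/rpc info/version/
                    f = entry.split("/")
                    host.ports.append((int(f[0]), f[2], f[1], f[4], f[6]))
    return hosts

def live_hosts(hosts):
    return sorted(ip for ip, h in hosts.items() if h.status == "up")

def open_services(hosts):
    return [(ip, p, svc, ver) for ip, h in sorted(hosts.items())
            for p, proto, state, svc, ver in h.ports if state == "open"]
```

Filtered ports are kept in each Host but excluded from open_services, so a firewall in the path shows up as a difference between the two views.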

Top tip - You can use NSE scripts to test if something is vulnerable:

nmap --script ftp-vsftpd-backdoor -p 21

Netdiscover (ARP Based) Example

sudo netdiscover -r (if you know your subnet segment, use the above and then find the other machines more easily!)


Currently scanning: Finished! | Screen View: Unique Hosts

3 Captured ARP Req/Rep packets, from 1 hosts. Total size: 126

IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
b4:c4:fc:f8:63:7e 3 126 Unknown vendor <-- My VM (must be on the same network and subnet; accommodation wifi likes to mess with this)

The above mainly assumes DHCP, because user-defined static IPs tend to be harder to track.

Useful Link: https://pentester.land/tips-n-tricks/2018/06/26/How-to-get-the-IP-address-of-a-downloaded-vulnerable-machine.html