Nmap | What is scanning? Do Network, Port & Service Scanning!

Scanning is an active technique of information gathering, unlike footprinting, which is entirely passive. Scanning is performed just after footprinting; it's a post-reconnaissance, pre-attack step.


About Scanning

Scanning can be broadly divided into the following categories:

  • Network Scanning
  • Port Scanning
  • Vulnerability Scanning

The main objectives of these scans are:

  • Detecting live machines and devices on the network (Network Scanning)
  • Detecting open ports and services on live machines and devices (Port Scanning)
  • Finding security flaws which can be exploited later (Vulnerability Scanning)

Network Scanning

In this process, we scan the network, or a certain range of IPs on the network, to find live machines.

To scan a network, we have different tools and techniques available. Some tools only send ping requests, while others are highly customizable and let us send different types of packets/requests as needed.

Port Scanning

In this process, we already know the IP addresses of the live machines. Now we scan these machines further to find open ports and running services.

There are many tools available for port scanning, and they perform service scanning at the same time as well.

Vulnerability Scanning

When we are done with network and port scanning, it's time for vulnerability scanning.

In vulnerability scanning, we use automated or semi-automated tools to scan online systems / web applications to locate security flaws. We then begin targeting critical security flaws that can be exploited.

We'll learn vulnerability scanning in later tutorials. We have dedicated a few tutorials only to vulnerability scanning and exploitation.

Setting Up a Local Area Network (LAN)

Before you plan to scan any network, let me tell you: it's illegal. Scanning any network without prior permission from the network administrator and owner is a crime. Never scan any network that you don't own or have no prior permission for.

Most probably, you'll have a LAN at your house. If not, you can easily create one using any router or your smartphone. To create a LAN at your home:

  • Switch on the router and connect a few devices (mobile, tablet, PC or laptop, etc.).
  • Or switch on the hotspot on your mobile phone and connect a few devices to it.

Just for your information, I have these two inexpensive routers and use them throughout this hacking course.

  • Asus (3 in 1: Router, Repeater and Bridge).
  • D-Link 2750U (an ADSL router)

Nmap Commands for Network Scanning

So, you are already running Kali; open the terminal and fire up the following nmap (Network Mapper) command:

nmap -sP

The above nmap command sends ICMP ping packets to all the IPs on the network. These ping requests/packets are received by all the live machines in the IP address range of to

To identify live machines on the network, the ping scan relies on the replies it receives from those live machines.

Please note that a ping scan is by nature very loud and less effective nowadays. Secured machines don't reply to ping requests. Moreover, it raises security flags in the IDS/IPS (intrusion detection/prevention system) that runs on the network server. They catch you and ban your IP address and network access.

Therefore, we need to do it another way.

nmap -sS

The above command does a SYN scan. It provides better and more accurate results.

This command tries to initiate a connection with all the machines on the network using a synchronization (SYN) request. Live machines then send acknowledgement (SYN/ACK) packets in return to the SYN request. These ACK packets include basic information about the respective machine and also prove that it's live and running.
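The previous section notes that an IDS/IPS raises flags on a sweep like this. To show what such detection looks like from the defender's side, here is an added example (not from this tutorial) in Python: it replays constructed connection-log lines of the form `<epoch> <src_ip> <dst_ip> <dst_port> <tcp_flags>` and flags any source that sends bare SYNs to many distinct ports within a short window. The log format, the threshold and the window are all assumptions chosen for the example.

```python
"""Toy SYN-sweep detector (added example, not from the original tutorial).

It replays constructed log lines '<epoch> <src_ip> <dst_ip> <dst_port> <flags>'
and alerts on any source that touches at least THRESHOLD distinct destination
ports within WINDOW seconds using bare SYN packets. A real IDS keys on more
fields and tunes the numbers per environment; the logic is the same idea.
"""
from collections import defaultdict, deque

# Constructed sample log: 10.0.0.5 probes eleven ports with bare SYNs in a few
# seconds, while 10.0.0.9 completes two ordinary connections (SYN then ACK).
SAMPLE_LOG = """\
1700000000 10.0.0.5 10.0.0.20 22 S
1700000000 10.0.0.5 10.0.0.20 23 S
1700000001 10.0.0.5 10.0.0.20 25 S
1700000001 10.0.0.5 10.0.0.20 80 S
1700000002 10.0.0.5 10.0.0.20 110 S
1700000002 10.0.0.5 10.0.0.20 143 S
1700000003 10.0.0.5 10.0.0.20 443 S
1700000003 10.0.0.5 10.0.0.20 445 S
1700000004 10.0.0.5 10.0.0.20 3389 S
1700000004 10.0.0.5 10.0.0.20 8080 S
1700000004 10.0.0.5 10.0.0.20 8443 S
1700000000 10.0.0.9 10.0.0.20 443 S
1700000000 10.0.0.9 10.0.0.20 443 A
1700000005 10.0.0.9 10.0.0.20 22 S
1700000005 10.0.0.9 10.0.0.20 22 A
"""

THRESHOLD = 10  # distinct ports inside one window that triggers an alert (assumed)
WINDOW = 10     # sliding window length in seconds (assumed)


def parse_line(line):
    """Split one constructed log line into typed fields."""
    ts, src, dst, port, flags = line.split()
    return int(ts), src, dst, int(port), flags


def detect_port_scans(log_text, threshold=THRESHOLD, window=WINDOW):
    """Return {src_ip: sorted distinct ports} for every source whose bare-SYN
    attempts hit at least `threshold` distinct ports within `window` seconds."""
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    recent = defaultdict(deque)  # src -> deque of (ts, port) still inside the window
    alerts = {}
    for ts, src, _dst, port, flags in events:
        if flags != "S":  # only count connection attempts, not established traffic
            continue
        q = recent[src]
        q.append((ts, port))
        while q and ts - q[0][0] > window:  # drop attempts that fell out of the window
            q.popleft()
        distinct = {p for _, p in q}
        if len(distinct) >= threshold:
            alerts[src] = sorted(distinct)
    return alerts


if __name__ == "__main__":
    for src, ports in detect_port_scans(SAMPLE_LOG).items():
        print(f"possible port scan from {src}: {len(ports)} ports, e.g. {ports[:5]}")
```

Two ordinary connections from the same client never reach the threshold, while the sweeping source is reported after its tenth distinct port; lowering `WINDOW` or raising `THRESHOLD` trades sensitivity against false positives, which is exactly the tuning knob a real IDS exposes.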

Nmap Commands to Elevate Scanning!

  • You can use the -v option to show detailed (verbose) information. Example: nmap -v -sS
  • You can use the -f option to fragment packets, which sometimes helps in bypassing a firewall.
  • When not in a hurry, use -T3 or -T2 for detailed and accurate scanning. E.g. nmap -T3
  • You can also define IP ranges in nmap commands as 192.168.1.* or or . All are the same!
  • Use the --exclude option to exclude some IPs from your scan. Example: nmap --exclude
  • For more commands, just type nmap in the terminal or read the Network Mapper manual page with the command: man nmap.

Nmap | How To Do Port Scanning and Service Scanning?

Now we are at the point where we have the IP addresses of the live machines. We can target each IP individually to scan it further for open ports and the services it is running.

We'll obviously use Nmap (Network Mapper) for port scanning as well as service scanning.

NMAP Commands for Port Scanning

As usual, open the terminal and try the following nmap commands (don't forget to replace the IPs with live IPs from your network, obtained via network scanning):

  • Scan a single host: nmap
  • Scan multiple IP addresses or a subnet: nmap (be careful, there's a space between each IP)
  • Scan by excluding a host (this excludes the host while scanning): nmap --exclude (be careful, it's hyphen-hyphen-exclude)
  • Fast scan of a network range: nmap -F (be careful, it's a capital F)
  • To see the packets sent and received by Network Mapper: nmap --packet-trace
  • Scan a particular port: nmap -p 22
  • Scan multiple ports: nmap -p 80,22,21 (no spaces between the port numbers)
  • Scan all ports of an IP address: nmap -p "*"

NMAP Commands for Service Scanning

Here are a few Network Mapper switches and commands that can be used to perform service scanning. They can be combined with the nmap port-scanning commands above:

  • nmap -sV
  • nmap -sU -sV
  • nmap -T4 -F -sV
  • nmap -O
  • nmap -O --osscan-guess
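Once -sV has produced a list of ports and service versions for the hosts on your own LAN, the useful next step is to compare it against what you expect to be running. The following added example (Python; not part of this tutorial) parses Nmap's normal, human-readable output and reports open ports missing from a baseline. The scan text is constructed to look like `nmap -sV` output and the baseline allowlist is an assumption for a home network; both are embedded inline so the code runs offline.

```python
"""Parse Nmap's normal output and diff it against an expected-ports baseline.

Added example, not from the original tutorial. SAMPLE_NMAP_OUTPUT is constructed
to resemble 'nmap -sV' output (it is not a real scan) and EXPECTED_OPEN is an
assumed allowlist of what each host on the LAN is supposed to expose.
"""
import re

SAMPLE_NMAP_OUTPUT = """\
Starting Nmap 7.94 ( https://nmap.org )
Nmap scan report for 192.168.1.10
Host is up (0.0021s latency).
Not shown: 996 closed tcp ports (reset)
PORT     STATE    SERVICE       VERSION
22/tcp   open     ssh           OpenSSH 8.9p1 Ubuntu 3ubuntu0.1
80/tcp   open     http          nginx 1.18.0
3389/tcp open     ms-wbt-server?
8080/tcp filtered http-proxy

Nmap scan report for router.lan (192.168.1.1)
Host is up (0.0030s latency).
PORT   STATE SERVICE VERSION
53/tcp open  domain  dnsmasq 2.89

Nmap done: 2 IP addresses (2 hosts up) scanned in 12.34 seconds
"""

# Assumed baseline: ports each host is expected to have open.
EXPECTED_OPEN = {
    "192.168.1.10": {22, 80},
    "192.168.1.1": {53},
}

# "Nmap scan report for 10.0.0.1" or "Nmap scan report for name (10.0.0.1)"
HOST_RE = re.compile(r"^Nmap scan report for (?:\S+ \()?(\d{1,3}(?:\.\d{1,3}){3})\)?")
# "<port>/<proto> <state> <service> [<version text>]"
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")


def parse_nmap_output(text):
    """Return {ip: [port records]} from Nmap normal output."""
    hosts, current = {}, None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = m.group(1)
            hosts[current] = []
            continue
        m = PORT_RE.match(line)
        if m and current:
            port, proto, state, service, version = m.groups()
            hosts[current].append({
                "port": int(port),
                "proto": proto,
                "state": state,
                # A trailing '?' means Nmap could not confirm the service; the name
                # is only its guess from the port-to-name table.
                "service": service.rstrip("?"),
                "confident": not service.endswith("?"),
                "version": (version or "").strip(),
            })
    return hosts


def unexpected_open_ports(hosts, expected=EXPECTED_OPEN):
    """Open ports per host that the baseline does not list (filtered/closed ignored)."""
    findings = {}
    for ip, records in hosts.items():
        open_ports = {r["port"] for r in records if r["state"] == "open"}
        extra = open_ports - expected.get(ip, set())
        if extra:
            findings[ip] = sorted(extra)
    return findings


if __name__ == "__main__":
    parsed = parse_nmap_output(SAMPLE_NMAP_OUTPUT)
    for ip, ports in unexpected_open_ports(parsed).items():
        print(f"{ip}: unexpected open ports {ports}")
```

Keeping the baseline under version control and re-running this after each scan turns an ad hoc Nmap run into a small exposure check: a port that appears without a matching entry (here the unconfirmed 3389/tcp) is something to investigate on the host, and the `confident` flag tells you when the service name came from a fingerprint rather than a table lookup.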
