Hacking Tool: nmap

The free Network Mapper

posted in security on

Before Trinity could take down the electric grid, she had to find an attack vector. Her hack started with… nmap!

And then she used an actual SSH exploit. Nmap can obviously do more than tell you whether SSH is on port 22 ;)

What

nmap/nmap: GitHub mirror of the official SVN repository.

A CLI tool to discover hosts and services on a computer network by sending packets and analyzing the responses.

If you would rather have a GUI, there is Zenmap.

How

List all bells & whistles:

nmap --help

Fast Scan

Takes roughly 10s.

nmap -sT -T4 -Pn 10.23.10.2

This lists all ports that have something listening.
The service name displayed is only the service conventionally assigned to that port number; without version detection there is no telling whether that service is actually what is running there.

Flags used:

  • -sT: Scan technique: TCP connect scan. It completes the full handshake, so it will show up in server logs.
    • -sS: SYN scan. Quick (thousands of ports/sec), unobtrusive and stealthy, with clear, reliable differentiation between the open, closed, and filtered states. The default (when nmap has raw-packet privileges) and most popular.
    • -sU: UDP scan
  • -T<0-5>: Set timing template (higher is faster)
    • paranoid (0) & sneaky (1): IDS (Intrusion Detection System) evasion
    • polite (2): Don’t overload the target machine
    • normal (3): the default
    • aggressive (4): for fast and reliable networks
    • insane (5): for extraordinarily fast networks
  • -Pn: Treat all hosts as online – skip host discovery

Slow Scan

Takes roughly 10m.

nmap -sT -T4 -Pn -sV -O -p- 10.23.10.2

Flags used:

  • -sV: Probe open ports to determine service/version info
  • -O: Enable OS detection
  • -p <port ranges>: Only scan the specified ports; -p- (as used above) scans all 65535 ports instead of the default top 1000
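The caveat from the fast scan (a service name without -sV is just the default for that port number) can be checked mechanically once you save the scan with -oG. This is an added example, not code from the original post: it parses constructed nmap greppable output for the hosts 10.23.10.2 and 10.23.10.3 (both made up, as is the OpenSSH banner) and separates services confirmed by a -sV probe from plain port-number guesses.

```python
from dataclasses import dataclass

# Constructed sample of nmap greppable output (-oG -), not a real scan.
# 10.23.10.2 was scanned without -sV, so the version field is empty and the
# service name is only the nmap-services default for the port number. 10.23.10.3
# was scanned with -sV, which found that 8080 is really SSH, not "http-proxy".
SAMPLE_OG = """\
# Nmap 7.94 scan initiated as: nmap -sT -T4 -Pn -oG - 10.23.10.2
Host: 10.23.10.2 ()\tPorts: 22/open/tcp//ssh///, 8080/open/tcp//http-proxy///\tIgnored State: closed (65533)
# Nmap 7.94 scan initiated as: nmap -sT -T4 -Pn -sV -p- -oG - 10.23.10.3
Host: 10.23.10.3 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 (Ubuntu Linux; protocol 2.0)/, 8080/open/tcp//ssh//OpenSSH 8.9p1 (protocol 2.0)/\tIgnored State: closed (65533)
"""

@dataclass
class OpenPort:
    host: str
    port: int
    proto: str
    service: str
    version: str

    @property
    def confirmed(self) -> bool:
        # Empty version: no -sV probe matched, so the label is a port-number lookup only.
        return bool(self.version)

def parse_grepable(text: str) -> list[OpenPort]:
    """Open ports from -oG output; entries are port/state/proto/owner/service/rpcinfo/version/."""
    results = []
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue  # comment lines and "Status:" lines carry no ports
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for entry in ports_field.split(","):
            fields = entry.strip().split("/")
            if len(fields) < 7 or fields[1] != "open":
                continue
            # nmap writes '/' inside a version string as '|' to keep the separators unambiguous
            version = fields[6].replace("|", "/")
            results.append(OpenPort(host, int(fields[0]), fields[2], fields[4], version))
    return results

def unconfirmed_services(ports: list[OpenPort]) -> list[tuple[str, int, str]]:
    """Open ports whose service label is only a guess from the port number."""
    return [(p.host, p.port, p.service) for p in ports if not p.confirmed]

if __name__ == "__main__":
    for p in parse_grepable(SAMPLE_OG):
        print(p, "confirmed by -sV" if p.confirmed else "guessed from port number")
```

Feed it a real file written with `nmap ... -oG scan.gnmap` and everything returned by unconfirmed_services is a port you still have to verify by hand or with -sV.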

Docker

There is a Docker image for that…

docker run --rm -it instrumentisto/nmap -A -T4 scanme.nmap.org

Flags used:

  • -A: Enable OS detection, version detection, script scanning, and traceroute

When

At the start of the itenium Security Bootcamp, at least one player per team should do an nmap scan to discover services that are not (yet) available directly from the Portal.


Tags: tutorial hacking