Network Reconnaissance Using Nmap - One STOP Solution

Overview on Network Reconnaissance

Network reconnaissance is a critical part of any network pentesting operation. The more you know about the target's network, the better you understand its infrastructure and the potential attack vectors that lead to exploitable vulnerabilities. By combining passive techniques (DNS records, WHOIS data, public search results) with active tools such as Nmap, an attacker can gather a large amount of information with a relatively low probability of detection.

Overview on Nmap

Nmap is a must-have tool for network reconnaissance. It is a network scanner designed to discover hosts, the ports they expose, the services and versions behind those ports and, with fingerprinting, the operating system they run. Which of these you learn depends on the scan type you choose. We can launch scans against a single IP address, a hostname, a CIDR range or a list of targets and learn a significant amount about the target's network.


Most useful Scan types of Nmap:

SYN Scan

This is the default scan when Nmap runs with root privileges (-sS), and it is often called a half-open scan because it never completes the TCP handshake. Nmap sends a SYN to each target port. A SYN/ACK reply means the port is open (Nmap then answers with a RST instead of the ACK, so no connection is ever established); a RST reply means the port is closed; no reply, or an ICMP unreachable error, means the port is filtered. Because no connection is made, the application behind the port does not see the probe and usually does not log it. The SYN packets themselves are still visible to firewalls, IDS sensors and flow logs, so "silent" means quieter than a full connection, not invisible.


TCP Scan

The TCP connect scan (-sT) is what Nmap falls back to when it cannot send raw packets, for example when run as an unprivileged user. Instead of crafting its own SYN, it asks the operating system to complete the full three-way handshake (SYN, SYN/ACK, ACK) and then closes the connection. The results are as accurate as a SYN scan, but because a real connection is established the service on the other side sees it and will normally log it, and the extra packets make the scan slower and noisier. Keep an eye on how quickly you open connections so that you do not exhaust resources on the target or on devices in between.


UDP Scan

The UDP scan (-sU) is not specific to Windows: it finds services such as DNS (53), SNMP (161), NTP (123), DHCP (67/68) and TFTP (69) that never show up in a TCP scan. Nmap sends a UDP packet (a protocol-specific payload where it knows one, otherwise empty) to each port: a UDP reply means open, an ICMP port unreachable means closed, and no reply is reported as open|filtered because a silent service and a dropped packet look the same. Many hosts rate-limit ICMP unreachable messages (Linux defaults to about one per second), which is why scanning many UDP ports is slow. Attackers look for exactly these services, so it is worth scanning your own UDP ports regularly and closing what is not needed.


Idle Scan

The idle scan (-sI) is the stealthiest option. It bounces the scan off a third "zombie" host: Nmap spoofs SYN packets with the zombie's source address towards the target, then probes the zombie and watches how its IP ID counter advances to infer whether the target answered the zombie with a SYN/ACK (port open) or a RST (port closed). The target only ever sees packets from the zombie, so its logs and firewall alerts point at the zombie rather than at the scanning machine. The practical difficulty is finding a suitable zombie: an idle host with a predictable, incrementing IP ID sequence. Nmap's ipidseq NSE script can test candidates.


Ping Sweep

Finding live hosts first narrows everything that follows. A ping sweep (-sn, still accepted under its old name -sP) runs host discovery only and skips the port scan. Despite the name it is not limited to ICMP echo requests: as root Nmap sends an ICMP echo, a TCP SYN to port 443, a TCP ACK to port 80 and an ICMP timestamp request, and as an unprivileged user it falls back to connect attempts to ports 80 and 443, so hosts that block ping are often still found. It is fast, and the results can be written in normal, grepable or XML form with -oN, -oG and -oX for the next stage.



Nmap Installation

Nmap is pretty easy to use and is already available on most Linux/Unix distributions. If you notice that you do not have Nmap installed then you can install Nmap using the following commands

For Ubuntu/Debian

sudo apt-get install nmap 

For Fedora/Centos

sudo dnf install nmap

Check that nmap is properly installed:

nmap --version

Now that Nmap is installed we can get our hands dirty with some reconnaissance. Keep in mind that everything Nmap does is active: it sends packets to the target, so use it only against hosts you are authorised to scan.


Using Nmap for Network Reconnaissance

Basic Nmap scan against a host

The simplest scan is nmap followed by a hostname or IP address. With no other options Nmap runs host discovery, then scans the 1,000 most common TCP ports (a SYN scan as root, a connect scan otherwise) and reports each port as open, closed or filtered.

You can find the IP address of a target domain with nslookup (or dig) before scanning it. This is also a good moment to confirm that the address really belongs to the organisation you are authorised to test, since a domain can resolve to a CDN or hosting provider that is not in scope.


Ping Sweep

nmap -sn

-sn (the old spelling -sP still works) tells Nmap to do host discovery only and skip the port scan. Run against a local /24 it found two live hosts in a couple of seconds. It works the same way against remote ranges, but there the discovery probes may be filtered, so a host that does not show up is not necessarily down; -Pn (scan every address as if it were up) is the fallback when you suspect that.

You can also leave out hosts you have already discovered, or hosts that must not be touched at all, with --exclude, which takes a comma-separated list of hosts or ranges (use --excludefile for a file with one entry per line). Excluded hosts are skipped even if they fall inside the target range:

nmap -sn --exclude
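The next step after a sweep is usually to turn its output into the target list for a deeper scan, and to keep the hosts that must not be touched out of it. The script below is an added example (not part of the original article) that parses the grepable output of a ping sweep, lists the hosts Nmap marked as up, and builds the follow-up port scan command with the --exclude list in the comma-separated form Nmap expects. The SAMPLE_SWEEP text, the addresses, the hostnames and the DO_NOT_SCAN list are constructed assumptions standing in for a real sweep.gnmap file.

```shell
#!/bin/sh
# Added example, not from the original article: parse the grepable (-oG)
# output of an Nmap ping sweep and build the next scan command from it.
# The real sweep would be:   nmap -sn 192.168.1.0/24 -oG sweep.gnmap
# SAMPLE_SWEEP is a constructed stand-in for sweep.gnmap; the addresses and
# hostnames are assumptions, not real scan results.

TAB=$(printf '\t')
SAMPLE_SWEEP=$(printf '%s\n' \
  '# Nmap 7.94 scan initiated as: nmap -sn -oG sweep.gnmap 192.168.1.0/24' \
  "Host: 192.168.1.1 (router.lan)${TAB}Status: Up" \
  "Host: 192.168.1.10 ()${TAB}Status: Up" \
  "Host: 192.168.1.20 ()${TAB}Status: Down" \
  "Host: 192.168.1.42 (nas.lan)${TAB}Status: Up" \
  '# Nmap done -- 256 IP addresses (3 hosts up) scanned in 5.01 seconds')

# Hosts that must never be scanned in this (assumed) engagement, e.g. the
# gateway and a printer that crashes when probed. Space separated here.
DO_NOT_SCAN="192.168.1.1 192.168.1.254"

# live_hosts: read grepable output on stdin and print one address per line
# for every host Nmap reported as "Up". Comment lines start with '#' and
# never match the "Host:" anchor, so they drop out automatically.
live_hosts() {
    grep 'Status: Up' | sed -n 's/^Host: \([^ ]*\) .*/\1/p'
}

# exclude_list: join addresses from stdin into the comma separated form that
# --exclude expects, without a trailing comma.
exclude_list() {
    tr '\n' ',' | sed 's/,$//'
}

# next_scan_cmd: the SYN scan of all 65535 ports on the live hosts, with the
# forbidden hosts excluded. Nmap honours --exclude even for hosts that are
# also listed explicitly as targets. The command is printed, not executed,
# so this script runs anywhere; pipe it to sh when you want to run it.
next_scan_cmd() {
    targets=$(live_hosts | tr '\n' ' ' | sed 's/ $//')
    excl=$(printf '%s\n' $DO_NOT_SCAN | exclude_list)
    echo "nmap -sS -p- --exclude $excl -oG ports.gnmap $targets"
}

printf '%s\n' "$SAMPLE_SWEEP" | live_hosts
printf '%s\n' "$SAMPLE_SWEEP" | next_scan_cmd
```

In a real run replace the printf of SAMPLE_SWEEP with `cat sweep.gnmap`. Grepable output is fine for one-line-per-host data like this; for anything with nested structure (NSE script output, version strings) prefer -oX and an XML parser.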


Scan specific ports

You can use -p option to scan range of ports against a remote or local host by using the following command:

nmap -p 1-10000

To scan every port use -p- (all 65,535).

You can also limit the scan to the N most common ports with --top-ports. Note that the default scan already covers the top 1,000 ports, so --top-ports 1000 is the same as a plain nmap run; for a quick first pass use a smaller number, or -F, which scans the top 100:

nmap --top-ports 1000


TCP and UDP Scan

You can perform a TCP connect scan with -sT. It works without root privileges, but it completes a full connection to every port it tests, so expect it to show up in the target's application logs:

nmap -sT

UDP services are scanned with -sU. It needs root privileges (Nmap has to read the ICMP replies) and is slow for the reasons given above, so it is usually combined with a short port list, for example -p 53,123,161. It can be combined with a SYN scan in the same run (-sS -sU):

nmap -sU


OS & Services Detection

One of the best features of Nmap is OS detection (-O). Nmap sends a series of TCP, UDP and ICMP probes to the remote host and examines practically every bit of the responses (TCP window sizes, option ordering, initial TTL, IP ID behaviour and more), then matches the resulting fingerprint against its nmap-os-db database. It needs root privileges because it crafts raw packets, and it is most reliable when the target has at least one open and one closed TCP port.

nmap -A -T3

-A is the aggressive option: it turns on OS detection (-O), version detection (-sV), the default NSE scripts (-sC) and traceroute in one go. It is a convenient all-in-one profile but also the loudest. Use -O alone if you only want the OS guess.

-T3 is the default timing template, so the command above is the same as nmap -A. The templates run from -T0 (paranoid) to -T5 (insane). -T4 is reasonable on a fast local network; the lower templates spread the same packets over a longer time, which is what you want when you need to stay under rate-based alerting. A higher template does not send less traffic, it only sends it faster.


Standard Service Detection

You can also scan only the services using the command below

nmap -sV

Version detection sends a series of probes to every open port and matches the banners against nmap-service-probes. You can control how many probes it sends with --version-intensity. The scale runs from 0 to 9 and the default is 7, so the value 5 below actually makes the scan lighter and faster; 9 (also --version-all) tries every probe against every port, and 2 (--version-light) is the quick setting:

nmap -sV --version-intensity 5

Raising the intensity generates more traffic to every open port, which should never be the aim of reconnaissance. Do not run version detection against external networks without prior permission; depending on the country and state you live in, unauthorised scanning can have legal consequences.
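A version scan is only useful once its results are in a form you can act on, for example a list of every host running a given service so that a follow-up check or NSE script is aimed only at them. The script below is an added example (not part of the original article) that parses the grepable output of an nmap -sV run into a tab-separated inventory of open ports and lets you query it by service name. The SAMPLE_SCAN text and every host, port and version string in it are constructed assumptions standing in for a real scan.gnmap file; note that it deliberately does not count a UDP port reported as open|filtered as open.

```shell
#!/bin/sh
# Added example, not from the original article: turn the grepable (-oG)
# output of a version scan into a service inventory of open ports.
# The real scan would be:   nmap -sV -oG scan.gnmap 192.168.1.10 192.168.1.42
# SAMPLE_SCAN is a constructed stand-in for scan.gnmap; hosts, ports and
# version strings are assumptions, not real results.

TAB=$(printf '\t')
SAMPLE_SCAN=$(printf '%s\n' \
  '# Nmap 7.94 scan initiated as: nmap -sV -oG scan.gnmap 192.168.1.10 192.168.1.42' \
  "Host: 192.168.1.10 ()${TAB}Ports: 22/open/tcp//ssh//OpenSSH 8.9p1 Ubuntu 3ubuntu0.1/, 80/open/tcp//http//nginx 1.18.0/, 139/filtered/tcp//netbios-ssn///${TAB}Ignored State: closed (997)" \
  "Host: 192.168.1.42 (nas.lan)${TAB}Ports: 445/open/tcp//microsoft-ds//Samba smbd 4.6.2/, 161/open|filtered/udp//snmp///${TAB}Ignored State: closed (998)" \
  '# Nmap done -- 2 IP addresses (2 hosts up) scanned in 12.30 seconds')

# open_services: read grepable output on stdin and print one tab separated
# line per open port:   host  port/proto  service  version
# Each entry in the "Ports:" field has the layout
#   port/state/protocol/owner/service/rpcinfo/version/
# and entries are separated by ", ". Only state "open" is kept, so a UDP
# "open|filtered" result (which may just be a dropped packet) is left out.
# A version string that itself contains ", " would break the split; use
# -oX and an XML parser when that matters.
open_services() {
    awk -F"$TAB" '
        /^Host:/ && /Ports:/ {
            split($1, h, " "); host = h[2]
            for (i = 2; i <= NF; i++)
                if ($i ~ /^Ports: /) ports = substr($i, 8)
            n = split(ports, p, /, /)
            for (j = 1; j <= n; j++) {
                split(p[j], f, "/")
                if (f[2] == "open")
                    printf "%s\t%s/%s\t%s\t%s\n", host, f[1], f[3], f[5], f[7]
            }
        }'
}

# hosts_running SERVICE: addresses that expose the named service, e.g. "ssh",
# for feeding a targeted follow-up scan or NSE script.
hosts_running() {
    open_services | awk -F"$TAB" -v svc="$1" '$3 == svc { print $1 }'
}

printf '%s\n' "$SAMPLE_SCAN" | open_services
printf '%s\n' "$SAMPLE_SCAN" | hosts_running ssh
```

Run it on a real file with `cat scan.gnmap | open_services`. The version column is what you feed into a CVE lookup, so keep the scan that produced it: the same host scanned at a lower --version-intensity can come back with an empty version field and look clean when it is not.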


Disabling DNS Name Resolution

Nmap performs reverse DNS resolution on every host it finds. This adds a little to the scan time and also sends a lookup to your DNS server for every address scanned, which is itself a trace of the scan. You can disable it with -n (or force it for every address, including ones that appear down, with -R):

nmap -n

Do not confuse -n with -Pn. -Pn skips host discovery and treats every address as up; it is useful when a firewall drops the discovery probes, but it makes scans of large ranges much slower because every address gets a full port scan.


CVE Detection

One of the nmap's best features every sysadmin and pentester love is Nmap Scripting Engine called NSE. This scripting engine allows users to use pre-defined scripts or write their own scripts using Lua programming language.

Nmap scripts can be used to automate vulnerability checks as part of an organisation's periodic scans. Scripts are grouped into categories (safe, default, discovery, version, vuln, exploit, dos, brute, intrusive and others) that can be selected by name or combined with and, or and not. For example, to run every script in the vuln category against your target:

nmap --script vuln

Most vuln scripts need the service and version information, so pair this with -sV. The category mixes harmless version checks with intrusive probes; nmap --script-help vuln lists each script and what it does, which is worth reading before pointing it at production systems.

The exploit category goes one step further: its scripts do not only report a weakness, they attempt to exploit it, and some leave the service in a broken state. Whether a host is actually exploitable is something you verify with an explicit, agreed test, not something to discover by accident during a recon run:

nmap --script exploit

Finding if a Host is Vulnerable to DOS

Nmap can also test whether a host is vulnerable to denial-of-service conditions, but the dos category does this by actually triggering them, so a positive result usually means the service has just crashed or hung. Use it only against test systems or with explicit agreement that the host may go down. The -Pn makes the scripts run even when the host does not answer the discovery probes:

nmap --script dos -Pn


Bruteforce Attacks

Nmap also ships a large set of brute-force scripts such as http-brute, snmp-brute, oracle-brute and ssh-brute. They try credentials from Nmap's built-in username and password lists, or from lists you supply with --script-args userdb=... and passdb=.... Running the whole category tries every applicable service on the host:

nmap --script brute -Pn

This is noisy, it will lock accounts on systems that enforce a lockout policy, and it is an attack rather than reconnaissance. Do not brute-force an organisation's systems without explicit authorisation, or you may face legal consequences.
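The vuln, exploit, dos and brute sections above all come back to the same point: these categories must only ever run against hosts you are authorised to test. The script below is an added example (not part of the original article) of a small scope gate around them: it checks an IPv4 address against the engagement's authorised CIDR ranges in plain shell arithmetic and only then prints an nmap command whose script expression keeps the vuln checks but excludes the dos, exploit and brute categories. The SCOPE ranges, the target addresses and the output file name are constructed assumptions; the --script expression uses Nmap's own boolean category syntax.

```shell
#!/bin/sh
# Added example, not from the original article: a scope gate around the
# intrusive NSE categories. The wrapper refuses to build a command for any
# address outside SCOPE, so a typo cannot send exploit or brute scripts at
# a host that is not part of the engagement.
# SCOPE and the addresses used below are constructed assumptions.

# Authorised ranges for this (hypothetical) engagement, space separated.
SCOPE="192.168.1.0/24 10.10.0.0/16"

# ip_to_int: pack a dotted-quad IPv4 address into a single integer.
ip_to_int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr IP CIDR: succeed when IP lies inside CIDR. A bare address is
# treated as /32. Relies on 64-bit shell arithmetic (dash and bash have it).
in_cidr() {
    case $2 in */*) ;; *) set -- "$1" "$2/32" ;; esac
    net=${2%/*}
    bits=${2#*/}
    case $bits in ''|*[!0-9]*) return 2 ;; esac
    [ "$bits" -le 32 ] || return 2
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# in_scope IP: succeed when IP is inside any range listed in SCOPE.
in_scope() {
    for range in $SCOPE; do
        in_cidr "$1" "$range" && return 0
    done
    return 1
}

# nse_scan_cmd IP: print the nmap command for IP, or fail when the address
# is out of scope. The script expression keeps the vuln checks but leaves
# out dos, exploit and brute, which crash services or try credentials;
# those belong in a separate, explicitly approved run. -sV is included
# because most vuln scripts key off the detected service version.
nse_scan_cmd() {
    if ! in_scope "$1"; then
        echo "refusing: $1 is outside the authorised scope ($SCOPE)" >&2
        return 1
    fi
    echo "nmap -sV --script \"vuln and not (dos or exploit or brute)\" -oX nse-$1.xml $1"
}

nse_scan_cmd 192.168.1.42
nse_scan_cmd 172.16.0.9 || echo "(blocked as expected)"
```

The gate is deliberately on the address Nmap will actually probe, not on a hostname: resolve first (nslookup or dig, as earlier in the article) and feed the resulting IP through in_scope, otherwise a name that quietly resolves to a third party's CDN passes the check. Extend SCOPE to a file read with -iL semantics if the engagement has more than a handful of ranges.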


Further Reading

30 nmap command examples in Linux [Cheat Sheet]
man page for nmap



In this article we have looked at how Nmap can be used for network reconnaissance. Nmap is a very powerful tool that can be used for good and for bad, so make sure you only scan networks you are authorised to scan. If you are not into the command line, look at Zenmap, the GUI front-end to Nmap, which many security professionals use and which shows the exact nmap command it runs for each profile. If you are just getting started in security, check out our other articles on Ethical Hacking. Please let us know in the comments if you run into problems with the commands above.

