Nmap: A Comprehensive Guide to Scan Vulnerabilities

To be able to gain complete control of the system to even break the password of the computer so as you can see right here on the left side we have the hacker computer all right so this is hacker and what the hacker want to do is then to be able to first scan and then loose down all of those services for example do they have a file transfer protocol server do they have a secure shell being opened up do they have a website running so that we can take advantage of those weaknesses within it and so on and so forth and once we’re able to list down all of this we can get the version and then from there we can determine all right what are the different attack methods that we can go after so right here this is the place where we’ll be thinking and deciding about what are the different types of attack methods that we can use then after which we can launch a target against say the website okay launch an attack against into the ftp server into secure shell whichever the case is once we have uncovered exploit to use and once we’re in right here into the system right what we want to do then is to elevate our privileges so that from a normal user we now have the ability to get root access meaning that we can literally do anything we want with the device.


The first thing  you want to do is go ahead and open up terminal and once you’re on terminal what you want to do right here is to have the ability to begin scanning the device or the server or the system however you want to call it so the first thing you want to do is enter nmap.


Nmap is a free, open-source program for network discovery and security audits. In a nutshell, it’s a program that may assist you with port scanning, network inventory, and identifying vulnerabilities from various sources.

Nmap can swiftly scan a single target or a wide network, providing vital information on the network’s open ports, hosts, services, and operating systems. This enables you to study the data and inform your efforts, whether you’re searching for an avenue of attack for more penetration testing or locations to strengthen your defenses.


What is Nmap’s Scripting Engine?

Another useful feature of Nmap is the ability to perform scans using different scripts to automate your efforts or tailor security audits to your specific requirements. You may use these scripts to extend Nmap’s adaptability and usefulness using its native Nmap Scripting Engine (NSE).

The NSE includes a huge number of scripts by default. Many of these scripts are built and maintained by security professionals, who update them as vulnerabilities and exploits emerge. Before you begin each session, use the command (this needs if you are not in the root account).


Basic Scanning

Before we delve too far into this section, we’ll go over the Nmap command arguments.

An Nmap command consists of three elements:

Nmap Command Structure

Scan sort – This specifies the sort of scan Nmap will execute, for as -sS for a TCP SYN scan, -sU for a UDP scan, or -sn for a ping scan.

Options – This allows you to specify extra scan parameters such as -O for operating system, -p for port range, and -A for detailed information.

Target – The target might be a single IP address, a range of IP addresses, or a domain.

These instructions might be difficult to remember. Our Nmap Cheat Sheet has all of the commands, flags, and switches.


A well-crafted scan is said to be the cornerstone of searching for vulnerabilities using Nmap. The results of this sort of scan will show which ports are open and what services are operating on them.

The command to do such a scan is >.

This command instructs Nmap to scan all ports with the -p flag and deliver comprehensive information about the target host with the -A flag. These findings may then be utilized to discover possible security threats and vulnerabilities on the target host.


Scanning for vulnerabilities

As you can see above, even a simple scan yields important information about a network that may help you comprehend the network environment you’re examining. Scanning for ports is merely one of Nmap’s functions, but it is vital for hackers since a port is a communication endpoint that allows two devices to exchange information.

Each port is identified by a number, which corresponds to the services or protocols that execute on it. Understanding common port numbers is a useful topic for both hackers and cyber security experts.

Okay, we understand how Nmap scans for ports and how each port identifies a service or protocol. So, how does this benefit us?


Using Vuln.

As previously stated, Nmap includes a plethora of options that may be used to create a command tailored to your specific requirements. But what if you’re not certain which vulnerability set you’re looking for? Or what if you want to start with a broad overview and then go into a specific aspect that interests you?

Here is when the <–script vuln> comes into play. It instructs Nmap to execute all of the detection scripts found in the NSE against the target host. These vulnerability scripts are then ran, returning all known vulnerabilities that are associated with a running service as well as extensive information on each vulnerability.

You may also look at the references provided in the findings for each found vulnerability for a greater understanding of what it is and how it may be used or remediated.



Sometimes you don’t want to know about all vulnerabilities, especially those with low CVSS ratings.

You may use the argument <–script-args=mincvss=X.X> to only display vulnerabilities with a specific score or above.

The full command would look like this.



Using Vulners

The <–script vulners> option is a helpful tool for vulnerability scanning. Remember that this script is pre-installed with Nmap, so there is no setup required to begin using it.

To use this flag, make sure you use the <-sV> flag to have Nmap try to determine the version of the service running on each port. Otherwise, it is carried out in the same manner as the vuln scan you just completed.

The vulners script is amazing since it is designed to be run in a very simple manner. The fundamental command for executing this is:

Nmap -sV –script vulners .

Using VulnScan

The final vulnerability scan we will show is vulscan. This script improves Nmap’s capability by pulling vulnerability databases from a variety of sources, including NVD, CVE, and OVAL.

Vulscan runs the scan by examining the target’s banners and service versions. It is simply a bespoke Nmap scan that uses important, reliable sources to look for vulnerabilities.

One significant advantage of vulscan over programs like vulners is that the vulnerability databases are downloaded to your device rather being accessed online (like in vulners). This allows you to execute scans on a local network even when offline.


If you do not have root rights, use to run the git command.

Because this script is not included in Nmap, the databases will not be updated when you use the command mentioned at the start of this post. To update the vulscan database, use two instructions.

To begin, grant yourself permission to the file: .

To update the database, run the following command from the vulscan folder.




While this scan did not find any vulnerabilities for port 21 on our instance, you can observe how the findings are presented iteratively as vulscan analyzes each vulnerability database. This makes the organization easier to navigate and brings you to information about the vulnerability.


As you may have realized, these scans may reveal a wealth of information about your target host. While it is feasible to read and refer to this information directly from the terminal printout, it is not always convenient.

Can you simply pipe the results to a file, like any other terminal command? Yes.

However, Nmap has previously considered this and provides a more elegant solution that remains within the original command.


The beautiful thing about utilizing Nmap’s flags is that the results are automatically printed to the terminal without the need for any further instructions.

You may use many flags to specify different output choices, but one handy option is to save it as an XML file that can be used in another application. To accomplish this, just use the <-oX> option followed by the filename.

The full command would look like this.

{nmap –script vuln -oX file.xml >

To make it even more beautiful for simple reading by humans, add the –webxml parameter, like follows:

{nmap –script vuln -webxml -oX file.xml >

This results in an easy-to-read format that can be opened in your browser. Much better, correct?





nmap is going to be the tool that we’ll use to help us scan the target device so here when you enter nmap you can see all the options are available for us to scan the device to look out for all the services so literally like knocking door on the house trying to scan a house looking out for openings that we can then of course be able to jump into the house and take out for example the cash and the valuables and the jewelries right, so this is exactly what we’ll be doing as part of launching the attack so the first thing you want to do is to scan the ip address all the hostname all the domain name the goal is that now you have a target in mind so you can enter for example the following which is nmap and what we want to do now is to enter say 1i2 168.00114


this is going to be target device that we’re going after so in this case i can enter dash as follow by v so this is for the service version that we’re going after dash capital o for the operating system version so we want to know whether it is a linux what version of linux is it if it is a windows computer what version of windows computer is it running on, and then after which we want to target the ports.


Ports are the services that can be made available from the target device so in this case we can target say from port one all the way to six five five three five so once you’re done with that hit enter and of course we asked to enter superuser do all right because it requires root privileges so enter on that enter your password hit enter and now we’re scanning the device to look up for all these different services that are running on the server and now the scan is completed so right here you can see the following all right we have all this different port numbers all right followed by the protocol so in this case there could be protocols like transmission control protocol and the state is of course open and you can see at the same time what kind of service is it running on is it a file transfer protocol secure shell all right http ipp and all of that all right so all of their services as well as the version on the most right side so this is a really wonderful way to quickly identify all right all of these different services all of the different versions and once you have the version you can then determine what kind of export you want to use to go after all these different type of services so that you can have access into the system and for today’s case we will be targeting on apigee and so you can see right here we have http 2.4.7 so we’ll be targeting the following so as part of targeted device all we got to do is just go ahead and enter the domain name of the ip address here and you can see right here this is the directory listing so you can see all of the directories the files within it so you can always click around to do your enumeration and find out right what is going on so this is a really quick way for you to look out for all these different ways and all these different services that can be helped fd for example in this case the apogee the web server level and what we can do next is jump over to use a tool called dirb so this is a way for us to be able to look out for all the different directories that is held by the server so that we can possibly look out for some of these openings which can give us an access into the server okay so here you can see the following all right all these are different options available and you can just simply enter the following all right so here we go all these examples the irb followed by the protocol of course in this case http and of course you have the url and of course a targeted directory so all you got to do now is enter dirb okay let me go ahead and clear this enter d-i-r-b for my http and once you’re done with that go ahead and hit enter, then  scroll all the way back to the top and look up for any interesting results                                                               and


To gain complete control of a system and break into the computer password, a hacker first needs to scan for open services such as FTP, secure shell, and websites. Once identified, the hacker can determine attack methods and launch targeted attacks, aiming to elevate privileges to gain root access. Using the tool nmap, the hacker would scan the target device’s IP address for service and operating system versions and target available ports. The following step involves using a tool called dirb to search for directories and files within the server. The hacker can leverage the common gateway interface (cgi bin) for exploiting the system.


In this scenario, the hacker uses the tool Metasploit to search for an exploit to target the server and utilizes a reverse shell to bypass potential firewall restrictions. Upon successful exploitation, the hacker gains access and can proceed to retrieve usernames and passwords. To elevate privileges further, the hacker uploads a file (37292.c) to the server and attempts to execute it, encountering permission issues.


Overall, the process involves scanning for vulnerabilities, targeting open services and ports, exploiting the system, and attempting to elevate privileges. The ultimate goal is to gain complete control of the system.


Remember, these tactics are illegal and unethical and should not be attempted. It is important to use one’s knowledge and skills for ethical and legal purposes.


To explain further, a hacker needs to have a good understanding of networking fundamentals and operating systems to carry out such an attack. They must have the knowledge to scan for vulnerabilities, stealthily exploit them, and evade detection. To achieve this, they may use a variety of tools and techniques, such as brute force attacks, social engineering tactics, and code injection.


Moreover, it is essential to remain up-to-date on the latest exploits and security patches as technology advances rapidly. As software and hardware evolve, new vulnerabilities and potential attack vectors emerge. Thus, it is a never-ending game of cat and mouse between the hackers and security professionals.


It is important to note that such attacks are illegal and unethical. Hacking and breaking into a system without permission are significant cybercrimes that can result in severe consequences, including imprisonment and hefty fines. Therefore, it is essential to use one’s knowledge and skills for ethical and legal purposes only.


In conclusion, understanding how a hacker operates and what their end goal is can help in implementing better security measures for networks and computer systems. Effective cybersecurity measures involve a multilayered approach, such as regular system updates, strong passwords, firewalls, and encryption. By being proactive and vigilant, one can reduce the risk of a successful cyberattack and protect sensitive information.


Get Our Free Book

Cybersecurity essentials for business owners

Subscribe to our SOS|Support newsletter!

Verified by MonsterInsights