Introduction

Nmap is a powerful tool for discovering information about machines on a network or the Internet. It allows you to probe a machine with packets to detect everything from running services and open ports to the operating system and software versions.

Like other security tools, Nmap should not be misused. Only scan networks and machines that you own or have permission to investigate. Probing other machines could be seen as an attack and be illegal.

That said, Nmap can go a long way in helping to secure your own network. It can also help you to ensure that your servers are properly configured and don't have any open and unsecured ports. It will also report if your firewall is correctly filtering ports that should not be externally accessible.

Nmap is installed by default on Kali Linux, so you can just open it up and get started.

Basic Scans

Nmap has fairly intelligent defaults, so you can run a scan without specifying anything but the target. So, why not try it out on a computer on your network? Scanning the computer running Kali isn't going to give you much of anything, so it's best to pick another computer that you own. If you already know the IP of one, awesome. If not, Nmap can find the IP addresses of the computers on your network for you.

Open up a terminal, if you haven't already, and run the following command.
# nmap -sn 192.168.1.0/24
If your home network doesn't use the 192.168.1.X address range, substitute yours. The trailing /24 is CIDR notation telling Nmap to scan the entire 256-address subnet, and -sn tells it to do host discovery only, without port scanning each host it finds.

What you'll see when Nmap finishes is a list of every device that was reachable. Each device will have a name (if applicable), an IP address, and, if you are on the same local network segment, a MAC address with its manufacturer. Using the names and the hardware manufacturers, you should be able to tell what each device on your network is. Pick a computer that you own, and scan it.
# nmap 192.168.1.15
You can just write in the IP of that computer. Nmap will take a few seconds to probe the computer with packets and report back.

The report will be short, but it will contain a list of ports with their state and the service they correspond to. It will also show the MAC address information and the IP again.

Useful Flags

Even though the defaults do give some useful information, and you can tell which ports are open, it would still be nice to get some more data. Nmap has tons of flags that you can set to specify just how you would like it to run. There are far too many to cover in this basic guide, but you can always check out Nmap's detailed man page for more.

-sS

The -sS flag selects a TCP SYN scan, which is Nmap's default scan type when it runs as root (as it does at the # prompt used here). It sends a SYN and reads the reply without completing the TCP handshake, which is why it is also called a half-open scan. Even though it's the default, it's probably a good idea to specify it anyway.

-T

Timing can be important. Not only does the timing of the scan determine how long scanning will take, but it can also be instrumental in triggering or not triggering firewalls and other safeguards on a target system. While Nmap offers more fine-grained timing control, it also provides a set of six pre-built timing schemes with the -T flag. These timings range from 0 through 5, with 0 being the slowest and least invasive and 5 being the fastest and most overt. -T3 is the default timing flag, but many users prefer -T4 to speed up the scan.

-iL

You can use Nmap to scan multiple targets at once. The easiest way is to list them on the command line when you run Nmap.
# nmap -sS -T4 192.168.1.4 192.168.1.35 192.168.1.102
For a small number of targets this works, but it can quickly become cumbersome and isn't all that readily repeatable. The -iL flag imports a list of targets for Nmap to use. This way, you can save targets and repeat scans at a later date.

Before running Nmap, open up your text editor of choice and enter in a couple of the IPs on your network.
$ vim ~/Documents/targets.txt
192.168.1.4
192.168.1.10
192.168.1.35
192.168.1.102
192.168.1.128
Save that file and run Nmap with the -iL flag.
# nmap -sS -T4 -iL /home/user/Documents/targets.txt
Nmap will read through the list and perform a scan on each entry.

-F

By default, Nmap scans the 1000 most commonly used ports on a target machine, which takes time. If you only need to scan the most common ports and want to reduce Nmap's run time, use the -F flag. It tells Nmap to scan only the 100 most commonly used ports instead of the usual 1000.
# nmap -sS -T4 -F 192.168.1.105

-O

If you would like information on the operating system being run on the target machine, you can add the -O flag to tell Nmap to probe for operating system information as well. Nmap is not super accurate when it comes to operating system information, but it usually gets very close.
# nmap -sS -T4 -O 192.168.1.105

--open

If you are only looking for which ports are open on a specific machine, you can tell Nmap to only look for open ports with the --open flag.
# nmap -sS -T4 --open 192.168.1.105

-sV

Sometimes, it's useful to know what software, and which versions of that software, a machine is running. This is especially good for investigating your own servers. It also gives you insight into what server information others can see. Nmap's -sV flag tells it to gather as much detail as possible about the services running on a machine.
# nmap -sS -sV -T4 192.168.1.105

-p

Occasionally, you may only want to scan select ports with Nmap. The -p flag lets you specify exactly which ports Nmap should scan, and Nmap will then scan only those ports on the target machine.
# nmap -sS -T4 -p 25,80,443 192.168.1.105
Nmap will then only scan ports 25, 80, and 443 on the computer at 192.168.1.105.

If you don't know the port number of a common service, you can use the name of the service instead, and Nmap will know to look at the right port.
# nmap -sS -T4 -p http,https,imap 192.168.1.105

-p-

There are many more ports on a computer (65535 for TCP alone) than the 1000 that Nmap scans by default, so some may be missed in a basic scan. If you are seriously concerned about the security of your system, it is worth doing a complete scan of every port. To do this, use the -p- flag.
# nmap -sS -p- 192.168.1.105
This will take a long time, so it should not be done lightly.

-A

By now, you've acquired a lot of flags to use, and stringing them all together gets awkward. Nmap has the -A flag for just this reason. It's sort of the "kitchen sink" flag: it enables OS detection, version detection, default script scanning, and traceroute, telling Nmap to aggressively gather as much information as it can.
# nmap -A 192.168.1.105

Logging Output

It would sure be nice to be able to store the results from Nmap. Well, you can. Nmap has yet another set of flags that let you store output in a variety of formats, which is excellent for long scans like those with the -p- flag. To use Nmap's logging capabilities, pass -oN or -oX along with the name of the file: -oN logs the normal output, and -oX logs the output as XML. By default, Nmap overwrites an existing log of the same name with the new one (--append-output makes it append instead), so be careful not to overwrite anything you don't want to.
# nmap -sS -p- -oN Documents/full-scan.txt 192.168.7.105
You can find the full log in the text file when Nmap completes.

If you want something ridiculous, try the -oS flag instead.
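The real payoff of logging is that saved scans can be compared over time: the -sn sweep from the Basic Scans section gives you an inventory of what is on the network, and a -p- or -sV scan saved with -oX gives you a baseline of what each host exposes. The script below is an added example, not code from this tutorial or from the Nmap project. It parses Nmap's XML output (the nmaprun/host/status/address/ports/port/state/service elements, trimmed of attributes it does not need), prints a host inventory, and reports ports that opened or closed since a baseline scan. The two XML documents embedded in it are constructed samples standing in for files written with -oX; on real scans you would replace them with the contents of those files.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample (not real scan output): a baseline of one host, in the
# shape Nmap writes with "-oX baseline.xml". Unneeded attributes trimmed.
BASELINE_XML = """<nmaprun scanner="nmap" args="nmap -sS -sV -oX baseline.xml 192.168.1.105">
<host><status state="up" reason="arp-response"/>
<address addr="192.168.1.105" addrtype="ipv4"/>
<address addr="00:11:22:33:44:55" addrtype="mac" vendor="Example Vendor"/>
<hostnames><hostname name="fileserver.lan" type="PTR"/></hostnames>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh" product="OpenSSH"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http" product="nginx"/></port>
<port protocol="tcp" portid="443"><state state="open" reason="syn-ack"/><service name="https"/></port>
<port protocol="tcp" portid="3306"><state state="filtered" reason="no-response"/><service name="mysql"/></port>
</ports></host>
</nmaprun>"""

# Constructed sample: the same network a week later, scanned with -iL. On .105,
# 3306 is now open and 80 is closed; .10 is up with nothing open; .106 is down.
CURRENT_XML = """<nmaprun scanner="nmap" args="nmap -sS -sV -oX current.xml -iL targets.txt">
<host><status state="up" reason="arp-response"/>
<address addr="192.168.1.105" addrtype="ipv4"/>
<address addr="00:11:22:33:44:55" addrtype="mac" vendor="Example Vendor"/>
<hostnames><hostname name="fileserver.lan" type="PTR"/></hostnames>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh" product="OpenSSH"/></port>
<port protocol="tcp" portid="80"><state state="closed" reason="reset"/><service name="http"/></port>
<port protocol="tcp" portid="443"><state state="open" reason="syn-ack"/><service name="https"/></port>
<port protocol="tcp" portid="3306"><state state="open" reason="syn-ack"/><service name="mysql" product="MySQL"/></port>
</ports></host>
<host><status state="up" reason="arp-response"/>
<address addr="192.168.1.10" addrtype="ipv4"/>
<address addr="66:77:88:99:aa:bb" addrtype="mac" vendor="Example Vendor"/>
<hostnames/><ports><extraports state="closed" count="1000"/></ports></host>
<host><status state="down" reason="no-response"/>
<address addr="192.168.1.106" addrtype="ipv4"/></host>
</nmaprun>"""


def parse_scan(xml_text):
    """Return {ip: {"hostname", "mac", "vendor", "open_ports"}} for every host
    Nmap reported as up. open_ports maps (protocol, port) to the service name."""
    hosts = {}
    for host in ET.fromstring(xml_text).findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # hosts that never answered host discovery carry no data
        info = {"hostname": None, "mac": None, "vendor": None, "open_ports": {}}
        ip = None
        for addr in host.findall("address"):
            if addr.get("addrtype") in ("ipv4", "ipv6"):
                ip = addr.get("addr")
            elif addr.get("addrtype") == "mac":  # only present on the local segment
                info["mac"], info["vendor"] = addr.get("addr"), addr.get("vendor")
        if ip is None:
            continue
        name = host.find("hostnames/hostname")
        if name is not None:
            info["hostname"] = name.get("name")
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed and filtered ports are not exposure
            service = port.find("service")
            svc = service.get("name", "unknown") if service is not None else "unknown"
            info["open_ports"][(port.get("protocol"), int(port.get("portid")))] = svc
        hosts[ip] = info
    return hosts


def inventory_lines(scan):
    """One summary line per live host, the way you would read a -sn sweep."""
    lines = []
    for ip in sorted(scan, key=ipaddress.ip_address):
        info = scan[ip]
        hw = f"{info['mac']} ({info['vendor']})" if info["mac"] else "-"
        ports = ", ".join(f"{p}/{proto} {svc}"
                          for (proto, p), svc in sorted(info["open_ports"].items()))
        lines.append(f"{ip:<16} {info['hostname'] or '-':<16} {hw:<36} {ports or 'no open ports'}")
    return lines


def diff_open_ports(baseline, current):
    """Ports that opened or closed since the baseline, per host. Anything listed
    here is a configuration change that should have an explanation."""
    changes = {}
    for ip in set(baseline) | set(current):
        before = set(baseline.get(ip, {}).get("open_ports", {}))
        after = set(current.get(ip, {}).get("open_ports", {}))
        opened, closed = sorted(after - before), sorted(before - after)
        if opened or closed:
            changes[ip] = {"opened": opened, "closed": closed}
    return changes


if __name__ == "__main__":
    current = parse_scan(CURRENT_XML)
    print("\n".join(inventory_lines(current)))
    for ip, change in diff_open_ports(parse_scan(BASELINE_XML), current).items():
        for proto, port in change["opened"]:
            print(f"NEW  {ip} {port}/{proto} {current[ip]['open_ports'][(proto, port)]}")
        for proto, port in change["closed"]:
            print(f"GONE {ip} {port}/{proto}")
```

Run against the samples, the inventory shows 192.168.1.10 with no open ports and 192.168.1.105 with ssh, https and mysql, and the diff flags 3306/tcp as newly open and 80/tcp as gone; 192.168.1.106 is dropped because its status is down. Only ports in state "open" count, so a port that merely went from filtered to closed does not raise noise. Keeping the baseline XML under version control and re-running this after each scan turns the page's one-off scan into a standing check that no unexpected service has started listening.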

Closing Thoughts

Finally, that's it. Actually, that's not even close, but it's certainly enough for a quick crash course. You can play around with different flags and different combinations of flags to tune Nmap to get the exact output that you want. Just be sure to only do this on your own machines and networks, and you will have an interesting experience that just may save your data.