Kali Linux tools (Zenmap)
What is Zenmap?
Zenmap is the official Nmap Security Scanner GUI. It is a multi-platform (Linux, Windows, Mac OS X, BSD, etc.) free and open source application which aims to make Nmap easy for beginners to use while providing advanced features for experienced Nmap users. Frequently used scans can be saved as profiles to make them easy to run repeatedly. A command creator allows interactive creation of Nmap command lines. Scan results can be saved and viewed later. Saved scan results can be compared with one another to see how they differ. The results of recent scans are stored in a searchable database.
How to download?
You can download Zenmap (often packaged with Nmap itself) from the Nmap download page. Zenmap is quite intuitive, but you can learn more about using it from the Zenmap User’s Guide or check out the Zenmap man page for some quick reference information.
How to launch?
On Linux hosts there are two ways to do it. On Kali Linux and Parrot OS you can find the icon and click it to start, then give it root privileges by entering your password.

The other way is to run it from a terminal:
zenmap-kbx

How to use Zenmap?
To keep the test legal, we will use Zenmap against scanme.nmap.org, the test website for Zenmap.
Nmap can be used for different purposes:
1-Intense scan
Command: nmap -T4 -A -v
Should be reasonably quick, because it scans the most common TCP ports. It makes an effort to determine the OS type and which services and versions are running. This comes from the fairly fast timing template (-T4) and the -A option, which tries to determine services, versions and OS. With verbose output (-v) it also gives us a lot of feedback as Nmap makes progress in the scan.


Zenmap’s “Topology” tab provides an interactive, animated visualization of the connections between hosts on a network. Hosts are shown as nodes on a graph that extends radially from the center. Click and drag to pan the display, and use the controls provided to zoom in and out. Click on a host and it becomes the new center. The graph rearranges itself in a smooth animation to reflect the new view of the network. Run a new scan and every new host and network path will be added to the topology automatically.

2-Intense scan plus UDP
Command: nmap -sS -sU -T4 -A -v
Same as the regular Intense scan, except that we also scan UDP ports (-sU).
The -sS option tells Nmap that it should also scan TCP ports using SYN packets. Because this scan includes UDP ports, this explicit definition of -sS is necessary.

3-Intense scan, all TCP ports
Command: nmap -p 1-65535 -T4 -A -v
Leave no TCP ports unchecked. Normally Nmap scans a list of the 1000 most common ports, but in this example we scan everything from port 1 to 65535 (max). The listing of the 1000 most common ports can be found in the file called nmap-services.

4-Intense scan, no ping
Command: nmap -T4 -A -v -Pn
Just like the other intense scans, except that this one assumes the host is up. Useful if the target is blocking ping requests and you already know the target is up.

5-Ping scan
Command: nmap -sn
Only ping the target; no port scan.

6-Quick scan
Command: nmap -T4 -F
Scan faster than the intense scan by limiting the number of TCP ports scanned to only the top 100 most common TCP ports.

7-Quick scan plus
Command: nmap -sV -T4 -O -F --version-light
Add a little bit of version and OS detection and you get the Quick scan plus.

8-Quick traceroute
Command: nmap -sn --traceroute
Use this option when you need to determine hosts and routers in a network scan. It will traceroute and ping all hosts defined in the target.

9-Regular scan
Command: nmap <domain name> or nmap <IP of domain>
Default everything. This means it will issue a TCP SYN scan for the most common 1000 TCP ports, using ICMP Echo request (ping) for host detection.

10-Slow comprehensive scan
Command: nmap -sS -sU -T4 -A -v -PE -PP -PS80,443 -PA3389 -PU40125 -PY -g 53 --script "default or (discovery and safe)"
This scan has a whole bunch of options in it and may seem daunting to understand at first. It is, however, not so complicated once you take a closer look at the options. The scan can be described as an "Intense scan plus UDP" with some extra features.
It puts a whole lot of effort into host detection, not giving up if the initial ping request fails. It uses three different protocols to detect hosts: TCP, UDP and SCTP.
If a host is detected, it does its best to determine what OS, services and versions the host is running, based on the most common TCP and UDP services. The scan also camouflages itself by using source port 53 (DNS).
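
The source port 53 camouflage mentioned above is something a defender can look for in firewall logs. The following is an added example, not part of the original post: it flags sources that send from port 53 but do not behave like a DNS server. The log lines are constructed in netfilter LOG style, and the function names and the min_ports threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in netfilter LOG style (documentation address ranges).
SAMPLE_LOG = """\
kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=53 DPT=22 SYN
kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=53 DPT=80 SYN
kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=53 DPT=443 SYN
kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=UDP SPT=53 DPT=161
kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=UDP SPT=53 DPT=123
kernel: IN=eth0 SRC=203.0.113.53 DST=192.0.2.10 PROTO=UDP SPT=53 DPT=41822
kernel: IN=eth0 SRC=203.0.113.53 DST=192.0.2.10 PROTO=UDP SPT=53 DPT=50213
kernel: IN=eth0 SRC=203.0.113.53 DST=192.0.2.10 PROTO=TCP SPT=53 DPT=38844 ACK SYN
kernel: IN=eth0 SRC=203.0.113.99 DST=192.0.2.10 PROTO=TCP SPT=44120 DPT=443 SYN
"""

FIELD = re.compile(r"(\w+)=(\S+)")
TCP_FLAGS = {"SYN", "ACK", "RST", "FIN"}

def suspicious(fields, flags):
    """True when a packet claims source port 53 but does not look like a DNS reply."""
    if fields.get("SPT") != "53" or "DPT" not in fields:
        return False
    if fields.get("PROTO") == "TCP":
        # A DNS answer over TCP arrives on an established connection, not as a bare SYN.
        return "SYN" in flags and "ACK" not in flags
    # UDP DNS answers return to the client's ephemeral port, not to a service port.
    return fields.get("PROTO") == "UDP" and int(fields["DPT"]) < 1024

def find_spoofed_dns_scanners(log_text, min_ports=3):
    """Map source IP -> sorted (proto, port) probes for sources hitting >= min_ports ports."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        fields = dict(FIELD.findall(line))
        flags = TCP_FLAGS.intersection(line.split())
        if "SRC" in fields and suspicious(fields, flags):
            hits[fields["SRC"]].add((fields["PROTO"], int(fields["DPT"])))
    return {src: sorted(p) for src, p in hits.items() if len(p) >= min_ports}

if __name__ == "__main__":
    for src, probes in find_spoofed_dns_scanners(SAMPLE_LOG).items():
        print(src, probes)
```

The min_ports threshold keeps a single odd packet from raising an alert; tune it to the volume of your own logs.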
