Termux Nmap: Complete Guide
Nmap (Network Mapper) is a powerful open-source tool for network scanning, security auditing, and vulnerability detection. In Termux (Android terminal emulator), Nmap can be installed and used to scan networks, discover hosts, detect open ports, and analyze services.
1. Installing Nmap in Termux
Before using Nmap, install it in Termux:
pkg update && pkg upgrade
pkg install nmap
Verify installation:
nmap --version
2. Basic Nmap Commands in Termux
A. Scan a Single IP
nmap 192.168.1.1
Scans the target IP for open ports and services.
B. Scan a Hostname
nmap example.com
Resolves the domain and scans its IP.
C. Scan Multiple Targets
nmap 192.168.1.1 192.168.1.2
Scans multiple IPs.
D. Scan a Range of IPs
nmap 192.168.1.1-100
Scans IPs from 192.168.1.1 to 192.168.1.100.
E. Fast Scan (Only Top 100 Ports)
nmap -F 192.168.1.1
Faster scan but less thorough.
F. Full Port Scan (All 65535 Ports)
nmap -p- 192.168.1.1
Takes longer but checks every possible port.
G. Detect OS and Services
nmap -A 192.168.1.1
Aggressive scan: OS detection, service version, and script scanning.
H. Scan Using TCP SYN (Stealth Scan)
nmap -sS 192.168.1.1
Doesn't complete the TCP handshake (less likely to be logged).
I. UDP Port Scan
nmap -sU 192.168.1.1
Scans UDP ports (slower than TCP).
J. Save Scan Results to a File
nmap -oN scan.txt 192.168.1.1
Saves output to scan.txt.
3. Advanced Nmap Commands
A. Nmap Scripting Engine (NSE)
Nmap has built-in scripts for advanced scanning:
nmap --script=http-title 192.168.1.1
Runs a specific script (http-title in this case).
B. Vulnerability Scanning
nmap --script=vuln 192.168.1.1
Checks for known vulnerabilities.
C. Bypass Firewalls (Fragmentation)
nmap -f 192.168.1.1
Splits packets to evade detection.
D. Timing Options (Speed Control)
nmap -T4 192.168.1.1
-T0 (Paranoid, slowest) to -T5 (Insane, fastest).
4. Limitations of Nmap in Termux
Root Access Required for Some Scans
Some scans (-sS, -O) require root. Use:
sudo nmap -sS 192.168.1.1
(Termux may not have sudo; use tsu if rooted.)
No Raw Packet Support in Non-Root Mode
Without root, Nmap uses TCP connect scan (-sT), which is slower and detectable.
Limited Performance on Android
Android devices are slower than PCs for intensive scans.
Wi-Fi Restrictions
Some networks block scanning; mobile data may not allow LAN scans.
Legal & Ethical Concerns
Scanning networks without permission is illegal in many countries.
1. OS Detection Without Root (Workarounds)
Since you don't have root, Nmap will fall back to TCP Connect Scan (-sT) instead of SYN Stealth Scan (-sS), which limits OS detection accuracy.
A. Basic OS Guess (Less Accurate)
nmap -O --osscan-guess <target_IP>
--osscan-guess tries to estimate the OS based on available data (not as reliable as root scans).
Example:
nmap -O --osscan-guess 192.168.1.1
B. Service Version Detection (Indirect OS Guess)
Since OS detection is unreliable without root, you can check service versions to infer the OS:
nmap -sV <target_IP>
Example:
nmap -sV 192.168.1.1
If you see services like Windows RPC, SMB, or Linux SSH versions, you can guess the OS.
C. Using NSE Scripts for OS Clues
Some Nmap scripts can hint at the OS without raw packet access:
nmap --script=smb-os-discovery <target_IP>   # For Windows
nmap --script=ssh2-enum-algos <target_IP>    # For Linux SSH
Example:
nmap --script=smb-os-discovery 192.168.1.1
2. Why OS Detection Fails Without Root?
Raw packet access is needed for precise OS fingerprinting (-O).
TCP Connect Scan (-sT) is used instead, which is noisier and less accurate.
Many networks block ICMP and unusual probes, making OS detection harder.
3. Best Alternative: Use Service Banners
Since OS detection is unreliable without root, check service banners:
nmap -sV -A <target_IP>
Example:
nmap -sV -A 192.168.1.1
Look for clues like:
Windows: SMB, MSRPC, IIS, NetBIOS
Linux: OpenSSH, Apache, Nginx, Postfix
4. Conclusion
Method | Command | Accuracy
---|---|---
OS Guess (No Root) | nmap -O --osscan-guess | Low
Service Version Scan | nmap -sV | Medium
NSE Scripts | nmap --script=smb-os-discovery | Medium (if services are found)
Since full OS detection requires root, your best bet is to analyze services (-sV) and use NSE scripts to make educated guesses.
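Added example, not part of the original post: a small Python helper that applies the service-banner clues listed above to nmap -sV output saved with -oN, so a saved scan of your own network can be classified offline. The keyword lists are the page's; the port-line regex, the one-point-per-port scoring and the sample scan text are my own constructed assumptions.

```python
import re

# Service/product keywords the page lists as OS clues, grouped by family.
OS_CLUES = {
    "Windows": ("microsoft-ds", "netbios", "msrpc", "smb", "iis"),
    "Linux": ("openssh", "apache", "nginx", "postfix"),
}

# One port line of nmap normal (-oN) output, e.g.
#   22/tcp  open  ssh  OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 (Ubuntu Linux; protocol 2.0)
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)\s*(?P<version>.*)$"
)

def parse_ports(output):
    """Return a dict per *open* port line found in nmap -oN text."""
    ports = []
    for line in output.splitlines():
        m = PORT_LINE.match(line.strip())
        if m and m.group("state") == "open":
            ports.append(m.groupdict())
    return ports

def guess_os(ports):
    """Score each OS family by open ports whose service/version carries a clue keyword.
    Returns (family, score), or ("Unknown", 0) when nothing matched: this is the
    medium-accuracy banner guess the page describes, not real fingerprinting."""
    scores = {family: 0 for family in OS_CLUES}
    for p in ports:
        haystack = (p["service"] + " " + p["version"]).lower()
        for family, keywords in OS_CLUES.items():
            if any(k in haystack for k in keywords):
                scores[family] += 1
    family, score = max(scores.items(), key=lambda kv: kv[1])
    return (family, score) if score else ("Unknown", 0)

# Constructed sample of nmap -sV normal output (not a real scan result).
SAMPLE_SCAN = """\
Nmap scan report for 192.168.1.1
PORT     STATE    SERVICE       VERSION
22/tcp   open     ssh           OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 (Ubuntu Linux; protocol 2.0)
80/tcp   open     http          nginx 1.18.0
445/tcp  filtered microsoft-ds
"""

if __name__ == "__main__":
    print(guess_os(parse_ports(SAMPLE_SCAN)))  # ('Linux', 2)
```

For a real run, save the scan with `nmap -sV -oN scan.txt <target_IP>` and pass the file's contents to parse_ports in place of SAMPLE_SCAN.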
5. Best Practices
Use VPN or Proxy to hide your IP.
Avoid Aggressive Scans (-A) on unknown networks.
Check Legal Compliance before scanning.
Conclusion
Nmap in Termux is a powerful tool for network analysis, but it has limitations due to Android’s restrictions. Use it responsibly and ethically.