Mastering Nmap: The Ultimate Network Scanning Guide
A comprehensive guide to Nmap — the world's most powerful network scanner. Learn how to discover hosts, enumerate ports, detect services, and run scripts for ethical security assessments.

Network visibility is the foundation of every solid security posture. You cannot protect what you cannot see — and Nmap (Network Mapper) is the tool the industry has trusted for over two decades to see everything.
Whether you are a network administrator auditing your infrastructure, a penetration tester scoping a target, or a student learning the basics of cybersecurity, Nmap belongs in your toolkit.
⚠️ Legal Disclaimer: Only scan networks and systems you own or have explicit written permission to test. Unauthorized scanning is illegal in most jurisdictions.
What Is Nmap?
Nmap is a free, open-source tool for network discovery and security auditing. It was created by Gordon Lyon (Fyodor) and first released in 1997. Today it is a staple in:
- Penetration testing (its output is consumed directly by tools like Metasploit)
- Network inventory and asset management
- Firewall rule auditing
- Vulnerability detection via the Nmap Scripting Engine (NSE)
Nmap runs on Linux, macOS, and Windows, and ships with a graphical front-end called Zenmap.
Installing Nmap
# Debian / Ubuntu
sudo apt update && sudo apt install nmap -y
# Arch Linux
sudo pacman -S nmap
# macOS (via Homebrew)
brew install nmap
# Windows
# Download the installer from https://nmap.org/download.html
Verify installation:
nmap --version
# Nmap 7.95 ( https://nmap.org )
Understanding Nmap Syntax
Every Nmap command follows a simple pattern:
nmap [Scan Type] [Options] {target}
Targets can be:
- A single IP: 192.168.1.1
- A hostname: example.com
- A CIDR range: 192.168.1.0/24
- A range of IPs: 192.168.1.1-50
- A file of targets: -iL targets.txt
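To make the target syntax concrete, here is an added Python example (not code from the original article or from the Nmap project) that expands each of the specifications above into the addresses Nmap would scan. It goes beyond the list above by also accepting a range in any octet (e.g. 10.0.0-1.1-2) and the `*` wildcard, both of which Nmap supports; the targets.txt content is constructed.

```python
import ipaddress
import itertools


def _octet_values(octet):
    """Values for one octet in Nmap syntax: '5', '1-50', '1-' (1-255), '-50' (0-50) or '*'."""
    if octet == "*":
        return range(256)
    lo, dash, hi = octet.partition("-")
    low = int(lo) if lo else 0
    high = (int(hi) if hi else 255) if dash else low
    if not 0 <= low <= high <= 255:
        raise ValueError(f"bad octet range: {octet!r}")
    return range(low, high + 1)


def _looks_like_octet_range(octet):
    return octet == "*" or (octet not in ("", "-")
                            and all(p == "" or p.isdigit() for p in octet.split("-", 1)))


def expand_target(spec):
    """Expand one Nmap target spec; hostnames are returned as-is (Nmap resolves them)."""
    spec = spec.strip()
    if "/" in spec:
        # CIDR; strict=False accepts host bits set (192.168.1.1/24), as Nmap does
        return [str(ip) for ip in ipaddress.ip_network(spec, strict=False)]
    octets = spec.split(".")
    if len(octets) == 4 and all(_looks_like_octet_range(o) for o in octets):
        return [".".join(map(str, combo))
                for combo in itertools.product(*(_octet_values(o) for o in octets))]
    return [spec]


def expand_target_list(text):
    """Expand the contents of an -iL file: whitespace-separated specs, '#' comments ignored."""
    seen, out = set(), []
    for line in text.splitlines():
        for spec in line.split("#", 1)[0].split():
            for addr in expand_target(spec):
                if addr not in seen:
                    seen.add(addr)
                    out.append(addr)
    return out


# Constructed targets.txt content (not from any real engagement).
SAMPLE_TARGETS = """\
# lab hosts
192.168.1.1 example.com
192.168.1.1-3   # overlaps the first entry; deduplicated
10.0.0-1.1-2
"""
```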
Core Scan Types
1. Default Scan (SYN Scan, -sS)
The most common scan. Sends a SYN packet and waits for a SYN-ACK (open) or RST (closed). Requires root/admin privileges.
sudo nmap 192.168.1.1
2. TCP Connect Scan (-sT)
Used when you don't have raw packet privileges. Completes the full TCP handshake — slower and more detectable.
nmap -sT 192.168.1.1
3. UDP Scan (-sU)
Scans UDP ports. Slower than TCP but critical — services like DNS (53), SNMP (161), and DHCP (67) run over UDP.
sudo nmap -sU 192.168.1.1
4. Ping Scan / Host Discovery (-sn)
Discovers live hosts without scanning ports. Great for mapping a network quickly.
sudo nmap -sn 192.168.1.0/24
5. Aggressive Scan (-A)
Enables OS detection, version detection, script scanning, and traceroute. Noisy but highly informative.
sudo nmap -A 192.168.1.1
Specifying Ports
By default, Nmap scans the 1,000 most common ports. You can customize this:
# Scan a single port
nmap -p 80 192.168.1.1
# Scan a range of ports
nmap -p 1-1000 192.168.1.1
# Scan all 65,535 ports
nmap -p- 192.168.1.1
# Scan specific ports
nmap -p 22,80,443,8080 192.168.1.1
# Top 100 most common ports
nmap --top-ports 100 192.168.1.1
Service and Version Detection
Knowing a port is open is just the start. Use -sV to identify what's actually running:
sudo nmap -sV 192.168.1.1
Example output:
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.9p1 Ubuntu
80/tcp   open  http    Apache httpd 2.4.52
443/tcp  open  https   nginx 1.22.0
3306/tcp open  mysql   MySQL 8.0.32
Adjust detection intensity (0–9) with --version-intensity:
sudo nmap -sV --version-intensity 9 192.168.1.1
OS Detection
Nmap can fingerprint the remote operating system using TCP/IP stack behavior:
sudo nmap -O 192.168.1.1
Combine with version detection for a fuller picture:
sudo nmap -O -sV 192.168.1.1
Output Formats
Saving your results is essential for reporting and further analysis:
# Normal output (human-readable)
nmap -oN scan_results.txt 192.168.1.1
# XML output (for tools like Metasploit)
nmap -oX scan_results.xml 192.168.1.1
# Grepable output
nmap -oG scan_results.gnmap 192.168.1.1
# All formats at once
nmap -oA scan_results 192.168.1.1
Nmap Scripting Engine (NSE)
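The grepable (-oG) format above is the easiest one to post-process without an XML library. The following Python is an added example (not code from the original article or from the Nmap project): it parses a constructed -oG file, keeps only open ports per host, and builds the -p argument for a focused follow-up -sV/-sC scan of that host. The sample scan output is constructed, not a real result.

```python
import re
from collections import defaultdict

# One port entry in -oG output: port/state/proto/owner/service/rpcinfo/version/
_PORT_ENTRY = re.compile(r"(\d+)/([^/]+)/([^/]+)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/")


def parse_gnmap(text):
    """Return {ip: [(port, proto, service, version), ...]} listing open ports only."""
    results = defaultdict(list)
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                      # skip the '# Nmap ...' banner and trailer
        fields = line.split("\t")         # "Host: ip (name)", "Ports: ...", "Ignored State: ..."
        ip = fields[0].split()[1]
        ports = next((f for f in fields if f.startswith("Ports:")), "")
        for port, state, proto, _owner, service, _rpc, version in _PORT_ENTRY.findall(ports):
            if state == "open":           # drops closed, filtered and open|filtered
                results[ip].append((int(port), proto, service, version))
    return dict(results)


def port_spec(entries):
    """Comma-separated -p argument for a follow-up -sV/-sC scan of one host."""
    return ",".join(str(port) for port, *_ in sorted(entries))


# Constructed -oG output in Nmap's grepable layout (tab-separated fields).
SAMPLE_GNMAP = """\
# Nmap 7.95 scan initiated Mon Jan  1 00:00:00 2024 as: nmap -sV -oG scan.gnmap -p 22,80,443,3306 10.10.10.0/29
Host: 10.10.10.1 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1 Ubuntu/, 80/filtered/tcp//http///, 443/open/tcp//https//nginx 1.22.0/\tIgnored State: closed (1)
Host: 10.10.10.5 (db.lab.local)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1 Ubuntu/, 3306/open/tcp//mysql//MySQL 8.0.32/\tIgnored State: closed (2)
# Nmap done at Mon Jan  1 00:00:05 2024 -- 8 IP addresses (2 hosts up) scanned in 5.00 seconds
"""

if __name__ == "__main__":
    for ip, entries in parse_gnmap(SAMPLE_GNMAP).items():
        print(f"{ip}: nmap -sV -sC -p {port_spec(entries)} {ip}")
        for port, proto, service, version in entries:
            print(f"  {port}/{proto} {service} {version}")
```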
The NSE is Nmap's most powerful feature. It ships with 600+ scripts organized into categories:
| Category | Purpose |
|---|---|
| auth | Authentication bypass and credential tests |
| vuln | Known vulnerability checks |
| discovery | Network and service discovery |
| exploit | Exploitation scripts (use with care) |
| brute | Brute-force credential attacks |
| safe | Scripts safe to run on any target |
| default | Scripts run with the -sC flag |
Running Scripts
# Run default scripts
sudo nmap -sC 192.168.1.1
# Run a specific script
sudo nmap --script=http-title 192.168.1.1
# Run a category of scripts
sudo nmap --script=vuln 192.168.1.1
# Run multiple scripts
sudo nmap --script=http-headers,http-methods 192.168.1.1
Practical NSE Examples
Check for SMB vulnerabilities (EternalBlue):
sudo nmap --script=smb-vuln-ms17-010 -p 445 192.168.1.1
Enumerate HTTP headers:
nmap --script=http-headers -p 80,443 192.168.1.1
Check SSL/TLS configuration:
nmap --script=ssl-enum-ciphers -p 443 192.168.1.1
Brute-force SSH login:
sudo nmap --script=ssh-brute -p 22 192.168.1.1
Timing and Performance
Nmap has six timing templates (-T0 through -T5):
| Template | Name | Use Case |
|---|---|---|
| -T0 | Paranoid | IDS evasion, extremely slow |
| -T1 | Sneaky | IDS evasion |
| -T2 | Polite | Low bandwidth usage |
| -T3 | Normal | Default |
| -T4 | Aggressive | Fast networks, CTF labs |
| -T5 | Insane | Very fast, may miss results |
# Fast scan on a local network
sudo nmap -T4 192.168.1.0/24
# Stealthy scan against a monitored target
sudo nmap -T1 192.168.1.1
Firewall and IDS Evasion
Nmap includes several techniques to slip past firewalls and intrusion detection systems:
# Fragment packets to confuse firewalls
sudo nmap -f 192.168.1.1
# Use decoy IPs to mask your real address
sudo nmap -D RND:10 192.168.1.1
# Spoof source IP (requires routing knowledge)
sudo nmap -S 10.0.0.99 192.168.1.1
# Randomize target host order
nmap --randomize-hosts 192.168.1.0/24
# Slow the scan to evade rate-limiting IDS
sudo nmap -T1 --scan-delay 500ms 192.168.1.1
Real-World Workflow Example
Here is a typical recon workflow for an authorized penetration test:
# Step 1: Discover live hosts
sudo nmap -sn 10.10.10.0/24 -oN live_hosts.txt
# Step 2: Full port scan on a target
sudo nmap -p- -T4 10.10.10.5 -oN all_ports.txt
# Step 3: Service and version detection on open ports
sudo nmap -sV -sC -p 22,80,443,8080 10.10.10.5 -oN services.txt
# Step 4: Vulnerability scan
sudo nmap --script=vuln 10.10.10.5 -oN vulns.txt
Useful Nmap Cheat Sheet
# Quick scan
nmap -F 192.168.1.1
# Scan with OS + version + scripts + traceroute
sudo nmap -A 192.168.1.1
# Scan entire subnet, skip host discovery
sudo nmap -Pn 192.168.1.0/24
# Show open ports only
sudo nmap --open 192.168.1.0/24
# Verbose output
sudo nmap -v 192.168.1.1
# Very verbose
sudo nmap -vv 192.168.1.1
Conclusion
Nmap is more than a port scanner — it is a complete network intelligence platform. From a simple host discovery sweep to deep vulnerability analysis via NSE scripts, it adapts to almost any network security task.
Mastering Nmap takes practice. Set up a home lab using tools like VirtualBox + Metasploitable or use legal practice platforms like Hack The Box and TryHackMe to sharpen your skills in a safe environment.
The best security professionals are not the ones with the most expensive tools — they are the ones who understand their tools deeply. And Nmap is one tool worth knowing deeply.
Happy (ethical) scanning! 🔍