Nmap (Network Mapper) is the most popular network scanning tool used by security professionals and system administrators worldwide. This guide covers everything you need to know to start using Nmap effectively for network discovery and security auditing.
What is Nmap?
Nmap is a free, open-source tool designed for network discovery and security auditing. It can identify hosts on a network, detect open ports, determine what services are running, and even identify operating systems and vulnerabilities.
Installing Nmap
Nmap is available for Linux, Windows, and macOS. Here is how to install it on common platforms:
Linux (Debian/Ubuntu)
sudo apt update
sudo apt install nmap
Linux (RHEL/CentOS/Fedora)
sudo dnf install nmap
macOS
brew install nmap
Basic Nmap Scan Types
Simple Host Discovery
The simplest way to scan a target is to run Nmap with just the IP address or hostname:
nmap 192.168.1.1
This performs a SYN scan (when run as root; unprivileged users get a TCP connect scan instead) on the 1000 most common ports and reports which of them are open.
Scan Multiple Hosts
# Scan a range
nmap 192.168.1.1-254
# Scan a subnet
nmap 192.168.1.0/24
# Scan from a file
nmap -iL targets.txt
TCP Connect Scan (-sT)
This completes the full TCP three-way handshake. It is slower but does not require root privileges:
nmap -sT 192.168.1.1
SYN Scan (-sS)
Also known as a “stealth scan”, this is the default scan type when running as root. It never completes the TCP handshake, making it faster and less likely to be logged by the target application, since no connection is ever established (network-level firewalls and IDS still see the SYN packets):
sudo nmap -sS 192.168.1.1
UDP Scan (-sU)
UDP scanning is slower but essential for finding services like DNS (53), SNMP (161), and DHCP (67/68):
sudo nmap -sU 192.168.1.1
Port Specification
# Scan specific ports
nmap -p 22,80,443 192.168.1.1
# Scan a port range
nmap -p 1-1000 192.168.1.1
# Scan all 65535 ports
nmap -p- 192.168.1.1
# Scan top N ports
nmap --top-ports 100 192.168.1.1
Service and Version Detection
The -sV flag probes open ports to determine which service and version are running:
nmap -sV 192.168.1.1
Example output:
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.1
80/tcp   open  http    Apache httpd 2.4.52
443/tcp  open  ssl     OpenSSL 3.0.2
Operating System Detection
Nmap can fingerprint the target operating system using the -O flag:
sudo nmap -O 192.168.1.1
Nmap Scripting Engine (NSE)
NSE allows you to run scripts for vulnerability detection, brute forcing, and more. Scripts are organized into categories:
# Run default scripts
nmap -sC 192.168.1.1
# Run specific script
nmap --script=http-title 192.168.1.1
# Run scripts by category
nmap --script=vuln 192.168.1.1
# Run multiple script categories
nmap --script="vuln,safe" 192.168.1.1
Useful NSE Scripts
# HTTP enumeration
nmap --script=http-enum 192.168.1.1
# SMB vulnerabilities (quote the wildcard so the shell does not expand it)
nmap --script="smb-vuln*" 192.168.1.1
# SSL/TLS information
nmap --script=ssl-enum-ciphers -p 443 192.168.1.1
# DNS zone transfer
nmap --script=dns-zone-transfer -p 53 192.168.1.1
Common Nmap Command Combinations
Quick Scan
nmap -T4 -F 192.168.1.1
Comprehensive Scan
sudo nmap -sS -sV -sC -O -p- 192.168.1.1
Aggressive Scan
nmap -A 192.168.1.1
The -A flag enables OS detection, version detection, script scanning, and traceroute.
Output Formats
# Normal output to file
nmap -oN scan.txt 192.168.1.1
# XML output
nmap -oX scan.xml 192.168.1.1
# Grepable output
nmap -oG scan.gnmap 192.168.1.1
# All formats at once
nmap -oA scan 192.168.1.1
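The XML format is the one to feed into tooling. As an added example (not part of the original article), the script below parses -oX output with Python's standard library and flags open ports that are not in a known exposure baseline, which is the first thing a defender wants from a scan. The XML sample, the BASELINE dictionary and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of nmap -oX output (not a real scan),
# echoing the -sV example on this page plus one extra open port and one closed one.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 192.168.1.1">
<host><status state="up"/><address addr="192.168.1.1" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="8.9p1"/></port>
<port protocol="tcp" portid="80"><state state="open"/><service name="http" product="Apache httpd" version="2.4.52"/></port>
<port protocol="tcp" portid="3306"><state state="open"/><service name="mysql" product="MySQL" version="8.0.32"/></port>
<port protocol="tcp" portid="8080"><state state="closed"/><service name="http-proxy"/></port>
</ports></host>
</nmaprun>"""

# Hypothetical exposure baseline: the only ports each host is supposed to expose.
BASELINE = {"192.168.1.1": {"tcp/22", "tcp/80"}}


def parse_open_ports(xml_text):
    # Returns {ip: {"tcp/22": "ssh OpenSSH 8.9p1", ...}}, open ports only.
    result = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        open_ports = {}
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports are not exposure
            svc = port.find("service")
            desc = [svc.get(k) for k in ("name", "product", "version")] if svc is not None else []
            open_ports[f"{port.get('protocol')}/{port.get('portid')}"] = " ".join(d for d in desc if d)
        result[addr.get("addr")] = open_ports
    return result


def unexpected_exposure(scan, baseline):
    # Open ports absent from the baseline: the findings a defender should triage first.
    findings = {}
    for ip, ports in scan.items():
        extra = {p: s for p, s in ports.items() if p not in baseline.get(ip, set())}
        if extra:
            findings[ip] = extra
    return findings


if __name__ == "__main__":
    for ip, extra in unexpected_exposure(parse_open_ports(SAMPLE_XML), BASELINE).items():
        for port, svc in sorted(extra.items()):
            print(f"{ip} {port} is open ({svc}) but not in the baseline")
```

On real output, replace SAMPLE_XML with the contents of the file written by -oX (or the .xml file produced by -oA).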
Timing and Performance
Nmap offers timing templates from T0 (slowest) to T5 (fastest):
# Paranoid (IDS evasion)
nmap -T0 192.168.1.1
# Sneaky
nmap -T1 192.168.1.1
# Polite
nmap -T2 192.168.1.1
# Normal (default)
nmap -T3 192.168.1.1
# Aggressive
nmap -T4 192.168.1.1
# Insane
nmap -T5 192.168.1.1
Firewall and IDS Evasion
# Fragment packets
nmap -f 192.168.1.1
# Specify MTU
nmap --mtu 24 192.168.1.1
# Use decoys
nmap -D RND:10 192.168.1.1
# Spoof source port
nmap --source-port 53 192.168.1.1
Summary
Nmap is an essential tool in any security professional’s toolkit. Start with basic scans and gradually incorporate service detection, NSE scripts, and advanced options as you become more comfortable. Always ensure you have proper authorization before scanning any network or system.
