// What is Nmap?
Nmap (Network Mapper) is an open-source network scanning tool used to discover hosts, enumerate open ports, identify running services and their versions, detect operating systems, and run scripted checks against network services. It's available on Windows, Linux, and macOS.
For blue team analysts, Nmap is used in asset discovery, vulnerability assessments, and verifying network segmentation controls. For penetration testers, it's the standard reconnaissance tool for mapping attack surface before exploitation.
Always have authorisation before scanning. Scanning networks or systems you don't own or have explicit written permission to test is illegal in most jurisdictions. Even within your own organisation, active scanning can trigger IDS/IPS alerts and should be coordinated with the security team.
// Basic Syntax
nmap [scan type] [options] [target]
# Target formats
nmap 192.168.1.1 # Single IP
nmap 192.168.1.1-20 # IP range
nmap 192.168.1.0/24 # CIDR subnet
nmap 192.168.1.1 10.0.0.1 # Multiple IPs (space separated)
nmap -iL targets.txt # Read targets from file
nmap scanme.nmap.org # Hostname
Scan speed (-T timing)
| Flag | Name | Use case |
|---|---|---|
| -T0 | Paranoid | IDS evasion: extremely slow, one probe at a time |
| -T1 | Sneaky | IDS evasion: slow, minimal footprint |
| -T2 | Polite | Reduces network load; slow |
| -T3 | Normal | Default; balanced speed and accuracy |
| -T4 | Aggressive | Fast; assumes a reliable network. Most common choice for authorised scans |
| -T5 | Insane | Very fast but may miss results on slow networks or lose packets |
// Host Discovery
Before port scanning, Nmap checks whether hosts are up. By default it sends ICMP echo requests, TCP SYN to 443, TCP ACK to 80, and ICMP timestamp requests.
| Flag | Method | Notes |
|---|---|---|
| -sn | Ping scan only, no port scan | Discovers live hosts quickly without scanning ports. Useful for asset inventory. |
| -Pn | Skip ping; treat all hosts as up | Required when hosts block ICMP. Forces a port scan on all targets even if they don't respond to ping. |
| -PE | ICMP echo request | Standard ping |
| -PS | TCP SYN ping | -PS80,443 sends SYN to the specified ports |
| -PA | TCP ACK ping | Can bypass stateless firewalls that block SYN |
| -PU | UDP ping | Useful for hosts that filter TCP but allow UDP |
| -PR | ARP ping | Local network only; very reliable within the same subnet |
| -n | No DNS resolution | Faster; skips reverse DNS lookups |
| -R | Always resolve DNS | Resolve all targets, including offline hosts |
// Port Scanning
Scan types
| Flag | Type | How it works | Notes |
|---|---|---|---|
| -sS | TCP SYN (Stealth) | Sends SYN, reads SYN-ACK (open) or RST (closed), never completes the handshake | Default when running as root. Faster and less logged than a connect scan |
| -sT | TCP Connect | Full three-way handshake using the OS socket API | Default without root. Slower, more likely to be logged |
| -sU | UDP | Sends UDP packets, listens for ICMP port unreachable (closed) or a service response (open) | Slow, since UDP has no handshake. Often combined with TCP: -sS -sU |
| -sA | TCP ACK | Sends ACK; both open and closed ports answer with RST. Used to map firewall rules, not port state. | Shows which ports are filtered by a stateful firewall |
| -sN / -sF / -sX | NULL / FIN / Xmas | Sends packets with no flags / FIN / FIN+PSH+URG; no response means open\|filtered | Can bypass some non-stateful firewalls; doesn't work on Windows |
Port selection
| Flag | Behaviour |
|---|---|
| -p 80 | Scan a single port |
| -p 80,443,8080 | Scan specific ports |
| -p 1-1024 | Scan a port range |
| -p- | Scan all 65,535 ports |
| -F | Fast scan: top 100 most common ports |
| --top-ports 1000 | Top N most common ports (top 1000 is the default when no -p is specified) |
| -p U:53,T:80,443 | Mixed UDP and TCP port specification |
Port states
| State | Meaning |
|---|---|
| open | A service is actively accepting connections on this port |
| closed | Port is accessible but no service is listening; RST returned |
| filtered | Firewall is dropping probes; no response received. Nmap can't determine if open or closed. |
| open\|filtered | Nmap can't distinguish; usually from UDP or stealth scans |
| unfiltered | Port is accessible but Nmap can't determine open/closed (ACK scan result) |
// Service & Version Detection
Service detection probes open ports to identify the application and version running behind them, which is much more useful than just knowing a port is open.
| Flag | Description |
|---|---|
| -sV | Enable service/version detection: sends probes and reads banners to identify the service |
| --version-intensity 0-9 | How hard to probe (0 = light, 9 = all probes). Default is 7. Higher = more accurate but slower. |
| --version-light | Intensity 2: quick check, may miss some services |
| --version-all | Intensity 9: tries all probes, most accurate |
Sample -sV output:
PORT     STATE SERVICE  VERSION
22/tcp   open  ssh      OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http     Apache httpd 2.4.52 ((Ubuntu))
443/tcp  open  ssl/http Apache httpd 2.4.52 ((Ubuntu))
3306/tcp open  mysql    MySQL 8.0.32
// OS Detection
OS detection works by analysing TCP/IP stack characteristics: TTL values, window sizes, IP flags, and responses to crafted probes. It requires at least one open and one closed port to work reliably, and must be run as root/Administrator.
| Flag | Description |
|---|---|
| -O | Enable OS detection |
| --osscan-guess | Guess OS even when confidence is low |
| --osscan-limit | Only try OS detection when there's at least one open and one closed port |
OS detection is probabilistic; Nmap reports a confidence percentage (e.g. OS details: Microsoft Windows 10 (95%)). Firewalls and network address translation can reduce accuracy. Service banner grabbing with -sV often reveals more reliable OS information through application-layer banners.
// NSE Scripts
The Nmap Scripting Engine (NSE) extends Nmap with Lua scripts for vulnerability detection, service enumeration, brute forcing, and more. Scripts live in /usr/share/nmap/scripts/.
| Flag / Category | Description |
|---|---|
| -sC | Run default scripts, equivalent to --script=default. Safe, informational scripts for common services. |
| --script=vuln | Run vulnerability detection scripts: checks for known CVEs and misconfigurations |
| --script=auth | Run authentication-related scripts: default credentials, anonymous access |
| --script=banner | Simple banner grabbing: reads the initial bytes sent by a service |
| --script=smb-vuln* | All SMB vulnerability checks, including EternalBlue (MS17-010) detection |
| --script=http-title | Retrieve the title from HTTP responses for quick web service enumeration |
| --script=ssl-cert | Extract SSL/TLS certificate details: hostname, expiry, issuer |
| --script=dns-brute | Brute-force DNS subdomains |
# Default scripts + version detection (standard recon)
nmap -sV -sC -T4 192.168.1.0/24
# Check for EternalBlue (MS17-010) / WannaCry vulnerability
nmap -p 445 --script smb-vuln-ms17-010 192.168.1.0/24
# HTTP service enumeration
nmap -p 80,443,8080,8443 --script http-title,http-headers,http-methods 192.168.1.0/24
# SSL certificate inspection
nmap -p 443 --script ssl-cert,ssl-enum-ciphers 192.168.1.1
# SMB enumeration
nmap -p 445 --script smb-enum-shares,smb-enum-users,smb-security-mode 192.168.1.0/24
// Output Formats
Always save scan output; you'll want to refer back to it during an investigation or report.
| Flag | Format | Best for |
|---|---|---|
| -oN file.txt | Normal: human-readable text | Quick review, sharing with colleagues |
| -oX file.xml | XML: structured data | Importing into other tools (Metasploit, vulnerability scanners, custom scripts) |
| -oG file.gnmap | Grepable: one line per host | Shell scripting and grep-based parsing |
| -oA basename | All three formats simultaneously | Standard choice; saves basename.nmap, basename.xml, basename.gnmap |
| -v / -vv | Verbose output | See results as they come in rather than waiting for the scan to complete |
| --reason | Show reason for port state | Understand why a port is flagged open/filtered: which packet triggered the classification |
| --open | Only show open ports | Filter output to relevant results on large subnet scans |
# Extract all hosts with port 22 open
grep "22/open" scan.gnmap | awk '{print $2}'
# List all open ports across all hosts
grep "Ports:" scan.gnmap | grep -oP '\d+/open' | sort -t/ -k1 -n | uniq -c | sort -rn
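As an added example (not part of the original cheat sheet), the POSIX shell script below extends the two grep one-liners above into a small reusable parser for -oG output: it prints every open port with its service and version per host, and flags hosts that expose ports from a watch list (Telnet on 23, for instance). The sample grepable output, the file names and the function names are constructed here for offline use and are not real scan data.

```shell
#!/bin/sh
# Parse Nmap grepable (-oG) output. Each host line looks like:
#   Host: <ip> (<name>)<TAB>Ports: <port>/<state>/<proto>/<owner>/<service>/<rpc>/<version>/, ...<TAB>Ignored State: ...

# open_ports_report FILE
#   Prints "ip port/proto service [version]" for every port in state "open".
open_ports_report() {
    awk '
    /^Host: / && /Ports: / {
        ip = $2
        line = $0
        sub(/.*Ports: /, "", line)                 # keep only the port list
        sub(/[[:space:]]*Ignored State:.*/, "", line)
        n = split(line, entries, /, */)            # entries are comma separated
        for (i = 1; i <= n; i++) {
            split(entries[i], f, "/")              # f[1]=port f[2]=state f[3]=proto f[5]=service f[7]=version
            if (f[2] == "open")
                printf "%s %s/%s %s%s\n", ip, f[1], f[3], f[5], (f[7] != "" ? (" " f[7]) : "")
        }
    }' "$1"
}

# flag_risky_exposure FILE "PORT PORT ..."
#   Prints "ip port/proto service" for open ports that appear in the space-separated watch list.
flag_risky_exposure() {
    open_ports_report "$1" | awk -v watch="$2" '
    BEGIN { n = split(watch, w, " "); for (i = 1; i <= n; i++) bad[w[i]] = 1 }
    { split($2, pp, "/"); if (pp[1] in bad) print $1, $2, $3 }'
}

# Constructed sample of -oG output (hypothetical hosts, not a real scan).
sample_gnmap() {
    printf '%s\n' '# Nmap 7.94 scan initiated as: nmap -sS -sV -p 22,23,80,445 -oG scan.gnmap 192.168.1.0/24'
    printf 'Host: 192.168.1.10 ()\tStatus: Up\n'
    printf 'Host: 192.168.1.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 23/closed/tcp//telnet///, 80/open/tcp//http//Apache httpd 2.4.52/\tIgnored State: filtered (1)\n'
    printf 'Host: 192.168.1.20 ()\tStatus: Up\n'
    printf 'Host: 192.168.1.20 ()\tPorts: 23/open/tcp//telnet///, 445/open/tcp//microsoft-ds//Windows Server 2019/\n'
    printf 'Host: 192.168.1.30 ()\tStatus: Up\n'
    printf 'Host: 192.168.1.30 ()\tPorts: 22/filtered/tcp//ssh///, 80/filtered/tcp//http///\n'
    printf '%s\n' '# Nmap done: 256 IP addresses (3 hosts up) scanned'
}

# Demo on the constructed sample. Real use: open_ports_report scan.gnmap
demo_file=$(mktemp)
sample_gnmap > "$demo_file"
echo "== open ports =="
open_ports_report "$demo_file"
echo "== watch-list hits (23 3389 3306) =="
flag_risky_exposure "$demo_file" "23 3389 3306"
rm -f "$demo_file"
```

The awk parser splits each port entry on "/" rather than pattern-matching "22/open", so it also returns the service and version columns that -sV fills in, and the watch list makes it easy to turn a subnet scan into a short list of hosts that need a segmentation or hardening follow-up.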
// Common Ports Reference
| Port | Protocol | Service | Notes |
|---|---|---|---|
| 21 | TCP | FTP | Plaintext; check for anonymous login |
| 22 | TCP | SSH | Check version for known CVEs |
| 23 | TCP | Telnet | Plaintext; should not be open on modern systems |
| 25 | TCP | SMTP | Email; check for open relay |
| 53 | TCP/UDP | DNS | UDP for queries; TCP for zone transfers (AXFR) |
| 80 | TCP | HTTP | Web; check for admin interfaces, default creds |
| 110 / 995 | TCP | POP3 / POP3S | Legacy auth; check for legacy protocol exposure |
| 135 | TCP | RPC | Windows RPC endpoint mapper |
| 139 / 445 | TCP | NetBIOS / SMB | File sharing; check for EternalBlue, open shares |
| 143 / 993 | TCP | IMAP / IMAPS | Email; check for legacy auth |
| 389 / 636 | TCP | LDAP / LDAPS | Active Directory; check for anonymous bind |
| 443 | TCP | HTTPS | Check cert validity, TLS version, cipher suites |
| 3306 | TCP | MySQL | Check if exposed externally; should be localhost only |
| 3389 | TCP | RDP | Windows Remote Desktop; high-value attack target |
| 5985 / 5986 | TCP | WinRM | PowerShell Remoting; HTTP/HTTPS |
| 8080 / 8443 | TCP | HTTP/HTTPS alt | Web apps and management interfaces on non-standard ports |
// Tips & Best Practices
Use -A for comprehensive single-host scans. The -A flag enables OS detection, version detection, script scanning, and traceroute in one flag: nmap -A -T4 192.168.1.1. Good for deep inspection of a specific target.
Scan large subnets in two passes. First do a fast ping sweep (-sn -T4) to identify live hosts, then port scan only the live hosts from the results. Much faster than port scanning the whole range blind.
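The two-pass workflow as an added shell example (my own script, not from the original page): pass one runs the ping sweep into a grepable file, a small parser pulls out the hosts that reported Status: Up, and pass two feeds that list to a port scan with -iL and saves all three output formats with -oA. The sample sweep output, the file names and the function names are constructed assumptions.

```shell
#!/bin/sh
# Two-pass subnet scan: ping sweep first, then port-scan only the live hosts.

# live_hosts_from_sweep FILE
#   Prints one IP per host marked "Status: Up" in a -sn -oG sweep file (sorted, deduplicated).
live_hosts_from_sweep() {
    awk '/^Host: / && /Status: Up/ { print $2 }' "$1" | sort -u
}

# two_pass_scan TARGET_SPEC OUTPUT_BASENAME
#   Writes <base>-sweep.gnmap, <base>-live.txt and <base>.nmap/.xml/.gnmap (names are my convention).
#   No -sS/-sT is given, so Nmap picks SYN scan as root and connect scan otherwise.
two_pass_scan() {
    targets=$1
    base=${2:-scan}
    nmap -sn -T4 -oG "${base}-sweep.gnmap" "$targets" > /dev/null || return 1
    live_hosts_from_sweep "${base}-sweep.gnmap" > "${base}-live.txt"
    if [ ! -s "${base}-live.txt" ]; then
        echo "no live hosts found in $targets" >&2
        return 1
    fi
    echo "$(wc -l < "${base}-live.txt") live hosts, starting port scan" >&2
    nmap -sV -T4 --open -iL "${base}-live.txt" -oA "$base"
}

# Constructed sample of a -sn -oG sweep (hypothetical hosts, not a real scan).
sample_sweep() {
    printf '%s\n' '# Nmap 7.94 scan initiated as: nmap -sn -T4 -oG sweep.gnmap 192.168.1.0/24'
    printf 'Host: 192.168.1.1 (gw.lan)\tStatus: Up\n'
    printf 'Host: 192.168.1.10 ()\tStatus: Up\n'
    printf 'Host: 192.168.1.10 ()\tStatus: Up\n'
    printf 'Host: 192.168.1.254 ()\tStatus: Down\n'
    printf '%s\n' '# Nmap done: 256 IP addresses (2 hosts up) scanned'
}

# Demo of the parser on the constructed sample.
demo=$(mktemp)
sample_sweep > "$demo"
echo "Live hosts from sample sweep:"
live_hosts_from_sweep "$demo"
rm -f "$demo"
# Real run (needs nmap on the path): two_pass_scan 192.168.1.0/24 lan
```

Keeping the sweep file and the live-host list on disk means the expensive second pass can be re-run with different port or script options without repeating discovery, and the list itself doubles as a dated asset inventory snapshot.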
Zenmap is Nmap's GUI. If you prefer a graphical interface, Zenmap ships with Nmap on Windows and provides a command builder, topology map, and results comparison feature. Useful for visualising large subnet scans.
Nmap generates significant network noise. Even a T3 SYN scan of a /24 subnet sends thousands of packets and will appear in firewall and IDS logs. Don't scan production networks without coordination, and be aware that aggressive scanning (-T4 / -T5) can temporarily impact service performance on sensitive hosts.