Quick Summary: Nmap (Network Mapper) is the most popular open-source network scanning tool. It discovers hosts and services on a network by sending packets and analyzing responses. System administrators use Nmap to inventory network devices, detect open ports, and identify security vulnerabilities. This guide covers everything from basic scans to advanced scripting.
What Is Nmap?
Nmap is a free, open-source tool for network discovery and security auditing. Created by Gordon Lyon in 1997, Nmap has become the industry standard for network reconnaissance. It sends specially crafted packets to target hosts and analyzes responses to determine what hosts are available, what services they run, what operating systems they use, and what security measures are in place.
Nmap is included in virtually every penetration testing toolkit and is used daily by network administrators worldwide for legitimate security auditing.
Installing Nmap
- Debian/Ubuntu: sudo apt install nmap
- RHEL/AlmaLinux/Rocky: sudo dnf install nmap
- macOS: brew install nmap
- Verify: nmap --version
Essential Nmap Scan Types
| Scan Type | Command | Purpose | Speed |
|---|---|---|---|
| TCP Connect | nmap -sT target | Full TCP connection (reliable) | Moderate |
| SYN Stealth | nmap -sS target | Half-open scan (stealthier, root required) | Fast |
| UDP Scan | nmap -sU target | Scan UDP ports (DNS, DHCP, SNMP) | Slow |
| Ping Sweep | nmap -sn 192.168.1.0/24 | Discover live hosts, no port scan | Very Fast |
| Version Detection | nmap -sV target | Identify service versions | Moderate |
| OS Detection | nmap -O target | Identify operating system | Moderate |
| Aggressive | nmap -A target | OS + version + scripts + traceroute | Slow |
Practical Nmap Commands
Host Discovery
- Single host: nmap 192.168.1.1 (scans the 1000 most common ports)
- Subnet: nmap 192.168.1.0/24 (all devices on a /24 network)
- Multiple targets: nmap 192.168.1.1 192.168.1.5 192.168.1.10
- From file: nmap -iL targets.txt
- Exclude hosts: nmap 192.168.1.0/24 --exclude 192.168.1.1
Port Scanning
- Specific ports: nmap -p 80,443,8080 target
- Port range: nmap -p 1-1024 target
- All 65535 ports: nmap -p- target (thorough but slow)
- Top 100: nmap --top-ports 100 target
- Fast scan: nmap -F target
Service and OS Detection
- Service versions: nmap -sV target
- Intense detection: nmap -sV --version-intensity 5 target
- OS detection: nmap -O target (requires root)
- Combined: nmap -sV -O -sC target
Nmap Scripting Engine (NSE)
NSE extends Nmap with hundreds of scripts for vulnerability detection and information gathering:
- nmap --script vuln target (run all vulnerability-category scripts)
- nmap --script ssl-heartbleed target (check for a specific vulnerability)
- nmap --script http-title target (get webpage titles)
- nmap --script dns-brute target (DNS subdomain enumeration)
- nmap --script ssh-auth-methods target (check SSH authentication methods)
- nmap --script-help 'ssl*' (help on the SSL scripts; quote the pattern so the shell does not expand it)
Output Formats
- nmap -oN scan.txt target (normal text)
- nmap -oX scan.xml target (XML, for other tools)
- nmap -oG scan.gnmap target (grepable output)
- nmap -oA scan target (all three formats)
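The grepable format above is one line per host, with tab-separated fields and each port written as port/state/protocol/owner/service/rpc/version. The following added example (not part of the original guide) parses two such files and reports ports that are open now but were not in a saved baseline, which is the check behind the later advice to schedule regular scans to detect unauthorized changes. Both -oG samples are constructed, not real scan output.

```python
"""Parse Nmap grepable (-oG) output and diff two scans for newly exposed ports."""
import re
from typing import Dict, Set, Tuple

PortKey = Tuple[str, int, str]  # (host, port, protocol)

# Constructed sample: roughly what `nmap -oG baseline.gnmap 192.168.1.0/24` writes.
BASELINE = """\
# Nmap 7.94 scan initiated Mon Jan  1 09:00:00 2024 as: nmap -oG baseline.gnmap 192.168.1.0/24
Host: 192.168.1.1 (gateway.lan)\tStatus: Up
Host: 192.168.1.1 (gateway.lan)\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///\tIgnored State: closed (998)
Host: 192.168.1.10 ()\tStatus: Up
Host: 192.168.1.10 ()\tPorts: 80/open/tcp//http///, 3306/filtered/tcp//mysql///\tIgnored State: closed (998)
# Nmap done at Mon Jan  1 09:00:05 2024 -- 256 IP addresses (2 hosts up) scanned in 5.12 seconds
"""

# Constructed sample: a later scan in which 192.168.1.10 exposes two more listeners.
TODAY = """\
Host: 192.168.1.1 (gateway.lan)\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///\tIgnored State: closed (998)
Host: 192.168.1.10 ()\tPorts: 80/open/tcp//http///, 3306/open/tcp//mysql///, 8080/open/tcp//http-proxy///\tIgnored State: closed (997)
"""

# port/state/proto/owner/service (the rpc and version fields are not needed here)
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/[^/]*/([^/]*)/")

def parse_gnmap(text: str) -> Dict[PortKey, Tuple[str, str]]:
    """Return {(host, port, proto): (state, service)} for every port listed.
    Comment lines and the per-host 'Status:' lines carry no ports and are skipped."""
    ports: Dict[PortKey, Tuple[str, str]] = {}
    for line in text.splitlines():
        if line.startswith("#") or "\tPorts: " not in line:
            continue
        host = line.split()[1]  # "Host: <ip> (<name>)" -> the IP
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        for entry in fields["Ports"].split(", "):
            m = PORT_RE.match(entry.strip())
            if m:
                port, state, proto, service = m.groups()
                ports[(host, int(port), proto)] = (state, service)
    return ports

def new_open_ports(baseline: str, current: str) -> Set[PortKey]:
    """Ports open in the current scan that were not open in the baseline."""
    before = {k for k, (state, _) in parse_gnmap(baseline).items() if state == "open"}
    after = {k for k, (state, _) in parse_gnmap(current).items() if state == "open"}
    return after - before

if __name__ == "__main__":
    for host, port, proto in sorted(new_open_ports(BASELINE, TODAY)):
        print(f"NEW OPEN: {host} {port}/{proto}")
```

Feed it the real files with open(...).read() in place of the two constants; a port whose state changed from filtered to open (3306 here) is reported alongside brand-new listeners.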
Understanding Port States
| State | Meaning | Implication |
|---|---|---|
| open | Service listening, accepting connections | Accessible; verify that it is intentional |
| closed | Port accessible but no service | Host reachable, port unused |
| filtered | Cannot determine state (firewall) | Firewall dropping packets |
| unfiltered | Accessible but state uncertain | Rare; seen with ACK scans |
| open\|filtered | Cannot distinguish open from filtered | Common with UDP scans |
Timing and Performance
Nmap timing templates control scan speed and stealth:
| Flag | Name | Use Case |
|---|---|---|
| -T0 | Paranoid | IDS evasion (extremely slow) |
| -T1 | Sneaky | IDS evasion (slow) |
| -T2 | Polite | Reduced bandwidth usage |
| -T3 | Normal | Default timing |
| -T4 | Aggressive | Fast, reliable networks |
| -T5 | Insane | Very fast, may miss ports |
Ethics and Legal Considerations
- Only scan networks you own or have explicit written permission to scan
- Unauthorized scanning is illegal in most jurisdictions
- Start with less aggressive scans and escalate only when needed
- Save results for documentation and compliance
- Schedule regular scans to detect unauthorized changes
Frequently Asked Questions
Which is the best Nmap command for port scanning?
For comprehensive scanning use nmap -sV -sC -O target which combines version detection, default scripts, and OS detection. For quick scans use nmap -F target which scans only the top 100 ports.
Is Nmap legal to use?
Nmap itself is legal software. However, scanning networks without authorization is illegal in most countries. Always scan only your own systems or those you have written permission to test.
What is the difference between -sS and -sT scans?
-sS (SYN scan) sends a SYN and waits for the SYN-ACK without completing the TCP handshake: faster and stealthier, but it requires root. -sT (Connect scan) completes the full connection: slower, but it works without root.
How long does a full port scan take?
A full scan of all 65535 ports typically takes 15-30 minutes per host. Use -T4 to speed it up, or --top-ports 1000 to scan the common ports in seconds.