Nmap (Network Mapper) is arguably the most important tool in a security professional’s toolkit. Originally released in 1997, it remains the go-to choice for network discovery, port scanning, and vulnerability detection. Understanding Nmap is essential whether you’re doing penetration testing, hardening your own network, or preparing for security certifications like CEH or OSCP.
Important: Only scan networks and systems you own or have explicit written permission to test, and stay inside the scope that authorization defines (targets, ports, time window). Unauthorized scanning can be a criminal offence in many jurisdictions, and it will trip intrusion detection systems either way.
Installing Nmap
# Linux (Debian/Ubuntu)
sudo apt install nmap
# Linux (RHEL/CentOS/Fedora; yum on older releases)
sudo dnf install nmap
# macOS (with Homebrew)
brew install nmap
# Windows
# Download installer from nmap.org/download.html
Understanding Nmap Output
Before diving into commands, understand Nmap’s port states:
- open — an application is accepting TCP connections or UDP packets on this port
- closed — the port is reachable (Nmap’s probe gets a TCP RST or ICMP port-unreachable back) but no service is listening
- filtered — Nmap’s probes got no reply or an ICMP "administratively prohibited" error, so a firewall, router ACL or host filter is dropping them and Nmap can’t tell whether the port is open or closed
- open|filtered — Nmap got no reply and can’t distinguish open from filtered; typical of UDP scans and of FIN/NULL/Xmas scans, where an open port is silent by design (adding -sV often resolves it)
You’ll occasionally also see unfiltered (an ACK scan reached the port but can’t say whether it’s open) and closed|filtered (idle scans only).
Essential Nmap Commands
Basic Host Discovery
# Find all live hosts on a subnet (no port scan)
nmap -sn 192.168.1.0/24
# Scan a single host
nmap 192.168.1.1
# Scan multiple hosts
nmap 192.168.1.1 192.168.1.2 192.168.1.100
# Scan a range
nmap 192.168.1.1-50
Port Scanning Techniques
# TCP SYN scan (the default when run as root/admin): never completes the handshake, so the
# application never sees a connection; fast, but any firewall or IDS still logs the probes
sudo nmap -sS 192.168.1.1
# TCP Connect scan (the default without root): completes the handshake, so the target
# service itself logs the connection
nmap -sT 192.168.1.1
# UDP scan (slow, because open UDP ports usually stay silent; finds DNS, SNMP, DHCP and
# similar). Add -sV to resolve open|filtered results where a service answers a real request
sudo nmap -sU 192.168.1.1
# Scan specific ports
nmap -p 80,443,22,3389 192.168.1.1
# Scan top 1000 most common ports (default)
nmap 192.168.1.1
# Scan all 65535 ports
nmap -p- 192.168.1.1
# Fast scan - top 100 ports
nmap -F 192.168.1.1
Service and Version Detection
# Detect service versions on open ports
nmap -sV 192.168.1.1
# Maximum version-probe intensity (scale 0-9, default 7): tries every probe, so it is slower
nmap -sV --version-intensity 9 192.168.1.1
# Detect OS (requires root)
sudo nmap -O 192.168.1.1
# Combined: version + OS detection
sudo nmap -sV -O 192.168.1.1
The Aggressive Scan (-A)
# Aggressive scan: OS detection, version detection, script scanning, traceroute
sudo nmap -A 192.168.1.1
# Same but for an entire subnet
sudo nmap -A 192.168.1.0/24
The -A flag enables OS detection (-O), version detection (-sV), the default script set (-sC) and --traceroute in one command. It’s thorough but noisy: it generates a lot of traffic that will show up in logs, and the OS detection and traceroute parts need raw sockets, hence the sudo.
Nmap Scripting Engine (NSE)
NSE is one of Nmap’s most powerful features: hundreds of Lua scripts for vulnerability detection, exploitation, authentication testing, and more, grouped into categories such as default, safe, discovery, vuln, intrusive and exploit. Scripts outside the safe category send traffic that can disturb or crash fragile services, so check what a script does (nmap --script-help <name>) before pointing it at production.
# Run default scripts
nmap -sC 192.168.1.1
# Run every script in a category (vuln scripts actively probe, and some are intrusive)
nmap --script=vuln 192.168.1.1
# Check for specific vulnerabilities
nmap --script=smb-vuln-ms17-010 192.168.1.1 # EternalBlue / WannaCry (needs 445/tcp in the port list; it is in the default top 1000)
nmap --script=http-sql-injection 192.168.1.1 # crawls the site and submits test payloads: intrusive
nmap --script=ssl-heartbleed 192.168.1.1 # Heartbleed
# Enumerate HTTP directories
nmap --script=http-enum 192.168.1.1
# List the key-exchange, cipher and MAC algorithms an SSH server offers (judging which are weak is up to you)
nmap --script=ssh2-enum-algos 192.168.1.1
Timing and Performance
# Timing templates (T0=paranoid/slowest ... T5=insane/fastest). T4 is fine on a LAN;
# T5 trades accuracy for speed and is only safe on a fast, reliable link
nmap -T4 192.168.1.1 # Aggressive (good for local networks)
nmap -T2 192.168.1.1 # Polite (slower, less disruptive to fragile devices and IDS thresholds)
# Force more probes in flight. This overrides Nmap's congestion control, so on a lossy
# network it can cause missed ports; sanity-check against a slower scan if results look thin
nmap -T4 --min-parallelism 100 192.168.1.0/24
Output Formats
# Save output to file (normal format)
nmap -oN scan_results.txt 192.168.1.0/24
# XML format (for import into other tools)
nmap -oX scan_results.xml 192.168.1.0/24
# All three formats at once (writes scan_results.nmap, scan_results.xml and scan_results.gnmap)
nmap -oA scan_results 192.168.1.0/24
# Grepable format
nmap -oG scan_results.gnmap 192.168.1.0/24
Real-World Use Cases
Auditing Your Own Network
Run a full scan of your internal network to see what’s actually exposed. You’ll often find forgotten services, devices with unexpected open ports, or test servers that were never decommissioned.
# Comprehensive internal network audit. -sC is shorthand for --script=default, so name both
# categories explicitly to be sure the default and vuln sets both run
sudo nmap -sV -O -T4 --script=default,vuln -oA network_audit 192.168.1.0/24
Checking What’s Exposed to the Internet
Scan your own public IP address from a host outside your network (a cloud VM, a phone hotspot, a friend’s connection) to see what attackers can see. Scanning it from inside your own LAN usually reaches your router rather than the view an outsider gets:
# Replace with your actual public IP, and run this from outside your own network
nmap -sV -T4 --script=vuln YOUR.PUBLIC.IP.ADDRESS
Finding All Web Servers on a Network
nmap -p 80,443,8080,8443 --open 192.168.1.0/24
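The audit, external-exposure and web-server use cases above all end with a pile of -oX files, and the question that matters is what changed since the last run. The script below is an added example, not code from this page or from the Nmap project: it parses nmap XML (-oX) output, reports ports that are newly open compared with a baseline scan, and filters hosts by port the way -p ... --open does. The two XML documents embedded in it are constructed to mimic nmap’s layout, not captured from a real scan, and the function names are this example’s own.

```python
"""Parse nmap -oX output, diff two scans, and filter hosts by open port (added example)."""
import xml.etree.ElementTree as ET
from typing import Dict, Set, Tuple

PortKey = Tuple[str, int]                   # (protocol, port number)
ScanResult = Dict[str, Dict[PortKey, str]]  # address -> {(proto, port): service label}

# Constructed sample documents (not real scan output) following nmap's XML layout.
BASELINE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX baseline.xml 192.168.1.0/24">
  <host><status state="up"/><address addr="192.168.1.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="9.2p1"/></port>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https" product="nginx"/></port>
      <port protocol="tcp" portid="3389"><state state="filtered"/></port>
    </ports>
  </host>
  <host><status state="down"/><address addr="192.168.1.11" addrtype="ipv4"/></host>
</nmaprun>
"""

CURRENT_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX current.xml 192.168.1.0/24">
  <host><status state="up"/><address addr="192.168.1.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="9.2p1"/></port>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https" product="nginx"/></port>
      <port protocol="tcp" portid="8080"><state state="open"/><service name="http-proxy" product="Apache Tomcat"/></port>
    </ports>
  </host>
  <host><status state="up"/><address addr="192.168.1.11" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
      <port protocol="udp" portid="161"><state state="open|filtered"/></port>
    </ports>
  </host>
</nmaprun>
"""


def parse_open_ports(xml_text: str) -> ScanResult:
    """Open ports for every host nmap reported as up; all other port states are dropped."""
    result: ScanResult = {}
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # down hosts carry no port table
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            addr = host.find("address")
        if addr is None:
            continue
        ports: Dict[PortKey, str] = {}
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed, filtered and open|filtered are not confirmed exposure
            svc = port.find("service")
            label = "unknown"
            if svc is not None:
                label = " ".join(p for p in (svc.get("name"), svc.get("product"), svc.get("version")) if p)
            ports[(port.get("protocol"), int(port.get("portid")))] = label
        result[addr.get("addr")] = ports
    return result


def diff_scans(baseline: ScanResult, current: ScanResult) -> Dict[str, Set[PortKey]]:
    """Ports open now that were not open before; a host missing from the baseline counts in full."""
    new: Dict[str, Set[PortKey]] = {}
    for addr, ports in current.items():
        added = set(ports) - set(baseline.get(addr, {}))
        if added:
            new[addr] = added
    return new


def hosts_serving(scan: ScanResult, wanted: Set[int]) -> Dict[str, Set[int]]:
    """Post-hoc equivalent of `nmap -p <ports> --open`: hosts with any wanted TCP port open."""
    hits: Dict[str, Set[int]] = {}
    for addr, ports in scan.items():
        found = {num for proto, num in ports if proto == "tcp" and num in wanted}
        if found:
            hits[addr] = found
    return hits


if __name__ == "__main__":
    base, cur = parse_open_ports(BASELINE_XML), parse_open_ports(CURRENT_XML)
    for addr, ports in sorted(diff_scans(base, cur).items()):
        for proto, num in sorted(ports):
            print(f"NEW {addr} {num}/{proto} {cur[addr][(proto, num)]}")
    print("web servers:", hosts_serving(cur, {80, 443, 8080, 8443}))
```

To use it against real output, run nmap -sV -oX baseline.xml ... once, nmap -sV -oX current.xml ... later, and swap the embedded strings for the file contents. Every line the diff prints is either a change someone approved or a finding; the open|filtered UDP port is deliberately left out because it is not confirmed exposure until a follow-up -sV or -sU -sV run says so.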
Identifying Unpatched Windows Systems (EternalBlue)
sudo nmap --script smb-vuln-ms17-010 -p 445 192.168.1.0/24
If any hosts come back as vulnerable, patch them immediately — EternalBlue is still actively exploited in 2025.
Nmap vs. Other Scanners
- Masscan — faster than Nmap for port scanning at scale (entire internet ranges), but less feature-rich
- Rustscan — modern Rust-based scanner, extremely fast, can feed results into Nmap
- Shodan — search engine for internet-facing devices; passive reconnaissance without scanning yourself
- Nessus (free for home use as Nessus Essentials, limited to 16 IP addresses) — vulnerability scanner that goes deeper than Nmap’s NSE scripts
Summary
Nmap is an indispensable tool for any security professional or system administrator. Mastering its core functionality — host discovery, port scanning, service version detection, and NSE scripts — gives you a clear picture of your network’s attack surface. Regular Nmap scans of your own infrastructure catch misconfigurations before attackers do. Start with your own network, document your findings, and integrate scanning into your regular security operations.