Nmap (Network Mapper) is the most widely used network scanning tool in cybersecurity. Security professionals, penetration testers, and system administrators use it daily to discover hosts, identify open ports, detect running services, and uncover vulnerabilities. This guide walks you through the essentials — starting from your first scan.
Important disclaimer: Only scan networks and systems you own or have explicit written permission to test. Unauthorized scanning is illegal in most jurisdictions.
Installing Nmap
# Linux (Debian/Ubuntu):
sudo apt install nmap
# macOS (via Homebrew):
brew install nmap
# Windows:
# Download installer from nmap.org/download.html
# Also installs Zenmap (GUI version)
# Verify installation:
nmap --version
Understanding Nmap Output
# Basic scan output explained:
$ nmap 192.168.1.1
Starting Nmap 7.94 ( https://nmap.org )
Nmap scan report for router.local (192.168.1.1)
Host is up (0.0015s latency). ← Host responded, measured latency
Not shown: 995 closed ports ← 995 ports answered with a RST: reachable, but nothing listening. Ports a firewall silently drops are reported as "filtered" instead, so "closed" and "filtered" tell you different things
PORT STATE SERVICE
22/tcp open ssh ← Port 22, protocol TCP, SSH service running
53/tcp open domain ← DNS service
80/tcp open http ← Web server
443/tcp open https ← HTTPS web server
8080/tcp open http-proxy ← Proxy or alternate web server
Essential Nmap Scans
Discover Live Hosts on Your Network
# Ping scan — find all live hosts without port scanning:
nmap -sn 192.168.1.0/24
# Output: List of hosts that responded
# 192.168.1.1 — router
# 192.168.1.5 — laptop
# 192.168.1.10 — smart TV
# 192.168.1.22 — NAS
# Without root this sends ICMP echo/timestamp and TCP probes to ports 80 and 443; a host that drops all of them is reported as down (use -Pn to port-scan such hosts anyway). As root on the local LAN, Nmap uses ARP requests instead, which devices cannot ignore, and also reports MAC addresses and vendors.
# Verbose output also lists the hosts that did not respond (add --reason to see which probe each live host answered):
nmap -sn 192.168.1.0/24 -v
Basic Port Scan
# Scan top 1000 most common ports (default):
nmap 192.168.1.1
# Scan specific ports:
nmap -p 22,80,443,8080 192.168.1.1
# Scan all 65535 ports (thorough but slow):
nmap -p- 192.168.1.1
# Scan a range of ports:
nmap -p 1-1024 192.168.1.1
Service Version Detection
# -sV probes each open port and matches the replies against Nmap's service signature database to report the service and, where the banner allows, its version
nmap -sV 192.168.1.1
# Example output with version detection:
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.52 ((Ubuntu))
443/tcp open ssl/http Apache httpd 2.4.52
# Why this matters: an advisory names the affected product and versions, so the reported banner is what you match it against
# e.g. a CVE-2023-XXXX advisory that names "Apache httpd 2.4.52"
# Two caveats: distributions backport fixes without changing the upstream version (the "3ubuntu0.6" revision above is what Ubuntu's security tracker keys on, not "8.9p1" alone), and a banner is whatever the service chooses to send, so treat a version match as a lead to verify, not proof of a vulnerability
OS Detection
# -O flag attempts to identify the operating system
# Requires root/administrator privileges
sudo nmap -O 192.168.1.5
# Example output:
OS details: Linux 5.4 - 5.15
# Or: Microsoft Windows 11 21H2
# Nmap fingerprints the TCP/IP stack, so it reports a kernel range or OS family rather than a distribution; the -sV banners above (e.g. "Ubuntu 3ubuntu0.6") are what tell you it is Ubuntu. Results are most reliable when the host has at least one open and one closed TCP port
Aggressive Scan (All-in-One)
# -A enables OS detection, version detection, script scanning, traceroute
# Useful for thorough analysis of a single host; also the noisiest option, since it runs every default script against every open port and shows up clearly in target logs and IDS alerts
sudo nmap -A 192.168.1.1
# This runs:
# -sV (service detection)
# -O (OS detection)
# -sC (default scripts)
# --traceroute
Nmap Scripting Engine (NSE)
# NSE scripts automate many common security checks. Read what a script does before running it (nmap --script-help <name> prints its description and categories)
# Check for vulnerabilities (vuln category; several of these scripts are also in the "intrusive" category and can crash fragile services, so run them on test systems or with the owner's knowledge):
sudo nmap --script vuln 192.168.1.1
# Check for HTTP vulnerabilities specifically (quote the wildcard so the shell does not expand it against local filenames):
nmap --script "http-vuln-*" 192.168.1.1
# Check for default credentials on common services:
nmap --script http-default-accounts 192.168.1.1
# SMB vulnerability check (EternalBlue/MS17-010); limit the sweep to the SMB port so it finishes quickly:
nmap -p 445 --script smb-vuln-ms17-010 192.168.1.0/24
# Check SSL/TLS configuration:
nmap --script ssl-enum-ciphers -p 443 192.168.1.1
Output Formats
# Save scan results for later analysis:
# Normal text output:
nmap -oN scan_results.txt 192.168.1.0/24
# XML output (importable into other tools like Metasploit):
nmap -oX scan_results.xml 192.168.1.0/24
# Grepable format (easy to grep for specific data):
nmap -oG scan_results.gnmap 192.168.1.0/24
# All formats at once:
nmap -oA scan_results 192.168.1.0/24
# Creates: scan_results.nmap, scan_results.xml, scan_results.gnmap
Practical Home Network Audit
# Full audit of your home network:
# Step 1: Discover all hosts and save the live IPs as a target list. Normal output (-oN) is a report, not a list -iL can read; greppable output to stdout (-oG -) is easy to filter:
nmap -sn 192.168.1.0/24 -oG - | awk '/Status: Up/ {print $2}' > hosts.txt
# Step 2: Scan only the discovered hosts for services (all ports, report open ones only)
nmap -sV -p- --open -iL hosts.txt -oN services.txt
# Step 3: Review unexpected open ports
# Your router should typically expose only: 53 (DNS), 80/443 (management), plus DHCP on 67/udp, which a TCP scan will not show. Anything else, and anything reachable from the WAN side, needs an explanation
# IoT devices: should have minimal open ports
# Computers: should have no open server ports in most cases
# Step 4: Check for known vulnerabilities on the same host list
sudo nmap --script vuln -iL hosts.txt -oN vulns.txt
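Step 3 is the manual part of the audit and the step worth automating, and the Output Formats section above is why -oX exists: a scan saved as XML can be read by other tools. The script below is an added example, not part of the original guide or of the Nmap project. It parses Nmap XML output, keeps only hosts that are up and ports in the "open" state (skipping "closed" and "filtered", which are not exposure), and reports every open port that is not on a per-host allowlist. The embedded SAMPLE_XML is constructed to mirror the example network in this guide (a router with SSH and a proxy port, a NAS with Telnet left on, one host that is down), and ALLOWLIST is a hypothetical policy for that network; both are assumptions, not output from a real scan. To use it on your own results, also save step 2 with -oX (or -oA) and run it as `python3 nmap_baseline.py services.xml`.

```python
#!/usr/bin/env python3
"""Compare open ports in an Nmap -oX report against a per-host allowlist.

Added example for this guide; not part of Nmap. Run with no arguments to use
the constructed sample below, or pass the path of a real -oX file.
"""
import sys
import xml.etree.ElementTree as ET

# Constructed sample of Nmap XML output (only the elements the parser reads),
# modelled on the example network in the guide: a router and a NAS.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -p- --open -oX services.xml -iL hosts.txt" version="7.94">
  <host><status state="up" reason="arp-response"/>
    <address addr="192.168.1.1" addrtype="ipv4"/>
    <hostnames><hostname name="router.local" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="8.9p1"/></port>
      <port protocol="tcp" portid="53"><state state="open" reason="syn-ack"/><service name="domain"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http"/></port>
      <port protocol="tcp" portid="443"><state state="open" reason="syn-ack"/><service name="https"/></port>
      <port protocol="tcp" portid="8080"><state state="open" reason="syn-ack"/><service name="http-proxy"/></port>
    </ports></host>
  <host><status state="up" reason="arp-response"/>
    <address addr="192.168.1.22" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="23"><state state="open" reason="syn-ack"/><service name="telnet"/></port>
      <port protocol="tcp" portid="139"><state state="filtered" reason="no-response"/></port>
      <port protocol="tcp" portid="445"><state state="open" reason="syn-ack"/><service name="microsoft-ds"/></port>
    </ports></host>
  <host><status state="down" reason="no-response"/>
    <address addr="192.168.1.7" addrtype="ipv4"/></host>
</nmaprun>
"""

# Hypothetical policy: what each host is allowed to expose, as "proto/port".
# A host missing from this dict is unknown, so every open port on it is reported.
ALLOWLIST = {
    "192.168.1.1": {"tcp/53", "tcp/80", "tcp/443"},
    "192.168.1.22": {"tcp/445"},
}


def parse_open_ports(xml_text):
    """Return {ip: {"proto/port": "service [product version]"}} for hosts that are up.

    Only ports in state "open" are kept. "filtered" (no reply, probably a
    firewall) and "closed" (RST received) are not exposure and are skipped.
    """
    root = ET.fromstring(xml_text)
    hosts = {}
    for host in root.iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        open_ports = {}
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            key = f"{port.get('protocol')}/{port.get('portid')}"
            svc = port.find("service")
            label = "?"
            if svc is not None:
                # -sV fills product/version; a plain scan only has the name.
                label = " ".join(
                    v for v in (svc.get("name"), svc.get("product"), svc.get("version")) if v
                ) or "?"
            open_ports[key] = label
        hosts[addr.get("addr")] = open_ports
    return hosts


def find_unexpected(hosts, allowlist):
    """Return {ip: ["proto/port (service)", ...]} for open ports not in the allowlist."""
    def sort_key(k):
        proto, num = k.split("/")
        return (proto, int(num))

    unexpected = {}
    for ip, ports in hosts.items():
        allowed = allowlist.get(ip, set())
        extra = sorted((k for k in ports if k not in allowed), key=sort_key)
        if extra:
            unexpected[ip] = [f"{k} ({ports[k]})" for k in extra]
    return unexpected


if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_XML
    findings = find_unexpected(parse_open_ports(text), ALLOWLIST)
    for ip, items in sorted(findings.items()):
        for item in items:
            print(f"{ip}: unexpected {item}")
    # Non-zero exit lets a cron job or CI step fail when the network drifts from its baseline.
    sys.exit(1 if findings else 0)
```

On the sample data this reports SSH and the 8080 proxy on the router and Telnet on the NAS, and stays silent about port 139, which was filtered rather than open. Keeping the allowlist in a file under version control turns the one-off audit into a repeatable check: rerun steps 1 and 2 on a schedule and let the exit status tell you when something new starts listening.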
Nmap Cheat Sheet
nmap -sn 192.168.1.0/24 # Discover hosts (no port scan)
nmap 192.168.1.1 # Basic port scan (top 1000)
nmap -p- 192.168.1.1 # All ports
nmap -sV 192.168.1.1 # Service version detection
sudo nmap -O 192.168.1.1 # OS detection
sudo nmap -A 192.168.1.1 # Aggressive (OS+services+scripts)
nmap --open 192.168.1.0/24 # Show only open ports
sudo nmap -sU -p 53,123,161 192.168.1.1 # UDP scan specific ports (needs root; slow, and "open|filtered" means no reply either way)
nmap -oA results 192.168.1.1 # Save in all formats
Wrap Up
Nmap is an invaluable tool for understanding what’s exposed on your network. Run it against your own systems regularly as part of security hygiene — you might be surprised what you find. Every service you don’t need is an attack surface you can eliminate.