Mastering Nmap: A Beginner's Guide to Network Scanning
Learn how to use Nmap to discover hosts, scan ports, and identify services running on your network.
Nmap (Network Mapper) is the world’s most popular network scanning tool. Used by system administrators and pentesters alike, it allows you to discover active hosts, open ports, and running services.
Installation
# Debian/Ubuntu
sudo apt install nmap
# macOS
brew install nmap
# Verify the version
nmap --version
Basic Scans
Simple Host Scan
# Scan the 1000 most common ports
nmap 192.168.1.1
# Scan an entire subnet
nmap 192.168.1.0/24
# Scan a range of addresses
nmap 192.168.1.1-50
Scanning Specific Ports
# Scan a specific port
nmap -p 22 192.168.1.1
# Scan a port range
nmap -p 1-1000 192.168.1.1
# Scan all ports (1-65535)
nmap -p- 192.168.1.1
# Scan the most common ports
nmap --top-ports 100 192.168.1.1
Scan Types
SYN Scan (Half-open) — The Most Common
# SYN scan (requires root)
sudo nmap -sS 192.168.1.1
The SYN scan sends a SYN packet to each port and classifies it by the reply; it never completes the handshake (Nmap answers a SYN/ACK with RST), which is why it is called half-open:
- SYN/ACK → Port open
- RST → Port closed
- No response (or an ICMP unreachable error) → Port filtered
TCP Connect Scan
# Full TCP connect scan: completes the three-way handshake via the OS socket API (no root required, but more visible to the target)
nmap -sT 192.168.1.1
UDP Scan
# UDP scan (slower)
sudo nmap -sU 192.168.1.1
# Combine TCP and UDP
sudo nmap -sS -sU 192.168.1.1
Service and Version Detection
# Detect service versions
nmap -sV 192.168.1.1
# Aggressive detection (versions + OS + default scripts + traceroute); OS detection needs root
sudo nmap -A 192.168.1.1
# Operating system detection
sudo nmap -O 192.168.1.1
NSE Scripts (Nmap Scripting Engine)
Nmap ships with hundreds of NSE scripts, grouped into categories (default, discovery, vuln, brute, and others), that automate service enumeration and vulnerability checks:
# List available scripts
ls /usr/share/nmap/scripts/
# Scan with default scripts
nmap -sC 192.168.1.1
# Scan for vulnerabilities
nmap --script vuln 192.168.1.1
# Run a specific script
nmap --script ssh-brute 192.168.1.1
# Combine version detection + scripts
nmap -sV -sC 192.168.1.1
Output Options
# Normal output to a file
nmap -oN scan_results.txt 192.168.1.0/24
# XML output (for import into other tools)
nmap -oX scan_results.xml 192.168.1.0/24
# All output formats at once
nmap -oA scan_results 192.168.1.0/24
# Grep-friendly output
nmap -oG scan_results.gnmap 192.168.1.0/24
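The grepable (-oG) format above is meant to be consumed by other tools. As an added example (not from the original post), the following parser turns a .gnmap file into structured records, lists the open ports, and flags ports that are open in a new scan but were not in an earlier baseline, which is the core of a recurring network audit. The SAMPLE text is constructed to mirror what Nmap writes for two hosts.

```python
from collections import namedtuple

PortInfo = namedtuple("PortInfo", "port state proto service version")

# Constructed sample of what 'nmap -sV -oG scan_results.gnmap 192.168.1.0/24' writes (tab-separated fields).
SAMPLE = (
    "# Nmap 7.94 scan initiated as: nmap -sV -oG scan_results.gnmap 192.168.1.0/24\n"
    "Host: 192.168.1.1 ()\tStatus: Up\n"
    "Host: 192.168.1.1 ()\tPorts: 22/open/tcp//ssh//OpenSSH 9.2p1 Debian 2/, "
    "80/open/tcp//http//nginx 1.22.1/, 443/closed/tcp//https///\tIgnored State: filtered (997)\n"
    "Host: 192.168.1.10 (printer.lan)\tStatus: Up\n"
    "Host: 192.168.1.10 (printer.lan)\tPorts: 9100/open/tcp//jetdirect///\tIgnored State: closed (999)\n"
    "# Nmap done -- 256 IP addresses (2 hosts up) scanned in 60.00 seconds\n"
)

def parse_ports_field(field):
    """Entries are 'port/state/proto/owner/service/rpc/version/' (7 fields, trailing slash)."""
    ports = []
    for entry in field.split(", "):
        parts = entry.split("/", 6)  # maxsplit keeps any '/' inside the version text
        if len(parts) < 7:
            continue
        port, state, proto, _owner, service, _rpc, version = parts
        ports.append(PortInfo(int(port), state, proto, service, version.rstrip("/")))
    return ports

def parse_gnmap(text):
    """Return {ip: {"hostname": ..., "status": ..., "ports": [PortInfo, ...]}}."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # '# Nmap ...' header and footer lines carry no host data
        fields = line.split("\t")
        _, ip, hostname = fields[0].split(" ", 2)  # "Host: <ip> (<name>)"
        rec = hosts.setdefault(ip, {"hostname": hostname.strip("()"), "status": None, "ports": []})
        for f in fields[1:]:
            key, _, value = f.partition(": ")
            if key == "Status":
                rec["status"] = value
            elif key == "Ports":
                rec["ports"].extend(parse_ports_field(value))
    return hosts

def open_ports(hosts):
    """Flatten to sorted (ip, port, proto, service, version) tuples, open ports only."""
    return sorted((ip, p.port, p.proto, p.service, p.version)
                  for ip, rec in hosts.items() for p in rec["ports"] if p.state == "open")

def new_open_ports(baseline, current):
    """Audit helper: (ip, port, proto) triples open now that were not open in the baseline scan."""
    triples = lambda hosts: {(ip, port, proto) for ip, port, proto, _s, _v in open_ports(hosts)}
    return triples(current) - triples(baseline)
```

Point `parse_gnmap` at the contents of a real scan_results.gnmap and keep the parsed baseline so that later runs can be diffed with `new_open_ports`.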
Evasion Techniques
# Fragment packets
nmap -f 192.168.1.1
# Use a decoy
nmap -D RND:5 192.168.1.1
# Change the source port
nmap --source-port 53 192.168.1.1
# Slow down the scan (T0=paranoid to T5=insane)
nmap -T2 192.168.1.1
Practical Examples
Quick Local Network Audit
# Discover active hosts (ping scan)
nmap -sn 192.168.1.0/24
# Full scan of discovered hosts (root needed for -O), showing only open ports and saving all output formats
sudo nmap -sV -sC -O -p- --open 192.168.1.0/24 -oA full_audit
Web Server Verification
nmap -sV -sC -p 80,443,8080,8443 server.example.com
⚠️ Legal Disclaimer
Only use Nmap on systems you are authorized to scan. Unauthorized scanning of systems may be illegal in many countries. Always use Nmap ethically and responsibly.
Conclusion
Nmap is an indispensable tool for any security professional. Its flexibility and power make it the go-to tool for network reconnaissance. Take the time to master its options — it’s an investment that pays off quickly.