What Is Nmap?
Nmap (Network Mapper) is a free, open-source tool used for network discovery, port scanning, service detection, OS fingerprinting, and vulnerability scanning. Originally released by Gordon "Fyodor" Lyon in 1997, it remains the single most important tool in any security professional's toolkit over two decades later.
Nmap works by sending raw packets to target hosts and analyzing the responses to determine what's alive, what ports are open, and what software is running. It's available on Linux, Windows, and macOS.
Core Nmap Scan Types
TCP SYN Scan (Stealth Scan)
The default scan type when run as root/administrator. It sends a SYN packet and waits for a response without completing the TCP handshake — making it faster and less likely to appear in application logs.
nmap -sS 192.168.1.0/24
TCP Connect Scan
Completes the full TCP handshake. Used when SYN scan isn't available (no root privileges). Slower and more detectable, but more reliable in some environments.
nmap -sT 192.168.1.100
UDP Scan
Often overlooked, UDP services like DNS (53), SNMP (161), and DHCP (67/68) can expose serious vulnerabilities. UDP scanning is slower because there's no handshake to confirm a closed port.
nmap -sU -p 53,161,67 192.168.1.100
Essential Nmap Flags Every Pentester Should Know
| Flag | Description |
|---|---|
| -p- | Scan all 65,535 ports (default only scans top 1,000) |
| -sV | Version detection — identify service versions |
| -O | OS detection fingerprinting |
| -A | Aggressive mode: OS detection + version + scripts + traceroute |
| -T4 | Timing template (T0–T5); T4 is fast, T5 is fastest but noisy |
| -oN / -oX | Save output to normal text or XML file |
| --script | Run Nmap Scripting Engine (NSE) scripts |
| -Pn | Skip host discovery — treat all hosts as online |
Nmap Scripting Engine (NSE)
One of Nmap's most powerful features is its scripting engine, which ships with hundreds of built-in scripts for vulnerability detection, brute-forcing, and service enumeration.
Run all default scripts against a target:
nmap -sC 192.168.1.100
Run a specific script (e.g., check for SMB vulnerabilities):
nmap --script smb-vuln-ms17-010 192.168.1.100
Run all scripts in a category:
nmap --script vuln 192.168.1.100
Practical Scanning Workflow for a Pentest
- Host discovery: find live hosts before deep scanning:
nmap -sn 10.10.10.0/24
- Fast top-port scan: get quick results:
nmap -T4 --top-ports 1000 10.10.10.5
- Full port scan: find non-standard ports:
nmap -p- -T4 10.10.10.5
- Version & script scan on open ports:
nmap -sV -sC -p 22,80,443,8080 10.10.10.5
- Save results:
nmap -oA scan_results 10.10.10.5
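The steps above are normally chained by hand: the open ports found by the full scan are typed into the -sV -sC step. The script below is an added example, not from the original article, that automates that hand-off by parsing Nmap's grepable output (-oG); the sample output it parses is constructed, and the OUTDIR and TARGET variables are this example's own conventions.

```shell
#!/bin/sh
# Added example (not from the original article): shell glue for the workflow
# above. Host discovery and the full port scan are written in Nmap's grepable
# format (-oG); the parsers below turn them into input for the later steps.
set -eu

# Parse "-sn -oG" output: print one IP per line for every host reported Up.
live_hosts() {
  awk '/^Host:/ && /Status: Up/ { print $2 }'
}

# Parse "-p- -oG" output: print the open TCP/UDP ports as a comma list
# suitable for -p. Filtered and closed ports are left out.
open_ports() {
  grep -oE '[0-9]+/open/(tcp|udp)' | cut -d/ -f1 | sort -un | paste -sd, -
}

# Run the article's full-scan and service-scan steps against one target ($1),
# writing every stage into OUTDIR (default ./scan_results, this example's name).
scan_workflow() {
  target=$1; out=${OUTDIR:-scan_results}
  mkdir -p "$out"
  nmap -p- -T4 -oG "$out/full.gnmap" "$target" >/dev/null
  ports=$(open_ports < "$out/full.gnmap")
  [ -n "$ports" ] || { echo "no open ports found on $target"; return 0; }
  nmap -sV -sC -p "$ports" -oA "$out/services" "$target"
}

# Constructed sample grepable output (not real scan data) so the parsers can
# be exercised offline. Fields in -oG lines are tab-separated.
SAMPLE_HOSTS=$(printf 'Host: 10.10.10.5 ()\tStatus: Up\nHost: 10.10.10.6 ()\tStatus: Down\n')
SAMPLE_PORTS=$(printf 'Host: 10.10.10.5 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/filtered/tcp//https///, 8080/open/tcp//http-proxy///\tIgnored State: closed (65531)\n')

printf '%s\n' "$SAMPLE_HOSTS" | live_hosts   # 10.10.10.5
printf '%s\n' "$SAMPLE_PORTS" | open_ports   # 22,80,8080

# The live scan only runs when a target is given explicitly,
# e.g. TARGET=10.10.10.5 sh scan.sh
if [ -n "${TARGET:-}" ]; then
  scan_workflow "$TARGET"
fi
```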
Staying Stealthy: Avoiding Detection
In red team engagements, avoiding IDS/IPS detection matters. Techniques include:
- Using slow timing (-T1 or -T2) to avoid rate-based detection
- Fragmented packets with -f to confuse deep packet inspection
- Decoy scans with -D RND:10 to spoof source IPs alongside yours
- Specifying a source port (--source-port 53) to bypass simple firewall rules
Key Takeaways
- Nmap is essential for network discovery, port scanning, and service fingerprinting.
- Always use -p- for complete port coverage during pentests.
- NSE scripts dramatically expand Nmap's capability into vulnerability detection.
- Only scan networks and systems you are explicitly authorized to test.