What Is Nmap?

Nmap (Network Mapper) is a free, open-source tool used for network discovery, port scanning, service detection, and security auditing. Originally released in 1997, it remains the most widely used network scanning tool in cybersecurity — relied on by penetration testers, sysadmins, and network engineers worldwide.

Nmap works by sending crafted packets to target hosts and analyzing the responses to determine which hosts are up, which ports are open, what services are running, and even what operating system is in use. It runs on Linux, Windows, and macOS, and its functionality can be extended with the Nmap Scripting Engine (NSE).

Important: Only scan networks and systems you own or have explicit written permission to test. Unauthorized scanning is illegal in most jurisdictions.

Installation

Nmap comes pre-installed on Kali Linux and Parrot OS. For other systems:

  • Debian/Ubuntu: sudo apt install nmap
  • macOS (Homebrew): brew install nmap
  • Windows: Download the installer from nmap.org

Basic Scan Types

Host Discovery (Ping Scan)

Before scanning ports, identify which hosts are online:

nmap -sn 192.168.1.0/24

This sends ICMP echo requests and ARP requests (on local networks) to discover live hosts without scanning ports. Useful for quickly mapping a network.

Default Scan

nmap 192.168.1.1

Scans the 1,000 most common TCP ports on a single host. A good starting point for most assessments.

SYN Scan (Stealth Scan)

sudo nmap -sS 192.168.1.1

The most popular scan type. Sends SYN packets but never completes the TCP handshake, making it faster and less likely to appear in application logs. Requires root/administrator privileges.

UDP Scan

sudo nmap -sU 192.168.1.1

Scans UDP ports — slower than TCP scans but essential, since many critical services (DNS, SNMP, DHCP) run over UDP and are often overlooked.

Service and Version Detection

nmap -sV 192.168.1.1

Probes open ports to determine the specific service name and version number. This is critical for identifying outdated or vulnerable software. For example, discovering Apache httpd 2.2.14 immediately flags a potentially exploitable target.

OS Detection

sudo nmap -O 192.168.1.1

Analyzes TCP/IP stack fingerprints to guess the target's operating system and version. Accuracy depends on having at least one open and one closed port visible.

Aggressive Scan

sudo nmap -A 192.168.1.1

Enables OS detection (-O), version detection (-sV), script scanning (-sC), and traceroute all at once. Very noisy — ideal for lab environments, not stealth-required engagements.

The Nmap Scripting Engine (NSE)

NSE allows Nmap to run automated scripts against discovered services. Scripts are categorized by type:

  • default: Safe, commonly useful scripts run with -sC
  • vuln: Check for known vulnerabilities
  • auth: Test authentication bypass or default credentials
  • brute: Brute-force login services
  • discovery: Gather additional information about services

Example — scan for SMB vulnerabilities (like EternalBlue):

nmap --script smb-vuln-ms17-010 -p 445 192.168.1.1

Useful Nmap Flags Reference

Flag              Description
-p 80,443         Scan specific ports
-p-               Scan all 65,535 ports
-T4               Faster timing (T0=paranoid, T5=insane)
-oN output.txt    Save output in normal format
-oX output.xml    Save output in XML format
-v                Verbose output
--open            Only show open ports
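As an added example (not code from the original article or from the Nmap project), here is a small Python script that parses the XML written by -oX after a -sV scan and diffs the open ports against an allowlist, so a repeat scan of your own network flags any service that was not expected. The sample XML is constructed inline, and the function names parse_open_ports and unexpected_ports are this example's own.

```python
import xml.etree.ElementTree as ET

# Constructed sample of "nmap -sV -oX" output (not a real scan); the element
# layout (nmaprun/host/ports/port/state/service) matches what Nmap writes.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 192.168.1.1" version="7.94">
 <host><status state="up" reason="arp-response"/>
  <address addr="192.168.1.1" addrtype="ipv4"/>
  <ports><extraports state="closed" count="996"/>
   <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
    <service name="ssh" product="OpenSSH" version="8.9p1" conf="10"/></port>
   <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
    <service name="http" product="Apache httpd" version="2.2.14" conf="10"/></port>
   <port protocol="tcp" portid="443"><state state="filtered" reason="no-response"/>
    <service name="https" conf="3"/></port>
   <port protocol="tcp" portid="8080"><state state="open" reason="syn-ack"/>
    <service name="http-proxy" conf="3"/></port>
  </ports></host>
</nmaprun>"""

def parse_open_ports(xml_text):
    """Map each IPv4 host to its open ports as (port, proto, name, product, version)."""
    results = {}
    for host in ET.fromstring(xml_text).findall("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue  # IPv6-only or MAC-only entries are skipped in this example
        entries = []
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed and filtered ports are not part of the exposure
            svc = port.find("service")  # may be absent if -sV was not used
            get = (lambda k: svc.get(k, "")) if svc is not None else (lambda k: "")
            entries.append((int(port.get("portid")), port.get("protocol"),
                            get("name"), get("product"), get("version")))
        results[addr.get("addr")] = entries
    return results

def unexpected_ports(results, baseline):
    """Return open ports missing from the allowlist {ip: {(port, proto), ...}}."""
    findings = {}
    for ip, entries in results.items():
        extra = [e for e in entries if (e[0], e[1]) not in baseline.get(ip, set())]
        if extra:
            findings[ip] = extra
    return findings
```

With the constructed sample, port 8080 is reported as unexpected when the allowlist for 192.168.1.1 contains only 22/tcp and 80/tcp; the filtered 443 is ignored because it is not open.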

Mastering Nmap is a fundamental milestone in any security professional's toolkit. Practice it in home lab environments and on platforms like TryHackMe and Hack The Box to build intuition for interpreting scan results in real-world contexts.