Nmap

nmap (Network Mapper) is an open-source tool used for network discovery and security auditing. It can be used to discover hosts and services on a computer network, thus creating a "map" of the network.

Warning: some of nmap's scripts are considered intrusive and can cause issues on production systems. Always have permission before scanning networks you do not own.

Basic Usage

nmap <IP>
# Basic scan of a single IP address

nmap -sn <IP>
# -sn: Ping scan - disable port scan (useful for active host, network discovery)

nmap -sC -sV -oN <file> <IP>
# -sC: Run default scripts - https://nmap.org/nsedoc/categories/default.html
# -sV: Probe open ports to determine service/version info
# -oN: Output scan to file

nmap -A -O -T4 --script=vuln <IP>
# -A : Enable OS detection, version detection, script scanning, and traceroute
# -T4: Aggressive timing for faster scan
# -O: Enable OS detection
# --script=vuln: Run vulnerability detection scripts

nmap -p- -sS -T4 <IP>
# -p-: Scan all 65535 ports
# -sS: TCP SYN (stealth) scan
# -T4: Faster scan

nmap -p 22,80,443 <IP>
# -p: Scan specific ports (22, 80, 443)

nmap -sU -sS -p 1-1000 <IP>
# -sU: UDP scan
# -sS: TCP SYN scan
# -p : Scan ports 1-1000

nmap -O --osscan-guess <IP>
# -O: OS detection
# --osscan-guess: Guess OS more aggressively

nmap -iL targets.txt -oA scan_results
# -iL targets.txt: Scan list of targets from file
# -oA scan_results: Output in all formats (normal, XML, grepable)

nmap -Pn -sV --top-ports 100 <IP>
# -Pn: Treat all hosts as online (skip host discovery)
# -sV: Service/version detection
# --top-ports 100: Scan top 100 most common ports

nmap -sV -sC -T4 --min-rate 5000 -p- <IP>
# -sV: Service/version detection
# -sC: Run default scripts
# -T4: Aggressive timing for faster scan
# --min-rate 5000: Send packets no slower than 5000 per second
# -p-: Scan all ports

Options Summary

Options are case-sensitive. Use -h to see the help page. The latest version is available at nmap.usage.txt.

TARGET SPECIFICATION
# Can pass hostnames, IP addresses, networks, etc.
# Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
-iL <inputfilename> # Input from list of hosts/networks
-iR <num hosts> # Choose random targets
--exclude <host1[,host2][,host3],...> # Exclude hosts/networks
--excludefile <exclude_file> # Exclude list from file

Example:
nmap 10.10.20.1
nmap scanme.nmap.org # you have permission to scan this host
nmap 10.10.10.1 10.10.10.2 10.10.10.3
nmap 10.10.10.1,2,3 # Scan multiple IPs
nmap 10.10.10.1-50 # Range of IPs
nmap 10.10.10.0/24 # CIDR notation
nmap 10.10.10.0/24 -iR 5 # Randomly choose 5 hosts from the specified network
nmap 192.168.0.0/24 --exclude 192.168.0.2 # Exclude a specific host
HOST DISCOVERY
-sP # Ping Scan - disable port scan (deprecated alias of -sn, useful for host discovery)
-sL # List Scan - simply list targets to scan
-sn # Ping Scan - disable port scan
-Pn # Treat all hosts as online; skip host discovery
--dns-servers # serv1[,serv2],.. Specify custom DNS servers
--system-dns # Use OS's DNS resolver
--traceroute # Trace hop path to each host

Example:
nmap -sn --traceroute --dns-servers 8.8.8.8,1.1.1.1 192.168.1.0/24 # Host discovery only (no port scan), with traceroute and custom DNS servers
nmap -sL --system-dns 192.168.1.0/24 # List targets and reverse-resolve them with the OS resolver, without sending any probes
SCAN TYPES
-sT # TCP Connect scan (default when not running as root)
-sS # TCP SYN scan (stealth scan; default when running as root)
-sA # TCP ACK scan
-sW # TCP Window scan
-sM # TCP Maimon scan
-sU # UDP Scan
-sO # IP protocol scan
-sN/-sF/-sX # TCP Null, FIN, and Xmas scans, used to evade firewalls and packet filters. Microsoft Windows and many Cisco devices respond with a RST to any malformed TCP packet, so these scans cannot tell open from closed ports on them
PORT SPECIFICATION AND SCAN ORDER
-p- # Scan all TCP ports from 1 to 65535 (port 0 is excluded unless requested explicitly with -p0-)
-p <port ranges> # Only scan specified ports: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080,S:9
-F # Fast mode - Scan fewer ports than the default scan
-r # Scan ports sequentially - don't randomize
--top-ports <number> # Scan <number> most common ports
--exclude-ports <port ranges> # Exclude specified ports from scanning

Example:
nmap -p 22,80,443 192.168.1.10 # Scan only ports 22, 80, and 443 on the target
nmap -p 1-1000 10.0.0.5 # Scan ports 1 through 1000
nmap -p U:53,111,137,T:21-25,80,139,8080 192.168.1.15 # Scan UDP ports 53, 111, 137 and TCP ports 21-25, 80, 139, 8080
SERVICE VERSION DETECTION
-sV # Enables service/version detection, what version of the service is running on the port
SCRIPT SCAN
-sC # Runs the default script set (equivalent to --script=default)
--script=<scripts> # Comma-separated list of scripts or categories to run (e.g. --script=vuln)
--script-args-file=<filename> # Provide NSE script args in a file
--script-trace # Show all data sent and received
--script-updatedb # Update the script database

Example:
nmap --script "default,vuln,auth,brute,discovery,exploit" -p 1-1000 <IP>
OS DETECTION
-O             # Enable OS detection
--osscan-limit # Limit OS detection to promising targets
--osscan-guess # Guess OS more aggressively
--fuzzy        # Same as --osscan-guess

Example:
nmap -O --osscan-limit --osscan-guess 192.168.1.1
TIMING AND PERFORMANCE
--max-retries <tries> # Caps number of port scan probe retransmissions.
--host-timeout <time> # Give up on target after this long
--min-rate <number> # Send packets no slower than <number> per second
--max-rate <number> # Send packets no faster than <number> per second
--scan-delay/--max-scan-delay <time> # Adjust delay between probes

Example:
nmap -T4 --max-retries 2 --host-timeout 30s --min-rate 1000 --max-rate 5000 <IP>
FIREWALL/IDS EVASION AND SPOOFING
-f; --mtu <val> # fragment packets (optionally w/given MTU)
-S <IP_Address> # Spoof source IP address
-e <iface> # Use specified interface
--badsum # Send packets with a bogus TCP/UDP/SCTP checksum
--ttl <val> # Set the IP time-to-live field
-D <decoy1,decoy2,...> # Decoy scan using specified decoy IPs
--data-length <number> # Append random data to sent packets
--spoof-mac <mac address> # Spoof the MAC address of the interface
--proxies <proxy1,proxy2,...> # Use specified proxies for the scan

Example:
nmap -f --mtu 8 -S 192.0.2.123 -e eth0 --badsum 192.168.1.100
nmap -D 10.10.10.44,10.10.10.12,10.10.10.15 10.10.10.5 # Decoy scan: the target sees probes from the decoys as well as from the real source
OUTPUT
-oN/-oX/-oS/-oG <file> # Output scan
-v # Increase verbosity level (use -vv or more for greater effect)
-d # Increase debugging level (use -dd or more for greater effect)
--reason # Display the reason a port is in a particular state
--open # Only show open (or possibly open) ports
--iflist # Print host interfaces and routes (for debugging)
--packet-trace # Show all packets sent and received
--append-output # Append to rather than clobber specified output files

Example:
nmap -oN scan_results.txt -oX scan_results.xml -oG scan_results.gnmap <IP> # Same scan written in normal, XML and grepable formats
MISCELLANEOUS
-A # Aggressive Scan. Enables OS detection "-O", version detection "-sV", script scanning "-sC", and traceroute "--traceroute"
-V # Print version number
-h # Print this help summary page.
-d # Increase debugging level (use -dd or more for greater effect)
-v # Increase verbosity level (use -vv, -vvv or more for greater effect)

Ping Sweep

A ping sweep is a network scanning technique that identifies active devices on a network by pinging a range of IP addresses. Compared to other methods, a ping sweep can be harder to detect because it is less aggressive and skips the regular port-scan stages. With -sn, nmap disables port scanning and relies only on ICMP echo requests (or ARP requests on local networks) to check whether hosts are up.

nmap -sn 192.168.1.0/24
or
nmap -sn 192.168.1.1-254

Port States

Nmap categorizes ports into several states based on the responses received during the scan.

State            Description
Open             Port is open and accepting connections
Closed           Port is closed; no application is listening on it
Filtered         Port is filtered by a firewall or packet filter, preventing nmap from determining its state
Unfiltered       Port is reachable but nmap cannot determine if it is open or closed
Open/Filtered    Port is either open or filtered; nmap cannot determine which
Closed/Filtered  Port is either closed or filtered; nmap cannot determine which
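As an added example (not code from the original page), a small Python parser for nmap's grepable (-oG) output that reduces a scan to the port states listed above; the .gnmap sample is constructed here, not taken from a real scan.

```python
import re
from collections import Counter

# Constructed sample of nmap grepable (-oG) output; not taken from a real scan.
SAMPLE_GNMAP = (
    "# Nmap 7.94 scan initiated as: nmap -sS -sU -sV -oG scan_results.gnmap 192.168.1.10\n"
    "Host: 192.168.1.10 ()\tStatus: Up\n"
    "Host: 192.168.1.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, "
    "80/open/tcp//http//nginx 1.18.0/, 443/filtered/tcp//https///, "
    "53/open|filtered/udp//domain///, 8080/closed/tcp//http-proxy///"
    "\tIgnored State: closed (995)\n"
    "# Nmap done at Mon Jan  1 00:00:00 2024 -- 1 IP address (1 host up) scanned\n"
)

# One port entry in the Ports field: port/state/proto/owner/service/rpc_info/version/
PORT_RE = re.compile(r"(\d+)/([^/]+)/(tcp|udp|sctp)/[^/]*/([^/]*)/[^/]*/([^/]*)/")

def parse_gnmap(text):
    """Return (host, port, proto, state, service, version) tuples for every port listed."""
    results = []
    for line in text.splitlines():
        if not line.startswith("Host:") or "\tPorts:" not in line:
            continue  # comment lines and Status-only lines carry no port data
        host = line.split()[1]
        ports_field = line.split("\tPorts:", 1)[1].split("\t", 1)[0]
        for port, state, proto, service, version in PORT_RE.findall(ports_field):
            results.append((host, int(port), proto, state, service, version.strip()))
    return results

def count_states(results):
    """Ports per state; open|filtered stays a separate bucket, as nmap reports it."""
    return Counter(r[3] for r in results)

def open_services(results):
    """Ports nmap is sure are open, the ones a defender has to account for first."""
    return [(r[1], r[2], r[4], r[5]) for r in results if r[3] == "open"]

if __name__ == "__main__":
    parsed = parse_gnmap(SAMPLE_GNMAP)
    print(dict(count_states(parsed)))
    for port, proto, service, version in open_services(parsed):
        print(f"{port}/{proto} {service} {version}")
```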

Timing Templates

Nmap provides timing templates to control the speed and stealthiness of scans. The templates range from 0 (paranoid) to 5 (insane). The default is 3 (normal).

nmap -T0 <IP> # Paranoid   - Serial, very slow scan
nmap -T1 <IP> # Sneaky     - Slow scan, good for avoiding detection
nmap -T2 <IP> # Polite     - Slows down the scan to use less bandwidth and target machine resources
nmap -T3 <IP> # Normal     - Default scan speed
nmap -T4 <IP> # Aggressive - Faster scan, good for most cases
nmap -T5 <IP> # Insane     - Very fast scan, can overwhelm networks and devices

Understanding Network Traffic

A TCP Connect scan works by performing the full three-way handshake (SYN -> SYN-ACK -> ACK) with each target port. Nmap tries to connect to each specified TCP port and determines whether the port is OPEN, CLOSED, or FILTERED from the response received.

With root (sudo) privileges, nmap defaults to -sS (SYN scan); without them it falls back to -sT (TCP Connect scan).

Info: RFC 9293 states that: "If the connection is CLOSED or doesn't exist, then a RST is sent in response."

  • If the port is OPEN, the target responds with a SYN-ACK packet, indicating that it is ready to establish a connection.
  • If the port is OPEN but behind a firewall, the target may not respond at all, or it may respond with an ICMP unreachable message; nmap then reports the port as filtered.
  • Browser: When accessing a web page, the browser initiates a full TCP connection to the server. This involves a three-way handshake (SYN, SYN-ACK, ACK) to establish the connection before sending HTTP requests.

  • nmap -sT (TCP Connect Scan) - Default without sudo:

    • Uses the full TCP handshake (SYN -> SYN-ACK -> ACK) for each target port
    • This method is more easily detected by logging systems and firewalls
    • Slower than SYN scans because it completes the full handshake
  • nmap -sS (Stealth Scanning, TCP SYN Scan or "half-open" scan) - Requires sudo:

    • Sends a SYN packet and expects a SYN-ACK if the port is open, but never completes the TCP handshake (sends RST instead of ACK), known as a "half-open" scan
    • Considered stealthier than -sT because it avoids full connection establishment
    • Faster than -sT because it does not wait for the full handshake to complete
    • Requires root privileges to send raw packets
    • ⚠️ Not invisible! Modern IDS/IPS (e.g. Snort, Suricata, Zeek) can still detect SYN scans via:
      • Unfinished handshakes (SYN → SYN-ACK → RST)
      • High-frequency or patterned SYN probes
      • "Low and slow" techniques that still show atypical behavior

To do: Add Wireshark example of TCP SYN scan and TCP Connect scan.

Advanced Scanning Techniques

Understanding NSE Scripts

Nmap's NSE (Nmap Scripting Engine) lets users run NSE scripts to automate tasks such as vulnerability detection, service discovery, exploitation and more.

Category    Description
Default     Run with -sC; safe and fast info-gathering
Safe        Won't affect the target; non-intrusive, safe for production
Intrusive   Not safe: likely to affect the target, may crash services, heavy scanning
Vuln        Scan for vulnerabilities
Exploit     Attempt to exploit a vulnerability or known bugs (rare and risky)
Auth        Attempt to bypass authentication for running services (e.g. log into an FTP server anonymously, brute force, bypass)
Brute       Attempt to brute-force credentials for running services
Discovery   Attempt to query running services for further information about the network (e.g. query an SNMP server, HTTP headers)

# Runs only scripts from category "vuln" which target an active service, in this case only vulnerability detection scripts against ports 80 and 443 on the target.
nmap --script=vuln -p 80,443 192.168.100.1

References

Tools

  • nmap Automator - A script that automates the process of enumeration and scanning with nmap.