Nmap
nmap (Network Mapper) is an open-source tool used for network discovery and security auditing. It can be used to discover hosts and services on a computer network, thus creating a "map" of the network.
Some of nmap's NSE scripts (the intrusive, brute, exploit and dos categories in particular) are considered intrusive and can crash or degrade services on production systems. Always have explicit permission before scanning networks you do not own.
Basic Usage
nmap <IP>
# Basic scan of a single IP address
nmap -sn <IP>
# -sn: Ping scan - disable port scan (useful for active host, network discovery)
nmap -sC -sV -oN <file> <IP>
# -sC: Run default scripts - https://nmap.org/nsedoc/categories/default.html
# -sV: Probe open ports to determine service/version info
# -oN: Output scan to file
nmap -A -O -T4 --script=vuln <IP>
# -A : Enable OS detection, version detection, script scanning, and traceroute
# -T4: Aggressive timing for faster scan
# -O: Enable OS detection (already implied by -A)
# --script=vuln: Run vulnerability detection scripts (some of these are intrusive)
nmap -p- -sS -T4 <IP>
# -p-: Scan all 65535 ports
# -sS: TCP SYN (stealth) scan
# -T4: Faster scan
nmap -p 22,80,443 <IP>
# -p: Scan specific ports (22, 80, 443)
nmap -sU -sS -p 1-1000 <IP>
# -sU: UDP scan
# -sS: TCP SYN scan
# -p : Scan ports 1-1000
nmap -O --osscan-guess <IP>
# -O: OS detection
# --osscan-guess: Guess OS more aggressively
nmap -iL targets.txt -oA scan_results
# -iL targets.txt: Scan list of targets from file
# -oA scan_results: Output in all formats (normal, XML, grepable)
nmap -Pn -sV --top-ports 100 <IP>
# -Pn: Treat all hosts as online (skip host discovery)
# -sV: Service/version detection
# --top-ports 100: Scan top 100 most common ports
nmap -sV -sC -T4 --min-rate 5000 -p- <IP>
# -sV: Service/version detection
# -sC: Run default scripts
# -T4: Aggressive timing for faster scan
# --min-rate 5000: Send at least 5000 packets per second (noisy; can drop results on slow or filtered networks)
# -p-: Scan all ports
Options Summary
Options are case-sensitive. Use -h to see the help page; the latest usage summary is available at nmap.usage.txt.
# Target specification: hostnames, IP addresses, networks, etc.
# Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
-iL <inputfilename> # Input from list of hosts/networks
-iR <num hosts> # Choose random targets
--exclude <host1[,host2][,host3],...> # Exclude hosts/networks
--excludefile <exclude_file> # Exclude list from file
Example:
nmap 10.10.20.1
nmap scanme.nmap.org # nmap.org permits scanning this host (within reason)
nmap 10.10.10.1 10.10.10.2 10.10.10.3
nmap 10.10.10.1,2,3 # Scan multiple IPs
nmap 10.10.10.1-50 # Range of IPs
nmap 10.10.10.0/24 # CIDR notation
nmap -iR 5 # Scan 5 random Internet addresses; -iR does not sample from a network you specify
nmap 192.168.0.0/24 --exclude 192.168.0.2 # Exclude a specific host
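The target notation above (CIDR, octet ranges, comma lists, --exclude) is worth understanding precisely, because a typo in a range quietly scans hosts you did not intend to touch. The expander below is an added example written for this page, not nmap's own target parser; it handles IPv4 specs only, passes hostnames through untouched (no DNS), and the `expand_targets` helper and its `exclude` parameter are this example's own names.

```python
import ipaddress
from typing import Iterable, List


def _octet_values(field: str) -> List[int]:
    """Expand one dotted-quad field: '5', '1-50', '1,2,3', '0-255' or '-' (all)."""
    values: List[int] = []
    for part in field.split(","):
        if part == "-":
            lo, hi = 0, 255
        elif "-" in part:
            lo_s, hi_s = part.split("-", 1)
            lo = int(lo_s) if lo_s else 0
            hi = int(hi_s) if hi_s else 255
        else:
            lo = hi = int(part)
        if not 0 <= lo <= hi <= 255:
            raise ValueError(f"bad octet field: {field!r}")
        values.extend(range(lo, hi + 1))
    return values


def expand_target(spec: str) -> List[str]:
    """Expand one nmap-style IPv4 target spec into individual addresses.

    Handles plain addresses, CIDR (10.10.10.0/24), octet ranges and lists
    (10.10.10.1-50, 10.10.10.1,2,3, 10.0.0-255.1-254, 192.168.1.-) and a CIDR
    suffix on top of an octet-range spec.  Anything that is not a dotted quad
    (hostnames, IPv6) is returned unchanged: no DNS is done here.
    """
    base, _, prefix = spec.partition("/")
    fields = base.split(".")
    if len(fields) != 4 or not all(f and set(f) <= set("0123456789-,") for f in fields):
        return [spec]
    addrs = [
        f"{a}.{b}.{c}.{d}"
        for a in _octet_values(fields[0])
        for b in _octet_values(fields[1])
        for c in _octet_values(fields[2])
        for d in _octet_values(fields[3])
    ]
    if not prefix:
        return addrs
    # A CIDR suffix applies to every address the octet spec produced; each
    # distinct network is expanded once, network and broadcast addresses
    # included (a /24 yields 256 targets, as it does in nmap).
    out: List[str] = []
    seen = set()
    for addr in addrs:
        net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
        if net not in seen:
            seen.add(net)
            out.extend(str(h) for h in net)
    return out


def expand_targets(specs: Iterable[str], exclude: Iterable[str] = ()) -> List[str]:
    """Expand several specs and drop addresses matched by --exclude-style specs."""
    excluded = set()
    for ex in exclude:
        excluded.update(expand_target(ex))
    result: List[str] = []
    for spec in specs:
        result.extend(a for a in expand_target(spec) if a not in excluded)
    return result


if __name__ == "__main__":
    print(expand_targets(["10.10.10.1,2,3", "192.168.0.0/30"], exclude=["192.168.0.2"]))
```

Running a candidate target list through this before handing it to nmap is a cheap way to confirm the scope (and the count) matches the authorisation you actually have.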
-sn # Ping Scan - disable port scan (host discovery only)
-sP # Legacy alias for -sn, still accepted
-sL # List Scan - list targets (with reverse DNS lookups) without sending any probes to them
-Pn # Treat all hosts as online; skip host discovery
--dns-servers <serv1[,serv2],...> # Specify custom DNS servers for reverse resolution (not honored together with --system-dns)
--system-dns # Use the OS's DNS resolver instead of nmap's parallel resolver
--traceroute # Trace hop path to each host
Example:
nmap -sn --traceroute --dns-servers 8.8.8.8,1.1.1.1 192.168.1.0/24 # Host discovery plus traceroute, reverse-resolving via the given DNS servers
nmap -sL --system-dns 192.168.1.0/24 # Just list the targets and their reverse-DNS names using the OS resolver; nothing is sent to them
-sT # TCP Connect scan (default when run without root privileges)
-sS # TCP SYN scan (stealth / half-open scan; default when run as root)
-sA # TCP ACK scan
-sW # TCP Window scan
-sM # TCP Maimon scan
-sU # UDP Scan
-sO # IP protocol scan
-sN/-sF/-sX # TCP Null, FIN, and Xmas scans; can slip past some non-stateful firewalls and packet filters. Not usable against Microsoft Windows and many Cisco devices, which respond with a RST to these probes regardless of port state, so every port shows as closed
-p- # Scan all TCP ports 1-65535 (port 0 is excluded; use -p0- to include it)
-p <port ranges> # Only scan specified ports: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080,S:9
-F # Fast mode - Scan fewer ports than the default scan
-r # Scan ports sequentially - don't randomize
--top-ports <number> # Scan <number> most common ports
--exclude-ports <port ranges> # Exclude specified ports from scanning
Example:
nmap -p 22,80,443 192.168.1.10 # Scan only ports 22, 80, and 443 on the target
nmap -p 1-1000 10.0.0.5 # Scan ports 1 through 1000
nmap -p U:53,111,137,T:21-25,80,139,8080 192.168.1.15 # Scan UDP ports 53, 111, 137 and TCP ports 21-25, 80, 139, 8080
-sV # Service/version detection: identify the service and version running on each open port
-sC # Run the default NSE script set (equivalent to --script=default)
--script <scripts|categories|dirs> # Run the named NSE scripts or categories (comma-separated)
--script-args <n1=v1,[n2=v2,...]> # Provide arguments to NSE scripts
--script-args-file=<filename> # Provide NSE script args in a file
--script-trace # Show all data sent and received by scripts
--script-updatedb # Update the script database
Example:
nmap --script "default,vuln,auth,brute,discovery,exploit" -p 1-1000 <IP> # brute and exploit (and some vuln scripts) are intrusive: expect lockouts, log noise and possible crashes
-O # Enable OS detection
--osscan-limit # Limit OS detection to promising targets (at least one open and one closed TCP port found)
--osscan-guess; --fuzzy # Guess OS more aggressively when there is no exact fingerprint match (--fuzzy is an alias)
Example:
nmap -O --osscan-limit --osscan-guess 192.168.1.1
--max-retries <tries> # Caps number of port scan probe retransmissions.
--host-timeout <time> # Give up on target after this long
--min-rate <number> # Send packets no slower than <number> per second
--max-rate <number> # Send packets no faster than <number> per second
--scan-delay/--max-scan-delay <time> # Adjust delay between probes
Example:
nmap -T4 --max-retries 2 --host-timeout 30s --min-rate 1000 --max-rate 5000 <IP>
-f; --mtu <val> # fragment packets (optionally w/given MTU)
-S <IP_Address> # Spoof source IP address
-e <iface> # Use specified interface
--badsum # Send packets with a bogus TCP/UDP/SCTP checksum
--ttl <val> # Set the IP time-to-live field
-D <decoy1,decoy2,...> # Decoy scan using specified decoy IPs
--data-length <number> # Append random data to sent packets
--spoof-mac <mac address> # Spoof the MAC address of the interface
--proxies <proxy1,proxy2,...> # Use specified proxies for the scan
Example:
nmap -f 192.168.1.100 # Split probes into 8-byte fragments after the IP header
nmap --mtu 16 -e eth0 192.168.1.100 # Fragment with a custom MTU (must be a multiple of 8); do not combine with -f
nmap --badsum 192.168.1.100 # Real stacks drop bad-checksum probes, so any reply comes from a firewall/IDS in the path
nmap -S 192.0.2.123 -e eth0 -Pn 192.168.1.100 # Spoofed source: replies go to 192.0.2.123, so you will not see results
nmap -D 10.10.10.44,10.10.10.12,ME,10.10.10.15 10.10.10.5 # Decoy scan; ME marks where your real address sits in the decoy order
-oN/-oX/-oS/-oG <file> # Output scan
-v # Increase verbosity level (use -vv or more for greater effect)
-d # Increase debugging level (use -dd or more for greater effect)
--reason # Display the reason a port is in a particular state
--open # Only show open (or possibly open) ports
--iflist # Print host interfaces and routes (for debugging)
--packet-trace # Show all packets sent and received
--append-output # Append to rather than clobber specified output files
Example:
nmap -oN scan_results.txt -oX scan_results.xml -oG scan_results.gnmap <IP>
nmap -oA scan_results <IP> # Same three files (scan_results.nmap, .xml, .gnmap) in one option
-A # Aggressive Scan. Enables OS detection "-O", version detection "-sV", script scanning "-sC", and traceroute "--traceroute"
-V # Print version number
-h # Print this help summary page.
Ping Sweep
A ping sweep is a host-discovery technique that identifies active devices by probing a range of IP addresses. Compared to a port scan it generates far less traffic, since it sends only a handful of probes per host and skips the port-scan stage entirely, so it is less likely to trip rate-based alerts (though it is still visible to anyone watching the wire). With -sn, nmap disables port scanning and runs only host discovery: on the local Ethernet segment it uses ARP requests; for remote targets a privileged scan sends an ICMP echo request, a TCP SYN to port 443, a TCP ACK to port 80 and an ICMP timestamp request, while an unprivileged scan falls back to TCP connect attempts to ports 80 and 443.
nmap -sn 192.168.1.0/24
or
nmap -sn 192.168.1.1-254
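Whether the run was a -sn sweep like the ones above or a full port scan saved with -oX/-oA, the XML output is the form worth post-processing (the normal and grepable formats are for humans and one-liners). The parser below is an added example written for this page, not an nmap project tool; the embedded XML is a constructed sample trimmed to the elements the parser reads, and the `Host`/`Port` records and helper names are this example's own.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample of nmap -oX output, trimmed to the elements used below.
# It is not a real scan result.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -sU -oX - 192.168.1.0/30" start="0">
<host><status state="up" reason="arp-response"/>
<address addr="192.168.1.1" addrtype="ipv4"/>
<address addr="00:11:22:33:44:55" addrtype="mac"/>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh" product="OpenSSH" version="8.9p1"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http" product="nginx"/></port>
<port protocol="tcp" portid="443"><state state="filtered" reason="no-response"/></port>
<port protocol="udp" portid="53"><state state="open|filtered" reason="no-response"/><service name="domain"/></port>
</ports>
</host>
<host><status state="up" reason="echo-reply"/>
<address addr="192.168.1.2" addrtype="ipv4"/>
</host>
<host><status state="down" reason="no-response"/>
<address addr="192.168.1.3" addrtype="ipv4"/>
</host>
</nmaprun>
"""


@dataclass
class Port:
    protocol: str
    number: int
    state: str
    reason: str   # why nmap chose that state (syn-ack, no-response, ...)
    service: str  # "name product version", whatever -sV filled in


@dataclass
class Host:
    address: str
    status: str
    ports: List[Port] = field(default_factory=list)


def parse_nmap_xml(xml_text: str) -> List[Host]:
    """Parse nmap -oX output into Host records (IPv4/IPv6 address, status, ports)."""
    root = ET.fromstring(xml_text)
    hosts: List[Host] = []
    for h in root.findall("host"):
        status = h.find("status")
        addr = next(
            (a.get("addr") for a in h.findall("address") if a.get("addrtype") in ("ipv4", "ipv6")),
            "?",
        )
        host = Host(addr, status.get("state", "unknown") if status is not None else "unknown")
        for p in h.findall("./ports/port"):
            st = p.find("state")
            svc = p.find("service")
            service = ""
            if svc is not None:
                service = " ".join(
                    v for v in (svc.get("name"), svc.get("product"), svc.get("version")) if v
                )
            host.ports.append(
                Port(p.get("protocol"), int(p.get("portid")), st.get("state"), st.get("reason", ""), service)
            )
        hosts.append(host)
    return hosts


def live_hosts(hosts: List[Host]) -> List[str]:
    """Addresses nmap marked up; this is all a -sn sweep produces."""
    return [h.address for h in hosts if h.status == "up"]


def open_ports(hosts: List[Host], include_possible: bool = False) -> Dict[str, List[str]]:
    """Map host -> ['22/tcp', ...]; include_possible mirrors --open by adding open|filtered."""
    result: Dict[str, List[str]] = {}
    for h in hosts:
        found = [
            f"{p.number}/{p.protocol}"
            for p in h.ports
            if p.state == "open" or (include_possible and p.state.startswith("open"))
        ]
        if found:
            result[h.address] = found
    return result


def services(hosts: List[Host]) -> Dict[str, Dict[int, str]]:
    """Map host -> {port number: service string} for ports where -sV identified something."""
    return {h.address: {p.number: p.service for p in h.ports if p.service} for h in hosts if h.ports}


if __name__ == "__main__":
    parsed = parse_nmap_xml(SAMPLE_XML)
    print(live_hosts(parsed), open_ports(parsed, include_possible=True), services(parsed))
```

Keep the `reason` attribute: it is the same information `--reason` prints and tells you, per port, whether "filtered" came from silence or from an ICMP error, which changes how you interpret the result.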
Port States
Nmap categorizes ports into several states based on the responses (or lack of them) received during the scan. Which states can appear depends on the scan technique.
State | Description |
---|---|
Open | An application is accepting connections on the port (e.g. a SYN-ACK came back to a SYN probe) |
Closed | The port is reachable but no application is listening on it (a RST came back) |
Filtered | A firewall or packet filter is dropping the probe (no response, or an ICMP unreachable error), so nmap cannot determine whether anything is listening |
Unfiltered | The port is reachable but nmap cannot determine if it is open or closed; reported only by the ACK scan (-sA) |
Open/Filtered | The port is either open or filtered and nmap cannot tell which; typical of UDP, Null, FIN, Xmas and IP protocol scans, where an open port may give no response |
Closed/Filtered | The port is either closed or filtered and nmap cannot tell which; reported only by the IP ID idle scan (-sI) |
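The table above is easiest to internalise by seeing which probe/response pairs produce each state. The simulation below is an added example written for this page, not nmap's scan engine: a toy target with open and closed TCP/UDP ports behind a firewall that drops or rejects some of them, a `rfc_compliant` switch that models the Windows/Cisco habit of answering every odd TCP probe with a RST, and a scanner that maps each response to the state nmap would report for SYN, ACK, FIN/Null/Xmas and UDP scans. The class and function names are this example's own; the idle scan (closed|filtered) is not modelled.

```python
from typing import Dict, Iterable

# Possible responses from the simulated target to a single probe.
SYN_ACK = "syn-ack"
RST = "rst"
UDP_REPLY = "udp-response"
ICMP_PORT_UNREACH = "icmp type 3 code 3"    # port unreachable: closed UDP port
ICMP_ADMIN_PROHIB = "icmp type 3 code 13"   # administratively prohibited: firewall reject
NO_RESPONSE = "no-response"


class SimTarget:
    """A host with open/closed TCP and UDP ports behind a simple firewall (constructed model)."""

    def __init__(self, tcp_open: Iterable[int], udp_open: Iterable[int], udp_chatty: Iterable[int] = (),
                 fw_drop: Iterable[int] = (), fw_reject: Iterable[int] = (), rfc_compliant: bool = True):
        self.tcp_open, self.udp_open = set(tcp_open), set(udp_open)
        self.udp_chatty = set(udp_chatty)       # open UDP services that answer nmap's payload (e.g. DNS)
        self.fw_drop, self.fw_reject = set(fw_drop), set(fw_reject)
        self.rfc_compliant = rfc_compliant      # False: RST to FIN/Null/Xmas on every port (Windows, Cisco)

    def respond(self, proto: str, port: int, tcp_flags: str = "") -> str:
        if port in self.fw_drop:
            return NO_RESPONSE
        if port in self.fw_reject:
            return ICMP_ADMIN_PROHIB
        if proto == "udp":
            if port in self.udp_open:
                return UDP_REPLY if port in self.udp_chatty else NO_RESPONSE
            return ICMP_PORT_UNREACH
        if tcp_flags == "S":
            return SYN_ACK if port in self.tcp_open else RST
        if tcp_flags == "A":
            return RST                          # RFC 9293: an unexpected ACK gets a RST, open or closed
        if not self.rfc_compliant:
            return RST
        # FIN / Null / Xmas: an RFC-compliant stack silently drops them on open ports
        return NO_RESPONSE if port in self.tcp_open else RST


def infer_state(technique: str, response: str) -> str:
    """Map one probe response to the port state nmap would report for that scan type."""
    if technique == "syn":
        return {SYN_ACK: "open", RST: "closed"}.get(response, "filtered")
    if technique == "ack":
        return "unfiltered" if response == RST else "filtered"
    if technique in ("fin", "null", "xmas"):
        if response == RST:
            return "closed"
        return "open|filtered" if response == NO_RESPONSE else "filtered"
    if technique == "udp":
        return {UDP_REPLY: "open", ICMP_PORT_UNREACH: "closed", NO_RESPONSE: "open|filtered"}.get(response, "filtered")
    raise ValueError(f"unknown technique {technique!r}")


# probe sent per technique: (protocol, TCP flags)
PROBE = {"syn": ("tcp", "S"), "ack": ("tcp", "A"), "fin": ("tcp", "F"),
         "null": ("tcp", ""), "xmas": ("tcp", "FPU"), "udp": ("udp", "")}


def scan(target: SimTarget, technique: str, ports: Iterable[int]) -> Dict[int, str]:
    """Probe each port once and return {port: state}."""
    proto, flags = PROBE[technique]
    return {p: infer_state(technique, target.respond(proto, p, flags)) for p in ports}


if __name__ == "__main__":
    box = SimTarget(tcp_open={22, 80}, udp_open={53, 123}, udp_chatty={53}, fw_drop={443}, fw_reject={8080})
    for technique in ("syn", "ack", "fin", "udp"):
        print(technique, scan(box, technique, [22, 25, 53, 123, 161, 443, 8080]))
```

Two things the simulation makes concrete: a dropped port looks identical to an open one under a FIN scan (open|filtered), which is why -sS follows up with -sA or -sV when that state appears, and a silent UDP service is indistinguishable from a dropped one unless nmap's protocol-specific payload provokes a reply.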
Timing Templates
Nmap provides timing templates to control the speed and stealthiness of scans. The templates range from 0 (paranoid) to 5 (insane). The default is 3 (normal).
nmap -T0 <IP> # Paranoid - Serial, very slow scan
nmap -T1 <IP> # Sneaky - Slow scan, good for avoiding detection
nmap -T2 <IP> # Polite - Slows down scan to use less bandwidth and target machine resources
nmap -T3 <IP> # Normal - Default scan speed
nmap -T4 <IP> # Aggressive - Faster scan, good for most cases
nmap -T5 <IP> # Insane - Very fast scan; can overwhelm networks and devices and sacrifices accuracy (probes time out before slow hosts answer)
Understanding Network Traffic
A TCP Connect scan works by performing the full three-way handshake (SYN -> SYN-ACK -> ACK) with each target port. Nmap asks the operating system to connect to each specified TCP port and determines whether the port is OPEN, CLOSED, or FILTERED from the response received.
With root (sudo) privileges, nmap defaults to -sS (SYN scan).
Without root privileges, nmap defaults to -sT (TCP Connect scan), because raw packets cannot be sent.
RFC 9293 states that if the connection is CLOSED (does not exist), a RST is sent in response to any incoming segment other than a RST.
- If the port is OPEN, the target responds with a SYN-ACK packet, indicating that it is ready to establish a connection.
- If the port is CLOSED, the target responds with a RST.
- If a firewall sits in front of the port (open or not), the target may not respond at all, or an ICMP unreachable message may come back; nmap reports the port as FILTERED because it cannot tell whether anything is listening.
- Browser: when loading a web page, the browser initiates a full TCP connection to the server. The three-way handshake (SYN, SYN-ACK, ACK) completes before any HTTP request is sent.
- nmap -sT (TCP Connect Scan), default without sudo:
  - Uses the full TCP handshake (SYN -> SYN-ACK -> ACK) for each target port, then tears the connection down
  - More easily detected: the listening application sees an accepted connection, so it typically logs it, and firewalls see a completed session
  - Slower than a SYN scan because it completes the full handshake for every port
- nmap -sS (Stealth Scanning, TCP SYN Scan or "half-open" scan), requires sudo:
  - Sends a SYN packet and expects a SYN-ACK if the port is open, but never completes the handshake: a RST is sent instead of the final ACK, hence "half-open"
  - Considered stealthier than -sT because no connection is ever established, so the application never sees it and application logs stay empty
  - Faster than -sT because it does not wait for the handshake to complete
  - Requires root privileges to send raw packets
  - Warning: not invisible! Modern IDS/IPS (e.g. Snort, Suricata, Zeek) can still detect SYN scans via:
    - Unfinished handshakes (SYN -> SYN-ACK -> RST)
    - High-frequency or patterned SYN probes
    - "Low and slow" techniques that still show atypical behavior (one source touching many ports, never exchanging data)
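The detection side of the -sS versus -sT distinction above, as an added example written for this page (it is not Snort/Suricata/Zeek logic, just the same idea in a few dozen lines): packets are grouped into the connection their bare SYN started, each connection is classified by what the client did after the SYN-ACK (a RST means half-open, an ACK means a completed connect), and any source that touches many distinct ports inside a short window is flagged with the technique it used. The packet log is constructed sample traffic, and the `Pkt` record, `synth_scan` generator and thresholds are this example's own.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Pkt:
    """One TCP packet as a sensor would log it; flags is a subset of 'SAFRP'."""
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    flags: str


def group_flows(packets: List[Pkt]) -> Dict[Tuple[str, int, str, int], List[Pkt]]:
    """Group packets by the connection a bare SYN started (key: client, cport, server, sport)."""
    flows: Dict[Tuple[str, int, str, int], List[Pkt]] = {}
    for p in sorted(packets, key=lambda x: x.ts):
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if p.flags == "S":
            flows.setdefault(fwd, []).append(p)
        elif rev in flows:
            flows[rev].append(p)
        elif fwd in flows:
            flows[fwd].append(p)
        # packets with no preceding SYN (mid-stream) are ignored
    return flows


def classify_flow(pkts: List[Pkt]) -> str:
    """connect, half-open (RST after SYN-ACK), closed (server RST) or no-reply."""
    client = pkts[0].src
    saw_synack = False
    for p in pkts[1:]:
        if p.src != client:                       # server side
            if "S" in p.flags and "A" in p.flags:
                saw_synack = True
            elif "R" in p.flags and not saw_synack:
                return "closed"
        elif saw_synack:                          # client's reaction to the SYN-ACK
            if "R" in p.flags:
                return "half-open"
            if "A" in p.flags:
                return "connect"
    return "half-open" if saw_synack else "no-reply"


def detect_scans(packets: List[Pkt], min_ports: int = 10, window: float = 5.0) -> Dict[str, dict]:
    """Flag sources touching >= min_ports distinct ports within `window` seconds."""
    per_src: Dict[str, List[Tuple[float, int, str]]] = defaultdict(list)
    for (src, _, _, dport), pkts in group_flows(packets).items():
        per_src[src].append((pkts[0].ts, dport, classify_flow(pkts)))
    alerts: Dict[str, dict] = {}
    for src, flows in per_src.items():
        flows.sort()
        best, best_slice, j = 0, [], 0
        for i in range(len(flows)):               # sliding time window over first-packet times
            while j < len(flows) and flows[j][0] - flows[i][0] <= window:
                j += 1
            ports = {f[1] for f in flows[i:j]}
            if len(ports) > best:
                best, best_slice = len(ports), flows[i:j]
        if best < min_ports:
            continue
        # the technique is visible only on flows that reached an open port
        half = sum(1 for f in best_slice if f[2] == "half-open")
        full = sum(1 for f in best_slice if f[2] == "connect")
        technique = "half-open" if half and half >= full else "connect" if full else "unknown (no open port reached)"
        alerts[src] = {"distinct_ports": best, "technique": technique, "first_seen": best_slice[0][0]}
    return alerts


def synth_scan(src: str, dst: str, ports, open_ports, technique: str, t0: float, gap: float = 0.01) -> List[Pkt]:
    """Constructed traffic: one probe per port; only open ports answer SYN-ACK (sample data, not a capture)."""
    out: List[Pkt] = []
    t = t0
    for i, port in enumerate(ports):
        sp = 40000 + i
        out.append(Pkt(t, src, sp, dst, port, "S"))
        if port in open_ports:
            out.append(Pkt(t + 0.001, dst, port, src, sp, "SA"))
            if technique == "connect":
                out.append(Pkt(t + 0.002, src, sp, dst, port, "A"))   # -sT completes the handshake
                out.append(Pkt(t + 0.003, src, sp, dst, port, "R"))   # then tears it down
            else:
                out.append(Pkt(t + 0.002, src, sp, dst, port, "R"))   # -sS never completes it
        else:
            out.append(Pkt(t + 0.001, dst, port, src, sp, "RA"))      # closed port
        t += gap
    return out


SAMPLE = (
    synth_scan("10.0.0.9", "10.0.0.20", range(1, 25), {22}, "syn", t0=0.0)        # -sS of 24 ports
    + synth_scan("10.0.0.7", "10.0.0.20", range(20, 32), {22}, "connect", t0=10.0)  # -sT of 12 ports
    + [Pkt(20.0, "10.0.0.5", 51000, "10.0.0.20", 443, "S"),                          # a normal HTTPS client
       Pkt(20.001, "10.0.0.20", 443, "10.0.0.5", 51000, "SA"),
       Pkt(20.002, "10.0.0.5", 51000, "10.0.0.20", 443, "A"),
       Pkt(20.010, "10.0.0.5", 51000, "10.0.0.20", 443, "PA")]
)

if __name__ == "__main__":
    print(detect_scans(SAMPLE))
```

Note what the detector does not rely on: the SYN flag itself. Both scanners and browsers send SYNs; what separates them is breadth (many ports from one source) and, once an open port is hit, whether the client ever finishes the handshake. Slowing the scan below `window` defeats this particular counter, which is the "low and slow" trade-off the text mentions, at the cost of a scan that takes hours.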
To do: Add Wireshark example of TCP SYN scan and TCP Connect scan.
Advanced Scanning Techniques
Understanding NSE Scripts
Nmap's NSE (Nmap Scripting Engine) lets users run Lua scripts that automate tasks such as vulnerability detection, service discovery, credential checks and, in a few cases, exploitation.
Category | Description |
---|---|
Default | Run with -sC; fast, generally safe information gathering, though a few default scripts can be noisy |
Safe | Won't affect the target, non-intrusive, safe for production |
Intrusive | Not safe: likely to affect the target, may crash services, heavy scanning |
Vuln | Check for specific known vulnerabilities and report them (several are intrusive) |
Exploit | Attempt to actively exploit a known vulnerability (rare and risky) |
Auth | Deal with authentication for running services (e.g. check for anonymous FTP login or credential bypasses); brute forcing belongs to Brute |
Brute | Attempt to brute force credentials for running services |
Discovery | Query running services for further information about the network (e.g. query an SNMP server, read HTTP headers) |
# Runs only scripts from category "vuln" which target an active service, in this case only vulnerability detection scripts against ports 80 and 443 on the target.
nmap --script=vuln -p 80,443 192.168.100.1
References
- Official Nmap Guide to Network Discovery
- Nmap Scripting Engine (NSE) default scripts
- Try Hack Me - Nmap Room
- Try Hack Me - Further Nmap Room
- Nmap Cheat Sheet by StationX
- Nmap scan techniques explained by Recorded Future
- Nmap basics for capture the flag (CTF) by Sagar Chamling
- Nmap by Codecademy
- Getting started with nmap by ittavern
- Port Scanning by d00mfist
- TryHackMe: Nmap Advanced Port Scans
Tools
- nmap Automator - A script that automates the enumeration and scanning workflow around nmap.