What Is Nmap?
Nmap (Network Mapper) is a free, open-source tool used for network discovery and security auditing. It's been a staple in every security professional's toolkit for decades — used by pen testers, network admins, and defenders alike. Understanding Nmap is non-negotiable if you're serious about cybersecurity.
Important: Only scan networks and systems you own or have explicit written permission to test. Unauthorized scanning may be illegal in your jurisdiction.
Installing Nmap
Nmap is pre-installed on Kali Linux. For other platforms:
- Linux (Debian/Ubuntu): sudo apt install nmap
- macOS: brew install nmap
- Windows: Download the installer from nmap.org — includes the Zenmap GUI.
Core Scan Types
| Scan Type | Command Flag | Use Case |
|---|---|---|
| TCP SYN Scan (Stealth) | -sS | Fast, default for root users; less likely to be logged |
| TCP Connect Scan | -sT | Full 3-way handshake; used without root privileges |
| UDP Scan | -sU | Discovers UDP services (DNS, SNMP, DHCP) |
| Version Detection | -sV | Identifies service versions running on open ports |
| OS Detection | -O | Attempts to fingerprint the target's operating system |
| Script Scan | -sC | Runs default NSE scripts for common vulnerabilities |
Essential Nmap Commands
Basic Host Discovery
Check if hosts are up without port scanning:
nmap -sn 192.168.1.0/24
Scan Specific Ports
nmap -p 22,80,443 192.168.1.1
Scan all 65,535 ports:
nmap -p- 192.168.1.1
Aggressive Scan (All-in-One)
nmap -A 192.168.1.1
Enables OS detection, version detection, script scanning, and traceroute. Noisy — use in authorized environments only.
Save Output to File
nmap -oN output.txt 192.168.1.1 — normal format
nmap -oX output.xml 192.168.1.1 — XML format (great for importing into other tools)
Nmap Scripting Engine (NSE)
NSE is one of Nmap's most powerful features. Scripts are categorized by purpose:
- auth: Test default credentials on services.
- vuln: Check for known vulnerabilities. Try nmap --script vuln 192.168.1.1
- brute: Brute-force login attempts (use with extreme caution and proper authorization).
- discovery: Gather more information about the target.
Timing Templates
Control scan speed with -T0 (slowest/stealthiest) to -T5 (fastest/noisiest). For lab environments, -T4 is a good balance of speed and reliability. For real assessments, consider -T2 or -T3 to avoid triggering IDS alerts.
Practical Tip: Combine Flags
A solid starting scan for a pen test target:
nmap -sS -sV -sC -O -p- --open -T4 -oN full_scan.txt 192.168.1.1
This gives you open ports, service versions, default scripts, and OS detection in one pass — saved to a file for your report.
Going Deeper
Nmap's official documentation at nmap.org is excellent and comprehensive. Once you're comfortable with the basics, explore the NSE script library and practice on platforms like Hack The Box or TryHackMe where you can legally run scans against intentionally vulnerable machines.