Nmap (Network Mapper) is a powerful open-source tool for network discovery and security auditing. This comprehensive guide will take you from a complete beginner to an advanced user capable of performing sophisticated network reconnaissance and enumeration.

Before anything else: Nmap, like any network scanner, may only be used against hosts and networks you own or have explicit written permission to test. Everything that follows assumes that authorisation is in place.

Introduction

Nmap is an essential tool for network administrators, security professionals, and penetration testers. It allows users to:

  • Discover hosts on a network
  • Identify open ports and services
  • Determine service versions and operating systems
  • Probe firewall rules and, where the filtering allows it, evade firewalls and intrusion detection systems
  • Automate network scanning tasks

Key features of Nmap include:

  • Host discovery
  • Port scanning
  • Service and version detection
  • Operating system detection
  • Scriptable interaction with target services
  • Firewall/IDS evasion techniques

Installation

Nmap is available for most operating systems and is typically pre-installed on many security-focused distributions.

Ubuntu/Debian

sudo apt update
sudo apt install nmap

Arch Linux

sudo pacman -S nmap

Fedora

sudo dnf install nmap

macOS

# Using Homebrew
brew install nmap

Windows

Download the installer from nmap.org and follow the installation wizard. The installer also installs Npcap, which Nmap needs on Windows for raw-packet scan types such as -sS and for ARP-based host discovery; without it only connect scans (-sT) work.

Basic Host Discovery

Before scanning for open ports, we need to identify which hosts are online. This is known as host discovery or ping scanning.

Basic Network Scan

To discover all live hosts in a network range:

nmap 10.129.2.0/24 -sn -oG - | awk '/Up$/{print $2}'

Windows (PowerShell):

nmap 10.129.2.0/24 -sn -oG - |
  Select-String 'Up$' |
  ForEach-Object { ($_ -split '\s+')[1] }

This command:

  • Scans the 10.129.2.0/24 network range
  • Uses -sn to disable port scanning (only performs host discovery)
  • Outputs in grepable format (-oG -) for easy parsing
  • Prints only IPs of live hosts

Run it as root (as the later examples do with sudo): unprivileged, Nmap cannot send ARP or ICMP probes and falls back to a TCP connect() to ports 80 and 443, which misses hosts that block both.

Scanning from a List of Hosts

When provided with a list of IP addresses to test:

# Create a list of hosts
cat > hosts.lst << EOF
10.129.2.4
10.129.2.10
10.129.2.11
10.129.2.18
10.129.2.19
10.129.2.20
10.129.2.28
EOF

# Scan hosts from the list
sudo nmap -sn -oA tnet -iL hosts.lst | grep for | cut -d" " -f5

Scanning Specific IP Addresses

For scanning individual hosts or a range:

# Multiple specific IPs
sudo nmap -sn -oA tnet 10.129.2.18 10.129.2.19 10.129.2.20

# IP range (inclusive)
sudo nmap -sn -oA tnet 10.129.2.18-20
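Before handing Nmap a target list, it is worth expanding the expression and checking every address against the authorised scope, since a typo in a CIDR mask or an octet range can silently pull in hosts you have no permission to touch. The following Python script is an added example, not part of Nmap or the original page; the target expressions, the scope and the function names are illustrative.

```python
"""Expand Nmap-style target expressions and check them against an authorised scope.

Added example, not part of Nmap. It handles the three target forms shown
above (single IPv4 addresses, CIDR blocks and Nmap's per-octet ranges such
as 10.129.2.18-20 or 10.129.2.18,20); hostnames are deliberately left out.
"""
import ipaddress
from typing import Iterable, Iterator, List


def _octet_values(field: str) -> List[int]:
    """Expand one dotted-quad field: '18', '18-20', '18,20', '*' or '-' (0-255)."""
    values: List[int] = []
    for part in field.split(","):
        if part == "*":
            part = "-"
        if "-" in part:
            lo, hi = part.split("-", 1)
            low, high = (int(lo) if lo else 0), (int(hi) if hi else 255)
        else:
            low = high = int(part)
        if not 0 <= low <= high <= 255:
            raise ValueError(f"octet range out of bounds: {field!r}")
        values.extend(range(low, high + 1))
    return values


def expand_target(spec: str) -> Iterator[ipaddress.IPv4Address]:
    """Yield every IPv4 address covered by one Nmap target expression."""
    if "/" in spec:
        # CIDR block; strict=False mirrors Nmap, which accepts 10.129.2.5/24.
        yield from ipaddress.ip_network(spec, strict=False)
        return
    fields = spec.split(".")
    if len(fields) != 4:
        raise ValueError(f"not an IPv4 target expression: {spec!r}")
    a_vals, b_vals, c_vals, d_vals = (_octet_values(f) for f in fields)
    for a in a_vals:
        for b in b_vals:
            for c in c_vals:
                for d in d_vals:
                    yield ipaddress.IPv4Address(f"{a}.{b}.{c}.{d}")


def expand_targets(specs: Iterable[str]) -> List[ipaddress.IPv4Address]:
    """Expand a whole target list (what you would pass on the command line), de-duplicated and sorted."""
    return sorted({ip for spec in specs for ip in expand_target(spec)})


def out_of_scope(specs: Iterable[str], authorised: Iterable[str]) -> List[ipaddress.IPv4Address]:
    """Return the addresses in `specs` that fall outside every authorised CIDR block."""
    nets = [ipaddress.ip_network(n, strict=False) for n in authorised]
    return [ip for ip in expand_targets(specs) if not any(ip in net for net in nets)]


if __name__ == "__main__":
    # Hypothetical engagement: the client authorised 10.129.2.0/24 only.
    scope = ["10.129.2.0/24"]
    targets = ["10.129.2.18-20", "10.129.2.28", "10.129.3.1"]
    stray = out_of_scope(targets, scope)
    print(f"{len(expand_targets(targets))} targets, {len(stray)} outside scope: {stray}")
```

Refuse to start the scan if out_of_scope returns anything; the CIDR expansion deliberately includes the network and broadcast addresses, because Nmap probes those too.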

Single Host Discovery

To check if a specific host is alive:

sudo nmap 10.129.2.18 -sn -oA host

Understanding Nmap’s Default Behavior

Nmap chooses its host-discovery probes according to where the target sits. For hosts on the local Ethernet segment it sends ARP requests, which every IP host must answer even when it drops ICMP. For hosts behind a router the privileged default is an ICMP echo request, a TCP SYN to port 443, a TCP ACK to port 80 and an ICMP timestamp request; a reply to any one of them marks the host as up. --packet-trace prints every packet sent and received, so you can see which probe got the answer, and --reason states it in the summary.

# Default behavior (ARP on the local network, ICMP/TCP probes beyond it)
sudo nmap 10.129.2.18 -sn -oA host --packet-trace

# Force ICMP echo requests only, even on the local network
sudo nmap 10.129.2.18 -sn -oA host -PE --packet-trace --disable-arp-ping

Port Scanning Fundamentals

After identifying live hosts, the next step is to determine which ports are open and what services are running on them.

Understanding Port States

Nmap categorizes ports into six states:

  • open: An application is accepting TCP connections or UDP datagrams on the port
  • closed: The port is reachable (a RST or an ICMP port-unreachable came back) but nothing is listening on it
  • filtered: A packet filter is dropping or rejecting Nmap’s probes, so it cannot tell whether the port is open; this state costs the most time because Nmap retransmits
  • unfiltered: The port is reachable but Nmap cannot tell open from closed; only ACK scans (-sA) produce this state
  • open|filtered: Either open or filtered; typical of UDP and of scans (NULL, FIN, Xmas) where an open port sends no reply
  • closed|filtered: Either closed or filtered; only the IP ID idle scan (-sI) produces this state

Basic Port Scanning

Default Scan Behavior

Nmap’s default scan type depends on your privileges, because a SYN scan needs raw sockets:

  • Root user: SYN scan (-sS), which never completes the handshake
  • Non-root user: TCP connect scan (-sT), which uses the OS connect() call

Either way the default port set is the 1,000 most common TCP ports; --top-ports limits it further and -p- covers all 65,535.

# Scan top 10 ports
sudo nmap 10.129.2.28 --top-ports=10

TCP Connect Scan

A connect scan completes the three-way handshake through the OS connect() call, so it needs no raw-socket privileges. Each connection is fully established and then closed, which is the “polite” behaviour towards the service, but the service also logs the connection, so it is more visible than a SYN scan:

sudo nmap 10.129.2.28 -p 443 -sT --reason

Handling Filtered Ports

A filtered result means the probe was either silently dropped or answered with an ICMP error; --packet-trace shows which, and --reason prints it in the summary. Nmap retransmits dropped probes several times before giving up, so filtered ports also slow the scan down:

# No response (likely dropped)
sudo nmap 10.129.2.28 -p 139 -n -Pn --packet-trace

# ICMP error (actively rejected)
sudo nmap 10.129.2.28 -p 445 -n -Pn --packet-trace

UDP Scanning

UDP is connectionless, so there is no handshake to observe: an open UDP port usually ignores an empty probe, and Nmap has to report no reply as open|filtered. Only an ICMP port-unreachable proves a port closed, and most hosts rate-limit those errors (Linux to about one per second), which makes full UDP scans very slow. Nmap sends protocol-specific payloads to well-known UDP ports (DNS, SNMP, NTP) to coax a response, and adding -sV helps further:

# Basic UDP scan
sudo nmap 10.129.2.28 -F -sU

# Confirming closed UDP port
sudo nmap 10.129.2.28 -sU -p 100 --packet-trace --reason
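The port states above are Nmap’s conclusions from the raw packet exchange that --packet-trace prints. The Python script below is an added example (not Nmap’s code) that replays such a trace and applies the same decision rules for SYN, ACK and UDP probes, which is also why it produces the unfiltered and open|filtered states alongside the common three. The trace lines are constructed in the layout --packet-trace uses, with invented timestamps, IP IDs and sequence numbers; the reason strings are the ones --reason prints.

```python
"""Replay Nmap --packet-trace lines and derive port states the way Nmap does.

Added example, not Nmap's own code. It correlates the SENT probes of SYN (-sS),
ACK (-sA) and UDP (-sU) scans with the RCVD replies and applies the decision
rules behind the port states, yielding the state plus the --reason string.
"""
import re
from typing import Dict, Optional, Tuple

# Constructed sample in the layout --packet-trace prints; timestamps, IP IDs and
# sequence numbers are invented. SYN probes to 22/80/139/445, an ACK probe to 25
# and UDP probes to 100/53/161, all against 10.129.2.28.
SAMPLE_TRACE = """\
SENT (0.0429s) TCP 10.10.14.2:63090 > 10.129.2.28:22 S ttl=54 id=53347 iplen=44 seq=3589084378 win=1024 <mss 1460>
RCVD (0.0566s) TCP 10.129.2.28:22 > 10.10.14.2:63090 SA ttl=64 id=0 iplen=44 seq=1245678901 win=64240 <mss 1460>
SENT (0.0430s) TCP 10.10.14.2:63090 > 10.129.2.28:80 S ttl=54 id=53348 iplen=44 seq=3589084378 win=1024 <mss 1460>
RCVD (0.0570s) TCP 10.129.2.28:80 > 10.10.14.2:63090 RA ttl=64 id=0 iplen=40 seq=0 win=0
SENT (0.0431s) TCP 10.10.14.2:63090 > 10.129.2.28:139 S ttl=54 id=53349 iplen=44 seq=3589084378 win=1024 <mss 1460>
SENT (0.0432s) TCP 10.10.14.2:63090 > 10.129.2.28:445 S ttl=54 id=53350 iplen=44 seq=3589084378 win=1024 <mss 1460>
RCVD (0.0573s) ICMP [10.129.2.28 > 10.10.14.2 Port 445 unreachable (type=3/code=3) ] IP [ttl=64 id=40768 iplen=72 ]
SENT (0.0433s) TCP 10.10.14.2:63090 > 10.129.2.28:25 A ttl=54 id=53351 iplen=40 seq=0 win=1024
RCVD (0.0580s) TCP 10.129.2.28:25 > 10.10.14.2:63090 R ttl=64 id=0 iplen=40 seq=0 win=0
SENT (0.0367s) UDP 10.10.14.2:40348 > 10.129.2.28:100 ttl=56 id=57046 iplen=28
RCVD (0.0400s) ICMP [10.129.2.28 > 10.10.14.2 Port 100 unreachable (type=3/code=3) ] IP [ttl=64 id=40769 iplen=56 ]
SENT (0.0368s) UDP 10.10.14.2:40348 > 10.129.2.28:53 ttl=56 id=57047 iplen=28
SENT (0.0369s) UDP 10.10.14.2:40348 > 10.129.2.28:161 ttl=56 id=57048 iplen=28
RCVD (0.0410s) UDP 10.129.2.28:161 > 10.10.14.2:40348 ttl=64 id=0 iplen=64
"""

SENT_RE = re.compile(r"^SENT \(\S+\) (?P<proto>TCP|UDP) \S+:\d+ > (?P<dst>\S+):(?P<dport>\d+)(?: (?P<flags>[A-Z]+))?")
RCVD_L4_RE = re.compile(r"^RCVD \(\S+\) (?P<proto>TCP|UDP) (?P<src>\S+):(?P<sport>\d+) > \S+:\d+(?: (?P<flags>[A-Z]+))?")
RCVD_ICMP_RE = re.compile(r"^RCVD \(\S+\) ICMP \[(?P<src>\S+) > \S+ (?P<text>[^(]*)\(type=(?P<type>\d+)/code=(?P<code>\d+)\)")

# ICMP type 3 codes Nmap acts on, with the reason strings it prints for them.
ICMP_REASONS = {0: "net-unreach", 1: "host-unreach", 2: "proto-unreach", 3: "port-unreach",
                9: "net-prohibited", 10: "host-prohibited", 13: "admin-prohibited"}

Key = Tuple[str, int, str]   # (target address, port, "tcp" | "udp")
Verdict = Tuple[str, str]    # (state, reason)


def _l4_verdict(kind: str, flags: str) -> Optional[Verdict]:
    """State implied by a TCP/UDP reply to a probe of the given kind."""
    if kind == "udp":
        return ("open", "udp-response")       # any UDP reply proves a listener
    if kind == "ack":
        # Open and closed ports both answer an unsolicited ACK with RST, so a reply
        # only says the probe was not filtered. Anything else is ignored.
        return ("unfiltered", "reset") if "R" in flags else None
    if "S" in flags and "A" in flags:         # SYN probe: SYN/ACK means open
        return ("open", "syn-ack")
    if "R" in flags:                          # RST means closed
        return ("closed", "reset")
    return None


def _icmp_verdict(kind: str, code: int) -> Optional[Verdict]:
    """State implied by an ICMP destination-unreachable (type 3) error."""
    reason = ICMP_REASONS.get(code)
    if reason is None:
        return None
    if kind == "udp" and code == 3:
        return ("closed", reason)             # port unreachable: no UDP listener
    return ("filtered", reason)               # every other error points to a filter


def parse_trace(trace: str) -> Dict[Key, Verdict]:
    """Correlate SENT probes with RCVD replies and return a verdict per probed port."""
    probes: Dict[Key, str] = {}               # outstanding probes -> "syn" | "ack" | "udp"
    results: Dict[Key, Verdict] = {}
    for line in trace.splitlines():
        if m := SENT_RE.match(line):
            proto = m["proto"].lower()
            kind = "udp" if proto == "udp" else {"S": "syn", "A": "ack"}.get(m["flags"] or "")
            if kind:                          # other TCP probe types are not modelled
                probes[(m["dst"], int(m["dport"]), proto)] = kind
        elif m := RCVD_L4_RE.match(line):
            key = (m["src"], int(m["sport"]), m["proto"].lower())
            if key in probes and key not in results:
                verdict = _l4_verdict(probes[key], m["flags"] or "")
                if verdict:
                    results[key] = verdict
        elif (m := RCVD_ICMP_RE.match(line)) and m["type"] == "3":
            # The trace line quotes the port but not the protocol of the original
            # probe, so the error is applied to every outstanding probe on that port.
            port = re.search(r"\bPort (\d+)\b", m["text"])
            for key, kind in probes.items():
                if key[0] == m["src"] and key not in results and (port is None or key[1] == int(port[1])):
                    verdict = _icmp_verdict(kind, int(m["code"]))
                    if verdict:
                        results[key] = verdict
    for key, kind in probes.items():         # silence is the remaining possibility
        results.setdefault(key, ("open|filtered" if kind == "udp" else "filtered", "no-response"))
    return results


if __name__ == "__main__":
    for (host, port, proto), (state, reason) in sorted(parse_trace(SAMPLE_TRACE).items()):
        print(f"{host} {port}/{proto:<4} {state:<14} {reason}")
```

Note how the same ICMP port-unreachable error means closed for the UDP probe to port 100 but filtered for the SYN probe to port 445: a TCP port that is merely closed answers with a RST, so an ICMP error on a TCP probe can only come from something in the path.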

Service and Version Detection

Identifying services and their versions is crucial for vulnerability assessment.

Basic Version Detection

sudo nmap 10.129.2.28 -p 445 -sV --reason

Comprehensive Service Enumeration

A complete service enumeration approach:

# Full port range with version detection and periodic progress output
sudo nmap 10.129.2.28 -p- -sV --stats-every=5s

This command:

  • Scans all 65,535 TCP ports (-p-)
  • Performs version detection (-sV), which connects to every open port and sends probes until a service signature matches
  • Shows progress every 5 seconds (--stats-every=5s)

Version detection is the opposite of stealthy: every probe is a full connection that the service can log, and some probes are unusual enough to trip an IDS, so treat this as an enumeration step, not an evasion one.

Saving and Processing Results

Nmap can save scan results in multiple formats for later analysis.

Output Formats

Nmap supports three primary output formats:

  • Normal (-oN): Human-readable format, the same as the terminal output
  • Grepable (-oG): One line per host, for grep/awk pipelines (deprecated but still widely used)
  • XML (-oX): Structured data format, the one to parse programmatically

-oA <basename> writes all three at once as <basename>.nmap, <basename>.gnmap and <basename>.xml:

# Save in all formats
sudo nmap 10.129.2.28 -p- -oA target

Converting Results

XML output can be converted to HTML for reporting. xsltproc applies the stylesheet referenced in the XML header (nmap.xsl, installed alongside Nmap); if that path does not exist on the machine doing the conversion, pass the stylesheet explicitly, or scan with --webxml so the XML references the copy hosted at nmap.org:

xsltproc target.xml -o target.html
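Parsing the XML is the reliable way to post-process scans, and comparing two saved scans of the same target is how you notice a newly exposed service or a changed version. The Python below is an added example, not Nmap’s own tooling; the two XML documents are constructed to mirror the elements Nmap writes (nmaprun/host/status/address/ports/port/state/service) and stand in for target.xml files saved on two different days.

```python
"""Parse Nmap XML output and diff two scans of the same target.

Added example, not part of Nmap. The two documents below are constructed in
the shape Nmap writes with -oX / -oA (only the elements used here are
included) and stand in for target.xml files saved on two different days.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

PortKey = Tuple[str, str, int]   # (host address, protocol, port)
PortInfo = Tuple[str, str]       # (state, "name product version")

SCAN_DAY1 = """<nmaprun scanner="nmap" args="nmap -sV -oA target 10.129.2.28-29" version="7.94">
<host><status state="up" reason="arp-response"/>
<address addr="10.129.2.28" addrtype="ipv4"/><address addr="DE:AD:00:00:BE:EF" addrtype="mac"/>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh" product="OpenSSH" version="8.2p1"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http" product="Apache httpd" version="2.4.41"/></port>
<port protocol="tcp" portid="445"><state state="filtered" reason="port-unreach"/><service name="microsoft-ds"/></port>
</ports></host>
<host><status state="down" reason="no-response"/><address addr="10.129.2.29" addrtype="ipv4"/></host>
</nmaprun>
"""

SCAN_DAY2 = """<nmaprun scanner="nmap" args="nmap -sV -oA target 10.129.2.28-29" version="7.94">
<host><status state="up" reason="arp-response"/>
<address addr="10.129.2.28" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh" product="OpenSSH" version="8.9p1"/></port>
<port protocol="tcp" portid="80"><state state="closed" reason="reset"/><service name="http"/></port>
<port protocol="tcp" portid="445"><state state="filtered" reason="port-unreach"/><service name="microsoft-ds"/></port>
<port protocol="tcp" portid="3306"><state state="open" reason="syn-ack"/><service name="mysql" product="MySQL" version="8.0.36"/></port>
</ports></host>
<host><status state="up" reason="arp-response"/><address addr="10.129.2.29" addrtype="ipv4"/>
<ports><port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh" product="OpenSSH" version="8.9p1"/></port></ports></host>
</nmaprun>
"""


def parse_nmap_xml(xml_text: str) -> Dict[PortKey, PortInfo]:
    """Return every scanned port of every host that was up, keyed by (ip, proto, port)."""
    results: Dict[PortKey, PortInfo] = {}
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue                          # hosts that were down carry no ports anyway
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        ip = addr.get("addr")
        for port in host.iter("port"):
            state = port.find("state").get("state")
            svc = port.find("service")
            desc = "" if svc is None else " ".join(
                v for v in (svc.get("name"), svc.get("product"), svc.get("version")) if v)
            results[(ip, port.get("protocol"), int(port.get("portid")))] = (state, desc)
    return results


def diff_scans(old: Dict[PortKey, PortInfo], new: Dict[PortKey, PortInfo]) -> Dict[str, List[PortKey]]:
    """Ports that became open, stopped being open, or stayed open with a different service string."""
    def is_open(info):
        return info is not None and info[0] == "open"

    report: Dict[str, List[PortKey]] = {"appeared": [], "disappeared": [], "changed": []}
    for key in sorted(set(old) | set(new)):
        o, n = old.get(key), new.get(key)
        if is_open(n) and not is_open(o):
            report["appeared"].append(key)
        elif is_open(o) and not is_open(n):
            report["disappeared"].append(key)
        elif is_open(o) and is_open(n) and o[1] != n[1]:
            report["changed"].append(key)
    return report


if __name__ == "__main__":
    report = diff_scans(parse_nmap_xml(SCAN_DAY1), parse_nmap_xml(SCAN_DAY2))
    for kind, keys in report.items():
        for ip, proto, port in keys:
            print(f"{kind:<12} {ip} {port}/{proto}")
```

Hosts reported down are skipped rather than treated as "all ports disappeared", so a host that was simply unreachable on the second day does not flood the diff; read it with ET.parse(path) on a real target.xml instead of the inline strings.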

Nmap Scripting Engine (NSE)

The Nmap Scripting Engine extends Nmap’s capabilities through Lua scripts.

Script Categories

NSE scripts are organized into 14 categories:

  • auth: Credential and authentication checks against the target service (not brute force)
  • broadcast: Host discovery by broadcasting on the local network
  • brute: Credential brute-forcing; noisy and may lock accounts
  • default: The curated set run by -sC (or -A)
  • discovery: Actively learn more about the network (SNMP, directory services, public registries)
  • dos: May cause a denial of service on the target
  • exploit: Actively exploit a known vulnerability
  • external: Send data to third-party services (e.g. whois), which discloses the target to them
  • fuzzer: Send unexpected or randomized input to find bugs
  • intrusive: Likely to crash the target, consume significant resources or be logged as an attack
  • malware: Check whether the target is infected or backdoored
  • safe: Not designed to crash services, use large amounts of bandwidth or exploit vulnerabilities
  • version: Extend version detection; run automatically with -sV
  • vuln: Check for specific known vulnerabilities, reporting only when one is found

Using NSE Scripts

# Default scripts
sudo nmap <target> -sC

# Specific category
sudo nmap <target> --script <category>

# Defined scripts
sudo nmap <target> --script <script-name>,<script-name>,...

# Practical example
sudo nmap 10.129.2.28 -p 25 --script banner,smtp-commands

Scripts in the brute, dos, exploit and intrusive categories can lock out accounts or crash services; read a script’s description with nmap --script-help <script-name> before running it against anything you care about.

Aggressive Scanning

Combining multiple techniques for comprehensive analysis (and noisy: this sends OS fingerprinting probes, runs every default script and version-probes each open port):

sudo nmap 10.129.2.28 -p 80 -A

This includes:

  • Service detection (-sV)
  • OS detection (-O)
  • Traceroute
  • Default scripts (-sC)

Performance Optimization

Scanning performance is crucial for large networks or low-bandwidth environments.

Timing Templates

Nmap provides six predefined timing templates (-T0 to -T5), each a preset bundle of the RTT-timeout, parallelism and retry values covered below:

  • Paranoid (-T0): One probe at a time, five minutes apart; for IDS evasion only
  • Sneaky (-T1): Very slow, stealthy
  • Polite (-T2): Slow, less conspicuous and less likely to overload the target
  • Normal (-T3): Default balanced speed
  • Aggressive (-T4): Faster; assumes a reliable, fast network
  • Insane (-T5): Maximum speed; sacrifices accuracy on anything but a very fast network

RTT Optimization

Lowering the round-trip timeouts speeds up scans on a low-latency network, but replies from slow hosts then arrive too late and their ports are reported as filtered; keep --max-rtt-timeout well above the slowest RTT you observe:

--initial-rtt-timeout 50ms --max-rtt-timeout 100ms

Packet Rate Control

Forcing a minimum number of packets per second, regardless of what Nmap’s congestion control would choose. This can overwhelm rate-limiting firewalls and small targets, so verify anything surprising with a slower scan:

--min-rate 300

Retry Limitations

Disabling retransmissions makes the scan faster, but any single dropped probe then yields a wrong filtered (or open|filtered) result; a quick first pass with --max-retries 0 should be followed by a normal scan of anything interesting:

--max-retries 0

Firewall and IDS/IPS Evasion

Modern networks often employ firewalls and intrusion detection/prevention systems that can interfere with scanning.

Understanding Firewalls

Firewalls may:

  • Drop packets (no response)
  • Reject packets (ICMP error)

Common ICMP destination-unreachable (type 3) errors and their codes:

  • Net Unreachable (code 0)
  • Host Unreachable (code 1)
  • Proto Unreachable (code 2)
  • Port Unreachable (code 3)
  • Net, Host or Communication Administratively Prohibited (codes 9, 10 and 13), the usual signature of a firewall that rejects rather than drops

ACK Scanning

Mapping firewall rules (does not discover open ports):

sudo nmap 10.129.2.28 -p 21,22,25 -sA -Pn -n --disable-arp-ping --packet-trace

ACK probes are only ever answered with a RST, whether the port is open or closed, so the scan cannot find services. What it reveals is the filtering: a stateless firewall that only blocks SYN packets lets the ACK through and Nmap reports the port unfiltered, while a stateful firewall that tracks connections drops the unsolicited ACK and the port shows as filtered.

Decoy Scanning

Using decoy IP addresses to obscure the real source:

sudo nmap 10.129.2.28 -p 80 -sS -Pn -n --disable-arp-ping --packet-trace -D RND:5

This generates 5 random decoy addresses and sends each probe from your real address and from every decoy, with the real one at a random position (put ME in an explicit list to fix its position). Caveats: the target may SYN-flood decoys that are actually down; upstream ISPs often drop packets with spoofed source addresses; and decoys do not work with version detection or connect scans, so combine -D only with raw scan types such as -sS.

Source IP Spoofing

Testing whether a firewall treats some source addresses differently. Because the replies go to the spoofed address, you only see them if you can sniff that traffic on the interface given with -e, so add --packet-trace to watch what actually comes back:

sudo nmap 10.129.2.28 -n -Pn -p 445 -O -S 10.129.2.200 -e tun0

Source Port Manipulation

Some firewalls allow any traffic whose source port is 53 (DNS) or 20 (FTP data), the result of sloppy rules that trust those ports. Nmap can set the source port of its raw probes with --source-port (alias -g); this needs root and does not apply to connect scans, version detection or NSE scripts, which use an OS-assigned port:

sudo nmap 10.129.2.28 -p50000 -sS -Pn -n --disable-arp-ping --packet-trace --source-port 53

To actually talk to the service once the port turns out to be reachable this way, open a full TCP connection from the same source port with ncat (binding a port below 1024 also needs root):

ncat -nv --source-port 53 10.129.2.28 50000

Important Considerations

When using Nmap, consider these important factors:

  • Legality: Only scan networks you own or have explicit permission to test
  • Network Impact: Aggressive scans can affect network performance
  • Detection Risk: Stealth techniques reduce but don’t eliminate detection risk
  • Result Accuracy: Filtered ports may require manual verification
  • Firewall Rules: Modern firewalls may block or rate-limit scanning attempts
  • Ethical Use: Always follow responsible disclosure practices when identifying vulnerabilities

Conclusion

Nmap is an incredibly versatile tool that forms the foundation of network reconnaissance. From basic host discovery to advanced firewall evasion techniques, mastering Nmap requires understanding both its technical capabilities and the network environments in which it operates.

Key takeaways:

  1. Start with host discovery before port scanning
  2. Save all scan results for documentation and comparison
  3. Use appropriate scan types for your privilege level and network position
  4. Leverage NSE scripts for enhanced service enumeration
  5. Optimize performance based on network conditions
  6. Apply evasion techniques when encountering defensive systems
  7. Always operate within legal and ethical boundaries

With practice and understanding of these concepts, you’ll be able to effectively enumerate networks and identify potential security weaknesses while minimizing impact on target systems.