Master the art of network reconnaissance with the industry’s most powerful scanning tool

Key Takeaways#

  • Nmap is more than a port scanner: It’s a complete network analysis framework with scripting capabilities, OS detection, and service enumeration.
  • Scan selection matters: Different scan types serve different purposes—from stealthy reconnaissance to aggressive enumeration.
  • NSE transforms Nmap: The Nmap Scripting Engine turns a scanner into a vulnerability assessment platform.
  • Evasion requires strategy: Modern networks have defenses; learn to adapt your approach.
  • Documentation is crucial: Every scan should be saved, analyzed, and incorporated into your methodology.

Table of Contents#

Introduction: Why Nmap Dominates Network Reconnaissance#

Network Mapper (Nmap) isn’t just another tool in your penetration testing arsenal—it’s the tool that bridges the gap between initial access and full network compromise. Written in C, C++, Python, and Lua, Nmap has evolved from a simple port scanner into a comprehensive network analysis framework that every security professional must master.

What Makes Nmap Essential#

Core Capabilities:
├── Host Discovery - Find live systems without triggering alarms
├── Port Scanning - Identify open services with surgical precision
├── Service Detection - Determine exact versions for vulnerability mapping
├── OS Fingerprinting - Identify systems for targeted exploitation
├── NSE Scripts - Extend functionality from enumeration to exploitation
└── Output Formats - Integration with every major security tool

Whether you’re conducting an authorized penetration test, auditing network security, or investigating an incident, Nmap provides the reconnaissance foundation that every subsequent action builds upon.

Installation & Initial Setup#

Platform-Specific Installation#

# Debian/Ubuntu
sudo apt update && sudo apt install nmap -y

# RHEL/CentOS/Fedora
sudo dnf install nmap -y

# macOS (using Homebrew)
brew install nmap

# Windows (using Chocolatey)
choco install nmap

# Verify installation and check version
nmap --version

Essential Configuration#

# Create a structured directory for your pentest projects
mkdir -p ~/pentest/{scans,scripts,reports}
cd ~/pentest/scans

# Download the latest NSE scripts
sudo nmap --script-updatedb

# Optional: Set up performance defaults in ~/.nmap/nmap.conf
echo "min-rate = 300" >> ~/.nmap/nmap.conf
echo "max-retries = 2" >> ~/.nmap/nmap.conf

Host Discovery: Finding Your Targets#

Before you can attack, you must discover. Host discovery is the critical first phase that maps your battlefield.

The Fundamentals of Host Discovery#

# ARP Discovery (Local Network Only - Most Reliable)
sudo nmap -sn -PR 192.168.1.0/24 -oA discovery/arp_sweep

# ICMP Echo Request (Classic "Ping Sweep")
sudo nmap -sn -PE 10.129.2.0/24 -oA discovery/ping_sweep

# TCP SYN Discovery (Port 443 - Often Allowed Through Firewalls)
sudo nmap -sn -PS443 10.129.2.0/24 -oA discovery/tcp_sweep

# TCP ACK Discovery (Good for Firewall Evasion)
sudo nmap -sn -PA80,443,8080 10.129.2.0/24 -oA discovery/ack_sweep

# UDP Discovery (Often Forgotten, Can Find DNS/SNMP Servers)
sudo nmap -sn -PU53,161,500 10.129.2.0/24 -oA discovery/udp_sweep

Advanced Discovery Techniques#

# List scan - No packets sent, only performs reverse DNS resolution
nmap -sL 10.129.2.0/24

# Discover hosts with timing control for IDS evasion
nmap -sn -T2 --scan-delay 5s 10.129.2.0/24

Parsing Discovery Results#

# Extract only the live IP addresses from your scan results
grep "Up" discovery/arp_sweep.gnmap | cut -d " " -f2 > targets.txt

# Count how many live hosts you found
wc -l targets.txt

Pro Tip: Always perform multiple discovery methods. Firewalls often block ICMP but allow TCP to certain ports. A host that appears down to a ping sweep might be fully accessible on TCP 443.

Port Scanning Mastery: The Core of Network Enumeration#

Port scanning is where Nmap truly shines. Understanding the nuances of each scan type separates professionals from amateurs.

Understanding Port States#

  • open: The service is actively accepting connections. This is your primary target.
  • closed: The port is accessible, but no service is listening.
  • filtered: A firewall or IDS is blocking your probes. This requires a different approach.
  • unfiltered: The port is accessible, but its state can’t be determined (common with ACK scans).
  • open|filtered: Nmap can’t determine if the port is open or filtered (common with UDP scans).

TCP Scan Types Explained#

1. TCP Connect Scan (-sT)#

The most basic but reliable scan. Completes the full TCP three-way handshake.

  • Pros: Works without root privileges, highly accurate.
  • Cons: Easily detected and logged, slower than a SYN scan.
nmap -sT -p 80,443,8080 10.129.2.28

2. SYN “Stealth” Scan (-sS)#

The default scan when running as root. Sends a SYN, receives a SYN-ACK, but sends a RST instead of completing the handshake.

  • Pros: Fast, relatively stealthy, efficient.
  • Cons: Requires root/administrator privileges.
sudo nmap -sS -p- --min-rate 5000 10.129.2.28 -oA scans/syn_full

3. ACK Scan (-sA)#

Used to map firewall rulesets and determine if a firewall is stateful. It doesn’t determine if a port is open.

  • Result: unfiltered means the firewall allowed the ACK packet through; filtered means it did not.
sudo nmap -sA -p 1-1000 10.129.2.28

4. UDP Scan (-sU)#

Critical but often overlooked. UDP scans are inherently slow, so be targeted.

# Scan for the most common UDP services
sudo nmap -sU -p 53,67,69,123,161,500 10.129.2.28

# Combine TCP and UDP for a complete view
sudo nmap -sSU -p T:80,443,U:53,161 10.129.2.28

5. Exotic Scans (FIN/NULL/Xmas)#

These scans are designed for IDS evasion and work by sending malformed packets.

  • Effectiveness: Highly effective against older, non-compliant TCP/IP stacks. Modern systems (especially Windows) will typically report all ports as closed.
sudo nmap -sF 10.129.2.28  # FIN Scan
sudo nmap -sN 10.129.2.28  # NULL Scan
sudo nmap -sX 10.129.2.28  # Xmas Scan

Service Enumeration: Beyond Port Numbers#

Knowing port 80 is open is useful. Knowing it’s running Apache 2.4.41 on Ubuntu is actionable.

Version Detection (-sV)#

# Basic version detection on all open ports
nmap -sV 10.129.2.28

# More aggressive version detection (slower but more accurate)
nmap -sV --version-intensity 9 10.129.2.28

OS Detection (-O)#

# Perform OS and version detection together
sudo nmap -sV -O 10.129.2.28

# Make Nmap guess more aggressively if results are uncertain
sudo nmap -sV -O --osscan-guess 10.129.2.28

# Use the banner script for manual banner grabbing
nmap -sV -p 21,22,25,80 --script=banner 10.129.2.28

The Nmap Scripting Engine (NSE): Your Force Multiplier#

The NSE transforms Nmap from a scanner into a complete vulnerability assessment platform with over 600 scripts.

Essential NSE Scripts by Category#

  • auth: Test for default or weak credentials.
    nmap -p 22 --script=ssh-auth-methods 10.129.2.28
  • discovery: Enumerate more information (e.g., SNMP details, SMB shares).
    nmap -p 445 --script=smb-enum-shares 10.129.2.28
  • vuln: Actively check for known vulnerabilities.
    nmap --script=vuln 10.129.2.28
# Check for EternalBlue
nmap -p 445 --script=smb-vuln-ms17-010 10.129.2.28
  • exploit: Attempt to exploit known vulnerabilities (use with extreme caution and authorization).

Writing Custom NSE Scripts#

You can extend Nmap by writing your own scripts in Lua.

-- Custom script template: http-api-enum.nse
description = [[
Enumerates common API endpoints on web servers.
]]

categories = {"discovery", "safe"}
portrule = shortport.http

action = function(host, port)
    local endpoints = {"/api/v1/users", "/api/v1/admin", "/.git/config"}
    local results = {}
    
    for _, endpoint in ipairs(endpoints) do
        local response = http.get(host, port, endpoint)
        if response.status == 200 then
            table.insert(results, endpoint .. " - Found")
        end
    end
    
    return stdnse.format_output(true, results)
end

Advanced NSE Usage#

# Run scripts with arguments
nmap --script=mysql-brute --script-args="userdb=users.txt,passdb=pass.txt" 10.129.2.28

# Debug a script's execution to see what it's doing
nmap --script=http-enum --script-trace 10.129.2.28

IDS/IPS Evasion Techniques#

Modern networks are defended. Adapt your approach to avoid detection.

Timing and Performance Control#

# Timing templates (T0=Paranoid to T5=Insane)
nmap -T0 10.129.2.28  # 5 minutes between probes
nmap -T2 10.129.2.28  # 0.4 seconds between probes (good for slow scanning)

# Custom timing controls
nmap --scan-delay 5s --max-retries 1 10.129.2.28

Fragmentation and Packet Manipulation#

# Fragment packets to bypass simple packet inspection firewalls
sudo nmap -f 10.129.2.28

# Use a specific MTU to create smaller packets
sudo nmap --mtu 16 10.129.2.28

# Spoof your source port to look like legitimate traffic (e.g., DNS)
sudo nmap --source-port 53 10.129.2.28

# Add random data to packets to change their signature
sudo nmap --data-length 50 10.129.2.28

Decoy Scanning and Spoofing#

# Decoy scan hides your true source IP among fakes
sudo nmap -D RND:10,ME 10.129.2.28

# Spoof your MAC address on a local network
sudo nmap --spoof-mac Apple 10.129.2.28

Advanced Firewall Bypass Techniques#

  • Idle/Zombie Scan (-sI): The ultimate stealth scan. You bounce the scan off a “zombie” machine, making it appear as though the zombie is scanning the target. This is complex and requires specific network conditions.
    sudo nmap -sI zombie.host.com target.host.com
  • FTP Bounce Scan (-b): A legacy technique that relays a scan through a misconfigured FTP server.
    nmap -b ftp-relay.host.com target.host.com

Performance Optimization: Scanning at Scale#

When scanning large networks, speed and efficiency are key.

Speed Optimization Strategies#

# Maximum speed scan (can be inaccurate and dangerous)
sudo nmap -sS -p- --min-rate 10000 --max-retries 0 -T5 10.129.2.0/24

# A balanced, fast scan for reliable networks
sudo nmap -sS -p- --min-rate 5000 --max-retries 1 -T4 10.129.2.0/24

# A two-phase approach for large subnets:
# Phase 1: Fast discovery of only live hosts
sudo nmap -sn -T5 --min-rate 5000 10.129.2.0/16 -oG - | \
    awk '/Up$/{print $2}' > live_hosts.txt

# Phase 2: Detailed scan on the much smaller list of live hosts
sudo nmap -sV -sC -O -iL live_hosts.txt --min-rate 2000

Output Management for Large Scans#

# Use -oA to save in all formats, with a timestamp for uniqueness
nmap -oA scans/network_sweep_$(date +%F_%T) 10.129.2.0/24

# Resume an interrupted scan
nmap --resume scans/interrupted_scan.gnmap

Real-World Scanning Scenarios#

The following are complete scripts demonstrating multi-phase scanning methodologies.

Scenario 1: External Penetration Test#

#!/bin/bash
# External pentest recon script
TARGET="client.com"
OUTPUT_DIR="scans/external"
mkdir -p $OUTPUT_DIR

echo "[*] Phase 1: DNS & Subdomain Enumeration"
nmap --script=dns-brute,hostmap-crtsh $TARGET -oA $OUTPUT_DIR/dns_enum

# Extract found hosts for the next phase
grep "report for" $OUTPUT_DIR/dns_enum.nmap | awk '{print $5}' > $OUTPUT_DIR/discovered_hosts.txt

echo "[*] Phase 2: Port scanning discovered hosts"
sudo nmap -sS -sV -O -p- --min-rate 1000 -iL $OUTPUT_DIR/discovered_hosts.txt -oA $OUTPUT_DIR/full_port_scan

echo "[*] Phase 3: Vulnerability assessment"
nmap --script=vuln,exploit --script-args=unsafe=1 -iL $OUTPUT_DIR/discovered_hosts.txt -oA $OUTPUT_DIR/vuln_scan

Scenario 2: Internal Network Assessment#

#!/bin/bash
# Internal network assessment script
NETWORK="192.168.1.0/24"
OUTPUT_DIR="scans/internal"
mkdir -p $OUTPUT_DIR

echo "[*] Phase 1: Fast ARP discovery to find live hosts"
sudo nmap -sn -PR $NETWORK -oA $OUTPUT_DIR/arp_discovery
grep "Up" $OUTPUT_DIR/arp_discovery.gnmap | cut -d' ' -f2 > $OUTPUT_DIR/live_hosts.txt

echo "[*] Phase 2: Finding low-hanging fruit (Common services)"
sudo nmap -sS -sV -p 21,22,80,139,445,3389,8080 -iL $OUTPUT_DIR/live_hosts.txt -oA $OUTPUT_DIR/common_services

echo "[*] Phase 3: Deep SMB enumeration on relevant hosts"
grep "445/open" $OUTPUT_DIR/common_services.gnmap | cut -d' ' -f2 > $OUTPUT_DIR/smb_hosts.txt
if [ -s $OUTPUT_DIR/smb_hosts.txt ]; then
    nmap --script="smb-enum-*,smb-vuln-*" -iL $OUTPUT_DIR/smb_hosts.txt -oA $OUTPUT_DIR/smb_enum
fi

Scenario 3: Web Application Infrastructure Mapping#

#!/bin/bash
# Web infrastructure mapping script
TARGET="10.129.2.0/24"
OUTPUT_DIR="scans/web_infrastructure"
mkdir -p $OUTPUT_DIR

echo "[*] Finding web servers"
nmap -sS -p 80,443,8080,8443 -oG - $TARGET | awk '/open/{print $2}' > $OUTPUT_DIR/web_hosts.txt

echo "[*] HTTP methods, headers, and technologies"
nmap --script=http-methods,http-headers,http-enum,http-title -iL $OUTPUT_DIR/web_hosts.txt -oA $OUTPUT_DIR/web_tech

echo "[*] Detecting WAFs"
nmap --script=http-waf-detect,http-waf-fingerprint -iL $OUTPUT_DIR/web_hosts.txt -oA $OUTPUT_DIR/waf_detection

Expert-Level Techniques#

Custom Scan Combinations#

# Comprehensive, stealthy scan for a single host
sudo nmap -sS -sV -O -T2 --script="default and not intrusive" \
     --scan-delay 100ms --max-retries 2 --source-port 88 \
     --data-length 32 -f -D RND:5 10.129.2.28

Advanced Service Interaction#

# SMTP user enumeration (requires a wordlist of usernames)
nmap -p 25 --script=smtp-enum-users --script-args=smtp-enum-users.methods={VRFY,EXPN,RCPT},userdb=users.txt 10.129.2.28

# Kerberos user enumeration (requires a wordlist and realm)
nmap -p 88 --script=krb5-enum-users --script-args="krb5-enum-users.realm='CORP.LOCAL',userdb=users.txt" 10.129.2.28

IPv6 Scanning Mastery#

# IPv6 host discovery on local segment
nmap -6 -sn -PR fe80::/64

# Port scan an IPv6 range
nmap -6 -sS -p 80,443,22 2001:db8::/32

Building Your Scanning Methodology#

The following is a complete, production-ready script that follows a professional multi-phase methodology.

The Professional’s Workflow Script#

#!/bin/bash
# Professional penetration testing Nmap methodology script

# --- Configuration ---
if [ "$#" -ne 2 ]; then
    echo "Usage: $0 <TargetNetwork> <ProjectName>"
    exit 1
fi
TARGET_NETWORK=$1
PROJECT_NAME=$2
SCAN_DIR="scans/$PROJECT_NAME/$(date +%Y%m%d)"
mkdir -p $SCAN_DIR

# --- Logging Function ---
log() {
    echo "[$(date +'%Y-%m-%d %H:%M:%S')] $1" | tee -a $SCAN_DIR/scan.log
}

# --- Phase 1: Discovery ---
discovery_scan() {
    log "Starting discovery phase..."
    sudo nmap -sn -PE -PS21,22,80,443,3389 -PA80,443 -PU53,161 -T4 \
         $TARGET_NETWORK -oA $SCAN_DIR/01_discovery
    grep "report for" $SCAN_DIR/01_discovery.nmap | awk '{print $5}' > $SCAN_DIR/live_hosts.txt
    log "Discovered $(wc -l < $SCAN_DIR/live_hosts.txt) live hosts."
}

# --- Phase 2: Port Scanning ---
port_scan() {
    log "Starting port scanning phase..."
    sudo nmap -sS -p- --min-rate 1000 -iL $SCAN_DIR/live_hosts.txt -oA $SCAN_DIR/02_full_ports
    log "Completed full port scanning."
}

# --- Phase 3: Service Enumeration ---
service_enum() {
    log "Starting service enumeration..."
    grep "Ports:" $SCAN_DIR/02_full_ports.gnmap | while read line; do
        host=$(echo $line | awk '{print $2}')
        ports=$(echo $line | grep -oP '\d+/open' | cut -d/ -f1 | tr '\n' ',' | sed 's/,$//')
        if [ ! -z "$ports" ]; then
            sudo nmap -sV -sC -O -p $ports $host -oA $SCAN_DIR/03_service_enum_$host
        fi
    done
    log "Completed service enumeration."
}

# --- Phase 4: Vulnerability Assessment ---
vuln_scan() {
    log "Starting vulnerability assessment..."
    nmap --script="vuln and safe" -iL $SCAN_DIR/live_hosts.txt -oA $SCAN_DIR/04_vuln_safe
    log "Completed vulnerability assessment."
}

# --- Main Execution ---
main() {
    log "Starting Nmap methodology for project: $PROJECT_NAME"
    discovery_scan
    port_scan
    service_enum
    vuln_scan
    log "Scan complete!"
}

main

Scan Result Analysis Framework#

For large scans, manual analysis is inefficient. Use a script to parse the XML output.

#!/usr/bin/env python3
# nmap_analyzer.py - Parse and analyze Nmap XML results
import xml.etree.ElementTree as ET
import sys
from collections import defaultdict

def parse_nmap_xml(xml_file):
    tree = ET.parse(xml_file)
    root = tree.getroot()
    results = defaultdict(list)
    for host in root.findall('.//host'):
        if host.find('.//status').get('state') == 'up':
            ip = host.find('.//address[@addrtype="ipv4"]').get('addr')
            for port in host.findall('.//port'):
                if port.find('.//state').get('state') == 'open':
                    service_info = port.find('.//service')
                    service = service_info.get('name', 'unknown')
                    version = service_info.get('version', '')
                    port_id = port.get('portid')
                    results[f"{service}:{port_id}"].append(f"{ip} ({version})")
    return results

if __name__ == "__main__":
    if len(sys.argv) != 2:
        print(f"Usage: {sys.argv[0]} <nmap_xml_file>")
        sys.exit(1)
    
    analysis = parse_nmap_xml(sys.argv[1])
    for service, hosts in sorted(analysis.items(), key=lambda x: len(x[1]), reverse=True):
        print(f"\n--- {service} ({len(hosts)} hosts) ---")
        for host in hosts:
            print(f"  - {host}")

Common Pitfalls and How to Avoid Them#

  • Mistake 1: Scanning Without Permission. Always have written authorization. Unauthorized scanning is illegal.
  • Mistake 2: Being Too Aggressive. nmap -T5 can crash fragile services. Start with -T2 or -T3 and escalate carefully.
  • Mistake 3: Ignoring UDP Services. Critical services like DNS and SNMP run on UDP. Always run a targeted UDP scan.
  • Mistake 4: Not Saving Output. A scan without saved results is a wasted effort. Always use -oA.
  • Mistake 5: Trusting a Single Scan. Firewalls and network conditions can cause inconsistent results. Run scans from different angles (e.g., -sS, -sT, -sA) to verify findings.

Advanced Integration and Automation#

Integration with Other Tools#

# Export to Metasploit for exploitation
nmap -sV -oX scan.xml 10.129.2.0/24
# In msfconsole: > db_import scan.xml; hosts

# Feed Nmap XML directly to Searchsploit to find public exploits
nmap -sV -oX - 10.129.2.28 | searchsploit --nmap -

Continuous Network Monitoring with ndiff#

#!/bin/bash
# continuous_monitor.sh - Detect network changes using ndiff
NETWORK="192.168.1.0/24"
BASELINE="baseline.xml"

# Create a baseline scan if it doesn't exist
if [ ! -f $BASELINE ]; then
    echo "Creating baseline..."
    nmap -sS -p- -oX $BASELINE $NETWORK
    exit 0
fi

# Run a new scan
nmap -sS -p- -oX current.xml $NETWORK

# Compare the new scan to the baseline
ndiff $BASELINE current.xml > changes.txt

# Alert if there are changes
if [ -s changes.txt ]; then
    echo "Network changes detected!"
    cat changes.txt
    # Update the baseline for the next run
    mv current.xml $BASELINE
fi

Mastery Checklist & Conclusion#

Before considering yourself proficient, ensure you can:

  • Perform all basic scan types and interpret all port states.
  • Write and modify basic NSE scripts.
  • Perform IDS evasion with multiple techniques.
  • Chain Nmap with other tools like Metasploit and Searchsploit.
  • Integrate Nmap into automated security workflows.
  • Create reproducible scanning methodologies and generate executive-ready reports.

Mastering Nmap is a journey, not a destination. Networks evolve, so should your skills. This guide provides the map, but true proficiency comes only through ethical, authorized practice.

Happy Scanning! 🎯

Additional Resources#