How to Perform Basic Nmap Scans


In the constantly changing world of network security, it's crucial to have strong defenses against possible threats. Nmap, or Network Mapper, is a powerful tool for this. It's free and open-source, used by security experts to explore networks and check for security issues. Network administrators, testers, and cybersecurity enthusiasts use Nmap to understand network setups, plan when to update services, track how long systems are running, and find potential security problems.

Network Mapper

What is Nmap?

Nmap, also known as Network Mapper, is a free tool used to explore networks and check their security. It was created by Gordon Lyon, who uses the pseudonym Fyodor Vaskovich. Nmap first emerged in 1997 and has since been widely used by network administrators and cybersecurity experts. Its main job is to find out which devices and services are active on a computer network, effectively creating a network map.

Nmap works by sending special packets to the devices being checked and then analyzing the responses it gets back. This lets it gather details about the network's setup, like what devices are on it, which ports are open, what services are running, what operating systems are being used, and even if there might be any security weaknesses. Nmap is good at checking big networks quickly. It's used for legitimate security checks, but attackers can also use it to find potential targets.

Common Use Cases for Nmap

  1. Network Inventory: Network administrators use Nmap to create lists of devices connected to their networks. They find IP addresses, device types, and the services they use. This helps manage and protect network resources.
  2. Security Auditing: Nmap finds open ports and services that could let attackers in. Regular scans help spot unauthorized devices or services. Admins then check how secure they are and fix any problems.
  3. Vulnerability Detection: Nmap spots weak spots in network services. It finds old software versions and bad setups. The Nmap Scripting Engine (NSE), checks services closely for problems.
  4. Network Monitoring: Nmap watches how often networks are working. Scheduled scans show if important services are down or if anything strange is happening.
  5. Penetration Testing: Ethical hackers and testers use Nmap to try breaking into networks. They find open ports and services to see where attacks could happen. This helps organizations improve their defenses.
  6. Firewall Testing: Nmap tests how well firewalls and intrusion detection systems (IDS) work. It tries to get past them with different scanning tricks. This makes sure security tools are set up right and working.
  7. Host Discovery: Nmap finds active devices on a network, even ones that don't reply to normal pings. This maps out network setups and shows how devices are connected.

NMap Commands

Overview of NMap Commands

Nmap commands are composed of several components that determine what the scan will do. The basic structure of a Nmap command is.

nmap [Scan Type(s)] [Options] {Target Specification}
  • Scan Type(s): Determines the method Nmap uses to scan the targets. Examples include TCP connect scan (-sT), SYN scan (-sS), and UDP scan (-sU).
  • Options: Additional parameters that modify the behavior of the scan. Options can include timing controls, output formats, or script usage.
  • Target Specification: Defines the IP addresses, hostnames, or networks to be scanned. Targets can be specified individually, as a range, or using CIDR notation.

Example Command

nmap -sS -p 80,443 -oN scan_results.txt

This command performs a SYN scan (-sS) on ports 80 and 443 (-p 80,443), saves the output to a file (-oN scan_results.txt), and targets all devices in the network.

Explanation of Common Nmap Options and Flags

Scan Types

  1. Ping Scan ('-sn')
    • Discovers live hosts on a network without performing a port scan.
    • Example: 'nmap -sn'
  2. TCP Connect Scan ('-sT')
    • Establishes a full TCP connection to the target port. Often used when SYN scans are not permitted.
    • Example: 'nmap -sT'
  3. SYN Scan ('-sS')
    • Sends SYN packets and waits for responses to determine the port status without completing the handshake. It's stealthier than a TCP connect scan.
    • Example: 'nmap -sS'
  4. UDP Scan ('-sU')
    • Scans UDP ports to discover open UDP services.
    • Example: 'nmap -sU'
  5. Version Detection ('-sV')
    • Detects the versions of the services running on open ports.
    • Example: 'nmap -sV'

Target Specification

  • Single IP Address: 'nmap'
  • Hostname: 'nmap'
  • Range of IPs: 'nmap'
  • CIDR Notation: 'nmap'
  • List of Targets: Use a file containing a list of targets, one per line. Example: 'nmap -iL targets.txt'

Common Options and Flags

  1. Port Specification ('-p')
    • Specifies the ports to be scanned. Can be a single port, a list of ports, or a range.
    • Example: 'nmap -p 22,80,443'
  2. Operating System Detection ('-O')
    • Attempts to determine the operating system of the target host.
    • Example: 'nmap -O'
  3. Aggressive Scan ('-A')
    • Enables OS detection, version detection, script scanning, and traceroute.
    • Example: 'nmap -A'
  4. Timing Options ('-T<0-5>')
    • Adjusts the speed of the scan. '-T0' is the slowest, and '-T5' is the fastest.
    • Example: 'nmap -T4'
  5. Output Options
    • Normal output ('-oN') - Saves output in a human-readable format. Example - 'nmap -oN output.txt'
    • XML output ('-oX') - Saves output in XML format. Example - 'nmap -oX output.xml'
    • Grepable output ('-oG') - Saves output in a format suitable for grep processing. Example - 'nmap -oG output.gnmap'
  6. Script Scanning ('-sC' or '--script')
    • Uses the Nmap Scripting Engine (NSE) to run scripts against the target. '-sC' runs a default set of scripts. Example - 'nmap -sC'
    • To run specific scripts, use '--script' followed by the script name(s). Example - 'nmap --script=http-enum'
  7. Exclude Hosts ('--exclude')
    • Excludes specified hosts or networks from the scan. Example - 'nmap --exclude,'

Interpreting Nmap Scan Results

Understanding Nmap scan results is important for managing and securing your network. This section will help you read and understand the output and show you how to identify open ports, services, and potential security risks.

How to Read and Understand the Output of Nmap Scans

Nmap scan results are presented in a structured format that provides valuable insights into the status and characteristics of scanned hosts and services. Here's a breakdown of key elements typically found in Nmap scan output.

  1. Header Information: Displays the Nmap version used and the start time of the scan.
    Header Information
  2. Host Discovery and Status: Provides information about each scanned host, including whether it is up or down.
    Host Discovery
  3. Port Information: Lists open closed, and filtered ports on each scanned host.
    Port Information
    • PORT: Port number and protocol.
    • STATE: Current state of the port ('open', 'closed', 'filtered', etc.).
    • SERVICE: Service running on the port (e.g., 'ssh', 'http', 'https').
  4. Additional Details: This may include information like the MAC address of the host's network interface and potential OS detection.
    • Example: MAC Address: 00:0C:29:7B:8E:FA (VMware, Inc.)
  5. Footer Information: Provides a summary of the scan, including the number of hosts scanned and the total scan time.

Identifying Open Ports, Services, and Potential Vulnerabilities

  1. Open Ports: Ports listed as 'open' are actively accepting connections and represent potential entry points into the system.
    Open ports
  2. Identifying Services: Nmap attempts to identify the services running on open ports based on response patterns.
    Identifying Services
  3. Potential Vulnerabilities
    • Services running on open ports may have vulnerabilities that could be exploited by attackers.
    • Use Nmap's version detection (`-sV`) and NSE scripts (`--script`) to gather detailed information about services and potential vulnerabilities.
nmap -sV --script vuln

Analyzing Results

  • Review the list of open ports and identified services to determine if any unauthorized or vulnerable services are present.
  • Compare detected service versions against known vulnerabilities and apply patches or configuration changes as needed.
  • Use the information gathered to strengthen network defenses and improve overall security posture.

Best Practices for Using Nmap

Nmap is a powerful tool for network exploration and security auditing. To ensure you use it effectively and responsibly, consider the following best practices.

Tips for Efficient and Effective Scanning

  1. Understand Your Objectives: Define clear objectives before scanning. Determine what information you need to gather and which hosts or networks you intend to scan.
  2. Start with Simple Scans: Begin with basic scans ('-sS' for TCP SYN scan) to gather initial information about hosts and open ports.
  3. Customize Scan Parameters: Tailor scans using appropriate options ('-p' for specific ports, '-sV' for version detection) to focus on specific aspects of network reconnaissance.
  4. Use Timing Options Wisely: Adjust timing options ('-T<0-5>') based on network conditions and scanning goals. Lower timing values are slower and less intrusive, suitable for stealthy scans.
  5. Save Scan Results: Save scan results ('-oN <filename>') for future reference and analysis. This helps track changes in network configuration over time.
  6. Utilize NSE Scripts: Explore Nmap Scripting Engine (NSE) scripts ('--script') to automate tasks, detect vulnerabilities, or gather more detailed information about hosts and services.
  7. Monitor Network Impact: Be mindful of network bandwidth and resource utilization during scans, especially in large or congested networks.
  8. Document and Analyze Findings: Document scan findings systematically and analyze them to identify security risks, misconfigurations, or areas for improvement.

Legal and Ethical Considerations When Using Nmap

  • Permission and Authorization: Obtain proper authorization before scanning networks or systems. Unauthorized scanning can violate laws and regulations and lead to legal consequences.
  • Respect Privacy and Confidentiality: Avoid scanning systems or networks that you do not own or have explicit permission to scan. Respect privacy rights and confidentiality agreements.
  • Avoid Disruptive Scanning: Use scanning techniques that minimize disruption to network operations and services ('-Pn' for disabling host discovery probes, and timing options).
  • Disclosure of Findings: Handle sensitive information discovered during scans responsibly. Report vulnerabilities or security issues to appropriate stakeholders promptly and securely.
  • Stay Informed: Keep abreast of legal and ethical guidelines related to network scanning and security testing in your jurisdiction or organization.
  • Continuous Learning and Improvement: Stay updated with Nmap's capabilities, best practices, and security trends. Regularly review and refine your scanning techniques to enhance effectiveness and compliance with ethical standards.


Nmap is a vital tool for network security, helping to map networks, find vulnerabilities, and monitor health. By understanding scan results and following best practices, you can enhance your network's security. Always use Nmap responsibly and with proper authorization to ensure legality and privacy.

Similar Articles