NMAP: The Ultimate Network Scanning Tool

Introduction

You must have heard about NMAP when you were exploring cybersecurity, and it is no coincidence that everyone who explores this field sooner or later comes across this name. It is a popular tool among the craftsmen of your kind.

NMAP is short for Network Mapper, which can give you detailed insights on your network security and structure. It is open source so you don't have to worry about paying anything to use it. It has many uses including network discovery, security auditing, and vulnerability assessment.

Now the system administrators among you might be thinking that this could be a useful tool in your arsenal as well, and you will not be wrong. It can help you quickly scan networks, detect live hosts, and determine which services are running on a given machine.

That is it for the introduction, let's move on to the more juicy part where we actually use it.

In this article I will discuss the following:

  • How to install and use it

  • NMAP basic syntax

  • Types of scans you can perform with NMAP

  • NMAP Scripting Engine (NSE)

  • Firewall evasion and bypassing techniques

  • Automating and saving scanned results

  • Some real world use-cases for you to ponder on

  • Zenmap GUI

  • Further learning resources

  • And some fun stuff

With this in mind let's start digging in.

Installation

NMAP is available for Windows, Mac and Linux, so you don't have to worry about being able to use it. You can check out the official downloads page, where you can also find its source code alongside the binary packages for each platform.

Windows

Run the installer (.exe file) from the downloads page and follow the on-screen instructions. It is pretty simple so I doubt you will get stuck. Just go with the defaults if you are unsure and you should be fine.

Linux (Ubuntu/Debian-based systems)

Open the terminal and run:

sudo apt update # never forget to run the update
sudo apt install nmap -y

MacOS

Install using Homebrew:

brew install nmap

To check if NMAP was successfully installed on your system, you can run the following to verify it:

nmap --version

It should print out the version of NMAP you are using.

Now that we have successfully installed NMAP on our systems, it is time for a little tour.

The NMAP Basics

The core of NMAP works in two steps:

  1. Sending specially crafted packets to your target system and

  2. Analyzing the responses

The basic structure of the NMAP command goes like this:

nmap <options> <target>

Where <options> are optional and <target> refers to the target system's IP address (or hostname). You do not need to specify the ports; figuring those out is NMAP's job.

For example, to scan a single host on your local network (here the router at 192.168.1.1), you can use the following:

> nmap 192.168.1.1

Starting Nmap 7.95 ( https://nmap.org ) at 2025-03-23 19:25 Eastern Standard Time
Nmap scan report for 192.168.1.1
Host is up (0.0011s latency).
Not shown: 981 closed tcp ports (reset)
PORT     STATE    SERVICE
25/tcp   filtered smtp
110/tcp  filtered pop3
119/tcp  filtered nntp
135/tcp  open     msrpc
139/tcp  open     netbios-ssn
143/tcp  filtered imap
445/tcp  open     microsoft-ds
465/tcp  filtered smtps
548/tcp  filtered afp
563/tcp  filtered snews
587/tcp  filtered submission
800/tcp  filtered mdbs_daemon
993/tcp  filtered imaps
995/tcp  filtered pop3s
1433/tcp filtered ms-sql-s
1947/tcp open     sentinelsrm
2179/tcp open     vmrdp
5357/tcp open     wsdapi
5432/tcp open     postgresql

Nmap done: 1 IP address (1 host up) scanned in 1.99 seconds

Or better yet, you can scan the whole subnet you are in.

nmap 192.168.1.0/24

Pretty neat huh?

Types Of Scans In NMAP

Now that we know how this works and have gotten our feet wet enough to be comfortable with it, we can start looking at the variety of scans NMAP provides. Remember that one type of scan is not superior to another. It just boils down to your use case and what you are looking for.

I cannot cover all of the options for all the scan types here so I will just mention the significant ones you will most likely use.

Ping Scan (-sn)

This scan is for checking if a host is alive or not. Just like asking "you dead?". The -sn option enables this.

nmap -sn 192.168.1.1

If you are curious the --help directive says this: -sn: Ping Scan - disable port scan. This means it will not scan for ports but just check if a host is alive or not. This is a friendly scan and not many hosts would mind you scanning them like this.

Port Scanning (-p)

As the name suggests, the -p option lets you choose which ports to scan on a host. You can use it in two ways.

One is by explicitly mentioning which ports you want to check for like this:

nmap -p 22,80,443 192.168.1.1

Or you can scan all 65,535 ports:

nmap -p- 192.168.1.1

But let's say that you wanted to scan only a selected range of ports, you would do it like this:

nmap -p 20-445 192.168.1.1

Other than this you can also mention if you want to exclude some ports using the --exclude-ports option which can be used like this:

nmap -p- --exclude-ports 443,5432 192.168.1.1

There are some more combos you can try but let's just keep things simple for now.
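Before probing anything, NMAP resolves every port list, range and exclusion you pass into one concrete set of ports, and it helps to see that resolution spelled out. The Python function below is an added example, not NMAP's own code: it expands the -p spellings used above (explicit lists, ranges, open-ended ranges where NMAP fills in 1 and 65535, and the bare - of -p- for all ports) and applies an --exclude-ports list on top. Protocol prefixes such as T: and U: and service names are not handled here.

```python
MAX_PORT = 65535


def expand_port_spec(spec, exclude=None):
    """Expand an nmap-style -p port specification into a sorted list of port numbers.

    Supported forms (the ones used in this section): "22,80,443", "20-445",
    "-" (every port, as in -p-), and open-ended ranges such as "-100" or "1000-",
    for which nmap substitutes 1 and 65535 respectively. `exclude` takes the same
    syntax and mirrors --exclude-ports.
    """
    selected = set()
    for item in spec.split(","):
        item = item.strip()
        if not item:
            raise ValueError("empty port entry in %r" % spec)
        if "-" in item:
            lo_text, hi_text = item.split("-", 1)
            lo = int(lo_text) if lo_text else 1          # "-100" means 1-100
            hi = int(hi_text) if hi_text else MAX_PORT   # "1000-" means 1000-65535
        else:
            lo = hi = int(item)                          # a single port
        if not (0 <= lo <= hi <= MAX_PORT):
            raise ValueError("invalid port range %r" % item)
        selected.update(range(lo, hi + 1))
    if exclude:
        # --exclude-ports is applied after the main spec has been resolved
        selected.difference_update(expand_port_spec(exclude))
    return sorted(selected)


if __name__ == "__main__":
    # Mirrors the three commands above plus the --exclude-ports variant
    print(expand_port_spec("22,80,443"))
    print(len(expand_port_spec("-")), "ports for -p-")
    print(len(expand_port_spec("20-445")), "ports for -p 20-445")
    print(len(expand_port_spec("-", exclude="443,5432")), "ports after excluding 443,5432")
```

A spec that resolves to tens of thousands of ports is also a useful reminder of scan cost: -p- against a subnet takes many times longer than the default top-1000 scan, which matters when you are scheduling scans later in this article.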

Service & Version Detection (-sV)

We were already seeing which service runs on which port in the responses to the previous commands. This option makes sure the version of each service is returned as well. In case you are wondering, you can use these versions with Metasploit to find out about specific vulnerabilities in different versions of a piece of software.

nmap -sV 192.168.1.1

OS Detection (-O)

This will let you know what operating system the host is running on. Pretty handy if you are looking for OS related hacks.

nmap -O 192.168.1.1

Aggressive Scan (-A)

This, as it sounds like, is not appreciated by many hosts. But it is nothing that complicated. It is actually a combination of several types of scans bundled into one. It combines the following types of scans:

  • Open ports and running services

  • Service versions

  • Possible OS details

  • Traceroute information

nmap -A 192.168.1.1

Mind you that this scan is noisy and would get you unwanted attention. So running the separate scans individually is sometimes the better option. The aggressive scan is better used only when you have limited time or need a quick reconnaissance without worrying about your visibility.

Stealth Scan (-sS)

As the name suggests, it does not trigger any unwanted alerts and logs about your scan on the firewall. It is also known as SYN scan and you will know soon enough why.

Unlike the normal scans, a stealth scan does not complete the 3-way handshake with the host, making it harder for the host to register that you ever connected to it.

In case you don't know, here are the steps of a full handshake which the normal scans do:

  • SYN → Scanner sends a connection request to the target.

  • SYN-ACK → Target responds, saying it's ready.

  • ACK → Scanner acknowledges and completes the connection.

This is logged by firewalls & Intrusion Detection Systems (IDS) because a full connection was made.

But stealth scan skips the last step which is acknowledging the connection. Here is how it goes:

  • SYN → Scanner sends a connection request.

  • SYN-ACK (Open Port) or RST (Closed Port) → Target responds.

  • Scanner never sends an ACK, so the connection is never fully established.

nmap -sS -p 22,80,443 192.168.1.1

And before you ask, no you cannot combine it with aggressive scan -A. But other than that, you should be able to use -sS with any other option. Note that the SYN scan crafts raw packets, so it needs root (or administrator) privileges to run.
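The three-step exchange above is exactly what a firewall or IDS sees on the wire, and a SYN scan leaves a recognisable trace of its own: many SYNs from one source to many ports, none of them followed by the final ACK. The Python script below is an added example written from the defender's side; it is not from the original article or from the NMAP project. It runs over a few constructed packet records (source IP, source port, destination IP, destination port, TCP flags) in the shape a flow sensor would log, classifies each SYN attempt by how it ended, and flags sources with many handshakes that never completed. The IP addresses and thresholds are made up for the example.

```python
from collections import defaultdict

# Constructed TCP packet records (not real capture data), in the shape a flow sensor
# or firewall log would record them: (src_ip, src_port, dst_ip, dst_port, tcp_flags).
# Flags: "S" = SYN, "SA" = SYN-ACK, "A" = ACK, "R" = RST.
SAMPLE_PACKETS = [
    # 10.0.0.5 behaves like a SYN scanner: it answers every SYN-ACK with RST, never ACK
    ("10.0.0.5", 40001, "192.168.1.1", 22, "S"),
    ("192.168.1.1", 22, "10.0.0.5", 40001, "SA"),
    ("10.0.0.5", 40001, "192.168.1.1", 22, "R"),
    ("10.0.0.5", 40002, "192.168.1.1", 80, "S"),
    ("192.168.1.1", 80, "10.0.0.5", 40002, "SA"),
    ("10.0.0.5", 40002, "192.168.1.1", 80, "R"),
    ("10.0.0.5", 40003, "192.168.1.1", 443, "S"),
    ("192.168.1.1", 443, "10.0.0.5", 40003, "R"),     # closed port: the target answers RST
    ("10.0.0.5", 40004, "192.168.1.1", 8080, "S"),
    ("192.168.1.1", 8080, "10.0.0.5", 40004, "SA"),
    ("10.0.0.5", 40004, "192.168.1.1", 8080, "R"),
    ("10.0.0.5", 40005, "192.168.1.1", 3306, "S"),    # filtered port: no reply at all
    # 10.0.0.9 is an ordinary client that completes the handshake
    ("10.0.0.9", 51000, "192.168.1.1", 443, "S"),
    ("192.168.1.1", 443, "10.0.0.9", 51000, "SA"),
    ("10.0.0.9", 51000, "192.168.1.1", 443, "A"),
]


def classify_probes(packets):
    """Group every SYN by the client that sent it and record how the attempt ended.

    Returns {client_ip: {(server_ip, server_port): outcome}} where outcome is one of
    "completed" (client sent the final ACK), "half-open" (server sent SYN-ACK but the
    client never ACKed), "closed" (server answered RST) or "unanswered".
    """
    outcomes = defaultdict(dict)
    for src, sport, dst, dport, flags in packets:
        if flags == "S":
            # the first SYN for this client/server/port opens a new attempt
            outcomes[src].setdefault((dst, dport), "unanswered")
        elif flags in ("SA", "R") and (src, sport) in outcomes.get(dst, {}):
            # a reply travelling server -> client: key it from the client's point of view
            key = (src, sport)
            if outcomes[dst][key] == "unanswered":
                outcomes[dst][key] = "half-open" if flags == "SA" else "closed"
        elif flags == "A" and (dst, dport) in outcomes.get(src, {}):
            # third step of the handshake, sent by the client
            outcomes[src][(dst, dport)] = "completed"
    return outcomes


def find_syn_scanners(packets, threshold=5):
    """Return {client_ip: incomplete_attempts} for every client whose count of SYN
    attempts that never turned into a full connection reaches the threshold."""
    suspects = {}
    for client, attempts in classify_probes(packets).items():
        incomplete = sum(1 for outcome in attempts.values() if outcome != "completed")
        if incomplete >= threshold:
            suspects[client] = incomplete
    return suspects


if __name__ == "__main__":
    for client, attempts in classify_probes(SAMPLE_PACKETS).items():
        print(client, dict(attempts))
    print("likely SYN scanners:", find_syn_scanners(SAMPLE_PACKETS, threshold=3))
```

On the sample data the scanner stands out with five incomplete attempts against one target while the legitimate client has none. Real sensors add a time window and per-destination counting, but the signal is the same one this section describes: a SYN scan's "stealth" is relative to application logs, which never see the half-open connection, not to network-level monitoring.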

UDP Scan (-sU)

All of the normal scans use the TCP protocol. If you want to scan over UDP instead, you will need to use the -sU option.

nmap -sU -p 22,80,443 192.168.1.1

This is useful since many essential network services rely on UDP rather than TCP, and attackers often target unmonitored or overlooked UDP ports. Here are some examples of services which run on UDP:

  • DNS (53) – Domain Name System

  • DHCP (67/68) – Dynamic Host Configuration Protocol

  • SNMP (161/162) – Simple Network Management Protocol (used for monitoring)

  • TFTP (69) – Trivial File Transfer Protocol

  • NTP (123) – Network Time Protocol

  • RADIUS (1812/1813) – Authentication for network access

With that said keep in mind that firewalls block most UDP traffic, so admins assume it’s "safe". And many intrusion detection systems (IDS) don’t log UDP scans. Therefore it is always a good idea to include UDP scans in your security audit.

NMAP Scripting Engine (NSE)

This is one of the most powerful features NMAP has to offer. These scripts allow you to automate a variety of networking tasks. The scripts themselves are written in Lua Programming Language so you will have to get to know the language first. But, to make lives easier, NMAP includes over 600 ready-to-use scripts which are available to you on a fresh installation. So you can just try one out yourself right now.

nmap --script vuln 192.168.1.1

The vuln argument above is a script category: it runs every script tagged vuln against the target host to check it for known vulnerabilities.

If you wish to use multiple scripts at once, then you can do so by this convention:

nmap --script=default,vuln 192.168.1.1

To get a description of the scripts in a category (or of a single script by name), you can run the following commands:

nmap --script-help=default

nmap --script-help=vuln

Writing Your Own Scripts

The fun part is that you can write your own scripts as well and run them just like the pre-made ones. There are several components in a script and we are going to look at each of them. Each component is defined and stored in a variable inside the script. Following is a sample of such a script:

description = [[
This script checks if port 8080 is open.
]]

author = "Your Name"
license = "Same as Nmap"
categories = {"safe","vuln"}

portrule = function(host, port)
    return port.number == 8080
end

action = function(host, port)
    return "Port 8080 is open!"
end

description is the help text you see when you run nmap --script-help=<script-name>.

author is well the person who writes the script. You've got to work on your fame once you write a killer script right?

license is just that.

categories defines which categories NMAP files your script under. Remember we used vuln in the example command above? Well, that was a category, and that command would run all of the scripts marked as vuln. Other common categories are:

  • safe – Won’t harm the target (e.g., information gathering).

  • intrusive – Might be detected or cause issues (e.g., brute-force scripts).

  • vuln – Used to check for vulnerabilities.

  • discovery – Helps discover hosts, services, or info about the target.

portrule defines when the script should run. This is a function which should return a Boolean value. The above example shows that the script will only run on port 8080.

action is the main logic of the script. This function will run when you execute a script. It should return some result which will be shown as output on the terminal. But if the above example is too simple for you, then here is a more advanced action for you to ponder on:

action = function(host, port)
    local socket = nmap.new_socket()
    socket:set_timeout(5000)  -- give up after 5 seconds instead of hanging the scan
    local ok, err = socket:connect(host.ip, port.number)
    if not ok then
        return "Connection failed: " .. tostring(err)
    end
    socket:send("HEAD / HTTP/1.1\r\nHost: " .. host.ip .. "\r\n\r\n")
    -- receive() returns a status flag first and the data second
    local status, response = socket:receive()
    socket:close()
    return status and response or "No response received"
end

This action connects to the port the script's portrule matched, sends a HEAD request, and returns the HTTP response headers (the banner) as the script's output.

Don't Forget To Save It Properly

Once you have written your script, you can save it using the .nse extension. Then run it using:

nmap --script ./my-script.nse 192.168.1.1

Where To Find Your Script?

📂 Linux/macOS:

/usr/share/nmap/scripts/

📂 Windows:

C:\Program Files (x86)\Nmap\scripts\

If you wish to put your custom script in the native NMAP scripts directory, then make sure to run the following afterwards:

nmap --script-updatedb

This will register your script in the scripts.db file which is basically a text file. You can open it via text editor to see its contents.

Automating And Saving Scanned Results

Let's start with saving the results. I will demonstrate how to save the same results in three different formats:

  • Normal text output:
nmap -oN output.txt 192.168.1.1
  • XML format (useful for parsing in other tools):
nmap -oX output.xml 192.168.1.1
  • Grepable output (for further processing):
nmap -oG output.gnmap 192.168.1.1

Now let's talk about the automating part. Just like any system process you can use the crontab to automate it. To schedule automated scans using cron use the following:

crontab -e

then add the following line to run the scan every day at midnight:

0 0 * * * nmap -A 192.168.1.1 > /path/to/output.txt

Notice that we are running the aggressive scan here. You can use whatever you like instead. It would be a piece of cake for you if you are a Linux user.

Real World Usecases

  • Network Security Auditing - Organizations use NMAP to scan their networks and identify open ports, services, and misconfigurations that attackers could exploit. Helps with compliance audits (e.g., PCI-DSS, GDPR, HIPAA).

  • Penetration Testing - For obvious reasons, pentesters use NMAP to find vulnerabilities in a network before hackers do. They can identify outdated services, weak authentication, and open backdoors.

  • System Monitoring - It is not just a tool for pentesters. System administrators also use NMAP to track changes in network infrastructure—detecting new devices, unauthorized servers, or unexpected open ports.

  • Identifying Malware & Backdoors - NMAP can detect malware-infected machines by identifying unexpected open ports or suspicious services. Some malware creates hidden backdoors, allowing attackers to access the system remotely. Helps in incident response after a cyberattack and detects hidden malware persistence mechanisms.
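The XML output format from the previous section and the system-monitoring use case above fit together naturally: a scheduled scan writes an -oX file, and a small script compares it with a baseline to surface new hosts, newly opened ports and changed service versions. The Python script below is an added example, not part of the original article or of the NMAP project. It embeds two constructed, trimmed nmap -oX documents (a baseline and a later scan of the same made-up network; the hosts, ports and version strings are invented), parses the elements that matter with the standard library's xml.etree, and reports the differences. The load_scan helper is there so the same comparison can be run on files written by the cron job above.

```python
import xml.etree.ElementTree as ET

# Constructed samples of nmap -oX output (not real scan data), trimmed to the
# elements this example reads. First a baseline scan of the network...
BASELINE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" version="7.95" args="nmap -sV -oX baseline.xml 192.168.1.0/24">
<host><status state="up" reason="arp-response"/>
<address addr="192.168.1.1" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh" product="OpenSSH" version="8.9p1"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http" product="nginx" version="1.24.0"/></port>
<port protocol="tcp" portid="443"><state state="filtered" reason="no-response"/><service name="https"/></port>
</ports></host>
<runstats><finished elapsed="1.99"/><hosts up="1" down="255" total="256"/></runstats>
</nmaprun>"""

# ...then a later scan: nginx was upgraded, an unexpected port 4444 opened on the
# router, and a brand-new host appeared with SMB exposed.
CURRENT_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" version="7.95" args="nmap -sV -oX current.xml 192.168.1.0/24">
<host><status state="up" reason="arp-response"/>
<address addr="192.168.1.1" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh" product="OpenSSH" version="8.9p1"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http" product="nginx" version="1.25.0"/></port>
<port protocol="tcp" portid="443"><state state="filtered" reason="no-response"/><service name="https"/></port>
<port protocol="tcp" portid="4444"><state state="open" reason="syn-ack"/><service name="krb524"/></port>
</ports></host>
<host><status state="up" reason="arp-response"/>
<address addr="192.168.1.50" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="445"><state state="open" reason="syn-ack"/><service name="microsoft-ds"/></port>
</ports></host>
<runstats><finished elapsed="4.10"/><hosts up="2" down="254" total="256"/></runstats>
</nmaprun>"""


def parse_nmap_xml(xml_text):
    """Parse nmap -oX output into {host_ip: {(proto, port): info}} for hosts that are up."""
    hosts = {}
    for host in ET.fromstring(xml_text).findall("host"):
        status = host.find("status")
        addr = host.find("address[@addrtype='ipv4']")
        if status is None or status.get("state") != "up" or addr is None:
            continue
        ports = {}
        for port in host.findall("./ports/port"):
            state = port.find("state")
            service = port.find("service")  # absent when nmap could not name the service
            info = {"state": state.get("state") if state is not None else "unknown"}
            for attr in ("name", "product", "version"):
                info[attr] = service.get(attr, "") if service is not None else ""
            ports[(port.get("protocol"), int(port.get("portid")))] = info
        hosts[addr.get("addr")] = ports
    return hosts


def diff_scans(baseline, current):
    """Report what changed between two parsed scans: hosts that appeared or vanished,
    ports that became open or stopped being open, and open services whose
    product/version string changed."""
    report = {"new_hosts": [], "missing_hosts": [], "newly_open": [],
              "no_longer_open": [], "version_changed": []}
    for ip in sorted(set(baseline) | set(current)):
        if ip not in baseline:
            report["new_hosts"].append(ip)
        if ip not in current:
            report["missing_hosts"].append(ip)
        old_ports, new_ports = baseline.get(ip, {}), current.get(ip, {})
        for key in sorted(set(old_ports) | set(new_ports)):
            # a port missing from a scan is treated as closed (nmap omits closed ports)
            old_state = old_ports.get(key, {}).get("state", "closed")
            new_state = new_ports.get(key, {}).get("state", "closed")
            where = (ip,) + key
            if new_state == "open" and old_state != "open":
                report["newly_open"].append(where + (new_ports[key]["name"],))
            elif old_state == "open" and new_state != "open":
                report["no_longer_open"].append(where)
            elif old_state == "open":  # open in both scans: compare the version banner
                old_ver = (old_ports[key]["product"], old_ports[key]["version"])
                new_ver = (new_ports[key]["product"], new_ports[key]["version"])
                if old_ver != new_ver:
                    report["version_changed"].append(where + (old_ver, new_ver))
    return report


def load_scan(path):
    """Read an nmap -oX file from disk, e.g. one written by a scheduled scan."""
    with open(path, encoding="utf-8") as fh:
        return parse_nmap_xml(fh.read())


if __name__ == "__main__":
    changes = diff_scans(parse_nmap_xml(BASELINE_XML), parse_nmap_xml(CURRENT_XML))
    for kind, entries in changes.items():
        for entry in entries:
            print(kind, entry)
```

Run against the two samples this reports the new host 192.168.1.50, the newly opened ports 4444 and 445, and the nginx version change on port 80; nothing is reported for port 22, which is unchanged. A scan that writes -oX files from cron plus a comparison like this one is the simplest form of the "detect unauthorized servers or unexpected open ports" monitoring described above.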

Zenmap GUI

If you are not a fan of terminals (which you shouldn't be) then NMAP also has a GUI version of the tool called Zenmap. Luckily enough, you don't have to download it separately, as it is included in the default installation of NMAP. Find the zenmap executable inside the installation folder and run it. It is available for all platforms including Linux, Windows and macOS.

If you know what a "man page" is, then they also have a dedicated manpage for zenmap, which can be pretty useful for obvious reasons (Chapter 12 - Zenmap GUI User's Guide).

Where To Learn more About It?

It goes without saying that documentation is always the best source if you want to learn about a tool. But as it stands, NMAP defies the convention of maintaining their own documentation:

Luckily enough they do have third parties covering for them. You can find all the third-party books and resources on their docs page as well.

They also host an HTML version of the book "NMAP Network Scanning" written by Gordon "Fyodor" Lyon.

As for NSE, you can find more information about it in the NSE Guide or read about all 612 NSE pre-made scripts or explore 139 NSE libraries.

All The Fun Stuff

If you haven't already, there is an obscure tab on the NMAP site called "In The Movies". What you will find there is NMAP as a celebrity, starring in several popular movies where hackers use it to break into the government and wreak havoc. Maybe this is where we all get the inspiration for pulling off something like that someday.

Honestly it is a real treat, go and visit that page.

Conclusion

NMAP is an essential tool for network administrators and cyber security practitioners alike. This tool opens a door that lets you look into your own or your target's network. Whether you are mapping a network, finding vulnerabilities, or performing penetration tests, mastering Nmap will enhance your cybersecurity skills. Plus it looks good on your resume as well.

You can leverage it to identify vulnerabilities, detect unauthorized devices, and strengthen network defenses before attackers exploit them. Understanding how Nmap works is crucial for both penetration testers and security teams to maintain a robust security posture.

By using Nmap wisely, organizations can stay ahead of potential threats, uncover hidden risks, and ensure their networks remain secure and well-protected.


If you liked what you read and want us to publish more content like this, then please give it a ♥️ and comment if you have any questions or wisdom to share. Follow us to keep yourself updated with more content. We like to make our readers happy. Happy Hacking!
