Nmap from Scratch — Complete Guide to Network Scanning
Nmap (Network Mapper) is one of the oldest and most powerful tools in the arsenal of every security professional and network administrator. It allows for host discovery, port scanning, service detection, OS identification and running advanced scripts that automate auditing.
In this article you’ll find dozens of specific examples with descriptions — from absolute basics to advanced techniques used in professional penetration tests.
⚠️ Important: Scanning a network without the owner’s consent is illegal. Perform all examples only on your own infrastructure or as part of an authorised pentest.
Installation
Ubuntu / Debian
sudo apt update && sudo apt install -y nmap
RHEL / CentOS / Rocky Linux
sudo dnf install -y nmap
Version check
nmap --version
# Nmap version 7.94 ( https://nmap.org )
1. Host Discovery
Ping scan — quick detection of active hosts in a network
nmap -sn 192.168.1.0/24
Nmap sends ICMP Echo Request packets to all addresses in the subnet. It doesn’t scan ports — only checks which hosts respond. Useful for quick local network inventory.
Nmap scan report for 192.168.1.1
Host is up (0.0012s latency).
Nmap scan report for 192.168.1.10
Host is up (0.0034s latency).
Nmap scan report for 192.168.1.105
Host is up (0.0021s latency).
Host discovery without ping (bypassing firewall)
nmap -sn -PS80,443,22 192.168.1.0/24
Sends TCP SYN to ports 80, 443 and 22 instead of ICMP. Useful when a firewall blocks ping but allows HTTP/SSH traffic.
Scanning from a target list file
nmap -sn -iL targets.txt
The targets.txt file can contain IP addresses, CIDR ranges or hostnames — one per line.
Disable DNS lookup (faster scanning)
nmap -sn -n 10.0.0.0/8
The -n flag skips DNS name resolution, which significantly speeds up scanning of large ranges.
2. Port Scanning
Scanning the default 1000 ports
nmap 192.168.1.10
By default Nmap scans the 1000 most common TCP ports. A good starting point for quick reconnaissance.
Scanning all 65535 ports
nmap -p- 192.168.1.10
Complete scan — takes longer, but guarantees you won’t miss any service running on a non-standard port.
Scanning specific ports
nmap -p 22,80,443,3306,5432 192.168.1.10
Scan only the specified ports. Great when you know what you’re looking for — e.g. databases (3306 MySQL, 5432 PostgreSQL).
Scanning a port range
nmap -p 1-1024 192.168.1.10
Scans ports from 1 to 1024 — the so-called “well-known ports” where standard system services run.
UDP port scanning
sudo nmap -sU -p 53,67,68,123,161,500 192.168.1.1
UDP is often overlooked, yet services like DNS (53), DHCP (67/68), NTP (123), SNMP (161) and VPN (500) hide there. Requires root privileges.
Scanning TCP and UDP simultaneously
sudo nmap -sS -sU -p T:80,443,U:53,161 192.168.1.1
The T: prefix means TCP, U: — UDP. Allows both protocols to be scanned in a single pass.
3. Scan Types
SYN Scan (default, “half-open”)
sudo nmap -sS 192.168.1.10
The most popular and fastest technique. Nmap sends SYN, waits for SYN-ACK and immediately responds with RST — no full connection is established. Harder to detect in application logs. Requires root.
TCP Connect Scan (without root)
nmap -sT 192.168.1.10
Uses the system connect(). Slower and more visible in logs, but doesn’t require root. Good for regular users.
ACK Scan — mapping firewall rules
sudo nmap -sA 192.168.1.10
Used not to detect open ports, but to determine whether ports are filtered by a firewall. “Unfiltered” means the firewall passes the packet.
FIN / NULL / Xmas Scan — bypassing IDS
sudo nmap -sF 192.168.1.10 # FIN scan
sudo nmap -sN 192.168.1.10 # NULL scan (no flags)
sudo nmap -sX 192.168.1.10 # Xmas scan (FIN+PSH+URG)
Techniques based on sending packets with non-standard TCP flags. Some older systems and firewalls don’t filter them correctly. Usually ineffective on Windows systems.
Idle Scan — scanning through a “zombie”
sudo nmap -sI 192.168.1.50 192.168.1.10
Advanced stealth technique — Nmap scans the target (.10) using the IP address of a zombie host (.50). Your IP address doesn’t appear in the target’s logs. Requires a host with a predictable IPID.
4. Service and Version Detection
Detection of running service versions
nmap -sV 192.168.1.10
Nmap tries to determine the exact version of each service running on an open port. Critical during an audit — knowing the version lets you check for known CVEs.
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.6
80/tcp open http nginx 1.24.0
443/tcp open ssl/https nginx 1.24.0
3306/tcp open mysql MySQL 8.0.36
Version detection intensity
nmap -sV --version-intensity 9 192.168.1.10
Scale 0–9. Higher level = more attempts = slower, but more accurate. Default value is 7.
Operating system detection
sudo nmap -O 192.168.1.10
Nmap analyses TCP/IP responses and tries to match a “fingerprint” against a database of known systems.
OS details: Linux 5.15 - 6.1
Network Distance: 1 hop
Aggressive scan (version + OS + traceroute + scripts)
sudo nmap -A 192.168.1.10
Equivalent of -sV -O --traceroute -sC. Complete host information in one command. Noisy and slow — don’t use in production without consent.
5. Scan Performance and Speed
Speed profiles (-T0 to -T5)
nmap -T0 192.168.1.10 # Paranoid — very slow, evades IDS
nmap -T1 192.168.1.10 # Sneaky
nmap -T2 192.168.1.10 # Polite — conserves bandwidth
nmap -T3 192.168.1.10 # Normal (default)
nmap -T4 192.168.1.10 # Aggressive — faster, requires good connection
nmap -T5 192.168.1.10 # Insane — may miss results
On your own local network, -T4 is a good balance between speed and accuracy.
Manual speed control
nmap --min-rate 1000 --max-retries 2 192.168.1.0/24
Forces a minimum of 1000 packets per second and gives up on a port after at most 2 retransmissions. Useful when scanning large networks.
Parallel multi-host scanning
nmap --min-hostgroup 64 192.168.1.0/24
Scans 64 hosts simultaneously instead of sequentially.
6. NSE Scripts (Nmap Scripting Engine)
NSE is one of the most powerful aspects of Nmap. Scripts are written in Lua and allow automating dozens of audit tasks.
Run default scripts
nmap -sC 192.168.1.10
Runs scripts from the default category — safe, fast, useful.
Vulnerability detection
nmap --script vuln 192.168.1.10
Checks for known vulnerabilities: Heartbleed, MS17-010 (EternalBlue), ShellShock and others.
Check for EternalBlue vulnerability (MS17-010)
nmap --script smb-vuln-ms17-010 -p 445 192.168.1.0/24
Scans the entire network for Windows machines vulnerable to the exploit used by WannaCry.
Host script results:
| smb-vuln-ms17-010:
| VULNERABLE:
| Remote Code Execution vulnerability in Microsoft SMBv1
| State: VULNERABLE
| IDs: CVE:CVE-2017-0144
SSH brute-force
nmap --script ssh-brute -p 22 192.168.1.10
Attempts to log into SSH using a built-in list of logins and passwords. Only on your own servers!
SMB user enumeration
nmap --script smb-enum-users -p 445 192.168.1.10
Lists user accounts available via the SMB protocol (Windows / Samba).
SSL/TLS configuration check
nmap --script ssl-enum-ciphers -p 443 192.168.1.10
Lists supported cipher suites and rates their security (A/B/C/F).
| TLSv1.2:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
| TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
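To turn those grades into a check an audit can fail on, the helper below (an added example, not from the original article) parses ssl-enum-ciphers output in the layout shown above and lists every suite rated below B. The sample output, including its grades, is constructed here rather than taken from a real scan.

```shell
#!/bin/bash
# weak_ciphers [FILE]
# Parses the normal output of ssl-enum-ciphers (terminal or -oN; stdin when no
# file is given) and prints "protocol cipher grade" for every suite rated below B.
weak_ciphers() {
    awk '
        # protocol header, e.g. "|   TLSv1.2:" -> remember the protocol name
        /^\|[_ ]*(SSL|TLS)v[0-9.]+:[ \t]*$/ {
            proto = $2; sub(/:$/, "", proto); next
        }
        # cipher line, e.g. "|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C"
        # grades are single letters, so a plain string comparison orders them
        /^\|[_ ]*TLS_[A-Z0-9_]+ .*- [A-F]$/ {
            if ($NF > "B") print proto, $2, $NF
        }' "$@"
}

# Exit status 0 when no suite below B is offered, 1 otherwise (usable as a CI gate).
tls_audit_passes() { [ -z "$(weak_ciphers "$@")" ]; }

# Constructed sample in the script's output layout (grades are illustrative, not measured).
SAMPLE_OUT=$(mktemp)
cat > "$SAMPLE_OUT" <<'EOF'
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - D
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|_  least strength: D
EOF

weak_ciphers "$SAMPLE_OUT"
tls_audit_passes "$SAMPLE_OUT" && echo "TLS audit passed" || echo "TLS audit FAILED: weak suites offered"
```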
Heartbleed detection (CVE-2014-0160)
nmap --script ssl-heartbleed -p 443 192.168.1.10
HTTP header and method detection
nmap --script http-methods,http-headers -p 80,443 192.168.1.10
Checks which HTTP methods the server accepts (GET, POST, PUT, DELETE, TRACE — TRACE should usually be disabled) and which headers it returns.
Scan for default credentials
nmap --script http-default-accounts -p 80,8080,8443 192.168.1.0/24
Checks popular admin panels (Tomcat, Jenkins, Router admin) for default passwords.
DNS zone transfer
nmap --script dns-zone-transfer --script-args dns-zone-transfer.domain=4geeker.com -p 53 192.168.1.1
Attempts to fetch the full DNS zone. If successful — the DNS server is misconfigured and reveals the entire domain structure.
FTP anonymous login detection
nmap --script ftp-anon -p 21 192.168.1.0/24
Checks whether the FTP server allows login without a password (anonymous user).
MySQL database enumeration
nmap --script mysql-databases,mysql-users -p 3306 192.168.1.10
Without authentication or with provided credentials, detects MySQL databases and users.
7. Saving Results
Save to text file
nmap -sV 192.168.1.0/24 -oN results.txt
Save in XML format (for further analysis)
nmap -sV 192.168.1.0/24 -oX results.xml
XML can be imported into tools like Metasploit, Faraday, or custom Python scripts.
Save in greppable format
nmap -sV 192.168.1.0/24 -oG results.gnmap
Simple format for fast processing with grep, awk, cut.
Save in all formats simultaneously
nmap -sV 192.168.1.0/24 -oA full_results
Creates three files: full_results.nmap, full_results.xml, full_results.gnmap.
8. Real Pentest Examples
Reconnaissance phase — full network scan
# Step 1: Quick host discovery
sudo nmap -sn -n --min-rate 2000 10.10.10.0/24 -oG hosts_live.gnmap
# Step 2: Extract live hosts to file
grep "Up" hosts_live.gnmap | awk '{print $2}' > hosts.txt
# Step 3: Full port scan on live hosts
sudo nmap -sS -p- -n --min-rate 3000 -iL hosts.txt -oA full_ports
# Step 4: Version detection and scripts on found ports
sudo nmap -sV -sC -p 22,80,443,8080,8443,3306 -iL hosts.txt -oA services
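Step 4 above hard-codes the port list; in practice the ports come from the Step 3 result. The helper below (an added example, not part of the original article) reads a greppable file such as full_ports.gnmap, prints the open ports per host and echoes the matching Step 4 command. The sample file is constructed inline, not real scan output.

```shell
#!/bin/bash
# open_ports_from_gnmap [FILE]
# Reads greppable Nmap output (-oG; stdin when no file is given) and prints
# one "host port,port,..." line per host that has at least one open port.
open_ports_from_gnmap() {
    awk '
        # Port lines look like:
        #   Host: 10.10.10.5 ()<TAB>Ports: 22/open/tcp//ssh///, 80/open/tcp//http///<TAB>Ignored State: closed (65533)
        # Each entry is port/state/protocol/owner/service/rpc-info/version/
        /^Host:/ && /Ports:/ {
            host = $2
            sub(/.*Ports: /, "")                # keep only the entry list
            sub(/[ \t]*Ignored State:.*/, "")   # drop the trailing summary
            n = split($0, entry, /, */)
            ports = ""
            for (i = 1; i <= n; i++) {
                split(entry[i], f, "/")         # f[1]=port f[2]=state f[3]=protocol
                if (f[2] == "open")
                    ports = (ports == "" ? f[1] : ports "," f[1])
            }
            if (ports != "") print host, ports
        }' "$@"
}

# Constructed sample in -oG layout (not the output of a real scan).
SAMPLE_GNMAP=$(mktemp)
{
    printf '# Nmap 7.94 scan initiated (constructed sample) as: nmap -sS -p- -oG full_ports.gnmap 10.10.10.0/24\n'
    printf 'Host: 10.10.10.5 ()\tStatus: Up\n'
    printf 'Host: 10.10.10.5 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 3306/filtered/tcp//mysql///\tIgnored State: closed (65532)\n'
    printf 'Host: 10.10.10.7 ()\tPorts: 443/open/tcp//https///, 25/closed/tcp//smtp///\tIgnored State: filtered (65533)\n'
    printf 'Host: 10.10.10.9 ()\tStatus: Up\n'
    printf '# Nmap done: 3 IP addresses (3 hosts up) scanned\n'
} > "$SAMPLE_GNMAP"

# Dry run of Step 4 with a per-host port list: the commands are echoed, not executed.
open_ports_from_gnmap "$SAMPLE_GNMAP" | while read -r host ports; do
    echo "sudo nmap -sV -sC -p $ports $host -oA services_$host"
done
```

Hosts whose ports were all closed or filtered (10.10.10.9 in the sample) produce no line and are skipped in Step 4.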
Quick web server security audit
sudo nmap -sS -sV -p 80,443,8080,8443 \
--script "http-methods,http-headers,ssl-enum-ciphers,ssl-heartbleed,http-default-accounts" \
192.168.1.10 -oA web_audit
Active Directory / Windows audit
sudo nmap -sS -p 88,135,139,389,445,464,636,3268,3269 \
--script "smb-vuln-ms17-010,smb-enum-users,ldap-rootdse" \
10.10.10.0/24 -oA ad_audit
Scan with spoofed source address (decoy)
sudo nmap -D 10.0.0.1,10.0.0.2,ME 192.168.1.10
Nmap sends the probes with several spoofed source addresses (decoys) alongside the real one (ME). This makes it harder to identify the true source of the scan in firewall logs.
Scanning through proxy / Tor
nmap --proxies socks4://127.0.0.1:9050 192.168.1.10
Routes traffic through a SOCKS proxy (e.g. Tor). Note: only works with TCP Connect Scan (-sT).
9. Useful Flag Combinations
| Goal | Command |
|---|---|
| Quick local network recon | nmap -sn 192.168.1.0/24 |
| Full scan without root | nmap -sT -sV -p- target |
| Quiet IDS-evading scan | sudo nmap -sS -T2 -f target |
| Complete host audit | sudo nmap -A -p- target |
| Only open ports in output | nmap --open 192.168.1.0/24 |
| Scan skipping ping | nmap -Pn target |
| Fragmented packets (IDS evasion) | sudo nmap -f target |
| Custom MTU | sudo nmap --mtu 24 target |
10. Automation with Bash
Script for regular network auditing
#!/bin/bash
# audit-network.sh – run e.g. via cron weekly
TARGET="192.168.1.0/24"
DATE=$(date +%Y%m%d_%H%M)
OUTDIR="/opt/nmap-audits/$DATE"
mkdir -p "$OUTDIR"

echo "[*] Discovering hosts..."
sudo nmap -sn -n "$TARGET" -oG "$OUTDIR/hosts.gnmap"

# Each live host appears as "Host: <ip> ()  Status: Up" in the greppable output
LIVE=$(grep "Status: Up" "$OUTDIR/hosts.gnmap" | awk '{print $2}' | tr '\n' ' ')
if [ -z "$LIVE" ]; then
    echo "[-] No live hosts found, nothing to scan"
    exit 1
fi
echo "[*] Found hosts: $LIVE"

echo "[*] Scanning ports and services..."
# $LIVE is intentionally unquoted so that each address becomes a separate argument
sudo nmap -sS -sV -O --script default,vuln \
    -p- --min-rate 2000 \
    $LIVE \
    -oA "$OUTDIR/full_scan"
echo "[+] Done. Results in: $OUTDIR"
Parsing XML results in Python
import xml.etree.ElementTree as ET

# results.xml is the file written by nmap -oX
tree = ET.parse("results.xml")
root = tree.getroot()

for host in root.findall("host"):
    # the first <address> element is the IP address (a MAC address may follow it)
    addr = host.find("address").get("addr")
    for port in host.findall("ports/port"):
        portid = port.get("portid")
        state = port.find("state").get("state")
        # <service> is only present when -sV (or a script) identified the service
        service = port.find("service")
        svc_name = service.get("name", "unknown") if service is not None else "unknown"
        version = service.get("version", "") if service is not None else ""
        if state == "open":
            print(f"{addr}:{portid} [{svc_name} {version}]")
Summary
Nmap is a tool that grows with you — from a simple nmap 192.168.1.1 to complex reconnaissance pipelines with NSE. Key principles:
- Always have authorisation before scanning any network
- Start with light host discovery, then dive into the details
- Use -oA to always save results — it’ll be useful for reporting
- Combine Nmap with other tools: Metasploit, Burp Suite, Nuclei, OpenVAS
- Regular automated auditing of your own infrastructure is a good DevSecOps practice
Questions about a specific technique or want to see how to integrate Nmap into a CI/CD pipeline? Write to us: kontakt@4geeker.com