Nmap usage

-WORK-IN-PROGRESS-

Intro

Nmap is probably one of the most useful tools I’ve used ever. Yeah - I’m going all fanboy on it but it is really hard to describe it with any less enthusiasm. Basically Nmap is a network scanning tool. It scan hosts and ports - that’s it. But the sheer amount of data it can gather and the flexibility of the tool itself makes it really stand out.

So who would benefit from knowing Nmap? Well, sysadmins, for one. You’ve just set up a new server. The service seems fine, but somehow you can’t connect to it? A quick Nmap against the service port can show you how other computers see it from the outside.

Pretty much anyone in IT can benefit from knowing basic Nmap: determining if a host is live, if a port is open, or if a service is running on the port. But the main audience? Cybersecurity professionals. You can do a pretty big portion of any enumeration with just Nmap, including vulnerability scanning.

The approach of this article is simple

• Intro
• Installation and basic usage
• Intro to networking
• Scan types
• Scripting Engine
• Output and reporting
• Advanced concepts
• Detection and evasion
• Polite scans and minimal disruption
• Scan performance factors
• Practical usage
• Conclusion
• Resources

Installation and usage

Let’s face it: if you can’t even install a program in Linux, this might not be the article for you. But hey, let’s give you the benefit of the doubt.

• Linux:
  Terminal

  parkado@homelab.hl$ sudo apt install nmap

  or
  Terminal

  parkado@homelab.hl$ dnf install nmap

  or any other distro specific command
• Windows: Download it from nmap.org and run the installer
• macOS:Use Homebrew:
  Terminal

  parkado@homelab.hl$ brew install nmap

  or the installer at nmap.org

Once installed, run nmap in your terminal or command prompt. If it doesn’t scream at you, congratulations—you’ve passed the first test.

Intro to networking

Before diving into scans, let’s cover some basics:

• Ports: 65,535 of them, to be exact. They are the pathways from the network to your programs that listen to them. Each software can listen to multiple ports but one port only services one program.
• Protocols: Ports can run different protocols—like TCP, UDP, or even ICMP. Some ports can handle multiple protocols at the same time, but it’s not common.
• Services:Services are what actually listen on ports. Service could be a webpage like this that is listening on port 443 exclusively (altho I could be listening on other ports also). Only one service per port at a time, though.
• States: A port can be:
  • Open: Redy to accept incoming connections.
  • Closed: Nothing is behind a port so no connection can be accepted there.
  • Filtered: Something (like a firewall) is blocking or filtering it.

Scan types

As Nmap offers a wealth of different scan types let's start off with the most basic host scan. A host scan is a scan where we aim to discover as many hosts (machines) on the network as possible.

A basic Nmap host scan would look something like this:

parkado@homelab.hl$ nmap 192.168.0.1/24
Starting Nmap 7.95 ( https://nmap.org ) at 2025-01-04 21:13 CET
Nmap scan report for 192.168.0.1
Host is up (0.014s latency).
Not shown: 996 closed tcp ports (reset)
PORT     STATE SERVICE
53/tcp   open  domain
80/tcp   open  http
443/tcp  open  https
1900/tcp open  upnp
MAC Address: 34:60:F9:D4:05:8C (TP-Link Limited)

Nmap scan report for 192.168.0.16
Host is up (0.016s latency).
Not shown: 997 closed tcp ports (reset)
PORT     STATE SERVICE
22/tcp   open  ssh
111/tcp  open  rpcbind
3128/tcp open  squid-http
MAC Address: B8:85:84:A7:4E:DC (Dell)

Nmap scan report for 192.168.0.27
Host is up (0.0058s latency).
Not shown: 997 filtered tcp ports (no-response)
PORT    STATE  SERVICE
22/tcp  open   ssh
80/tcp  open   http
443/tcp closed https
MAC Address: BC:24:11:7E:86:B3 (Proxmox Server Solutions GmbH)

Nmap scan report for pi.hole (192.168.0.54)
Host is up (0.016s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE
53/tcp open  domain
80/tcp open  http
MAC Address: E4:5F:01:68:1A:B9 (Raspberry Pi Trading)

Nmap done: 256 IP addresses (4 hosts up) scanned in 35.37 seconds

Here we can see that Nmap found 4 machines on the network and scanned each hosts 1000 most popular ports. For each host we have a output that shows what ports were discovered, in what state they are and what service is running on them.

You can also run a scan against a single target using either IP address or their hostname or URL like this:

parkado@homelab.hl$ nmap parkado.it
Starting Nmap 7.95 ( https://nmap.org ) at 2025-01-05 14:37 CET
Nmap scan report for parkado.it (188.245.159.79)
Host is up (0.044s latency).
rDNS record for 188.245.159.79: static.79.159.245.188.clients.your-server.de
Not shown: 997 filtered tcp ports (no-response)
PORT    STATE  SERVICE
22/tcp  open   ssh
80/tcp  closed http
443/tcp open   https

Nmap done: 1 IP address (1 host up) scanned in 43.36 seconds

If you run a basic Nmap scan like this then the default -sS flag is used, when using sudo nmap target then it will use -sT as default. In both cases it will scan TCP ports by default.

Here is a list of other scan types that we can use. Do check out Nmap docs on the Resources section to find out even more.

• -p (port selection): By default Nmap scans 1000 well-known ports but you can declare a specific port to scan with -p 80 or multiple ports with -p 80,443 or even a port range with -p 500-788. To scan all 65535 ports use -p-
• -sS (SYN Scan): Quick and stealthy. It sends a SYN packet but doesn’t complete the handshake. Perfect for reconnaissance but some older software might not be too happy about it.
• -sT (TCP Connect): The handshake version. The slower version that is also considered "polite" since it starts and finishes the connection.
• -sU (UDP Scan): The “patience test.” UDP scans are slow, but can reveal services that work only on UDP. Check out my post on common ports and services to see what services only use UDP.
• -sV (Version Detection): Great for finding out what’s actually running on a port. Tries to guess the service and it's version.
• -O (OS Detection): Sniffs out the operating system to certain degree of confidence.
• -A (Aggressive): Activates a suite of flags like -sV -sC -O --traceroute last two needing system privileges.

Nmap scripting engine (NSE)

Nmap’s scripting engine is one the reasons why I think it is the most versatile tool you can learn. With the scripting engine you can use default script or create your own and share them. The scripting part is done in Lua but it really isn't that hard.

• Defaults: Use -sC to run the default set of scripts.
• Vulnerability Scanning: --script vuln to look for vulnerabilities.
• Categories: There are tons, from auth to malware to dos.

Output and reporting

Nmap’s reporting options are ridiculously flexible:

• -oN: Normal output (like what you see in the terminal).
• -oX: XML output, for those who love structured data.
• -oG: Greppable output. Useful for chaining with other tools.
• -oA: Save in all formats at once.

Advanced concepts

Detection and Evasion

• -D: Decoy scans to confuse intrusion detection systems (IDS).
• Timing Options: Use -T2 or -T3 to go slow and avoid triggering alarms.

Polite scan and minimal disruption

Some systems can’t handle aggressive scans. Use -T2 or -T3 to stay on the safe side.

Scan performance factors

• The fewer threads you use, the slower it gets—but it’s also less likely to crash your target.
• UDP scans are notoriously slow—brace yourself.
• Want to cause chaos? Combine -T5 with -A for a full-throttle scan.

Practical usage

Here’s a real-world example:

parkado@homelab.hl$ sudo nmap -sS -sU -sC -p- -oA scan_results 192.168.1.1

This command does:

• SYN and UDP scans
• Default scripts
• Scans all 65,535 ports
• Saves the results in all formats

Conclusion

Nmap is a beast of a tool. Whether you’re troubleshooting a network issue, mapping out your infrastructure, or scanning for vulnerabilities, it’s got your back.

Resources

• Nmap Official Docs