Nmap, which stands for Network Mapper, is a powerful and free open-source tool used for network exploration and security auditing. It operates by sending specially crafted IP packets to a network or a specific host and then analyzing the responses to gather information about what is there. At its core, Nmap is a utility designed to discover active hosts and the services running on them, identify the operating systems they use, and much more. This capability makes it a fundamental tool both for security professionals, who use it to identify potential vulnerabilities and to perform penetration tests that map the “attack surface” of a network, and for network administrators who need an accurate inventory of their devices.
This process allows Nmap to:
Discover hosts and services on a network.
Identify open ports and the services running on them.
Detect potential vulnerabilities and security weaknesses.
Determine operating systems and device types.
Network administrators and security professionals commonly use Nmap to take inventory of their networks, perform security audits, and manage network services.
Random NMAP Commands and Meanings
Find all devices on the network (ping sweep; -sP is the legacy spelling of -sn)
nmap -sn 192.168.0.0/24
Find all computers hosting websites
sudo nmap -sT -p 80,443 192.168.0.0/24
Find all computers hosting websites, using a SYN (stealth) scan
sudo nmap -sS -p 80,443 192.168.0.0/24
Find Target Operating System
sudo nmap -O 192.168.0.5
Find Target OS, Version, Script Scanning and Traceroute
sudo nmap -A 192.168.0.5
Add decoys to the network scan (the IP after -D is the decoy; the last argument is the target)
sudo nmap -sS -D 192.168.0.100 192.168.95.5
Run Scripts
sudo nmap --script vuln 192.168.0.5
Host Discovery
-sn – Ping scan (no port scan; replaces -sP)
-Pn – Treat all hosts as online; skip host discovery
-n – Never perform DNS resolution
Port Scanning
-p – Specify port range (e.g., -p 1-1000, -p 80,443)
-F – Fast scan (scans fewer ports)
-r – Don't randomize scan order
Service and OS Detection
-sV – Version detection (detect service versions)
-O – OS detection
--osscan-guess – Make a guess at OS when uncertain
--version-all – Try every single probe
Script Scanning (NSE)
-sC – Run default scripts
--script= – Run specific NSE script(s)
--script-help – Get help for a script
Output Options
-oA – Output in all formats (normal, XML, grepable)
-oG – Grepable output
-oJ – JSON output
-v – Increase verbosity
-d – Increase debugging level
Scan Timing Templates
-T0 to -T5 – Set timing (from paranoid to insane)
-T4 is commonly used for speed
-T5 is the fastest but very noisy
Firewall Evasion and Spoofing
--source-port – Use specific source port
-f – Fragment packets
--data-length – Append random data
--spoof-mac – Spoof MAC address
Misc NMAP Commands
Scan Types
-sA – ACK scan
-sF – FIN scan
-sI – IDLE scan
-sL – List scan (DNS names only)
-sN – NULL scan
-sO – IP protocol scan
-sP – Ping scan (legacy, now -sn)
-sR – RPC scan
-sS – SYN scan (stealth scan)
-sT – TCP connect scan
-sW – Window scan
-sX – XMAS scan
Ping Types
-PI – ICMP ping
-P0 – No ping (legacy, now -Pn)
-PS – SYN ping
-PT – TCP ping
Output
-oN – Normal output
-oX – XML output
Timing
-T0 – Serial, slowest
-T1 – Serial, slow
-T2 – Serial, normal
-T3 – Parallel, normal
-T4 – Parallel, fast
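The -oX and -oG options above matter most when a scan is kept as a baseline rather than read once. As an added example, not from the original cheat sheet, here is a small Python script that reads the XML produced by -oX, builds an inventory of open ports per host, and diffs a baseline scan against a later one so that newly exposed services stand out. The two XML documents are constructed samples shaped like Nmap's output (hosts, addresses, ports and versions are made up), and the function names are my own.

```python
"""Inventory and diff two Nmap XML (-oX) reports.

Added example, not Nmap's own code. BASELINE_XML and LATER_XML are
constructed samples in the shape Nmap emits; hosts and ports are made up.
"""
import xml.etree.ElementTree as ET

BASELINE_XML = """<nmaprun scanner="nmap" args="nmap -sV -oX baseline.xml 192.168.0.0/24">
  <host><status state="up"/><address addr="192.168.0.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="Apache httpd" version="2.4.37"/></port>
      <port protocol="tcp" portid="443"><state state="closed"/><service name="https"/></port>
    </ports>
  </host>
  <host><status state="up"/><address addr="192.168.0.7" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
    </ports>
  </host>
</nmaprun>"""

LATER_XML = """<nmaprun scanner="nmap" args="nmap -sV -oX later.xml 192.168.0.0/24">
  <host><status state="up"/><address addr="192.168.0.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="Apache httpd" version="2.4.37"/></port>
      <port protocol="tcp" portid="443"><state state="closed"/><service name="https"/></port>
      <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
    </ports>
  </host>
  <host><status state="up"/><address addr="192.168.0.7" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="445"><state state="closed"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="8080"><state state="open"/><service name="http-proxy"/></port>
    </ports>
  </host>
  <host><status state="up"/><address addr="192.168.0.9" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="23"><state state="open"/><service name="telnet"/></port>
    </ports>
  </host>
  <host><status state="down"/><address addr="192.168.0.12" addrtype="ipv4"/></host>
</nmaprun>"""


def parse_open_ports(xml_text):
    """Return {addr: {(proto, port): service_label}} for ports Nmap reports as open.

    Hosts that are down and ports that are closed or filtered are skipped, so the
    result is exactly the exposed surface the scan saw.
    """
    inventory = {}
    for host in ET.fromstring(xml_text).findall("host"):
        status = host.find("status")
        addr_el = host.find("address[@addrtype='ipv4']")
        if status is None or status.get("state") != "up" or addr_el is None:
            continue
        ports = {}
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            label = "unknown"
            if svc is not None:  # name + product + version, whichever -sV filled in
                parts = [svc.get("name", ""), svc.get("product", ""), svc.get("version", "")]
                label = " ".join(p for p in parts if p) or "unknown"
            ports[(port.get("protocol"), int(port.get("portid")))] = label
        inventory[addr_el.get("addr")] = ports
    return inventory


def diff_scans(baseline, later):
    """Return (opened, closed): (addr, proto, port, label) tuples that changed state."""
    opened, closed = [], []
    for addr in sorted(set(baseline) | set(later)):
        before, after = baseline.get(addr, {}), later.get(addr, {})
        for key in sorted(set(after) - set(before)):
            opened.append((addr, key[0], key[1], after[key]))
        for key in sorted(set(before) - set(after)):
            closed.append((addr, key[0], key[1], before[key]))
    return opened, closed


if __name__ == "__main__":
    opened, closed = diff_scans(parse_open_ports(BASELINE_XML), parse_open_ports(LATER_XML))
    for row in opened:
        print("NEWLY OPEN", *row)
    for row in closed:
        print("NO LONGER OPEN", *row)
```

Run periodically against saved -oX files, a report like this turns Nmap from a one-off probe into change detection: a new RDP or telnet listener shows up as a single line rather than being lost in a full port list.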
The power of Nmap comes from its diverse array of scanning techniques. The most popular is the TCP SYN scan, often called a “stealth scan,” which sends a SYN packet to a port. An open port responds with a SYN/ACK, but Nmap immediately sends a RST packet instead of completing the connection, so the target application never sees a connection and is less likely to log the probe. In contrast, the TCP Connect scan performs a full TCP handshake, which is more reliable but also more visible in logs on the target. For services that use the User Datagram Protocol, Nmap employs a UDP scan, sending a UDP packet and waiting for a service-specific response or an “ICMP Port Unreachable” error.
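The distinction just described (a SYN scan answers the SYN/ACK with RST, a connect scan completes the handshake) is exactly what a network sensor can key on, even when the target host's own logs stay quiet. As an added example, not from the original article, the Python below reconstructs TCP flows from a constructed, simplified packet log (one record per packet, flags abbreviated S, SA, A, R, RA) and labels sources that touch many ports on one host as half-open or full-connect scanners. The log records, the port threshold and the function names are assumptions made for this example.

```python
"""Tell a half-open (SYN) scan from a full-connect scan in a packet log.

Added example, not part of the original article. PACKETS is a constructed,
simplified log (one dict per packet, TCP flags abbreviated S, SA, A, R, RA)
shaped like what a firewall or IDS sensor might export. Flow keys, thresholds
and function names are assumptions made for this example.
"""
from collections import defaultdict


def pkt(src, sport, dst, dport, flags):
    """Build one constructed packet record."""
    return {"src": src, "sport": sport, "dst": dst, "dport": dport, "flags": flags}


SYN_SCANNER, CONNECT_SCANNER, USER, SERVER = "10.0.0.99", "10.0.0.77", "10.0.0.20", "10.0.0.5"
PACKETS = []
# Constructed SYN scan: open ports see S / SA / R, closed ports S / RA, filtered ports only S.
for port, state in [(22, "open"), (80, "open"), (443, "closed"), (3389, "closed"), (8080, "filtered")]:
    sp = 40000 + port
    PACKETS.append(pkt(SYN_SCANNER, sp, SERVER, port, "S"))
    if state == "open":
        PACKETS += [pkt(SERVER, port, SYN_SCANNER, sp, "SA"), pkt(SYN_SCANNER, sp, SERVER, port, "R")]
    elif state == "closed":
        PACKETS.append(pkt(SERVER, port, SYN_SCANNER, sp, "RA"))
# Constructed connect scan: open ports complete the handshake (S / SA / A) before the scanner closes.
for port, state in [(21, "closed"), (22, "open"), (23, "closed"), (25, "closed"), (80, "open")]:
    sp = 50000 + port
    PACKETS.append(pkt(CONNECT_SCANNER, sp, SERVER, port, "S"))
    if state == "open":
        PACKETS += [pkt(SERVER, port, CONNECT_SCANNER, sp, "SA"),
                    pkt(CONNECT_SCANNER, sp, SERVER, port, "A"),
                    pkt(CONNECT_SCANNER, sp, SERVER, port, "R")]
    else:
        PACKETS.append(pkt(SERVER, port, CONNECT_SCANNER, sp, "RA"))
# An ordinary client opening one connection to the web server (should not be flagged).
PACKETS += [pkt(USER, 51234, SERVER, 80, "S"), pkt(SERVER, 80, USER, 51234, "SA"), pkt(USER, 51234, SERVER, 80, "A")]


def build_flows(packets):
    """Group packets into flows keyed by (client, server, server_port).

    The client is whoever sent the first SYN; replies are matched by reversing
    the 4-tuple so the server's packets land in the same flow.
    """
    flows, by_tuple = {}, {}
    for p in packets:
        fwd = (p["src"], p["sport"], p["dst"], p["dport"])
        rev = (p["dst"], p["dport"], p["src"], p["sport"])
        if fwd in by_tuple:
            key, who = by_tuple[fwd], "client"
        elif rev in by_tuple:
            key, who = by_tuple[rev], "server"
        elif p["flags"] == "S":
            key = (p["src"], p["dst"], p["dport"])
            by_tuple[fwd], who = key, "client"
        else:
            continue  # stray packet with no SYN we saw; ignore
        flows.setdefault(key, []).append((who, p["flags"]))
    return flows


def classify_flow(events):
    """Label one flow by how far the handshake got."""
    if ("server", "SA") in events:
        if ("client", "A") in events:
            return "full"          # handshake completed (connect scan or real client)
        if ("client", "R") in events:
            return "half-open"     # SYN/ACK answered with RST: SYN scan signature
        return "pending"
    if ("server", "RA") in events:
        return "closed"            # port closed; both scan types see this
    return "no-reply"              # filtered / dropped


def verdict(buckets):
    """Decide what kind of scanner a source looks like from its flow labels."""
    if buckets.get("half-open") and not buckets.get("full"):
        return "syn-scan"
    if buckets.get("full"):
        return "connect-scan"
    return "probe"


def detect_scanners(packets, min_ports=5):
    """Report sources that touched at least min_ports distinct (host, port) pairs."""
    per_src = defaultdict(lambda: defaultdict(set))
    for (client, server, dport), events in build_flows(packets).items():
        per_src[client][classify_flow(events)].add((server, dport))
    report = {}
    for client, buckets in per_src.items():
        touched = set().union(*buckets.values())
        if len(touched) >= min_ports:
            report[client] = {label: len(ports) for label, ports in buckets.items()}
            report[client].update(ports=len(touched), verdict=verdict(buckets))
    return report


if __name__ == "__main__":
    for src, info in detect_scanners(PACKETS).items():
        print(src, info)
```

The point this makes against the paragraph above is that the “stealth” of a SYN scan is relative to the target host's application logs, not to the network: at the packet level the half-open pattern (SYN, SYN/ACK, RST across many ports) is as distinctive as the full handshake, and both are cheap to count per source.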
Beyond these basic scans, Nmap’s capabilities are extensive. It can perform host discovery to find active devices on a network and detailed port scanning to determine if a port is open, closed, or filtered by a firewall. One of its most valuable features is service and version detection, where it can identify not only that a web server is running but also its specific version, like Apache 2.4.37, which is critical for security auditing. Nmap can also perform accurate operating system fingerprinting by analyzing how a host responds to certain packets. The Nmap Scripting Engine (NSE) is a major feature that allows users to automate a vast number of tasks, from detecting vulnerabilities and exploiting them to brute-forcing passwords and performing advanced discovery. All these features combined make Nmap far more than a simple port scanner; it is an indispensable tool for network administrators and security professionals worldwide.