What Is Nmap

Nmap (Network Mapper) is a free, open-source tool used for network discovery and security auditing. It can rapidly scan large networks to determine which hosts are online, what services they are running, what operating systems they use, and what types of firewalls or packet filters are in place.

Originally created by Gordon Lyon (Fyodor) in 1997, Nmap has become one of the most essential tools in any network administrator's or security professional's toolkit. It runs on Linux, Windows, macOS, and BSD.

⚠️
Only scan networks you own or have explicit permission to scan.

Unauthorized port scanning is considered hostile activity by most organizations and internet service providers. It may violate laws such as the Computer Fraud and Abuse Act (US), the Computer Misuse Act (UK), or equivalent legislation in your country. Scanning someone else's network without written authorization can result in legal consequences, account termination, or IP blocking. This tutorial is intended solely for scanning your own infrastructure.

Installing Nmap

# Ubuntu / Debian
sudo apt update
sudo apt install nmap

# Fedora / RHEL
sudo dnf install nmap

# macOS (using Homebrew)
brew install nmap

# Verify installation
nmap --version

On Windows, download the installer from https://nmap.org/download. The Windows package includes Zenmap, a graphical frontend for Nmap.

Host Discovery

Before scanning ports, you often need to find out which hosts are alive on a network. Nmap provides several host discovery techniques, commonly called ping scans.

Basic Ping Scan

The -sn flag tells Nmap to skip port scanning and only check whether hosts are online. This is the fastest way to discover devices on your network.

# Discover all live hosts on your local subnet
nmap -sn 192.168.1.0/24

Example output:

Starting Nmap 7.94 ( https://nmap.org )
Nmap scan report for router.local (192.168.1.1)
Host is up (0.0025s latency).
Nmap scan report for desktop.local (192.168.1.100)
Host is up (0.0031s latency).
Nmap scan report for server.local (192.168.1.175)
Host is up (0.00010s latency).
Nmap done: 256 IP addresses (3 hosts up) scanned in 2.43 seconds

💡
How ping scanning works

On a local Ethernet network, Nmap detects hosts with ARP requests; a host must answer ARP to communicate on the LAN at all, so a host-based firewall cannot hide it. On remote networks (when run as root), it sends a combination of an ICMP echo request, a TCP SYN to port 443, a TCP ACK to port 80, and an ICMP timestamp request; unprivileged users get TCP connect probes to ports 80 and 443 instead. A response to any of these confirms the host is alive.

Target Specification

Nmap accepts targets in several formats:

192.168.1.1 Single IP address.
192.168.1.0/24 CIDR notation -- scans all 256 addresses in the subnet.
192.168.1.1-50 IP range -- scans addresses 1 through 50.
scanme.nmap.org Hostname -- Nmap resolves it and scans the resulting IP. Note: scanme.nmap.org is a server provided by the Nmap project specifically for testing.

Port Scanning Techniques

Port scanning is the core function of Nmap. Each port on a host can be in one of several states: open (accepting connections), closed (reachable but no service listening), or filtered (a firewall is blocking the probe).

TCP Connect Scan (-sT)

This is the default scan when you run Nmap without root/sudo privileges. It performs a full TCP three-way handshake (SYN, SYN-ACK, ACK) with each port.

# Full TCP connect scan on common ports
nmap -sT 192.168.1.175

Advantages: reliable, works without root. Disadvantages: slower and more easily detected because it completes the full connection.

SYN Scan (-sS)

Also called a "stealth scan" or "half-open scan." It sends a SYN packet and waits for a response: a SYN-ACK means the port is open, an RST means it is closed. Because the handshake is never completed, the scan is faster and the listening application never sees a connection, so it is less likely to appear in application logs (firewalls and intrusion detection systems still see the SYN packets).

# SYN scan (requires root/sudo)
sudo nmap -sS 192.168.1.175

💡
Why does SYN scan need root?

Crafting raw TCP packets (sending SYN without completing the handshake) requires raw socket access, which is a privileged operation on most operating systems. Regular users can only use the system's TCP stack, which always completes the handshake.

UDP Scan (-sU)

UDP services like DNS (53), SNMP (161), and DHCP (67/68) do not use TCP. A UDP scan sends UDP packets to target ports and interprets the responses.

# Scan common UDP ports (requires root, can be slow)
sudo nmap -sU --top-ports 20 192.168.1.175

UDP scanning is inherently slower than TCP scanning. There is no handshake, open UDP ports often send no reply at all, and most operating systems rate-limit the ICMP port-unreachable messages that mark a port as closed, so Nmap must retransmit and wait for a timeout on each port. Using --top-ports limits the scan to the most commonly used UDP ports.

Specifying Ports

# Scan specific ports
nmap -p 22,80,443 192.168.1.175

# Scan a range of ports
nmap -p 1-1000 192.168.1.175

# Scan all 65535 ports
nmap -p- 192.168.1.175

# Scan the top 100 most common ports
nmap --top-ports 100 192.168.1.175

Service and OS Detection

Knowing a port is open is useful, but knowing what software is running on that port and what operating system the host uses provides far more actionable information.

Service Version Detection (-sV)

The -sV flag probes open ports to determine the service name and version number of the running software.

nmap -sV 192.168.1.175

Example output:

PORT     STATE SERVICE  VERSION
22/tcp   open  ssh      OpenSSH 9.6p1 Ubuntu 3ubuntu13
80/tcp   open  http     nginx 1.24.0
443/tcp  open  ssl/http nginx 1.24.0
3306/tcp open  mysql    MariaDB 10.11.6

This information is critical for security auditing -- if a service is running an outdated version with known vulnerabilities, you know it needs to be patched.

OS Detection (-O)

Nmap can fingerprint the remote operating system by analyzing subtle differences in how the TCP/IP stack responds to specially crafted probes.

# OS detection (requires root)
sudo nmap -O 192.168.1.175

Example output:

OS details: Linux 5.15 - 6.8 (Ubuntu)
Network Distance: 0 hops

⚠️
OS detection is not always accurate.

Firewalls, load balancers, and custom TCP/IP stack configurations can cause Nmap to misidentify or fail to identify the OS. Treat the results as an educated guess rather than a definitive answer.

Combining Options

Nmap flags can be combined for a comprehensive scan. A common combination for auditing your own network:

# Service versions + OS detection + default scripts + verbose
sudo nmap -sV -O -sC -v 192.168.1.175

The -sC flag runs the default set of NSE (Nmap Scripting Engine) scripts, which perform additional safe checks such as banner grabbing, TLS certificate inspection, and simple misconfiguration tests (for example, whether an FTP server allows anonymous login).

Reading and Saving Output

Understanding Nmap's output is essential for acting on scan results. Each line of the port table tells you the port number, protocol, state, and service.

Port States

open An application is actively accepting connections on this port. This is the state you usually care about most.
closed The port is reachable (not blocked by a firewall) but no application is listening. Nmap received a RST packet in response.
filtered A firewall or packet filter is blocking the probe. Nmap cannot determine whether the port is open or closed.
open|filtered Nmap cannot determine whether the port is open or filtered. Common with UDP scans where no response is received.

Output Formats

Nmap supports several output formats for saving results:

# Normal output (human-readable)
nmap -sV 192.168.1.175 -oN scan-results.txt

# XML output (for parsing with other tools)
nmap -sV 192.168.1.175 -oX scan-results.xml

# Grepable output (one host per line, easy to filter)
nmap -sV 192.168.1.175 -oG scan-results.gnmap

# All three formats at once (writes scan-results.nmap, .xml and .gnmap)
nmap -sV 192.168.1.175 -oA scan-results

💡
Always save scan results.

Using -oA to save in all formats is a good habit. It gives you a human-readable copy for review, an XML file for importing into security tools, and a grepable file for quick command-line analysis. You can compare results over time to detect changes in your network.

Scanning Your Own Network

Scanning your own network is one of the best ways to learn Nmap and improve your security posture. Here is a practical workflow for auditing a home or small office network.

1. Discover all hosts on your network:

nmap -sn 192.168.1.0/24 -oN discovery.txt

Review the list. Do you recognize every device? Unrecognized hosts may be unauthorized.

2. Scan open ports on each host:

sudo nmap -sS --top-ports 1000 192.168.1.0/24 -oA portscan

Look for ports that should not be open. A desktop PC running a web server or an open database port may indicate a misconfiguration or compromise.

3. Identify services on open ports:

sudo nmap -sV -O 192.168.1.175 -oA service-audit

Check for outdated software versions that may have known vulnerabilities.

4. Document and remediate: Close unnecessary ports, update outdated services, and verify that firewalls are properly configured. Re-scan afterward to confirm the changes took effect.
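The XML output described under "Output Formats" is what makes the re-scan step above checkable: the added example below (not part of the original tutorial and not Nmap's own code) parses two -oX files and reports hosts that appeared or vanished and ports that opened or closed between them. The XML is a constructed sample that follows Nmap's element names; the addresses and ports are made up, and real files carry many more elements, which the parser ignores.

```python
import xml.etree.ElementTree as ET

# Constructed -oX output for two scans of the same subnet (element and attribute
# names follow Nmap's XML schema; the hosts and ports are made up for this example).
BASELINE_XML = """<nmaprun scanner="nmap">
<host><status state="up"/><address addr="192.168.1.1" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="80"><state state="open"/></port>
<port protocol="tcp" portid="443"><state state="open"/></port></ports></host>
<host><status state="up"/><address addr="192.168.1.175" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open"/></port>
<port protocol="tcp" portid="3306"><state state="open"/></port></ports></host>
</nmaprun>"""

# Later scan: 80/tcp on the router and 3306/tcp on the server were closed after
# remediation, and an unrecognized host with an open 8080/tcp has appeared.
CURRENT_XML = """<nmaprun scanner="nmap">
<host><status state="up"/><address addr="192.168.1.1" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="443"><state state="open"/></port></ports></host>
<host><status state="up"/><address addr="192.168.1.175" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open"/></port>
<port protocol="tcp" portid="3306"><state state="closed"/></port></ports></host>
<host><status state="up"/><address addr="192.168.1.222" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="8080"><state state="open"/></port></ports></host>
</nmaprun>"""

def open_ports(xml_text):
    """Map each live host's IPv4 address to its set of open (protocol, port) pairs."""
    result = {}
    for host in ET.fromstring(xml_text).iter("host"):
        if host.find("status").get("state") != "up":
            continue  # down hosts carry no port table worth comparing
        addr = host.find("address[@addrtype='ipv4']").get("addr")
        result[addr] = {(p.get("protocol"), int(p.get("portid")))
                        for p in host.iter("port")
                        if p.find("state").get("state") == "open"}
    return result

def diff_scans(baseline_xml, current_xml):
    """Hosts that appeared or vanished, and ports that opened or closed, between scans."""
    before, after = open_ports(baseline_xml), open_ports(current_xml)
    report = {"new_hosts": sorted(set(after) - set(before)),
              "missing_hosts": sorted(set(before) - set(after)), "opened": {}, "closed": {}}
    for addr, ports in after.items():
        gained = ports - before.get(addr, set())   # open now, not in the baseline
        lost = before.get(addr, set()) - ports     # open in the baseline, not now
        if gained:
            report["opened"][addr] = sorted(gained)
        if lost:
            report["closed"][addr] = sorted(lost)
    return report
```

Run it against the .xml files written by -oA for the baseline and the re-scan; an unexpected entry under "new_hosts" or "opened" is exactly the kind of change step 1 and step 2 ask you to investigate.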

Summary

In this tutorial, you learned the fundamentals of Nmap network scanning:

  • Host discovery -- using -sn to find live devices on your network
  • TCP scanning -- connect scan (-sT) for unprivileged users and SYN scan (-sS) for speed
  • UDP scanning -- detecting services that run on UDP with -sU
  • Service detection -- identifying software versions with -sV
  • OS fingerprinting -- determining operating systems with -O
  • Output formats -- saving results for later analysis with -oN, -oX, -oG, or -oA
  • Practical auditing -- a step-by-step workflow for scanning your own network

⚠️
Final reminder: authorization is everything.

Nmap is a powerful tool that can be used for good or harm. Only scan networks and systems that you own or have explicit, written permission to test. If you want to practice scanning, use scanme.nmap.org (Nmap's official test server) or set up your own lab environment with virtual machines.

🎉
Excellent work!

You now know how to discover hosts, scan ports, identify services, and audit your own network with Nmap. Regular scanning is a key part of maintaining a secure infrastructure.