blogs
Nmap Mastery: The Reconnaissance Tool Every Security Person Must Know
A deep look at Nmap, the reconnaissance tool behind nearly every network engineer's and penetration tester's toolkit.
Nmap Mastery: The Reconnaissance Tool Every Security Person Must Know
Nmap (Network Mapper) is the most widely used network reconnaissance tool in existence. It's been in continuous development since 1997, ships with virtually every security-focused Linux distribution, and appears in the toolkit of everyone from network engineers to penetration testers to incident responders. If you work in security, you need to know Nmap deeply.
What Nmap Does
At its core, Nmap discovers hosts on a network and determines what services they're running. But "service discovery" undersells it considerably — Nmap also identifies operating systems, software versions, firewall configurations, and can run custom scripts against discovered services.
Basic Scanning
# Scan a single host — default scan (1000 most common ports)
nmap 192.168.1.100
# Scan a subnet
nmap 192.168.1.0/24
# Scan a range
nmap 192.168.1.1-50
Default Nmap sends SYN packets to the 1000 most commonly used ports. A SYN-ACK response means the port is open; RST means closed; no response (or ICMP unreachable) means filtered by a firewall.
Scan Types
# SYN scan (half-open) — fast, less likely to appear in logs
# Requires root/sudo
sudo nmap -sS 192.168.1.100
# Full TCP connect scan — completes three-way handshake
# Works without root, more likely to appear in application logs
nmap -sT 192.168.1.100
# UDP scan — critical for finding DNS, SNMP, DHCP services
sudo nmap -sU 192.168.1.100
# Combined TCP and UDP
sudo nmap -sS -sU 192.168.1.100
UDP scanning is slower and less reliable than TCP — UDP ports don't respond if open (only if closed or filtered). Important to include, though: many valuable services (DNS on 53, SNMP on 161, TFTP on 69) run on UDP.
Service and Version Detection
# Service and version detection — identifies what's running on open ports
nmap -sV 192.168.1.100
# Aggressive version detection
nmap -sV --version-intensity 9 192.168.1.100
Version detection sends probes to open ports and matches responses against Nmap's service database. Instead of just "port 22 open," you get "OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 (Ubuntu Linux; protocol 2.0)." Version information directly enables CVE lookups.
OS Detection
sudo nmap -O 192.168.1.100
OS fingerprinting analyzes how the target responds to a series of probes and compares the pattern against a database of known OS fingerprints. Results are shown with confidence percentages.
All-In-One: Aggressive Scan
# -A enables: OS detection, version detection, script scanning, traceroute
sudo nmap -A 192.168.1.100
-A is convenient but noisy — it generates significantly more traffic than a basic scan. Useful for lab environments and authorized assessments; not appropriate for stealthy reconnaissance.
Nmap Scripting Engine (NSE)
NSE is where Nmap becomes truly powerful. Over 600 scripts extend Nmap to perform specific checks:
# Run default scripts (safe, commonly useful)
nmap -sC 192.168.1.100
# Check for specific vulnerability
nmap --script vuln 192.168.1.100
# SMB enumeration
nmap --script smb-enum-shares,smb-enum-users 192.168.1.100
# HTTP enumeration
nmap --script http-headers,http-methods,http-title 192.168.1.100
# Check for anonymous FTP access
nmap --script ftp-anon 192.168.1.100
# SNMP enumeration (community strings, system info)
nmap --script snmp-info --script-args snmpcommunity=public -sU -p 161 192.168.1.100
# Check for EternalBlue (MS17-010 / WannaCry vulnerability)
nmap --script smb-vuln-ms17-010 192.168.1.100
Speed and Timing
Nmap's timing templates (-T0 through -T5) control scan aggression:
# T0 (Paranoid) — very slow, evades IDS
nmap -T0 192.168.1.100
# T3 (Normal) — default
nmap -T3 192.168.1.100
# T4 (Aggressive) — fast, assumes good network, may miss UDP
nmap -T4 192.168.1.100
# T5 (Insane) — very fast, may miss ports, not for noisy networks
nmap -T5 192.168.1.100
For stealthy reconnaissance, use -T1 or -T2 with randomized scan order:
nmap -T1 --randomize-hosts -p 80,443,22,21 192.168.1.0/24
Full Port Scans
The default 1000-port scan misses many services running on non-standard ports. A full scan is slower but more thorough:
# Scan all 65535 ports — use with version detection for a comprehensive picture
sudo nmap -p- --min-rate 5000 -sV 192.168.1.100
# Script kiddie-proof: all ports, version, default scripts, OS detection
sudo nmap -p- -sV -sC -O --min-rate 5000 -oA full_scan 192.168.1.100
--min-rate 5000 sends at least 5000 packets per second — dramatically speeds up full-port scans on fast networks.
Output Formats
Always save your scan output:
# -oA saves all formats: .nmap (readable), .xml (parseable), .gnmap (greppable)
nmap -sV -oA scan_results 192.168.1.100
# Grep for open ports across multiple scan files
grep "open" *.gnmap | awk '{print $2, $3}' | sort -u
XML output can be imported into tools like Metasploit, Nessus, or custom scripts for further processing.
What I Use Nmap For
In my CTF workflow: First thing after getting a target IP — sudo nmap -p- --min-rate 5000 -sV -sC -oA nmap_initial TARGET_IP. This gives me a complete picture to work from.
In my digital twin lab: After running Nmap against my simulated network, I analyze the scan traffic in Wireshark to understand exactly what footprint a scan leaves — what it looks like from the defender's perspective.
For network inventory: Regular scans of my home lab to verify that only expected services are running on expected ports. Unexpected open ports are an immediate investigation priority.
Nmap is one of those tools where investing time to learn it deeply — not just the basic syntax — pays dividends for your entire career in security.
