
Nmap

December 10, 2025

Nmap (the Network Mapper) is the most powerful, flexible, and widely used open-source port scanner and network reconnaissance tool in the world. Written by Gordon Lyon (Fyodor), it has been the de facto standard for security professionals, pentesters, sysadmins, and attackers for over 25 years.

Why Nmap Is Still King

  • Discovers live hosts
  • Finds open ports & running services
  • Detects service versions & operating systems
  • Executes scripted vulnerability checks (NSE)
  • Bypasses many firewalls and IDS/IPS with clever techniques
  • Works on Windows, Linux, macOS, BSD

Many of its best techniques (especially SYN scans) use raw sockets to craft special packets. Normal users can’t open raw sockets, so Nmap needs elevated privileges for them. Without root, it automatically falls back to the slower, full-connect scan.

Golden Rule Before Every Scan

Start small → go deep only on interesting targets.

  • Default scan (-sS, or no flags): checks the 1000 most common ports → small amount of traffic
  • Full port scan (-p-): all 65,535 ports → can easily generate megabytes per host

```bash
# 1. Quick sweep (1000 most common ports)
sudo nmap -sS 10.10.10.10

# 2. If something looks juicy → go full
sudo nmap -p- -sCV -A 10.10.10.10
```

Port States

When performing port scans with Nmap, each probed port is classified into one of several states based on the responses received (or lack thereof). Understanding these states is essential for accurately interpreting scan results and identifying potential services, misconfigurations, or firewall rules.

| State | Description | Typical scan type(s) |
|---|---|---|
| open | Application is actively accepting connections (TCP handshake completed or UDP response received) | All scans |
| closed | No application listening, but host is alive: returns RST (TCP) or ICMP Port Unreachable (UDP) | TCP SYN/Connect, UDP |
| filtered | Nmap cannot determine the state: packet dropped, or an explicit ICMP “port unreachable” / “admin prohibited” error | All scans |
| unfiltered | Port is reachable, but Nmap cannot tell whether it is open or closed (only appears in ACK/Window scans) | -sA (ACK scan) |
| open\|filtered | No response, so Nmap cannot tell whether it is open or silently filtered (common with UDP and certain firewalls) | -sU (UDP) |
| closed\|filtered | Rare state: host sends ICMP “port unreachable” but Nmap is unsure (almost never seen in practice) | |

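The table above is a summary of decision rules; the following is an added illustration (not code from Nmap or from this page) that encodes those rules, taken from the scan-technique chapter of Nmap's reference guide, for SYN, Connect, UDP and ACK probes. The `Reply` objects are constructed probe outcomes; a Connect scan sees the same outcomes through the OS socket API (success, connection refused, timeout) instead of raw packets, so it shares the SYN rules.

```python
"""Reproduce Nmap's port-state decisions for SYN (-sS), Connect (-sT),
UDP (-sU) and ACK (-sA) probes.

Added illustration, not code from Nmap: it encodes the reply-to-state rules
from Nmap's reference guide. Probe/reply values are constructed.
"""
from dataclasses import dataclass
from typing import Optional

# ICMP destination-unreachable (type 3) codes that Nmap reads as filtering.
FILTER_UNREACH_CODES = {0, 1, 2, 9, 10, 13}
PORT_UNREACH_CODE = 3          # "port unreachable": live host, nothing listening (UDP)


@dataclass(frozen=True)
class Reply:
    """The response to one probe, after Nmap's retransmissions.

    kind: "tcp" (use `flags`), "icmp" (use icmp_type/icmp_code), "udp"
    (any UDP payload from the target), or None for no response at all.
    flags: TCP flag letters, e.g. "SA" for SYN-ACK, "R" or "RA" for a reset.
    """
    kind: Optional[str]
    flags: str = ""
    icmp_type: int = -1
    icmp_code: int = -1


def _is_unreachable(reply: Reply) -> bool:
    return reply.kind == "icmp" and reply.icmp_type == 3


def classify(scan: str, reply: Reply) -> str:
    """Return the Nmap state string for a probe of type `scan` and its reply."""
    if scan in ("syn", "connect"):
        if reply.kind == "tcp" and {"S", "A"} <= set(reply.flags):
            return "open"                       # SYN-ACK: something is listening
        if reply.kind == "tcp" and "R" in reply.flags:
            return "closed"                     # RST: host alive, nothing listening
        if reply.kind is None:
            return "filtered"                   # silently dropped
        if _is_unreachable(reply) and reply.icmp_code in FILTER_UNREACH_CODES | {PORT_UNREACH_CODE}:
            return "filtered"                   # explicit ICMP error, e.g. admin prohibited (13)
    elif scan == "udp":
        if reply.kind == "udp":
            return "open"                       # the only proof of an open UDP port
        if _is_unreachable(reply) and reply.icmp_code == PORT_UNREACH_CODE:
            return "closed"
        if _is_unreachable(reply) and reply.icmp_code in FILTER_UNREACH_CODES:
            return "filtered"
        if reply.kind is None:
            return "open|filtered"              # silence: open service or a dropping firewall
    elif scan == "ack":
        if reply.kind == "tcp" and "R" in reply.flags:
            return "unfiltered"                 # reachable, but open vs closed unknown
        if reply.kind is None or _is_unreachable(reply):
            return "filtered"
    raise ValueError(f"no rule for scan={scan!r} reply={reply!r}")


def demo() -> dict:
    """A few constructed probe/reply pairs and the state Nmap would print."""
    return {
        "syn, SYN-ACK":            classify("syn", Reply("tcp", flags="SA")),
        "syn, RST":                classify("syn", Reply("tcp", flags="RA")),
        "syn, no reply":           classify("syn", Reply(None)),
        "syn, ICMP admin-prohib":  classify("syn", Reply("icmp", icmp_type=3, icmp_code=13)),
        "udp, no reply":           classify("udp", Reply(None)),
        "udp, ICMP port unreach":  classify("udp", Reply("icmp", icmp_type=3, icmp_code=3)),
        "ack, RST":                classify("ack", Reply("tcp", flags="R")),
        "ack, no reply":           classify("ack", Reply(None)),
    }


if __name__ == "__main__":
    for name, state in demo().items():
        print(f"{name:26} -> {state}")
```

Note how UDP silence maps to open|filtered while TCP silence maps to filtered: a TCP probe that gets no SYN-ACK and no RST cannot be open, whereas an open UDP service is under no obligation to answer a probe it does not understand.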
Main Scan Types

TCP SYN Scan (-sS) – The King of Scans

This is the scan you’ll use 90% of the time. When you run Nmap with sudo, it automatically picks SYN scan.

It works like a polite knock on the door without ever walking in: Nmap sends a SYN packet (the first part of a normal TCP connection). If the port is open, the target answers with SYN-ACK, and Nmap immediately sends a RST back instead of the ACK that would complete the handshake. If the port is closed, the target itself answers with RST. Either way the connection never completes, which is why this is called a “half-open” or “stealth” scan.

Result: blazing fast, reasonably quiet, and accurate. It used to be truly invisible, but modern firewalls and IDS still log it, just much less noisily than a full connection.

```bash
sudo nmap -sS 192.168.50.10
```

TCP Connect Scan (-sT) – The Loud but Honest One

If you don’t have root privileges (or you force the option), Nmap falls back to Connect scan.

This time Nmap behaves exactly like a web browser or any normal program: it performs the full three-way handshake (SYN → SYN-ACK → ACK). The connection is fully established, just like real traffic.

Because of that, it’s extremely accurate and never causes weird service behaviour, but the target logs every single connection, and any decent firewall lights up like a Christmas tree.

Use it when you can’t use raw packets or when you need maximum compatibility.

```bash
nmap -sT 192.168.50.10
```

UDP Scan (-sU) – Slow, Frustrating, but Absolutely Necessary

UDP is completely different — there’s no handshake. Nmap sends a UDP packet to the port and waits.

If the port is closed, you usually get an ICMP Port Unreachable response. If it’s open, most services stay silent (or occasionally send data back). No response can also mean a firewall is dropping the packet, so Nmap often reports ports as open|filtered.

It’s slow because Nmap has to wait for timeouts, and firewalls love dropping UDP. Still, it’s the only way to find DNS, SNMP, DHCP, NTP, VoIP, and many game servers.

```bash
sudo nmap -sU 192.168.50.10
```

Host Discovery

Before deep-scanning everything, discover what’s actually alive.

  • -sn (ping sweep): no port scan, just host discovery (ARP + TCP SYN/ACK to 80/443 + ICMP)

```bash
# Fastest on local networks (ARP)
sudo nmap -sn 192.168.1.0/24

# When ARP is blocked (across routers); -PE/-PP need raw sockets, hence sudo
sudo nmap -sn -PE -PP -PS80,443 -PA3389 10.10.10.0/24
```

OS Detection

Nmap guesses the operating system by looking at tiny differences between TCP/IP stacks (TTL, window size, etc.). It works best when at least one open and one closed port are found. Warning: it is not always 100% accurate (firewalls and proxies can skew the fingerprint).

```bash
sudo nmap -O --osscan-guess 10.10.10.10
```

Service & Version Detection

  • -sV → detects the exact service version (e.g., Apache 2.4.41, OpenSSH 8.2p1)
  • -A → aggressive mode: OS detection + version scan + traceroute + tons of NSE scripts

```bash
# Version scan (intensity 7 is the default; --version-light, intensity 2, is the quicker option)
nmap -sV --version-intensity 7 10.10.10.10

# Aggressive (OS + version + traceroute + default scripts)
sudo nmap -A 10.10.10.10
```

Firewall / IDS/IPS Evasion Cheat Sheet

Many networks employ firewalls or intrusion detection/prevention systems that can block or log obvious port scans. The following Nmap options help evade these defenses by fragmenting packets, obfuscating the true source, manipulating trusted protocols, or offloading the scan to another host. These methods range from simple (fragmentation, decoys) to advanced (idle/zombie scanning) and should only be used during authorized penetration testing or security assessments.

| Technique | Nmap option | Effect / use case |
|---|---|---|
| Fragment packets | -f (or -ff for 16-byte fragments) | Bypasses old/simple firewalls and some IDS rules |
| Decoys | -D RND:10 or -D 1.2.3.4,5.6.7.8,ME | Hides your real IP among fake sources (great for muddying logs) |
| Spoof source IP | -S 1.2.3.4 -e eth0 | Makes the target think the scan comes from another IP (needs routing control to see replies) |
| Source port 53 (DNS) | --source-port 53 or -g 53 | Often allowed inbound/outbound because DNS is trusted |
| Idle / Zombie scan | -sI zombie_host[:probeport] | Almost completely stealthy: uses a “zombie” host to scan |
| Disable ping (no host discovery) | -Pn | Skips ICMP/ARP ping; useful when ICMP is fully blocked |

Nmap Scripting Engine (NSE)

The Nmap Scripting Engine (NSE) extends Nmap with hundreds of Lua scripts, located in /usr/share/nmap/scripts/ on most installs. These scripts automate service enumeration, vulnerability detection, brute-force attacks, and more.

Quick Usage

```bash
# Single script
nmap --script http-headers 192.168.50.10

# All scripts matching a pattern
nmap --script "http-*" 192.168.50.0/24

# Get script help
nmap --script-help http-headers
```

Main Script Categories

| Category | Purpose |
|---|---|
| auth | Credential testing & bypass |
| brute | Brute-force login attacks |
| default | Safe scripts run with -sC |
| discovery | Service & network information gathering |
| dos | Denial-of-service checks |
| exploit | Active exploitation of known vulnerabilities |
| external | Sends data to third-party services |
| fuzzer | Fuzzing for unexpected behavior |
| intrusive | Potentially disruptive scripts |
| malware | Detects backdoors & infections |
| safe | Non-intrusive scripts |
| version | Enhanced service/version detection |
| vuln | Vulnerability identification & verification |

Common Ways to Run Scripts

  • -sC → Default safe scripts
  • --script "vuln" → All scripts in vuln category
  • --script banner,smtp-commands → Specific scripts
  • -A → Enables -sC + -sV + -O + traceroute

Example

```bash
sudo nmap 10.129.2.28 -p 80 --script vuln
```

→ Automatically enumerates directories, detects WordPress versions, and checks for known vulnerabilities.

Recommended Real-World Scan Workflow

  • Quick sweep

```bash
sudo nmap -sn --top-ports 1000 10.10.10.0/24 -oG sweep.gnmap
```

  • Extract live hosts

```bash
grep Up sweep.gnmap | cut -d" " -f2 > live.txt
```

  • Full scan on survivors

```bash
sudo nmap -sSV -O -p- --open -iL live.txt -oA full_scan
```
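The grep/cut step above throws away everything except the IP. The parser below is an added example (not Nmap's code and not from the original page) that reads the same grepable (-oG) format but keeps each port's state, so the "Port States" table earlier can be applied to the survivors of the sweep. It follows Nmap's documented grepable layout: tab-separated fields after "Host:", and port entries of the form port/state/proto/owner/service/rpcinfo/version/. SAMPLE_GNMAP is a constructed sample with made-up addresses and banners, not real scan output.

```python
"""Parse Nmap grepable output (-oG) and extract live hosts, open ports and a
per-state tally.

Added example, not Nmap's code. SAMPLE_GNMAP is constructed, not real output.
"""
import ipaddress
import re
from collections import Counter

SAMPLE_GNMAP = """# Nmap 7.94 scan initiated (constructed sample, not real output)
Host: 10.10.10.5 ()\tStatus: Up
Host: 10.10.10.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.2p1 Ubuntu/, 80/open/tcp//http//Apache httpd 2.4.41/, 443/closed/tcp//https///, 161/open|filtered/udp//snmp///\tIgnored State: filtered (996)
Host: 10.10.10.7 (printer.lab.example)\tStatus: Up
Host: 10.10.10.7 (printer.lab.example)\tPorts: 9100/open/tcp//jetdirect///\tIgnored State: closed (999)
Host: 10.10.10.9 ()\tStatus: Down
# Nmap done -- 3 IP addresses (2 hosts up) scanned (constructed)
"""

HOST_RE = re.compile(r"Host: (\S+) \((.*?)\)")
# port/state/protocol/owner/service/rpcinfo/version/ -- Nmap's grepable writer
# substitutes "|" for "/" inside the version field, so splitting on "/" is safe.
PORT_RE = re.compile(r"(\d+)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/")


def parse_gnmap(text: str) -> dict:
    """Return {ip: {"name": str, "status": "Up"/"Down", "ports": [...]}}."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host: "):
            continue                                  # comment lines, "Nmap done"
        fields = line.split("\t")
        m = HOST_RE.match(fields[0])
        if m is None:
            continue
        ip, name = m.group(1), m.group(2)
        entry = hosts.setdefault(ip, {"name": name, "status": None, "ports": []})
        for field in fields[1:]:
            if field.startswith("Status: "):
                entry["status"] = field[len("Status: "):].strip()
            elif field.startswith("Ports: "):
                entry["status"] = entry["status"] or "Up"   # only live hosts get a Ports: line
                for pm in PORT_RE.finditer(field[len("Ports: "):]):
                    port, state, proto, _owner, service, _rpc, version = pm.groups()
                    entry["ports"].append({"port": int(port), "state": state,
                                           "proto": proto, "service": service,
                                           "version": version})
    return hosts


def live_hosts(hosts: dict) -> list:
    """Equivalent of `grep Up sweep.gnmap | cut -d" " -f2`, sorted numerically."""
    return sorted((ip for ip, h in hosts.items() if h["status"] == "Up"),
                  key=ipaddress.ip_address)


def open_ports(hosts: dict, ip: str, proto: str = "tcp") -> list:
    """Ports in state 'open' only; open|filtered is deliberately excluded."""
    return sorted(p["port"] for p in hosts[ip]["ports"]
                  if p["state"] == "open" and p["proto"] == proto)


def state_summary(hosts: dict) -> Counter:
    """How many listed ports landed in each state (see the Port States table)."""
    return Counter(p["state"] for h in hosts.values() for p in h["ports"])


if __name__ == "__main__":
    scan = parse_gnmap(SAMPLE_GNMAP)
    with open("live.txt", "w") as fh:            # same file the workflow feeds to -iL
        fh.write("\n".join(live_hosts(scan)) + "\n")
    for ip in live_hosts(scan):
        print(ip, scan[ip]["name"] or "-", "open tcp:", open_ports(scan, ip))
    print(dict(state_summary(scan)))
```

Keeping the state matters for the last workflow step: `--open` in the full scan hides closed and filtered ports from the report, so if you want to know which ports a firewall is silently dropping (the open|filtered UDP case, or a filtered count in "Ignored State"), parse the sweep output rather than the filtered report.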

Bonus

One-Liner for 90% of Pentests

```bash
sudo nmap -sCV -O --version-all --open --top-ports 3000 -T4 -n -Pn -oA quick 10.10.10.0/24
```

DNS Proxying & Source Port 53 Evasion

Nmap automatically performs reverse DNS resolution on discovered IPs to gather hostnames, a behavior that usually goes unnoticed because legitimate web traffic also triggers DNS queries. These queries normally use UDP port 53, but TCP port 53 is increasingly common due to DNSSEC and IPv6.

This gives us two powerful evasion opportunities:

  1. Custom DNS Servers
    Using --dns-server <ip> (or -n to disable resolution entirely), you can force Nmap to query internal or trusted corporate DNS servers instead of public ones. In a DMZ or internal assessment, this often reveals hidden hostnames that public resolvers would never return.
  2. Source Port 53 Evasion
    Many firewalls and IDS/IPS rules explicitly allow traffic from source port 53 (DNS) because blocking it would break normal DNS functionality. By adding --source-port 53 (or -g 53), your scan packets appear to originate from a DNS server — often bypassing strict filtering rules.

Real-world example (filtered port 50000)

  • Normal SYN scan → port shows filtered (packets dropped)

```bash
nmap -sS -p50000 10.129.2.28
```

  • Same scan from source port 53 → port shows open (firewall lets it through)

```bash
nmap -sS -p50000 --source-port 53 10.129.2.28
```
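The flip side of the example above is what the firewall's own logs look like when this happens. The script below is an added example, not part of the original page: it scans iptables-style LOG lines (constructed here, with made-up addresses; TRUSTED_RESOLVERS is a placeholder for the organisation's real DNS servers) for the signature of a port-53 disguise. A DNS server answering over TCP sends segments with the ACK bit set inside an established flow, whereas a lone SYN from port 53 towards an arbitrary high port is a scan probe, not DNS.

```python
"""Spot TCP probes that borrow source port 53 (the --source-port 53 / -g 53
trick) in firewall logs.

Added example, not from the original page. SAMPLE_LOG lines are constructed
in iptables LOG format; TRUSTED_RESOLVERS is an assumed allowlist.
"""
import re
from collections import defaultdict

TRUSTED_RESOLVERS = {"10.0.0.53"}     # assumption: our own resolvers
PRIVILEGED_SOURCE_PORTS = {53}        # ports legacy firewall rules tend to allow by sport

KV_RE = re.compile(r"(\w+)=(\S*)")
TCP_FLAGS = ("SYN", "ACK", "FIN", "RST", "PSH", "URG")

SAMPLE_LOG = [  # constructed, iptables "LOG --log-prefix" style
    'Dec 10 09:12:01 fw kernel: FW-ACCEPT IN=eth0 OUT= SRC=203.0.113.7 DST=10.129.2.28 LEN=44 TTL=52 PROTO=TCP SPT=53 DPT=50000 WINDOW=1024 RES=0x00 SYN URGP=0',
    'Dec 10 09:12:01 fw kernel: FW-ACCEPT IN=eth0 OUT= SRC=203.0.113.7 DST=10.129.2.28 LEN=44 TTL=52 PROTO=TCP SPT=53 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0',
    'Dec 10 09:12:02 fw kernel: FW-ACCEPT IN=eth0 OUT= SRC=10.0.0.53 DST=10.129.2.28 LEN=96 TTL=63 PROTO=UDP SPT=53 DPT=41022 LEN=76',
    'Dec 10 09:12:02 fw kernel: FW-ACCEPT IN=eth0 OUT= SRC=10.0.0.53 DST=10.129.2.28 LEN=52 TTL=63 PROTO=TCP SPT=53 DPT=40001 WINDOW=501 RES=0x00 ACK PSH URGP=0',
    'Dec 10 09:12:03 fw kernel: FW-ACCEPT IN=eth0 OUT= SRC=198.51.100.4 DST=10.129.2.28 LEN=60 TTL=58 PROTO=TCP SPT=44123 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0',
    'Dec 10 09:12:04 fw kernel: FW-ACCEPT IN=eth0 OUT= SRC=203.0.113.7 DST=10.129.2.28 LEN=44 TTL=52 PROTO=TCP SPT=53 DPT=50000 WINDOW=1024 RES=0x00 SYN URGP=0',
]


def parse_iptables_line(line: str) -> dict:
    """Turn one LOG line into a dict; TCP flags appear as bare words, not key=value."""
    fields = dict(KV_RE.findall(line))
    fields["flags"] = {f for f in TCP_FLAGS if re.search(rf"\b{f}\b", line)}
    return fields


def is_disguised_probe(f: dict) -> bool:
    """True for a bare SYN from a 'trusted' source port sent by an untrusted host."""
    try:
        sport = int(f.get("SPT", -1))
    except ValueError:
        return False
    return (f.get("PROTO") == "TCP"
            and sport in PRIVILEGED_SOURCE_PORTS
            and "SYN" in f["flags"] and "ACK" not in f["flags"]
            and f.get("SRC") not in TRUSTED_RESOLVERS)


def detect(lines) -> dict:
    """Map each offending source IP to the sorted destination ports it probed."""
    hits = defaultdict(set)
    for line in lines:
        f = parse_iptables_line(line)
        if "PROTO" in f and is_disguised_probe(f):
            hits[f["SRC"]].add(int(f["DPT"]))
    return {src: sorted(ports) for src, ports in hits.items()}


if __name__ == "__main__":
    for src, ports in detect(SAMPLE_LOG).items():
        print(f"{src}: bare SYNs from source port 53 to ports {ports}")
```

Detection is the fallback; the durable fix is to stop trusting the source port at all. A rule such as `iptables -A INPUT -p tcp --sport 53 -j ACCEPT` is exactly the weak setting the trick relies on, whereas `iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT` admits DNS replies only as part of a flow the inside host opened, so a fresh SYN from port 53 is evaluated like any other new connection.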
