Cybersecurity for Everyone! Powered by NextGen AI!

NMAP Tutorial


NMAP (Network Mapper) is a powerful open-source tool used for network exploration and security auditing. It was designed to rapidly scan large networks, but it also works fine against single hosts. NMAP uses raw IP packets to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics.


NMAP can be installed on various operating systems, including Windows, Linux, and macOS. You can download it from the official NMAP website (

For Linux, you can also use the package manager to install NMAP. For example, on Ubuntu or Debian, you can use the following command:

sudo apt-get install nmap

On CentOS or RHEL, you can use:

sudo yum install nmap

Understanding NMAP Commands

NMAP commands are structured as follows:

nmap [Scan Type] [Options] {target specification}
  • Scan Type: This determines the type of scan NMAP will perform. For example, -sS for SYN scan, -sU for UDP scan, etc.
  • Options: These are additional parameters that modify the behavior of NMAP. For example, -p- to scan all ports, -v for verbose output, etc.
  • Target Specification: This is where you specify the IP addresses or hostnames of the targets you want to scan.

Basic Scanning Techniques

Ping Scan

A ping scan is used to check if a host is online. It does not scan ports and is therefore quick and non-intrusive.

nmap -sn

Port Scan

A port scan checks for open ports on a host. The most common type of port scan is the SYN scan (-sS), which is fast and unobtrusive.

nmap -sS

Version Scan

A version scan (-sV) is used to determine the version of the services running on open ports.

nmap -sV

OS Scan

An OS scan (-O) attempts to determine the operating system of the host.

nmap -O

More Scanning Techniques

Stealth Scan

A stealth scan (-sS) is a type of port scan that is less likely to be detected by intrusion detection systems.

nmap -sS

UDP Scan

A UDP scan (-sU) is used to check for open UDP ports. This scan is slower and more likely to be detected than a SYN scan.

nmap -sU

Comprehensive Scan

A comprehensive scan combines several scanning techniques to gather as much information as possible about a host.

nmap -sS -sU -T4 -A -v

NMAP Scripting Engine

NMAP’s Scripting Engine (NSE) allows users to write scripts to automate a wide variety of networking tasks. Thesescripts are written in the Lua programming language and can be used for tasks such as network discovery, vulnerability detection, exploitation, and more.

To use a script, you can use the --script option followed by the name of the script. For example, the ssl-enum-ciphers script can be used to enumerate a server’s SSL cipher suite:

nmap --script ssl-enum-ciphers -p 443

NMAP comes with a large number of scripts included, but you can also write your own. The scripts are located in the /usr/share/nmap/scripts/ directory on Linux systems.

Firewall Evasion

NMAP includes several techniques for evading firewalls and intrusion detection systems. These techniques can be used to perform scans on networks where standard scans are detected and blocked.

  • Fragmentation (-f): This option causes NMAP to send packets that are smaller than the usual size, which can help evade certain types of detection.
nmap -f
  • Decoy Scan (-D): This option allows NMAP to spoof the source IP address of the scan, making it appear as if the scan is coming from other hosts.
nmap -D RND:10
  • Idle Scan (-sI): This is a type of scan where NMAP uses a “zombie” host to perform the scan, making it difficult to detect where the scan is actually coming from.
nmap -sI [Zombie IP]

Aggressive Scan

An aggressive scan (-A) combines several options to perform a more detailed scan. It includes OS detection, version detection, script scanning, and traceroute.

nmap -A

Timing Templates

NMAP offers timing templates (-T) that can be used to speed up or slow down the scan. The options range from 0 (paranoid) to 5 (insane).

nmap -T4

Specific Port Scan

To scan a specific port or range of ports, you can use the -p option. For example, to scan port 80:

nmap -p 80

Or to scan a range of ports:

nmap -p 1-100

Fast Scan

The fast scan (-F) option scans fewer ports than the default scan, making it quicker.

nmap -F

Scan All Ports

To scan all 65535 ports, you can use the -p- option.

nmap -p-

TCP SYN/Connect/ACK/Window/Maimon Scans

These are different types of TCP scans that can be performed with NMAP.

nmap -sS  # SYN scan
nmap -sT  # Connect scan
nmap -sA  # ACK scan
nmap -sW  # Window scan
nmap -sM  # Maimon scan

IP Protocol Scan

The IP protocol scan (-sO) checks to see which IP protocols (TCP, ICMP, IGMP, etc.) are supported by the target.

nmap -sO

FTP Bounce Attack Scan

The FTP bounce attack scan (-b) involves using a vulnerable FTP server to port-scan other hosts.

nmap -b [FTP Server IP]

Detecting Firewall Settings

The FIN scan (-sF), NULL scan (-sN), and Xmas scan (-sX) can be used to detect firewall settings.

nmap -sF  # FIN scan
nmap -sN  # NULL scan
nmap -sX  # Xmas scan

Saving Scan Results

You can save scan results to a file using the -oN (normal), -oX (XML), -oG (grepable), or -oA (all) options.

nmap -oN output.txt  # Save as normal
nmap -oX output.xml  # Save as XML
nmap -oG output.txt # Save as grepable
nmap -oA output  # Save in all formats

Scanning Multiple Targets

You can scan multiple targets by separating them with a space.


Scanning a List of Targets

You can also scan a list of targets from a file using the -iL option.

nmap -iL targets.txt

Excluding Targets

To exclude certain targets from a scan, you can use the --exclude option.

nmap --exclude

Or to exclude targets listed in a file, you can use the --excludefile option.

nmap --excludefile excluded.txt

Service Version Detection

To detect service versions, you can use the -sV option.

nmap -sV

Verbose Output

For more detailed output, you can use the -v option.

nmap -v


For even more detailed output, you can use the -d option.

nmap -d

Packet Tracing

To trace packets, you can use the --packet-trace option.

nmap --packet-trace

NMAP is a powerful tool for network discovery and security auditing. It provides a wide range of features that can be used to explore and analyze networks, identify vulnerabilities, and much more. However, it’s important to remember that while NMAP is a powerful tool, it should only be used responsibly and ethically. Always get proper authorization before scanning a network.

This tutorial has covered the basics of using NMAP, but there is much more to learn. The official NMAP documentation ( is a great resource for further study.

    Leave a Reply

    Harnessing Auto-GPT for Penetration Testing with OSINT Understanding Docker Through the LEGO Analogy: A Comprehensive Guide Embracing Zero Trust Architecture: The Future of Enterprise Security A Guide to Secure Online Banking and Financial Transactions 5 Best Practices for Secure Password Management