Nmap Tutorial: Network Scanning From Zero to Discovery

TL;DR

Nmap is the most widely used network scanning tool in cybersecurity, relied on by over 80% of penetration testers for reconnaissance. This tutorial walks beginners through every essential Nmap technique: host discovery with ping sweeps, TCP connect and SYN stealth scans, UDP scanning, service version detection, OS fingerprinting, and Nmap Scripting Engine (NSE) automation. Each concept includes real terminal commands you can run in your own lab.

The engagement was supposed to be routine. Elena, a junior penetration tester on her first professional assessment, sat in a conference room with her laptop connected to the client's guest network. Her team lead had briefed her on the scope: one /24 subnet, 254 possible hosts, full port enumeration. She had studied the methodology in training, read the documentation, and passed her certification exam. Now she needed to actually find live machines, figure out what they were running, and document every exposed service before the offensive team could begin exploitation.

She opened a terminal and typed her first Nmap command. Within seconds, results started scrolling. Host 10.0.1.12: ports 22, 80, 443 open. Host 10.0.1.35: ports 21, 139, 445 open. An SMB file share on an unpatched server. A web application running an outdated version of Apache. A database port exposed to the entire subnet. In 20 minutes, Elena had mapped the attack surface that would guide the entire engagement. The network told her everything she needed to know. She just had to ask the right questions.

That is what Nmap does. It translates the abstract concept of network security into concrete, actionable data. Every open port is a door. Every running service is a conversation waiting to happen. Nmap helps you find them all.

What Nmap Actually Does

Nmap, short for Network Mapper, is an open source tool created by Gordon Lyon in 1997. It sends specially crafted packets to target hosts and analyzes the responses to determine which hosts are alive, which ports are open, what services are running, and often what operating system the target uses.

Unlike passive monitoring tools such as Wireshark, Nmap is an active scanner. It generates traffic and observes how the target reacts. This makes it indispensable for penetration testing, network auditing, and security assessments, but it also means you must have authorization before scanning any network you do not own.

Install Nmap from nmap.org or through your system's package manager. On Kali Linux, it comes pre-installed. On Ubuntu or Debian, run:

sudo apt install nmap

On macOS with Homebrew:

brew install nmap

Verify the installation:

nmap --version

You should see version 7.90 or later. With Nmap installed, you are ready to start scanning.

Host Discovery: Finding Live Targets

Before scanning ports, you need to know which hosts on the network are actually alive. Scanning all 65,535 ports on 254 addresses when only 12 machines exist wastes time and generates unnecessary noise. Host discovery narrows the field.

The simplest discovery technique is a ping sweep, which sends ICMP echo requests to every address in a range and notes which ones respond:

nmap -sn 192.168.1.0/24

The -sn flag tells Nmap to skip port scanning and only check whether hosts are up. Output shows each responding host with its IP address and, when available, its hostname and MAC address. On a typical home network, this finishes in under 5 seconds.

Some hosts block ICMP. When ping fails, Nmap uses additional techniques. The following command combines ARP discovery (effective on local networks), TCP SYN probes to port 443, TCP ACK probes to port 80, and ICMP timestamp requests:

sudo nmap -sn -PE -PS443 -PA80 -PP 192.168.1.0/24

The sudo prefix is important here. Several discovery methods require raw socket access, which only root or administrator accounts can use.

TCP Scanning: Connect Scans and SYN Stealth Scans

Once you know which hosts are alive, port scanning reveals which services are listening for connections. TCP scanning is the most common approach because TCP powers the majority of networked services: web servers, SSH, databases, email, and more.

TCP Connect Scan

The TCP connect scan is the most straightforward method. Nmap completes a full three way handshake (SYN, SYN-ACK, ACK) with each port. If the connection succeeds, the port is open. If the target returns a RST packet, the port is closed.

nmap -sT 192.168.1.10

This scan requires no special privileges because it uses the operating system's normal connection mechanism. The trade-off is visibility: a complete TCP connection appears in server logs, firewall records, and IDS/IPS alerts. If stealth matters, use a SYN scan instead.

SYN Stealth Scan

The SYN scan, also called a half-open scan, is Nmap's default when you run it with root privileges. It sends a SYN packet and waits for a response without completing the handshake:

sudo nmap -sS 192.168.1.10

If the target responds with SYN-ACK, the port is open. Nmap immediately sends a RST to tear down the connection before it is fully established. If the target responds with RST, the port is closed. If there is no response after several retransmissions, the port is marked as filtered, meaning a firewall or packet filter is likely blocking traffic.

A default SYN scan checks 1,000 of the most commonly used TCP ports. To scan all 65,535 ports:

sudo nmap -sS -p- 192.168.1.10

The -p- flag means "all ports." You can also specify custom ranges. Scan only the top web and database ports:

sudo nmap -sS -p 21,22,80,443,3306,5432,8080,8443 192.168.1.10

UDP Scanning: The Forgotten Protocol

Many security assessments focus exclusively on TCP and miss critical services running on UDP. DNS (port 53), SNMP (port 161), DHCP (port 67/68), and NTP (port 123) all rely on UDP. A vulnerable SNMP service with default community strings can expose the entire network configuration to an attacker.

UDP scanning is fundamentally slower than TCP because there is no handshake. Nmap sends a UDP packet to the target port. If the port is closed, the target returns an ICMP "port unreachable" message. If the port is open, it may respond with data, or it may send nothing at all. That silence makes UDP scanning a game of waiting for timeouts.

sudo nmap -sU --top-ports 100 192.168.1.10

The --top-ports 100 flag limits the scan to the 100 most commonly used UDP ports, which dramatically reduces scan time. A full UDP scan of 65,535 ports can take over an hour on a single host. For thorough assessments, combine TCP and UDP:

sudo nmap -sS -sU -p T:1-1000,U:53,67,68,123,161,162,500 192.168.1.10

This scans the top 1,000 TCP ports and specific high-value UDP ports in a single pass.

Service Version Detection

Knowing that port 8080 is open tells you very little. Knowing that it runs Apache Tomcat 9.0.43 tells you exactly which CVEs to check. Version detection transforms a list of open ports into an inventory of software you can research, test, and report.

sudo nmap -sV 192.168.1.10

The -sV flag triggers Nmap's service probes. For each open port, Nmap sends a series of protocol-specific requests and compares responses against a database of over 11,000 service signatures. Output includes the service name, version number, and sometimes additional details like the OS distribution or configured hostname.

You can control detection intensity. The default level (7 out of 9) balances accuracy with speed. For maximum accuracy on critical targets:

sudo nmap -sV --version-intensity 9 192.168.1.10

For faster scans during initial reconnaissance, lower the intensity:

sudo nmap -sV --version-light 192.168.1.10

Version detection is where Nmap transitions from reconnaissance to actionable intelligence. A vulnerability scanner cross references the exact version string against databases like the National Vulnerability Database (NVD). Finding OpenSSH 7.4 on a server in 2026 immediately tells you that system is years behind on security patches.

OS Detection and Fingerprinting

Nmap identifies operating systems by analyzing subtle differences in how TCP/IP stacks are implemented. Windows, Linux, macOS, and network appliances all respond to specially crafted packets in slightly different ways. These differences form a fingerprint that Nmap matches against its database.

sudo nmap -O 192.168.1.10

OS detection works best when at least one open and one closed port exist on the target. Without both, Nmap cannot send the full range of probe packets needed for accurate fingerprinting. The output includes the OS family, version estimate, and a confidence percentage.

For a comprehensive initial scan that combines SYN scanning, version detection, and OS detection:

sudo nmap -sS -sV -O 192.168.1.10

Or use the -A flag, which enables OS detection, version detection, script scanning, and traceroute in one command:

sudo nmap -A 192.168.1.10

The -A flag is called "aggressive" mode. It generates significant network traffic and takes longer to complete, so use it on focused targets rather than entire subnets.

The Nmap Scripting Engine

The Nmap Scripting Engine (NSE) extends Nmap from a port scanner into a full reconnaissance platform. Written in Lua, NSE includes over 600 scripts organized into categories: auth for authentication testing, vuln for vulnerability detection, discovery for network enumeration, brute for credential testing, and more.

Run the default set of scripts against a target:

sudo nmap -sC 192.168.1.10

The -sC flag is equivalent to --script=default and runs scripts considered safe and useful for most assessments. Default scripts include SSH key fingerprinting, HTTP title extraction, SSL certificate analysis, and SMB share enumeration.

Target specific vulnerability categories:

sudo nmap --script vuln 192.168.1.10

This runs every script in the vuln category, checking for known vulnerabilities in detected services. Be aware that some vulnerability scripts actively exploit weaknesses (like testing for default credentials), so review script documentation before running them against production systems.

Run individual scripts for focused checks. Test for the EternalBlue SMB vulnerability (MS17-010):

sudo nmap --script smb-vuln-ms17-010 -p 445 192.168.1.10

Check SSL/TLS configuration on web servers:

sudo nmap --script ssl-enum-ciphers -p 443 192.168.1.10

The SANS Institute recommends combining NSE with version detection for maximum coverage:

sudo nmap -sV -sC --script vuln 192.168.1.10

You can explore the full list of available scripts at nmap.org/nsedoc.

Output Formats: Saving Your Results

Professional assessments produce evidence. Raw terminal output is difficult to parse, search, and include in reports. Nmap supports multiple output formats for different purposes.

Normal output to a text file:

sudo nmap -sS -sV -oN scan_results.txt 192.168.1.10

XML output for integration with other tools (Metasploit, vulnerability scanners, custom parsers):

sudo nmap -sS -sV -oX scan_results.xml 192.168.1.10

Grepable output for quick command line analysis:

sudo nmap -sS -sV -oG scan_results.gnmap 192.168.1.10

Save in all three formats simultaneously:

sudo nmap -sS -sV -oA scan_results 192.168.1.10

The -oA flag creates three files with the base name you specify: .nmap (normal), .xml (XML), and .gnmap (grepable). Always use -oA on real engagements. You never know which format you will need later, and re-scanning the target to get a different output format wastes time and generates additional network noise.

Putting It All Together: A Practical Workflow

A structured Nmap workflow moves through four phases, each building on the previous results.

Phase 1: Host Discovery. Sweep the target range to find live hosts.

sudo nmap -sn 10.0.1.0/24 -oA discovery

Phase 2: Quick Port Scan. Scan discovered hosts for the most common ports.

sudo nmap -sS --top-ports 1000 -iL targets.txt -oA quick_scan

Phase 3: Deep Enumeration. Run full port scans with version and OS detection on interesting targets.

sudo nmap -sS -sV -O -p- -iL priority_targets.txt -oA deep_scan

Phase 4: Targeted NSE. Run vulnerability and enumeration scripts against specific services.

sudo nmap -sV --script vuln,auth -p 21,22,80,443,445 -iL priority_targets.txt -oA vuln_scan

This phased approach is efficient and methodical. You avoid spending hours on full port scans of irrelevant hosts, and you build a complete picture that documents every finding for your report.

Timing and Performance

Nmap provides timing templates from T0 (paranoid) to T5 (insane). The default is T3 (normal). On internal assessments where stealth is less critical, increase speed:

sudo nmap -T4 -sS -sV -p- 192.168.1.10

On external assessments where IDS evasion matters, slow the scan down:

sudo nmap -T2 -sS -sV 10.0.1.10

The T4 template is the most commonly used in professional assessments. It provides a meaningful speed increase without overwhelming target networks. Avoid T5 on production networks because the aggressive timing can cause packet loss and produce inaccurate results.

Common Mistakes to Avoid

Beginners often make the same errors when starting with Nmap. Running all port scans without starting with host discovery wastes time and bandwidth. Forgetting the sudo prefix means Nmap falls back to TCP connect scans instead of faster SYN scans. Scanning without saving output means losing results you cannot reproduce. Ignoring UDP leaves a blind spot that attackers will not ignore. Using aggressive timing (T5) on congested networks produces unreliable results because timeouts trigger false negatives.

The most significant mistake is treating Nmap as a point and click tool rather than understanding what each scan type does at the packet level. When you understand that a SYN scan works by manipulating the TCP handshake, you can make informed decisions about which scan type fits each situation. When you understand that UDP scanning relies on ICMP responses from closed ports, you understand why it takes so long and how to optimize it.

What to Practice Next

Nmap is a tool you learn by using. Set up a home lab with virtual machines running different operating systems and services. Scan them systematically. Compare SYN scan results to connect scan results and observe the differences in your Wireshark captures. Run version detection against known services and verify the accuracy. Explore NSE scripts by reading their documentation and testing them against intentionally vulnerable machines like Metasploitable 2 or DVWA.

Learn the Linux command line if you have not already, because Nmap's full power comes from chaining it with other command line tools. Pipe grepable output into awk to extract specific fields. Use diff to compare scan results over time and detect new services. Feed XML output into frameworks like Metasploit for exploitation workflows.

Elena finished her first engagement with a 47 page report documenting every host, every open port, every outdated service version, and every vulnerability the team exploited. Nmap provided the foundation for all of it. The tool did not require months of study or advanced programming skills. It required a terminal, a target she had permission to scan, and the willingness to type commands and read the output. The network tells you everything. You just need to know how to listen.