How to use Nmap

A quick, practical guide to using Nmap—from basic scans to advanced features. Perfect for beginners in cybersecurity.

Nmap (Network Mapper) is a powerful open-source tool used for network discovery and security auditing. It helps you scan networks to find live hosts, open ports, the operating systems in use, and the services running on them — perfect for network admins and cybersecurity pros to map and secure systems quickly.


What is it capable of?

At its core, Nmap uses raw IP packets in innovative ways to determine:

  1. Host Discovery: Which hosts are alive and accessible on a network.

  2. Port Scanning: Which ports are open on those hosts, indicating active services.

  3. Service and Version Detection: What applications and their versions are running on those open ports (e.g., Apache web server 2.4.x, OpenSSH 8.x).

  4. Operating System (OS) Detection: The operating system and even the specific version running on the target host (e.g., Linux 5.15, Windows Server 2019).

  5. Firewall and Packet Filter Detection: What type of packet filters or firewalls are in use.

Nmap's capabilities are further extended by its Nmap Scripting Engine (NSE), which allows users to write or use pre-existing scripts to automate various network interaction tasks, including vulnerability detection, backdoor detection, and more.


Why is it so important?

Nmap's versatility makes it a critical tool for various professionals and enthusiasts:

  • Cybersecurity Professionals (Penetration Testers, Security Analysts): Nmap is a foundational tool for reconnaissance. It helps identify potential attack surfaces, discover misconfigurations, and pinpoint vulnerable services before a malicious actor does.

  • Network Administrators: For inventory management, network mapping, identifying unauthorized devices, auditing network security, and troubleshooting connectivity issues.

  • System Administrators: To ensure that only intended services are running on their servers and to verify firewall rules.

  • Homelabbers and Enthusiasts: To understand their home network, experiment with network security concepts, and secure their personal infrastructure.


Installation

Nmap is primarily a command-line tool, known for its extensive set of options. Don't be intimidated; mastering a few basic commands will unlock a significant amount of its power. It's available for all major operating systems (Linux, Windows, macOS, BSD). I highly recommend using it on a Linux environment.

sudo apt update
sudo apt install nmap


How to use Nmap

1. Single-Host scan


The simplest way to use Nmap is to scan a single IP address or hostname. By default, Nmap performs a TCP SYN scan (also known as a "stealth scan") on the 1000 most common ports. It sends a TCP SYN packet to each port; if the host is alive and the port is open, it responds with a SYN-ACK, and Nmap then sends a TCP RST to close the connection without completing the three-way handshake.

nmap 192.168.1.3 # <- The IP address of the machine we want to scan
nmap lucafacchini.com # <- We can also use a hostname

Example Output

Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-07 14:45 W. Europe Summer Time
Nmap scan report for 192.168.1.3
Host is up (0.00082s latency).
Not shown: 997 filtered tcp ports (no-response)
PORT    STATE SERVICE
53/tcp  open  domain
80/tcp  open  http
443/tcp open  https
MAC Address: BC:24:11:0A:45:BA (Proxmox Server Solutions GmbH)

Nmap done: 1 IP address (1 host up) scanned in 11.53 seconds

2. Host-Discovery Scan


To discover online hosts in a Network there are several techniques:

  • Ping Sweeps (ICMP Echo Requests): Sending ICMP echo requests to a set of IP addresses and noting which ones reply; this works in most cases.

  • ARP Scanning: Sends ARP requests to every IP of the subnet to see if anyone responds. It only works on an internal network, so only if you're already connected to that network!

  • TCP-SYN Scan: Sends TCP SYN packets to hosts in the network. If the host is alive, it will respond with a SYN-ACK (or a RST if the port is closed). Then, a TCP RST is sent to close the connection, not completing the three-way handshake.

ICMP Scan


To quickly determine which hosts are online without performing a full port scan, use the ping scan (-sn). It sends an ICMP echo request to each address and notes which ones reply. For example, to check whether the addresses in a range (say, 192.168.1.0 to 192.168.1.255) are online, use the following command:

nmap -PE -sn 192.168.1.0/24

  • -PE → Use ICMP Echo Request (classic ping) for host discovery.

  • -sn → “Ping scan” mode — no port scanning, just discover live hosts.

  • 192.168.1.0/24 → Your subnet. Replace with your real local network range

How it works

  1. Sends ICMP Echo Request packets to each IP.

  2. If the target replies with an ICMP Echo Reply, it’s marked as “up”.

ARP Scan


If you want to discover hosts in your local network using ARP with nmap, the key is that ARP discovery works only on the local Ethernet segment (Layer 2).

nmap -PR -sn 192.168.1.0/24

  • -PR → Use ARP requests for host discovery (instead of ICMP or TCP ping).

  • -sn → “Ping scan” mode — no port scanning, just discover live hosts.

  • 192.168.1.0/24 → Your subnet. Replace with your real local network range.

How it works

  1. Sends ARP requests to every IP in the range.

  2. Any device that’s up will reply with an ARP response (you don’t need to worry about firewalls blocking ICMP or TCP).

TCP-SYN Ping Scan


A TCP SYN ping scan in nmap is a way to discover hosts by sending TCP SYN packets to specific ports and seeing who replies — kind of like a "stealth handshake" just for host discovery.

nmap -PS80,443 -sn 192.168.1.0/24

  • -PS → TCP SYN ping; sends a SYN packet to the given port(s).

  • 80,443 → The ports to probe (web ports are common because they’re often open).

  • -sn → Ping scan mode (no port scan after host discovery).

  • 192.168.1.0/24 → Target range.

How it works

  1. Sends a TCP SYN to the target ports.

  2. If the target replies with SYN/ACK, the port is open → host is considered up.

  3. If the target replies with RST, the port is closed but the host is still considered up (an offline machine could not have answered at all).

  4. No reply at all? Possibly filtered or offline.

3. Port Scanning


Nmap offers various port scanning methods, each with its own characteristics regarding speed, stealth, and accuracy.

  1. TCP SYN Scan (-sS): The "Stealth" Scan. This is the default and most popular type of TCP scan. It's called "stealthy" because it doesn't complete the full TCP three-way handshake; it only sends the initial part of the connection request. Specifically, it sends a SYN packet (like knocking on the door). If the target replies with a SYN-ACK (the door is open), the scanner immediately sends a RST (reset) packet to abort the connection before it fully opens; a RST reply from the target instead means the port is closed.

    Because the connection never fully establishes, this scan is less likely to be noticed or logged by the target system’s monitoring tools, making it useful for quietly checking which ports are open.

nmap -sS 192.168.1.10

  2. TCP Connect Scan (-sT): The "Full Connect" Scan. This type of scan completes the full TCP three-way handshake, just as two devices do when they actually connect and communicate over the network. It sends a SYN packet to start, waits for a SYN-ACK reply from the target, and then sends an ACK to finish establishing the connection. After that, it usually closes the connection normally.

    Because it completes all these steps, this scan takes more time than other types and is easier for firewalls or security systems to notice. However, it’s still useful in situations where the scanner can’t use special low-level network access (called raw packet access)—for example, on some Windows computers that don’t allow sending custom network packets directly.

What is low-level (raw packet) access?

Think of your computer like a post office.

  • Normally, when programs send data over the network, they use envelopes (TCP, UDP, etc.) and your operating system handles all the details — like the address, stamps, and delivery rules.

  • But raw packet access lets a program build its own envelopes and write anything it wants inside — even weird or incomplete ones.

This is called "low-level" access because the program is working closer to the core of the network system, not just using the high-level tools the OS gives it.

nmap -sT 192.168.1.10

  3. UDP Scan (-sU): Scanning for Connectionless Services

    Some network services, like DNS, SNMP, and DHCP, use UDP (User Datagram Protocol) instead of TCP (Transmission Control Protocol). Unlike TCP, which starts a connection with a three-way handshake (a sort of "hello, are you there?" process), UDP doesn't do any handshake at all. It just sends data without checking if the other side is ready or even exists.

    Because of this, UDP is faster, but also less reliable — there's no guarantee the data will arrive or be received correctly.

    When you're scanning a network, UDP scans are harder to perform than TCP scans:

    • They are usually slower, because there's no response unless the service is listening and chooses to reply.

    • They can be unreliable, because firewalls often block or ignore UDP traffic.

    • However, they’re still important — if you skip UDP scans, you might miss important services running on a network.

nmap -sU 192.168.1.10

  4. Scanning Specific Ports (-p): You can specify individual ports, ranges, or a combination.

  • Single Port

nmap -p 80 192.168.1.10 # <- "80" is the port you want to scan

  • Multiple Ports

nmap -p 22,80,443 192.168.1.10 # <- "22", "80", "443" are the ports you want to scan.

  • Port Range

nmap -p 1-1024 192.168.1.10 # <- You want to scan ports from 1 to 1024

  • All Ports

nmap -p- 192.168.1.10 # <- Scans all ports (1-65535)
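Added example, not part of the original post: the SYN scan above is described as quieter than a connect scan, but its network footprint is still distinctive from a defender's side. One source sends SYNs to many ports on a host and never sends a bare ACK (a -sT connect scan completes the handshake, so ACKs appear). The snippet below runs that rule over a constructed log; the "src dst dport flags" line format and the min_ports threshold are assumptions made for the example.

```python
"""Spot SYN-scan style port sweeps in a constructed TCP flag log."""
from collections import defaultdict

# Constructed sample log, one packet per line: "src dst dport flags".
# 10.0.0.5 probes many ports with SYN/RST only (-sS behaviour);
# 10.0.0.9 opens one ordinary HTTP connection (SYN, ACK, FIN).
SAMPLE_LOG = """\
10.0.0.5 192.168.1.10 22 S
10.0.0.5 192.168.1.10 22 R
10.0.0.5 192.168.1.10 80 S
10.0.0.5 192.168.1.10 80 R
10.0.0.5 192.168.1.10 443 S
10.0.0.5 192.168.1.10 443 R
10.0.0.5 192.168.1.10 8080 S
10.0.0.5 192.168.1.10 3306 S
10.0.0.5 192.168.1.10 5432 S
10.0.0.9 192.168.1.10 80 S
10.0.0.9 192.168.1.10 80 A
10.0.0.9 192.168.1.10 80 F
"""


def parse_log(text):
    """Yield (src, dst, dport, flags) tuples from the constructed log format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, dport, flags = line.split()
        yield src, dst, int(dport), flags


def find_syn_scanners(records, min_ports=5):
    """Return {(src, dst): sorted ports} for sources that sent SYNs to at
    least min_ports distinct ports on a host and never sent a bare ACK,
    i.e. never completed a handshake (the -sS pattern, not -sT)."""
    syn_ports = defaultdict(set)
    ack_seen = set()
    for src, dst, dport, flags in records:
        key = (src, dst)
        if flags == "S":
            syn_ports[key].add(dport)
        elif "A" in flags:
            ack_seen.add(key)
    return {key: sorted(ports) for key, ports in syn_ports.items()
            if len(ports) >= min_ports and key not in ack_seen}


if __name__ == "__main__":
    for (src, dst), ports in find_syn_scanners(parse_log(SAMPLE_LOG)).items():
        print(f"possible SYN scan from {src} against {dst}: ports {ports}")
```

On real traffic the same rule would be applied per time window (e.g. from firewall or NetFlow records), since a slow scan spreads the SYNs over hours.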

4. Service and Version Detection

Once Nmap finds open ports, it can attempt to determine the specific service and its version running on that port. This is crucial for identifying known vulnerabilities associated with particular software versions.

nmap -sV 192.168.1.10

5. Operating System Detection

Nmap can try to guess the operating system of the target host by analyzing its TCP/IP stack fingerprint. This often requires root/administrator privileges.

nmap -O 192.168.1.10

6. Aggressive Scan

The aggressive scan option enables OS detection, version detection, script scanning, and traceroute in one go. It provides a wealth of information but generates more network traffic and can be more easily detected.

nmap -A 192.168.1.10

I also recommend saving your output to a file, so that you don't lose track of it.

Normal output

nmap 192.168.1.10 -oN results.txt

XML output (useful for parsing with other tools)

nmap -sV -O 192.168.1.10 -oX results.xml
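Added example, not part of the original post: one practical use of the XML output is the sysadmin check mentioned earlier, verifying that only intended services are open. The snippet below parses the nmaprun format (host, address, ports, port, state, service elements) and reports open ports that are missing from an allow-list. The embedded XML is constructed to follow that layout rather than copied from a real scan, and the EXPECTED allow-list is a hypothetical one for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the layout Nmap writes with -oX (attributes trimmed);
# not real scanner output.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX results.xml 192.168.1.10">
<host><status state="up" reason="arp-response"/>
<address addr="192.168.1.10" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
<service name="ssh" product="OpenSSH" version="8.9p1"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
<service name="http" product="Apache httpd" version="2.4.52"/></port>
<port protocol="tcp" portid="3306"><state state="open" reason="syn-ack"/>
<service name="mysql"/></port>
<port protocol="tcp" portid="443"><state state="closed" reason="reset"/></port>
</ports></host></nmaprun>
"""

# Hypothetical allow-list of (host, protocol, port) the admin expects open.
EXPECTED = {("192.168.1.10", "tcp", 22), ("192.168.1.10", "tcp", 80)}


def open_ports(xml_text):
    """Return (addr, proto, port, service, version) for every open port
    on every host reported up; closed/filtered ports are skipped."""
    found = []
    for host in ET.fromstring(xml_text).iter("host"):
        if host.find("status").get("state") != "up":
            continue
        addr = host.find("address[@addrtype='ipv4']").get("addr")
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue
            svc = port.find("service")
            name = svc.get("name", "unknown") if svc is not None else "unknown"
            parts = (svc.get("product"), svc.get("version")) if svc is not None else ()
            version = " ".join(p for p in parts if p)
            found.append((addr, port.get("protocol"), int(port.get("portid")), name, version))
    return found


def unexpected_ports(xml_text, expected=EXPECTED):
    """Open ports missing from the allow-list: review the service or firewall rule."""
    return [p for p in open_ports(xml_text) if p[:3] not in expected]


if __name__ == "__main__":
    for addr, proto, port, name, version in unexpected_ports(SAMPLE_XML):
        print(f"{addr} {port}/{proto} ({name} {version}) is open but not expected")
```

To run it against a real file, replace SAMPLE_XML with the contents of results.xml from the -oX command above.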


Conclusion

Nmap is a powerhouse tool that every tech enthusiast, network administrator, and cybersecurity professional should have in their arsenal. From simple host discovery to in-depth service and OS fingerprinting, it provides the visibility needed to understand, secure, and troubleshoot networks effectively. Start with the basic commands, experiment in a controlled environment (like your own home network or a lab VM), and gradually explore its more advanced features. The knowledge you gain from Nmap will be invaluable on your journey through the world of computer science and cybersecurity.

Happy scanning!