Nmap (Network Mapper) is the open-source tool of choice for host and service discovery on a network. It is flexible and powerful, and is used by sysadmins, penetration testers and security teams to build inventories, locate misconfigurations and decide which fixes to make. This guide explains how to use Nmap responsibly, what the common options mean, how to interpret results and what to do after scanning.
Critical: only scan networks you own or have specific permission to test (written permission when working with clients). Unauthorized scans may be unlawful and disruptive.
1) Quick install (one-liners)
Linux (Debian/Ubuntu): sudo apt update && sudo apt install nmap.
macOS (Homebrew): brew install nmap.
Windows: Get the official installer on the Nmap project site, and install.
(Install packages securely and up-to-date)
2) Basic concepts
Host discovery: locate live hosts (ICMP, ARP, TCP pings).
Port scan: identify the open TCP/UDP ports.
Service/version determination: determine services (e.g., ssh, http) and versions.
OS detection: fingerprint the operating system.
NSE (Nmap Scripting Engine): run scripts for discovery, vulnerability checks, authentication, etc.
Output options: human-readable or machine-readable (-oN, -oX, -oG, -oA).
3) Safe scans (laboratory practice or permission)
Scan your local machine
nmap localhost
Simple and harmless - displays the open ports on this host.
Ping scan a home subnet (live host scan)
nmap -sn 192.168.1.0/24
-sn: host discovery only (no port scan). On an Ethernet LAN, ARP discovery is used and it is extremely quick.
4) Scan types (common and useful) and flags (explained)
1. TCP SYN scan (fast + common)
sudo nmap -sS 192.168.1.50
-sS performs a SYN (half-open) scan: it is efficient and is the scan normally used in security testing. Root privileges (sudo) are required.
2. TCP Scan without using raw sockets (connect)
nmap -sT 192.168.1.50
-sT uses the OS connect() call, so it works on systems that do not allow raw sockets (no root needed).
3. UDP scan
sudo nmap -sU -p 53,123 192.168.1.50
-sU scans UDP ports; it is slower and noisier than TCP scanning, and UDP services respond inconsistently.
4. Service/version detection
nmap -sV 192.168.1.50
-sV probes open ports to identify the service and version strings.
5. Aggressive scan (all-in-one)
sudo nmap -A 192.168.1.50
-A enables OS detection, version detection, script scanning and traceroute. Handy in labs; be careful in production, as it is noisy.
6. Port ranges and top ports
nmap --top-ports 100 192.168.1.0/24
nmap -p 1-65535 192.168.1.50
--top-ports N scans the N most commonly used ports; -p specifies explicit ports or ranges (1-65535 covers every TCP port).
7. Safe discovery scripts
nmap -sV --script=default,safe 192.168.1.50
--script runs scripts by name or category. Use the safe or discovery categories for low-risk enumeration; the vuln category may not be permitted.
8. Timing and performance
nmap -T4 192.168.1.0/24
-T0 (very slow, stealthiest) to -T5 (very fast). Higher values speed up the scan at the cost of more noise and a greater chance of triggering an IDS.
9. Write to files (to report)
nmap -sV -oA myscan 192.168.1.0/24
Produces myscan.nmap (normal), myscan.xml (XML) and myscan.gnmap (grepable).
5) Interpreting common findings
When Nmap lists ports, you will see states such as:
open - a service is listening and reachable.
closed - reachable, but no service is listening on that port.
filtered - Nmap cannot determine the state (packet filtered/dropped by a firewall/ACL).
unfiltered - the port is reachable but Nmap cannot tell whether it is open or closed.
open|filtered - ambiguous (typical of UDP).
Service banners (-sV) help with prioritization: an SSH or HTTP server with known CVEs should be at the top of the patch list.
6) Sample practical workflows
A. Inventory scan (weekly)
sudo nmap -sS --top-ports 200 -T4 -oA inventory_$(date +%F) 192.168.1.0/24
Run with --top-ports and save the outputs for drift analysis (compare each week's open ports against the previous week's).
B. Deep scan of a vital server (with permission)
sudo nmap -A -p 1-65535 -oA server_full 203.0.113.10
Full sweep to collect OS, services and script findings - only on explicit authorization.
C. Quick version check
nmap -sV --script=banner 192.168.1.50
Get software details by using banner and version probes.
7) Post-scan activities (the security lifecycle)
Confirm results - do not act on a single scan. Re-test, or verify with another tool (e.g., service-specific checks).
Triage and prioritize - rank findings by impact (exposed administration ports, outdated services, weak ciphers).
Remediate - patch, turn off services you do not need, set up firewalls, implement strong authentication.
Record and track - open tickets, log mitigation steps, and retain scan reports for compliance.
Continuous monitoring - schedule scans and use IDS/EDR for continuous detection.
8) Safety, ethics and legal checklist
Never scan a network without the written permission of the network owner.
Rate-limit scans of production systems and use conservative timing to prevent service disruption.
Intrusive NSE scripts (e.g., the vuln and exploit categories) should not be used unless authorized.
Do not try to bypass authentication or exploit vulnerabilities unless it is part of an authorized penetration test.
Keep scanning tools and signatures up to date at all times.
9) Handy tips and integrations (brief)
Combine Nmap discovery with NSE script categories (discovery, auth, safe).
Export XML (-oX) and feed it to other tools (vulnerability trackers, asset managers).
Find all live hosts in as little as a second with masscan, then scan the discovered IPs with Nmap. Use masscan only with permission - it generates a lot of packets.
Include Nmap scans in the CI/CD pipelines and identify exposed services prior to deployment.
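The weekly inventory scan in section 6A and the XML export above both need the same thing: a parser for Nmap's XML report that compares two scans and flags drift. This is an added example, not code from the guide or the Nmap project; the two "reports" are constructed sample data in Nmap's XML shape (nmaprun/host/ports/port), not real scan output.

```python
"""Drift check between two Nmap XML (-oX / -oA) inventory reports (added example)."""
import xml.etree.ElementTree as ET


def open_ports(nmap_xml: str) -> dict:
    """Map (ip, protocol, port) -> service name for every open port on every host that is up."""
    found = {}
    for host in ET.fromstring(nmap_xml).iter("host"):
        status = host.find("status")
        addr = host.find("address[@addrtype='ipv4']")
        if status is None or status.get("state") != "up" or addr is None:
            continue  # skip hosts that were down or have no IPv4 address
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed / filtered / open|filtered are not treated as inventory changes
            svc = port.find("service")
            name = svc.get("name", "unknown") if svc is not None else "unknown"
            found[(addr.get("addr"), port.get("protocol"), int(port.get("portid")))] = name
    return found


def drift(previous_xml: str, current_xml: str) -> dict:
    """Ports newly open since the last scan (triage these) and ports that went away."""
    prev, cur = open_ports(previous_xml), open_ports(current_xml)
    return {"new_open": sorted(k + (cur[k],) for k in cur.keys() - prev.keys()),
            "closed": sorted(k + (prev[k],) for k in prev.keys() - cur.keys())}


def _report(hosts: dict) -> str:
    """Build a minimal Nmap-shaped XML document (constructed sample data, not real scan output)."""
    body = ""
    for ip, ports in hosts.items():
        body += f'<host><status state="up"/><address addr="{ip}" addrtype="ipv4"/><ports>'
        for proto, num, state, svc in ports:
            body += f'<port protocol="{proto}" portid="{num}"><state state="{state}"/><service name="{svc}"/></port>'
        body += "</ports></host>"
    return f'<nmaprun scanner="nmap">{body}</nmaprun>'


# Constructed sample scans: RDP appears on .50 and HTTPS on .51 becomes filtered this week.
LAST_WEEK = _report({"192.168.1.50": [("tcp", 22, "open", "ssh"), ("tcp", 80, "open", "http")],
                     "192.168.1.51": [("tcp", 443, "open", "https")]})
THIS_WEEK = _report({"192.168.1.50": [("tcp", 22, "open", "ssh"), ("tcp", 80, "open", "http"),
                                      ("tcp", 3389, "open", "ms-wbt-server")],
                     "192.168.1.51": [("tcp", 443, "filtered", "https")]})

if __name__ == "__main__":
    print(drift(LAST_WEEK, THIS_WEEK))
```

For real reports, read the two .xml files produced by -oA into strings and pass them to drift(); a non-empty new_open list is the finding to triage.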
10) Quick cheat sheet (commands)
nmap -sn 192.168.1.0/24 - ping sweep (find live hosts).
sudo nmap -sS -p 1-1000 192.168.1.50 - SYN scan of ports 1-1000.
nmap -sV -p 80,443 192.168.1.50 - service/version detection on web ports.
sudo nmap -sU -p 53 192.168.1.50 - UDP scan of DNS.
sudo nmap -A 192.168.1.50 - aggressive discovery (noisy; root needed for OS detection).
nmap -oA report 192.168.1.0/24 - save output in all formats.