Nmap Network Scanning: A Beginner's Guide to Reconnaissance

Every penetration test and security assessment begins with the same question: what is on this network? Before you can test a system for vulnerabilities, you need to know it exists. Before you can exploit a service, you need to know it is running. Before you can assess an organization's security posture, you need to map its attack surface. This is the role of reconnaissance, and Nmap (Network Mapper) is the tool that has defined it for over two decades.

Nmap is a free, open-source network scanner that discovers hosts, identifies open ports, determines running services, detects operating systems, and can even probe for specific vulnerabilities using its scripting engine. It is used by penetration testers, system administrators, security researchers, and network engineers worldwide. Whether you are scanning a single server or mapping an enterprise network with thousands of hosts, Nmap is almost certainly the right tool for the job.

This guide covers everything you need to get started: installation, fundamental scan types, service and OS detection, the Nmap Scripting Engine, output formats, scanning strategies, and the legal and ethical considerations that must guide every scan you run.

Important disclaimer: Scanning networks and systems you do not own or have explicit written authorization to test is illegal in most jurisdictions. Every scan technique described in this guide should only be used against systems you own, systems you have written permission to test, or purpose-built practice environments like HackTheBox, TryHackMe, or Scanme.nmap.org (a server maintained by the Nmap project specifically for testing).

Installing Nmap

Nmap runs on Linux, Windows, and macOS. The installation process is straightforward on all platforms.

On Kali Linux and most Debian-based distributions, Nmap is pre-installed. If it is missing, install it with:

sudo apt update && sudo apt install nmap

On other Linux distributions (Fedora, CentOS, Arch), use the appropriate package manager:

sudo dnf install nmap        # Fedora/CentOS
sudo pacman -S nmap           # Arch Linux

On macOS, the easiest method is Homebrew:

brew install nmap

On Windows, download the official installer from nmap.org. The Windows installer includes Zenmap, a graphical front-end that some beginners find more approachable, though learning the command line is strongly recommended for serious use. The installer also includes Npcap, the packet capture driver that Nmap requires on Windows.

To verify your installation, run:

nmap --version

You should see the version number and a list of compiled features. With Nmap installed, you are ready to start scanning.

Basic Scans: Your First Commands

The simplest way to use Nmap is to scan a single target for open ports. Let us start with the fundamentals.

Scanning a single host:

nmap 192.168.1.1

This performs a default scan against the target, checking the 1,000 most common TCP ports. For each port, Nmap reports whether it is open, closed, or filtered (blocked by a firewall). This default scan is a SYN scan if you run Nmap with root or administrator privileges, or a TCP connect scan if you run it as a regular user.

Scanning multiple hosts:

nmap 192.168.1.1 192.168.1.2 192.168.1.3
nmap 192.168.1.1-50
nmap 192.168.1.0/24

You can specify individual IPs separated by spaces, a range of IPs, or an entire subnet in CIDR notation. Scanning a /24 subnet checks all 256 addresses, which is common for mapping a local network.

Scanning specific ports:

nmap -p 80,443,8080 192.168.1.1
nmap -p 1-1000 192.168.1.1
nmap -p- 192.168.1.1

The -p flag lets you specify exactly which ports to scan. A comma-separated list checks specific ports, a range checks a contiguous set, and -p- scans all 65,535 TCP ports. A full port scan takes significantly longer but ensures you do not miss services running on non-standard ports -- which is where some of the most interesting findings hide.

Ping scan (host discovery only):

nmap -sn 192.168.1.0/24

The -sn flag tells Nmap to skip port scanning and only determine which hosts are alive. This is useful for getting a quick inventory of a network before committing to deeper scans. On a local network, Nmap uses ARP requests for host discovery, which is fast and reliable. On remote networks, it uses a combination of ICMP echo, TCP SYN to port 443, TCP ACK to port 80, and ICMP timestamp requests.

SYN Scan vs. TCP Connect: Understanding Scan Types

Nmap supports numerous scan types, but two are foundational: the SYN scan and the TCP connect scan. Understanding the difference between them is important for both practical and conceptual reasons.

SYN scan (-sS):

sudo nmap -sS 192.168.1.1

The SYN scan, also called a "half-open" scan, is Nmap's default when running with root privileges. For each port, Nmap sends a SYN packet (the first step of the TCP three-way handshake). If the port is open, the target responds with a SYN-ACK. Nmap then sends a RST (reset) to tear down the connection before it completes. If the port is closed, the target responds with a RST.

The advantage of the SYN scan is speed and stealth. Because the TCP handshake is never completed, the connection is never fully established, which means it may not be logged by some applications (though modern intrusion detection systems will absolutely detect it). SYN scans are the workhorse of network scanning.

TCP connect scan (-sT):

nmap -sT 192.168.1.1

The TCP connect scan completes the full three-way handshake for every port it checks. It is the default when Nmap runs without root privileges because creating raw packets (required for SYN scans) requires elevated permissions. TCP connect scans are slower and more visible than SYN scans because fully established connections are logged by the target system. However, they are more reliable in some environments where firewalls interfere with half-open connections.

Other notable scan types:

• UDP scan (-sU): Scans UDP ports instead of TCP. UDP scanning is significantly slower because the protocol is connectionless, and Nmap must wait for responses (or lack thereof) to determine port status. Combine with TCP scans using nmap -sS -sU for comprehensive coverage.
• ACK scan (-sA): Does not determine whether ports are open but reveals which ports are filtered by a firewall. Useful for mapping firewall rules.
• FIN, Xmas, and Null scans (-sF, -sX, -sN): These scans send unusual flag combinations that may bypass certain firewalls. They are less reliable than SYN scans but can be useful in specific situations.

Service Detection With -sV

Knowing that port 80 is open is useful. Knowing that it is running Apache 2.4.51 is far more useful. Service version detection tells you exactly what software is running on each open port, including the version number.

nmap -sV 192.168.1.1

When you add -sV, Nmap probes each open port with a series of requests designed to elicit responses that identify the running service. It compares these responses against a database of thousands of known service signatures. The output changes from a generic label like "http" to specific information like "Apache httpd 2.4.51 ((Ubuntu))."

This is where version detection becomes critical for security testing: once you know the exact software and version, you can search for known vulnerabilities (CVEs) affecting that version. A service running an outdated version of OpenSSH, an unpatched version of Apache, or an end-of-life version of PHP immediately becomes a high-priority target for further investigation.

Controlling detection intensity:

nmap -sV --version-intensity 5 192.168.1.1

The --version-intensity flag controls how many probes Nmap sends, on a scale from 0 (light, fast) to 9 (thorough, slow). The default is 7. Lower values are faster but may miss some services; higher values are slower but more accurate. For a quick initial scan, try --version-light (intensity 2). For maximum accuracy, use --version-all (intensity 9).

OS Detection With -O

Operating system detection analyzes subtle differences in how different operating systems implement the TCP/IP stack to fingerprint the target's OS.

sudo nmap -O 192.168.1.1

OS detection requires root privileges because it sends specially crafted packets and analyzes low-level response characteristics -- things like initial TTL values, TCP window sizes, and the order of TCP options. Nmap compares these characteristics against its database of known OS fingerprints and reports its best guess, often with a confidence percentage.

A typical output might read: "Running: Linux 4.X|5.X, OS details: Linux 4.15 - 5.8." The information is not always precise, but it narrows the field significantly and helps you tailor your subsequent testing to the target platform.

Combine service and OS detection for maximum information:

sudo nmap -sV -O 192.168.1.1

Or use the aggressive scan shorthand, which enables OS detection, version detection, script scanning, and traceroute:

sudo nmap -A 192.168.1.1

The -A flag is convenient but noisy and slow. It is best used against individual targets rather than large subnets.

The Nmap Scripting Engine (NSE)

The Nmap Scripting Engine is what elevates Nmap from a port scanner to a comprehensive security assessment tool. NSE scripts are written in Lua and extend Nmap's capabilities to include vulnerability detection, brute-force attacks, service enumeration, and much more.

Nmap ships with over 600 scripts, organized into categories:

• auth: Tests for authentication issues, including default credentials.
• brute: Performs brute-force password attacks against services.
• discovery: Gathers additional information about targets.
• exploit: Attempts to exploit known vulnerabilities.
• vuln: Checks for specific known vulnerabilities.
• safe: Scripts that are unlikely to cause disruption to the target.

Running default scripts:

nmap -sC 192.168.1.1

The -sC flag runs the default set of scripts, which are considered safe and useful for general enumeration. These scripts perform tasks like retrieving HTTP page titles, checking for anonymous FTP access, enumerating SMB shares, and fetching SSL certificate information.

Running specific scripts:

nmap --script=http-enum 192.168.1.1
nmap --script=smb-vuln-ms17-010 192.168.1.1
nmap --script=vuln 192.168.1.1

The first command runs a single script that enumerates common directories and files on a web server. The second checks for the EternalBlue vulnerability (MS17-010). The third runs all scripts in the "vuln" category, checking for a wide range of known vulnerabilities.

Running scripts with arguments:

nmap --script=http-brute --script-args http-brute.path=/admin 192.168.1.1

Some scripts accept arguments that customize their behavior. This command runs an HTTP brute-force attack against the /admin path on the target.

NSE scripts are one of the most powerful and underutilized features of Nmap. Spending time reading the documentation for available scripts and experimenting with them in a lab environment will dramatically increase your capabilities.

Output Formats: Saving and Sharing Results

In professional engagements, you need to save scan results for documentation, reporting, and further analysis. Nmap supports several output formats, and you can generate multiple formats simultaneously.

Normal output (-oN):

nmap -sV -oN results.txt 192.168.1.0/24

Saves human-readable output, identical to what appears on screen.

XML output (-oX):

nmap -sV -oX results.xml 192.168.1.0/24

Saves results in XML format, which is ideal for parsing with scripts or importing into other tools. Many reporting frameworks and vulnerability management platforms can ingest Nmap XML.

Grepable output (-oG):

nmap -sV -oG results.gnmap 192.168.1.0/24

Saves results in a format designed for easy processing with grep and other command-line text tools. Each host's results appear on a single line, making it easy to extract specific information with simple commands.

All formats at once (-oA):

nmap -sV -oA scan_results 192.168.1.0/24

This generates three files: scan_results.nmap (normal), scan_results.xml (XML), and scan_results.gnmap (grepable). Using -oA is a best practice because it preserves results in the format most suited to any downstream need.

Practical tip: Always save your scan results. If a scan takes thirty minutes to run, you do not want to have to repeat it because you forgot to save the output. Make -oA a habit.

Scanning Strategies for Real-World Assessments

Effective network scanning is not just about knowing the flags -- it is about applying them in a logical sequence that balances speed, thoroughness, and stealth.

Phase 1: Host discovery. Start by identifying which hosts are alive on the network. A ping scan covers a large address space quickly.

sudo nmap -sn 10.0.0.0/16 -oA discovery

Phase 2: Quick port scan. Against discovered hosts, run a fast scan of common ports to identify services of interest.

sudo nmap -sS -T4 --top-ports 1000 -iL live_hosts.txt -oA quick_scan

The -T4 flag increases the scan speed (timing templates range from T0, paranoid, to T5, insane). The --top-ports 1000 flag scans the 1,000 most common ports. The -iL flag reads targets from a file.

Phase 3: Comprehensive scan. Against hosts with interesting services, run a full port scan with version detection.

sudo nmap -sS -sV -p- -T3 192.168.1.50 -oA full_scan

This scans all 65,535 ports with version detection. The -T3 timing (normal) balances speed and accuracy.

Phase 4: Targeted script scans. Based on the services discovered, run relevant NSE scripts for deeper enumeration and vulnerability detection.

sudo nmap -sV --script=vuln -p 80,443,445,3306 192.168.1.50 -oA vuln_scan

This phased approach is more efficient than running a single comprehensive scan against every host. It allows you to direct your deepest scanning toward the most promising targets, saving time and reducing unnecessary network noise.

Additional useful flags:

• --reason: Shows why Nmap classified each port as open, closed, or filtered. Useful for understanding firewall behavior.
• -v or -vv: Increases verbosity, showing results as they are found rather than waiting until the scan completes.
• --open: Shows only open ports in the output, reducing clutter.
• -Pn: Skips host discovery and treats all targets as online. Useful when ICMP is blocked but you know the host exists.
• --min-rate: Sets a minimum packet transmission rate. --min-rate 1000 sends at least 1,000 packets per second, speeding up large scans significantly.

Legal and Ethical Considerations

Nmap is a legitimate network administration and security tool, but scanning systems without authorization is illegal in most countries. The laws governing unauthorized scanning include the Computer Fraud and Abuse Act (CFAA) in the United States, the Computer Misuse Act in the United Kingdom, and similar statutes worldwide.

Rules to follow without exception:

• Only scan systems you own or have written authorization to test. A verbal agreement is not sufficient. Get a signed scope document that specifies which IP addresses and networks you are authorized to scan, what scan types are permitted, and during what time windows.
• Practice on legal targets. The Nmap project maintains scanme.nmap.org specifically for testing Nmap. HackTheBox, TryHackMe, and VulnHub provide purpose-built vulnerable machines for practice. Your own home lab, using virtual machines on an isolated network, is an excellent and risk-free environment.
• Be aware of the impact. Aggressive scanning can cause service disruptions, particularly on older or resource-constrained systems. UDP scans and certain NSE scripts can be especially disruptive. Coordinate with the system owner and start with lighter scans before increasing intensity.
• Understand your network. Even scanning your own local network can generate alerts with your internet service provider if the traffic traverses their infrastructure. Keep scanning activity within your own environment.
• Document your authorization. Keep copies of all scope documents and engagement letters. If there is ever a question about whether your scanning activity was authorized, documentation is your defense.

Network scanning is a fundamental and necessary skill for security professionals. Used responsibly and with proper authorization, Nmap is an indispensable tool. Used irresponsibly, it can lead to criminal charges, civil liability, and career-ending consequences. The difference is always authorization.

Next Steps

Once you are comfortable with the fundamentals covered in this guide, explore these areas to deepen your Nmap skills:

• Write custom NSE scripts to automate checks specific to your environment or engagement.
• Integrate Nmap with other tools -- pipe XML output into tools like Searchsploit to automatically find exploits for discovered services, or import results into Metasploit's database.
• Learn to interpret results critically. A port reported as "filtered" does not mean it is closed -- it means a firewall is blocking your probe. A service version reported by Nmap is a best guess, not a guarantee. Develop the habit of verifying Nmap's findings with manual testing.
• Study packet-level behavior. Run Wireshark alongside Nmap to see exactly what packets are being sent and received during different scan types. This deepens your understanding of both tools and of the protocols themselves.

Nmap is a tool you will use throughout your entire career in security. The time you invest in mastering it pays dividends on every engagement.

To learn more, read our free Ethical Hacking textbook -- covering penetration testing from beginner to advanced.