Nmap scanning

The beginner’s guide to Nmap scanning


Nmap is probably one of the best-known scanning tools. It is a free and open-source network scanning tool created by Gordon Lyon, used to scan hosts for open ports and running services. In this post, you will get a solid understanding of the most useful scanning commands implemented by Nmap. Let’s dive in 🙂

Before we start, I have to mention that to follow along fully, you need some basics of networking, TCP/IP and the OSI model. I’m going to be using Kali Linux against a Metasploitable target virtual machine.


Obviously, before using Nmap, you have to install it first.


yum install nmap


apt-get install nmap


sudo apt-get install nmap


For Windows, you just need to go to the website, download it and install it like any other Windows software.

Basic commands


The most basic command is straightforward: just write nmap followed by the IP address you want to scan.

Ping scan


Using the command above means that we are running a ping scan to discover live hosts in that range. We do that to map the network.

nmap -Pn

This is exactly the opposite of the ping scan. Here, we scan the host without sending the ping packets. This is useful with hosts that do not allow ping scanning.

In the table below, we summarize the flags that we can use as packet requests.

-Pn    No host discovery
-PS    TCP SYN Request
-PA    TCP ACK Request
-PU    UDP Request
-PE    ICMP Echo Request
-PR    ARP Request
Host discovery flags

The -n flag skips DNS resolution. We use it as follows:

nmap -n 

TCP SYN scan

The SYN scan is the default scan for Nmap and the most used one. It can be performed quickly, scanning thousands of ports. The SYN scan is stealthy because it never completes a TCP connection. It also allows for a clear separation between the open, closed and filtered states.

nmap -sS 

TCP connect scan

As described on the official Nmap website, the TCP connect scan, selected with the -sT flag, is the default TCP scan when the SYN scan is not an option. It relies on the same connect call that web browsers and P2P clients use to open a connection.

nmap -sT 

TCP scan table

To sum up, the table below lists all the TCP scan types.

-sS    TCP SYN scan
-sT    TCP connect scan
-sN    TCP NULL scan
-sF    TCP FIN scan
-sX    TCP Xmas scan
-sA    TCP ACK scan
-sW    TCP window scan
-sM    TCP Maimon scan
TCP scan types

UDP scan

To scan for UDP-based ports and services, the command below is used:

nmap -sU 

Multiple scans

We can certainly use one command to scan for multiple protocols and options. For example, we can combine a UDP scan with a TCP SYN scan as follows:

nmap -sU -sS 

Scan for the 100 top known ports

nmap -F 

The -F flag is very quick and useful when it comes to scanning the most common ports.

Customised scan for some ports

We can use the -p flag to scan specific ports as follows:

nmap -p 80 

Or, more straightforwardly, by using the name of the service:

nmap -p http,https 

Full scan

nmap -p- 

The -p- flag scans every port.

Nmap timing templates

-T5    Insane speed
-T3    Normal speed

You have to be careful when choosing timing templates. Some of them take forever to finish. Other ones are just too quick to provide precise information.

Operating system detection

We can use Nmap to detect operating systems with the -O flag:

nmap -O 

Service version detection

Nmap can also detect service versions, if the services are not protected well enough, as follows:

nmap -sV 

Version detection is very important in terms of searching for vulnerabilities.

Shortcut scanning

The -A flag is a scanning shortcut that activates several popular options:

  • Remote OS detection
  • Service and version detection
  • Traceroute to the target
  • Nmap Scripting Engine (NSE) – allows customised

If we want to use it with a timing template, it would look like this, for example:

nmap -A -T4 

Output the scan

-oN    Human-readable text file
-oX    Machine-readable XML file
-oG    Grepable text file

Saving the output in the appropriate format is important, since it can then be used to automate scanning and be fed to other tools as well.
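As an added example (not code from the original post), the Python script below shows the kind of automation the -oX format allows: it parses the XML and reports open ports that are missing from an expected baseline. The sample XML, the 192.0.2.10 address and the EXPECTED baseline are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample of `nmap -sV -oX` output, trimmed (not a real scan).
SAMPLE_XML = """<nmaprun scanner="nmap">
  <host>
    <status state="up"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/>
        <service name="ssh" product="OpenSSH" version="4.7p1"/></port>
      <port protocol="tcp" portid="23"><state state="open"/>
        <service name="telnet"/></port>
      <port protocol="tcp" portid="80"><state state="filtered"/>
        <service name="http"/></port>
    </ports>
  </host>
</nmaprun>"""

# Hypothetical baseline: the ports each host is supposed to expose.
EXPECTED = {"192.0.2.10": {("tcp", 22)}}

def open_ports(xml_text):
    """Return {address: [(proto, port, service, version), ...]}, open ports only."""
    found = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue  # ignore closed and filtered ports
            svc = port.find("service")
            attrs = svc.attrib if svc is not None else {}
            version = " ".join(v for v in (attrs.get("product"), attrs.get("version")) if v)
            found.setdefault(addr, []).append(
                (port.get("protocol"), int(port.get("portid")), attrs.get("name", "unknown"), version))
    return found

def unexpected(found, expected):
    """Return the open ports that are missing from each host's baseline."""
    return {addr: [p for p in ports if (p[0], p[1]) not in expected.get(addr, set())]
            for addr, ports in found.items()}

if __name__ == "__main__":
    for addr, ports in unexpected(open_ports(SAMPLE_XML), EXPECTED).items():
        for proto, port, name, version in ports:
            print(f"{addr} {port}/{proto} {name} {version}: not in baseline")
```

On the sample data the script reports 23/tcp telnet as the only open port outside the baseline; the filtered port 80 is ignored.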

Verbose mode

Verbose mode is very important when a scan takes a while. It tells us what Nmap is doing and what percentage of the scan is complete. We can use it, for example, with the timing template -T2 as follows:

nmap -A -T2 -v 
