Nmap: Network Scanning Essentials
Overview
Nmap (Network Mapper) is the industry-standard open-source tool for network discovery and security auditing. Originally created by Gordon "Fyodor" Lyon and first released in 1997, it has evolved into the most widely used network scanning tool in the world, employed by penetration testers, system administrators, and security researchers.
Nmap uses raw IP packets to determine available hosts on a network, services running on those hosts, operating systems and versions, types of packet filters/firewalls in use, and dozens of other characteristics. It maps to MITRE ATT&CK T1046 (Network Service Discovery).
Installation
While Nmap comes pre-installed on most security-focused distributions, here are installation commands for major platforms:
# Debian / Ubuntu / Kali
$ sudo apt install nmap

# RHEL / CentOS / Fedora
$ sudo dnf install nmap

# macOS (via Homebrew)
$ brew install nmap

# Verify installation
$ nmap --version
Nmap version 7.94SVN ( https://nmap.org )
Basic Scanning Techniques
Nmap supports numerous scan types. Understanding when to use each is fundamental to effective reconnaissance.
Host Discovery
Before port scanning, Nmap performs host discovery to identify live hosts on the network:
# Ping sweep: discover live hosts without port scanning them
$ nmap -sn 192.168.1.0/24

# ARP discovery (same Ethernet segment only, requires root)
$ sudo nmap -sn -PR 10.0.0.0/24

# TCP SYN ping on specific ports (useful where ICMP is filtered)
$ nmap -sn -PS22,80,443 172.16.0.0/16
Port Scanning Fundamentals
# TCP SYN (half-open) scan: the default when run as root; fast, and the
# application never sees a completed connection, so it rarely logs one
$ sudo nmap -sS target.com

# TCP Connect scan: no root required, but completes the 3-way handshake,
# so the target application sees and may log every connection.
# This is also what Nmap falls back to when not run as root.
$ nmap -sT target.com

# UDP scan: slow, but essential for DNS, SNMP, DHCP and other UDP-only services
$ sudo nmap -sU --top-ports 100 target.com

# Scan all 65535 TCP ports
$ sudo nmap -p- target.com

# Scan specific ports
$ nmap -p 22,80,443,8080,3306 target.com
Advanced Techniques
Service and Version Detection
Version detection probes open ports to determine the application and version running on each service:
# Service/version detection with OS fingerprinting
$ sudo nmap -sV -O target.com

# Aggressive scan (enables OS detection, version detection, default scripts and traceroute)
$ sudo nmap -A target.com

PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 8.9p1 Ubuntu 3ubuntu0.4
80/tcp  open  http     Apache httpd 2.4.52
|_http-server-header: Apache/2.4.52 (Ubuntu)
443/tcp open  ssl/http nginx 1.24.0
|_ssl-date: TLS randomness does not represent time
OS: Linux 5.x (96%), Ubuntu (94%)
Firewall Evasion Techniques
- Fragmented packets: nmap -f target.com splits each probe's transport header across tiny IP fragments. Requires raw-socket privileges, and is ineffective against hosts or inline devices that reassemble fragments before inspection.
- Decoy scan: nmap -D RND:10 target.com interleaves your probes with probes spoofed from 10 random source addresses. Your real address is still on the wire, it is merely hidden in the noise, and upstream anti-spoofing filters may drop the decoy packets.
- Idle scan: nmap -sI zombie_host target.com bounces probes off a "zombie" host with a predictable, incrementing IP ID counter, so the target never sees your address. It needs such an idle host and is slow.
- Source port manipulation: nmap --source-port 53 target.com (or -g 53) sends probes from port 53 to slip past poorly written rules that trust DNS-looking traffic. Only raw-packet scans honor it; -sT and version detection use the OS socket stack and ignore it.
- Timing control: nmap -T0 target.com (paranoid) serializes probes and waits five minutes between them to stay under IDS rate thresholds; a scan of any real size at this speed takes days.
NSE Scripts
The Nmap Scripting Engine (NSE) extends Nmap with scripts written in Lua for vulnerability detection, service enumeration, and exploitation:
# Run the default script category (the same set -sC and -A use)
$ nmap -sC target.com

# Vulnerability scan (the vuln category includes intrusive scripts)
$ nmap --script vuln target.com

# SMB enumeration
$ nmap --script smb-enum-shares,smb-enum-users -p 445 target.com

# HTTP enumeration
$ nmap --script http-enum,http-title,http-headers -p 80,443 target.com

# Check for EternalBlue (MS17-010)
$ nmap --script smb-vuln-ms17-010 -p 445 target.com
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1
Scripts in the exploit and intrusive categories may crash services or trigger alerts. Only run them against systems you are authorized to test, and prefer the safe and default categories during initial reconnaissance (nmap --script-help <script> shows a script's categories before you run it).
Output Formats
Nmap supports multiple output formats for different use cases:
# Normal output to file
$ nmap -oN scan.txt target.com

# XML output (for parsing with tools)
$ nmap -oX scan.xml target.com

# Grepable output
$ nmap -oG scan.gnmap target.com

# All three formats simultaneously (writes full_scan.nmap, full_scan.xml and full_scan.gnmap)
$ nmap -oA full_scan target.com
Practical Examples
Full Pentest Recon Workflow
# Phase 1: Fast host discovery
$ nmap -sn -T4 10.10.10.0/24 -oG hosts.gnmap

# Pull the live addresses out of the grepable output for the later phases
$ grep "Status: Up" hosts.gnmap | awk '{print $2}' > live_hosts.txt

# Phase 2: Quick top-port scan on live hosts (SYN scan requires root)
$ sudo nmap -sS -T4 --top-ports 1000 -iL live_hosts.txt -oA quick_scan

# Phase 3: Deep scan on discovered services (-A already implies -sV, -sC, -O and --traceroute)
$ sudo nmap -A -p 22,80,443,445,3389 -iL live_hosts.txt -oA deep_scan

# Phase 4: Full port scan (run in the background; --min-rate trades accuracy for speed on lossy links)
$ sudo nmap -sS -p- -T4 --min-rate 1000 -iL live_hosts.txt -oA full_ports
Defense Considerations
Understanding Nmap from a defensive perspective helps security teams detect and respond to reconnaissance activity:
- IDS/IPS signatures: Tools like Snort and Suricata have built-in rules to detect Nmap scan patterns (SYN scans, version probes, OS fingerprinting)
- Firewall logging: Monitor for connection attempts to many ports from a single source in a short time window
- Network segmentation: Limit the blast radius of internal network scanning by segmenting VLANs and enforcing ACLs
- Port knocking: Hide administrative services such as SSH behind a knock sequence so they do not show up in a scan; this is obscurity layered on top of authentication and patching, not a replacement for them
- Rate limiting: Configure firewalls to rate-limit connection attempts from individual source IPs
- Honeypots: Deploy tools like HoneyD or OpenCanary to detect scanning activity with fake services
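The firewall-logging item above is a concrete detection rule: one source touching many distinct ports on a host inside a short window. As an added example (not code from the original article or from any IDS product), the script below runs that rule over constructed netfilter-style log lines (the SRC=, DST=, PROTO= and DPT= fields are the ones the iptables LOG target writes; the "FW-DROP" prefix, the addresses, the 60-second window and the 10-port threshold are assumptions to tune for your environment). The sample deliberately includes a slow, -T0-style prober that stays under the threshold, which is exactly the evasion the timing-control bullet earlier on this page describes.

```python
"""Flag port-scan behaviour in firewall logs: many distinct destination
ports from one source within a short time window.

Added example, not part of the original article or any IDS product.
The log lines are constructed in the iptables/netfilter LOG syslog style;
the log prefix, addresses, window and threshold are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample:
#  - 203.0.113.7 sweeps 12 ports in ten seconds (SYN-scan-like, pseudo-random order)
#  - 198.51.100.9 is an ordinary client retrying a single port
#  - 203.0.113.8 probes one port every five minutes (-T0 style) and stays under threshold
SAMPLE_LOG = """\
Nov 14 10:00:00 fw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.8 DST=10.10.10.5 PROTO=TCP SPT=51000 DPT=22 SYN
Nov 14 10:00:01 fw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.7 DST=10.10.10.5 PROTO=TCP SPT=40001 DPT=443 SYN
Nov 14 10:00:01 fw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.7 DST=10.10.10.5 PROTO=TCP SPT=40002 DPT=22 SYN
Nov 14 10:00:02 fw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.7 DST=10.10.10.5 PROTO=TCP SPT=40003 DPT=80 SYN
Nov 14 10:00:03 fw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.7 DST=10.10.10.5 PROTO=TCP SPT=40004 DPT=8080 SYN
Nov 14 10:00:04 fw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.7 DST=10.10.10.5 PROTO=TCP SPT=40005 DPT=3306 SYN
Nov 14 10:00:05 fw kernel: FW-DROP IN=eth0 OUT= SRC=198.51.100.9 DST=10.10.10.5 PROTO=TCP SPT=55001 DPT=443 SYN
Nov 14 10:00:05 fw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.7 DST=10.10.10.5 PROTO=TCP SPT=40006 DPT=21 SYN
Nov 14 10:00:06 fw kernel: FW-DROP IN=eth0 OUT= SRC=198.51.100.9 DST=10.10.10.5 PROTO=TCP SPT=55002 DPT=443 SYN
Nov 14 10:00:06 fw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.7 DST=10.10.10.5 PROTO=TCP SPT=40007 DPT=25 SYN
Nov 14 10:00:07 fw kernel: FW-DROP IN=eth0 OUT= SRC=198.51.100.9 DST=10.10.10.5 PROTO=TCP SPT=55003 DPT=443 SYN
Nov 14 10:00:07 fw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.7 DST=10.10.10.5 PROTO=TCP SPT=40008 DPT=3389 SYN
Nov 14 10:00:08 fw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.7 DST=10.10.10.5 PROTO=TCP SPT=40009 DPT=445 SYN
Nov 14 10:00:09 fw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.7 DST=10.10.10.5 PROTO=TCP SPT=40010 DPT=139 SYN
Nov 14 10:00:10 fw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.7 DST=10.10.10.5 PROTO=TCP SPT=40011 DPT=135 SYN
Nov 14 10:00:10 fw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.7 DST=10.10.10.5 PROTO=TCP SPT=40012 DPT=8443 SYN
Nov 14 10:05:00 fw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.8 DST=10.10.10.5 PROTO=TCP SPT=51001 DPT=80 SYN
Nov 14 10:10:00 fw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.8 DST=10.10.10.5 PROTO=TCP SPT=51002 DPT=443 SYN
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) .*?SRC=(?P<src>[\d.]+) "
    r".*?DST=(?P<dst>[\d.]+) .*?PROTO=(?P<proto>\w+) .*?DPT=(?P<dpt>\d+)"
)


def parse_events(log_text, year=2023):
    """Parse syslog-style netfilter lines into sorted (ts, src, dst, proto, dport) tuples.
    Syslog timestamps carry no year, so one is supplied (assumption)."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # unrelated kernel/syslog line
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["src"], m["dst"], m["proto"], int(m["dpt"])))
    return sorted(events)


def scan_scores(events, window_seconds=60):
    """Return {src: max distinct (dst, port) targets hit within any sliding window}."""
    recent = defaultdict(deque)   # src -> events still inside the window
    best = defaultdict(int)
    for ts, src, dst, _proto, dport in events:
        q = recent[src]
        q.append((ts, dst, dport))
        while (ts - q[0][0]).total_seconds() > window_seconds:
            q.popleft()           # age out probes older than the window
        best[src] = max(best[src], len({(d, p) for _, d, p in q}))
    return dict(best)


def port_scanners(events, window_seconds=60, port_threshold=10):
    """Sources whose distinct-target count in some window reached the threshold."""
    return {src: n for src, n in scan_scores(events, window_seconds).items()
            if n >= port_threshold}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("scores:", scan_scores(evs))
    print("scanners:", port_scanners(evs))
```

The slow prober never has more than one probe inside a 60-second window, so it is invisible to this rule; catching -T0 style scans needs a much longer window (hours) with a correspondingly low threshold, or correlation across multiple sensors, which is why the honeypot item above complements rate-based detection.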
"If you know the enemy and know yourself, you need not fear the result of a hundred battles." — Understanding how attackers use Nmap is essential for building effective defenses.