Nmap Complete Guide — Network Scanning from Beginner to Advanced

Nmap (Network Mapper) is the most widely used network scanning and reconnaissance tool in cybersecurity. This guide takes you from basic scanning to advanced techniques used by professional penetration testers.

Installing Nmap

# Kali Linux (pre-installed)
nmap --version

# Ubuntu/Debian
sudo apt install nmap

# Windows
# Download installer from https://nmap.org/download.html

# macOS
brew install nmap

Basic Scanning

Scan a single host

nmap 192.168.1.1

Scan a range of hosts

# Scan entire subnet
nmap 192.168.1.0/24

# Scan range
nmap 192.168.1.1-50

Scan specific ports

# Single port
nmap -p 80 192.168.1.1

# Multiple ports
nmap -p 80,443,8080 192.168.1.1

# Port range
nmap -p 1-1000 192.168.1.1

# All 65535 ports
nmap -p- 192.168.1.1

Scan Types

# TCP SYN ("half-open") scan: the default when run as root, fast, never completes the handshake
sudo nmap -sS 192.168.1.1

# TCP connect scan: the default without root; completes the handshake, so slower and more
# likely to be logged by the target application
nmap -sT 192.168.1.1

# UDP scan: slow (open|filtered ports send no reply) but important, since DNS, SNMP, NTP, TFTP
# and similar services live on UDP
sudo nmap -sU 192.168.1.1

# Host discovery only (no port scan)
nmap -sn 192.168.1.0/24

Service and Version Detection

# Detect service versions
nmap -sV 192.168.1.1

# Maximum-intensity version detection (sends every probe, slower, more accurate)
nmap -sV --version-intensity 9 192.168.1.1

# OS detection (requires root)
sudo nmap -O 192.168.1.1

# -A combines OS detection, version detection, the default scripts and traceroute
sudo nmap -A 192.168.1.1

Output Formats

# Normal output to file
nmap -oN scan.txt 192.168.1.1

# XML output (machine-readable; importable into Metasploit with db_import and into most other tools)
nmap -oX scan.xml 192.168.1.1

# All three formats at once (writes scan_results.nmap, scan_results.xml, scan_results.gnmap)
nmap -oA scan_results 192.168.1.1

# Grepable output
nmap -oG scan.gnmap 192.168.1.1

NSE Scripts (Nmap Scripting Engine)

# Run the default script set (-sC is the same as --script=default)
nmap -sC 192.168.1.1

# Run a specific script
nmap --script http-title 192.168.1.1

# Run every script in the vuln category (many are intrusive; expect noise and some false positives)
nmap --script vuln 192.168.1.1

# SMB vulnerability checks (quote the glob so the shell does not expand it against local files)
nmap --script "smb-vuln*" -p 445 192.168.1.1

# HTTP enumeration
nmap --script http-enum -p 80,443 192.168.1.1

# List the installed scripts whose name contains "vuln" (Debian/Kali path; use --script-help to read what a script does)
ls /usr/share/nmap/scripts/ | grep -i vuln

Stealth and Evasion Techniques

# Slow scan to stay under rate-based IDS thresholds (a -p- scan at this speed takes hours)
nmap -T1 192.168.1.1

# Fragment probe packets (only raw-socket scans such as -sS and -sU; -sT and version detection are unaffected)
sudo nmap -f 192.168.1.1

# Decoy scan: mix ten random source addresses in with your own (your real IP is still among the sources)
sudo nmap -D RND:10 192.168.1.1

# Spoof the source IP: replies go to 10.0.0.1, not to you, so you must sniff them elsewhere;
# usually needs -e <iface> and -Pn as well
sudo nmap -S 10.0.0.1 192.168.1.1

# Randomize host order
nmap --randomize-hosts 192.168.1.0/24

Timing Templates

  • T0 (Paranoid) — Very slow, maximum stealth
  • T1 (Sneaky) — Slow, good for IDS evasion
  • T2 (Polite) — Slower than default, less bandwidth
  • T3 (Normal) — Default timing
  • T4 (Aggressive) — Fast, assumes good network
  • T5 (Insane) — Very fast, may miss results

Real-World Pentesting Commands

# Quick recon of a target (equivalent to -A without traceroute, at -T4 speed)
sudo nmap -sS -sV -O -T4 --script=default TARGET_IP

# Full port scan with service detection
sudo nmap -p- -sV -T4 TARGET_IP

# Web server enumeration
nmap -p 80,443,8080,8443 --script=http-headers,http-title,http-methods TARGET_IP

# Find all live hosts on network
sudo nmap -sn 192.168.1.0/24 | grep "Nmap scan report"
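Putting the Output Formats and Real-World sections together, the following script is an added example, not part of the original post: it parses grepable (-oG) output into a list of open ports and chains the commands above into one staged workflow (host discovery, full TCP port sweep, then -sV/-sC only against the ports actually found open, which is far less noisy than version-scanning all 65535 ports). The .gnmap sample embedded in it is constructed, not a real scan, and the output file names and the staged_scan function are this example's own choices.

```sh
#!/bin/sh
# Added example (not from the original post): turn Nmap's grepable (-oG) output
# into a port list and chain the "real-world" commands into one staged workflow:
# host discovery -> full TCP port sweep -> -sV/-sC only against the ports found open.
set -eu

# Constructed sample of a .gnmap file (not a real scan). Fields are tab-separated;
# each Ports entry is port/state/proto/owner/service/rpcinfo/version.
sample_gnmap() {
  printf 'Host: 192.168.1.10 ()\tStatus: Up\n'
  printf 'Host: 192.168.1.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 139/filtered/tcp//netbios-ssn///\tIgnored State: closed (65532)\n'
  printf 'Host: 192.168.1.20 ()\tStatus: Up\n'
  printf 'Host: 192.168.1.20 ()\tPorts: 443/open/tcp//https///, 8080/open/tcp//http-proxy///\tIgnored State: closed (65533)\n'
}

# Read .gnmap on stdin, print "host port proto service" for every port in state "open".
open_ports() {
  awk -F'\t' '
    /^Host:/ {
      host = $1; sub(/^Host: /, "", host); sub(/ .*/, "", host)   # drop " (hostname)"
      for (i = 2; i <= NF; i++) {
        if ($i ~ /^Ports: /) {
          ports = $i; sub(/^Ports: /, "", ports)
          n = split(ports, entry, ", ")
          for (j = 1; j <= n; j++) {
            split(entry[j], f, "/")
            if (f[2] == "open") print host, f[1], f[3], f[5]
          }
        }
      }
    }'
}

# Comma-joined open TCP ports for one host ($1), ready to pass to nmap -p. Reads .gnmap on stdin.
port_list() {
  open_ports | awk -v h="$1" '$1 == h && $3 == "tcp" { p = p (p ? "," : "") $2 } END { print p }'
}

# Staged scan of a network ($1). Runs real nmap, so it needs root and a target you are
# authorised to scan; output files are prefixed with a timestamp (names are this example's choice).
staged_scan() {
  net="$1"; out="scan_$(date +%Y%m%d_%H%M%S)"
  sudo nmap -sn -oG "$out.hosts.gnmap" "$net" >/dev/null
  awk '/Status: Up/ { print $2 }' "$out.hosts.gnmap" > "$out.live.txt"
  sudo nmap -sS -p- -T4 -iL "$out.live.txt" -oA "$out.full" >/dev/null
  while read -r host; do
    ports=$(port_list "$host" < "$out.full.gnmap")
    [ -n "$ports" ] || continue
    sudo nmap -sV -sC -p "$ports" -oA "$out.$host" "$host"
  done < "$out.live.txt"
}

# With a target argument run the live workflow; without one, demonstrate the parser on the sample.
if [ -n "${1:-}" ]; then staged_scan "$1"; else sample_gnmap | open_ports; fi
```

Run it with no arguments to see the parser print the four open ports from the sample; run it as `sh staged.sh 192.168.1.0/24` to execute the real workflow. Because every stage writes -oA output, the .xml files can still be imported into Metasploit afterwards, and the .gnmap files can be re-parsed with open_ports at any time.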

Important Note

Only scan networks and systems you own or have explicit written permission to test. Unauthorized scanning is illegal in most jurisdictions. Use these techniques for ethical hacking, CTFs, and authorized penetration tests only.
