nmap Port Scanning Explained
nmap is the standard tool for port scanning and network discovery. Ethical pentesters, network admins, and IT auditors use it daily. The same tool can be used by attackers — which is why the ethics matter. Only scan networks you own or have explicit written permission to test.
The legitimate uses
- Network inventory — what hosts are on this subnet?
- Audit your own attack surface — what ports do I expose to the internet?
- Verify firewall rules — is port 22 actually closed from outside?
- Find unauthorized services — what’s running on that random IP?
- Pre-deployment checks — confirm production servers don’t expose dev ports
The basic scan
nmap example.com
nmap 192.168.1.0/24
nmap 192.168.1.1-10
Default behavior: a TCP SYN scan of the 1000 most common ports (when run as root; a TCP connect scan otherwise). Each port is reported as open, closed, or filtered.
Read the output
Nmap scan report for example.com (192.168.1.50)
Host is up (0.012s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
443/tcp open  https
Three states matter:
- open — service is accepting connections
- closed — host is up but nothing is listening on that port
- filtered — a firewall is silently dropping the probes (no response at all)
Useful scan types
# Default TCP SYN scan (stealthy, fast — needs root)
sudo nmap -sS target
# TCP connect scan (full handshake — works without root, more visible)
nmap -sT target
# UDP scan (slow and less reliable, but finds DNS, NTP, SNMP, etc.)
sudo nmap -sU -p 53,123,161 target
# Both TCP and UDP
sudo nmap -sS -sU -p T:80,443,U:53,123 target
# Skip ping (use when host blocks ICMP but you know it's up)
nmap -Pn target
# Ping scan only (find live hosts, don't scan ports)
nmap -sn 192.168.1.0/24
Service and version detection
# Detect service versions on open ports
nmap -sV target
# 22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.4 (Ubuntu Linux; protocol 2.0)
# 80/tcp open http nginx 1.18.0 (Ubuntu)
# OS detection (often combined with version)
sudo nmap -O target
sudo nmap -A target # aggressive: OS + version + scripts + traceroute
Port specification
nmap -p 80 target # single port
nmap -p 80,443,22 target # multiple
nmap -p 1-1000 target # range
nmap -p- target # all 65535 ports (slow)
nmap -p T:80,U:53 target # different protocols
nmap --top-ports 100 target # top 100 most common
Timing and stealth
# 6 timing templates: 0 paranoid → 5 insane
nmap -T4 target # recommended for fast scans on reliable networks (the default is -T3)
nmap -T0 target # extremely slow, less detectable
# Slow scan with delays
nmap --scan-delay 5s target
NSE (Nmap Scripting Engine)
nmap ships with hundreds of scripts for detection, vulnerability checks, and information gathering.
# Run default safe scripts
nmap -sC target
# Specific script category
nmap --script vuln target # vulnerability checks
nmap --script discovery target
nmap --script auth target
# Specific script
nmap --script http-title target
nmap --script ssl-enum-ciphers -p 443 target
nmap --script smb-os-discovery -p 445 target
Output formats
nmap -oN scan.txt target # human-readable
nmap -oX scan.xml target # XML (parse with scripts)
nmap -oG scan.gnmap target # grep-friendly
nmap -oA scan target # all three formats
Scan a network sensibly
# Discovery sweep first
nmap -sn 192.168.1.0/24
# Then targeted scans on live hosts
nmap -sV -A 192.168.1.10
nmap -sV --top-ports 100 -T4 192.168.1.0/24
# Find specific services
nmap -p 22 --open 192.168.1.0/24 # show only hosts with SSH open
masscan — when nmap is too slow
For scanning huge address ranges (millions of IPs), masscan is much faster but less feature-rich.
masscan 0.0.0.0/0 -p80 --rate 10000 # the entire internet, port 80
# Use only when you know what you're doing — bandwidth and ethics
Defending against scans
- Firewall — close ports you don’t need; rate-limit connection attempts
- fail2ban — automatically ban IPs that scan or rack up many failed auth attempts
- IDS — Suricata can detect scan signatures and alert
- Port knocking — keep a service hidden until a client sends a specific sequence of connection attempts to closed ports (advanced)
Ethics — important
Port scanning is legally ambiguous in some jurisdictions and can violate Terms of Service even where legal. Only scan:
- Networks you OWN
- Networks you have WRITTEN permission to test
- Bug bounty targets explicitly in scope
- Your own cloud infrastructure
Do NOT:
- Scan random websites or IPs
- Scan your employer’s network without explicit IT approval
- Scan public infrastructure (banks, government, ISPs)
- Use scans as part of any unauthorized access attempt
What to learn next
netcat — the Swiss Army knife of network testing: port testing, file transfers, banner grabbing, ad-hoc servers. Up next.