2/5/25, 3:28 PM Nmap: The Complete Guide From Beginner to Advanced

Nmap: The Complete Guide From Beginner

to Advanced
Nmap is a powerful network scanning tool that discovers hosts, services, and vulnerabilities. It
maps networks, detects OS versions, and etc.

Table of Contents
1. Introduction to Nmap
2. Installation and Basic Setup
3. Understanding Network Basics
4. Basic Scanning Techniques
5. Port Scanning Deep Dive
6. Host Discovery Methods
7. Service and Version Detection
8. Operating System Detection
9. Timing and Performance
10. Firewall and IDS Evasion
11. NSE Scripting
12. Output Formats and Reporting
13. Advanced Techniques
14. Real-World Scenarios
15. Best Practices and Ethics

Introduction to Nmap
https://blog.geekinstitute.org/2024/11/nmap-network-mapping-and-security-scanning.html 1/13
2/5/25, 3:28 PM Nmap: The Complete Guide From Beginner to Advanced

Nmap (Network Mapper) is a powerful open-source tool used for network discovery and
security auditing. It is widely used by network administrators, penetration testers, and
security professionals to assess network security, map out networks, detect vulnerabilities,
and explore services and devices running in a network.

Basic Concepts

Before diving into the scanning commands, let's define a few key terms:

Port: A network endpoint for communication services (e.g., HTTP uses port 80).
Service: The application or program running on a particular port.
State: Describes the current condition of a port, which could be open, closed, or
filtered.
Protocol: The set of rules governing communication (e.g., TCP, UDP).

Installation and Basic Setup

Installing Nmap

On Linux:

For Debian/Ubuntu:

sudo apt install nmap

For Red Hat/CentOS:

sudo yum install nmap

Verifying Installation:

To check if Nmap is installed correctly, run the following command:

https://blog.geekinstitute.org/2024/11/nmap-network-mapping-and-security-scanning.html 2/13
2/5/25, 3:28 PM Nmap: The Complete Guide From Beginner to Advanced

$ nmap --version
Nmap version 7.93 ( https://nmap.org )
Platform: x86_64-pc-linux-gnu

This should return the version of Nmap that is installed, confirming the installation.

Understanding Network Basics

Target Specification

Nmap supports several ways to specify targets:

Single IP: Scans a single device.

nmap 192.168.1.1

IP Range: Scans multiple devices in a given range.

nmap 192.168.1.1-10

CIDR Notation: Scans a subnet.

nmap 192.168.1.0/24

Hostname: Scans a domain or host by name.

nmap example.com

Multiple Targets: Scans several targets at once.

https://blog.geekinstitute.org/2024/11/nmap-network-mapping-and-security-scanning.html 3/13
2/5/25, 3:28 PM Nmap: The Complete Guide From Beginner to Advanced

nmap 192.168.1.1 192.168.1.2 example.com

Basic Scanning Techniques

1. Simple Scan

A simple Nmap scan will check the top 1000 most common ports on a target by default.

$ nmap 192.168.1.1
Starting Nmap 7.93
Nmap scan report for 192.168.1.1
Host is up (0.0023s latency).
Not shown: 997 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp open https

Output Breakdown:

Host is up: Indicates the target is online and responsive.

Not shown: 997 closed tcp ports (reset): 1000 ports were scanned, and 997 were
found closed.
PORT: The network port that was scanned.
STATE: The port's state, e.g., open, closed, filtered.
SERVICE: The application/service detected on that port.

2. Specific Port Scan

To scan specific ports, use the -p flag followed by a comma-separated list of ports or a
range.

$ nmap -p 80,443 192.168.1.1

Starting Nmap 7.93

https://blog.geekinstitute.org/2024/11/nmap-network-mapping-and-security-scanning.html 4/13
2/5/25, 3:28 PM Nmap: The Complete Guide From Beginner to Advanced
Nmap scan report for 192.168.1.1
PORT STATE SERVICE
80/tcp open http
443/tcp open https

Output Explanation:

Nmap only scanned ports 80 and 443.

Both ports were open, indicating that HTTP and HTTPS services are running.

Port Scanning Deep Dive

1. TCP SYN Scan (-sS)

The SYN scan is the most popular and stealthy scan type. It sends a SYN packet (part of the
TCP handshake) to each port and listens for responses.

$ sudo nmap -sS 192.168.1.1

Starting Nmap 7.93
Nmap scan report for 192.168.1.1
PORT STATE SERVICE
21/tcp filtered ftp
22/tcp open ssh
80/tcp open http
443/tcp open https
3306/tcp filtered mysql

Explanation:

SYN-ACK: Port 22, 80, and 443 are open (responded with a SYN-ACK).
RST: No response, so the port is filtered (e.g., port 21).
Filtered: Nmap can't determine whether the port is open or closed due to firewall
filtering.

2. TCP Connect Scan (-sT)

https://blog.geekinstitute.org/2024/11/nmap-network-mapping-and-security-scanning.html 5/13
2/5/25, 3:28 PM Nmap: The Complete Guide From Beginner to Advanced

A TCP Connect scan completes the handshake with the target port, unlike the SYN scan. This
is less stealthy but more accurate.

$ nmap -sT 192.168.1.1

Use Cases:

This method works without root privileges.

It’s a more straightforward and reliable scan type than SYN scanning.

3. UDP Scan (-sU)

Scans for open UDP ports. UDP doesn’t have the same handshake as TCP, so detecting open
ports is more challenging.

$ sudo nmap -sU 192.168.1.1

Starting Nmap 7.93
Nmap scan report for 192.168.1.1
PORT STATE SERVICE
53/udp open domain
161/udp open|filtered snmp

Explanation:

open: Received a response on port 53, indicating the DNS service is available.
open|filtered: No response from port 161, so it is either open or filtered.

Host Discovery Methods

1. Ping Scan

A ping scan is useful for determining which hosts are online without scanning ports.

https://blog.geekinstitute.org/2024/11/nmap-network-mapping-and-security-scanning.html 6/13
2/5/25, 3:28 PM Nmap: The Complete Guide From Beginner to Advanced

$ nmap -sn 192.168.1.0/24

Starting Nmap 7.93
Nmap scan report for 192.168.1.1
Host is up (0.0020s latency).
Nmap scan report for 192.168.1.5
Host is up (0.0031s latency).
Nmap done: 256 IP addresses (2 hosts up)

Explanation:

Nmap only performs a host discovery to see which devices are up on the network.
The result indicates that only two hosts are up.

2. ARP Scan

An ARP scan is used for local network host discovery. It uses ARP packets to identify devices.

$ sudo nmap -PR 192.168.1.0/24

3. No Ping Scan

If the target does not respond to ping requests, you can skip host discovery entirely with -
Pn .

$ nmap -Pn 192.168.1.1

Service and Version Detection

Basic Version Detection

To detect the services and their versions running on open ports, use -sV .

https://blog.geekinstitute.org/2024/11/nmap-network-mapping-and-security-scanning.html 7/13
2/5/25, 3:28 PM Nmap: The Complete Guide From Beginner to Advanced

$ nmap -sV 192.168.1.1

Starting Nmap 7.93
Nmap scan report for 192.168.1.1
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5
80/tcp open http nginx 1.18.0
443/tcp open ssl/http Apache/2.4.41 (Ubuntu)

Explanation:

SERVICE: Identifies the service running on the port (e.g., SSH, HTTP, HTTPS).
VERSION: Shows the version of the service (e.g., OpenSSH 8.2p1, nginx 1.18.0).

Aggressive Version Detection

For more intense scanning, including script scanning and OS detection, use the -A flag.

$ nmap -sV -A 192.168.1.1

Operating System Detection

Basic OS Detection

To identify the operating system on the target device, use the `

-O` option.

$ sudo nmap -O 192.168.1.1

Starting Nmap 7.93
Nmap scan report for 192.168.1.1
OS details: Linux 4.15 - 5.6
Device type: general purpose
Running: Linux 4.X|5.X

https://blog.geekinstitute.org/2024/11/nmap-network-mapping-and-security-scanning.html 8/13
2/5/25, 3:28 PM Nmap: The Complete Guide From Beginner to Advanced

Explanation:

Nmap attempts to determine the target's OS based on network responses.

It returns the detected OS version and the device type (general purpose, embedded,
etc.).

Aggressive OS Detection

You can use more aggressive OS detection with the --osscan-guess option to guess less
obvious OS types.

$ sudo nmap -O --osscan-guess 192.168.1.1

Timing and Performance

Timing Templates

Nmap provides several timing templates to adjust the scan's speed and stealthiness.

# Aggressive Mode (Fast Scan)

$ nmap -T4 192.168.1.1

# Paranoid Mode (Slow Scan)

$ nmap -T0 192.168.1.1

Explanation:

-T0 (Paranoid): Slowest scan to avoid detection, but increases scan time.
-T4 (Aggressive): Faster scan, suitable for most environments.

Firewall and IDS Evasion

1. Fragment Packets
https://blog.geekinstitute.org/2024/11/nmap-network-mapping-and-security-scanning.html 9/13
2/5/25, 3:28 PM Nmap: The Complete Guide From Beginner to Advanced

To avoid detection by firewalls or Intrusion Detection Systems (IDS), you can fragment
packets.

$ sudo nmap -f 192.168.1.1

2. Custom MTU

You can set a custom Maximum Transmission Unit (MTU) to evade detection.

$ sudo nmap --mtu 16 192.168.1.1

3. Decoy Scanning

This method uses decoy IP addresses to confuse detection systems.

$ sudo nmap -D RND:10 192.168.1.1

NSE Scripting

Default Scripts

Nmap supports script scanning using the Nmap Scripting Engine (NSE) to detect
vulnerabilities and other network services.

$ nmap -sC 192.168.1.1

Specific Scripts

To run specific scripts (e.g., vulnerability scanning), use the --script option.

https://blog.geekinstitute.org/2024/11/nmap-network-mapping-and-security-scanning.html 10/13
2/5/25, 3:28 PM Nmap: The Complete Guide From Beginner to Advanced

$ nmap --script=vuln 192.168.1.1

Output Formats and Reporting

Normal Output

You can save the results of your scan to a text file.

$ nmap -oN scan.txt 192.168.1.1

XML Output

For machine-readable output, save the results in XML format.

$ nmap -oX scan.xml 192.168.1.1

Advanced Techniques

1. Comprehensive Scan

A comprehensive scan combines service detection, OS detection, and script scanning.

$ sudo nmap -sS -sV -O -A -p- --script=vuln 192.168.1.1

2. Network Sweep with Version Detection

Scanning a range of IPs and detecting versions on top ports.

$ sudo nmap -sS -sV -T4 --top-ports 100 192.168.1.0/24

https://blog.geekinstitute.org/2024/11/nmap-network-mapping-and-security-scanning.html 11/13
2/5/25, 3:28 PM Nmap: The Complete Guide From Beginner to Advanced

Real-World Scenarios

1. Web Server Audit

Scan a web server for vulnerabilities and services running on HTTP/HTTPS ports.

$ sudo nmap -sS -sV -p80,443 --script=http-* 192.168.1.1

2. Network Inventory

Create a quick inventory of a network using ping and port scanning.

$ nmap -sn -PE -PS22,80,443 -PA21,23,80 -n --min-rate 1000 192.168.1.0/24

3. Vulnerability Assessment

Scan for vulnerabilities and exploits in a network.

$ sudo nmap -sS -sV -O --script=vuln,exploit -p- 192.168.1.1

Best Practices and Ethics

Common Scanning Strategies

Initial Reconnaissance: Start with ping scans to identify hosts and quick port scans.
Detailed Host Analysis: Use comprehensive scans to gather detailed service
information.
Stealth Assessment: Use slow, stealthy scans to avoid detection.

Performance Optimization Tips

https://blog.geekinstitute.org/2024/11/nmap-network-mapping-and-security-scanning.html 12/13
2/5/25, 3:28 PM Nmap: The Complete Guide From Beginner to Advanced

Parallel Host Scanning: Use options like --min-hostgroup and --max-hostgroup to

speed up scans.
Aggressive Timing: Use -T4 or -T5 for faster results when time is critical.

Remember, with great power comes great responsibility. Always ensure you have permission
before scanning networks or devices.

https://blog.geekinstitute.org/2024/11/nmap-network-mapping-and-security-scanning.html 13/13