Mastering Nmap for Reconnaissance
Reconnaissance

Master advanced techniques and methodologies in reconnaissance

Jan 6, 2025
10 min read
AlphaSploit Team
Nmap (Network Mapper) is the industry standard for network discovery and security auditing. Used by penetration testers worldwide, Nmap can discover hosts, services, operating systems, and vulnerabilities across networks of any size.

Basic Scanning Techniques

Host Discovery

Host discovery is the first step in any network reconnaissance. Before scanning ports, you need to identify which hosts are alive on the network.

# Ping scan - discover live hosts
nmap -sn 192.168.1.0/24

# Skip ping - scan even if host appears down
nmap -Pn target.com

# TCP SYN ping
nmap -PS22,80,443 192.168.1.0/24

# List scan - just list targets without scanning
nmap -sL 192.168.1.0/24

The -sn flag performs a ping scan without port scanning, which is faster for host discovery. The -Pn flag treats all hosts as online, useful when ICMP is blocked.

Port Scanning

Port scanning reveals which services are running on target systems. Different scan types have varying levels of stealth and accuracy.

# Scan most common 1000 ports
nmap target.com

# Scan all 65535 ports
nmap -p- target.com

# Scan specific ports
nmap -p 22,80,443,3306 target.com

# Scan port range
nmap -p 1-100 target.com

# Fast scan - top 100 ports
nmap -F target.com

# TCP SYN scan (stealth scan)
nmap -sS target.com

# TCP connect scan
nmap -sT target.com

# UDP scan
nmap -sU target.com

TCP SYN scans (-sS) are the default when Nmap runs with raw-packet (root) privileges and are the most popular choice. They're relatively fast and stealthy since they never complete the TCP handshake. UDP scans (-sU) are slower but essential for discovering DNS, SNMP, and DHCP services.

Advanced Enumeration

Service and Version Detection

Once you've identified open ports, determining the exact services and versions running is crucial for vulnerability assessment.

# Detect service versions
nmap -sV target.com

# Aggressive version detection
nmap -sV --version-intensity 5 target.com

# Light version detection (faster)
nmap -sV --version-intensity 0 target.com

# Version detection with default scripts
nmap -sV -sC target.com

# Comprehensive scan
nmap -sV -sC -O -p- target.com

The version intensity ranges from 0 (light) to 9 (try all probes). Level 5 is aggressive and comprehensive, while level 0 is faster but less accurate.

Operating System Detection

OS fingerprinting helps identify the target's operating system and version, which is essential for selecting appropriate exploits.

# OS detection
nmap -O target.com

# Aggressive OS detection
nmap -O --osscan-guess target.com

# OS detection with version scanning
nmap -A target.com

# Limit OS detection to promising targets
nmap -O --osscan-limit 192.168.1.0/24

The -A flag enables OS detection, version detection, script scanning, and traceroute - a comprehensive but noisy scan. Use --osscan-limit to skip hosts that don't have at least one open and one closed TCP port.

NSE Scripts

The Nmap Scripting Engine (NSE) provides hundreds of scripts for vulnerability detection, exploitation, and advanced enumeration.

Vulnerability Scanning

# Run default scripts
nmap -sC target.com

# Run all vuln scripts
nmap --script vuln target.com

# Run specific script
nmap --script http-sql-injection target.com

# Run script category
nmap --script "auth" target.com

# Multiple categories
nmap --script "default or safe" target.com

# Script with arguments
nmap --script http-wordpress-enum --script-args check-latest=true target.com

NSE scripts are organized into categories: auth, broadcast, brute, default, discovery, dos, exploit, external, fuzzer, intrusive, malware, safe, version, and vuln.

Useful NSE Scripts

Web Enumeration Scripts:
  • http-enum - Enumerates directories and files
  • http-headers - Shows HTTP headers
  • http-methods - Lists supported HTTP methods
  • http-robots.txt - Checks robots.txt
  • http-title - Displays page titles

SMB Enumeration Scripts:
  • smb-os-discovery - Detects OS, computer name, domain
  • smb-enum-shares - Lists SMB shares
  • smb-enum-users - Enumerates domain users
  • smb-vuln-ms17-010 - Checks for EternalBlue

Database Scripts:
  • mysql-info - Gathers MySQL information
  • mysql-databases - Lists databases
  • mysql-enum - Enumerates users and databases
  • mongodb-info - MongoDB information

Authentication Scripts:
  • ssh-brute - SSH brute force
  • ftp-brute - FTP brute force
  • http-brute - HTTP brute force
  • smtp-brute - SMTP brute force

Example: Comprehensive Web Server Scan

nmap -sV -p 80,443 \
  --script "http-* and not http-brute and not http-slowloris*" \
  target.com

Output includes:
- HTTP methods
- Server headers
- Directory enumeration
- Detected technologies
- Security headers
- SSL/TLS information

This scan runs all HTTP scripts except brute force and DoS scripts, providing comprehensive web server enumeration without aggressive testing.

Output and Reporting

Proper documentation is essential for penetration testing. Nmap supports multiple output formats.

# Normal output
nmap -oN scan.txt target.com

# XML output (for tools)
nmap -oX scan.xml target.com

# Grepable output
nmap -oG scan.gnmap target.com

# All formats
nmap -oA scan target.com

# Verbose output
nmap -v target.com

# Very verbose
nmap -vv target.com

XML format (-oX) is ideal for importing into tools like Metasploit or custom parsers. Grepable format (-oG) is useful for command-line parsing with grep, awk, or sed.
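As an added example (not part of the original post), the following POSIX shell script does the command-line parsing of grepable output described above, then compares a saved baseline scan with a later one and reports host/port pairs that have newly opened, which is the comparison that saving every scan with -oA makes possible. The two .gnmap files it reads are constructed samples written by the script itself, not real scan output.

```shell
# Added example (not from the original post): parse Nmap grepable (-oG) output and
# report ports that opened between a baseline scan and a later one.
# Print "host port/proto service" for each open port in a .gnmap file. Fields are
# tab-separated; Ports entries look like port/state/proto/owner/service/rpc/version/
gnmap_open_ports() {
    awk -F'\t' '
        /^#/ { next }                              # Nmap banner/footer lines
        {
            host = ""; ports = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^Host: /)  { split($i, h, " "); host = h[2] }
                if ($i ~ /^Ports: /) { ports = substr($i, 8) }
            }
            if (host == "" || ports == "") next    # e.g. "Status: Up" lines
            n = split(ports, p, ", ")
            for (j = 1; j <= n; j++) {
                split(p[j], f, "/")
                if (f[2] == "open") print host, f[1] "/" f[3], f[5]
            }
        }' "$1"
}
# Print open host+port pairs present in the current scan but not in the baseline.
gnmap_new_ports() {
    tmp=$(mktemp -d)
    gnmap_open_ports "$1" > "$tmp/base"
    gnmap_open_ports "$2" > "$tmp/cur"
    awk -v base="$tmp/base" 'FILENAME == base { seen[$1 " " $2] = 1; next } !(($1 " " $2) in seen)' "$tmp/base" "$tmp/cur"
    rm -rf "$tmp"
}
# Constructed .gnmap samples (not real scan output), written into directory $1.
write_samples() {
    {
        printf '# Nmap scan initiated (constructed sample)\n'
        printf 'Host: 192.168.1.10 ()\tStatus: Up\n'
        printf 'Host: 192.168.1.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/open/tcp//http//nginx/\tIgnored State: closed (998)\n'
        printf 'Host: 192.168.1.20 ()\tPorts: 445/open/tcp//microsoft-ds///, 3389/filtered/tcp//ms-wbt-server///\tIgnored State: closed (998)\n'
    } > "$1/base.gnmap"
    {
        printf 'Host: 192.168.1.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/open/tcp//http//nginx/, 3306/open/tcp//mysql//MySQL 8.0/\tIgnored State: closed (997)\n'
        printf 'Host: 192.168.1.20 ()\tPorts: 445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server///\tIgnored State: closed (998)\n'
    } > "$1/current.gnmap"
}
# Newly exposed services (3306/tcp and 3389/tcp here) are the drift a defender wants flagged.
demo() {
    dir=$(mktemp -d)
    write_samples "$dir"
    gnmap_new_ports "$dir/base.gnmap" "$dir/current.gnmap"
    rm -rf "$dir"
}
demo
```

Filtered and closed states are deliberately dropped, so a port that merely stops being filtered shows up only once it actually answers.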

Timing and Performance

Scan timing affects both speed and detectability. Choose based on your network conditions and stealth requirements.

# Timing templates (0-5)
#   T0 - Paranoid (IDS evasion)
#   T1 - Sneaky (IDS evasion)
#   T2 - Polite (less bandwidth)
#   T3 - Normal (default)
#   T4 - Aggressive (fast, assumes fast network)
#   T5 - Insane (very fast, may miss ports)
nmap -T4 target.com

# Custom timing
nmap --min-rate 1000 target.com
nmap --max-retries 2 target.com

# Parallel scanning
nmap --min-parallelism 100 target.com

T4 is recommended for most penetration tests on modern networks. T0 and T1 are extremely slow but may evade IDS/IPS detection. --min-rate ensures a minimum number of packets per second.

Evasion Techniques

When facing firewalls, IDS, or IPS, evasion techniques can help your scans succeed.

# Fragment packets
nmap -f target.com

# Decoy scans
nmap -D RND:10 target.com

# Spoof source address
nmap -S spoofed_ip target.com

# Randomize hosts
nmap --randomize-hosts 192.168.1.0/24

# Add random data
nmap --data-length 25 target.com

# Use proxy
nmap --proxies http://proxy:8080 target.com

Fragmentation (-f) splits packets to evade packet filters. Decoy scans (-D) make it appear as if multiple hosts are scanning, making it harder to identify the real source.

Practical Scan Examples

Quick Network Survey

nmap -sn -T4 192.168.1.0/24 -oA network-survey

Quickly identifies all live hosts on the network without port scanning.

Full TCP Port Scan

nmap -sS -p- -T4 -v target.com -oA full-tcp-scan

Scans all 65535 TCP ports with a SYN stealth scan at aggressive timing.

Comprehensive Enumeration

nmap -sS -sV -sC -O -p- -T4 target.com -oA comprehensive

Complete enumeration including ports, services, versions, OS, and default scripts.

Vulnerability Assessment

nmap -sV --script vuln -p- target.com -oA vuln-scan

Runs all vulnerability detection scripts against all ports.

Best Practices

Always Get Permission: Only scan networks you own or have explicit authorization to test. Unauthorized scanning is illegal and unethical.

Start Slow: Begin with non-intrusive scans before moving to aggressive techniques. This helps avoid detection and system crashes.

Save Everything: Always save scan results for documentation and comparison. Use -oA to save all formats simultaneously.

Understand Your Scans: Know what each flag does and its impact on the target. Some scans can cause service disruptions or trigger alerts.

Be Mindful of IDS/IPS: Adjust timing and techniques based on target environment. Corporate networks often have robust monitoring.

Verify Results: False positives and false negatives occur. Manually verify critical findings before reporting.

Conclusion

Nmap is an indispensable tool for network reconnaissance and security assessment. Mastering its capabilities - from basic port scanning to advanced NSE scripting - is essential for any penetration tester. Practice in your own lab environment to build proficiency before using these techniques in authorized engagements.

Remember: With great power comes great responsibility. Use Nmap ethically and legally.