Network scanning is the starting point of nearly every penetration test, vulnerability assessment, and security audit. Before you can exploit anything, you need to understand what is running, where it is running, and how it is configured. Nmap, the Network Mapper, is the tool that makes that discovery possible with precision and depth that no other scanner matches.
This walkthrough covers Nmap from the ground up, moving through host discovery, port scanning, service enumeration, OS detection, NSE scripting, and evasion techniques. Every section includes real commands with practical flags, output interpretation, and the reasoning behind each approach. This is not a surface-level introduction. It is the kind of working knowledge that belongs in every practitioner's toolkit.
Nmap is a free, open-source network scanner originally written by Gordon Lyon (Fyodor) and first released in 1997. It has grown into one of the most comprehensive and widely used tools in the security industry, present on virtually every penetration tester's machine and referenced in countless security certifications, job descriptions, and real-world engagement reports.
What makes Nmap exceptional is its layered capability. At the most basic level, it tells you which hosts are alive and which ports are open. At a deeper level, it identifies services and their versions, detects the underlying operating system, runs scripted vulnerability checks, and can fingerprint firewall behavior. All of this is available through a single, well-documented CLI tool.
If you are beginning your penetration testing journey and want structured guidance on applying Nmap and other professional tools in real engagement scenarios, Redfox Cybersecurity Academy offers hands-on training that puts these skills in the context of full attack chains.
Nmap is pre-installed on Kali Linux and most security-focused distributions. On other systems, installation is straightforward.
# Debian, Ubuntu and Kali
sudo apt update && sudo apt install nmap -y
nmap --version
# Fedora and RHEL derivatives
sudo dnf install nmap -y
nmap --version
# Build the current release from source
wget https://nmap.org/dist/nmap-7.95.tar.bz2
tar -xvf nmap-7.95.tar.bz2
cd nmap-7.95
./configure
make
sudo make install
Building from source ensures you have the most recent NSE scripts, service fingerprints, and OS detection signatures, which matters during engagements where you are dealing with newer services or operating system versions.
Choosing the right scan type is not a minor detail. Different scan types produce different results, generate different levels of noise on the network, and interact differently with firewalls and intrusion detection systems. Understanding what each scan does at the packet level is foundational knowledge for any practitioner.
The SYN scan is the default when Nmap is run with root privileges. It sends a SYN packet and waits for a response. An open port responds with SYN/ACK. A closed port responds with RST. A filtered port produces no response or an ICMP unreachable message.
The SYN scan never completes the three-way handshake, which means it is faster than a full connect scan and less likely to be logged by application-layer logging on the target.
sudo nmap -sS 192.168.56.10
The connect scan completes the full TCP handshake. It does not require root privileges, which makes it useful when running Nmap as a standard user. It is slower and more likely to appear in application logs on the target.
nmap -sT 192.168.56.10
UDP scanning is slower and more complex than TCP scanning because UDP is connectionless. Nmap sends a UDP packet to each port. A closed port returns an ICMP port unreachable message. An open port may return a response or simply produce no reply, and because silence can mean either an open service or a filtering device, Nmap reports such ports as open|filtered.
sudo nmap -sU --top-ports 100 192.168.56.10
UDP scanning matters because critical services such as DNS (53), SNMP (161), NTP (123), and TFTP (69) run over UDP. Skipping UDP means missing potentially significant attack surface.
The NULL, FIN, and Xmas scans exploit a behavior defined in RFC 793: closed ports should respond to packets with unexpected flag combinations with RST, while open ports should drop them silently. This behavior does not apply to Windows systems, which makes these scans most useful against Unix and Linux targets.
# NULL scan: no flags set
sudo nmap -sN 192.168.56.10
# FIN scan: only FIN flag set
sudo nmap -sF 192.168.56.10
# Xmas scan: FIN, PSH, URG flags set
sudo nmap -sX 192.168.56.10
These scan types can bypass certain stateless packet filters that only block SYN packets, making them useful in environments where a standard SYN scan returns filtered results.
Scanning every port on a large network without first identifying live hosts is inefficient. Nmap's host discovery phase lets you quickly map which addresses are active before committing to deeper scans.
sudo nmap -sn 192.168.56.0/24
The -sn flag disables port scanning and performs host discovery only. Nmap sends ICMP echo requests, TCP SYN to port 443, TCP ACK to port 80, and ICMP timestamp requests by default when run as root.
When ICMP is blocked and targets appear dead in a ping sweep, skip host discovery entirely and scan directly:
sudo nmap -Pn 192.168.56.10
The -Pn flag tells Nmap to treat all targets as online and proceed directly to port scanning. This is essential when scanning through a firewall that drops ICMP packets.
On the local subnet, ARP scanning is the most reliable host discovery method because ARP requests cannot be filtered at the IP layer:
sudo nmap -sn --send-eth 192.168.56.0/24
Alternatively, arp-scan provides a fast ARP-based discovery with clean output:
sudo arp-scan --localnet
By default, Nmap scans the 1,000 most common ports. For thorough assessments, this default is often insufficient.
sudo nmap -sS -p- --min-rate 5000 192.168.56.10
The --min-rate flag sets a floor on packet transmission rate. A value of 5000 packets per second significantly accelerates full-port scans. Use this carefully in sensitive environments, as it generates noticeable traffic volume.
# Specific ports
sudo nmap -p 22,80,443,3306,8080,8443 192.168.56.10
# A range
sudo nmap -p 1-10000 192.168.56.10
# Top ports by frequency
sudo nmap --top-ports 500 192.168.56.10
During initial reconnaissance when speed matters more than depth:
sudo nmap -F -T4 192.168.56.0/24
The -F flag limits scanning to the top 100 ports. The -T4 timing template increases speed while remaining stable on most networks.
Knowing that port 80 is open tells you something. Knowing it is running Apache 2.4.49 tells you significantly more, including that it may be vulnerable to CVE-2021-41773, a path traversal and remote code execution vulnerability.
sudo nmap -sV 192.168.56.10
The -sV flag probes open ports and attempts to determine the service name, version, and in some cases the application name. Nmap uses a database of service fingerprints (nmap-service-probes) to match responses.
# Light probing, faster but less accurate
sudo nmap -sV --version-intensity 2 192.168.56.10
# Aggressive probing, slower but more thorough
sudo nmap -sV --version-intensity 9 192.168.56.10
Higher intensity values cause Nmap to send more probes per port, increasing the likelihood of identifying obscure or custom services at the cost of additional time and network traffic.
Operating system detection works by analyzing subtle differences in how network stacks implement the TCP/IP protocol. Nmap sends a series of crafted packets and compares the responses against a database of known OS fingerprints.
sudo nmap -O 192.168.56.10
For more aggressive OS detection that attempts to guess even when fingerprint confidence is low:
sudo nmap -O --osscan-guess 192.168.56.10
OS detection requires at least one open and one closed TCP port to function accurately. When both are present, Nmap typically achieves high confidence. When only open ports are visible (common behind firewalls), accuracy drops and Nmap will indicate this in its output.
Knowing the OS informs your attack path significantly. A Linux target running SSH and a web server leads you toward web exploitation and SSH key attacks. A Windows target opens paths involving SMB, WinRM, RDP, and Active Directory enumeration.
The Nmap Scripting Engine is where Nmap transitions from a scanner into a lightweight vulnerability assessment and enumeration platform. NSE scripts are written in Lua and organized into categories including auth, brute, discovery, exploit, safe, vuln, and others.
The script database on Kali Linux lives at /usr/share/nmap/scripts/. There are over 600 scripts available by default.
sudo nmap -sC 192.168.56.10
The -sC flag runs scripts in the default category, which covers safe enumeration tasks like grabbing HTTP titles, SSH host keys, FTP banners, and SMB information.
The -A flag enables OS detection, version detection, default scripts, and traceroute simultaneously:
sudo nmap -A -T4 192.168.56.10
This is the most common comprehensive scan used during initial host enumeration on an authorized engagement.
sudo nmap --script vuln 192.168.56.10
The vuln category includes scripts that check for specific known vulnerabilities including EternalBlue (MS17-010), Shellshock, Heartbleed, and others.
Running a specific script against a specific service gives focused, clean output:
# Check for MS17-010 (EternalBlue) on SMB
sudo nmap -p 445 --script smb-vuln-ms17-010 192.168.56.10
# HTTP enumeration and methods
sudo nmap -p 80,443 --script http-enum,http-methods 192.168.56.10
# FTP anonymous login check
sudo nmap -p 21 --script ftp-anon 192.168.56.10
# SNMP community string brute force
sudo nmap -sU -p 161 --script snmp-brute 192.168.56.10
Some scripts accept arguments that control their behavior:
# HTTP brute force with custom credentials
sudo nmap -p 80 --script http-brute \
--script-args http-brute.path=/admin,userdb=users.txt,passdb=passwords.txt \
192.168.56.10
If you want to build genuine fluency with NSE scripting and understand how to chain Nmap output into follow-on exploitation workflows, Redfox Cybersecurity Academy covers the full reconnaissance-to-exploitation pipeline in practical, lab-based training modules.
Output management is a professional habit. On real engagements, you need to produce evidence, feed results into other tools, and refer back to earlier scans. Nmap supports multiple output formats designed for these different use cases.
sudo nmap -sV -sC -p- -T4 \
-oA full_scan_$(date +%Y%m%d_%H%M) \
192.168.56.0/24
The -oA flag produces three files simultaneously: .nmap for human-readable output, .gnmap for grepable output, and .xml for tool ingestion.
The .gnmap format is designed for quick command-line filtering. Anchor the port number with a leading space (every entry in the Ports field follows either "Ports: " or ", "); an unanchored pattern such as 22/open also matches 2222/open and 122/open:
# Extract all hosts with port 22 open (substitute the timestamped file name that -oA produced)
grep " 22/open/" full_scan.gnmap | awk '{print $2}'
# Extract all hosts with SMB open
grep " 445/open/" full_scan.gnmap | cut -d' ' -f2
# Render the XML output as an HTML report using the nmap.xsl stylesheet the XML file references
xsltproc full_scan.xml -o full_scan.html
The resulting HTML file provides a formatted, shareable report of your scan results, useful for interim deliverables during longer engagements.
A scan that gets blocked, filtered, or immediately triggers an IDS alert has limited value. Nmap includes several techniques for reducing detection probability and bypassing basic packet filtering.
Splitting packets into smaller fragments can bypass some packet filters that inspect full packets but cannot reassemble fragments:
sudo nmap -f 192.168.56.10
Decoy scanning spoofs traffic from multiple source IPs, making it harder for a defender to identify the true origin of the scan:
sudo nmap -D RND:10 192.168.56.10
RND:10 generates ten random decoy addresses. The real scan traffic is mixed in with the spoofed traffic. Note that this technique is less effective against modern stateful firewalls and NDR systems, but remains relevant against simpler filtering mechanisms.
Some firewalls allow traffic from trusted source ports like 53 (DNS) or 80 (HTTP). Spoofing the source port can sometimes bypass these rules:
sudo nmap --source-port 53 192.168.56.10
Timing templates control how aggressively Nmap sends packets. Slower templates reduce the scan's network footprint and can evade IDS rules that trigger on high packet rates:
# T0 (paranoid): one packet every 5 minutes
sudo nmap -T0 192.168.56.10
# T1 (sneaky): one packet every 15 seconds
sudo nmap -T1 192.168.56.10
These timing modes are impractical for large ranges but appropriate when scanning a single high-value target where stealth is the priority.
By default, Nmap scans targets in sequential order. Randomizing the scan order makes the traffic pattern less recognizable to behavioral detection systems:
sudo nmap --randomize-hosts -iL targets.txt
Professional penetration testers do not run a single Nmap command and move on. They use a phased approach that balances speed, depth, and stealth according to the engagement scope.
# Phase 1: host discovery on the local segment, saving the results
sudo nmap -sn --send-eth 10.10.10.0/24 -oA phase1_discovery
# "Status: Up" rather than a bare "Up" avoids matching hostnames that contain the string
grep "Status: Up" phase1_discovery.gnmap | awk '{print $2}' > live_hosts.txt
# Phase 2: full TCP port sweep of the live hosts only
sudo nmap -sS -p- --min-rate 3000 \
-iL live_hosts.txt \
-oA phase2_fullports
# Phase 3: service and default-script enumeration, limited to the ports found open in phase 2
sudo nmap -sV -sC \
-p $(grep -oP '\d+/open' phase2_fullports.gnmap | \
cut -d'/' -f1 | sort -un | tr '\n' ',' | sed 's/,$//') \
-iL live_hosts.txt \
-oA phase3_services
# Phase 4: vulnerability scripts against the live hosts
sudo nmap --script vuln \
-iL live_hosts.txt \
-oA phase4_vulns
This phased approach is how structured reconnaissance is conducted on real engagements. Each phase informs the next, and the output files provide a documented evidence trail that feeds directly into your report.
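The glue between these phases is parsing Nmap's grepable output, which is also what the .gnmap one-liners in the output-management section rely on. The following POSIX shell script is an added example, not code from the original page, and it runs against a constructed .gnmap sample embedded inline rather than against a real scan. It shows the live-host extraction from phase 1, the comma-joined open-port list that phase 3 hands to -p, a per-host service inventory taken from the version field that -sV fills in, and, side by side with the anchored form, why the common substring match grep "22/open" over-matches (it also catches 2222/open). The sample addresses and version strings are made up for the demonstration.

```shell
#!/bin/sh
# Added example: helpers for working with Nmap grepable (.gnmap) output.
# The sample below is constructed to look like -oA output from a -sV scan;
# it is not real scan data. One host has port 2222 open rather than 22 so
# the substring-match problem is visible, and one port is filtered.
SAMPLE_GNMAP="$(mktemp)"
trap 'rm -f "$SAMPLE_GNMAP"' EXIT
cat > "$SAMPLE_GNMAP" <<'EOF'
# Nmap 7.95 scan initiated (constructed sample)
Host: 192.168.56.10 ()  Status: Up
Host: 192.168.56.10 ()  Ports: 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/open/tcp//http//Apache httpd 2.4.49/, 445/open/tcp//netbios-ssn//Samba smbd 4.6.2/  Ignored State: closed (65532)
Host: 192.168.56.11 ()  Status: Up
Host: 192.168.56.11 ()  Ports: 2222/open/tcp//ssh//OpenSSH 9.6/, 80/open/tcp//http//nginx 1.24.0/, 443/filtered/tcp//https///  Ignored State: closed (65532)
Host: 192.168.56.12 ()  Status: Down
EOF

# Phase 1 glue: addresses whose Status line says Up. Matching "Status: Up"
# rather than a bare "Up" avoids hits on hostnames that contain the string.
live_hosts() {
    grep 'Status: Up' "$1" | awk '{print $2}' | sort -u
}

# Hosts with a specific TCP port open. The leading space anchors the port
# number, so 22 does not match 2222 or 122: each entry in the Ports field
# is preceded either by "Ports: " or by ", ".
hosts_with_open_port() {
    port="$1"
    file="$2"
    grep " ${port}/open/" "$file" | awk '{print $2}' | sort -u
}

# The unanchored one-liner, kept only to show the over-match.
hosts_with_open_port_naive() {
    grep "${1}/open" "$2" | awk '{print $2}' | sort -u
}

# Phase 3 glue: every port seen open on any host, numerically sorted and
# joined with commas, ready to hand to nmap -p. Filtered ports are excluded.
open_port_list() {
    grep -o '[0-9]*/open/' "$1" | cut -d/ -f1 | sort -un | tr '\n' ',' | sed 's/,$//'
}

# Per-host inventory as CSV (host,port,proto,service,version). Each Ports
# entry is port/state/proto/owner/service/rpcinfo/version/, so splitting on
# "/" yields the fields; the version column is empty unless -sV was used.
service_inventory() {
    grep 'Ports: ' "$1" | while IFS= read -r line; do
        host=$(printf '%s\n' "$line" | awk '{print $2}')
        printf '%s\n' "$line" \
            | sed 's/.*Ports: //; s/[[:space:]]*Ignored State:.*//' \
            | tr ',' '\n' | sed 's/^ *//' \
            | awk -F/ -v h="$host" '$2 == "open" {print h "," $1 "," $3 "," $5 "," $7}'
    done
}

# Usage when run directly: build the phase 3 inputs and inventory from the sample.
live_hosts "$SAMPLE_GNMAP"
printf 'ports for -p: %s\n' "$(open_port_list "$SAMPLE_GNMAP")"
service_inventory "$SAMPLE_GNMAP"
```

On a real engagement, replace the sample file with the .gnmap that -oA wrote for each phase; the functions use only grep, awk, sed, cut, sort and tr, so they run unchanged on Kali and on most Unix-like systems, and the inventory CSV is a convenient starting point for the evidence trail that feeds the report.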
Students at Redfox Cybersecurity Academy practice this exact workflow against realistic lab environments, learning not just how to run the commands but how to interpret and act on the results.
Nmap is not a tool you learn once and set aside. It is a tool you develop a deeper relationship with over hundreds of hours of practice. The scan types, timing controls, NSE scripts, output formats, and evasion techniques covered in this walkthrough represent the practical working knowledge that separates an Nmap user from an Nmap practitioner.
To summarize the core principles: start host discovery before port scanning, choose your scan type deliberately based on environment and stealth requirements, always save output in multiple formats, use NSE scripts to extract maximum intelligence from open ports, and build a phased workflow that scales from quick triage to thorough enumeration.
Every technique covered here is applicable immediately in a properly configured home lab or an authorized engagement environment. None of it requires anything beyond Nmap itself and a solid understanding of what each flag actually does at the packet level.
When you are ready to apply these skills in structured, guided penetration testing scenarios with professional mentorship, Redfox Cybersecurity Academy is the next step.