NMAP Network Scanning — Host Discovery, Port Scanning, and Security Auditing
A practical guide to using NMAP for network discovery, port scanning, service detection, and security auditing — from basic scans to advanced scripting.
What is NMAP?
NMAP (Network Mapper) is the most widely used open-source tool for network discovery and security auditing. It can discover hosts on a network, identify open ports, detect services and their versions, and even find vulnerabilities using its scripting engine.
When to Use NMAP
- Network inventory — Discover all devices on your network
- Security auditing — Find open ports and exposed services
- Vulnerability assessment — Identify potential security weaknesses
- Compliance — Verify firewall rules and access controls
- Troubleshooting — Check if services are reachable
Important: Only scan networks you own or have explicit authorization to test.
Installation
# Linux
sudo apt install nmap # Debian/Ubuntu
sudo yum install nmap # CentOS/RHEL
# Windows: Download from nmap.org (includes Zenmap GUI)
# Verify
nmap --version
Host Discovery
Before port scanning, discover which hosts are alive on a network:
Ping Scan
# Discover live hosts (no port scan)
nmap -sn 192.168.1.0/24
# Output:
# Nmap scan report for 192.168.1.1
# Host is up (0.0012s latency).
# Nmap scan report for 192.168.1.50
# Host is up (0.0034s latency).
# ...
# Nmap done: 256 IP addresses (12 hosts up)
Discovery Methods
# Raw probes need root; an unprivileged Nmap falls back to TCP connect probes to ports 80 and 443
# ARP discovery (fastest; only works on the local Ethernet segment, where Nmap already uses it by default)
sudo nmap -sn -PR 192.168.1.0/24
# ICMP echo (ping); often dropped by host firewalls, so do not rely on it alone
sudo nmap -sn -PE 192.168.1.0/24
# TCP SYN to port 443 (a SYN/ACK or a RST both prove the host is up)
sudo nmap -sn -PS443 10.0.0.0/24
# UDP probe to port 53
sudo nmap -sn -PU53 10.0.0.0/24
# Multiple methods combined: a host counts as up if any one probe gets an answer
sudo nmap -sn -PE -PS22,80,443 -PU53 10.0.0.0/24
Scan a List of Targets
# From a file
nmap -sn -iL targets.txt
# Multiple ranges
nmap -sn 192.168.1.0/24 10.0.0.0/24
# Exclude hosts
nmap -sn 192.168.1.0/24 --exclude 192.168.1.1
Port Scanning
Common Scan Types
# TCP SYN scan (the default when run as root: half-open, the handshake is never completed, so the service never sees a connection to log)
sudo nmap -sS 192.168.1.50
# TCP Connect scan (the default without root; completes the handshake, so the service sees and may log the connection)
nmap -sT 192.168.1.50
# UDP scan (slow because closed ports answer with rate-limited ICMP errors, but DNS, SNMP and NTP live only on UDP)
sudo nmap -sU 192.168.1.50
# Combined TCP and UDP
sudo nmap -sS -sU 192.168.1.50
Port Selection
# Scan specific ports
nmap -p 22,80,443,1883,8080 192.168.1.50
# Scan a port range
nmap -p 1-1024 192.168.1.50
# Scan all 65535 TCP ports (the default is only the 1000 most common)
nmap -p- 192.168.1.50
# Top 100 most common ports
nmap --top-ports 100 192.168.1.50
# Scan specific UDP ports (raw UDP probes need root)
sudo nmap -sU -p 161,162,53 192.168.1.50
Understanding Port States
| State | Meaning |
|-------|---------|
| open | A service accepted the probe (SYN/ACK for TCP, an application reply for UDP) |
| closed | The port answered (TCP RST or ICMP port unreachable) but nothing is listening; the host itself is reachable |
| filtered | No answer, or an ICMP error other than port unreachable: a firewall or filter is most likely dropping the probe, and Nmap cannot tell whether a service sits behind it |
| unfiltered | The port is reachable but Nmap cannot tell whether it is open or closed; only the ACK scan (-sA) reports this state |
| open\|filtered | Nmap cannot distinguish open from filtered because the probe drew no response at all; normal for UDP and for the FIN, NULL and Xmas scans |
Service and Version Detection
# Detect service versions
nmap -sV 192.168.1.50
# Output:
# PORT STATE SERVICE VERSION
# 22/tcp open ssh OpenSSH 8.9p1 Ubuntu
# 80/tcp open http nginx 1.24.0
# 443/tcp open ssl/http nginx 1.24.0
# 1883/tcp open mqtt Mosquitto 2.0.18
# 3306/tcp open mysql MySQL 8.0.35
# Aggressive version detection: intensity runs 0-9 with a default of 7 (--version-all equals 9, --version-light equals 2)
nmap -sV --version-intensity 9 192.168.1.50
# OS detection (needs root for raw packets; most accurate with at least one open and one closed TCP port on the target)
sudo nmap -O 192.168.1.50
# Combined: -A enables -sV, -O, -sC and --traceroute
sudo nmap -A 192.168.1.50
NMAP Scripting Engine (NSE)
NSE extends NMAP with hundreds of scripts for vulnerability detection, brute force, discovery, and more.
Script Categories
| Category | Purpose |
|----------|---------|
| auth | Credential handling: anonymous logins, credential bypass (password guessing lives in brute) |
| broadcast | Discover hosts by broadcasting on the local network instead of probing the listed targets |
| brute | Brute force password guessing against services |
| default | The set run by -sC and -A; selected for speed and usefulness, but not every default script is non-intrusive |
| discovery | Additional host and service discovery (SNMP, SMB, directory services) |
| exploit | Active exploitation of a vulnerability (use with caution) |
| safe | Judged unlikely to crash services, consume excessive resources or exploit anything |
| vuln | Checks for specific known vulnerabilities; generally reports only when one is found |
Running Scripts
# Default scripts: the default category, the same set -A runs (useful, but not all are non-intrusive)
nmap -sC 192.168.1.50
# Specific script
nmap --script http-title 192.168.1.50
# Script category (pair with -sV so scripts run against the services Nmap actually identified)
nmap -sV --script vuln 192.168.1.50
# Multiple scripts chosen by a boolean expression (quoted so the shell does not expand the *)
nmap --script "http-* and not http-brute" 192.168.1.50
# Script with arguments (snmp-brute targets 161/udp, so the UDP port must be scanned for its port rule to match)
sudo nmap -sU -p 161 --script snmp-brute --script-args snmp-brute.communitiesdb=communities.txt 192.168.1.50
Useful NSE Scripts
# SNMP enumeration (UDP, so -sU is required or the scripts never run)
sudo nmap -sU -p 161 --script snmp-info,snmp-sysdescr 192.168.1.50
# HTTP enumeration
nmap -p 80,443 --script http-title,http-headers,http-methods 192.168.1.50
# SSL/TLS analysis (protocol versions, cipher suites, certificate details)
nmap -p 443 --script ssl-enum-ciphers,ssl-cert 192.168.1.50
# SMB vulnerability checks (quoted so the shell does not glob; some of these scripts are in the intrusive category and can crash an unpatched host)
nmap -p 445 --script "smb-vuln*" 192.168.1.50
# DNS zone transfer check
nmap -p 53 --script dns-zone-transfer --script-args dns-zone-transfer.domain=example.com 192.168.1.1
# MQTT broker check: connects to the broker, subscribes, and reports the messages it receives
nmap -p 1883 --script mqtt-subscribe 192.168.1.50
Output Formats
# Normal output to file
nmap -oN scan_results.txt 192.168.1.0/24
# XML output (for parsing)
nmap -oX scan_results.xml 192.168.1.0/24
# Grepable output (one line per host; handy for grep and awk)
nmap -oG scan_results.gnmap 192.168.1.0/24
# All three formats at once (writes scan_results.nmap, scan_results.xml and scan_results.gnmap)
nmap -oA scan_results 192.168.1.0/24
Practical Security Audit Scenarios
Scenario 1: Network Inventory Audit
# Step 1: Discover all live hosts
sudo nmap -sn 10.0.0.0/24 -oG hosts.gnmap
# Pull the addresses that answered out of the grepable file (live hosts are marked "Status: Up")
grep 'Status: Up' hosts.gnmap | awk '{print $2}' > live_hosts.txt
# Step 2: Port scan all discovered hosts
sudo nmap -sS -sV --top-ports 1000 -iL live_hosts.txt -oX inventory.xml
# Step 3: Parse results
# Use nmap-parse-output or import the XML into a spreadsheet
Scenario 2: Firewall Rule Verification
# Test specific ports that should be open/closed, scanning from outside the firewall
# -Pn skips host discovery, because a firewall that drops pings would otherwise hide the target entirely
sudo nmap -sS -p 22,80,443,3389,1433 -Pn firewall-external-ip
# Compare results against your firewall policy: open ports should match your documented rules;
# "filtered" means the rule dropped the probe, "closed" means it was let through to a host with nothing listening
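The steps above leave three things to the reader: turning the -oG file from step 1 into the -iL list for step 2, reading the -oX inventory from step 2, and diffing what a scan observed against the documented rules. The following is an added example (not code from the original page or from the Nmap project) that does all three in Python with only the standard library. The gnmap text, the XML document and the policies are constructed for the example, and the policy format (a map from (protocol, port) to "open" or "blocked") is an assumption of this script, not an Nmap feature.

```python
"""Turn Nmap output into data you can audit against a port policy.

All sample output and policies below are constructed for this example;
the policy format is this script's own convention, not an Nmap feature.
"""
import re
import xml.etree.ElementTree as ET

# Constructed stand-in for `sudo nmap -sn 10.0.0.0/29 -oG hosts.gnmap`
# (Nmap lists Down hosts in grepable output only when run with -v).
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated Mon Jan  1 10:00:00 2024 as: nmap -sn -oG hosts.gnmap 10.0.0.0/29
Host: 10.0.0.1 ()\tStatus: Up
Host: 10.0.0.2 ()\tStatus: Down
Host: 10.0.0.5 (db01.example.internal)\tStatus: Up
# Nmap done at Mon Jan  1 10:00:02 2024 -- 8 IP addresses (2 hosts up) scanned in 2.01 seconds
"""

# Constructed stand-in for `sudo nmap -sS -sV ... -oX inventory.xml`, reduced to
# the elements this parser reads (real files carry many more attributes).
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sV --top-ports 1000 -iL live_hosts.txt -oX inventory.xml">
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="10.0.0.1" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh" product="OpenSSH" version="8.9p1"/></port>
      <port protocol="tcp" portid="443"><state state="open" reason="syn-ack"/><service name="http" product="nginx" version="1.24.0" tunnel="ssl"/></port>
      <port protocol="tcp" portid="3389"><state state="filtered" reason="no-response"/><service name="ms-wbt-server"/></port>
    </ports>
  </host>
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="1433"><state state="closed" reason="reset"/><service name="ms-sql-s"/></port>
      <port protocol="tcp" portid="3306"><state state="open" reason="syn-ack"/><service name="mysql" product="MySQL" version="8.0.35"/></port>
    </ports>
  </host>
</nmaprun>
"""

# Constructed policies: what the firewall rules say should be reachable.
GATEWAY_POLICY = {("tcp", 22): "open", ("tcp", 443): "open", ("tcp", 3389): "blocked"}
DB_POLICY = {("tcp", 1433): "blocked"}  # nobody documented MySQL on 3306


def live_hosts_from_gnmap(text: str) -> list[str]:
    """Addresses marked 'Status: Up' in -oG output, one per line, ready for an -iL file."""
    pattern = re.compile(r"^Host:\s+(\S+)\s+\(.*?\)\s+Status:\s+Up\b")
    return [m.group(1) for m in map(pattern.match, text.splitlines()) if m]


def parse_nmap_xml(xml_text: str) -> dict:
    """Map each up host to {(proto, port): {"state", "service", "version"}}.

    Only attributes Nmap always writes are required (address/addr, port/protocol,
    port/portid, state/state); service fields stay empty when -sV was not used.
    """
    inventory = {}
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # down hosts only appear in the XML with -v; skip them either way
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            addr_el = host.find("address")
        ports = {}
        for port in host.iter("port"):
            svc = port.find("service")
            svc_attr = svc.attrib if svc is not None else {}
            version = " ".join(v for v in (svc_attr.get("product", ""), svc_attr.get("version", "")) if v)
            ports[(port.get("protocol"), int(port.get("portid")))] = {
                "state": port.find("state").get("state"),
                "service": svc_attr.get("name", ""),
                "version": version,
            }
        inventory[addr_el.get("addr")] = ports
    return inventory


def check_policy(ports: dict, policy: dict) -> list[str]:
    """Compare one host's observed port states with its documented rules.

    policy maps (proto, port) -> "open" or "blocked".  A blocked port seen open is a
    firewall gap; an expected-open port seen filtered or closed is an outage or a
    rule-ordering problem; an open port missing from the policy is undocumented.
    A blocked port reported as filtered or closed passes.
    """
    findings = []
    for key, expected in sorted(policy.items()):
        observed = ports.get(key, {}).get("state", "not-scanned")
        if expected == "open" and observed != "open":
            findings.append(f"{key[1]}/{key[0]} expected open but is {observed}")
        elif expected == "blocked" and observed == "open":
            findings.append(f"{key[1]}/{key[0]} expected blocked but is OPEN")
    for key, info in sorted(ports.items()):
        if key not in policy and info["state"] == "open":
            findings.append(f"{key[1]}/{key[0]} open but not in policy ({info['service']})")
    return findings


def audit_inventory(xml_text: str, policy_by_host: dict) -> dict:
    """check_policy for every host; a host with no policy gets an empty one, so all its open ports are flagged."""
    inventory = parse_nmap_xml(xml_text)
    return {addr: check_policy(ports, policy_by_host.get(addr, {})) for addr, ports in inventory.items()}


if __name__ == "__main__":
    print("live hosts:", live_hosts_from_gnmap(SAMPLE_GNMAP))
    for addr, findings in audit_inventory(SAMPLE_XML, {"10.0.0.1": GATEWAY_POLICY, "10.0.0.5": DB_POLICY}).items():
        print(addr, "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
```

Against real scans, feed `live_hosts_from_gnmap` the contents of hosts.gnmap and write the returned list one address per line to live_hosts.txt for step 2, then feed `audit_inventory` the inventory.xml from step 2 together with the policy for each firewall-facing host. The policy check deliberately treats both "filtered" and "closed" as acceptable for a blocked port, because a rule that drops the probe and a rule that passes it to a host with no listener are both compliant with "blocked"; only "open" is a gap.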
Scenario 3: IoT Device Security Check
# Scan the IoT network segment, TCP and UDP, limited to the ports that matter
# (UDP across a /24 is slow, and vuln scripts can hang or reboot fragile embedded devices: try one device before the whole segment)
sudo nmap -sS -sV -sU -p T:22,23,80,443,1883,8883,8080,U:161,162,5683 \
--script default,vuln 10.0.40.0/24
# Look for:
# - Default credentials (telnet on 23, HTTP admin panels)
# - Unencrypted MQTT (port 1883 is plaintext; 8883 is MQTT over TLS)
# - SNMP with default community strings (public/private)
# - Open management ports
Performance Tuning
# Fast scan: the 100 most common ports instead of the default 1000
nmap -F 192.168.1.0/24
# Timing templates (T0=paranoid to T5=insane); T4 is aggressive but reliable on a LAN, T5 trades accuracy for speed
nmap -T4 192.168.1.0/24
# Parallel probes
nmap --min-parallelism 100 192.168.1.0/24
# Reduce retries (faster, but a single dropped probe then gets reported as filtered)
nmap --max-retries 1 192.168.1.0/24
Conclusion
NMAP is an essential tool for network administrators and security professionals. From basic host discovery to advanced vulnerability scanning with NSE scripts, it provides deep visibility into your network's attack surface. Regular NMAP scans should be part of your security routine — you can't protect what you can't see.
Related: OpenVAS Vulnerability Assessment, Wireshark Packet Analysis, and Linux Server Hardening.