Industry-standard open-source network scanner for port discovery, service enumeration, and OS fingerprinting.
# Nmap
Nmap (Network Mapper) is a free, open-source network scanning utility that has served as the foundational tool for network discovery and security auditing since Gordon Lyon released it in 1997. It exists because organizations cannot defend what they cannot see. Before tools like Nmap, administrators had no practical, automated method to inventory exposed services across a network or verify that firewall rules were behaving as intended. Nmap solves that problem by sending precisely crafted packets to target hosts and interpreting the responses to build an accurate map of open ports, running services, operating system versions, and network topology. It runs on Linux, Windows, macOS, and BSD, making it universally accessible to defenders and assessors regardless of environment.
---
Nmap is a command-line network reconnaissance tool that performs host discovery, port scanning, service enumeration, operating system fingerprinting, and scriptable interaction with target systems through its built-in scripting engine. It is not a vulnerability scanner in the traditional sense. Tools such as Nessus, OpenVAS, or Qualys are purpose-built vulnerability scanners that cross-reference discovered service versions against CVE databases and produce risk-rated reports. Nmap identifies what is present and what is reachable; it does not automatically assign CVSS scores or generate compliance reports.
Nmap is also not an intrusion detection system, a packet capture tool, or a firewall. It does not passively monitor traffic. It actively probes targets, which means its use requires authorization or it constitutes unauthorized computer access under laws such as the Computer Fraud and Abuse Act (CFAA) in the United States and analogous statutes internationally.
Several variants and companion projects extend Nmap's core functionality. Zenmap is the official graphical user interface for users who prefer visual output and topology graphs. Ncat (distributed with Nmap) is a modern reimplementation of Netcat that supports SSL connections and port redirection. Ndiff compares two Nmap scan results to surface changes between scans, making it useful for change detection workflows. Nping is a packet generation and analysis tool derived from Nmap's packet construction libraries.
Nmap is distinct from passive reconnaissance tools such as Shodan or Censys, which aggregate scan data collected externally. Nmap performs active, on-demand scanning from a point of presence the operator controls. This distinction matters operationally: Nmap results reflect the network state at the moment of the scan from a specific vantage point, such as inside a corporate LAN, from a DMZ, or from an external IP address.
---
Nmap's scanning process follows a logical sequence: host discovery, port scanning, service version detection, OS fingerprinting, and optional NSE script execution. Each phase builds on the previous one and each can be tuned or disabled independently.
## Host Discovery
Before scanning ports, Nmap determines which hosts on a given subnet or IP range are alive. By default, it sends an ICMP echo request, a TCP SYN to port 443, a TCP ACK to port 80, and an ICMP timestamp request. If any of these receive a response, the host is considered up. In environments that block ICMP, operators use the -Pn flag to skip host discovery and treat all targets as live, which is common when scanning hardened perimeters or cloud endpoints that drop pings.
## Port Scanning Techniques
Nmap supports more than a dozen scan types. The most common in professional use are:
- TCP SYN scan (-sS): The default scan when run with root privileges. Nmap sends a SYN packet and waits for a SYN-ACK (port open), RST (port closed), or no response (filtered). Because Nmap never completes the three-way handshake, this scan is faster and less likely to appear in application logs than a full connect scan. It is sometimes called a "half-open" scan for this reason.
- TCP connect scan (-sT): Used when the operator lacks raw socket privileges. Nmap completes the full TCP handshake using the operating system's connect() call. This scan is fully logged by target applications.
- UDP scan (-sU): Sends UDP packets to target ports. Open UDP ports often do not respond at all; closed ports return an ICMP port unreachable message. UDP scanning is significantly slower than TCP scanning and is frequently skipped during time-constrained assessments, which leads to missed attack surface.
- Idle scan (-sI): An advanced technique that routes scan traffic through a "zombie" host with a predictable IP ID sequence. The target sees packets coming from the zombie, not the scanner, providing a degree of source IP obfuscation.

## Service Version Detection
Once Nmap identifies open ports, the -sV flag activates service version detection. Nmap sends protocol-specific probes to each open port and compares the response against the nmap-service-probes database, which contains thousands of known application banners and response signatures. For example, an HTTP server on port 8080 will respond to an HTTP GET request with a Server header and status line. Nmap parses that response and reports "Apache httpd 2.4.51" or equivalent. This information is directly actionable: knowing the exact version allows an assessor to check whether that version has known CVEs.
## OS Fingerprinting
The -O flag triggers OS detection. Nmap sends a series of TCP, UDP, and ICMP probes designed to elicit responses that vary subtly between operating system TCP/IP stack implementations. It compares the pattern of responses against the nmap-os-db database. Differences in TCP window sizes, IP TTL values, TCP options ordering, and ICMP error message quoting collectively produce a fingerprint that Nmap matches to a known OS. Results include a percentage confidence rating; lower confidence scores indicate the target may be behind a load balancer or NAT device.
## Nmap Scripting Engine (NSE)
NSE is what transforms Nmap from a port scanner into an extensible security assessment platform. Scripts are written in Lua and organized into categories: auth, broadcast, brute, default, discovery, dos, exploit, external, fuzzer, intrusive, malware, safe, version, and vuln. Running nmap --script=default executes all scripts in the default category, which includes safe, informative scripts. Running nmap --script=vuln executes vulnerability-checking scripts, some of which send potentially disruptive probes.
A concrete example: a security engineer conducting an internal network assessment scans a /24 subnet with the command nmap -sS -sV -O --script=default,vuln -p- 192.168.10.0/24 -oA internal_scan_results. This single command performs a SYN scan of all 65,535 TCP ports, runs service version detection, attempts OS fingerprinting, executes default and vulnerability scripts, and writes output in normal, XML, and grepable formats. The XML output can be imported directly into Metasploit, parsed by custom scripts, or fed into a SIEM for asset inventory correlation. The grepable format allows quick command-line filtering: grep "open" internal_scan_results.gnmap extracts all open port findings for rapid triage.
## Timing and Evasion
Nmap's timing templates (-T0 through -T5) control the speed and aggressiveness of scans. -T1 (sneaky) introduces long delays between probes to reduce IDS alert probability. -T4 (aggressive) is commonly used in internal assessments where detection is less of a concern and speed matters. Fragment scanning (-f) splits packets into fragments that some older inspection systems fail to reassemble correctly. These options are tuning parameters, not guaranteed evasion methods, as modern NGFW and IDS platforms detect Nmap signatures regardless of timing.
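As an added example (not code from the article or from CDA), the following Python detector flags the half-open SYN pattern described under port scanning above in a constructed per-packet log, and shows why a burst-only detection window misses a -T1-paced scan. The log format, the 300-second window and the four-port threshold are assumptions, not Nmap or IDS defaults.

```python
from collections import defaultdict

# Constructed packet log, "epoch_seconds src dst dport flags" (S=SYN, SA=SYN-ACK, A=ACK, R=RST).
# 10.0.0.50: -T4-style burst, four ports in 1.5 s; it answers SYN-ACKs with RST, never ACK
# (only the first exchange is shown). 10.0.0.66: -T1-style pace, one SYN every 15 s.
# 10.0.0.7: a normal client that completes the handshake and must not be flagged.
LOG = """\
100.0 10.0.0.50 192.168.10.5 22 S
100.0 192.168.10.5 10.0.0.50 22 SA
100.0 10.0.0.50 192.168.10.5 22 R
100.5 10.0.0.50 192.168.10.5 80 S
101.0 10.0.0.50 192.168.10.5 443 S
101.5 10.0.0.50 192.168.10.5 3389 S
200.0 10.0.0.66 192.168.10.5 21 S
215.0 10.0.0.66 192.168.10.5 22 S
230.0 10.0.0.66 192.168.10.5 25 S
245.0 10.0.0.66 192.168.10.5 53 S
300.0 10.0.0.7 192.168.10.5 443 S
300.0 192.168.10.5 10.0.0.7 443 SA
300.0 10.0.0.7 192.168.10.5 443 A
"""

def parse_log(log):
    """Split each line into (ts, src, dst, dport, flags)."""
    rows = []
    for line in log.splitlines():
        ts, src, dst, dport, flags = line.split()
        rows.append((float(ts), src, dst, int(dport), flags))
    return rows

def find_syn_scanners(rows, window=300.0, min_ports=4):
    """Return {src: [ports]} for sources that sent SYNs to at least min_ports distinct
    ports on one target inside `window` seconds and never completed a handshake to them.
    The window and threshold are assumed tuning values, not Nmap or IDS defaults."""
    syn_probes = defaultdict(list)   # (src, dst) -> [(ts, dport)]
    completed = set()                # (src, dst, dport) where src sent the handshake ACK
    for ts, src, dst, dport, flags in rows:
        if flags == "S":
            syn_probes[(src, dst)].append((ts, dport))
        elif flags == "A":
            completed.add((src, dst, dport))
    alerts = {}
    for (src, dst), probes in syn_probes.items():
        probes.sort()
        for i, (t0, _) in enumerate(probes):   # slide the window over each SYN
            in_window = {p for t, p in probes[i:] if t - t0 <= window}
            half_open = {p for p in in_window if (src, dst, p) not in completed}
            if len(half_open) >= min_ports:
                alerts[src] = sorted(half_open)
                break
    return alerts
```

With window=30.0 the 10.0.0.66 probes never reach four ports inside one window and the slow scan goes unflagged, which is the reduced alert probability the article attributes to -T1; a longer window or per-source state that outlives a single burst closes that gap.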
---
Organizations that do not regularly scan their own networks operate on assumption rather than evidence. They assume their firewall rules are correct. They assume no unauthorized services have been stood up. They assume the attack surface documented in their CMDB reflects reality. Nmap removes assumption from the equation.
The practical consequences of not scanning are well-documented. The 2017 Equifax breach exposed data on 147 million people. One contributing factor identified in the post-breach Senate investigation was inadequate visibility into the company's network, including expired SSL certificates and unmonitored network segments. While Nmap alone would not have prevented the breach, systematic scanning would have surfaced the unpatched Apache Struts instance in an application that was supposed to be retired. Visibility is the precondition for remediation.
A common misconception is that firewall rules make scanning unnecessary. Firewalls are misconfigured, rules accumulate over years, shadow IT circumvents them, and cloud deployments frequently bypass them entirely. Nmap validates firewall posture from the attacker's vantage point, not the administrator's configuration file. There is a meaningful difference between what a firewall is configured to block and what it actually blocks when probed from a specific network segment.
Another misconception is that Nmap scanning is only a penetration tester's activity. Defenders run Nmap continuously. Scheduled scans with Ndiff comparisons produce a delta report showing new open ports, newly discovered hosts, and disappeared services, all of which are potential indicators of unauthorized change or compromise. A new port appearing on a domain controller overnight is an immediate investigation trigger.
Nmap is also integral to compliance workflows. The CIS Controls explicitly address continuous asset inventory and port-level monitoring. PCI DSS Requirement 11 mandates regular network scans. NIST SP 800-115 identifies port scanning as a required component of technical security assessments. Using Nmap to produce scan records satisfies the evidentiary requirements of these frameworks when properly documented.
---
CDA approaches Nmap within the Vulnerability Surface Domain (VSD) of the Planetary Defense Model (PDM). The governing methodology is Continuous Surface Reduction (CSR), summarized operationally as: every surface you expose is a surface we eliminate.
Most organizations scan quarterly or as part of annual penetration tests. CDA treats that cadence as fundamentally inadequate. A service exposed between quarterly scans is a surface that exists for up to 89 days without detection. CDA deploys Nmap in automated, scheduled scanning pipelines that run against all known IP ranges on a rotating basis, with critical segments scanned daily and internet-facing assets scanned continuously using a combination of Nmap and supplementary passive sources.
The operational difference in CDA's approach is what happens after the scan. Nmap output is not reviewed manually and filed. It is parsed into a structured asset database and compared against the previous scan baseline using Ndiff. Deviations trigger automated tickets in the client's change management system with a defined SLA for review. A new open port on an internal server generates a P2 ticket requiring acknowledgment within four hours. An unrecognized host appearing on a network segment generates a P1 requiring immediate investigation.
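The following Python is an added example, not CDA's pipeline or Nmap's own tooling. It parses two constructed scans in the -oX XML format discussed earlier, compares them the way the Ndiff-based baseline step above describes, and assigns the P1 and P2 priorities given in this section; the P3 priority for hosts and services that disappear, and the trimmed XML, are assumptions.

```python
import xml.etree.ElementTree as ET
# Constructed sample scans, trimmed to the Nmap XML elements this parser uses.
BASELINE_XML = """<nmaprun scanner="nmap">
<host><status state="up"/><address addr="192.168.10.5" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
<port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
</ports></host>
<host><status state="up"/><address addr="192.168.10.9" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="23"><state state="open"/><service name="telnet"/></port>
</ports></host>
</nmaprun>"""
CURRENT_XML = """<nmaprun scanner="nmap">
<host><status state="up"/><address addr="192.168.10.5" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
<port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
<port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
<port protocol="tcp" portid="8443"><state state="filtered"/></port>
</ports></host>
<host><status state="up"/><address addr="192.168.10.77" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="8080"><state state="open"/><service name="http-proxy"/></port>
</ports></host>
</nmaprun>"""

def parse_open_ports(xml_text):
    """Return {ip: {(proto, port): service_name}} for hosts that are up, open ports only."""
    inventory = {}
    for host in ET.fromstring(xml_text).findall("host"):
        if host.find("status").get("state") != "up":
            continue
        ip = host.find("address[@addrtype='ipv4']").get("addr")
        inventory[ip] = {}
        for port in host.findall("ports/port"):
            if port.find("state").get("state") != "open":
                continue  # closed/filtered ports are not exposed surface
            svc = port.find("service")
            name = svc.get("name", "unknown") if svc is not None else "unknown"
            inventory[ip][(port.get("protocol"), int(port.get("portid")))] = name
    return inventory

def diff_scans(baseline, current):
    """Emit (priority, ip, (proto, port) or None, reason) tuples, P1 first."""
    findings = []
    for ip in sorted(set(current) - set(baseline)):
        findings.append(("P1", ip, None, "unrecognized host appeared"))
    for ip in sorted(set(baseline) & set(current)):
        for key in sorted(set(current[ip]) - set(baseline[ip])):
            findings.append(("P2", ip, key, "new open port: " + current[ip][key]))
        for key in sorted(set(baseline[ip]) - set(current[ip])):
            findings.append(("P3", ip, key, "service disappeared: " + baseline[ip][key]))
    for ip in sorted(set(baseline) - set(current)):
        findings.append(("P3", ip, None, "host disappeared"))  # P3 is an assumption
    return findings
```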
CDA also uses Nmap's NSE capability as part of initial engagement scoping. During a client onboarding, a full-range scan with service version detection produces a current-state attack surface inventory that frequently reveals assets the client did not know were exposed, running software the client believed was decommissioned, or services running on non-standard ports specifically to avoid detection in standard scans. On a recent engagement, an nmap -sV -p- scan of a client's /16 internal range identified 23 hosts running outdated Telnet services that the client's CMDB showed as decommissioned two years prior.
Within the SPH (Security Program Health) domain, Nmap scan records serve as evidence artifacts for audit and compliance reporting. CDA maintains timestamped scan archives that document the client's exposed surface over time, providing auditors with a verifiable history of surface reduction progress rather than point-in-time snapshots.
---
- Use the -p- flag to scan all 65,535 TCP ports, not just the default top 1,000; attackers do not limit themselves to common ports and neither should your assessment methodology.
- Combine -sV with --script=vuln on internal assessments to surface service version information alongside known vulnerability checks in a single scan pass, reducing assessment time without sacrificing coverage.
- Use XML output (-oX) for all production scans; XML output integrates directly with Metasploit, custom parsers, and SIEM platforms and preserves more data than normal or grepable formats.
---
Written by CDA Editorial