Nmap: The Network Scanner Every Security Pro Needs
A practical guide to Nmap, the essential network scanning tool, covering installation, scan types, scripting engine, and real-world workflows.
Nmap (Network Mapper) is a free, open-source tool for network discovery and security auditing. It is arguably the most important tool in any security professional's toolkit. Nmap discovers hosts on a network, identifies open ports, detects running services and their versions, and can even fingerprint operating systems.
Gordon Lyon (Fyodor) released Nmap in 1997, and it has been continuously developed since. It runs on Linux, Windows, and macOS.
On Linux (Debian/Ubuntu): sudo apt install nmap
On macOS: brew install nmap
On Windows: download the installer from nmap.org, which includes Zenmap (the GUI).
TCP SYN scan (-sS): The default and most popular scan. Nmap sends a SYN packet to each target port. If the port responds with SYN-ACK, it is open. Nmap sends RST to close the connection without completing the handshake, making it stealthier than a full connect scan. Requires root/admin privileges.
TCP connect scan (-sT): Completes the full three-way handshake. Used when SYN scan is not available (non-root users). More detectable because the full connection is logged by the target.
UDP scan (-sU): Scans UDP ports, which host services like DNS (53), SNMP (161), and DHCP (67). UDP scanning is slower and less reliable because UDP has no handshake: an open port often does not reply at all, so Nmap cannot distinguish it from a filtered one without further probing. Combine with version detection (-sV) for better results.
Service version detection (-sV): Probes open ports to determine the service name and version. This is essential for vulnerability assessment because knowing that a server runs Apache 2.4.49 (vulnerable to path traversal CVE-2021-41773) versus 2.4.54 (patched) changes your entire assessment.
OS detection (-O): Analyzes TCP/IP stack characteristics to guess the target's operating system. Useful for asset inventory and attack surface assessment.
NSE extends Nmap with scripts written in Lua. Nmap ships with over 600 scripts covering vulnerability detection, brute force, discovery, and more.
Run default scripts: nmap -sC target
Run specific scripts: nmap --script=http-title,ssl-enum-ciphers target
Run vulnerability scripts: nmap --script=vuln target
Popular scripts include: ssl-enum-ciphers (checks TLS configuration), http-enum (finds common web paths), smb-vuln-ms17-010 (checks for EternalBlue), and dns-brute (enumerates subdomains).
Quick network discovery: nmap -sn 192.168.1.0/24 performs a ping sweep to find live hosts without port scanning.
Full port scan with service detection: nmap -sS -sV -p- target scans all 65,535 TCP ports with version detection. This is thorough but time-consuming.
Targeted scan for security audit: nmap -sS -sV -sC -O -p 22,80,443,3389,445,3306,5432 target scans common service ports with version detection, default scripts, and OS fingerprinting.
Output to file: nmap -oA scan-results target saves output in normal, XML, and grepable formats simultaneously. The XML output integrates with tools like Metasploit and vulnerability management platforms.
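The XML output mentioned above is what most integrations consume. As an added example (not code from the article or the Nmap project), the Python below parses that XML and diffs a baseline scan against a later one to flag newly exposed services, the core of a scan-based asset inventory; both documents are constructed sample output in Nmap's schema, not real scan data, and the host address is a placeholder.

```python
"""Parse Nmap XML (-oX / -oA) and diff two scans for newly exposed services.
Added example, not part of the article or of Nmap itself. The XML below is
constructed sample data in Nmap's real output schema; the IP is a placeholder."""
import xml.etree.ElementTree as ET

# Constructed baseline: ssh and https open, mysql filtered (not exposed).
BASELINE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sV -oA baseline 192.168.1.10">
 <host><status state="up"/><address addr="192.168.1.10" addrtype="ipv4"/>
  <ports>
   <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="8.9p1"/></port>
   <port protocol="tcp" portid="443"><state state="open"/><service name="http" product="nginx" version="1.22.1" tunnel="ssl"/></port>
   <port protocol="tcp" portid="3306"><state state="filtered"/></port>
  </ports></host></nmaprun>"""

# Constructed follow-up scan: mysql is now open and an RDP port has appeared.
CURRENT_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sV -oA current 192.168.1.10">
 <host><status state="up"/><address addr="192.168.1.10" addrtype="ipv4"/>
  <ports>
   <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="8.9p1"/></port>
   <port protocol="tcp" portid="443"><state state="open"/><service name="http" product="nginx" version="1.22.1" tunnel="ssl"/></port>
   <port protocol="tcp" portid="3306"><state state="open"/><service name="mysql" product="MySQL" version="8.0.33"/></port>
   <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
  </ports></host></nmaprun>"""


def open_services(xml_text):
    """Map (ip, proto, port) -> 'name product version' for every open port
    on every host that was up. Filtered/closed ports are skipped."""
    inventory = {}
    for host in ET.fromstring(xml_text).iter("host"):
        if host.find("status").get("state") != "up":
            continue
        ip = host.find("address[@addrtype='ipv4']").get("addr")
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue
            svc = port.find("service")  # absent when -sV was not used
            attrs = [svc.get(k) for k in ("name", "product", "version")] if svc is not None else []
            label = " ".join(a for a in attrs if a) or "unknown"
            inventory[(ip, port.get("protocol"), int(port.get("portid")))] = label
    return inventory


def new_exposures(baseline_xml, current_xml):
    """Return open ports present in the current scan but not in the baseline."""
    base, cur = open_services(baseline_xml), open_services(current_xml)
    return {key: svc for key, svc in cur.items() if key not in base}
```

Running new_exposures(BASELINE_XML, CURRENT_XML) reports tcp/3306 (mysql) and tcp/3389 (ms-wbt-server) as new; a real deployment would feed scheduled -oA output into it and alert on any non-empty result.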
Masscan is significantly faster than Nmap for port discovery (it can scan the entire internet in minutes) but lacks Nmap's service detection and scripting capabilities. Use Masscan for speed and Nmap for depth.
Rustscan wraps Nmap to provide faster port discovery and then passes open ports to Nmap for detailed analysis.
Zmap is another high-speed scanner designed for internet-wide surveys.
Only scan networks you own or have explicit written authorization to test. Unauthorized scanning can violate computer fraud laws and terms of service. Even authorized scanning should be coordinated with network and security operations teams to avoid triggering alerts or impacting production systems.
Written by CDA Wiki Team