NMAP – A Free Network Mapping Tool

By Tony Perez (@perezbox) Posted in: security-tools

The Network Mapper (Nmap) is an open-source, free security scanner widely loved by network and security analysts. Many commercial tools try to replicate its power, but most end up bundling Nmap itself as a “feature.”

Under the hood, Nmap is a precise instrument for discovery and reconnaissance. This primer introduces what it is, how to think about its scripting engine, and a few practical scans to add to your toolkit.

About Nmap

Nmap helps you analyze your infrastructure’s external exposure: open ports, services, versions, and basic OS traits. While it began as a network scanner, its ecosystem now stretches across layers of your stack (network and application). You’ll typically run it from the command line; a GUI called Zenmap exists if you prefer a UI.

Use Nmap only on systems you own or have explicit permission to test.

Leverage the Scripting Engine (NSE)

A big reason Nmap remains best-in-class is the Nmap Scripting Engine (NSE). It ships with Nmap and offers 600+ scripts, grouped by categories such as discovery, safe, vuln, and more. You can run individual scripts or entire categories—and write your own when you need to automate repeatable tasks.

Example: running a specific script (ASN lookup):

nmap --script asn-query [--script-args dns=<resolver>] <target>

Or run a whole category (all discovery scripts):

nmap --script discovery <target>

Real-World Application

Say your team deployed five new servers. A basic scan helps you validate what’s visible from the Internet and whether exposure matches intent.

Simple port discovery:

# Basic TCP scan
nmap 173.255.xxx.xxx

# Sample output (abridged)
PORT    STATE     SERVICE
22/tcp  open      ssh
25/tcp  filtered  smtp
80/tcp  open      http
443/tcp open      https
465/tcp filtered  smtps
587/tcp filtered  submission

We can see SSH and HTTP(S) are open; SMTP appears filtered. Should SSH be exposed? Is a mail service expected on this host? These quick checks catch misconfigurations early.

Add version detection (-sV) to learn more about what’s running:

nmap -sV 173.255.xxx.xxx

PORT    STATE  SERVICE  VERSION
22/tcp  open   ssh      OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp  open   http     Apache httpd 2.4.29 ((Ubuntu))
443/tcp open   ssl/http Apache httpd 2.4.29 ((Ubuntu))
...

Version data helps prioritize patching and quickly check exposure to known CVEs. You can scan multiple hosts at once by listing them:

nmap -sV 192.155.xxx.xxx 198.58.xxx.xxx
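To make the "does exposure match intent" check repeatable across those five new servers, here is an added Python example (not code from the article) that parses the PORT/STATE/SERVICE/VERSION table from Nmap's normal output and compares the open TCP ports against an expected allowlist; the sample output and the allowlist are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample of abridged "nmap -sV" normal output (placeholder host).
SAMPLE_OUTPUT = """\
Nmap scan report for 173.255.xxx.xxx
PORT    STATE     SERVICE     VERSION
22/tcp  open      ssh         OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
25/tcp  filtered  smtp
80/tcp  open      http        Apache httpd 2.4.29 ((Ubuntu))
443/tcp open      ssl/http    Apache httpd 2.4.29 ((Ubuntu))
465/tcp filtered  smtps
587/tcp filtered  submission
"""

# Intended exposure for a public web server (assumed policy): only HTTP(S).
EXPECTED_OPEN = {80, 443}

# One table row: "<port>/<proto> <state> <service> [<version ...>]"
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")


@dataclass
class PortEntry:
    port: int
    proto: str
    state: str
    service: str
    version: str


def parse_ports(output):
    """Extract port rows from Nmap normal output; header and banner lines are skipped."""
    entries = []
    for line in output.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            port, proto, state, service, version = m.groups()
            entries.append(PortEntry(int(port), proto, state, service, version or ""))
    return entries


def check_exposure(entries, expected_open):
    """Return (unexpected open ports, expected ports not open, filtered ports)."""
    open_tcp = {e.port for e in entries if e.state == "open" and e.proto == "tcp"}
    filtered = {e.port for e in entries if e.state == "filtered"}
    return open_tcp - expected_open, expected_open - open_tcp, filtered


if __name__ == "__main__":
    rows = parse_ports(SAMPLE_OUTPUT)
    unexpected, missing, filtered = check_exposure(rows, EXPECTED_OPEN)
    for e in rows:
        if e.port in unexpected:  # e.g. SSH open on a host meant to serve only HTTP(S)
            print(f"UNEXPECTED open {e.port}/{e.proto} {e.service} {e.version}".rstrip())
    print(f"expected but not open: {sorted(missing)}; filtered: {sorted(filtered)}")
```

Feed it the saved output of a real scan (nmap -sV ... -oN scan.txt) and adjust EXPECTED_OPEN per host role to turn the manual questions above into a scripted drift check.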

Nmap Empowers the Analyst

Even with default scans, Nmap provides high-value visibility into your perimeter. Combine it with NSE for scripted discovery, and you’ll accelerate validation, reduce guesswork, and surface drift across environments.

For safe testing, the Nmap team provides scanme.nmap.org. Don’t scan systems without authorization.