NMAP (Network Mapper) Guide | NOC.org

Introduction to NMAP

NMAP (Network Mapper) is the industry-standard open-source tool for network discovery and security auditing. It uses raw IP packets to determine what hosts are available on the network, what services they are running, what operating systems they use, what packet filters or firewalls are in place, and dozens of other characteristics. Whether you are auditing your own infrastructure for open ports or conducting an authorized penetration test, NMAP is the starting point.

This guide covers NMAP's core scanning capabilities in depth. For installation instructions, see Install NMAP on Ubuntu.

Port Scanning Types

NMAP supports multiple scan techniques, each with different trade-offs in speed, stealth, accuracy, and the information they reveal.

SYN Scan (-sS)

The SYN scan (also called "half-open" or "stealth" scan) is NMAP's default and most popular scan type. It sends a SYN packet (the first step of a TCP handshake) and analyzes the response:

  • SYN/ACK response: The port is open (a service is listening).
  • RST response: The port is closed (no service).
  • No response or ICMP unreachable: The port is filtered (firewall is dropping the packet).

# SYN scan (requires root/sudo)
sudo nmap -sS 192.168.1.1

The SYN scan never completes the TCP handshake — it sends a RST after receiving SYN/ACK. This makes it faster than a full TCP connect scan and less likely to be logged by the target application (though modern IDS/IPS systems easily detect SYN scans).

TCP Connect Scan (-sT)

The TCP connect scan completes the full three-way handshake (SYN, SYN/ACK, ACK) for each port. It does not require root privileges because it uses the operating system's connect() system call rather than raw packets:

# TCP connect scan (no root required)
nmap -sT 192.168.1.1

TCP connect scans are slower, generate more network traffic, and are more likely to be logged by the target. Use them when you do not have root access or when SYN scans are blocked by a firewall.

UDP Scan (-sU)

UDP scanning is essential but often overlooked. Many critical services run on UDP: DNS (53), SNMP (161), NTP (123), DHCP (67/68), and TFTP (69). UDP scans are significantly slower than TCP scans because there is no handshake — NMAP must wait for a response or timeout for each port.

# UDP scan (requires root/sudo, very slow for all ports)
sudo nmap -sU 192.168.1.1

# Scan only common UDP ports
sudo nmap -sU --top-ports 100 192.168.1.1

# Combine TCP SYN and UDP scan
sudo nmap -sS -sU 192.168.1.1

For each UDP port, NMAP sends an empty UDP datagram (or a protocol-specific payload for known services). An ICMP "port unreachable" response means the port is closed. No response could mean the port is open or filtered — NMAP marks these as open|filtered.

ACK Scan (-sA)

The ACK scan does not determine whether a port is open or closed. Instead, it maps firewall rulesets by determining which ports are filtered (blocked by a stateful firewall) versus unfiltered (reachable, whether open or closed):

# ACK scan to map firewall rules
sudo nmap -sA 192.168.1.1

If a RST is received, the port is unfiltered (the firewall allows packets through). No response or ICMP unreachable means the port is filtered. This is useful for understanding firewall configurations during security assessments.

Other Scan Types

  • FIN scan (-sF): Sends a FIN packet. Closed ports respond with RST; open ports may not respond (OS-dependent).
  • Xmas scan (-sX): Sends packets with FIN, PSH, and URG flags set. Named for the "lit up like a Christmas tree" flag combination.
  • Null scan (-sN): Sends packets with no flags. Like FIN and Xmas scans, effectiveness depends on the target OS (works on Unix/Linux, not on Windows).
  • Window scan (-sW): Similar to ACK scan but examines the TCP window field to distinguish open from closed ports on certain systems.
  • Maimon scan (-sM): Uses FIN/ACK flags. Effective against certain BSD-derived systems.

Host Discovery

Before scanning ports, NMAP determines which hosts are alive. The default discovery process sends an ICMP echo request, TCP SYN to port 443, TCP ACK to port 80, and an ICMP timestamp request.

# Ping scan (host discovery only, no port scan)
nmap -sn 192.168.1.0/24

# Disable host discovery (scan even if host appears down)
nmap -Pn 192.168.1.1

# Use specific discovery techniques
nmap -PS22,80,443 192.168.1.0/24    # TCP SYN discovery on specific ports
nmap -PA80,443 192.168.1.0/24       # TCP ACK discovery
nmap -PE 192.168.1.0/24              # ICMP echo only
nmap -PP 192.168.1.0/24              # ICMP timestamp

On local networks, NMAP uses ARP requests for host discovery, which is faster and more reliable than ICMP since ARP cannot be blocked by host firewalls.

Service and Version Detection (-sV)

Port scanning tells you a port is open. Version detection tells you what is running on that port — the software name, version number, and sometimes additional details like the protocol, hostname, or device type:

# Version detection
nmap -sV 192.168.1.1

# Increase version detection intensity (0-9, default 7)
nmap -sV --version-intensity 9 192.168.1.1

# Light version detection (faster, less accurate)
nmap -sV --version-light 192.168.1.1

Version detection works by sending a series of probes to open ports and matching the responses against a database of known service signatures (the nmap-service-probes file). This information is critical for identifying outdated or vulnerable software.

OS Detection (-O)

NMAP can identify the target's operating system by analyzing TCP/IP stack behavior — timing, window sizes, flag responses, and other characteristics that differ between operating system implementations:

# OS detection (requires root/sudo)
sudo nmap -O 192.168.1.1

# Limit OS detection to promising targets
sudo nmap -O --osscan-limit 192.168.1.1

# Aggressive OS detection (try harder)
sudo nmap -O --osscan-guess 192.168.1.1

OS detection requires at least one open and one closed port to be effective. Results include the OS family, version, and a confidence percentage.

Nmap Scripting Engine (NSE)

The NSE is one of NMAP's most powerful features. It includes hundreds of scripts organized into categories for vulnerability detection, service enumeration, brute force testing, and more:

# Run default scripts (safe and useful)
nmap -sC 192.168.1.1

# Run scripts from a specific category
nmap --script vuln 192.168.1.1
nmap --script auth 192.168.1.1
nmap --script discovery 192.168.1.1

# Run a specific script
nmap --script http-title 192.168.1.1
nmap --script ssl-heartbleed 192.168.1.1

# Run multiple scripts
nmap --script "http-title,http-headers,ssl-cert" 192.168.1.1

# Run scripts with arguments
nmap --script http-brute --script-args http-brute.path=/admin 192.168.1.1

NSE Script Categories

Category    Description                                    Safe for Production?
safe        Will not crash services or exploit anything    Yes
default     Run with -sC; useful and non-intrusive         Generally yes
discovery   Gather more information about services         Generally yes
version     Advanced version detection                     Yes
vuln        Check for specific vulnerabilities             Usually
auth        Check for authentication issues                Usually
brute       Brute force password guessing                  No — may lock accounts
intrusive   May crash services or cause issues             No
exploit     Actively exploit vulnerabilities               No
dos         Denial of service tests                        No

Output Formats

NMAP supports multiple output formats for different use cases:

# Normal output (human-readable)
nmap -oN results.txt 192.168.1.1

# XML output (for parsing and tool integration)
nmap -oX results.xml 192.168.1.1

# Grepable output (one host per line, easy to grep/awk)
nmap -oG results.gnmap 192.168.1.1

# All three formats simultaneously
nmap -oA results 192.168.1.1

XML output is the most useful for automation — it can be parsed by vulnerability management tools, imported into databases, or processed with custom scripts. Grepable output is convenient for quick command-line analysis.

Timing Templates (-T0 through -T5)

Timing templates control how fast NMAP sends probes and how long it waits for responses. The template affects scan speed, network load, and detection risk:

Template   Name         Use Case
-T0        Paranoid     IDS evasion; extremely slow (5 min between probes)
-T1        Sneaky       IDS evasion; slow (15 sec between probes)
-T2        Polite       Reduced network load; won't overwhelm targets
-T3        Normal       Default; balanced speed and reliability
-T4        Aggressive   Fast; assumes reliable network
-T5        Insane       Maximum speed; may miss ports, overwhelm targets

# Polite scan (good for production networks)
nmap -T2 -sV 192.168.1.0/24

# Aggressive scan (fast, good for lab environments)
nmap -T4 -A 192.168.1.1

Common Scan Profiles

Quick Security Audit

sudo nmap -sS -sV -O --top-ports 1000 -T4 target

Comprehensive Vulnerability Assessment

sudo nmap -sS -sV -O -sC --script vuln -p- -T3 -oA full_scan target

Stealthy Reconnaissance

sudo nmap -sS -T2 -f --data-length 24 target

The -f flag fragments packets, and --data-length appends random data to make packets less recognizable to IDS.

Web Server Audit

nmap -sV --script "http-*" -p 80,443,8080,8443 target

SSH Security Check

nmap -sV --script ssh-auth-methods,ssh2-enum-algos -p 22 target

This reveals what authentication methods SSH accepts and what cryptographic algorithms are supported — useful for verifying SSH hardening.

Scanning Best Practices

  • Get authorization first. Scanning without permission may be illegal. Always obtain written authorization specifying scope, timing, and allowed techniques.
  • Start with discovery. Use -sn to find live hosts before running port scans, reducing scan time and network impact.
  • Be conservative on production networks. Use -T2 or -T3 timing, avoid intrusive or exploit scripts, and scan during maintenance windows when possible.
  • Save results. Always use -oA to save results in all formats. You will want to compare results over time to detect changes.
  • Scan regularly. A single scan is a snapshot. Schedule regular scans to detect new services, open ports, or configuration changes.
  • Correlate with known attack vectors. Use scan results to prioritize hardening the most exposed services.
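
The following script is an added example, not part of this guide or of NMAP itself: it parses the -oX output described under Output Formats and implements the "compare results over time" step above by reporting ports that are open in a current scan but were not open in an earlier baseline. The two XML documents are constructed samples trimmed to the elements the parser uses, not real scan results.

```python
import xml.etree.ElementTree as ET

# Constructed samples in nmap -oX format, trimmed to the elements used here (not real scans).
BASELINE_XML = """<nmaprun scanner="nmap" args="nmap -sS -sV -oX baseline.xml 192.168.1.0/24">
<host><status state="up"/><address addr="192.168.1.1" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="8.9p1"/></port>
<port protocol="tcp" portid="80"><state state="open"/><service name="http" product="nginx" version="1.18.0"/></port>
<port protocol="tcp" portid="443"><state state="closed"/><service name="https"/></port>
</ports></host></nmaprun>"""

CURRENT_XML = """<nmaprun scanner="nmap" args="nmap -sS -sU -sV -oX current.xml 192.168.1.0/24">
<host><status state="up"/><address addr="192.168.1.1" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="8.9p1"/></port>
<port protocol="tcp" portid="80"><state state="open"/><service name="http" product="nginx" version="1.18.0"/></port>
<port protocol="tcp" portid="3306"><state state="open"/><service name="mysql" product="MySQL" version="8.0.33"/></port>
</ports></host>
<host><status state="up"/><address addr="192.168.1.2" addrtype="ipv4"/><ports>
<port protocol="udp" portid="161"><state state="open|filtered"/><service name="snmp"/></port>
<port protocol="tcp" portid="8080"><state state="open"/><service name="http-proxy"/></port>
</ports></host></nmaprun>"""


def open_ports(xml_text):
    """Map each live host to its confirmed-open ports: {ip: {(proto, port): service}}.
    UDP ports marked open|filtered are left out: nmap could not confirm them."""
    result = {}
    for host in ET.fromstring(xml_text).iter("host"):
        if host.find("status").get("state") != "up":
            continue
        ip = host.find("address[@addrtype='ipv4']").get("addr")
        ports = {}
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue
            svc = port.find("service")
            fields = [svc.get(k) for k in ("name", "product", "version")] if svc is not None else []
            ports[(port.get("protocol"), int(port.get("portid")))] = " ".join(f for f in fields if f) or "unknown"
        result[ip] = ports
    return result


def new_exposure(baseline_xml, current_xml):
    """Ports open now but not in the baseline; every open port on a host the baseline never saw counts."""
    before, after = open_ports(baseline_xml), open_ports(current_xml)
    changes = {}
    for ip, ports in after.items():
        added = {k: v for k, v in ports.items() if k not in before.get(ip, {})}
        if added:
            changes[ip] = added
    return changes
```

Running new_exposure(BASELINE_XML, CURRENT_XML) on the samples flags 3306/tcp on 192.168.1.1 and 8080/tcp on the newly seen host 192.168.1.2; the open|filtered SNMP port is deliberately not reported as confirmed exposure and should be reviewed separately.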

Understand Your Attack Surface

NMAP reveals what attackers see when they look at your infrastructure. Regular scanning, combined with server hardening and a web application firewall, ensures that your attack surface is minimized and monitored. Explore NOC.org's security solutions for comprehensive infrastructure protection.
