How to nmap scan
Last updated: April 4, 2026
Key Facts
- Nmap was first released in 1997 by Gordon Lyon (Fyodor).
- There are over 15 different scan types available in Nmap.
- Nmap can detect over 1000 different service versions.
- Nmap is used by cybersecurity professionals for vulnerability assessment and network inventory.
- Nmap scripts (NSE) can automate a wide variety of tasks, from network discovery to advanced vulnerability detection.
What is Nmap?
Nmap, which stands for Network Mapper, is a free and open-source utility for network exploration and security auditing. It is widely used by system administrators and cybersecurity professionals for tasks such as network discovery, port scanning, and vulnerability assessment. Nmap was created by Gordon Lyon, also known as "Fyodor", and was first released in 1997. It runs on major operating systems, including Linux, Windows, and macOS.
Why Use Nmap?
Nmap serves several crucial purposes:
- Network Discovery: It helps identify active hosts on a network, determining which devices are online and reachable.
- Port Scanning: Nmap can scan a range of ports on target systems to determine which services are running and available. This is essential for understanding a system's attack surface.
- Service and Version Detection: It can identify the applications and their versions running on open ports, helping to uncover potential vulnerabilities associated with outdated software.
- Operating System Detection: Nmap can often determine the operating system of a target host based on its network responses.
- Security Auditing: Security professionals use Nmap to identify potential security weaknesses, such as open ports that shouldn't be, or services running with known vulnerabilities.
- Network Inventory: It assists in creating an inventory of network devices and the services they offer.
Basic Nmap Scan Commands
The fundamental syntax for Nmap is:
nmap [Scan Type(s)] [Options] {target specification}
Let's break down some common scan types and options:
Target Specification
- IP Address:
  nmap 192.168.1.1
- Hostname:
  nmap example.com
- IP Range:
  nmap 192.168.1.1-100
- CIDR Notation:
  nmap 192.168.1.0/24
- List from a file:
  nmap -iL targets.txt
Common Scan Types
- TCP SYN Scan (Stealth Scan): This is the default scan type when run with root/administrator privileges. It's fast and less likely to be logged by the target system.
  nmap -sS
- TCP Connect Scan: This scan completes the TCP three-way handshake. It's used when SYN scans are not permitted or when you don't have root privileges. It's more easily detected.
  nmap -sT
- UDP Scan: Scans UDP ports. UDP is connectionless, making scans slower and less reliable than TCP scans.
  nmap -sU
- Ping Scan (Host Discovery): Determines which hosts are online.
  nmap -sn (formerly -sP)
Useful Options
- Port Specification: Scan specific ports, ranges, or all ports.
  nmap -p 80,443
  nmap -p 1-1000
  nmap -p- (scans all 65535 ports)
- Service Version Detection: Tries to determine the service and version running on open ports.
  nmap -sV
- OS Detection: Attempts to identify the operating system.
  nmap -O
- Aggressive Scan: Enables OS detection, version detection, script scanning, and traceroute.
  nmap -A
- Timing Templates: Control scan speed and intensity. -T4 (aggressive) is common for faster scans, while -T0 (paranoid) is very slow.
  nmap -T4
- Verbosity: Provides more detailed output during the scan.
  nmap -v
- Output Formats: Save scan results to a file.
  nmap -oN output.txt (normal format)
  nmap -oX output.xml (XML format)
  nmap -oG output.grep (grepable format)
  nmap -oA output (all formats)
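The XML format (-oX) is the one worth keeping for network inventory and auditing, because it is easy to parse. As an added example (not code from the original page), the following Python script turns -oX output into a host/service inventory and flags open ports that are not on a per-host baseline; the sample XML and the BASELINE table are constructed for the demonstration.

```python
"""Turn nmap -oX output into a host/service inventory and flag unexpected open ports."""
import xml.etree.ElementTree as ET

# Constructed sample of nmap -oX output (not a real scan result): two hosts up, one down.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 192.168.1.0/24" version="7.94">
<host><status state="up"/><address addr="192.168.1.10" addrtype="ipv4"/>
<hostnames><hostname name="web01.lan" type="PTR"/></hostnames><ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="8.9p1"/></port>
<port protocol="tcp" portid="443"><state state="open"/><service name="http" product="nginx" version="1.18.0"/></port>
</ports></host>
<host><status state="up"/><address addr="192.168.1.20" addrtype="ipv4"/><hostnames/><ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="7.4"/></port>
<port protocol="tcp" portid="3306"><state state="open"/><service name="mysql" product="MySQL" version="5.7.33"/></port>
<port protocol="tcp" portid="8080"><state state="filtered"/><service name="http-proxy"/></port>
</ports></host>
<host><status state="down"/><address addr="192.168.1.30" addrtype="ipv4"/></host>
</nmaprun>"""

# Hypothetical per-host baseline: the (protocol, port) pairs each host is supposed to expose.
BASELINE = {"192.168.1.10": {("tcp", 22), ("tcp", 443)}, "192.168.1.20": {("tcp", 22)}}

def parse_inventory(xml_text):
    """Return {ip: {"hostname": str|None, "ports": [(proto, port, name, product, version)]}}."""
    inventory = {}
    for host in ET.fromstring(xml_text).findall("host"):
        if host.find("status").get("state") != "up":
            continue  # hosts that did not answer host discovery have no ports section
        ip = host.find("address[@addrtype='ipv4']").get("addr")
        hn = host.find("hostnames/hostname")
        ports = []
        for port in host.findall("ports/port"):
            if port.find("state").get("state") != "open":
                continue  # closed/filtered ports are not part of the exposed surface
            svc = port.find("service")
            attrs = svc.attrib if svc is not None else {}
            ports.append((port.get("protocol"), int(port.get("portid")), attrs.get("name", ""),
                          attrs.get("product", ""), attrs.get("version", "")))
        inventory[ip] = {"hostname": hn.get("name") if hn is not None else None, "ports": ports}
    return inventory

def unexpected_ports(inventory, baseline):
    """Return {ip: [(proto, port, name), ...]} for open ports not in that host's baseline."""
    findings = {}
    for ip, entry in inventory.items():
        allowed = baseline.get(ip, set())  # unknown hosts: every open port is flagged
        extra = [p[:3] for p in entry["ports"] if (p[0], p[1]) not in allowed]
        if extra:
            findings[ip] = extra
    return findings
```

Run it against a real scan by replacing SAMPLE_XML with the contents of the file written by nmap -oX; a host that appears in the scan but not in BASELINE has every open port reported, which is the usual way new or unmanaged devices show up.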
Nmap Scripting Engine (NSE)
Nmap's power is significantly extended by the Nmap Scripting Engine (NSE). NSE allows users to write and share scripts to automate a wide variety of networking tasks. These scripts can be used for:
- Advanced vulnerability detection
- More in-depth service discovery
- Exploiting certain vulnerabilities (use with extreme caution and proper authorization)
- Backdoor detection
- And much more.
To run scripts, you use the -sC option (runs default safe scripts) or --script for specific scripts or categories.
Example: nmap --script vuln
Ethical Considerations and Legality
It is crucial to understand that scanning networks without explicit permission from the owner is illegal and unethical. Unauthorized scanning can be considered a violation of privacy and potentially lead to legal consequences. Always ensure you have the necessary authorization before scanning any network, especially those outside your own controlled environment.
Nmap is a tool for network administrators and security professionals to manage and secure their networks. When used responsibly and ethically, it is an invaluable asset.