Nmap Tutorial for Beginners: Complete Guide 2026

Category: Tutorials

By EthicalHacking.ai Team

Nmap (Network Mapper) is the single most important tool in the ethical hacker's toolkit. Released in 1997 and still actively maintained, it is the de-facto standard for network discovery, port scanning, service enumeration, and lightweight vulnerability detection — used in virtually every penetration test on the planet. This tutorial walks complete beginners through everything they need to know in 2026: installation on every major operating system, the core scan types, port and service detection, OS fingerprinting, the Nmap Scripting Engine (NSE), output formats, and real-world workflows. By the end you will be able to map a network, fingerprint its services, and identify common misconfigurations confidently from the command line.

What Is Nmap?

Nmap is a free, open-source command-line tool that uses raw IP packets to probe networks. It identifies which hosts are alive, which ports are open, what services and software versions are running, what operating systems and device types are in play, and what firewall rules sit in front of them. Created by Gordon Lyon (Fyodor), it now ships in Kali Linux, Parrot OS, and most major distributions by default. Nmap is the first tool launched in nearly every penetration test because the data it produces shapes every subsequent decision in an engagement.

Installation

On Debian and Ubuntu Linux:

$ sudo apt update && sudo apt install nmap -y

On Red Hat, Fedora, and CentOS:

$ sudo dnf install nmap -y

On macOS via Homebrew:

$ brew install nmap

On Windows, download the official installer (which includes the Zenmap graphical front-end) from nmap.org/download.html. Verify your installation with:

$ nmap --version

Basic Scan Commands

The simplest possible Nmap command takes a target IP, hostname, or CIDR range:

$ nmap scanme.nmap.org

This runs a default TCP scan of the 1,000 most common ports. The three foundational scan types every beginner must know are:

$ sudo nmap -sS 192.168.1.0/24    # SYN (stealth) scan — the default for privileged users
$ nmap -sT scanme.nmap.org        # TCP connect scan — works without root, more "noisy"
$ sudo nmap -sU 192.168.1.10      # UDP scan — slow but essential for DNS, SNMP, NTP, etc.

SYN scan (-sS) sends a SYN, reads the SYN/ACK or RST that comes back, and tears the half-open connection down with a RST instead of completing the handshake; that is faster and less likely to be logged by the application, because no connection is ever established. It is the default when Nmap runs as root. TCP connect (-sT) completes the full three-way handshake through the operating system's connect() call and is the fallback when you are not running with elevated privileges. UDP scan (-sU) is significantly slower because an open UDP port usually does not answer an empty probe at all, and the ICMP port-unreachable replies that identify closed ports are rate-limited by most operating systems, but you cannot ignore it — many critical services (DNS port 53, SNMP port 161, NTP port 123) only listen on UDP.

Port Scanning Options

By default Nmap scans the 1,000 most common ports. You will routinely override that. Specify exact ports, ranges, or all 65,535:

$ nmap -p 80,443,8080 target.com               # specific ports
$ nmap -p 1-1024 target.com                    # port range
$ nmap -p- target.com                          # all 65,535 TCP ports
$ nmap --top-ports 100 target.com              # 100 most common ports
$ nmap -p T:80,U:53 target.com                 # mix TCP and UDP in one scan
$ nmap -F target.com                           # fast scan (top 100 ports)

For real engagements, always run a full -p- scan in parallel with your standard top-1,000 scan — services hiding on uncommon ports are a frequent source of high-impact findings. Combine it with timing and parallelism flags to keep things fast:

$ sudo nmap -sS -p- --min-rate 1000 -T4 target.com

The --min-rate 1000 flag forces at least 1,000 packets per second, and -T4 sets aggressive timing — both safe defaults on a healthy network.

Service and Version Detection

Knowing port 80 is open is useful; knowing it is running nginx 1.24.0 with Lua scripting enabled is far more useful. The -sV flag turns on service and version detection:

$ nmap -sV -p 22,80,443 target.com

For maximum detail in a single command, use -A, which combines service detection, OS detection, default scripts, and traceroute:

$ sudo nmap -A -p- target.com

-A is the "kitchen sink" option — extremely informative, but loud on the wire and slow against large networks. Use it for individual high-value targets rather than full subnet sweeps. The version intensity can be tuned from --version-intensity 0 (light) to 9 (try every probe), with the default at level 7 striking a good balance between accuracy and speed.

OS Detection

Nmap fingerprints operating systems by analyzing subtle differences in how each OS implements its TCP/IP stack — initial sequence numbers, window sizes, ICMP behavior, and dozens of other signals.

$ sudo nmap -O target.com
$ sudo nmap -O --osscan-guess target.com    # be more aggressive when unsure

OS detection requires root (raw socket access) and at least one open and one closed port to compare responses. Accuracy degrades through firewalls and load balancers, so always treat the result as a best-effort fingerprint rather than ground truth.

Nmap Scripting Engine (NSE)

NSE is what transforms Nmap from a port scanner into a lightweight vulnerability scanner. It ships with over 600 pre-written Lua scripts covering enumeration, brute forcing, vulnerability detection, and even limited exploitation. Run scripts with --script:

$ nmap --script default target.com               # safe default scripts (same as -sC)
$ nmap --script vuln target.com                  # all vulnerability-detection scripts
$ nmap --script http-enum -p 80,443 target.com   # web app enumeration
$ nmap --script "smb-vuln-*" -p 445 target.com   # all SMB vulnerability checks (EternalBlue, etc.); quote the glob so the shell does not expand it
$ nmap --script ssl-enum-ciphers -p 443 target.com  # TLS configuration audit

Combine scripts with version detection for the most thorough results:

$ sudo nmap -sV --script vuln -p- target.com

NSE is excellent for catching low-hanging vulnerabilities, but it is not a substitute for a dedicated DAST or SAST tool on serious engagements. For deeper coverage, see our roundup of the best AI-powered vulnerability scanners.

Output Formats

Always save Nmap output for later parsing, reporting, and pipeline integration. Nmap can write several output formats, and -oA produces the three main ones at once:

$ nmap -oN scan.txt target.com    # normal human-readable output
$ nmap -oX scan.xml target.com    # XML — feeds into Metasploit, Burp, custom tooling
$ nmap -oG scan.gnmap target.com  # grepable — quick filtering with grep/awk
$ nmap -oA scan target.com        # all three formats at once

XML output is the format of choice for tooling integration: Metasploit can import it directly with db_import scan.xml, and most custom reporting pipelines parse it natively.

Real-World Use Cases

Penetration test reconnaissance: the first hour of nearly every engagement is a full -sS -p- -sV --script vuln sweep of the in-scope subnets, saved to XML for ingestion into Metasploit.

Network inventory and asset management: scheduled -sn ping sweeps catch unauthorized devices the moment they appear on a corporate subnet.

Vulnerability assessment: NSE vuln scripts catch unpatched MS17-010 (EternalBlue), SMBGhost, expired TLS certificates, and misconfigured database services in seconds.

Compliance audits: the ssl-enum-ciphers and http-security-headers scripts validate TLS and HTTP hardening for PCI DSS, HIPAA, and ISO 27001 reviews.

For situations where Nmap is not the best fit — for example, internet-scale scanning across millions of hosts — see our Nmap alternatives directory for purpose-built scanners like Masscan and Zmap.

How Do I Interpret Nmap Scan Results?

Nmap reports each port in one of several states. Open means a service is actively accepting connections — your most actionable finding. Closed means the port is reachable but no service is listening. Filtered means a firewall or packet filter is blocking the probe and Nmap could not determine the true state. The service column shows the detected service name (http, ssh, mysql). With -sV, you also get version numbers like Apache httpd 2.4.52. The OS-detection section (-O) shows the most likely operating system with a confidence percentage. Key things to look for: unexpected open ports that could indicate compromise, outdated service versions with known CVEs, and services running on non-standard ports (a common indicator of intentional or unintentional security-by-obscurity). Always cross-reference findings against CVE databases such as NIST NVD or MITRE before declaring a vulnerability.
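To make those review rules mechanical, here is an added Python example (not code from the tutorial) that triages parsed scan records against an expected-services baseline: it flags open ports missing from the baseline, open ports Nmap could not name, services sitting on a port other than their usual one, and filtered ports that need a firewall-policy check. The records, the baseline and the well-known-port table are all constructed for the demo, and the version inventory it produces is the list you would then look up against NIST NVD or MITRE.

```python
"""Triage parsed Nmap results against an expected-services baseline.

Added example, not code from the tutorial. Each record has the shape
{"host", "port", "proto", "state", "service", "product", "version"}; the
records, the baseline and the port table below are constructed assumptions
so the block runs on its own.
"""

# Hypothetical reference table: the usual port for a service name. A service
# whose name matches but which sits on a different port gets flagged.
EXPECTED_PORT = {
    "ssh": 22, "http": 80, "https": 443, "mysql": 3306, "ms-sql-s": 1433,
    "postgresql": 5432, "ms-wbt-server": 3389, "smtp": 25, "domain": 53,
}

# Constructed baseline from asset management: host -> approved (port, proto).
BASELINE = {
    "192.168.1.10": {(22, "tcp"), (80, "tcp"), (443, "tcp")},
    "192.168.1.20": {(22, "tcp")},
}

# Constructed scan records: four open ports and one filtered port.
SCAN = [
    {"host": "192.168.1.10", "port": 22, "proto": "tcp", "state": "open",
     "service": "ssh", "product": "OpenSSH", "version": "8.9p1"},
    {"host": "192.168.1.10", "port": 80, "proto": "tcp", "state": "open",
     "service": "http", "product": "nginx", "version": "1.24.0"},
    {"host": "192.168.1.10", "port": 445, "proto": "tcp", "state": "filtered",
     "service": "microsoft-ds", "product": "", "version": ""},
    {"host": "192.168.1.20", "port": 3307, "proto": "tcp", "state": "open",
     "service": "mysql", "product": "MySQL", "version": "5.7.33"},
    {"host": "192.168.1.20", "port": 4444, "proto": "tcp", "state": "open",
     "service": "", "product": "", "version": ""},
]


def triage(records, baseline, expected_port=EXPECTED_PORT):
    """Return (host, port, reason) tuples for everything a reviewer should look at."""
    findings = []
    for r in records:
        key = (r["port"], r["proto"])
        if r["state"] == "open":
            # Anything open that the inventory did not approve is a finding,
            # whether it is a forgotten service or a sign of compromise.
            if key not in baseline.get(r["host"], set()):
                findings.append((r["host"], r["port"], "open port not in baseline"))
            if not r["service"]:
                findings.append((r["host"], r["port"], "open port with unidentified service"))
            elif expected_port.get(r["service"]) not in (None, r["port"]):
                usual = expected_port[r["service"]]
                findings.append((r["host"], r["port"],
                                 f"{r['service']} on non-standard port (usually {usual})"))
        elif r["state"] == "filtered":
            # Nmap could not tell: confirm against the firewall policy rather than guessing.
            findings.append((r["host"], r["port"], "filtered: state unknown, check firewall policy"))
    return findings


def version_inventory(records):
    """Unique 'product version' strings from open ports, ready to cross-check against NVD."""
    return sorted({f"{r['product']} {r['version']}".strip()
                   for r in records if r["state"] == "open" and r["product"]})


if __name__ == "__main__":
    for host, port, reason in triage(SCAN, BASELINE):
        print(f"{host}:{port}  {reason}")
    print("versions to check:", version_inventory(SCAN))
```

Ports 22 and 80 on 192.168.1.10 produce nothing because they are both approved and on their usual ports; every other record yields at least one line. Keeping the baseline in version control alongside the scan output gives you a diff you can review over time instead of a one-off report.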

Using Nmap for Network Discovery

Network discovery identifies live hosts on a subnet without performing any port scanning, which is faster and stealthier than a full scan. Use a simple ping sweep across your local subnet:

$ nmap -sn 192.168.1.0/24                              # ping sweep a /24
$ nmap -sn -PE -PA21,23,80,3389 10.0.0.0/8             # ICMP echo + TCP ACK probes for large nets
$ nmap -sL 192.168.1.0/24                              # list scan: DNS resolution only, no packets sent
$ nmap -sn -PS443 target.com                           # stealthy TCP-SYN discovery on port 443
$ nmap -sn 192.168.1.0/24 --exclude 192.168.1.10       # skip a sensitive host
$ nmap -sn 192.168.1.0/24 -oG hosts.gnmap              # grep-friendly output for piping

Combining ICMP echo with TCP ACK probes (-PE -PA) maximizes host-discovery success across networks where ICMP is filtered. For more reference material on the underlying tool, see our full Nmap tool page.
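The grepable output of a ping sweep is easy to diff against an asset inventory, which is how the "unauthorized devices" use case above is automated in practice. This added Python example (not the tutorial's own code) parses constructed -sn -oG lines, lists the hosts that answered, and reports both hosts absent from a constructed inventory and inventoried hosts that did not reply.

```python
"""Extract live hosts from `nmap -sn -oG` output and diff them against inventory.

Added example, not code from the tutorial. SAMPLE_GNMAP is constructed in the
line format Nmap writes for a grepable ping sweep; INVENTORY is a constructed
stand-in for an asset-management export.
"""
import re

# Constructed grepable ping-sweep output (fields are tab-separated).
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated Mon Jan  1 09:00:00 2024 as: nmap -sn -oG hosts.gnmap 192.168.1.0/24
Host: 192.168.1.1 (router.lan)\tStatus: Up
Host: 192.168.1.10 (web01.lan)\tStatus: Up
Host: 192.168.1.20 ()\tStatus: Up
Host: 192.168.1.77 ()\tStatus: Up
Host: 192.168.1.30 ()\tStatus: Down
# Nmap done at Mon Jan  1 09:00:03 2024 -- 256 IP addresses (4 hosts up) scanned in 3.12 seconds
"""

# Constructed inventory: IP -> role as recorded by asset management.
INVENTORY = {
    "192.168.1.1": "core router",
    "192.168.1.10": "web01",
    "192.168.1.20": "db01",
    "192.168.1.40": "printer",
}

# Host lines look like: "Host: <ip> (<hostname or empty>)<tab>Status: Up"
HOST_LINE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s+Status:\s+(\w+)")


def live_hosts(gnmap_text):
    """Return {ip: hostname} for every host Nmap reported as Up."""
    hosts = {}
    for line in gnmap_text.splitlines():
        m = HOST_LINE.match(line)
        if m and m.group(3) == "Up":
            hosts[m.group(1)] = m.group(2)
    return hosts


def unknown_hosts(gnmap_text, inventory):
    """Live hosts the inventory does not know about: candidates for rogue devices."""
    return sorted(ip for ip in live_hosts(gnmap_text) if ip not in inventory)


def missing_hosts(gnmap_text, inventory):
    """Inventoried hosts that did not answer: down, moved, or filtering the probes."""
    up = live_hosts(gnmap_text)
    return sorted(ip for ip in inventory if ip not in up)


if __name__ == "__main__":
    print("unknown:", unknown_hosts(SAMPLE_GNMAP, INVENTORY))
    print("missing:", missing_hosts(SAMPLE_GNMAP, INVENTORY))
```

Run from cron against a fresh hosts.gnmap and alert on a non-empty "unknown" list; treat the "missing" list as a prompt to check whether a host is genuinely offline or has started dropping the discovery probes, in which case widen the probe set with -PE -PA as described above.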

Best Practices for Using Nmap Safely and Legally

Always obtain written authorization before scanning any network you do not own — verbal permission will not protect you in a legal dispute. On production systems, throttle aggressive scans with --max-rate 100 to avoid overwhelming legacy or fragile hardware. Log every scan with -oA for an audit trail. Never scan government, military, or financial networks without explicit written permission. In most jurisdictions, unauthorized port scanning can violate computer-misuse laws including the U.S. Computer Fraud and Abuse Act (CFAA) and the U.K. Computer Misuse Act 1990. For practice, scan your own home lab, use intentionally vulnerable VMs like Metasploitable, or train safely on legal platforms such as Hack The Box and TryHackMe. Document your scope, timing window, and authorization for every engagement.

Final Thoughts

Master the dozen flags above and you can handle 90% of real-world Nmap work. The remaining 10% — evasion, decoys, IPv6, distributed scanning — is well-documented in the official Nmap reference guide and best learned by running scans against your own lab network.

Want a personalized scanning and reconnaissance toolkit built for your specific environment? Try our free AI Stack Recommender — it builds a tailored set of network and vulnerability tools for your scenario in under 60 seconds.

Frequently Asked Questions

Is Nmap legal to use?

Nmap itself is completely legal — it is a standard piece of network administration software shipped in nearly every Linux distribution. What matters is the target. Scanning your own network, your employer's network with written authorization, or systems with explicit permission (such as scanme.nmap.org and HackTheBox/TryHackMe lab boxes) is fully legal everywhere. Scanning systems you do not own and do not have written authorization to test can violate the U.S. Computer Fraud and Abuse Act, the U.K. Computer Misuse Act, and equivalent laws worldwide. Always get written permission before scanning anything that is not yours.

What is the most common Nmap scan?

The most common single command in real engagements is sudo nmap -sS -sV -p- --min-rate 1000 -oA scan target: a stealthy SYN scan across all 65,535 TCP ports with version detection, sane parallelism, and output saved in all three formats. For quick day-to-day work, the simple default nmap target (top 1,000 TCP ports, no flags) remains the most-used command in absolute terms.

Can Nmap detect vulnerabilities?

Yes — through the Nmap Scripting Engine (NSE). The --script vuln category bundles roughly 150 detection scripts covering well-known CVEs like EternalBlue (MS17-010), Heartbleed, ShellShock, and POODLE, plus weak TLS configurations and default-credential checks. NSE is excellent for fast, low-noise vulnerability triage during reconnaissance, but it is not a replacement for purpose-built scanners like Nessus, OpenVAS, or Nuclei when you need broad CVE coverage and accurate remediation guidance.

Reviewed by: EthicalHacking.ai Editorial Team · Editorial Policy