Nmap Tutorial
Beginner · ⏱ 20 min read · Network Security & Monitoring
Scan any network like a pro with Nmap.
Nmap (Network Mapper) is the world's most popular network scanner used by security professionals and sysadmins to discover hosts, open ports, and vulnerabilities.
Prerequisites
- Linux/macOS/Windows terminal access
- A test network or lab
- Basic TCP/IP knowledge
Installation
Nmap is pre-installed on Kali Linux. For other systems install from nmap.org.
Basic Scan Types
SYN scan (-sS) sends only the initial SYN and never completes the handshake, which makes it fast and stealthy (the application never sees a connection) but requires raw-socket privileges. TCP connect (-sT) completes the full three-way handshake and works without elevated privileges. UDP scan (-sU) finds UDP services.
Ping Sweep
Discover live hosts without port scanning using -sn.
Service Version Detection
Add -sV to identify service versions on open ports.
Port Specifications
Control which ports Nmap scans with -p. Scan specific ports, ranges, or all 65535.
OS Detection
Use -O for OS detection and -A for aggressive mode (OS + versions + scripts + traceroute).
NSE Scripts
600+ scripts for vulnerability detection, brute forcing, and information gathering. Use -sC for defaults or --script=vuln.
Useful Script Categories
auth, brute, discovery, exploit, vuln, safe, intrusive.
Output Formats
Save results as Normal (-oN), XML (-oX), Grepable (-oG), or All (-oA).
Timing & Performance
Control speed with the timing templates -T0 (paranoid) through -T5 (insane). Use --min-rate to set a floor on packets sent per second, so the scan never drops below that rate regardless of the template.
Evasion Techniques
Bypass firewalls with fragmentation (-f), decoys (-D RND:10), and source port spoofing (--source-port 53).
Frequently Asked Questions
Is Nmap legal?
Scanning your own networks is legal. Scanning others without permission is illegal. Always get written authorization.
Nmap vs Nessus?
Nmap finds open ports and services. Nessus identifies known CVEs. They complement each other.
How long is a full port scan?
Full 65535-port SYN scan takes 2-15 minutes per host depending on speed and timing.