Nmap - Network Mapper

October 6, 2025 · 4 min read · tools

network recon

What is Nmap?

Nmap (Network Mapper) is an open-source tool that Gordon Lyon (Fyodor) has developed since 1997 for network discovery and port scanning. The tool sends crafted raw IP packets to target hosts and analyzes the responses to determine which hosts are alive, which ports are open, which services listen on them and which versions they run. In almost every pentest this is the first step: before we can test anything, we need to know what is reachable.

What do we use Nmap for?

In a corporate network pentest, Nmap is the tool we begin with. We scan the agreed IP range to find active hosts and then run a full port scan on each host to see which services run. Based on that we decide where the next steps lie: web applications get Burp Suite and manual testing, vulnerable services go into Nuclei or Metasploit, and an AD pentest often starts from a discovered domain controller.

We also use Nmap for targeted checks: verifying whether a port is actually closed after a change, or narrowing the view to a bounded subset of services before a deeper test begins.

Installation

On Kali, Debian and Ubuntu, Nmap is in the standard repositories:

sudo apt install nmap

For macOS through Homebrew: brew install nmap. On Windows you download the installer from nmap.org/download. The GUI variant is called Zenmap.

Basic usage

Our standard scan combines SYN scanning (Nmap's default scan type when it runs as root; unprivileged it falls back to a TCP connect scan), service detection, default scripts and the full port range, and saves the result in all formats for later analysis:

# Standard TCP scan in every pentest
nmap -sC -sV -Pn -p- -oA target-tcp target.example.com

# Separate UDP scan (combining is needlessly slow)
sudo nmap -sU --top-ports 100 -oA target-udp target.example.com

What the flags do:

  • -sC runs the default NSE scripts (banner info and basic enumeration, no exploits)
  • -sV pulls service and version info from banner probing
  • -Pn skips host discovery, which would otherwise drop hosts that do not answer ping
  • -p- scans all 65535 TCP ports instead of just the top 1000
  • -oA target-tcp writes target-tcp.nmap, .xml and .gnmap for parsing and reporting
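The .xml file that -oA writes is the one we actually parse. The following is an added example, not code from the original post or from the Nmap project: it reads a constructed nmap XML document (the element names follow Nmap's real XML output, but the hosts, ports and banners are made up), lists the open ports with their service banners, and diffs two scans of the same host to answer the "is that port really closed now?" question from the targeted-check use case above.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed sample of the .xml file that -oA writes; not a real scan result.
# Element layout follows nmap's XML output (nmaprun > host > ports > port).
SCAN_BEFORE = """<nmaprun scanner="nmap" args="nmap -sC -sV -Pn -p- -oA target-tcp target.example.com">
<host><status state="up" reason="user-set"/>
<address addr="10.0.0.5" addrtype="ipv4"/>
<hostnames><hostname name="target.example.com" type="user"/></hostnames>
<ports>
<extraports state="filtered" count="65532"/>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
  <service name="ssh" product="OpenSSH" version="8.9p1"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
  <service name="http" product="nginx" version="1.18.0"/></port>
<port protocol="tcp" portid="445"><state state="open" reason="syn-ack"/>
  <service name="microsoft-ds"/></port>
</ports></host>
<host><status state="down" reason="no-response"/>
<address addr="10.0.0.6" addrtype="ipv4"/></host>
</nmaprun>"""

# Constructed rescan of the same host after a firewall change: 445 closed, rest unchanged.
SCAN_AFTER = SCAN_BEFORE.replace(
    '<port protocol="tcp" portid="445"><state state="open" reason="syn-ack"/>',
    '<port protocol="tcp" portid="445"><state state="closed" reason="reset"/>')


@dataclass(frozen=True)
class OpenPort:
    host: str
    proto: str
    port: int
    service: str
    product: str
    version: str


def parse_open_ports(xml_text):
    """Return the open ports of every host marked 'up' in an nmap XML document."""
    root = ET.fromstring(xml_text)
    found = []
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # with -Pn every host is 'up' by assumption; anything else is skipped
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            addr = host.find("address")
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed and filtered ports are noise for the next step
            svc = port.find("service")
            get = (lambda k: svc.get(k, "")) if svc is not None else (lambda k: "")
            found.append(OpenPort(addr.get("addr"), port.get("protocol"),
                                  int(port.get("portid")), get("name"),
                                  get("product"), get("version")))
    return found


def diff_scans(before_xml, after_xml):
    """Compare two -oA XML files: (host, proto, port) tuples that opened, and that closed."""
    key = lambda p: (p.host, p.proto, p.port)
    before = {key(p) for p in parse_open_ports(before_xml)}
    after = {key(p) for p in parse_open_ports(after_xml)}
    return sorted(after - before), sorted(before - after)


def report(xml_text):
    """One line per open port, in the shape we paste into a findings table."""
    lines = []
    for p in parse_open_ports(xml_text):
        banner = " ".join(x for x in (p.product, p.version) if x)
        lines.append(f"{p.host}:{p.port}/{p.proto} {p.service} {banner}".rstrip())
    return lines


if __name__ == "__main__":
    print("\n".join(report(SCAN_BEFORE)))
    opened, closed = diff_scans(SCAN_BEFORE, SCAN_AFTER)
    print("newly open:", opened, "newly closed:", closed)
```

For a real engagement, replace the two string constants with the contents of target-tcp.xml from before and after the change; the diff only looks at open ports, so a port that moved from open to filtered counts as closed, which is usually what the change was meant to achieve.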

Important flags

| Flag | Purpose | Example |
|------|---------|---------|
| -sC | Default NSE scripts (safe, informative) | nmap -sC target |
| -sV | Service and version detection | nmap -sV target |
| -sU | UDP scan (requires root) | sudo nmap -sU target |
| -Pn | Skip host discovery | nmap -Pn target |
| -sn | Host discovery only, no port scan | nmap -sn 10.0.0.0/24 |
| -p- | All 65535 TCP ports | nmap -p- target |
| -p | Specific ports or ranges | nmap -p 22,80,443 target |
| --top-ports | Top N most common ports | nmap --top-ports 100 target |
| --min-rate | Minimum packets per second | nmap --min-rate 1000 target |
| -oA | Output in all formats (.nmap / .xml / .gnmap) | nmap -oA scan target |
| -T0 to -T5 | Timing template (0 slowest, 5 fastest) | nmap -T4 target |
| --script | Run specific NSE script(s) | nmap --script=smb-vuln-ms17-010 target |

Practical examples

Ping sweep of a subnet. Before we look deeper, we first check which hosts are active within the agreed range. -sn does host discovery only without scanning the ports, which makes it fast and quiet.

nmap -sn 10.0.0.0/24 -oA hosts-up

Targeted vulnerability check through NSE. When we want to know whether a specific issue is present on the system, for example the well-known MS17-010 EternalBlue path, we run the matching NSE script directly instead of a full generic scan.

nmap -p 445 --script=smb-vuln-ms17-010 10.0.0.5

UDP top 100 on an internal range. UDP services often stay open unintentionally (SNMP, NetBIOS-NS, mDNS, NTP). A full UDP scan over all 65535 ports takes days, but the top 100 catches by far the most in practice.

sudo nmap -sU --top-ports 100 -Pn -oA udp-internal 10.0.0.0/24

Detection and defense

An Nmap scan is just TCP or UDP traffic toward every port in the range, not an active exploit. But the volume stands out: a SYN scan of a /24 with -p- is roughly 254 hosts times 65535 ports, millions of packets in a short time. An IDS, IPS or EDR with network detection picks this up without trouble.

For the blue-team perspective:

  • Suricata and Zeek have ready-made rules for port-scan behavior (rapidly rising dest-IP or dest-port counts from one source IP). A SIEM with netflow data shows that clearly.
  • Blocking it entirely is hard without also hitting legitimate admin work. In practice blue teams act on the alert instead of dropping the traffic.
  • An attacker who does not want to stand out uses -T0 (extremely slow, several minutes between packets), -f (fragmentation), or decoy scans (-D). In our pentests we only factor that in when detection resistance is explicitly in scope.
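What those Suricata, Zeek or SIEM rules boil down to is a per-source counter over a time window. The following is an added example, not code from the original post or from any of those products: it runs that logic over constructed netflow-style records (timestamp, source, destination, destination port; no real captures) and also shows the failure mode from the last bullet, a -T0-paced probe that stays under a 60-second window threshold and is only caught by a second counter that looks across the whole day.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def make_sample_flows():
    """Constructed flow records as (timestamp, src_ip, dst_ip, dst_port); not real traffic."""
    base = datetime(2025, 10, 6, 9, 0, 0)
    flows = []
    # Fast -p- style probe: one source touches 80 ports on one host within four seconds.
    for i in range(80):
        flows.append((base + timedelta(milliseconds=50 * i), "10.0.0.50", "10.0.0.5", 1 + i))
    # Legitimate admin work: three services on one host spread over ten minutes.
    for i, port in enumerate((22, 443, 3389)):
        flows.append((base + timedelta(minutes=3 * i), "10.0.0.2", "10.0.0.5", port))
    # Slow -T0 style probe: one new port every five minutes, 30 ports over 2.5 hours.
    for i in range(30):
        flows.append((base + timedelta(minutes=5 * i), "10.0.0.99", "10.0.0.5", 1000 + i))
    return sorted(flows)


def detect_port_scans(flows, window_seconds=60, threshold=20):
    """Sliding-window rule: alert on a source whose count of distinct (dst_ip, dst_port)
    targets within the last window_seconds reaches threshold. Returns {src: details}."""
    recent = defaultdict(deque)  # src -> deque of (timestamp, (dst_ip, dst_port))
    alerts = {}
    for ts, src, dst, port in sorted(flows):
        events = recent[src]
        events.append((ts, (dst, port)))
        cutoff = ts - timedelta(seconds=window_seconds)
        while events and events[0][0] < cutoff:
            events.popleft()  # expire events that fell out of the window
        distinct = {target for _, target in events}
        if len(distinct) >= threshold and src not in alerts:
            alerts[src] = {"first_alert": ts, "distinct_targets": len(distinct)}
    return alerts


def detect_slow_scans(flows, threshold=20):
    """Long-horizon rule for -T0 style probes: distinct targets per source over the whole
    dataset (assumed here to be one day of flows), regardless of how spread out they are."""
    targets = defaultdict(set)
    for _, src, dst, port in flows:
        targets[src].add((dst, port))
    return {src: len(t) for src, t in targets.items() if len(t) >= threshold}


if __name__ == "__main__":
    flows = make_sample_flows()
    print("windowed rule:", detect_port_scans(flows))   # catches 10.0.0.50 only
    print("daily rule:", detect_slow_scans(flows))      # catches 10.0.0.50 and 10.0.0.99
```

The windowed rule fires on the fast scanner at its 20th probe and stays quiet for both the admin and the slow prober; the daily counter is what surfaces the slow prober, at the cost of a much later alert. Tune threshold and window against your own netflow baseline, since monitoring and inventory tools legitimately touch many ports on many hosts.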

Only run an Nmap scan on systems for which you have explicit permission. A scan can disrupt services, generate alerts, and without an agreed scope it is legally unauthorized access.
