Back to tools

What is Nmap?

Nmap (Network Mapper) is an open-source tool for port scanning and host discovery on a network. It is widely used by system administrators and security professionals.

  • -sS (SYN Scan): Fast and stealthy, requires root
  • -sT (TCP Connect): Complete, no root required
  • -sU (UDP Scan): Scans UDP ports
  • -sV (Service Version): Detects service versions
  • -O (OS Detection): Detects operating system
  • --script: Runs NSE scripts for vulnerability detection

Frequently Asked Questions

How to scan open ports on an IP address with nmap?

To scan open ports use `nmap -sS -F 192.168.1.1`. `-sS` performs a SYN scan (half-open TCP handshake, fast and stealthy, requires root). `-F` (fast) scans the top 100 ports instead of the default 1000. For thorough scanning use `-sS -p-` to scan all 65535 ports (slow but complete). Add `-T4` for aggressive timing, `-sV` for service version detection and `-O` for OS detection. Combine these with `-A` for a comprehensive aggressive scan.

How to detect operating system and service versions with nmap?

Use `nmap -sS -sV -O -T4 192.168.1.1`. `-sV` enables service version detection by analyzing banners and running probes to identify software like Apache 2.4.41, OpenSSH 8.9p1 or MySQL 8.0. `-O` performs OS detection based on TCP/IP fingerprinting, distinguishing between Linux, Windows, macOS or Cisco routers. For maximum accuracy add `--osscan-guess`. The `-A` flag combines `-sV -O -sC --traceroute` for comprehensive analysis in a single command.

Nmap scan types: SYN, TCP Connect, UDP and NULL which one to use?

Each nmap scan type serves different purposes. SYN scan (`-sS`) is fast, stealthy and the most commonly used but requires root privileges. TCP Connect (`-sT`) completes the full handshake, does not require root but is noisier in logs. UDP scan (`-sU`) is slow but necessary for ports like DNS (53), SNMP (161) or DHCP (67/68). NULL (`-sN`), FIN (`-sF`) and Xmas (`-sX`) are stealth scans that may bypass simple SYN filters but do not work against Windows.

What are NSE scripts in nmap and how to use them for vulnerability detection?

NSE (Nmap Scripting Engine) extends nmap with scripts for vulnerability detection, enumeration and auditing. Run `nmap -sV --script vuln 192.168.1.1` to execute all vulnerability detection scripts against a target. Available categories: `vuln` (vulnerabilities), `discovery` (service discovery), `auth` (authentication testing), `brute` (brute force), `safe` (non-intrusive), `default` (standard). Specific scripts: `--script http-enum` enumerates web directories, `--script smb-enum-shares` lists SMB shared resources.

Explore detailed information for thousands of TCP/UDP ports with nmap commands, firewall rules and security risks in our port guide.