Apr 13, 2026

Nmap basics: host discovery, port scanning, and service fingerprinting

Nmap (Network Mapper) sends crafted IP packets to discover live hosts, open TCP/UDP ports, and software versions—core skills for inventory, firewall validation, and authorized security testing.

What Nmap does at the IP layer

Nmap (Network Mapper) is open-source software for network discovery and security auditing. Given an IP address or prefix, it probes transport ports and collects responses that reveal which services appear to be listening, how filters behave, and (with optional probes) likely operating systems. It does not read arbitrary user files; it infers remote behavior from protocol replies—information that is also visible to other hosts on the same path when packets are exposed to local observers.

Nmap is widely used by administrators for authorized asset inventory, change validation, and incident triage. Because the same techniques can probe systems you do not own, policy and law vary by jurisdiction and contract; treat unsolicited scanning of third-party networks as out of scope unless you have explicit written permission. For broader discovery patterns, see scanning a network for IPs and reducing exposure to inbound scans.

TL;DR: Quick Summary

  • Role: Network Discovery, Port Scanning, and Security Auditing.
  • Method: Sends probe packets and classifies hosts and ports from the replies (or the lack of them); OS detection compares reply details against known TCP/IP fingerprints.
  • Ports: Any of the 65,535 TCP or UDP ports can be scanned to find listening services ('open doors'); by default Nmap probes a list of the most common ports, and -p- covers all of them.
  • SYN scan: On supported platforms, -sS sends raw half-open probes that may produce less application-visible noise than a full connect scan (logging still depends on the target stack and sensors).
  • OS detection: Optional TCP/IP and ICMP probes compared to an internal fingerprint database (accuracy varies by target and filters).
  • Engine: Includes the Nmap Scripting Engine (NSE), which runs Lua scripts against discovered services, including checks for known vulnerabilities and misconfigurations.
  • Visuals: Has a graphical version called 'Zenmap' for those who hate the command line.

The Top 4 Nmap Scan Types

TCP header semantics for scans (RFC 793)

A SYN scan sends TCP segments with SYN set and ACK clear, eliciting SYN-ACK (open) or RST (closed) without completing the handshake. Filtered results often mean no reply or ICMP administratively prohibited. Understanding sequence numbers and reset generation helps interpret IDS alerts and differentiate retransmissions from scan patterns.

Common scan modes differ in privilege requirements, completion of the TCP handshake, and how firewalls respond:

1. TCP SYN scan (-sS)

On Unix-like systems with raw sockets, half-open SYN probes can classify ports without completing the handshake. Many modern environments still log or alert on this traffic via host agents, IDS, or cloud flow logs—do not equate SYN scanning with invisibility. Use -sS on networks you are permitted to test. For hardening context, read IoT and server exposure best practices.
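The header-semantics section above notes that understanding reset generation and retransmissions helps tell scan patterns apart from ordinary traffic, and this section stresses that SYN scans still show up in firewall and flow logs. The following is an added example written for this article, not code from the Nmap project: it reads firewall LOG lines (constructed here in iptables LOG style, not captured from a real network) and reports source addresses whose SYN-only probes reached many distinct host:port targets. The function name syn_scan_sources and the threshold of 5 are assumptions chosen for the demonstration.

```bash
#!/usr/bin/env bash
# Added example: flag sources whose SYN probes spread across many distinct
# (destination host, destination port) targets, using firewall LOG lines.
# The log lines below are constructed in iptables LOG style for this example
# and are not from a real network.

sample_log() {
  cat <<'EOF'
Apr 13 10:00:01 gw kernel: FW-IN: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=44 TTL=48 PROTO=TCP SPT=41000 DPT=21 WINDOW=1024 RES=0x00 SYN URGP=0
Apr 13 10:00:01 gw kernel: FW-IN: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=44 TTL=48 PROTO=TCP SPT=41000 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Apr 13 10:00:01 gw kernel: FW-IN: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=44 TTL=48 PROTO=TCP SPT=41000 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Apr 13 10:00:01 gw kernel: FW-IN: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=44 TTL=48 PROTO=TCP SPT=41000 DPT=25 WINDOW=1024 RES=0x00 SYN URGP=0
Apr 13 10:00:01 gw kernel: FW-IN: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=44 TTL=48 PROTO=TCP SPT=41000 DPT=80 WINDOW=1024 RES=0x00 SYN URGP=0
Apr 13 10:00:01 gw kernel: FW-IN: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=44 TTL=48 PROTO=TCP SPT=41000 DPT=110 WINDOW=1024 RES=0x00 SYN URGP=0
Apr 13 10:00:01 gw kernel: FW-IN: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=44 TTL=48 PROTO=TCP SPT=41000 DPT=443 WINDOW=1024 RES=0x00 SYN URGP=0
Apr 13 10:00:01 gw kernel: FW-IN: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=44 TTL=48 PROTO=TCP SPT=41000 DPT=445 WINDOW=1024 RES=0x00 SYN URGP=0
Apr 13 10:00:02 gw kernel: FW-IN: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=44 TTL=48 PROTO=TCP SPT=41000 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Apr 13 10:00:03 gw kernel: FW-IN: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TTL=57 PROTO=TCP SPT=52214 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Apr 13 10:00:04 gw kernel: FW-IN: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TTL=57 PROTO=TCP SPT=52214 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Apr 13 10:00:06 gw kernel: FW-IN: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TTL=57 PROTO=TCP SPT=52214 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Apr 13 10:00:06 gw kernel: FW-OUT: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 LEN=60 TTL=64 PROTO=TCP SPT=443 DPT=52214 WINDOW=65160 RES=0x00 ACK SYN URGP=0
Apr 13 10:00:07 gw kernel: FW-IN: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 LEN=60 TTL=55 PROTO=TCP SPT=40001 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0
Apr 13 10:00:07 gw kernel: FW-IN: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 LEN=60 TTL=55 PROTO=TCP SPT=40002 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Apr 13 10:00:08 gw kernel: FW-IN: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 LEN=61 TTL=55 PROTO=UDP SPT=40003 DPT=53 LEN=41
EOF
}

# syn_scan_sources THRESHOLD
# Reads log lines on stdin and keeps only TCP segments with SYN set and ACK
# clear (the first packet of a handshake, which is what -sS emits). Repeated
# probes to the same host:port, i.e. retransmissions, count once, so a client
# retrying one service does not look like a scan. Prints "SRC COUNT" for each
# source whose number of distinct targets reaches THRESHOLD, sorted.
syn_scan_sources() {
  awk '
    /PROTO=TCP/ && / SYN / && !/ ACK / {
      src = ""; dst = ""; dpt = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^SRC=/) src = substr($i, 5)
        else if ($i ~ /^DST=/) dst = substr($i, 5)
        else if ($i ~ /^DPT=/) dpt = substr($i, 5)
      }
      if (src != "" && dst != "" && dpt != "")
        seen[src SUBSEP dst SUBSEP dpt] = 1
    }
    END {
      for (k in seen) { split(k, parts, SUBSEP); targets[parts[1]]++ }
      for (s in targets) if (targets[s] >= thr) print s, targets[s]
    }
  ' thr="$1" | sort
}

# Demo: a threshold of 5 distinct targets is an assumed tuning value.
sample_log | syn_scan_sources 5
```

On the constructed sample the demo prints only 203.0.113.5 with 8 targets: the client at 198.51.100.7 retried port 443 three times but touched one target, the SYN-ACK reply from the server is excluded because ACK is set, and the UDP query is ignored. The threshold is a starting point; on a real gateway, tune it against normal traffic and a time window before alerting on it.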

2. TCP connect scan (-sT)

Completes a normal TCP connection via the OS socket API. It needs no raw-socket privileges, unlike SYN scanning, but typically leaves clear server-side connection logs, which is useful when validating what a real client would experience.

3. UDP scan (-sU)

UDP has no connection setup; many services respond only to a well-formed probe or remain silent when filtered. UDP scans are slower and more ambiguous than TCP scans, but they remain important for DNS, RTP, and many gaming or telemetry ports.

4. Aggressive bundle (-A)

Combines OS detection, version detection, default script scanning, and traceroute. Service banners and stack quirks are high-signal data for patch prioritization—and also for anyone else who can reach the port. Treat aggressive scans as high-impact and run them only with scope approval. See limiting what scanners learn from your public footprint.

Comparison table: scan flags, network impact, and speed

Command Flag          Network Impact        Speed      Best Use Case
-sn / older -sP       Very Low              Very Fast  Discover which hosts are online
-sS (SYN scan)        Moderate              Fast       General TCP port discovery and security audits
-sU (UDP scan)        Moderate to High      Slow       Finding UDP services like DNS, SNMP, SIP, DHCP
-A (aggressive scan)  High                  Slow       OS detection, version detection, traceroute, NSE scripts
-p- (all ports)       Depends on scan type  Slow       Finding services on non-standard ports

Nmap Scripting Engine (NSE)

The Nmap Scripting Engine (NSE) runs Lua modules against discovered services—for example default-credential checks, TLS configuration probes, and CVE-oriented tests when scripts exist. Running nmap --script vuln [target] can be intrusive; scope, rate limits, and rollback plans belong in a formal test plan. Pair script output with normal patch management rather than treating a green scan as a guarantee of safety.

Common Mistakes and Practical Issues

  • Scanning too fast: If you use -T5 (Insane speed), you might crash a cheap router or trigger a 'Block' on your IP from an ISP who thinks you are attacking them. Tip: Always use -T3 or -T4 for a balance of speed and safety.
  • Scanning without authorization: Even low-intensity probes can trigger abuse desk tickets, automated blocks, or legal exposure depending on jurisdiction and target policies. Document written scope before scanning anything outside your lab.
  • Interpreting filtered: A filtered state means Nmap cannot distinguish open from closed because a filter dropped or altered probes; it is not proof the port is secure. ICMP host discovery can also be blocked; -Pn skips ping discovery and treats every address as up, which only helps when you already understand the blast radius of probing the whole range.

How to Perform Your First Scan (Step-by-Step)

  1. Install it: Download it for free at nmap.org.
  2. Start Simple: Type nmap -sn 192.168.1.0/24. This will 'Ping' everything in your house to see who is awake.
  3. Scan a Target: Type nmap scanme.nmap.org. This is a special server set up by the creators for you to practice on safely.
  4. Get Versions: Try nmap -sV scanme.nmap.org to see the versions of software it is running.
  5. Save the map: Use -oN results.txt to save your findings to a file so you can analyze them later.

Operational takeaway

Nmap turns IP reachability questions into structured evidence: which addresses respond, which ports accept connections, and what software banners suggest. That evidence is foundational for firewall reviews, cloud security groups, and attack-surface reduction—when gathered under clear authorization. After tightening listener exposure, validate what the Internet still sees from your address using your public IP context alongside internal scans.

Frequently Asked Questions

Q. What is Nmap used for?

Nmap (Network Mapper) is used for network discovery and security auditing. It allows users to scan an IP address or a range of IPs to find which devices are online, what ports they have open, what services (like websites or databases) are running, and even what operating system they are using.

Q. Is port scanning with Nmap legal?

Scanning your own network or a network you have permission to test is 100% legal. Scanning third-party networks without permission is generally considered antisocial and may violate the 'Terms of Service' of your ISP, lead to your IP being blacklisted, or in some extreme cases, be interpreted as a precursor to a cyberattack.

Q. What is a 'SYN Scan' (-sS) in Nmap?

A SYN scan (sometimes called a stealth scan) is the most popular Nmap scan. It sends a SYN packet to a port but never completes the connection (the 'three-way handshake'). This is faster and, because no connection is established, less likely to appear in application-level server logs than a full connect scan; IDS sensors and flow logs can still record it.

Q. Can Nmap detect the operating system of a target?

Yes. By using the '-O' flag, Nmap sends a series of TCP, UDP, and ICMP packets to the remote host and examines practically every bit in the responses. It then compares these 'fingerprints' to a database of thousands of known OS signatures to make a highly accurate guess.

Q. What is 'Zenmap'?

Zenmap is the official multi-platform graphical user interface (GUI) for Nmap. It provides a visual representation of network maps, searchable scan results, and easy-to-use profiles for beginners who may not be comfortable with the command-line interface.

Q. How do I save my Nmap scan results?

You can use the '-oN' flag followed by a filename to save results in a human-readable text format. Use '-oX' for XML (good for importing into other tools) or '-oG' for 'Greppable' output (easy to search with command-line tools like grep).
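The 'Save the map' step in the walkthrough and the answer above both end with results on disk; the operational takeaway is that those results become evidence for firewall reviews. The following is an added example written for this article, not code from the Nmap project: it parses grepable (-oG) output and compares every port reported open against an expected-exposure baseline, so a review can show exactly which listeners are new and which expected ones no longer answer. The scan text and the baseline are constructed for the example, not real results, and the function names open_ports and check_baseline are assumptions.

```bash
#!/usr/bin/env bash
# Added example: parse Nmap grepable (-oG) output and compare the open ports
# it reports against an expected-exposure baseline. The scan output and the
# baseline below are constructed for this example, not real scan results.

sample_scan() {
  # Real -oG output separates the Host/Ports/Ignored fields with tabs; the
  # parser below accepts tabs or spaces, so this sample works either way.
  cat <<'EOF'
# Nmap scan initiated (constructed sample) as: nmap -sS -sV -oG results.gnmap 192.0.2.8/29
Host: 192.0.2.10 ()  Status: Up
Host: 192.0.2.10 ()  Ports: 22/open/tcp//ssh//OpenSSH 9.2p1/, 80/open/tcp//http//nginx 1.24.0/, 443/open/tcp//https//nginx 1.24.0/, 3306/open/tcp//mysql//MySQL 8.0.36/  Ignored State: closed (996)
Host: 192.0.2.11 ()  Status: Up
Host: 192.0.2.11 ()  Ports: 22/open/tcp//ssh//OpenSSH 9.2p1/, 8080/filtered/tcp//http-proxy///  Ignored State: closed (998)
# Nmap done (constructed sample) -- 2 IP addresses (2 hosts up) scanned
EOF
}

# Expected exposure, one "host proto/port" per line (constructed baseline).
sample_baseline() {
  cat <<'EOF'
192.0.2.10 tcp/22
192.0.2.10 tcp/80
192.0.2.10 tcp/443
192.0.2.11 tcp/22
192.0.2.11 tcp/8080
EOF
}

# open_ports: reads -oG text on stdin and prints "host proto/port service version"
# for every port in state "open". Each entry after "Ports:" has the layout
# port/state/proto/owner/service/rpcinfo/version/ and is split on "/".
open_ports() {
  awk '
    /^Host: / && /Ports: / {
      host = $2
      line = $0
      sub(/.*Ports: /, "", line)
      sub(/[ \t]*Ignored State:.*/, "", line)
      n = split(line, entries, /, */)
      for (i = 1; i <= n; i++) {
        split(entries[i], f, "/")
        if (f[2] == "open")
          print host, f[3] "/" f[1], (f[5] == "" ? "-" : f[5]), (f[7] == "" ? "-" : f[7])
      }
    }'
}

# check_baseline BASELINE_TEXT: scan text on stdin. Reports ports open in the
# scan but absent from the baseline (UNEXPECTED) and baseline entries the scan
# did not find open (MISSING), which also catches ports that came back
# filtered or closed since the baseline was written.
check_baseline() {
  open_ports | awk -v baseline="$1" '
    BEGIN {
      n = split(baseline, lines, "\n")
      for (i = 1; i <= n; i++) if (lines[i] != "") expected[lines[i]] = 1
    }
    {
      key = $1 " " $2
      observed[key] = 1
      if (!(key in expected)) print "UNEXPECTED", key, $3
    }
    END { for (k in expected) if (!(k in observed)) print "MISSING", k }
  ' | sort
}

# Demo run over the constructed sample.
sample_scan | check_baseline "$(sample_baseline)"
```

Against the constructed sample the demo reports the MySQL listener on 192.0.2.10 as UNEXPECTED and tcp/8080 on 192.0.2.11 as MISSING, because the scan saw it as filtered rather than open. A MISSING entry is worth a second look rather than a quiet baseline edit: it may mean an intended service is down, or that a filter now sits between the scanner and the host.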

Q. What does a 'Filtered' port mean in Nmap results?

A 'Filtered' status means that Nmap cannot determine if the port is open or closed because a firewall, filter, or other network obstacle is blocking its packets from reaching the port or its responses from getting back.

Q. Can Nmap find vulnerabilities in my server?

By using the Nmap Scripting Engine (NSE) with the '--script' flag, you can run hundreds of security scripts that check for common vulnerabilities, misconfigurations, and default passwords on various network services.

Q. What is a 'Ping Sweep' in Nmap?

A ping sweep (using the '-sn' or '-sP' flag) is a fast way to discover which hosts are alive on a network without performing a full port scan. It sends ICMP Echo requests and other probes to see which IP addresses respond.

Q. Is it possible to use Nmap for free?

Yes. Nmap is free, open-source software released under the GPL license. You can download and use it for any purpose on Windows, Linux, macOS, and many other operating systems without any cost.