The Swiss Army Knife of Network Auditing
Nmap (Network Mapper) is an open-source tool used for network discovery and vulnerability scanning. It sends specially crafted packets to a target host and analyzes the responses to understand what is happening on that network.
Security professionals and ethical hackers use Nmap to discover active devices, identify open ports, and map out network topology.
How Nmap Works
At its core, Nmap operates by probing a target and listening for replies. It uses the responses to determine:
- Host Detection: Is the machine alive or dead?
- Port Scanning: Which ports are open, closed, or filtered by a firewall?
- Service/Version Detection: What application is listening on that port (e.g., Apache 2.4.41)?
- OS Detection: What operating system is the target running?
Essential Nmap Scans & Commands
Here are the most common scanning techniques used in the field:
| Scan Type | Command | Description | Pros/Cons |
|---|---|---|---|
| Ping Scan | nmap -sn | Discovers live hosts without scanning ports. | Fast, but misses hidden hosts behind firewalls. |
| SYN Scan (Stealth) | nmap -sS | Default scan. Half-opens a TCP connection (never completes the 3-way handshake). | Fast and relatively quiet, but requires root privileges. |
| TCP Connect Scan | nmap -sT | Completes the 3-way handshake. Used when root access isn’t available. | Easily logged by firewalls and target systems. |
| UDP Scan | nmap -sU | Scans for UDP services (like DNS, DHCP, SNMP). | Crucial for full audits, but notoriously slow. |
| Service & OS Detection | nmap -sV -O | Grabs banners to identify the exact service version and OS. | Highly informative, but highly intrusive. |
| Aggressive Scan | nmap -A | Combines OS detection, service versioning, script scanning, and traceroute. | Loud and aggressive, but gives you a complete picture quickly. |
Understanding Port States
When Nmap finishes a scan, it will label ports with one of these key states:
- Open: An application is actively accepting connections on this port. This is a potential entry point for an attacker.
- Closed: The port is accessible, but no application is listening on it.
- Filtered: Nmap cannot determine if the port is open or closed because a firewall or network filter is blocking the probes.
The Nmap Scripting Engine (NSE)
Nmap isn’t just for finding ports—it can also exploit them. The Nmap Scripting Engine (NSE) allows users to write and share scripts to automate network tasks.
NSE scripts are categorized into groups like:
- safe: Won’t crash the target.
- discovery: Retrieves more deep network info.
- vuln: Checks for specific known vulnerabilities.
- exploit: Attempts to actively exploit a vulnerability.
Example: Running nmap –script vulnwill automatically check the target against a database of known vulnerabilities.
What specific aspect of Nmap are you looking to explore further—are you trying to secure a personal network, preparing for a certification, or troubleshooting a specific command?




