Skip to content
>_devvkit
$devvkit learn --librarie nmap-guide

Nmap Guide

[networking][security][scanning][enumeration]
Network Diagnostics
Install
sudo apt install nmap
brew install nmap
# Windows: nmap.org/download.html
# GUI: Zenmap (included with Windows installer)

Nmap sends crafted packets and analyzes responses to determine which hosts are alive, what ports are open, and what services are running. The NSE (Nmap Scripting Engine) extends this with vulnerability checks, service enumeration, and brute-force modules.

Master these scan types: `-sS` (SYN stealth scan — default as root), `-sT` (TCP connect — no root needed), `-sU` (UDP scan — slow, pair with `--top-ports`), `-sn` (ping sweep — find live hosts). Always use `-sV` for service version detection.

NSE scripts are located in `/usr/share/nmap/scripts/`. Run `--script vuln` for a quick vulnerability assessment. Use `-oA output` to save all formats (normal, XML, grepable). GUI: Zenmap for visual topology maps and saved profiles.

Host Discovery

Ping sweepFind live hosts on subnet.
nmap -sn 192.168.1.0/24           # Fast: ICMP + TCP 443 + TCP 80
nmap -sn 10.0.0.0/24 --exclude 10.0.0.1
sudo nmap -sL 192.168.1.0/24      # List scan — no packets, just DNS resolution
Output formatsSave results.
nmap -oN scan.txt 192.168.1.1    # Normal
nmap -oX scan.xml 192.168.1.1    # XML
nmap -oG scan.gnmap 192.168.1.1  # Grepable
nmap -oA scan 192.168.1.1        # All formats at once

# XML to HTML:
xsltproc scan.xml -o scan.html

Port Scanning

Quick port scanTop 1000 ports.
sudo nmap -sS 192.168.1.1                    # SYN scan (fast, needs root)
nmap -sT 192.168.1.1                         # TCP connect (no root)
nmap -sS -p- 192.168.1.1                     # ALL ports (65535 — slow)
nmap -sS -p 22,80,443,8080,8443 192.168.1.1  # Specific ports
UDP scanFind UDP services.
sudo nmap -sU 192.168.1.1                       # UDP scan (slow)
sudo nmap -sU --top-ports 200 192.168.1.1       # Only top 200 UDP ports
sudo nmap -sS -sU -p U:53,161,T:22,80 10.0.0.1 # Mix UDP + TCP ports

Service Detection

Service + OS detectionFingerprint services and OS.
sudo nmap -sS -sV 192.168.1.1                  # Service versions
sudo nmap -sS -sV -O 192.168.1.1               # + OS detection
sudo nmap -sS -sV -O --osscan-guess 192.168.1.1 # Aggressive OS guess
nmap -A 192.168.1.1                             # Aggressive: OS, version, scripts, traceroute

NSE Scripts

Vulnerability scriptsRun NSE vuln scan.
nmap --script vuln 192.168.1.1                  # All vulnerability checks
nmap --script http-* 192.168.1.1                # All HTTP-related scripts
nmap --script ssl-enum-ciphers -p 443 example.com  # TLS cipher audit
nmap --script dns-brute --script-args dns-brute.domain=example.com
Script: HTTP enumEnumerate web server.
nmap --script http-enum -p 80,443 example.com
# Discovers: /admin, /backup, /wp-admin, /.git, /api

nmap --script http-headers -p 80,443 example.com
nmap --script http-methods --script-args http-methods.url-path=/api -p 80 example.com

Performance

Performance tuningSpeed up large scans.
sudo nmap -sS -T5 -p 80,443 --max-rtt-timeout 100ms 192.168.1.0/24
sudo nmap -sS --min-rate 10000 -p 80,443 10.0.0.0/8
sudo nmap -sS -T4 --max-retries 2 192.168.1.1
# -T0 (paranoid) .. -T5 (insane) — timing templates

Stealth

Firewall evasionDetect firewall rules.
sudo nmap -sS -f 192.168.1.1                       # Fragment packets (bypass some filters)
sudo nmap -sS -D decoy1.com,decoy2.com 192.168.1.1  # Decoy scans
sudo nmap -sS --data-length 200 192.168.1.1          # Pad packets to normal size
nmap -sT --source-port 53 192.168.1.1               # Use DNS port (often allowed)