Penetration testing

Nmap from beginner to advanced [updated 2021]

Irfan Shakeel
February 9, 2021 by
Irfan Shakeel

Network Mapper (Nmap) is a network scanning and host detection tool that is very useful during several steps of penetration testing. Nmap is not limited to merely gathering information and enumeration, but it is also a powerful utility that can be used as a vulnerability detector or a security scanner. 

So Nmap is a multipurpose tool, and it can be run on many different operating systems, including Windows, Linux, BSD and Mac. Nmap is a very powerful utility that can be used to:

  • Detect the live host on the network (host discovery)
  • Detect the open ports on the host (port discovery or enumeration)
  • Detect the software and the version to the respective port (service discovery)
  • Detect the operating system, hardware address and software version
  • Detect the vulnerability and security holes (Nmap scripts)

Nmap is a very common tool, and it is available for both the command line interface and the graphical user interface. The objective of this article is to create a handbook that contains all of the necessary information about Nmap and its usage

In this piece, we’ll look at:

  • Introduction to Nmap
  • What are the important parameters and techniques of scanning
  • Introduction to operating system detection
  • Nmap tutorial

How to use Nmap? You might have heard this question many times before, but in my opinion, this is not the right question to ask. The best way to start off exploring Nmap is to ask: How can I use Nmap effectively? This article was written in an effort to answer that question.

Nmap uses different techniques to perform scanning, including: TCP connect() scanning, TCP reverse ident scanning, FTP bounce scanning and so on. All these types of scanning have their own advantages and disadvantages, and we will discuss them as we go on.

What should you learn next?

What should you learn next?

From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now.

How to use Nmap effectively

The usage of Nmap depends on the target machine because there is a difference between simple (basic) scanning and advanced scanning. We need to use some advanced techniques to bypass the firewall and intrusion detection/prevention software to get the right result. 

Below are the examples of some basic commands and their usage.

If you want to scan a single system, then you can use a simple command:

nmap target

# nmap

# nmap

If you want to scan the entire subnet, then the command is:

nmap target/cdir

# nmap

It is very easy to scan multiple targets. All you need to do is to separate each target via space:

nmap target target1 target2

# nmap

Let’s suppose you want to scan a range of IP addresses, but not the entire subnet. In this scenario, use this command:

nmap target-100

# nmap

Suppose you have a list of target machines. You can make Nmap scan for the entire list:

# nmap -iL target.txt

Make sure to put the file in the same directory.

If you want to see the list of all the hosts that you are scanning, then use the command with an -sL parameter:

nmap -sL target/cdir

# nmap -sL

In some cases, we need to scan the entire subnet but not a specific IP address because it might be dangerous for us. In this scenario, use the Nmap command with the excluding parameter:

# nmap – -exclude

If you have a file that contains the list of IP addresses that you want to exclude, then you can call the file in the exclude parameter:

# nmap –exclude file target.txt

If you want to scan a specific port on the target machines (for example, if you want to scan the HTTP, FTP and Telnet ports only on the target computer), then you can use the Nmap command with the relevant parameter:

# nmap -p80,21,23 

This scans the target for port number 80, 21 and 23.

You now have a basic understanding of Nmap scanning techniques, but for the purposes of this article, we need to explore in more depth.

Nmap scanning techniques

There are many scanning techniques available on Nmap, including the TCP connect scanning method discussed earlier. In this section, I will discuss the most popular scanning technique in detail.

TCP SYN scan (-sS)

This is a basic scan. It is also called half-open scanning because this technique allows Nmap to get information from the remote host without the complete TCP handshake process. Nmap sends SYN packets to the destination, but it does not create any sessions. As a result, the target computer can’t create any log of the interaction because no session was initiated, making this feature an advantage of the TCP SYN scan.

If there is no scan type mentioned on the command, then avTCP SYN scan is used by default, but it requires the root/administrator privileges.

# nmap -sS

TCP connect() scan (-sT)

This is the default scanning technique used — if and only if the SYN scan is not an option, because the SYN scan requires root privilege. Unlike the TCP SYN scan, it completes the normal TCP three-way handshake process and requires the system to call connect(), which is a part of the operating system. 

Keep in mind that this technique is only applicable to find out the TCP ports, not the UDP ports.

# nmap -sT

UDP scan (-sU)

As the name suggests, this technique is used to find an open UDP port of the target machine. It does not require any SYN packet to be sent because it is targeting the UDP ports. We can make the scanning more effective by using -sS along with –sU. 

UDP scans send the UDP packets to the target machine and waits for a response. If an error message arrives saying the ICMP is unreachable, then it means that the port is closed; but if it gets an appropriate response, then it means that the port is open.

# nmap -sU

FIN scan (-sF)

Sometimes a normal TCP SYN scan is not the best solution because of the firewall. IDS and IPS scans might be deployed on the target machine, but a firewall will usually block the SYN packets. A FIN scan sends the packet only set with a FIN flag, so it is not required to complete the TCP handshaking.

root@bt:~# nmap -sF

Starting Nmap 5.51 ( ) at 2012-07-08 19:21 PKT

Nmap scan report for

Host is up (0.000026s latency).

Not shown: 999 closed ports


111/tcp open|filtered rpcbind

The target computer is not able to create a log of this scan (again, an advantage of FIN). Just like a FIN scan, we can perform an xmas scan (-sX) and Null scan (-sN). The idea is the same, but there is a difference between each type of scan. For example, the FIN scan sends the packets containing only the FIN flag, whereas the Null scan does not send any bit on the packet. The xmas sends FIN, PSH and URG flags.

Ping scan (-sP)

Ping scanning is unlike the other scan techniques because it is only used to find out whether the host is alive or not, it is not used to discover open ports. Ping scans require root access as ICMP packets can be sent, but if the user does not have administrator privilege, then the ping scan uses connect() call.

# nmap -sP

Version detection (-sV)

Version detection is the technique used to find out what software version is running on the target computer and on the respective ports. It is unlike the other scanning techniques because it is not used to detect the open ports, but it requires the information from open ports to detect the software version. In the first step of this scan technique, version detection uses the TCP SYN scan to find out which ports are open.

# nmap -sV

Idle scan (-sI)

The idle scan is one of my favorite techniques. It is an advance scan that provides complete anonymity while scanning. In an idle scan, Nmap doesn’t send the packets from your real IP address — instead of generating the packets from the attacker machine, Nmap uses another host from the target network to send the packets. 

Let’s consider an example to understand the concept of idle scan:

nmap -sI zombie_host target_host

# nmap -sI

The idle scan technique is used to discover the open ports on while it uses the zombie_host ( to communicate with the target host. So this is an ideal technique to scan a target computer anonymously.

There are many other scanning techniques available like FTP bounce, fragmentation scan, IP protocol scan. and so on. We have discussed the most important scanning techniques (although all of the scanning techniques can be important, depending on the situation you are dealing with).

In the next section, we will discuss Nmap’s operating system (OS) detection and discovery techniques.

OS detection in Nmap

One of the most important features that Nmap has is the ability to detect remote operating systems and software. During a penetration test, it’s very helpful to know about the operating system and the software used by the remote computer. You can easily predict the known vulnerabilities from this information.

Nmap has a database called nmap-os-db. The database contains the information of more than 2,600 operating systems. Nmap sends TCP and UDP packets to the target machine and examines the response by comparing the result with the database. The Nmap operating system discovery technique is slightly slower then the scanning techniques because OS detection involves the process of finding open ports.

Initiating SYN Stealth Scan at 10:21

Scanning localhost ( [1000 ports]

Discovered open port 111/tcp on

Completed SYN Stealth Scan at 10:21, 0.08s elapsed (1000 total ports)

Initiating OS detection (try #1) against localhost (

Retrying OS detection (try #2) against localhost (

The example above clearly demonstrates that the Nmap first discovers the open ports, then sends the packets to discover the remote operating system. The OS detection parameter is -O (capital O).

Nmap OS fingerprinting technique discovers the:

  • Device type (router, workstation and so on)
  • Running (running operating system)
  • OS details (the name and the version of OS)
  • Network distance (the distance in hops between the target and attacker)

Suppose that the target machine has a firewall, IDS and IPS all enabled. You can use the command -PN to ensure that you do not ping to find the remote operating system. The -PN tells Nmap not to ping the remote computer, since sometimes firewalls block the request.

# nmap -O -PN

The command informs the sender every host on the network is alive so there is no need to send a ping request as well. In short, it bypasses the ping request and goes on to discover the operating system.

The Nmap OS detection technique works on the basis of an open and closed port. If Nmap fails to discover the open and closed port, then it gives the error:

Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port

This is an undesirable situation, and it is good to limit the operating system scans if Nmap is not sure about the OS. If Nmap is not sure about the OS, then there is no need to detect by using –osscan_limit.

If it is very difficult for Nmap to detect the remote OS accurately, you have the option of using Nmap’s guess feature: –osscan-guess finds the nearest match of the target operating system.

# nmap -O --osscan-guess

What should you learn next?

What should you learn next?

From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now.


Nmap is a very powerful tool and it has the ability to cover the very first aspects of penetration testing, which include information gathering and enumeration. This article was written in an effort to discuss Nmap from the beginner level to the advanced level. There are so many other things that you can do with the Nmap, and we will discuss them in future articles.

Irfan Shakeel
Irfan Shakeel

Irfan Shakeel is the founder & CEO of An engineer, penetration tester and a security researcher. He specializes in Network, VoIP Penetration testing and digital forensics. He is the author of the book title “Hacking from Scratch”. He loves to provide training and consultancy services, and working as an independent security researcher.