Nmap is the essential tool for network reconnaissance and security auditing. Every pentester and security professional must master it.
Basic Scans
# Host discovery only (ping sweep, no port scan)
nmap -sn 192.168.1.0/24
# Default port scan (the 1000 most common TCP ports)
nmap 192.168.1.1
# All ports
nmap -p- 192.168.1.1
# Specific ports
nmap -p 22,80,443,8080 192.168.1.1
Scan Types
| Flag | Description |
|------|-------------|
| -sS | SYN (half-open) scan; the default when run as root, needs raw-socket privileges |
| -sT | TCP connect scan; the default for unprivileged users |
| -sU | UDP scan |
| -sV | Service version detection |
| -O | OS detection |
| -A | Aggressive: enables OS detection, version detection, default scripts and traceroute |
Advanced Usage
# Comprehensive scan (-A already implies -sV, -O and --script=default; listing them again is harmless but redundant)
nmap -sS -sV -O -A -p- --script=default target.com
# Vulnerability scanning
nmap --script vuln target.com
# Specific vulnerability check
nmap --script ssl-heartbleed -p 443 target.com
# Output formats
nmap -oA output target.com # All three formats at once: output.nmap, output.xml, output.gnmap
nmap -oX output.xml target.com # XML (best for parsing and tooling)
nmap -oG output.gnmap target.com # Greppable (one line per host)
NSE Scripts
# List available scripts
ls /usr/share/nmap/scripts/
# Common scripts (each shown as a complete command against the port the script targets)
nmap --script=http-enum -p 80,443 target.com # Web directory enumeration
nmap --script=smb-vuln-ms17-010 -p 445 target.com # EternalBlue check
nmap --script=ssh-brute -p 22 target.com # SSH brute force
nmap --script=ftp-anon -p 21 target.com # Anonymous FTP
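The XML produced by -oX is the format most worth consuming programmatically: it carries per-port state, the -sV service/version fields and the output of every NSE script that ran, so one parser covers both the output-format and the NSE sections above. The following is an added example, not code from the Nmap project; it parses a constructed XML sample shaped like real nmap output (the host 192.168.1.1, the service strings and the script output are made up for the demonstration), lists open ports and script results, and compares a scan against a baseline to surface newly exposed ports, which is the check a defender wants from a recurring scan.

```python
"""Summarise nmap -oX (XML) output: open ports, detected service versions and
per-port NSE script results for each live host, plus a baseline comparison.
The XML below is a constructed sample shaped like real nmap output, not a
capture from any scan; for real use, read the file written by
`nmap -sV --script <script> -oX scan.xml <target>` and pass its text to parse_nmap_xml()."""
from __future__ import annotations

import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Constructed sample: one live host with two open ports, one closed port and
# one NSE result, plus one host that did not respond.
SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -sV --script ssl-heartbleed -oX scan.xml 192.168.1.1" version="7.94">
  <host>
    <status state="up" reason="syn-ack"/>
    <address addr="192.168.1.1" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="8.9p1" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="443">
        <state state="open" reason="syn-ack"/>
        <service name="https" product="nginx" version="1.24.0" method="probed" conf="10"/>
        <script id="ssl-heartbleed" output="State: NOT VULNERABLE"/>
      </port>
      <port protocol="tcp" portid="8080">
        <state state="closed" reason="reset"/>
        <service name="http-proxy" method="table" conf="3"/>
      </port>
    </ports>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="192.168.1.2" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


@dataclass
class PortInfo:
    number: int
    proto: str
    service: str  # service name nmap assigned (from -sV probing or its port table)
    product: str
    version: str
    scripts: dict[str, str] = field(default_factory=dict)  # NSE script id -> output text


def parse_nmap_xml(xml_text: str) -> dict[str, list[PortInfo]]:
    """Return {ip: [open ports]} for every host nmap reported as up."""
    root = ET.fromstring(xml_text)
    hosts: dict[str, list[PortInfo]] = {}
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # down hosts carry no port data
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:  # explicit None check: an Element with no children is falsy
            addr_el = host.find("address")
        if addr_el is None:
            continue
        ports: list[PortInfo] = []
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports are not exposed services
            svc = port.find("service")
            attrs = svc.attrib if svc is not None else {}
            ports.append(PortInfo(
                number=int(port.get("portid")),
                proto=port.get("protocol", "tcp"),
                service=attrs.get("name", "unknown"),
                product=attrs.get("product", ""),
                version=attrs.get("version", ""),
                scripts={s.get("id"): s.get("output", "") for s in port.findall("script")},
            ))
        hosts[addr_el.get("addr")] = ports
    return hosts


def open_ports(summary: dict[str, list[PortInfo]], addr: str) -> list[int]:
    """Sorted open port numbers for one host (empty list if the host is unknown)."""
    return sorted(p.number for p in summary.get(addr, []))


def script_findings(summary: dict[str, list[PortInfo]], script_id: str) -> list[tuple[str, int, str]]:
    """Collect (ip, port, output) for every port on which the given NSE script ran."""
    found = []
    for addr, ports in summary.items():
        for p in ports:
            if script_id in p.scripts:
                found.append((addr, p.number, p.scripts[script_id]))
    return found


def new_open_ports(baseline: dict[str, list[PortInfo]],
                   current: dict[str, list[PortInfo]]) -> dict[str, list[int]]:
    """Ports open in the current scan that were not open in the baseline scan."""
    changes: dict[str, list[int]] = {}
    for addr in current:
        added = sorted(set(open_ports(current, addr)) - set(open_ports(baseline, addr)))
        if added:
            changes[addr] = added
    return changes


if __name__ == "__main__":
    summary = parse_nmap_xml(SAMPLE_XML)
    for addr, ports in summary.items():
        print(addr)
        for p in ports:
            print(f"  {p.number}/{p.proto} {p.service} {p.product} {p.version}".rstrip())
            for sid, out in p.scripts.items():
                print(f"    [{sid}] {out}")
```

Feeding two -oX files from different days into new_open_ports() turns the cheat-sheet scan into a change monitor: anything it returns is a service that appeared since the baseline and deserves a look.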
Legal Reminder
Only scan systems you have permission to test. Unauthorized scanning is illegal in most jurisdictions.
December 2024