Nmap (Network Mapper) is the gold standard for network discovery and security auditing. It sends raw IP packets in novel ways to determine what hosts are available on the network, what services (app name and version) those hosts are offering, what operating systems (and OS versions) they are running, and what type of packet filters/firewalls are in use.

The Command You Need

If you memorize only one command, make it this one:
nmap -sC -sV -oA scan_output target_ip
-sC: Runs the default NSE script set (service enumeration plus some common vulnerability checks).
-sV: Service version detection (is port 80 running Apache 2.4 or Nginx 1.18?).
-oA: Output in all three formats at once (normal .nmap, XML .xml, grepable .gnmap), using the given basename.
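As an added example (not part of the original page), here is a small Python parser for the XML that -oA writes to scan_output.xml: it keeps only open ports and pulls out the -sV product/version and any NSE script output per port. The XML embedded below is a constructed sample in Nmap's output layout, not a capture from a real scan.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the layout nmap writes to scan_output.xml under -oA; values are made up.
SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -sC -sV -oA scan_output 192.0.2.10">
  <host>
    <status state="up"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="8.9p1"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack"/>
        <service name="http" product="Apache httpd" version="2.4.54"/>
        <script id="http-title" output="Example Site"/>
      </port>
      <port protocol="tcp" portid="443">
        <state state="filtered" reason="no-response"/>
        <service name="https"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return one dict per open port found in nmap XML (-oX or the .xml file from -oA)."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("host"):
        if host.find("status").get("state") != "up":
            continue  # skip hosts nmap reported as down
        addr = host.find("address[@addrtype='ipv4']").get("addr")
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue  # closed/filtered ports are noise for the service inventory
            svc = port.find("service")
            attrs = svc.attrib if svc is not None else {}  # <service> is absent if nothing was identified
            findings.append({
                "host": addr, "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "service": attrs.get("name", ""),
                "product": attrs.get("product", ""),   # filled in by -sV
                "version": attrs.get("version", ""),   # filled in by -sV
                "scripts": {s.get("id"): s.get("output") for s in port.iter("script")},  # -sC results
            })
    return findings
```

Swap SAMPLE_XML for open("scan_output.xml").read() to run it on a real -oA result.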

1. Scan Types

Flag  Name                 Description
-sS   SYN Scan (Stealth)   Sends SYN, receives SYN-ACK, replies with RST; never completes the connection. Fast and quiet. Needs raw-socket (root) privileges.
-sT   TCP Connect          Completes the full three-way handshake. Slower, and leaves connection logs on the server. Use only if you don't have root privileges.
-sU   UDP Scan             Scans UDP ports (DNS, SNMP). Very slow, because UDP services don't always reply.

2. NSE (Nmap Scripting Engine)

Nmap isn't just a port scanner: the NSE makes it a scripting framework for enumeration and vulnerability checks.
Thousands of scripts written in Lua are built in.
nmap -sV --script vulners 192.168.1.5
This command scans the target, detects service versions (-sV is required, since vulners matches on version strings), and queries the Vulners database for the CVEs recorded against those versions. Treat the hits as candidates to verify, not confirmed vulnerabilities, because a match on a version string says nothing about backports or configuration.

3. Firewall Evasion

Firewalls block pings and scans.
Fragmentation (-f): Splits each probe into tiny 8-byte IP fragments (the TCP header itself is spread across several fragments) to slip past simple packet filters that don't reassemble.
Decoy (-D RND:10): Sends scans from your IP AND 10 random fake IPs. The admin sees 11 attackers and doesn't know which one is real.
Source Port (--source-port 53): Poorly written firewall rules often allow all traffic coming FROM port 53 (DNS). Nmap can set its source port to spoof this.