> nmap -sC -sV -O -oA target 10.0.0.0/24 && echo 'now we see'_
Nmap — Network Mapper — was first released by Gordon Lyon in 1997. Nearly three decades later, it remains the single most important tool in the penetration tester's arsenal for network reconnaissance. Not because it's the flashiest, not because it does the exploitation, but because it answers the questions that every other tool depends on: what's on this network, what's it running, and where are the doors?
Every infrastructure engagement we conduct begins with Nmap. Before BloodHound maps Active Directory, before Responder poisons broadcast traffic, before Burp Suite intercepts web requests — Nmap maps the terrain. It discovers hosts, identifies open ports, fingerprints services and operating systems, and through its scripting engine, performs the first layer of vulnerability assessment. The output of an Nmap scan is the attack surface — and everything that follows is built on it.
Most administrators have run nmap -sS target and looked at the port list. That's roughly 10% of the tool's capability. This article covers the rest.
Scanning systems you do not own or have explicit written authorisation to test is illegal under the Computer Misuse Act 1990 (UK), the Computer Fraud and Abuse Act (US), and equivalent legislation in most jurisdictions. Everything described in this article must only be performed against systems you own or have documented permission to assess. Unauthorised scanning — even without exploitation — can constitute a criminal offence.
Before scanning ports, Nmap needs to know which hosts are alive on the network. By default, Nmap sends an ICMP echo request, a TCP SYN to port 443, a TCP ACK to port 80, and an ICMP timestamp request. If any of these elicit a response, the host is marked as "up" and port scanning begins. But this default behaviour doesn't always work — firewalls block ICMP, hosts are configured to ignore pings, and network segmentation may prevent certain probe types from reaching the target.
| Flag | Discovery Method | When to Use It |
|---|---|---|
-sn |
Ping scan only — discover live hosts without port scanning. Sends the default discovery probes but skips the port scan phase entirely. | Initial reconnaissance of a large subnet. Mapping the network before committing to a full port scan. Fast and lightweight — ideal for /16 or larger ranges where a full scan would take hours. |
-Pn |
Skip host discovery entirely — treat every target as alive and scan it regardless of whether it responds to pings. | Scanning through firewalls that block ICMP and discovery probes. If you know the host is there (from DNS records, a provided asset list, or a previous scan), -Pn ensures the port scan runs even if the host doesn't respond to pings. |
-PS<ports> |
TCP SYN discovery — send a SYN packet to the specified ports. A SYN/ACK or RST response confirms the host is alive. | Discovering hosts behind firewalls that block ICMP but allow specific TCP ports. -PS22,80,443,3389 probes four common ports and marks the host as up if any respond. |
-PA<ports> |
TCP ACK discovery — send an ACK packet to the specified ports. An RST response confirms the host is alive (the host is rejecting an unsolicited ACK). | Bypassing stateless firewalls that block SYN packets but allow ACK packets through. Often used in combination with -PS for comprehensive discovery. |
-PU<ports> |
UDP discovery — send a UDP packet to the specified ports. An ICMP port unreachable response confirms the host is alive. | Discovering hosts that don't respond to TCP probes. Particularly useful for network devices, DNS servers, and SNMP-enabled infrastructure that may only expose UDP services. |
-PR |
ARP discovery — send ARP requests on the local network segment. ARP responses confirm the host is alive and reveal its MAC address. | Scanning the local subnet during an internal pen test. ARP cannot be blocked by host-based firewalls and is the most reliable discovery method on the local broadcast domain. Nmap uses ARP automatically when scanning local subnets. |
Once live hosts are identified, Nmap probes their ports to determine which are open, closed, or filtered. The scan type determines how this probing is performed — and each type has different trade-offs in speed, stealth, accuracy, and privilege requirements.
| Flag | Scan Type | How It Works | Trade-offs |
|---|---|---|---|
-sS |
SYN scan (half-open) | Sends a SYN packet to each port. If the target responds with SYN/ACK, the port is open. If RST, it's closed. Nmap sends RST immediately without completing the three-way handshake — hence "half-open." | The default and most common scan type. Fast, relatively stealthy (no full TCP connection is established), and accurate. Requires root/admin privileges because it uses raw sockets. Detected by any modern IDS but less conspicuous than a full connect scan. |
-sT |
TCP connect scan | Completes the full TCP three-way handshake for each port. Uses the operating system's connect() system call rather than raw sockets. |
Does not require root privileges — useful when scanning from a restricted account or through a SOCKS proxy. Slower than SYN scan. More conspicuous — every successful probe creates a full TCP connection that appears in the target's connection logs. |
-sU |
UDP scan | Sends a UDP packet to each port. If an ICMP port unreachable response is received, the port is closed. If no response, the port is open or filtered. For common UDP services, Nmap sends protocol-specific payloads to elicit a response. | Slow — UDP scanning relies on ICMP rate limiting, which most operating systems enforce at one response per second. A full 65,535-port UDP scan can take hours. Critical for finding DNS (53), SNMP (161/162), TFTP (69), NTP (123), and other UDP services that TCP scanning misses entirely. |
-sV |
Version detection | After identifying open ports, Nmap sends protocol-specific probes and analyses the responses to determine the exact service and version running on each port. Uses the nmap-service-probes database. |
Essential for vulnerability assessment — knowing that port 443 is open is useful; knowing it's running Apache 2.4.49 (vulnerable to path traversal, CVE-2021-41773) is actionable. Adds time to the scan but dramatically increases the value of the output. |
-sA |
ACK scan | Sends ACK packets to each port. Doesn't determine whether ports are open or closed — only whether they're filtered (no response / ICMP unreachable) or unfiltered (RST response). | Used to map firewall rules. If a port responds with RST, the firewall is allowing packets through. If no response, the firewall is filtering. Useful for understanding which ports a stateful firewall is blocking versus which it allows. |
-sN / -sF / -sX |
NULL / FIN / Xmas scans | Send TCP packets with unusual flag combinations (no flags, FIN only, or FIN+PSH+URG). RFC 793 states that a closed port should respond with RST and an open port should silently drop the packet. | Niche. Can bypass some stateless firewalls and packet filters that only inspect SYN packets. Unreliable against Windows (which sends RST regardless of port state) and modern firewalls. Useful in specific evasion scenarios, not for general scanning. |
For the majority of penetration testing engagements, the core scan is -sS (SYN scan) combined with -sV (version detection) and -sU (UDP scan on a targeted port list). This combination identifies which ports are open, what services and versions are running, and covers the UDP services that TCP-only scanning misses.
There are 65,535 TCP ports and 65,535 UDP ports. Scanning all of them on every host is thorough but impractical on large networks. Nmap's default scan covers the 1,000 most common ports — which accounts for approximately 93% of the TCP ports typically found open. But that remaining 7% is where interesting things hide.
| Flag | What It Scans | When to Use It |
|---|---|---|
-p- |
All 65,535 TCP ports. | Single-host deep scans. High-value targets where completeness matters more than speed. Will find services running on non-standard ports — web servers on 8443, databases on 33060, management interfaces on 9090. |
-p 1-1024 |
A specific range — in this case, the "well-known" ports. | When you need to control the scope precisely. -p 22,80,443,445,3389 scans only the five specified ports — fast and focused. |
--top-ports <n> |
The top n most common ports from Nmap's frequency database. | --top-ports 100 covers the vast majority of common services while staying fast. --top-ports 10000 is a good compromise between thoroughness and speed for medium-sized networks. |
-F |
Fast mode — the top 100 ports only. | Initial quick-look scan when time is constrained. Reveals the most common services in seconds. Follow up with a deeper scan on interesting hosts. |
An open port is a fact. A service version is actionable intelligence. An operating system fingerprint is context that shapes the entire attack strategy. Nmap's detection capabilities transform a list of open ports into a detailed profile of each target.
| Flag | What It Does | Why It Matters |
|---|---|---|
-sV |
Probes open ports to determine the service name and version. Sends protocol-specific queries and matches responses against Nmap's nmap-service-probes database of over 11,000 signatures. |
Port 8080 could be anything: a web server, a proxy, a Java application server, a management interface. -sV tells you it's Apache Tomcat 9.0.31 — which is vulnerable to CVE-2020-1938 (Ghostcat). Without version detection, you have a port number. With it, you have a vulnerability. |
--version-intensity <0-9> |
Controls how many probes Nmap sends to fingerprint each service. Default is 7. Higher values send more probes (more accurate, slower). Lower values are faster but may miss unusual services. | Use --version-intensity 9 on high-value targets where you need maximum accuracy. Use lower values on large networks where speed is more important. |
-O |
OS detection. Analyses TCP/IP stack characteristics — window sizes, TTL values, TCP options, IP ID sequences — and matches them against Nmap's database of known OS fingerprints. | Knowing the target runs Windows Server 2012 R2 (end of extended support October 2023) versus Windows Server 2022 changes the attack strategy entirely. OS detection also reveals the target's kernel version, which maps to specific kernel exploits. |
-A |
Aggressive mode. Enables OS detection (-O), version detection (-sV), script scanning (-sC), and traceroute in a single flag. |
The convenience option for single-host deep scans. Not recommended for large networks (slow) but ideal for detailed profiling of individual targets after initial discovery. |
The Nmap Scripting Engine (NSE) transforms Nmap from a port scanner into a vulnerability assessment platform. NSE scripts — written in Lua — can enumerate services, check for specific vulnerabilities, extract information, brute-force credentials, and even exploit certain weaknesses. Nmap ships with over 600 scripts, and custom scripts can be written for specific engagement needs.
| Flag / Category | What It Does | Example Scripts |
|---|---|---|
-sC (or --script=default) |
Runs the default script set — a curated collection of safe, informative scripts that provide useful enumeration without being intrusive or dangerous. | http-title (page title), ssl-cert (certificate details), smb-os-discovery (SMB OS info), ssh-hostkey (SSH key fingerprint) |
--script=vuln |
Runs all scripts in the "vuln" category — scripts that check for known vulnerabilities. These send probes designed to detect (not exploit) specific CVEs. | smb-vuln-ms17-010 (EternalBlue), http-vuln-cve2017-5638 (Struts2 RCE), ssl-heartbleed (Heartbleed), smb-vuln-ms08-067 (Conficker) |
--script=safe |
Runs all scripts categorised as "safe" — scripts that are unlikely to cause disruption, crash services, or consume excessive resources on the target. | Good for production environments where stability is critical. Excludes brute-force, DoS, and exploit scripts. |
--script=auth |
Runs scripts that test authentication — default credentials, anonymous access, authentication bypasses. | ftp-anon (anonymous FTP), smb-enum-shares (accessible SMB shares), http-default-accounts (default web app credentials) |
--script=brute |
Runs brute-force scripts against discovered services. Tests common username/password combinations. Use with caution — may lock accounts or generate significant log volume. | ssh-brute, ftp-brute, http-brute, smb-brute. Always confirm account lockout policies before running brute-force scripts in a production environment. |
--script=<name> |
Run a specific script by name. Multiple scripts can be comma-separated. | --script=smb-vuln-ms17-010 runs only the EternalBlue check. --script=http-enum,http-headers runs two specific HTTP enumeration scripts. |
Nmap's timing controls determine how aggressively it scans — balancing speed against stealth, accuracy, and the risk of overwhelming the target network or triggering IDS alerts.
| Flag | Template | Behaviour | Use Case |
|---|---|---|---|
-T0 |
Paranoid | 5-minute delay between probes. Serial scanning. Minimal network footprint. | Evading IDS in highly monitored environments. Extremely slow — a full scan can take days. |
-T1 |
Sneaky | 15-second delay between probes. Still serial. | IDS evasion with slightly more practicality. Still very slow. |
-T2 |
Polite | 0.4-second delay between probes. Reduces network load. | Scanning production networks where stability is a concern. Slower but gentler on network infrastructure. |
-T3 |
Normal | The default. Parallel scanning with adaptive timing based on network responsiveness. | Most engagements. Good balance of speed and accuracy. |
-T4 |
Aggressive | Faster timeouts, more parallel probes. Assumes a fast, reliable network. | Internal network pen tests where stealth isn't required and the network can handle the load. Significantly faster than default. |
-T5 |
Insane | Minimal timeouts, maximum parallelism. Sacrifices accuracy for speed. | CTF competitions and lab environments. Not recommended for production — may miss open ports due to dropped packets and can overwhelm network devices. |
For professional engagements, -T4 is the standard for internal testing and -T3 for external testing. Beyond the templates, individual timing parameters can be fine-tuned: --min-rate and --max-rate set packets per second, --max-retries controls probe retransmission, and --host-timeout sets a per-host time limit to prevent a single unresponsive host from stalling the entire scan.
Firewalls, intrusion detection systems, and packet filters are designed to prevent or detect scanning. During a penetration test, part of the assessment is determining what the firewall reveals and what it conceals — and whether evasion techniques can bypass the filtering to discover the true attack surface.
| Flag | Evasion Technique | How It Works |
|---|---|---|
-f |
Fragment packets | Splits probe packets into 8-byte fragments. Some older firewalls and IDS systems can't reassemble fragmented packets and allow them through. Less effective against modern stateful firewalls. |
-D <decoys> |
Decoy scanning | Sends scan packets from multiple spoofed source addresses alongside the real scan. The target sees probes from many IPs, making it harder to identify the actual scanner. -D RND:10 generates 10 random decoy addresses. |
-S <ip> |
Source IP spoofing | Sends packets with a spoofed source address. Only useful if you can sniff the responses (e.g. on the same subnet). The target attributes the scan to a different IP. |
--source-port <port> |
Source port specification | Sets the source port to a specific value. Some misconfigured firewalls allow traffic from port 53 (DNS) or port 80 (HTTP) through on the assumption it's reply traffic. --source-port 53 exploits this. |
--data-length <n> |
Append random data | Adds random bytes to probe packets, changing their size. Some IDS signatures match on specific packet lengths; adding data breaks the signature match. |
--scan-delay <time> |
Inter-probe delay | Adds a fixed delay between probes. Avoids triggering rate-based IDS rules that alert on rapid sequential connection attempts. |
Evasion techniques are part of the penetration tester's methodology — they test whether the organisation's defensive controls can be bypassed. A finding that says "the IDS detected the scan" is valuable. A finding that says "fragmenting the scan packets bypassed the IDS entirely" is more valuable.
Nmap's output is only useful if it's captured in a format that supports analysis, correlation with other tools, and inclusion in reports. Running a scan without saving the output is a mistake you make once.
| Flag | Format | Best For |
|---|---|---|
-oN <file> |
Normal — human-readable text output identical to what's displayed on screen. | Quick reference and manual review. Easy to read but difficult to parse programmatically. |
-oX <file> |
XML — structured machine-readable output. | Integration with other tools. Parseable by scripts, importable into Metasploit (db_import), and used by reporting frameworks. The most versatile output format. |
-oG <file> |
Grepable — one line per host, designed for easy grep/awk/cut processing. |
Quick command-line filtering. grep 'open' scan.gnmap | grep '445' instantly lists every host with SMB open. |
-oA <base> |
All formats — generates .nmap, .xml, and .gnmap files simultaneously. |
Always use this. There is no reason not to save all three formats. You will want the normal output for reading, the XML for tool integration, and the grepable for quick filtering. |
In practice, a penetration tester doesn't run a single Nmap scan. They run a structured series of scans, each building on the last — progressively refining the picture of the target environment from broad discovery to deep, targeted analysis.
Each phase narrows the focus: from the entire network down to live hosts, from live hosts down to interesting services, from interesting services down to confirmed vulnerabilities. The output of each phase feeds the next — and the XML output feeds directly into tools like Metasploit, Searchsploit, and custom reporting scripts that drive the rest of the engagement.
Nmap is the foundation of infrastructure penetration testing. It answers the questions that every subsequent tool and technique depends on: what hosts are alive, what ports are open, what services and versions are running, what operating systems are in use, and — through the Nmap Scripting Engine — which known vulnerabilities are present. No other single tool provides this breadth of capability.
The difference between a basic Nmap user and a professional pen tester isn't the tool — it's the methodology. Tiered scanning from broad discovery to deep analysis. UDP coverage that most people skip. NSE scripts that transform port data into vulnerability intelligence. Output formats that feed the rest of the engagement. And the discipline to save every scan, review every result, and follow every lead.
Nmap won't exploit a vulnerability, capture a credential, or write a report. But it will tell you exactly where to look — and in penetration testing, knowing where to look is half the battle.
Nmap is where our infrastructure assessments begin — not where they end. We combine automated scanning with manual analysis, service-specific testing, and exploitation validation to identify the vulnerabilities that actually matter to your organisation.