The Power of Nmap: Scanning, Enumeration, and Security Auditing Explained

Nmap is a powerful yet often underestimated network scanning tool. Many know it for basic usage like detecting open ports, but its modular architecture and the depth of its scripting engine (NSE) take it far beyond that: from OS detection and service fingerprinting to light exploitation of known vulnerabilities. Its use spans from internal network audits to offensive reconnaissance during Red Team operations.

For instance, running nmap 192.168.1.1 performs a basic scan that detects open TCP ports on the target host; when Nmap has raw-socket (root) privileges it uses a SYN scan (-sS) by default. This scan is fast and stealthy because it doesn’t complete the TCP handshake, making it less detectable by monitoring systems like Snort or Suricata. However, a poorly configured firewall might still log the attempt.

Even at this basic level, knowing the options makes a difference. TCP connect scans (-sT) may be necessary when running without root privileges, such as in restricted environments. The -Pn flag skips host discovery (the initial ICMP ping) and treats every target as online, which is useful when scanning systems that block ICMP responses.

To move beyond the basics, one can enable service version detection (-sV) and OS fingerprinting (-O). This yields critical information during enumeration phases of a pentest.

For example:
nmap -sS -sV -O 192.168.1.50
might reveal “Microsoft Windows Server 2012, port 445 open running SMB v1.0,” which could immediately be correlated with known vulnerabilities like MS17-010 (EternalBlue).

Scanning ranges and entire subnets is also part of intermediate use. With nmap 192.168.1.0/24, you can map an entire Class C (/24) network. To avoid touching sensitive systems, the --exclude option lets you omit specific hosts, which is especially useful in corporate networks with critical devices. For instance:
nmap -sS 10.0.0.0/16 --exclude 10.0.0.1,10.0.0.254
lets you scan a large network without hitting the firewall or domain controller.

Scan timing matters too. In stealth scenarios, -T0 or -T1 reduce the scan speed and likelihood of detection. For faster scans in trusted environments, -T4 or -T5 work better. For example:
nmap -sS -T0 -v 192.168.1.1
scans a host slowly and verbosely, lowering the risk of triggering SIEM alerts in poorly tuned environments.

But Nmap’s real strength lies in its NSE — the Nmap Scripting Engine. These Lua-based scripts allow advanced tasks: from discovering common web paths (http-enum) to identifying critical vulnerabilities (smb-vuln-ms17-010, ftp-vsftpd-backdoor). A command like:
nmap -p 445 --script smb-vuln-ms17-010 192.168.1.33
directly checks whether a host is vulnerable to EternalBlue without relying on third-party tools.

Scanning internal web servers with:
nmap -p 80,443 --script http-title,http-enum 10.1.1.0/24
retrieves page titles and common paths like /admin, /login, or /test, enabling a more effective passive reconnaissance process.

Nmap can also be used for brute force attacks:
nmap -p 22 --script ssh-brute --script-args userdb=users.txt,passdb=creds.txt 192.168.1.55
launches a controlled dictionary attack on an SSH service. These scripts are particularly helpful in internal audits, where weak or reused credentials are often discovered.

Nmap’s output can be exported in various formats, with XML (-oX) being ideal for automated processing. A common workflow might be:
nmap -sS -sV -O -oX results.xml 10.0.0.0/24
and then parsing that file with tools like xsltproc, nmap-parser, or custom Python scripts to generate reports or feed into post-exploitation tools like Metasploit.

Defensively, Nmap also adds value. Running scheduled internal scans with --script vuln helps uncover misconfigured systems or outdated software before attackers do. It can also serve as a test stimulus: Blue Teams can generate known scan traffic to check whether the SIEM is properly detecting and classifying the resulting events.
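The "custom Python scripts" step of the XML workflow above, written out as an added example (not code from the article) that also fits the scheduled-scan use just described: it parses -oX output, lists open services, pulls VULNERABLE states out of NSE script result tables such as smb-vuln-ms17-010's, and diffs the open ports against a baseline run. The XML is a constructed sample modelled on Nmap's format; the host addresses and the MS17-010 table key are assumed values.

```python
import xml.etree.ElementTree as ET
# Constructed sample shaped like Nmap -oX output (not a real scan). Nmap's vuln
# scripts nest one <table> per finding with an <elem key="state"> child.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sV -O --script vuln -oX results.xml 10.0.0.0/24">
  <host><status state="up"/><address addr="10.0.0.50" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="445"><state state="open"/>
        <service name="microsoft-ds" product="Microsoft Windows Server 2012 microsoft-ds"/>
        <script id="smb-vuln-ms17-010" output="VULNERABLE">
          <table key="MS17-010"><elem key="state">VULNERABLE</elem></table>
        </script>
      </port>
      <port protocol="tcp" portid="3389"><state state="filtered"/></port>
    </ports>
  </host>
  <host><status state="up"/><address addr="10.0.0.51" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="22"><state state="open"/>
      <service name="ssh" product="OpenSSH" version="8.4"/></port></ports>
  </host>
  <host><status state="down"/><address addr="10.0.0.52" addrtype="ipv4"/></host>
</nmaprun>"""

def parse_nmap_xml(xml_text):
    """Map each live host to its open ports and any NSE findings flagged VULNERABLE."""
    hosts = {}
    for host in ET.fromstring(xml_text).iter("host"):
        if host.find("status").get("state") != "up":
            continue
        addr = host.find("address[@addrtype='ipv4']").get("addr")
        ports, vulns = [], []
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue  # closed/filtered ports are not exposures worth reporting
            svc = port.find("service")
            name = svc.get("name", "") if svc is not None else ""
            product = " ".join(filter(None, (svc.get("product"), svc.get("version")))) if svc is not None else ""
            ports.append((int(port.get("portid")), name, product))
            for script in port.findall("script"):
                for table in script.findall("table"):
                    state = table.find("elem[@key='state']")
                    if state is not None and "VULNERABLE" in state.text:
                        vulns.append((script.get("id"), table.get("key")))
        hosts[addr] = {"ports": ports, "vulns": vulns}
    return hosts

def new_exposures(baseline, current):
    """(ip, port) pairs open now but absent from the baseline scan: what a scheduled run should alert on."""
    as_set = lambda h: {(ip, p) for ip, d in h.items() for p, _, _ in d["ports"]}
    return as_set(current) - as_set(baseline)
```

Feeding the parsed dictionary into a ticketing system or SIEM, and keeping the previous run as the baseline, turns the nightly scan into a change-detection control rather than a one-off report.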

In industrial environments, NSE scripts can detect exposed SCADA devices using:
nmap -p 502 --script modbus-discover 192.168.100.0/24
which is especially useful for OT security teams in energy or manufacturing sectors.

Nmap is not just a discovery tool. It’s a bridge between knowing your network and taking control of it. Mastery doesn’t mean memorizing commands, but understanding its flexibility and adapting it to each analysis phase — both offensive and defensive. That mastery starts when you go beyond nmap -sS and truly leverage everything this scanner can offer.

All nmap commands used in this article:

nmap 192.168.1.1
    Basic host scan to detect open TCP ports.
nmap -sS 192.168.1.1
    SYN (stealth) scan that doesn’t complete the TCP handshake, ideal for stealthy scanning.
nmap -sT 192.168.1.1
    Full TCP connect scan, used when root privileges are not available.
nmap -Pn 192.168.1.1
    Skips host discovery (ping), useful when the target blocks ICMP.
nmap -sS -sV -O 192.168.1.50
    SYN scan with service version detection and OS fingerprinting.
nmap 192.168.1.0/24
    Scans all hosts in a Class C (/24) network.
nmap -sS 10.0.0.0/16 --exclude 10.0.0.1,10.0.0.254
    SYN scan of a Class B (/16) network excluding specific hosts.
nmap -sS -T0 -v 192.168.1.1
    Slow and verbose SYN scan, useful to avoid triggering IDS/IPS alerts.
nmap -p 445 --script smb-vuln-ms17-010 192.168.1.33
    Uses NSE to check if a host is vulnerable to EternalBlue (MS17-010).
nmap -p 80,443 --script http-title,http-enum 10.1.1.0/24
    Web scan that retrieves page titles and enumerates common HTTP/HTTPS paths.
nmap -p 22 --script ssh-brute --script-args userdb=users.txt,passdb=creds.txt 192.168.1.55
    Brute-force attack against SSH using username and password dictionaries.
nmap -sS -sV -O -oX results.xml 10.0.0.0/24
    SYN scan with service and OS detection, exporting results in XML format.
nmap -p 502 --script modbus-discover 192.168.100.0/24
    Detects exposed SCADA/PLC devices using the Modbus protocol (for OT/ICS environments).
