Most people meet Nmap the same way: someone tells them to “just run a scan,” they type nmap followed by an IP address, and a wall of ports scrolls past. It works, which is exactly why so many users never learn what actually happened. Under the hood, that default scan made a dozen decisions for you: which ports to probe, how to probe them, how to decide whether a port is open, and how hard to knock. Understanding those decisions is the difference between reading a scan and merely running one. Nmap is not one tool with one behavior; it is a toolbox of scanning techniques, and picking the right one is most of the skill.
What Nmap Is Really Doing
At its core, Nmap sends crafted network packets to a target and interprets the responses. When you scan a TCP port, Nmap is watching for the signatures of the TCP handshake: a SYN-ACK means something is listening (open), a RST means the port is closed, and silence usually means a firewall is dropping the packet (filtered). That three-way distinction — open, closed, filtered — is the heartbeat of the whole tool. Everything else is a variation on how to provoke and read those responses.
Because raw packet crafting requires elevated privileges, many of Nmap’s most useful scans need to run as root (Linux/macOS) or Administrator (Windows). Run without those rights and Nmap silently falls back to a slower, less capable connect scan. If your results look strange, checking your privilege level is the first thing to rule out.
Getting Started: Targets and Basic Scans
Nmap is flexible about how you specify targets. You can scan a single host, a whole subnet in CIDR notation, an octet range, or a hostname.
nmap 192.168.1.10
nmap 192.168.1.0/24
nmap 192.168.1.1-50
nmap scanme.nmap.orgThe bare command above runs Nmap’s default: a SYN scan (if privileged) against the 1,000 most common ports. Two flags you will reach for constantly are verbosity and reasoning:
nmap -v -T4 192.168.1.10 # verbose, faster timing
nmap --reason 192.168.1.10 # show WHY each port got its stateThe --reason flag is underrated. Instead of just telling you a port is “filtered,” it tells you how Nmap concluded that — no response, an ICMP unreachable, a RST — which is often the clue you need when a firewall is in the way.
The Core Scan Types
The single most important choice you make is the scan technique, selected with a capital-letter flag. These are the ones worth knowing:
-sS(SYN scan): The default when you have privileges. It sends a SYN, watches for the SYN-ACK, and then sends a RST to tear the connection down before it completes. Because the handshake never finishes, it is fast and relatively quiet. This is your everyday workhorse.-sT(TCP connect scan): Completes the full handshake using the operating system’s networking calls. It is slower and more likely to be logged by the target, but it needs no special privileges, so it is the fallback when you can’t run as root.-sU(UDP scan): Probes UDP services like DNS, SNMP, and DHCP. UDP scanning is slow and often ambiguous because closed ports may simply not respond, but it is essential — plenty of critical services live on UDP and a TCP-only scan misses them entirely.-sn(ping scan / host discovery): Skips port scanning altogether and just asks “which hosts are alive?” Perfect for mapping a subnet before you commit to deeper scans.
nmap -sS 192.168.1.10 # SYN scan (needs privileges)
nmap -sT 192.168.1.10 # full-connect scan (no privileges)
nmap -sU --top-ports 50 192.168.1.10 # top 50 UDP ports
nmap -sn 192.168.1.0/24 # discover live hosts onlyBeyond these, Nmap offers stealthier or more specialized probes — the FIN scan (-sF), Xmas scan (-sX), and Null scan (-sN) send unusual flag combinations to try to slip past simple stateless firewalls. They exploit a quirk in the TCP spec where closed ports must reply with RST while open ports stay silent. They are less reliable against modern stacks (Windows notably ignores the RFC here) but remain a useful trick when a standard scan gets stonewalled.
Choosing Which Ports to Scan
By default Nmap checks 1,000 common ports, but you almost always want to be explicit.
nmap -p 22,80,443 192.168.1.10 # specific ports
nmap -p 1-1000 192.168.1.10 # a range
nmap -p- 192.168.1.10 # ALL 65,535 ports
nmap --top-ports 100 192.168.1.10 # the 100 statistically most common
nmap -F 192.168.1.10 # fast mode: top 100 portsThe -p- flag is one to remember. Attackers and administrators alike hide services on high, non-standard ports specifically because the default scan won’t find them. A full port sweep is slower but catches the SSH server someone parked on port 47000.
Digging Deeper: Versions, OS, and Scripts
Knowing a port is open is only half the story. The real value comes from identifying what is running there.
nmap -sV 192.168.1.10 # detect service versions
nmap -O 192.168.1.10 # guess the operating system
nmap -A 192.168.1.10 # aggressive: -sV, -O, scripts, traceroute-sV performs version detection, comparing responses against a database of service fingerprints to report not just “http” but “Apache httpd 2.4.52.” That version string is what turns a port list into a vulnerability assessment, because you can now check it against known CVEs. -O attempts OS fingerprinting from subtle differences in how the TCP/IP stack behaves. -A bundles the heavy detection features together for when you want everything at once and don’t care about speed or subtlety.
The Nmap Scripting Engine (NSE) is where Nmap stops being a port scanner and becomes an extensible framework. Scripts, written in Lua, can grab banners, test for specific vulnerabilities, brute-force logins, and much more.
nmap -sC 192.168.1.10 # run the default script set
nmap --script vuln 192.168.1.10 # run vulnerability-detection scripts
nmap --script http-title -p 80,443 192.168.1.10Scripts are organized into categories — default, safe, vuln, auth, discovery, intrusive, and others — so you can dial in how aggressive you want to be. Be aware that some categories actively probe or attempt exploits, so run them only against systems you are authorized to test.
Timing, Output, and Staying Reasonable
Nmap’s -T templates (0 through 5) trade speed for stealth. -T0 is glacially slow to evade detection; -T4 is a sensible fast default on a reliable network; -T5 is aggressive enough to miss results or trip alarms. For saving work, direct output to a file:
nmap -sV -oN scan.txt 192.168.1.10 # human-readable
nmap -sV -oX scan.xml 192.168.1.10 # XML for tooling
nmap -sV -oA fullscan 192.168.1.10 # all major formats at onceThe -oA flag writes normal, XML, and grepable output simultaneously, which is invaluable when you want a readable report and something a script can parse later.
The Takeaway
Nmap rewards intent. The default scan is a reasonable guess, but every serious use starts with a question — Which hosts exist? What ports are open? What software is running? Is it vulnerable? — and each question maps to a specific technique: -sn for discovery, -sS or -sU for port state, -sV and -O for identification, and NSE for verification. Learn those four verbs and the flags fall into place. One caution that never expires: scanning systems you don’t own or have explicit permission to test can be illegal, and even a “harmless” scan can disrupt fragile devices. Practice on your own lab or on hosts like scanme.nmap.org that exist for the purpose, and treat the tool with the same care you would want someone to use when pointing it at your network.
