惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Spread Privacy
Spread Privacy
P
Palo Alto Networks Blog
P
Proofpoint News Feed
AI
AI
Help Net Security
Help Net Security
S
Securelist
T
Troy Hunt's Blog
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
C
Cisco Blogs
Scott Helme
Scott Helme
Hacker News - Newest:
Hacker News - Newest: "LLM"
Vercel News
Vercel News
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
B
Blog
GbyAI
GbyAI
Recent Commits to openclaw:main
Recent Commits to openclaw:main
D
Darknet – Hacking Tools, Hacker News & Cyber Security
P
Proofpoint News Feed
S
Security Affairs
Cisco Talos Blog
Cisco Talos Blog
AWS News Blog
AWS News Blog
T
Tenable Blog
H
Help Net Security
NISL@THU
NISL@THU
F
Fortinet All Blogs
博客园_首页
G
GRAHAM CLULEY
L
LINUX DO - 最新话题
P
Privacy International News Feed
G
Google Developers Blog
博客园 - Franky
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
Security Archives - TechRepublic
Security Archives - TechRepublic
The Register - Security
The Register - Security
L
LangChain Blog
aimingoo的专栏
aimingoo的专栏
T
Tor Project blog
P
Privacy & Cybersecurity Law Blog
量子位
C
Cyber Attacks, Cyber Crime and Cyber Security
Forbes - Security
Forbes - Security
S
Secure Thoughts
Simon Willison's Weblog
Simon Willison's Weblog
D
Docker
Recorded Future
Recorded Future
博客园 - 三生石上(FineUI控件)
L
Lohrmann on Cybersecurity
T
Tailwind CSS Blog

Mapping the <mark>Internet</mark> on Netlas: Comprehensive Internet-Wide Scanning & OSINT Platform

Weaponized RMM: Hunting the Adversary Abuse of Remote Monitoring Tools Device Code Phishing: Technical Analysis and Proactive Hunting via Netlas Discovering Data Exposure with Netlas Telegram Bot API Abuse - Netlas Blog Using OWASP Amass with Netlas Module - Netlas Blog How we hunt C2 infrastructure at RST Cloud using Netlas - Netlas Blog Using Uncover with Netlas.io module - Netlas Blog Netlas Updates Terms and API & Data License Agreement - Netlas Blog Top 10 Hacking Devices for Ethical Hackers in 2026 - Netlas Blog Inside ClickFix: How Fake Prompts Took Over the Web Top 10 Critical Threat Actors to Watch in 2026: Ransomware, APTs & Defensive Strategies - Netlas Blog Bug Bounty 101 - A Complete Bug Bounty Roadmap for Beginners (2026) - Netlas Blog Supply Chain Attack - How Attackers Weaponize Software Supply Chains - Netlas Blog The Evolution of C2: Centralized to On-Chain - Netlas Blog From Starlink to Star Wars - The Real Cyber Threats in Space - Netlas Blog LLM Vulnerabilities: Why AI Models Are the Next Big Attack Surface - Netlas Blog When AI Turns Criminal: Deepfakes, Voice-Cloning & LLM Malware - Netlas Blog Zero-Click Exploits - Netlas Blog When Patches Fail: An Analysis of Patch Bypass and Incomplete Security - Netlas Blog I Analysed Over 3 Million Exposed Databases Using Netlas - Netlas Blog Post-Quantum Now: From AES & RSA to ML-KEM Hybrids - Netlas Blog Bug Bounty 101: Top 10 Reconnaissance Tools - Netlas Blog Mapping Dark Web Infrastructure - Netlas Blog Top Vibe-Coding Security Risks - Netlas Blog From Chaos to Control: Kanvas Incident Management Tool - Netlas Blog Bug Bounty 101: The Best Courses to Get Started in 2025 - Netlas Blog I, Robot + NIST AI RMF = Complete Guide on Preventing Robot Rebellion - Netlas Blog The $1.5B Bybit Hack & How OSINT Led to Its Attribution - Netlas Blog Hannibal Stealer: A Deep Technical Analysis - Netlas Blog Proactive Threat Hunting: Techniques to Identify Malicious Infrastructure - Netlas Blog The Pyramid of Pain: Beyond the Basics - Netlas Blog SOCMINT: Intelligence in the Social Media Era - Netlas Blog Hannibal Stealer vs. Browser Security - Netlas Blog The Largest Data Breach Ever? How Hackers Stole 16 Billion Credentials - Netlas Blog DNS Cache Poisoning – Is It Still Relevant? - Netlas Blog Modern Cybercrime: Who’s Behind It and Who’s Stopping It - Netlas Blog AI-Driven Attack Surface Discovery - Netlas Blog Netlas vs Urlscan: Tools Comparison - Netlas Blog Track Adversary Infrastructure Challenge 2025 Recap - Netlas Blog What is Threat Intelligence - Netlas Blog Netlas vs IPinfo: Tools Comparison - Netlas Blog Best Nmap Alternatives - Netlas Blog Whois History: How to Check the Domain Owner History - Netlas Blog Top WHOIS & RDAP Tools for Fast IP Address Lookup - Netlas Blog ASN Lookup Explained: Tools, Methods & Insights - Netlas Blog How to Detect CVEs Using Nmap Vulnerability Scan Scripts - Netlas Blog Netlas vs ZoomEye: Platforms Comparison - Netlas Blog Top 6 Most Widely Used Port Scanners in Cybersecurity - Netlas Blog FAQ: Understanding Root DNS Servers and the Root Zone - Netlas Blog Domain Recon: Must-Know Tools for Security Professionals - Netlas Blog DNS History: Exploring Domains Past by Inspecting DNS Trails - Netlas Blog DNSSEC: Should You Use It? An Expert’s View on the Pros, Cons, and When to Implement - Netlas Blog Which DNS Servers Offer the Best Balance of Speed, Security, and Privacy? - Netlas Blog theHarvester: a Classic Open Source Intelligence Tool - Netlas Blog - Netlas Blog Top 15 OSINT Tools for Expert Intelligence Gathering - Netlas Blog A Deep Dive into the Open Web Application Security Project Top 10 Vulnerabilities - Netlas Blog Using Subfinder with Netlas Module - Netlas Blog Netlas Chrome and Firefox Extensions - Netlas Blog Netlas vs Censys: Platforms Comparison - Netlas Blog OSINT in Cybersecurity: Exploring Its Spectrum and Tech - Netlas Blog Best Honeypots for Detecting Network Threats - Netlas Blog Using Maltego with Netlas Module - Netlas Blog Using theHarvester with Netlas - Netlas Blog Using TLDFinder with Netlas - Netlas Blog Netlas vs Fofa: Platforms Comparison - Netlas Blog Netlas vs Shodan: Platforms Comparison - Netlas Blog Google Dorking in Cybersecurity - Netlas Blog 7 Tools for Web Penetration Testing - Netlas Blog Using DNS History in Cybersecurity - Netlas Blog Mastering Online Camera Searches - Netlas Blog Best Attack Surface Visualization Tools - Netlas Blog Complete Guide on Attack Surface Discovery - Netlas Blog How to find unprotected databases with Netlas.io: Chapter 2 - Netlas Blog
Nmap Cheat Sheet: Top 10 Scan Techiques - Netlas Blog
Arthur Kotylevskiy · 2025-03-24 · via Mapping the <mark>Internet</mark> on Netlas: Comprehensive Internet-Wide Scanning & OSINT Platform

Nmap is a widely used open-source tool in cybersecurity, known for its powerful network scanning and analysis capabilities. It’s free, supports a wide range of scan techniques, and is versatile enough for many use cases.

That said, if you don’t use it every day, you probably forget most of the options — I certainly do. I tend to remember just a few basic flags and end up checking the man page every time I need something more advanced. So, I’ve put together this cheat sheet of the most commonly used commands. Hopefully, it helps you find the right option faster — or even discover something new.

Additional options for controlling scan scope, speed, and output are covered in the sections below. A short FAQ is included at the end of this post for readers new to Nmap or unfamiliar with its basics.

TOP 10 Most Practical Nmap Scanning Methods

OptionNameDescription
-snPing ScanDiscovers live hosts without performing a port scan.
-sTTCP Connect ScanFull TCP handshake — used when SYN scan is unavailable (e.g., non-root).
-sSSYN ScanStealthy TCP scan that sends SYN packets without completing connections.
-sUUDP ScanSends UDP packets to identify open UDP ports.
-sAACK ScanSends ACK packets to detect firewall rules and filtering behavior.
-sVVersion DetectionAttempts to determine service versions on open ports.
-OOS DetectionTries to identify the target’s operating system based on network behavior.
-sCDefault Script ScanRuns a default set of NSE scripts for extended service enumeration.
-DDecoy ScanSends packets from decoy IPs to mask the real source of the scan.
-sIIdle ScanStealthy scan using a zombie host to hide the scanner’s IP.

I skip1 several rarely used or situational scan techniques to maintain clarity and focus on the most practical methods.

Let’s take a closer look at how to use these methods effectively in practice.

Most Nmap scan methods — especially those that send raw packets — require root privileges to work properly. Only a few methods, such as TCP Connect Scan, and Version Detection, can be performed without elevated access.

0. Default Scan

If you run nmap with no scan options, just a target, Nmap performs the default scan, which includes the following:

  • Host Discovery: Uses ICMP and TCP probes to check if the host is up.
  • DNS Resolution: Performs forward or reverse DNS lookup, depending on whether a hostname or IP address is provided.
  • Scan Type: TCP Connect (-sT) if not run as root, or SYN Scan (-sS) if run as root.
  • Port Range: Scans the 1,000 most common TCP ports, as defined in the nmap-services database2.

So running Nmap with no options is roughly equivalent to:

nmap -sT -T3 [target]   # if run as user or
nmap -sS -T3 [target]   # if run as root

1. Ping Scan

To check which hosts are online without scanning their ports — ideal for network inventory or reachability checks.

Before scanning ports, Nmap typically performs host discovery — a ping sweep to identify which targets are online. By default, it sends a combination of ICMP echo, TCP SYN (to port 443), and TCP ACK (to port 80) probes. You can limit the scan to this phase only by using the -sn option.

You can customize the probes Nmap uses by explicitly setting them with these options:

  • -PE — ICMP Echo Request
  • -PP — ICMP Timestamp Request
  • -PM — ICMP Netmask Request
  • -PS — TCP SYN to specific ports
  • -PA — TCP ACK to specific ports
  • -PU — UDP packets to specific ports

Examples:

  • Use the default probe set to check which hosts are online:

  • Send only TCP SYN probes to ports 22 and 80:

    nmap -sn -PS22,80 192.168.1.0/24
  • Skip host discovery and assume all hosts are online:

2. TCP Connect Scan

To confirm if a service fully accepts TCP connections by completing the full three-way handshake — more accurate in detecting responsive services.

This method performs a full three-way TCP handshake with each target port by calling the operating system’s standard connect() system call. It sends a SYN, waits for a SYN-ACK, and responds with an ACK, thereby fully establishing the connection. If the handshake completes, the port is marked open. If a RST is received instead, the port is considered closed.

Because it uses the OS networking stack, -sT does not require root privileges. However, it is more easily detected and logged by firewalls and intrusion detection systems (IDS), since it completes real TCP sessions. It’s also generally slower and less stealthy than a SYN scan (-sS).

Example:

This runs a TCP Connect scan on the target, testing each port by completing an actual connection.

3. SYN Scan

To quickly and stealthily identify open TCP ports by sending SYN packets without completing full connections.

SYN Scan, also known as half-open scan, is Nmap’s default and most commonly used scanning technique. It sends a TCP SYN packet to each target port and analyzes the response:

  • If a SYN-ACK is received, the port is open.
  • If a RST is received, the port is closed.
  • If no response or an ICMP error is returned, the port is likely filtered.

Unlike -sT, SYN scan does not complete the TCP handshake — after receiving SYN-ACK, it immediately sends a RST to tear down the connection. This makes it stealthier, faster, and harder to detect by standard logging tools, though many IDS/IPS systems still flag it today.

Example:

Performs a SYN scan, testing which ports respond with SYN-ACK and appear open.

4. UDP Scan

To detect open UDP ports by sending UDP packets and analyzing the presence or absence of ICMP errors.

UDP scan sends empty UDP packets to target ports and interprets responses to determine port state. If an ICMP Port Unreachable (Type 3, Code 3) message is received, the port is considered closed. If there’s no response, the port is marked as open|filtered, meaning it could be open, silently dropped, or blocked by a firewall. Some ports may return application-layer replies (like DNS or SNMP), confirming they are open.

UDP scanning is slower and less reliable than TCP scanning because of the lack of acknowledgments in the protocol and widespread rate-limiting of ICMP responses. However, it’s a good way to discover UDP services.

Example:

Performs a basic UDP scan across the default top 1,000 ports.

5. ACK Scan

To probe firewall behavior by checking whether ACK packets are filtered or pass through to the target.

ACK scan is used primarily for firewall rule analysis, not port discovery. It sends TCP packets with only the ACK flag set. Because these packets do not initiate a connection, they don’t elicit the usual SYN-ACK or RST responses. Instead:

  • If a RST is returned, the port is unfiltered — the packet was allowed through.
  • If there is no response, or an ICMP unreachable error, the port is likely filtered by a firewall.

This scan is useful for mapping out firewall rules and understanding whether traffic to a port is being silently dropped or explicitly rejected.

Example:

Scans the target using ACK probes to analyze firewall filtering behavior.

6. Version Detection

To identify the software and version running on open ports by analyzing responses to probe messages.

This method connects to open ports and interacts with the running services to determine their type and version. Nmap sends a set of predefined probes and compares the responses against its internal nmap-service-probes database3.

By default, Nmap uses --version-intensity 9, which means it tries all available probes to maximize detection accuracy. This produces thorough results but can increase scan duration and network noise. You can reduce the intensity to speed up scans or be less intrusive:

  • --version-intensity 0: Fastest — only tries the most likely probes.
  • --version-intensity 1–8: Adds more probes progressively.
  • --version-intensity 9: Default — tries all probes for maximum accuracy.

Example:

nmap -sV --version-intensity 5 192.168.1.1

Use lower values if you want quicker scans or are working in stealth-sensitive environments.

7. OS Detection

To determine the target system’s operating system based on TCP/IP stack fingerprinting.

OS Detection uses TCP/IP stack fingerprinting to identify the target’s operating system. Nmap sends a series of crafted TCP, UDP, and ICMP probes to the target and observes subtle differences in how the system responds — such as TTL values, TCP window sizes, TCP options, ICMP codes, and fragmentation behavior. These response patterns are compared against Nmap’s internal fingerprint database, nmap-os-db4, to find the closest match.

This method works best when multiple open and closed ports are available, as it needs diverse response contexts for reliable fingerprinting.

Use the --osscan-guess option to instruct Nmap to make an educated guess about the OS even when confidence is low or when multiple matches exist. This is useful in uncertain situations where you’d still like to get the most probable OS information.

Example:

nmap -O --osscan-guess 192.168.1.1

8. Default Script Scan

To perform basic reconnaissance using standard Nmap scripts for service info, SSL details, DNS lookups, and more.

The Default Script Scan uses Nmap’s Scripting Engine (NSE) to run a curated set of scripts classified as safe and default. These scripts are designed to extract additional information from services running on open ports — such as banner data, SSL/TLS certificate details, HTTP headers, DNS info, and basic vulnerabilities.

Recommended Reading

How to Detect CVEs Using Nmap Vulnerability Scan Scripts

NSE scripts behave similarly to plugins. When you use -sC, Nmap automatically selects and executes scripts from the default category, which strikes a balance between useful information and safe execution.

Example:

This command performs a standard port scan and then runs all scripts from the default category on any discovered services.

Combining with Version Detection

You can combine this with -sV to improve detection results and feed richer input to some scripts.

The Nmap Scripting Engine (NSE) is a powerful framework that allows users to extend Nmap’s functionality with custom scripts written in Lua. These scripts can perform a wide range of tasks — from service detection and brute-force attacks to vulnerability scanning and CVE checks. NSE is frequently used to detect known vulnerabilities in services.

9. Decoy Scan

To hide the source of a scan by mixing the attacker’s IP with several decoy addresses.

Decoy scan uses spoofed IP addresses to hide the true source of a scan, making it harder for intrusion detection systems (IDS) and firewalls to identify the attacker. Nmap sends packets that appear to come from multiple IP addresses, only one of which is the actual scanner. This technique is useful for evasion, especially when scanning monitored or sensitive networks. You can provide a list of decoy IPs manually, using ME to indicate your real IP.

Example:

nmap -D 10.0.0.1,10.0.0.2,ME 192.168.1.1

This command sends packets that appear to originate from three sources — 10.0.0.1, 10.0.0.2, and your actual host — making it difficult to determine which IP is performing the scan.

10. Idle Scan

To conduct a completely stealthy port scan by using a third-party zombie host to interact with the target.

Idle scan is an advanced and stealthy scanning technique that allows you to probe a target without revealing your own IP address. It leverages a third-party machine, known as a zombie, to send packets on your behalf. The technique exploits predictable IP identification (IPID) sequence numbers in the zombie’s IP stack.

The scan works as follows:

  1. Nmap first checks the zombie’s IPID behavior to ensure it’s incremental and predictable.
  2. Nmap then sends a spoofed SYN packet to the target, pretending it came from the zombie.
  3. If the target port is open, it replies to the zombie with a SYN-ACK, prompting the zombie to send back an RST — increasing its IPID by 1.
  4. If the port is closed, the target replies with a RST directly to the zombie — but the zombie does not respond, so its IPID remains unchanged.
  5. Nmap probes the zombie before and after to detect these IPID changes and infer the target port’s status.

Since the target believes the zombie is initiating the connection, the actual scanner’s IP never appears in any traffic reaching the target — making this one of the most covert methods available. However, it requires finding a suitable zombie: an idle host with no firewall and a globally incrementing IPID counter, which is rare on modern systems.

Example:

nmap -sI 192.168.1.50 192.168.1.1

This command scans 192.168.1.1 using 192.168.1.50 as the zombie. If the zombie meets the requirements, the scan can be conducted with complete anonymity from the scanner’s perspective.

    sequenceDiagram
	    participant Scanner
	    participant Zombie as Zombie<br>192.168.1.50
	    participant Target as Target<br>192.168.1.1
	
	    Scanner->>Zombie: Probe for IPID
	    Zombie-->>Scanner: Baseline IPID
	
	    Scanner->>Target: SYN spoofed from Zombie
	
	    alt Port opened
	          Target->>Zombie: SYN-ACK
	          Zombie-->>Target: RST, IPID incremented
	    else Port closed
	          Target->>Zombie: RST
	    end
	
	    Scanner->>Zombie: Probe IPID again
	    Zombie-->>Scanner: Return updated IPID
	
	    alt IPID incremented
	        Scanner->>Scanner: OPENED
	    else IPID not changed
	        Scanner->>Scanner: CLOSED / FILTERED
	    end
  1. Zombie selection is critical — Nmap will abort if the chosen zombie is not idle or does not have predictable IPID behavior.
  2. Idle scan only works on IPv4 (not IPv6).

Scan Configuration Options

Now that we’ve covered the main scanning methods, let’s explore the range of options Nmap provides to control how a scan is performed, what it targets, and how the results are displayed.

Defining Scan Scope

This performs a basic port scan on a single IP:

To scan multiple hosts, list the target IPs separated by spaces:

nmap 192.168.1.1 192.168.1.2

Scanning a Range of IPs

Excluding Specific Hosts

To exclude certain hosts from a scan, use the --exclude or --excludefile option.

nmap 192.168.1.0/24 --exclude 192.168.1.10,192.168.1.20

This command will run a basic scan of the subnet while excluding two IPs.

In practice, target lists are often stored in a file. Just format it with one IP address or hostname per line, and use the -iL option to scan it:

Specifying Ports

By default, Nmap scans the top 1000 most commonly used TCP ports. To narrow or customize the scan scope, use the -p option to specify exactly which ports to scan. You can list individual ports, ranges, or combinations.

nmap -p 22,80,443 192.168.1.1
nmap -p 1-1024 192.168.1.1
nmap -p U:53,T:80 192.168.1.1   # Scan UDP port 53 and TCP port 80

Controlling Scan Speed

Nmap provides detailed options for controlling scan speed, packet rate, and parallelism. These parameters help balance performance, accuracy, stealth, and network impact — especially useful when scanning large networks or working in sensitive environments.

To perform a scan with different timing profiles:

nmap -T1 192.168.1.0/24   # Slow, stealthy scan
nmap -T4 192.168.1.0/24   # Fast, noisy scan

By default, Nmap uses the -T3 timing template, which offers a moderate balance between speed and accuracy.

Timing templates are the most straightforward way to adjust scan speed and aggressiveness:

  • -T0: Paranoid — extremely slow, minimizes detection risk.
  • -T1: Sneaky — very slow and cautious.
  • -T2: Polite — slower than default, reduces network impact.
  • -T3: Normal — default setting, balanced performance.
  • -T4: Aggressive — faster, suitable for stable networks.
  • -T5: Insane — maximum speed, likely to trigger alarms.

Probe Delay

These options introduce or limit delays between probes:

nmap --scan-delay 500ms 192.168.1.1   # Fixed 500ms delay between probes
nmap --max-scan-delay 1s 192.168.1.1   # Cap adaptive delay at 1 second

Packet Rate

Control how many packets Nmap sends per second:

nmap --min-rate 100 192.168.1.1   # Send at least 100 packets per second
nmap --max-rate 50 192.168.1.1    # Send no more than 50 packets per second

Probe Parallelism

Control how many probes are sent simultaneously:

nmap --min-parallelism 10 192.168.1.1
nmap --max-parallelism 50 192.168.1.1

Host Group Size

Adjust how many hosts are scanned in parallel:

nmap --min-hostgroup 20 -iL targets.txt   # Scan at least 20 hosts at a time
nmap --max-hostgroup 100 -iL targets.txt  # Scan no more than 100 hosts at a time

Host Timeout

Abort scanning of any host that takes too long to respond:

nmap --host-timeout 2m 192.168.1.0/24   # Skip hosts that take longer than 2 minutes

This option ensures Nmap doesn’t get stuck on slow or unresponsive hosts, which is especially useful in large network scans. Without --host-timeout, Nmap uses adaptive timing based on network conditions — there is no fixed timeout by default, so scans may take significantly longer on unstable or firewalled hosts.

By default, Nmap scans hosts in the order listed. Use this option to shuffle the order — useful for evasion or load distribution:

nmap --randomize-hosts -iL targets.txt

Controlling Nmap Output

Nmap offers several options to adjust the level of detail in its output and to export scan results in different formats. These options are useful for debugging, scripting, reporting, or simply staying informed during long-running scans.

Verbosity and Debugging

Use -v or -vv to increase the verbosity of output. This provides more information during the scan process, such as probe stages, host discovery, and port analysis progress. Use it when you want more real-time feedback.

nmap -v 192.168.1.1     # Verbose output
nmap -vv 192.168.1.1    # Very verbose output

For even more insight into Nmap’s behavior, use -d, -d2, or higher debug levels. This shows internal logic and probe details — helpful for troubleshooting or understanding how a scan works.

nmap -d2 192.168.1.1    # Detailed debug output

Saving Output to Files

Nmap supports multiple output formats:

nmap -oN results.txt 192.168.1.1   # Saves standard output to results.txt
nmap -oX results.xml 192.168.1.1   # XML format
nmap -oG results.grep 192.168.1.1   # Grep-friendly output
nmap -oA scan 192.168.1.1   # All at once - scan.nmap, scan.xml, and scan.gnmap

Real-Time Scan Statistics

For monitoring long scans or large target lists, use --stats-every to get periodic updates during a scan.

nmap --stats-every 10s -iL targets.txt

Nmap Usage FAQ

If you’re new to Nmap, you’ll find answers to a few frequently asked questions below to help you get started.

What Is Nmap Used For?

Nmap (Network Mapper) is a powerful network scanning tool primarily used for port scanning, host discovery, and vulnerability assessment. Over the years, Nmap has continuously evolved with new features and updates, but its core purpose remains the same — to serve as an essential network scanner.

Key Uses of Nmap:

  • Network Exploration: Identifying live hosts and mapping network topologies.
  • Service Enumeration: Detecting services running on open ports and their versions.
  • Security Auditing: Assessing potential vulnerabilities in your network.

Nmap is widely used by organizations of all sizes, from small businesses to large enterprises, for tasks like semi-automated and manual port audits, host monitoring, penetration testing, and more.

At its core, Nmap works by analyzing IP packets to identify remote hosts, detect operating systems, and uncover running services. It sends specially crafted packets and waits for responses, which it then analyzes. The type of packet sent and the analysis methods depend on the user’s input — specifically, the options chosen when running the scan.


What are the basic Nmap functions?

Nmap is primarily employed to scan networks and gather comprehensive details about hosts. It is indispensable for penetration testers and network administrators who need to identify active devices, reveal open ports, detect running services, and deduce operating systems. By leveraging its extensive range of command options, Nmap can perform rapid scans for a quick overview or detailed investigations for deeper security insights.

Key Functions Include:

  • Host Discovery: Locating active devices on a network.
  • Port Enumeration: Identifying open, closed, and filtered ports.
  • Service Detection: Determining what applications and services are running on each port.
  • OS Fingerprinting: Inferring the operating systems in use.
  • Scripted Assessments: Utilizing NSE scripts to automate vulnerability detection and other custom checks.

Is Nmap Free?

Yes, Nmap is free for personal and most commercial uses. It is released as open source under a permissive license, allowing anyone to download, modify, and use it for network mapping and security assessments. However, Nmap uses a dual licensing model — while it’s free under the GPL for general use, a paid commercial license is required for proprietary redistribution or embedding it into closed-source software or commercial products. This model helps support ongoing development while keeping Nmap accessible to the security community.


Yes, Nmap is legal to use — when used responsibly and with proper authorization. The legality depends entirely on your intent and whether you have explicit permission to scan the target systems. Scanning your own infrastructure or systems where you have been clearly authorized is fully legal and a common practice in security assessments.

Important Points to Remember:

  • Always Get Permission: Never scan networks or systems that you don’t own or administer without documented consent.
  • Check Local Laws: Cybersecurity laws vary by country and region. When in doubt, consult legal guidance and obtain written authorization.
  • Act Ethically: Even if scanning is technically possible, ethical use ensures you avoid legal trouble and unintended consequences.

How to install Nmap?

Nmap is available on most platforms and can be easily installed using native package managers. Some Linux distributions, especially those tailored for penetration testing — like Kali Linux, Parrot OS, and BackBox — come with Nmap preinstalled.

Linux

For most general-purpose distributions, Nmap can be installed via the system’s package manager:

  • Debian/Ubuntu
    sudo apt update
    sudo apt install nmap
  • CentOS/RHEL (with EPEL)
    sudo dnf install epel-release
    sudo dnf install nmap
  • Fedora
  • Arch Linux

macOS

On macOS, the easiest way to install Nmap is via Homebrew:

Windows

On Windows, it is recommended to download the official installer from the Nmap download page. It includes the Nmap command-line tool, the Npcap packet capture driver (required for raw packet scanning), and optional components like Zenmap, Ncat, and Ndiff.

While the most common way to use Nmap is through the command-line interface (CLI), a graphical interface is also available. It’s called Zenmap, and it can be installed on most systems using the same method as installing Nmap itself.


Do Firewalls Block Nmap?

Yes — firewalls are designed to filter or block suspicious traffic and can interfere with Nmap scans by dropping probe packets, limiting responses, or making ports appear filtered. This can affect both host discovery and port scanning accuracy.

However, many of Nmap’s options allow users to bypass or analyze firewall behavior. Techniques such as adjusting probe types (-PS, -PA, -PU), using decoy addresses (-D), or tuning timing parameters (-T, --scan-delay) were already covered in earlier sections.

For more advanced evasion, Nmap also supports packet fragmentation (-f) and other stealth techniques.


Are there any easier-to-use Nmap alternatives?

Yes, several tools offer simpler or more user-friendly interfaces than Nmap.

Recommended Reading

Best Nmap Alternatives

For example, Angry IP Scanner and Zenmap provide graphical interfaces, while Masscan and ZMap focus on high-speed scanning. If you’re looking for a web-based, OSINT-friendly solution, try Netlas.

Calendar

Book Your Netlas Demo

Chat with our team to explore how the Netlas platform can support your security research and threat analysis.