Full Nmap Guide for Beginners

Complete Nmap Deep Dive — From Beginner to Confident User



Goal: After reading this guide, you should understand what Nmap does, how it works internally, and how to use it confidently for ethical security testing.


1. What Is Nmap?

Nmap (Network Mapper) is a network scanning and reconnaissance tool used to discover hosts, open ports, running services, operating systems, and potential security weaknesses on a network.

Security professionals use Nmap for:

  • Network discovery
  • Security auditing
  • Vulnerability detection
  • Firewall testing
  • Inventory management

Important: Only scan networks you own or have explicit permission to test.


2. How Nmap Works (Core Concepts)

Ports

Every networked host has 65,536 ports (0–65535) for each of TCP and UDP. An open port usually means a service is listening on it.

Common ports:

  • 22 → SSH
  • 80 → HTTP
  • 443 → HTTPS
  • 21 → FTP
  • 3306 → MySQL

States of a Port

  • Open – A service is accepting connections on the port
  • Closed – The port is reachable, but nothing is listening on it
  • Filtered – Nmap cannot tell whether the port is open because a firewall or filter is dropping its probes

Scan Types

Nmap uses different packet techniques to gather information:

  • TCP Connect Scan
  • SYN Scan (Stealth Scan)
  • UDP Scan
  • Ping Scan
  • Aggressive Scan
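To make the three port states and the difference between a SYN scan and a TCP connect scan concrete, here is an added Python model. It is not Nmap's code and sends nothing on the network: a constructed table stands in for the target host and its firewall, and the functions replay what the scanner would see for each reply. It also covers the ICMP "unreachable" reply, which Nmap reports as filtered just like a silently dropped probe.

```python
"""Toy model of the packet exchanges behind the port states Nmap reports.

Added illustration, not Nmap's code. No packets are sent: the TARGET table
below is a constructed stand-in for a host and the firewall in front of it.
"""
from dataclasses import dataclass, field

# Constructed target behaviour per TCP port:
#   "syn_ack"      a service answers the SYN          -> open
#   "rst"          the kernel refuses, nothing listens -> closed
#   "drop"         a firewall silently discards it     -> filtered
#   "icmp_unreach" a router/firewall answers with ICMP -> filtered
TARGET = {22: "syn_ack", 80: "syn_ack", 23: "rst", 3306: "drop", 5900: "icmp_unreach"}


def target_reply(port: int) -> str:
    # Ports not in the table behave like an ordinary closed port.
    return TARGET.get(port, "rst")


def classify(reply: str) -> str:
    """Map the observed reply to the state the guide describes."""
    return {"syn_ack": "open", "rst": "closed",
            "drop": "filtered", "icmp_unreach": "filtered"}[reply]


@dataclass
class Trace:
    port: int
    state: str = ""
    # What the scanner sees: "->" sent by the scanner, "<-" received from the target.
    events: list = field(default_factory=list)


def syn_scan(port: int) -> Trace:
    """-sS: send a raw SYN and judge the first reply; never finish the handshake."""
    t = Trace(port)
    t.events.append("-> SYN")
    reply = target_reply(port)
    if reply == "syn_ack":
        # Half-open: answer with RST so the connection never reaches ESTABLISHED
        # and the listening service never accept()s it.
        t.events += ["<- SYN/ACK", "-> RST"]
    elif reply == "rst":
        t.events.append("<- RST")
    elif reply == "icmp_unreach":
        t.events.append("<- ICMP unreachable")
    else:
        t.events.append("(no reply after retransmit; timeout)")
    t.state = classify(reply)
    return t


def connect_scan(port: int) -> Trace:
    """-sT: use the OS connect() call, so the three-way handshake completes."""
    t = Trace(port)
    t.events.append("-> SYN")
    reply = target_reply(port)
    if reply == "syn_ack":
        # Full handshake: the service accept()s the connection and can log it,
        # which is why -sS is called the stealth scan and -sT is not.
        t.events += ["<- SYN/ACK", "-> ACK", "-> FIN (close())"]
    elif reply == "rst":
        t.events.append("<- RST (connect() fails: connection refused)")
    elif reply == "icmp_unreach":
        t.events.append("<- ICMP unreachable (connect() fails)")
    else:
        t.events.append("(connect() times out)")
    t.state = classify(reply)
    return t


def scan(ports, method=syn_scan) -> dict:
    """Run one scan method over several ports and return {port: state}."""
    return {p: method(p).state for p in ports}


if __name__ == "__main__":
    for p in (22, 23, 3306, 5900, 8080):
        for m in (syn_scan, connect_scan):
            t = m(p)
            print(f"{m.__name__:12} port {p:5}: {t.state:8} {' '.join(t.events)}")
```

Both methods reach the same state for every port; what differs is the trace, and therefore what the target's service and its logs get to see. The SYN scan needs raw packet access, which is why the guide prefixes it with sudo.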

3. Installing Nmap

Linux (Debian/Ubuntu)

sudo apt install nmap

Arch Linux

sudo pacman -S nmap

Windows

Download the installer from the official Nmap website and follow the setup wizard.


4. Basic Nmap Commands (Foundation)

Scan a Single IP

nmap 192.168.1.1

Scan a Domain

nmap example.com

Scan Multiple Targets

nmap 192.168.1.1 192.168.1.2

Scan an Entire Subnet

nmap 192.168.1.0/24

5. Port Scanning Deep Dive

Scan Specific Ports

nmap -p 22,80,443 192.168.1.1

Scan All Ports

nmap -p- 192.168.1.1

Fast Scan (Top 100 Ports)

nmap -F 192.168.1.1

6. Service and Version Detection

nmap -sV 192.168.1.1

This identifies:

  • Service name
  • Software version
  • Potential outdated services

7. OS Detection

sudo nmap -O 192.168.1.1

This attempts to detect the operating system by fingerprinting how the target's TCP/IP stack responds to crafted probes. It needs raw packet access, which is why the command runs with sudo.


8. Aggressive Scan (Power Mode)

sudo nmap -A 192.168.1.1

This enables:

  • OS detection
  • Version detection
  • Script scanning
  • Traceroute

9. Nmap Scripting Engine (NSE)

NSE allows automation of vulnerability checks and deeper analysis.

Run Default Scripts

nmap -sC 192.168.1.1

Run Vulnerability Scripts

nmap --script vuln 192.168.1.1

Script categories include:

  • auth
  • brute
  • discovery
  • vuln
  • safe

10. Stealth and Performance Options

SYN Stealth Scan

sudo nmap -sS 192.168.1.1

Adjust Timing

nmap -T4 192.168.1.1

Timing levels range from T0 (slow) to T5 (fast).


11. Saving Output

Normal Output

nmap -oN scan.txt 192.168.1.1

XML Output

nmap -oX scan.xml 192.168.1.1

All Formats

nmap -oA fullscan 192.168.1.1
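The XML output is the format meant for tooling, and it is the one that keeps filtered-port counts and version-detection confidence values that are easy to overlook in the normal output. The following is an added Python example, not part of the guide and not Nmap's own code, that parses a -oX file into plain records and summarizes each host. The XML embedded in it is constructed to mirror the layout Nmap emits (nmaprun > host > address, hostnames, ports > port > state, service); a real file carries more attributes and elements, which the parser ignores.

```python
"""Summarize an Nmap -oX (XML) report.

Added example, not Nmap's code. SAMPLE_XML is a constructed document in the
shape Nmap writes; point parse_nmap_xml() at the text of a real scan.xml.
"""
import xml.etree.ElementTree as ET

SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 192.168.1.1" version="7.94">
<host>
<status state="up" reason="arp-response"/>
<address addr="192.168.1.1" addrtype="ipv4"/>
<hostnames><hostname name="router.lan" type="PTR"/></hostnames>
<ports>
<extraports state="filtered" count="996"/>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
<service name="ssh" product="OpenSSH" version="8.9p1" method="probed" conf="10"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
<service name="http" product="nginx" version="1.18.0" method="probed" conf="10"/></port>
<port protocol="tcp" portid="443"><state state="closed" reason="reset"/>
<service name="https" method="table" conf="3"/></port>
</ports>
</host>
<runstats><hosts up="1" down="0" total="1"/></runstats>
</nmaprun>
"""


def parse_nmap_xml(xml_text: str) -> list:
    """Return one dict per host that was up, with its ports and extraports."""
    root = ET.fromstring(xml_text)
    hosts = []
    for h in root.findall("host"):
        status = h.find("status")
        if status is not None and status.get("state") != "up":
            continue  # skip hosts that only appear as "down"
        addr = h.find("address[@addrtype='ipv4']")
        if addr is None:
            addr = h.find("address[@addrtype='ipv6']")
        name = h.find("hostnames/hostname")
        rec = {
            "addr": addr.get("addr") if addr is not None else None,
            "hostname": name.get("name") if name is not None else None,
            "ports": [],
            "extraports": {},  # state -> count of ports Nmap summarized away
        }
        for ep in h.findall("ports/extraports"):
            rec["extraports"][ep.get("state")] = int(ep.get("count", "0"))
        for p in h.findall("ports/port"):
            st = p.find("state")
            sv = p.find("service")
            rec["ports"].append({
                "port": int(p.get("portid")),
                "proto": p.get("protocol"),
                "state": st.get("state") if st is not None else "unknown",
                "reason": st.get("reason") if st is not None else None,
                "service": sv.get("name") if sv is not None else None,
                "product": sv.get("product") if sv is not None else None,
                "version": sv.get("version") if sv is not None else None,
                # "probed" means -sV actually talked to the service; "table" is
                # only the well-known name for that port number.
                "method": sv.get("method") if sv is not None else None,
                "conf": int(sv.get("conf", "0")) if sv is not None else 0,
            })
        hosts.append(rec)
    return hosts


def open_ports(host: dict) -> list:
    return [p for p in host["ports"] if p["state"] == "open"]


def filtered_total(host: dict) -> int:
    """Filtered ports listed individually plus those folded into extraports."""
    listed = sum(1 for p in host["ports"] if p["state"] == "filtered")
    return listed + host["extraports"].get("filtered", 0)


def report(hosts: list) -> list:
    """One human-readable line per host, then one per open port."""
    lines = []
    for h in hosts:
        lines.append(f"{h['addr']} ({h['hostname'] or '-'}): "
                     f"{len(open_ports(h))} open, {filtered_total(h)} filtered")
        for p in open_ports(h):
            ver = " ".join(x for x in (p["product"], p["version"]) if x) or "?"
            lines.append(f"  {p['port']}/{p['proto']} {p['service']} {ver} "
                         f"[{p['method']}, conf {p['conf']}]")
    return lines


if __name__ == "__main__":
    print("\n".join(report(parse_nmap_xml(SAMPLE_XML))))
```

Two things the summary surfaces that are easy to miss: the filtered count (996 here), which the guide lists under common beginner mistakes, and the service "method" and "conf" values, which tell you whether a version string came from an actual probe or just from the port-number table. Nmap's XML is your own output, but if you ever feed this parser files from a source you do not control, parse them with a hardened XML library rather than xml.etree.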

12. Real-World Workflow Example

  1. Discover live hosts (no port scan) → nmap -sn 192.168.1.0/24
  2. Scan open ports → sudo nmap -sS target
  3. Detect services → nmap -sV target
  4. Check vulnerabilities → nmap --script vuln target
  5. Save results → nmap -oA results target

13. Common Mistakes Beginners Make

  • Scanning without permission
  • Ignoring filtered ports
  • Using aggressive timing on production networks
  • Not saving output for documentation

14. Practice Environment Recommendations

  • Use a local lab with virtual machines
  • Install Linux targets intentionally vulnerable for testing
  • Practice inside a private network only

15. Final Thoughts

Nmap is not just a scanner. It is a reconnaissance framework. Mastering it means understanding networking fundamentals, TCP/IP behavior, and service enumeration.

Start simple. Practice consistently. Build a lab. Analyze every result carefully.

Once you can read Nmap output confidently, you are no longer guessing. You are investigating.
