
Nmap: The Ultimate Network Scanning & Reconnaissance Guide for OSINT

Notion

What is Nmap?

Nmap (Network Mapper) is a free, open-source tool for network discovery and security auditing. Created by Gordon "Fyodor" Lyon, it's arguably the most widely used network scanning tool in the world. Nmap uses raw IP packets to determine what hosts are available on the network, what services those hosts are offering, what operating systems they're running, what type of firewalls are in use, and dozens of other characteristics.

In the context of OSINT and penetration testing, Nmap is typically the first tool you reach for during the reconnaissance phase. It maps the attack surface by identifying open ports, running services, and potential vulnerabilities — all from a single command-line interface.

Legal Notice: Only scan networks and systems you own or have explicit written permission to test. Unauthorized scanning can be prosecuted under the CFAA in the US and under similar computer-misuse laws elsewhere. For practice, use scanme.nmap.org (Nmap's official test target; it authorizes port scanning, a few runs a day, but not brute-force or exploitation attempts) or set up your own lab.


Installation

On Kali Linux (Pre-installed)

Nmap comes pre-installed on Kali Linux. Verify with:

nmap --version

Expected Output:

Nmap version 7.94SVN ( https://nmap.org )
Platform: x86_64-pc-linux-gnu
Compiled with: liblua-5.4.6 openssl-3.0.13 libssh2-1.11.0 libz-1.3 libpcre-8.39 nmap-libpcap-1.10.4 nmap-libpcre-7.6 nmap-libdnet-1.12 ipv6
Compiled without:
Available nsock engines: epoll poll select

Install on Debian/Ubuntu

sudo apt update && sudo apt install nmap

Install on macOS

brew install nmap

Install on Windows

Download the installer from nmap.org/download. The Windows installer includes Zenmap (GUI frontend) and Npcap, the packet capture driver Nmap needs on Windows for raw-packet scans such as -sS and -O.


Core Concepts

Port States in Nmap:

  • open — An application is actively accepting TCP connections or UDP datagrams on this port
  • closed — The port is reachable (the probe drew a RST or an ICMP port unreachable) but no application is listening
  • filtered — A firewall or filter is dropping the probe, so Nmap can't tell whether the port is open
  • unfiltered — The port is reachable, but Nmap can't tell open from closed; only the ACK scan (-sA) produces this state
  • open|filtered — Nmap can't tell whether the port is open or filtered; typical of UDP, FIN, NULL and Xmas scans, where an open port sends nothing back
  • closed|filtered — Nmap can't tell whether the port is closed or filtered; only the idle scan (-sI) produces this state

Scan Phases:

  1. Host Discovery — Which hosts are alive?
  2. Port Scanning — Which ports are open?
  3. Service/Version Detection — What's running on those ports?
  4. OS Detection — What operating system is the host running?
  5. Script Scanning — Run NSE scripts for deeper enumeration

Host Discovery (Is the Target Alive?)

Basic Ping Scan (No Port Scan)

nmap -sn 192.168.1.0/24

Expected Output:

Starting Nmap 7.94SVN ( https://nmap.org )
Nmap scan report for router.local (192.168.1.1)
Host is up (0.0031s latency).
MAC Address: A4:08:F5:12:34:56 (TP-Link Technologies)
Nmap scan report for desktop.local (192.168.1.10)
Host is up (0.0045s latency).
MAC Address: 00:1A:2B:3C:4D:5E (Intel Corporate)
Nmap scan report for kali.local (192.168.1.50)
Host is up.
Nmap done: 256 IP addresses (3 hosts up) scanned in 2.54 seconds

The -sn flag tells Nmap to skip port scanning and only check whether hosts are alive. On a local Ethernet segment, run as root, it does this with ARP requests (which is why MAC addresses and vendors appear above). For remote targets it sends an ICMP echo request, a TCP SYN to port 443, a TCP ACK to port 80 and an ICMP timestamp request, and a reply to any of them marks the host up. Unprivileged users get a TCP connect() to ports 80 and 443 instead.

ARP Scan (Local Network Only)

nmap -PR -sn 192.168.1.0/24

ARP scans are faster and more reliable on a local network because every host on the segment has to answer ARP to communicate at all, so hosts that drop ICMP or filter TCP still show up. Nmap already defaults to ARP for local Ethernet targets when run as root; -PR just makes that explicit. ARP doesn't cross routers, so it is useless against remote targets.

TCP SYN Ping

nmap -PS22,80,443 -sn scanme.nmap.org

Expected Output:

Starting Nmap 7.94SVN ( https://nmap.org )
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.071s latency).
Nmap done: 1 IP address (1 host up) scanned in 0.35 seconds

Sends TCP SYN packets to ports 22, 80, and 443 to check if the host responds.

ICMP Echo Ping

nmap -PE -sn scanme.nmap.org

Disable Ping (Assume Host is Up)

nmap -Pn scanme.nmap.org

Useful when the target drops ping probes. Nmap skips host discovery and treats every address as up, so on a large range it spends the full port-scan timeout on every dead address. Use it on specific hosts, not whole /16s.


Port Scanning Techniques

Basic TCP Connect Scan

nmap -sT scanme.nmap.org

Expected Output:

Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-03-06 11:49 PST
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.071s latency).
Not shown: 992 closed tcp ports (conn-refused)
PORT      STATE    SERVICE
22/tcp    open     ssh
25/tcp    filtered smtp
80/tcp    open     http
135/tcp   filtered msrpc
139/tcp   filtered netbios-ssn
445/tcp   filtered microsoft-ds
9929/tcp  open     nping-echo
31337/tcp open     Elite
 
Nmap done: 1 IP address (1 host up) scanned in 5.23 seconds

SYN Stealth Scan (Default, requires root)

sudo nmap -sS scanme.nmap.org

The SYN scan never completes the TCP handshake: it sends SYN, receives SYN/ACK (port open) or RST (port closed), and answers a SYN/ACK with a RST instead of an ACK. It is faster than a full connect scan and earned the "stealth" label because the half-open connection never reaches the application, so it stays out of application logs. Any modern firewall or IDS logs it just the same, so don't count on it being invisible. It needs raw-socket privileges, which is why it is the default only when run as root; unprivileged runs fall back to -sT.

Scan Specific Ports

nmap -p 22,80,443,8080 scanme.nmap.org

Scan a Port Range

nmap -p 1-1000 scanme.nmap.org

Scan ALL 65535 Ports

nmap -p- scanme.nmap.org

This takes longer than the default (the 1,000 most common ports) but finds services running on non-standard ports.

Scan Top N Ports

nmap --top-ports 100 scanme.nmap.org

UDP Scan

sudo nmap -sU --top-ports 20 scanme.nmap.org

Expected Output:

Starting Nmap 7.94SVN ( https://nmap.org )
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.071s latency).
 
PORT      STATE         SERVICE
53/udp    open|filtered domain
67/udp    open|filtered dhcps
68/udp    open|filtered dhcpc
69/udp    open|filtered tftp
111/udp   open|filtered rpcbind
123/udp   open          ntp
135/udp   open|filtered msrpc
137/udp   open|filtered netbios-ns
138/udp   open|filtered netbios-dgm
139/udp   open|filtered netbios-ssn
161/udp   open|filtered snmp
162/udp   open|filtered snmptrap
445/udp   open|filtered microsoft-ds
500/udp   open|filtered isakmp
514/udp   open|filtered syslog
520/udp   open|filtered route
631/udp   open|filtered ipp
1434/udp  open|filtered ms-sql-m
1900/udp  open|filtered upnp
4500/udp  open|filtered nat-t-ike

UDP scans are slow for two reasons. UDP is connectionless, so an open port that ignores an empty probe looks exactly like a filtered one; that is why most results above are open|filtered, and Nmap only reports open when a service actually answers (123/ntp above). Closed ports do answer, with ICMP port unreachable, but Linux rate-limits those to about one per second, so a full 65535-port UDP scan can take many hours. Adding -sV makes Nmap send protocol-specific payloads that coax replies out of common services and turns many open|filtered results into open or closed.
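The port states listed under Core Concepts, the SYN handshake explanation and the UDP paragraph above all come down to one table: what Nmap concludes from the single response, or silence, that a probe gets back. The Python below is an added example, not code from the original post or from Nmap itself; it models those decision rules for SYN/connect, ACK, UDP and FIN-style scans. The response labels and the two observation sets are constructed for the example.

```python
# Added example (not from the original post): the decision rules Nmap applies
# to the single response, or silence, that comes back from a probe, for the
# scan types covered above. Probe outcomes are constructed string labels.

SYN_ACK = "syn-ack"              # TCP SYN/ACK: something is listening
RST = "rst"                      # TCP RST: reachable, nothing listening
UDP_REPLY = "udp-reply"          # any UDP payload came back
ICMP_PORT_UNREACH = "icmp-3-3"   # ICMP type 3 code 3: port unreachable
ICMP_ADMIN_UNREACH = "icmp-3-x"  # ICMP type 3 codes 1,2,9,10,13: filtered
NO_RESPONSE = "none"             # nothing after all retransmissions


def port_state(scan: str, response: str) -> str:
    """Nmap port state for one probe.

    scan: "syn" (-sS, and -sT which has the same outcomes), "ack" (-sA),
          "udp" (-sU) or "fin" (-sF; -sN and -sX share its rules).
    """
    if scan == "syn":
        if response == SYN_ACK:
            return "open"
        if response == RST:
            return "closed"
        # Silence or an ICMP unreachable: something dropped the probe
        return "filtered"

    if scan == "ack":
        # ACK scan maps firewall rules, not listeners: a RST proves the
        # port is not filtered but says nothing about open vs closed
        return "unfiltered" if response == RST else "filtered"

    if scan == "udp":
        if response == UDP_REPLY:
            return "open"
        if response == ICMP_PORT_UNREACH:
            return "closed"
        if response == ICMP_ADMIN_UNREACH:
            return "filtered"
        # An open service that ignores the probe and a firewall that drops
        # it look identical, hence the ambiguous state
        return "open|filtered"

    if scan == "fin":
        # RFC 793: a closed port answers a lone FIN with RST, an open port
        # stays silent, so silence is again ambiguous
        if response == RST:
            return "closed"
        if response in (ICMP_PORT_UNREACH, ICMP_ADMIN_UNREACH):
            return "filtered"
        return "open|filtered"

    raise ValueError(f"unknown scan type: {scan}")


def summarize(scan: str, observations: dict) -> dict:
    """Group ports by inferred state, like the per-state listing Nmap prints."""
    by_state = {}
    for port, response in sorted(observations.items()):
        by_state.setdefault(port_state(scan, response), []).append(port)
    return by_state


# Constructed observations loosely modelled on the scanme.nmap.org listings above
SYN_OBSERVATIONS = {22: SYN_ACK, 25: NO_RESPONSE, 80: SYN_ACK,
                    443: RST, 445: ICMP_ADMIN_UNREACH}
UDP_OBSERVATIONS = {53: NO_RESPONSE, 123: UDP_REPLY, 161: NO_RESPONSE,
                    9999: ICMP_PORT_UNREACH}

if __name__ == "__main__":
    for scan, obs in (("syn", SYN_OBSERVATIONS), ("udp", UDP_OBSERVATIONS)):
        for state, ports in summarize(scan, obs).items():
            print(f"-s{scan[0].upper()} {state:<14} {ports}")
```

Two things the model makes visible that the listings alone don't: a silent port is "filtered" under a SYN scan but "open|filtered" under a UDP or FIN scan, because only the SYN scan expects every reachable port to answer; and the ACK scan never says "open" at all, which is why it is a firewall-mapping tool rather than a port scanner.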

Combined TCP + UDP Scan

sudo nmap -sS -sU -p T:22,80,443,U:53,161 scanme.nmap.org

Service and Version Detection

Detect Service Versions

nmap -sV scanme.nmap.org

Expected Output:

Starting Nmap 7.94SVN ( https://nmap.org )
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.071s latency).
Not shown: 992 closed tcp ports (conn-refused)
PORT      STATE    SERVICE      VERSION
22/tcp    open     ssh          OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)
25/tcp    filtered smtp
80/tcp    open     http         Apache httpd 2.4.7 ((Ubuntu))
135/tcp   filtered msrpc
139/tcp   filtered netbios-ssn
445/tcp   filtered microsoft-ds
9929/tcp  open     nping-echo   Nping echo
31337/tcp open     tcpwrapped
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
 
Service detection performed. Please report any incorrect results at https://nmap.org/submit/.
Nmap done: 1 IP address (1 host up) scanned in 12.15 seconds

This reveals the software behind each port, which is the starting point for looking up known CVEs. Treat the version string as a banner, not ground truth: it can be faked, and distribution packages such as the "Ubuntu 2ubuntu2.13" build above carry backported security fixes, so matching the upstream version number alone overstates exposure. "tcpwrapped" on 31337 means the TCP handshake completed but the connection was closed without any data, typically an access-control wrapper in front of the service.

Increase Version Detection Intensity

nmap -sV --version-intensity 9 scanme.nmap.org

Scale is 0-9. Higher values try more probes but take longer.

Light Version Detection

nmap -sV --version-light scanme.nmap.org

OS Detection

Detect Operating System

sudo nmap -O scanme.nmap.org

Expected Output:

Starting Nmap 7.94SVN ( https://nmap.org )
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.071s latency).
Not shown: 992 closed tcp ports (reset)
PORT      STATE    SERVICE
22/tcp    open     ssh
25/tcp    filtered smtp
80/tcp    open     http
135/tcp   filtered msrpc
139/tcp   filtered netbios-ssn
445/tcp   filtered microsoft-ds
9929/tcp  open     nping-echo
31337/tcp open     Elite
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 10 hops
 
OS detection performed. Please report any incorrect results at https://nmap.org/submit/.
Nmap done: 1 IP address (1 host up) scanned in 8.42 seconds

Aggressive OS Guessing

sudo nmap -O --osscan-guess scanme.nmap.org

--osscan-guess prints the closest matches even when no fingerprint matches confidently. OS detection needs at least one open and one closed TCP port to be reliable; against heavily filtered hosts expect "No exact OS matches" and treat any guess as a hint, not a finding.

Nmap Scripting Engine (NSE)

NSE is one of Nmap's most powerful features: a Lua engine with 600+ bundled scripts, organized into categories, that run against the hosts and services the scan has found.

Run Default Scripts

nmap -sC scanme.nmap.org

Expected Output (relevant portion):

PORT   STATE SERVICE
22/tcp open  ssh
| ssh-hostkey:
|   1024 ac:00:a0:1a:82:ff:cc:55:99:dc:67:2b:34:97:6b:75 (DSA)
|   2048 20:3d:2d:44:62:2a:b0:5a:9d:b5:b3:05:14:c2:a6:b2 (RSA)
|   256 96:02:bb:5e:57:54:1c:4e:45:2f:56:4c:4a:24:b2:57 (ECDSA)
|_  256 33:fa:91:0f:e0:e1:7b:1f:6d:05:a2:b0:f1:07:3d:5d (ED25519)
80/tcp open  http
|_http-title: Go ahead and ScanMe!

http-headers is not a default-category script, so it only runs when requested with --script http-headers; on this host it returns the Server: Apache/2.4.7 (Ubuntu) header that -sV also reports.

Run Specific Script

nmap --script http-title scanme.nmap.org

Run Script Category

nmap --script vuln scanme.nmap.org

The vuln category runs every vulnerability-check script, and several of those are also tagged intrusive. That is fine on a lab host; against scanme.nmap.org, whose terms allow port scanning but not exploitation or brute-force attempts, stick to the safe category.

Common NSE Categories:

  • auth — Authentication-related checks (anonymous logins, default credentials)
  • broadcast — Discover hosts via broadcast on the local network
  • brute — Brute-force credential attacks
  • default — Default scripts (same as -sC)
  • discovery — Service and host discovery
  • dos — Scripts that may cause a denial of service; run only where an outage is acceptable
  • exploit — Active exploitation of a vulnerability
  • external — Scripts that query third-party services (WHOIS, geolocation)
  • fuzzer — Fuzzing scripts
  • intrusive — Scripts that may crash or disrupt services, or leave traces in logs
  • malware — Checks whether the target is infected with malware or backdoors
  • safe — Scripts unlikely to crash services or be flagged as attacks
  • version — Scripts that enhance version detection (run automatically with -sV)
  • vuln — Vulnerability detection

Useful OSINT NSE Scripts

HTTP enumeration:

nmap --script http-enum -p 80,443 target.com

http-enum requests a long list of well-known paths (admin panels, backup files, framework directories), so it is tagged intrusive and is plainly visible in the target's web server logs.

DNS brute force:

nmap --script dns-brute target.com

dns-brute guesses subdomains from a built-in wordlist and resolves them through your configured DNS resolver rather than probing the target host, which makes it the closest thing in Nmap to passive OSINT.

Expected Output:

Host script results:
| dns-brute:
|   DNS Brute-force hostnames:
|     www.target.com - 93.184.216.34
|     mail.target.com - 93.184.216.35
|     ftp.target.com - 93.184.216.36
|     dev.target.com - 93.184.216.37
|_    staging.target.com - 93.184.216.38

SSL certificate info:

nmap --script ssl-cert -p 443 example.com

ssl-cert prints the subject, issuer, validity dates and Subject Alternative Names; the SAN list is a quick source of additional hostnames to feed back into recon.

WHOIS lookup:

nmap --script whois-domain target.com

whois-domain queries public WHOIS servers (external category), so the lookup is visible to those services, not to the target.

SMB vulnerability check:

nmap --script "smb-vuln*" -p 445 target

Quote the wildcard so the shell doesn't expand it against files in the current directory. Several smb-vuln scripts are intrusive and can crash unpatched hosts; run them only with explicit authorization.

List All Available Scripts

ls /usr/share/nmap/scripts/ | wc -l
ls /usr/share/nmap/scripts/ | grep http | head -20

The directory holds the .nse files plus script.db, the category index Nmap consults. To read what a script does before running it, pass its name or a category to nmap --script-help, which prints the documentation without scanning anything.

Output Formats

Normal Output to File

nmap -oN scan_results.txt scanme.nmap.org

XML Output (Best for Parsing)

nmap -oX scan_results.xml scanme.nmap.org

Grepable Output

nmap -oG scan_results.gnmap scanme.nmap.org

Example Grepable Line:

Host: 45.33.32.156 (scanme.nmap.org) Ports: 22/open/tcp//ssh//OpenSSH 6.6.1p1/, 80/open/tcp//http//Apache httpd 2.4.7/

One line per host, fields separated by tabs, ports separated by ", ". Grepable output is officially deprecated and omits NSE script output, so use XML for anything beyond a quick one-liner.

All Formats at Once

nmap -oA scan_results scanme.nmap.org

Creates scan_results.nmap, scan_results.xml, and scan_results.gnmap.


Speed & Timing Templates

nmap -T4 -F scanme.nmap.org

Timing templates run from -T0 (paranoid: one probe at a time with minutes between them, for IDS evasion) to -T5 (insane: drops results on anything but a fast LAN). -T3 is the default and -T4 is the usual choice on reliable networks. -F scans only the top 100 ports for extra speed.


Evasion Techniques

Fragment Packets

sudo nmap -f scanme.nmap.org

-f splits each probe into 8-byte IP fragments so a filter that inspects only the first fragment never sees a complete TCP header. Most current firewalls and IDS reassemble before inspecting, and a scanning host running iptables connection tracking reassembles its own outgoing fragments before they leave, so confirm with a packet capture that fragments actually reach the wire.

Decoy Scan

sudo nmap -D RND:5 scanme.nmap.org

Generates 5 random decoy addresses that appear to also be scanning the target. Your real address is mixed in among them, so this hides you in noise rather than keeping you out of the logs, and the spoofed packets can draw abuse complaints on whoever owns the random addresses. Decoys need root, since the packets are crafted with spoofed sources.

Spoof Source Port

sudo nmap --source-port 53 scanme.nmap.org

Some poorly written stateless filters allow anything with source port 53 (DNS) or 20 (FTP data) through. Stateful firewalls are unaffected. -g is the short form of --source-port.

Idle/Zombie Scan

sudo nmap -sI zombie_host:port target

The ultimate in stealth: Nmap sends SYNs spoofed from a third-party "zombie" host and infers each port's state from how the zombie's IP ID counter advances, so your IP never appears in the target's logs. It needs a zombie that is truly idle and uses a predictable, globally incrementing IP ID (Nmap checks this first and refuses unusable zombies), and it is the zombie's owner, not the target, who sees your probes. The optional port after the colon is the zombie port to probe, 80 by default.
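The IP ID trick is easier to trust once you have traced it. The Python below is an added example, not code from the original post or from Nmap: a purely in-memory model of one idle-scan round trip, with a zombie whose IP ID counter advances on every packet it sends, a target with open, closed and filtered ports, and an attacker that never sends a packet to the target from its own address. All three addresses are constructed from the RFC 5737 documentation ranges.

```python
# Added example (not from the original post): an in-memory model of the idle
# scan. The zombie, target and attacker addresses below are constructed
# (RFC 5737 documentation ranges); nothing here touches a real network.
from dataclasses import dataclass, field


@dataclass
class Zombie:
    """Idle host whose IP ID counter advances by one for every packet it sends."""
    ip: str
    ip_id: int = 1000
    busy: bool = False   # a busy zombie emits unrelated traffic and spoils the count

    def receive(self, flags: str) -> None:
        if flags == "SYN/ACK":   # an unsolicited SYN/ACK is answered with a RST
            self.ip_id += 1
        # a RST gets no reply (RFC 793), so nothing is sent in that case
        if self.busy:            # background chatter also consumes IP IDs
            self.ip_id += 1


@dataclass
class Target:
    """Target whose TCP ports are 'open', 'closed' or 'filtered'."""
    ip: str
    ports: dict
    seen_sources: set = field(default_factory=set)

    def receive_syn(self, src_ip: str, dport: int, zombie: Zombie) -> None:
        self.seen_sources.add(src_ip)        # this is what the target's logs record
        state = self.ports.get(dport, "closed")
        if state == "open":
            zombie.receive("SYN/ACK")        # reply goes to the spoofed source
        elif state == "closed":
            zombie.receive("RST")
        # filtered: the probe is dropped and nothing reaches the zombie


class Attacker:
    def __init__(self, ip: str, zombie: Zombie, target: Target):
        self.ip, self.zombie, self.target = ip, zombie, target

    def probe_zombie_ipid(self) -> int:
        """Send the zombie a SYN/ACK from our own address, read the IP ID off its RST."""
        self.zombie.receive("SYN/ACK")
        return self.zombie.ip_id

    def zombie_is_idle(self) -> bool:
        """Nmap's sanity check: two back-to-back probes must differ by exactly one."""
        first = self.probe_zombie_ipid()
        return self.probe_zombie_ipid() - first == 1

    def scan_port(self, port: int) -> str:
        before = self.probe_zombie_ipid()
        # The SYN carries the zombie's address as source, never ours
        self.target.receive_syn(self.zombie.ip, port, self.zombie)
        delta = self.probe_zombie_ipid() - before
        if delta == 2:          # zombie sent a RST to the target, then one to us
            return "open"
        if delta == 1:          # only our own probe was answered
            return "closed|filtered"
        return "unknown"        # zombie stopped being idle; Nmap would retry


def run_idle_scan(target_ports: dict, ports: list, busy: bool = False):
    """Return (port -> state, set of source addresses the target saw)."""
    zombie = Zombie("203.0.113.5", busy=busy)
    target = Target("198.51.100.20", target_ports)
    attacker = Attacker("192.0.2.10", zombie, target)
    if not attacker.zombie_is_idle():
        return {}, target.seen_sources   # unusable zombie: Nmap refuses it too
    return {p: attacker.scan_port(p) for p in ports}, target.seen_sources


if __name__ == "__main__":
    results, seen = run_idle_scan({22: "open", 25: "filtered", 80: "open"},
                                  [22, 25, 80, 443])
    print(results)                 # 22 and 80 open, 25 and 443 closed|filtered
    print("target saw:", seen)     # only the zombie's address
```

The run shows why the result set is open versus closed|filtered and never just closed: a closed port makes the target send the zombie a RST, a filtered port makes it send nothing, and in both cases the zombie's counter moves only for the attacker's own probe. Flip busy to True and the idle check fails, which is the same reason Nmap discards zombies whose IP ID sequence it cannot predict.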


Real-World OSINT Workflow

Step 1: Quick Discovery

nmap -sn -T4 192.168.1.0/24 -oG hosts_alive.gnmap
# Pull the live addresses out for the next step
grep 'Status: Up' hosts_alive.gnmap | awk '{print $2}' > live_hosts.txt

Step 2: Fast Port Scan on Live Hosts

sudo nmap -sS -T4 --top-ports 1000 -iL live_hosts.txt -oA quick_scan

-sS needs raw sockets, hence sudo. --top-ports 1000 is Nmap's default port set, so it is spelled out here for clarity rather than speed.

Step 3: Deep Scan on Interesting Hosts

sudo nmap -sV -sC -O -p- -T4 target_ip -oA deep_scan

Step 4: Vulnerability Assessment

nmap --script vuln -p 22,80,443,3306,8080 target_ip -oA vuln_scan

Step 5: Parse Results

# Extract every host that has at least one open port
grep '/open/' quick_scan.gnmap | awk '{print $2}' | sort -u
 
# Find all hosts with port 80 open (the leading space keeps 8080/open and 1080/open from matching)
grep ' 80/open/' quick_scan.gnmap | awk '{print $2}'
 
# Convert XML to an HTML report using the stylesheet the XML references
xsltproc deep_scan.xml -o report.html
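Once a scan grows past a one-liner, the XML output is the thing to parse, as the Output Formats section says. The Python below is an added example, not code from the original post or from the Nmap project: it reads Nmap's -oX format with the standard library and answers the same questions as the grep pipeline above, but by exact port number, so 8080 can never be mistaken for 80. The XML is constructed for the example; its scanme.nmap.org host mirrors the -sV listing earlier on the page, and the second host, its addresses and the down host are made up to exercise the edge cases.

```python
# Added example (not from the original post): parse Nmap XML (-oX) into flat
# records and query them. SAMPLE_XML is constructed for this example.
import xml.etree.ElementTree as ET

SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" version="7.94SVN">
  <host>
    <status state="up" reason="syn-ack"/>
    <address addr="45.33.32.156" addrtype="ipv4"/>
    <hostnames><hostname name="scanme.nmap.org" type="user"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="6.6.1p1 Ubuntu 2ubuntu2.13"/></port>
      <port protocol="tcp" portid="25"><state state="filtered" reason="no-response"/>
        <service name="smtp"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
        <service name="http" product="Apache httpd" version="2.4.7"/></port>
      <port protocol="tcp" portid="31337"><state state="open" reason="syn-ack"/>
        <service name="tcpwrapped"/></port>
    </ports>
  </host>
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="192.168.1.10" addrtype="ipv4"/>
    <hostnames><hostname name="desktop.local" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="445"><state state="open" reason="syn-ack"/>
        <service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="8080"><state state="open" reason="syn-ack"/>
        <service name="http-proxy"/></port>
    </ports>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="192.168.1.77" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text: str) -> list:
    """Flatten every port of every live host into one dict per port."""
    records = []
    for host in ET.fromstring(xml_text).findall("host"):
        if host.find("status").get("state") != "up":
            continue                       # down hosts carry no port data
        ip = host.find("address[@addrtype='ipv4']").get("addr")
        hn = host.find("hostnames/hostname")
        for port in host.findall("ports/port"):
            svc = port.find("service")     # absent when no service was identified
            product = svc.get("product") if svc is not None else None
            version = svc.get("version") if svc is not None else None
            records.append({
                "ip": ip,
                "hostname": hn.get("name") if hn is not None else "",
                "proto": port.get("protocol"),
                "port": int(port.get("portid")),
                "state": port.find("state").get("state"),
                "service": svc.get("name", "") if svc is not None else "",
                "version": " ".join(p for p in (product, version) if p),
            })
    return records


def hosts_with_open_port(records: list, port: int, proto: str = "tcp") -> list:
    """Exact-match equivalent of the '80/open' grep, immune to 8080/1080."""
    return sorted({r["ip"] for r in records
                   if r["port"] == port and r["proto"] == proto and r["state"] == "open"})


def open_ports_by_host(records: list) -> dict:
    """Equivalent of the first grep: every host with its open ports."""
    out = {}
    for r in records:
        if r["state"] == "open":
            out.setdefault(r["ip"], []).append(r["port"])
    return {ip: sorted(ports) for ip, ports in out.items()}


if __name__ == "__main__":
    recs = parse_nmap_xml(SAMPLE_XML)
    print(open_ports_by_host(recs))
    print("port 80 open on:", hosts_with_open_port(recs, 80))
    print("port 8080 open on:", hosts_with_open_port(recs, 8080))
```

Swap SAMPLE_XML for open("deep_scan.xml").read() to run it on real output. The same structure (host, ports/port, state, service) is what the Nmap XML DTD guarantees, which is why parsing it is safer than regexing the deprecated grepable lines.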

Useful Flag Reference

  • -sn: host discovery only, no port scan
  • -Pn: skip host discovery and treat every target as up
  • -PR, -PS22,80,443, -PE: ARP, TCP SYN and ICMP echo discovery probes
  • -sS, -sT, -sU: SYN scan (root), connect scan, UDP scan (root)
  • -p 22,80 / -p 1-1000 / -p- / --top-ports N / -F: port selection
  • -sV: service and version detection (--version-intensity 0-9, --version-light)
  • -O: OS detection (root; --osscan-guess for closest matches)
  • -sC, --script name or category: default NSE scripts, chosen scripts
  • -oN, -oX, -oG, -oA base: normal, XML, grepable, all three at once
  • -T0 to -T5: timing templates
  • -iL file: read targets from a file
  • -f, -D RND:5, --source-port 53, -sI zombie: evasion options

Summary

Nmap is the foundational reconnaissance tool for any security professional. Its combination of host discovery, port scanning, service detection, OS fingerprinting, and scriptable enumeration makes it indispensable for OSINT work. Master the basics first (SYN scan, version detection, default scripts), then explore NSE scripting for targeted enumeration.

Key Takeaways:

  • Use -sS for fast half-open SYN scanning (requires root; -sT otherwise)
  • Use -sV -sC for service detection with default scripts
  • Use -O for OS fingerprinting
  • Use -T4 for speed on reliable networks
  • Use -oA to save all output formats
  • Use --script vuln for quick vulnerability assessment
  • Always get authorization before scanning any network you don't own