Beginner to Advanced in NMAP: Complete Guide 2025
Introduction:
Nmap is indeed one of the most flexible tools in our cyber security arsenal in an ever-changing world of cyber security from day to day. It’s an open source tool and has been considered one of the essentials of network scanning, security auditing, and vulnerability testing. This article will walk you through everything: from basic Nmap commands to more complex ones and get you feeling comfortable at any level when using Nmap.
What is Nmap and Why Do We Use It?
Nmap is a free and open-source network scanner that helps us detect hosts, open ports, services, operating systems, and vulnerabilities on networks. It’s invaluable for both penetration testers and network administrators because it provides detailed insights that enhance network security.
Basic Nmap Commands
- Basic TCP Scan
nmap target_ipChecks for open TCP ports on the target, giving us a snapshot of the network’s entry points.
- UDP Scan
nmap -sU target_ipScans for open UDP ports, which are commonly associated with certain vulnerabilities.
- OS Detection
nmap -O target_ipIdentifies the operating system running on the target machine.
- Service Version Detection
nmap -sV target_ipHelps us determine the specific versions of services running on open ports.
- Aggressive Scan
nmap -A target_ipPerforms a comprehensive scan that includes OS detection, version detection, script scanning, and traceroute.
- Ping Scan
nmap -sn target_ip_rangeChecks if devices in a specified IP range are online without scanning open ports.
- Port Range Scan
nmap -p port_range target_ipScans only a specific range of ports on the target system.
- Script Scanning
nmap -sC target_ipRuns default Nmap scripts for common security checks, helpful for quick vulnerability assessments.
- Vulnerability Scan
nmap --script vuln target_ipUtilizes scripts to find potential vulnerabilities on the target system.
- Fast Scan
nmap -F target_ipA quicker scan that checks fewer ports, often used in large networks.
- Traceroute
nmap --traceroute target_ipIdentifies the path packets take from our device to the target.
- Firewall Detection
nmap -sA target_ipDetects firewalls by analyzing open and closed ports.
- IP Protocol Scan
nmap -sO target_ipChecks for supported IP protocols on the target.
- TCP SYN Ping
nmap -PS target_ipSends SYN packets to see if hosts are online without establishing a full connection.
- Idle Scan
nmap -sI zombie_ip target_ipUses a “zombie” host to perform a stealth scan, hiding our IP address from the target.

Advanced Nmap Commands
- Aggressive Service and OS Detection
nmap -A -T4 target_ipIncreases scan speed with aggressive OS and service detection, useful in time-sensitive scenarios.
- UDP Scan with Specific Ports
nmap -sU -p 53,67,161 target_ipScans specific UDP ports like DNS, DHCP, and SNMP.
- Top 1000 Ports Scan
nmap -p 1-1000 target_ipTargets the 1000 most commonly used ports, giving us a broader view of open services.
- Scan for Heartbleed Vulnerability
nmap --script ssl-heartbleed target_ipChecks for the Heartbleed vulnerability in SSL/TLS, crucial for sites with sensitive data.
- Script Category Scan
nmap --script default target_ipExecutes default scripts, a useful command to start vulnerability assessments.
- Custom Script Scan
nmap --script=script_name.nse target_ipRuns specific custom scripts from the Nmap Scripting Engine.
- Scan with a Specific NSE Script Argument
nmap --script script_name.nse --script-args arg=value target_ipProvides arguments to specific scripts, allowing us to customize the scan.
- Exclude Hosts from Scan
nmap target_ip_range --exclude host_to_excludeSkips specific IPs within a scan range.
- IP Range Scan with Output to a File
nmap -oX output_file.xml target_ip_rangeSaves scan results to an XML file for easier parsing.
- Version Detection with Intensity
nmap -sV --version-intensity 5 target_ipIncreases version detection detail, useful for distinguishing between service versions.
- Timing and Packet Tweak
nmap -T4 --ttl 128 target_ipSpeeds up scan timing and adjusts packet TTL, ideal for quicker scans.
- Scan Multiple Targets from a File
nmap -iL target_file.txtLoads target IPs from a file, efficient for scanning large networks.
- Scan for HTTP Vulnerabilities
nmap --script http-vuln* target_ipUses scripts for common HTTP-related vulnerabilities, vital for web server security.
- Scan IPv6 Addresses
nmap -6 target_ipv6Specifically targets IPv6 addresses.
- Scan for SMB Vulnerabilities
nmap --script smb-vuln* target_ipChecks for SMB vulnerabilities, essential for securing Windows networks.
Conclusion
This guide is used to create a foundation on how to use Nmap, from basic commands to more advanced commands. Nmap is certainly one of the tools forming part of our cybersecurity toolbox, and we can use it to determine which ports are open for finding vulnerabilities, assessing what is running on ports as a service, or just find ways into an organization that are not noticed.
Disclaimer
This is an education guide for you to be able to develop hands-on skills in cybersecurity safely and legally. The tool covered here is Nmap. It is meant to use only for ethical and legal purposes. Scanning networks or probing them without authority is illegal and carries dire consequences. Our mission is to empower you as a cybersecurity professional, whether you are preparing for certifications like OSCP or CEH or simply expanding your knowledge. Always use these tools responsibly, ethically, and within the boundaries of the law to make cybersecurity a priority for everyone.
References
- External
- Internal

