
by x32x01
Nmap (Network Mapper) is the go-to open-source tool for network discovery and security auditing. Use it to find live hosts, open ports, running services, OS details, and basic vulnerabilities. Below are the most useful commands and quick explanations for day-to-day recon and triage.
Contents
- Basic host discovery: find live hosts quickly on a network.
- Common port scans: identify open TCP/UDP ports.
- OS and version detection: get OS fingerprints and deeper service info.
- NSE (Nmap Scripting Engine) - quick checks: Nmap ships with scripts for discovery and vulnerability checks; use them to gather app-specific details, but run them safely and with permission.
- Scan timing & stealth tips: control scan speed and stealthiness.
- Output formats & reporting: save results for later analysis; XML is handy for automated parsing.
- Quick service checks & banner grabbing: grab application banners for simple fingerprinting.
- Examples for common workflows
- Troubleshooting & tips
- Where to go next
Basic host discovery
Find live hosts quickly on a network. Bash:
# Ping scan (fast host discovery)
nmap -sn 192.168.1.0/24
# ARP-based discovery (local LAN, more reliable); -PR is Nmap's ARP ping option
sudo nmap -sn -PR 192.168.1.0/24
Use -sn when you only need to know which IPs are up (no port scan).

Common port scans
Identify open TCP/UDP ports. Bash:
# Ports 1-1000 + service detection (SYN scan needs root)
sudo nmap -sS -sV -p 1-1000 10.0.0.5
# Full TCP port scan (slow)
nmap -p- -T4 10.0.0.5
# UDP scan (requires root; slow)
sudo nmap -sU -p 53,123,161 10.0.0.5
-sS = SYN (stealth) scan, -sV = service/version detection, -T4 = faster timing.

OS and version detection
Get OS fingerprints and deeper service info. Bash:
sudo nmap -O -sV 192.168.1.10
# or with aggressive options
sudo nmap -A -T4 192.168.1.10
-O attempts OS detection. -A bundles OS detection, version detection, default script scans, and traceroute.

NSE (Nmap Scripting Engine) - quick checks
Nmap ships with scripts for discovery and vulnerability checks. Bash:
# List available scripts (here: filter for SMB-related ones)
ls /usr/share/nmap/scripts | grep smb
# Run a script (example: HTTP path enumeration)
nmap --script http-enum -p 80,443 target.com
# Run multiple script categories (example: default or safe)
nmap --script "default or safe" -p 80 target.com

Scan timing & stealth tips
Control scan speed and stealthiness. Bash:
# Slow / stealthy
sudo nmap -sS -T2 target
# Faster / noisy
sudo nmap -sS -T5 target
Lower -T values reduce detection risk but increase scan time. Always match the timing to your authorization and impact tolerance.

Output formats & reporting
Save results for later analysis. Bash:
# Normal + grepable + XML outputs
nmap -oN out.txt -oG out.gnmap -oX out.xml target
XML is handy for automated parsing; -oG is grep-friendly.

Quick service checks & banner grabbing
Grab application banners for simple fingerprinting. Bash:
# Connectivity check only: -z reports open/closed without reading a banner
nc -vz 192.168.1.5 22 80 443
# Basic banner grab: connect without -z and read the service greeting (e.g. SSH)
nc -v 192.168.1.5 22
# Nmap banner/version probe
nmap -sV --version-all 192.168.1.5 -p 22,80,443
Combine a manual banner grab with -sV (and --version-all) to improve version detection quality.

Examples for common workflows
- Network sweep + common ports + save results
Bash:
sudo nmap -sS -p 22,80,443 -T4 -oN sweep.txt 192.168.1.0/24
- Deep scan a single host (OS + scripts + all TCP ports)
Bash:
sudo nmap -A -p- -T4 -oN deep-host.txt 10.0.0.42

Troubleshooting & tips
- If results look inconsistent, retry with elevated privileges (sudo); some scans need raw sockets.
- Use -Pn to skip host discovery when ICMP is blocked: nmap -Pn target
- Combine tools: Masscan (fast port discovery) + Nmap (detailed follow-up).

Where to go next
- Learn NSE scripting to automate checks relevant to your environment.
- Integrate Nmap output into SIEMs or reporting pipelines (XML → Elastic/Graylog).
- Build a small lab (VMs + vulnerable targets) and practice safe scanning and remediation workflows.
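Added example (not code from the original post or from the Nmap project): a small Python parser that turns -oX and -oG output into flat per-port JSON records, the shape a SIEM pipeline (XML → Elastic/Graylog, as in the list above) ingests, and that also serves the "Output formats & reporting" section. The sample scan output, the host 10.0.0.5, the name web01.lab and all function names are constructed for illustration; the grepable product/version split is a heuristic, since -oG stores both in one field.

```python
"""Normalize Nmap -oX (XML) and -oG (grepable) output into flat per-port records.

Added example for this post, not code from Nmap or the original author. The sample
scan output, host 10.0.0.5 and name web01.lab are constructed so it runs offline.
"""
import json
import re
import xml.etree.ElementTree as ET

# Constructed -oX sample, trimmed to the elements used below.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX out.xml 10.0.0.5" version="7.94">
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <hostnames><hostname name="web01.lab" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="8.9p1" conf="10"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
        <service name="http" product="nginx" version="1.18.0" conf="10"/></port>
      <port protocol="tcp" portid="443"><state state="closed" reason="reset"/>
        <service name="https" conf="3"/></port>
    </ports>
    <os><osmatch name="Linux 5.X" accuracy="95"/></os>
  </host>
</nmaprun>
"""

# Constructed -oG sample for the same scan (fields are tab-separated).
SAMPLE_GNMAP = (
    "# Nmap 7.94 scan initiated as: nmap -sV -oG out.gnmap 10.0.0.5\n"
    "Host: 10.0.0.5 (web01.lab)\tStatus: Up\n"
    "Host: 10.0.0.5 (web01.lab)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, "
    "80/open/tcp//http//nginx 1.18.0/, 443/closed/tcp//https///"
    "\tIgnored State: filtered (997)\n"
    "# Nmap done\n"
)


def _attr(el, name, default=""):
    """Attribute lookup that tolerates a missing element."""
    return el.get(name, default) if el is not None else default


def parse_nmap_xml(xml_text):
    """One record per <port> element; OS match comes from <osmatch> when present."""
    records = []
    for host in ET.fromstring(xml_text).iter("host"):
        ip = _attr(host.find("address[@addrtype='ipv4']"), "addr")
        hostname = _attr(host.find("hostnames/hostname"), "name")
        os_name = _attr(host.find("os/osmatch"), "name")
        for port in host.iter("port"):
            svc = port.find("service")
            records.append({
                "ip": ip, "hostname": hostname, "os": os_name,
                "port": int(port.get("portid")), "proto": port.get("protocol"),
                "state": _attr(port.find("state"), "state"),
                "service": _attr(svc, "name"), "product": _attr(svc, "product"),
                "version": _attr(svc, "version"),
            })
    return records


def parse_gnmap(text):
    """Same record shape from grepable output (no OS field exists there)."""
    records = []
    for line in text.splitlines():
        fields = line.split("\t")
        m = re.match(r"Host: (\S+) \(([^)]*)\)", fields[0])
        ports = [f for f in fields[1:] if f.startswith("Ports: ")]
        if not m or not ports:
            continue  # comment lines and "Status: Up" lines carry no ports
        ip, hostname = m.group(1), m.group(2)
        for entry in ports[0][len("Ports: "):].split(", "):
            # Entry layout: port/state/proto/owner/service/rpcinfo/version/
            # (nmap escapes any '/' inside a field, so a plain split is safe)
            port, state, proto, _owner, service, _rpc, ver = entry.split("/")[:7]
            product, _, version = ver.partition(" ")  # heuristic: "nginx 1.18.0"
            records.append({
                "ip": ip, "hostname": hostname, "os": "",
                "port": int(port), "proto": proto, "state": state,
                "service": service, "product": product, "version": version,
            })
    return records


def to_ndjson(records):
    """Newline-delimited JSON: one event per line for Elastic/Graylog bulk ingest."""
    return "\n".join(json.dumps(r, sort_keys=True) for r in records)


def open_ports(records):
    """Triage view: {ip: [open ports]} across whichever format was parsed."""
    out = {}
    for r in records:
        if r["state"] == "open":
            out.setdefault(r["ip"], []).append(r["port"])
    return out


if __name__ == "__main__":
    xml_records = parse_nmap_xml(SAMPLE_XML)
    print(to_ndjson(xml_records))
    print(open_ports(xml_records))
    print(open_ports(parse_gnmap(SAMPLE_GNMAP)))
```

Feed a real out.xml or out.gnmap into parse_nmap_xml or parse_gnmap and ship the to_ndjson output to your collector; prefer the XML path when you need product and version as separate fields or the OS match, and use the grepable path only for quick host/port triage.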