
Nmap for Penetration Testing

Nmap, short for Network Mapper, is a network scanning tool used to discover hosts, identify open ports, enumerate services, detect operating systems, and check for known vulnerabilities.

From a penetration testing perspective, Nmap helps answer a few important questions:

  1. What hosts are online?
  2. What ports are open?
  3. What services are running?
  4. What versions are exposed?
  5. Is traffic being filtered?
  6. What should be investigated next?

Nmap is not a magic vulnerability detector. It gives you leads. An open port, a service banner, or an operating system guess can point you toward deeper enumeration, but those results still need to be validated with additional testing, research, and context.

Warning: Only scan systems you own or have explicit permission to test. Even basic scanning can trigger alerts, create noisy logs, or violate rules if it is done outside an authorized lab or engagement.

Confirm Your Network

Before scanning, confirm what network you are connected to so you do not accidentally scan out-of-scope systems.

Useful commands:

ip addr

This shows your IP address and network interface information.

ip route

This shows your default gateway and routing table.

Example local network:

192.168.1.0/24

The /24 is the network mask (the first 24 bits identify the network), so the usable host addresses are:

192.168.1.1 through 192.168.1.254 (192.168.1.0 is the network address and 192.168.1.255 is the broadcast address)

Understanding your network range matters because scanning outside an authorized lab or engagement can violate scope.

Host Discovery

Before scanning ports, identify which hosts are alive. This keeps the rest of your scanning focused and avoids wasting time on inactive addresses.

ARP Scan

ARP discovery is useful on a local network.

sudo nmap -PR -sn TARGET_SUBNET

Example:

sudo nmap -PR -sn 192.168.1.0/24

Options:

  • -PR use ARP requests
  • -sn host discovery only; skip port scanning

ARP is fast on a local subnet because devices normally use ARP to find each other. This is often one of the best first steps in a home lab or local VM lab.

Save Discovered IPs

After finding live hosts, save them to a file:

nano targets.txt

Example:

192.168.1.7
192.168.1.9
192.168.1.13
192.168.1.14
192.168.1.254

This lets you run later scans against known live systems instead of repeatedly scanning the whole subnet.
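As an added example, not from the original post: a scope check that compares the contents of targets.txt with the authorized range before anything is passed to nmap -iL, using Python's ipaddress module. AUTHORIZED_SCOPE, the target list and the function names are constructed assumptions for this example.

```python
import ipaddress

# Assumption for this example: the lab or engagement authorizes only this range.
AUTHORIZED_SCOPE = ["192.168.1.0/24"]

# Constructed targets.txt content (not a real host list); one entry is
# outside the /24 on purpose and one is a typo.
TARGETS_TXT = """192.168.1.7
192.168.1.9
# the next host was typed by mistake and must not be scanned
192.168.2.13
192.168.1.254
not-an-ip
"""


def split_targets(targets_text, scope):
    """Return (in_scope, out_of_scope, invalid) for the entries of a targets file.
    An entry may be a single IP or a CIDR. It is in scope only when it lies
    entirely inside one authorized network; a range that straddles the
    boundary is treated as out of scope."""
    nets = [ipaddress.ip_network(s, strict=False) for s in scope]
    in_scope, out_of_scope, invalid = [], [], []
    for raw in targets_text.splitlines():
        entry = raw.split("#", 1)[0].strip()  # tolerate comments and blank lines
        if not entry:
            continue
        try:
            target = ipaddress.ip_network(entry, strict=False)  # "a.b.c.d" becomes a /32
        except ValueError:
            invalid.append(entry)
            continue
        if any(target.subnet_of(n) for n in nets if n.version == target.version):
            in_scope.append(entry)
        else:
            out_of_scope.append(entry)
    return in_scope, out_of_scope, invalid


def scope_bounds(cidr):
    """First and last usable host address of a network, e.g. .1 and .254 for a /24."""
    hosts = list(ipaddress.ip_network(cidr, strict=False).hosts())
    return str(hosts[0]), str(hosts[-1])


if __name__ == "__main__":
    ok, bad, junk = split_targets(TARGETS_TXT, AUTHORIZED_SCOPE)
    print("scan these:", ok)
    print("out of scope, do not scan:", bad, "unparseable:", junk)
```

Only the in-scope list should be written to the file that later scans read with -iL.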

ICMP Ping Scan

An ICMP ping scan can be useful when scanning a host outside the local network:

sudo nmap -PE -sn scanme.nmap.org

Options:

  • -PE sends an ICMP Echo Request, similar to a normal ping
  • -sn host discovery only

Limitation:

Firewalls may block ICMP. If a host does not respond, it does not always mean the host is offline.

TCP ACK Discovery Scan

TCP-based discovery can help when ICMP is blocked.

sudo nmap -PA80 -sn scanme.nmap.org

Option:

  • -PA80 sends a TCP ACK packet to port 80

If the host replies with a TCP reset packet, Nmap can determine that the host is alive.

This matters because some networks block ping but still respond to certain TCP packets.

If you know a host is in scope but it does not respond to discovery probes, you can use -Pn to tell Nmap to treat it as online:

nmap -Pn TARGET_IP

Use this carefully. Against large ranges, -Pn can make scans much slower because Nmap port-scans every address in the range, including ones that are not actually up.

Common Nmap Port States

Nmap reports port states that help you interpret scan results.

State: open
Meaning: The port is accepting connections. This is a lead for further enumeration.

State: closed
Meaning: The host is reachable, but nothing is listening on that port.

State: filtered
Meaning: Nmap cannot determine whether the port is open because something, usually a firewall, is blocking probes.

State: unfiltered
Meaning: The port is reachable, but Nmap cannot tell whether it is open or closed. This state comes from ACK scans, so another scan type (such as a SYN scan) is needed to learn whether the port is open.

State: open|filtered
Meaning: Nmap cannot determine whether the port is open or filtered. Common with UDP scans.

State: closed|filtered
Meaning: Nmap cannot determine whether the port is closed or filtered.

The key idea is simple: an open port is not automatically a vulnerability. It means there is a service worth identifying and reviewing.

Basic TCP Port Scanning

A basic Nmap scan against one host looks like this:

nmap TARGET_IP

Example:

nmap 192.168.1.7

By default, Nmap scans the 1,000 most common TCP ports, using a SYN scan when run as root and a full TCP connect scan otherwise.

Example output:

PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

This indicates SSH and HTTP are open.

From a penetration-testing perspective, that gives you direction:

  • SSH may need version checks, configuration review, or credential policy testing if allowed.
  • HTTP may lead to web enumeration, directory discovery, technology fingerprinting, or manual browsing.

Do not assume either service is vulnerable. Treat open services as leads for further enumeration.

Scan a List of Hosts

Once live hosts are saved in targets.txt, scan the list:

nmap -iL targets.txt

Option:

  • -iL read targets from a file

This is cleaner and more focused than scanning the whole subnet after discovery.

To save the scan results, you can use -oA:

nmap -iL targets.txt -oA basic-scan

Option:

  • -oA save results in all three formats (normal .nmap, XML .xml, and grepable .gnmap) using the same filename prefix

This creates files that can be reviewed later without rerunning the scan.

Scan Specific Ports

Sometimes you do not need to scan everything. You may want to quickly check whether certain services are exposed.

Scan for SSH:

nmap -p 22 -iL targets.txt

Scan for HTTP:

nmap -p 80 -iL targets.txt

Scan multiple ports:

nmap -p 21,22,23,80 -iL targets.txt

Option:

  • -p specify the port or ports to scan

Use case:

This helps quickly determine which machines expose specific services.

A machine with FTP, Telnet, and HTTP open may deserve closer review, especially if the services are outdated, unauthenticated, or misconfigured. Open services do not prove a vulnerability by themselves. They tell you where to look next.
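As an added example, not from the original post: a small Python parser for the basic-scan.xml file that -oA writes. It serves the -oA section above (review results without rerunning the scan), answers this section's question of which machines expose specific ports, and separates open|filtered results, which need follow-up, from confirmed open ports. The sample XML is constructed to match Nmap's output layout, and the function names are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like the basic-scan.xml that -oA writes after a
# -sV scan plus a UDP scan; it is not output from a real scan.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -iL targets.txt -oA basic-scan">
<host><status state="up"/><address addr="192.168.1.7" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="8.9p1"/></port>
<port protocol="tcp" portid="80"><state state="open"/><service name="http" product="Apache httpd" version="2.4.52"/></port>
<port protocol="tcp" portid="23"><state state="closed"/><service name="telnet"/></port>
</ports></host>
<host><status state="up"/><address addr="192.168.1.9" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="21"><state state="open"/><service name="ftp"/></port>
<port protocol="tcp" portid="23"><state state="open"/><service name="telnet"/></port>
<port protocol="udp" portid="161"><state state="open|filtered"/><service name="snmp"/></port>
</ports></host>
<host><status state="down"/><address addr="192.168.1.13" addrtype="ipv4"/></host>
</nmaprun>"""


def parse_nmap_xml(xml_text):
    """Return {ip: [(port, proto, state, service, version), ...]} for hosts that are up."""
    results = {}
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        addr = host.find("address[@addrtype='ipv4']")
        if status is None or addr is None or status.get("state") != "up":
            continue  # a down host carries no port table worth keeping
        ports = []
        for port in host.iter("port"):
            svc = port.find("service")
            name, product, version = ("", "", "") if svc is None else (
                svc.get("name", ""), svc.get("product", ""), svc.get("version", ""))
            ports.append((int(port.get("portid")), port.get("protocol"),
                          port.find("state").get("state"), name, (product + " " + version).strip()))
        results[addr.get("addr")] = ports
    return results


def hosts_exposing(results, port, proto="tcp"):
    """The -p 21,22,23,80 question answered from saved output: who has this port open?"""
    return sorted(ip for ip, ports in results.items()
                  if any(p == port and pr == proto and st == "open" for p, pr, st, _, _ in ports))


def follow_up_leads(results):
    """open|filtered ports (typical of UDP results) that need service-specific validation."""
    return [(ip, p, pr, name) for ip, ports in results.items()
            for p, pr, st, name, _ in ports if st == "open|filtered"]
```

For a real run, replace SAMPLE_XML with the contents of basic-scan.xml; the closed Telnet port on 192.168.1.7 is kept in the table but never counted as exposed.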

ACK Scan for Filtered Ports

An ACK scan can help identify firewall behavior:

sudo nmap -sA -iL targets.txt

Option:

  • -sA checks whether ports are filtered or unfiltered

Important limitation:

This scan does not directly tell you whether a port is open. It helps determine whether traffic is being filtered.

That makes it useful for understanding firewall rules, but it is not a normal service-enumeration scan.

UDP Scanning

UDP is often overlooked, but many important services use it.

A beginner-friendly UDP scan is:

sudo nmap -sU --top-ports 20 TARGET_IP

Options:

  • -sU run a UDP scan
  • --top-ports 20 scan the 20 most common UDP ports

Common UDP services:

53   DNS
67   DHCP
69   TFTP
123  NTP
161  SNMP

UDP scans can be slow because, unlike TCP, an open UDP port usually sends no reply at all, so Nmap has to wait for timeouts and for rate-limited ICMP port-unreachable messages before it can decide. Many UDP results may come back as:

open|filtered

This means Nmap cannot determine whether the port is open or filtered.

UDP results often need follow-up testing with service-specific tools or manual validation. For example, if Nmap reports possible SNMP exposure, you would investigate that service directly instead of treating the scan result as a confirmed issue.

Service and Version Detection

Finding an open port is useful. Identifying the actual service and version is more useful.

Use:

nmap -sV TARGET_IP

Example:

nmap -sV 192.168.1.7

Option:

  • -sV probe open ports to determine service and version information

Example output:

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu
80/tcp open  http    Apache httpd 2.4.52

This gives you better leads.

Instead of only knowing that port 80 is open, you now know Nmap believes Apache is running. That can guide your next steps:

  • Check whether the version is current.
  • Look for known CVEs or vendor advisories.
  • Review default pages or exposed files.
  • Compare the banner with what the system is expected to run.
  • Validate the finding manually.

Version detection is helpful, but it is not proof of exploitability. Banners can be hidden, changed, proxied, or misleading.

OS Detection

Nmap can attempt to identify the target operating system:

sudo nmap -O TARGET_IP

Option:

  • -O enable OS detection

Example:

sudo nmap -O 192.168.1.7

OS detection works by analyzing how the target responds to probes. It works best when Nmap can find at least one open port and one closed port.

Example output might look like:

OS details: Linux 4.X|5.X

Treat OS detection as an estimate, not proof. It can be useful for building a picture of the target, but it should be validated with other evidence.

Scan Timing and Behavior

Nmap includes timing templates that control how aggressively it sends probes:

  • -T0 paranoid
  • -T1 sneaky
  • -T2 polite
  • -T3 normal (the default)
  • -T4 aggressive
  • -T5 insane

Higher numbers scan faster, but faster is not always better. Aggressive timing can be noisier, less reliable, or more likely to miss results on unstable networks.

A common lab scan might use:

nmap -T4 TARGET_IP

Option:

  • -T4 use a faster timing template often seen in lab environments

Use timing options carefully. In a real engagement, scan speed should match the rules of engagement, network conditions, and the need for accuracy.

For beginners, it is better to understand what the scan is doing before trying to make it faster.

Nmap Scripting Engine

Nmap includes the Nmap Scripting Engine, often called NSE. NSE scripts can automate common checks, collect service details, and perform deeper enumeration.

Run Nmap’s default scripts with:

nmap -sC TARGET_IP

Option:

  • -sC run Nmap’s default scripts

A common enumeration command is:

nmap -sC -sV TARGET_IP

This combines default scripts with service/version detection.

Example:

nmap -sC -sV 192.168.1.7

Default scripts can be very useful in a lab because they often pull extra information from services like HTTP, SMB, SSH, and FTP.

Still, scripts send additional probes. Use them only against authorized targets, and read the output carefully. A script result is a lead, not a final conclusion.

Vulnerability Scanning With NSE

Nmap also includes scripts in categories such as vuln, which attempt to detect known vulnerabilities.

Example:

nmap --script vuln TARGET_IP

This can be useful in an authorized lab, but it should not be treated as a normal beginner default.

Why?

Some vulnerability scripts are noisy. Some perform intrusive checks. Some may behave differently depending on the service, target configuration, or script being used. On fragile systems, certain checks may cause problems.

A more controlled approach is to identify the exposed service first, then run a specific script that matches what you found.

For example, if HTTP is open:

nmap --script http-title -p 80 TARGET_IP

If SMB is open:

nmap --script smb-os-discovery -p 445 TARGET_IP

This keeps the scan focused and easier to interpret.

Vulnerability scanning is not the same as vulnerability confirmation. If a script reports something interesting, validate it with documentation, manual testing, and the rules of your lab or engagement.

Aggressive Scanning

Nmap has an aggressive scan option:

sudo nmap -A TARGET_IP

Option:

  • -A enables OS detection, version detection, script scanning, and traceroute

This is convenient, but it is also noisier than a basic scan. It runs several features at once, which can make it harder for beginners to understand which part of the scan produced which result.

A better learning approach is to run the pieces separately first:

nmap -sV TARGET_IP
nmap -sC TARGET_IP
sudo nmap -O TARGET_IP

Once you understand what those options do, -A will make more sense.

Use aggressive scans only in authorized labs or engagements where that behavior is allowed.

Final Thoughts

Nmap is a starting point for understanding what is exposed on a network. It helps you move from basic discovery to deeper enumeration by showing which hosts are online, which ports are open, and which services may need closer review.

The important part is knowing how to interpret what Nmap gives you. An open port is not automatically a vulnerability. A service version is not automatic proof of exploitability. A script result is something to validate, not something to accept blindly.

A good workflow is simple: confirm your scope, discover live hosts, scan for open ports, identify services, and then decide what deserves a closer look. Each scan should answer a specific question and guide your next step.

// this article was written with ai assistance.