Category: Information Gathering
Tags: port scanning, network exploration, security auditing, OS detection, version detection, traceroute

Nmap

Nmap is a utility for network exploration and security auditing that supports host discovery, port scanning, version detection, and OS fingerprinting. It includes related tools like ncat, nping, ndiff, and zenmap for enhanced network analysis capabilities.

Description

Nmap performs ping scanning to determine live hosts, multiple port scanning techniques, version detection to identify service protocols and application versions, and TCP/IP fingerprinting for remote host OS identification. It supports flexible target specification, decoy scanning, sunRPC scanning, and works across Unix, Windows, and handheld devices in both GUI and command-line modes.

Use cases include network mapping, vulnerability assessment through service enumeration, and firewall evasion testing. The suite extends functionality with ncat for socket manipulation, nping for packet crafting and traceroute, ndiff for comparing scan results, and zenmap as a graphical frontend.

Nmap is essential for penetration testing, security audits, and reconnaissance phases of engagements, providing comprehensive visibility into network topology and services.

How It Works

Nmap discovers hosts and open ports with techniques such as SYN stealth scans (-sS), UDP scans (-sU), TCP connect scans (-sT), and ping scans (-sn). It uses NSE scripts for vulnerability detection, identifies service versions by banner grabbing and protocol matching (-sV), detects operating systems by TCP/IP stack fingerprinting (-O), and performs traceroute by manipulating the TTL of its probe packets (enabled as part of -A). The related tools work at different layers: nping crafts custom TCP/UDP/ICMP/ARP packets on raw sockets, ncat handles socket I/O with exec and proxy support, and ndiff parses XML scan outputs to report the differences between two scans.

Installation

```bash
sudo apt install nmap
```

Flags

-v    Increase verbosity level
-A    Enable OS detection, version detection, script scanning, and traceroute
-sV   Probe open ports to determine service/version info
-sL   List Scan - simply list targets to scan
-sn   Ping Scan - disable port scan
-Pn   Treat all hosts as online -- skip host discovery
-O    Enable OS detection
-sC   Equivalent to --script=default
-F    Fast mode - scan fewer ports than the default scan
-p    Only scan specified ports

Examples

Scan in verbose mode with OS detection, version detection, script scanning, and traceroute (-A), plus explicit version detection (-sV), against the target IP:

```bash
nmap -v -A -sV 192.168.1.1
```

Use TCP mode to probe port 22 with the SYN flag set and a TTL of 2 on the remote host:

```bash
nping --tcp -p 22 --flags syn --ttl 2 192.168.1.1
```

Compare yesterday's port scan with the scan from today:

```bash
ndiff yesterday.xml today.xml
```

Be verbose, run /bin/bash on connect, only allow connections from one IP address, listen on TCP port 4444, and keep the listener open after a client disconnects:

```bash
ncat -v --exec "/bin/bash" --allow 192.168.1.123 -l 4444 --keep-open
```

Fast, verbose scan with XML output, producing the yesterday.xml file used in the ndiff comparison above:

```bash
nmap -v -F -oX yesterday.xml 192.168.1.1
```

Ping scan multiple networks (from the nmap help examples):

```bash
nmap -v -sn 192.168.0.0/16 10.0.0.0/8
```

Scan port 80 on 10000 randomly chosen targets, skipping host discovery (from the nmap help examples):

```bash
nmap -v -iR 10000 -Pn -p 80
```
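The ndiff comparison above works on the XML produced by -oX. The following added example (not part of the Kali page or the Nmap project) reimplements the core of that comparison in Python: it parses two constructed nmap XML reports for a baseline and a current scan and lists every host/port whose state or service changed, which is the check a defender runs to spot newly exposed services. The XML samples are constructed by hand and the function names are the example's own.

```python
import xml.etree.ElementTree as ET

# Constructed sample reports in nmap -oX format (not real scan output).
YESTERDAY_XML = """<nmaprun scanner="nmap">
<host><status state="up"/><address addr="192.168.1.1" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
<port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
</ports></host></nmaprun>"""

TODAY_XML = """<nmaprun scanner="nmap">
<host><status state="up"/><address addr="192.168.1.1" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
<port protocol="tcp" portid="80"><state state="closed"/><service name="http"/></port>
<port protocol="tcp" portid="4444"><state state="open"/><service name="krb524"/></port>
</ports></host>
<host><status state="up"/><address addr="192.168.1.50" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
</ports></host></nmaprun>"""


def parse_ports(xml_text):
    """Map (host, proto, port) -> (state, service) for every <port> in a report.
    Assumes the first <address> of each host is the one to report on."""
    result = {}
    root = ET.fromstring(xml_text)
    for host in root.findall("host"):
        addr = host.find("address").get("addr")
        for port in host.findall("./ports/port"):
            key = (addr, port.get("protocol"), int(port.get("portid")))
            service = port.find("service")
            result[key] = (port.find("state").get("state"),
                           service.get("name") if service is not None else "")
    return result


def diff_scans(old_xml, new_xml):
    """Return ndiff-style lines: '-' for the old entry, '+' for the new one.
    Unchanged ports are skipped; hosts seen in only one scan show up as well."""
    old, new = parse_ports(old_xml), parse_ports(new_xml)
    lines = []
    for key in sorted(set(old) | set(new)):
        if old.get(key) != new.get(key):
            host, proto, port = key
            if key in old:
                lines.append("- %s %d/%s %s %s" % (host, port, proto, *old[key]))
            if key in new:
                lines.append("+ %s %d/%s %s %s" % (host, port, proto, *new[key]))
    return lines


if __name__ == "__main__":
    print("\n".join(diff_scans(YESTERDAY_XML, TODAY_XML)))
```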
Updated 2026-04-16. Source: kali.org