Nmap is the single most important tool in any network security professional’s toolkit. This tutorial covers everything from basic discovery to the Nmap Scripting Engine (NSE) and firewall evasion.

Why Nmap Still Matters in 2026

Despite an explosion of newer scanners (Masscan, Naabu, Rustscan), Nmap remains canonical because of three things: accurate service detection, the NSE library, and decades of edge-case handling. Most production “fast scanners” pipe their output back into Nmap for verification.

Host Discovery

# Ping sweep — ICMP echo, TCP SYN 443, TCP ACK 80, ICMP timestamp
nmap -sn 10.10.10.0/24

# Skip discovery entirely (when ICMP/ARP is filtered)
nmap -Pn 10.10.10.50

# Use specific probes
nmap -PS22,80,443 -PA80 -PE 10.10.10.0/24

Port Scanning Techniques

# SYN scan — fast, requires root (default with sudo)
nmap -sS target

# TCP connect scan — works without root, noisier
nmap -sT target

# UDP scan — slow, lossy, but essential for DNS/SNMP/NTP
nmap -sU --top-ports 50 target

# Top 1000 ports (default)
nmap target

# All 65535 TCP ports
nmap -p- target

# Specific ports
nmap -p 22,80,443,8080-8090 target
Two-phase scanning On real engagements, run two passes: a fast nmap -p- --min-rate 5000 target to enumerate every open port, then a slow nmap -sC -sV -p <found_ports> target for accurate version detection. This is dramatically faster than -sC -sV -p- on slow links.

Service & Version Detection

# Service version detection
nmap -sV target

# Default NSE scripts + version detection (aggressive)
nmap -sC -sV target

# Even more aggressive — adds OS, traceroute, default scripts
nmap -A target

Nmap Scripting Engine (NSE)

NSE turns Nmap from a port scanner into a vulnerability scanner. Scripts live in /usr/share/nmap/scripts/.

# Run all "vuln" category scripts on detected services
nmap -sV --script vuln target

# SMB enumeration
nmap -p 445 --script smb-os-discovery,smb-enum-shares,smb-enum-users target

# HTTP enumeration
nmap -p 80,443 --script "http-* and not http-slowloris" target

# SSL/TLS auditing
nmap -p 443 --script ssl-enum-ciphers,ssl-cert,ssl-heartbleed target

Firewall & IDS Evasion

# Decoy scan — randomize source IPs alongside yours
nmap -D RND:10 target

# Fragment packets to evade pattern-matching IDS
nmap -f -f target

# Slow timing to dodge rate-based alerts
nmap -T2 --max-rate 50 target

# Spoof source port (some firewalls trust 53 or 80)
nmap --source-port 53 target

# Idle/Zombie scan — attribute scan to a third host
nmap -sI zombie_host target
Evasion has limits Modern NDR/EDR platforms correlate by behavior, not packet shape. Fragment-only evasions stopped working in 2010. The most reliable evasion remains: scan slowly from a clean IP.

Output Formats

nmap -oA project_alpha target          # All formats: .nmap .gnmap .xml
nmap -oX project_alpha.xml target      # XML for parsers (Metasploit db_import)
nmap -oG project_alpha.gnmap target    # Greppable

Combine with cat *.gnmap | awk '/Ports:/{print $2}' to feed downstream tooling.

Real-World Workflow

A typical external assessment flow:

# 1. Discover live hosts in scope
nmap -sn -iL scope.txt -oA discovery

# 2. Fast TCP sweep
nmap -p- --min-rate 5000 -iL live_hosts.txt -oA fast_tcp

# 3. Targeted UDP
nmap -sU --top-ports 100 -iL live_hosts.txt -oA udp

# 4. Service detection on confirmed open ports
nmap -sC -sV -p <ports> -iL live_hosts.txt -oA services

# 5. Vuln scripts
nmap -sV --script "vuln and safe" -p <ports> -iL live_hosts.txt -oA vuln

References