Mastering Nmap for Real-World Network Scanning

📌 Purpose: This guide explains every important nmap option using its -h output, includes practical usage examples, analysis, and real-world scanning tactics. Designed for cybersecurity students, red teamers, and system admins.

🛠️ Nmap Installation Guide

Before diving in, let’s install Nmap on your system. It’s cross-platform and very easy to set up.

Ubuntu / Debian:

sudo apt update && sudo apt install nmap -y

CentOS / RHEL:

sudo yum install nmap -y

Arch Linux:

sudo pacman -S nmap

macOS (via Homebrew):

brew install nmap

🔹 Windows

Download from official site: https://nmap.org/download.html
Run the installer (includes Zenmap GUI if desired)
Add Nmap to PATH during install for CLI use from Command Prompt or PowerShell

✅ Once installed, test it using:

nmap --version

📘 Nmap Help Guide: Full Command Overview (`nmap -h`)

Run:

nmap -h

Nmap 7.93 ( https://nmap.org )
Usage: nmap [Scan Type(s)] [Options] {target specification}

TARGET SPECIFICATION:
  -iL <inputfilename>: Input from list of hosts/networks
  -iR <num hosts>: Choose random targets
  --exclude <host1[,host2],...>: Exclude hosts/networks
  --excludefile <exclude_file>: Exclude targets from file

HOST DISCOVERY:
  -sL: List Scan - only shows targets
  -sn: Ping Scan - disable port scan
  -Pn: Treat all hosts as online
  ...

SCAN TECHNIQUES:
  -sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
  -sU: UDP Scan
  -sN/sF/sX: TCP Null, FIN, and Xmas scans

PORTS AND ORDER:
  -p <port ranges>: Only scan specified ports
  -F: Fast mode
  ...

VERSION DETECTION:
  -sV: Probe open ports to determine service/version info
  ...

SCRIPTING:
  -sC: Use default scripts
  --script=<Lua scripts>
  ...

OS DETECTION:
  -O: Enable OS detection
  ...

TIMING:
  -T<0-5>: Set timing template (higher is faster)
  ...

EVASION:
  -f, -D, -S, -e, --data-length, --spoof-mac, etc.

OUTPUT:
  -oN/-oX/-oG: Output formats
  -v: Increase verbosity
  --reason: Show port state reason
  ...

MISC:
  -A: Aggressive scan (-O -sV -sC -traceroute)
  -6: Enable IPv6 scanning
  -h: Show this help

🧪 Pro Tips: Combine Flags

sudo nmap -sS -sV -O -A -p 1-1000 -T4 -oN result.txt 192.168.1.5

✔️ What this does:

SYN scan
Detects version & OS
Uses default scripts
Full port sweep
Saves to result.txt

🎯 Introduction

In this tutorial, we’ll master Nmap for real-world network scanning scenarios. You’ll learn:

How to discover all devices in a subnet
How to scan open ports & detect service versions
How to fingerprint operating systems
How to identify firewalled ports
How to evade detection using stealth mode
How to detect vulnerabilities using Nmap scripts

This is a hands-on guide with real command outputs, analysis, and practical use cases for both beginners and pros.

🧰 Scenario: Audit Your LAN with Nmap

Let’s assume you are auditing your home or office network. Your IP range is 192.168.1.0/24, and your machine (hostname: rajkumar) is on IP 192.168.1.5.

🔍 Step-by-Step Guide

✅ Step 1: Discover All Devices in the Network

sudo nmap -sn 192.168.1.0/24

🖥️ Output:

Nmap scan report for rajkumar (192.168.1.5)
Host is up (0.0012s latency).
Nmap scan report for 192.168.1.1
Host is up (0.0007s latency).
Nmap scan report for printer.local (192.168.1.100)
Host is up (0.0031s latency).

🔍 Description:

Shows live devices on the subnet
Host rajkumar confirms your machine
Other IPs include the router and a printer

✅ Step 2: Scan for Open Ports

sudo nmap -sS -p 1-1000 192.168.1.5

🖥️ Output:

PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
631/tcp  open  ipp

🔍 Analysis:

22: Secure Shell – remote login access
80: Web server – Apache likely
631: Internet Printing Protocol – CUPS or printer service

✅ Step 3: Detect Services and Their Versions

sudo nmap -sV -p 22,80,631 192.168.1.5

🖥️ Output:

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.4p1 Ubuntu
80/tcp   open  http    Apache httpd 2.4.41
631/tcp  open  ipp     CUPS 2.3.1

🔍 Analysis:

These version details help you check for known vulnerabilities (CVEs)

✅ Step 4: Detect the Operating System

sudo nmap -O 192.168.1.5

🖥️ Output:

OS details: Linux 5.4 - 5.8
Network Distance: 0 hops

🔍 Analysis:

Linux system detected, likely Ubuntu/Debian-based
Local device (same subnet, no hops)

✅ Step 5: Check for Firewall Rules

sudo nmap -sA -p 22,80,631 192.168.1.5

🖥️ Output:

PORT     STATE        SERVICE
22/tcp   unfiltered   ssh
80/tcp   filtered     http
631/tcp  unfiltered   ipp

🔍 Analysis:

Port 80 is filtered – likely blocked by UFW or iptables
Other ports respond normally

✅ Step 6: Evade Firewalls (Stealth Mode)

sudo nmap -sS -T2 -f -D RND:5 192.168.1.5

🔍 Explanation:

-f: Fragment packets to bypass firewalls
-D RND:5: Use 5 random decoys to hide source
-T2: Lower timing for stealth

📌 Tip:

This is very useful during Red Team or pentesting when you’re trying not to get detected by IDS/IPS.

✅ Step 7: Scan for Vulnerabilities

sudo nmap --script vuln -p 22,80 192.168.1.5

🖥️ Output:

22/tcp open  ssh
|_ SSH supports version 1 (insecure)

80/tcp open  http
| http-vuln-cve2017-5638:
|   VULNERABLE:
|   Apache Struts Remote Code Execution
|_  Reference: https://nvd.nist.gov/vuln/detail/CVE-2017-5638

🔍 Analysis:

SSHv1 support is a known security risk
Apache CVE-2017-5638 is critical — immediate patch needed!

📋 Summary Table

Goal	Command	Purpose
Discover devices	`nmap -sn`	Ping sweep
Scan open ports	`nmap -sS -p`	Find services
Version detection	`nmap -sV`	Service version check
OS detection	`nmap -O`	OS fingerprinting
Firewall detection	`nmap -sA`	Identify filtered ports
Stealth scan	`nmap -sS -f -D`	Evade IDS/IPS
Vulnerability scan	`nmap --script vuln`	CVE detection using NSE scripts

🛡️ Real-World Use Case Summary

In this scenario, using just Nmap:

You identified hosts on your LAN
Detected running services and versions
Verified your machine rajkumar is secure
Found a vulnerability in Apache that needs patching
Learned stealth scanning techniques for offensive/defensive audits

📚 Additional Resources

🗣️ Final Thoughts

Nmap is more than a simple port scanner — it’s an intelligent reconnaissance framework for security engineers and ethical hackers. Master these commands and integrate them into your daily audits to stay one step ahead of attackers.

✅ Try these scans on your own network and share what you discover! 💬 Got stuck? Drop your error or result in the comments — I’d love to help!

🛠️ Nmap Installation Guide#

Ubuntu / Debian:#

CentOS / RHEL:#

Arch Linux:#

macOS (via Homebrew):#

🔹 Windows#

📘 Nmap Help Guide: Full Command Overview (nmap -h)#

🧪 Pro Tips: Combine Flags#

🎯 Introduction#

🧰 Scenario: Audit Your LAN with Nmap#

🔍 Step-by-Step Guide#

✅ Step 1: Discover All Devices in the Network#

🖥️ Output:#

🔍 Description:#

✅ Step 2: Scan for Open Ports#

🖥️ Output:#

🔍 Analysis:#

✅ Step 3: Detect Services and Their Versions#

🖥️ Output:#

🔍 Analysis:#

✅ Step 4: Detect the Operating System#

🖥️ Output:#

🔍 Analysis:#

✅ Step 5: Check for Firewall Rules#

🖥️ Output:#

🔍 Analysis:#

✅ Step 6: Evade Firewalls (Stealth Mode)#

🔍 Explanation:#

📌 Tip:#

✅ Step 7: Scan for Vulnerabilities#

🖥️ Output:#

🔍 Analysis:#

📋 Summary Table#

🛡️ Real-World Use Case Summary#

📚 Additional Resources#

🗣️ Final Thoughts#

🛠️ Nmap Installation Guide

Ubuntu / Debian:

CentOS / RHEL:

Arch Linux:

macOS (via Homebrew):

🔹 Windows

📘 Nmap Help Guide: Full Command Overview (`nmap -h`)

🧪 Pro Tips: Combine Flags

🎯 Introduction

🧰 Scenario: Audit Your LAN with Nmap

🔍 Step-by-Step Guide

✅ Step 1: Discover All Devices in the Network

🖥️ Output:

🔍 Description:

✅ Step 2: Scan for Open Ports

🖥️ Output:

🔍 Analysis:

✅ Step 3: Detect Services and Their Versions

🖥️ Output:

🔍 Analysis:

✅ Step 4: Detect the Operating System

🖥️ Output:

🔍 Analysis:

✅ Step 5: Check for Firewall Rules

🖥️ Output:

🔍 Analysis:

✅ Step 6: Evade Firewalls (Stealth Mode)

🔍 Explanation:

📌 Tip:

✅ Step 7: Scan for Vulnerabilities

🖥️ Output:

🔍 Analysis:

📋 Summary Table

🛡️ Real-World Use Case Summary

📚 Additional Resources

🗣️ Final Thoughts