Cyber Security: What is Nmap?

Nmap (Network Mapper) is an open-source utility for network discovery, port scanning, service version detection, operating system fingerprinting, and scripted vulnerability checks. It is the longest-standing and most widely used tool in its category, deployed in virtually every penetration test, network audit, and security operations team.

Core capabilities

Host discovery identifies live hosts on a network using ICMP, ARP, TCP, or UDP probes.

Port scanning determines which TCP and UDP ports are open, filtered, or closed on each target, using techniques tailored to the situation: full TCP connect, half-open SYN, FIN scans, idle scans, UDP probes, and others.

Service detection connects to open ports and identifies the software version running, which is critical for matching findings to known CVEs.

OS fingerprinting infers the target operating system from low-level protocol behaviour.

Nmap Scripting Engine (NSE) runs scripts written in Lua against discovered hosts and services. Scripts cover everything from quick banner grabs to specific CVE checks and brute-force authentication tests.

Common commands

nmap -sn 10.0.0.0/24: ping-sweep style host discovery without port scanning.

nmap -sV -sC -p- target.tld: full TCP port range with service detection and the default script set.

nmap --script vuln target.tld: runs the vulnerability script category against the target.

nmap -sU --top-ports 100 target.tld: UDP scan of the 100 most common ports.

Use in penetration testing

Nmap is the first tool a tester runs on most engagements. The output drives the entire enumeration phase: which services are exposed, what versions, where to focus deeper testing. The Nmap Scripting Engine often surfaces specific findings (anonymous FTP, exposed SMB shares, weak SSL ciphers, known CVE indicators) without further tooling.

Considerations

Default Nmap scans are noisy and easily detected by network monitoring. Stealthier options exist (slower timing, fragmented packets, decoys), but realistic detection assumptions matter more: in 2026 every well-monitored network treats an Nmap scan as routine reconnaissance activity. Testers therefore usually optimise for completeness and accuracy rather than evasion.

Related terms

See also: port scanning, ping sweep, ARP scan, and Kali Linux.
