
Nmap Tutorial for Beginners: Usage and Top 10 Parameters

Anil K · 5 min read
#nmap #network-scanning #port-scanning #reconnaissance #security-testing #nse #sysadmin #commands
Nmap scanning a local subnet from a Linux terminal

Nmap, a free and open-source network scanner, is used to discover hosts, open ports, services, and basic security issues on networks. It gives administrators and security testers a picture of which services are actually reachable on a network, which is the starting point for both managing and securing it.

What Nmap does

  • Scans one or many IPs to find which hosts are running and listening.
  • Checks which TCP/UDP ports are open and what services/versions run on them.
  • Attempts OS detection and runs scripts to probe for known weaknesses.

Syntax: nmap [options] <target>

Pattern: nmap -sV -p 22,80,443 192.168.1.10


What nmap actually does

Nmap discovers live hosts on a network and maps their IP addresses, which is the basis of a device inventory. It scans TCP and UDP ports to find open services (HTTP, SSH, DNS and so on) and, with version detection, what software is behind them. It attempts to identify the operating system and device type by TCP/IP stack fingerprinting, and its port states (open, closed, filtered) reveal basic firewall or filter behaviour. Finally, its scripting engine (NSE) runs scripts that check for common vulnerabilities, misconfigurations and weak services.

Because it supports many scan techniques, timing controls, and scripting, it scales from small home labs to very large enterprise networks.

How nmap fits into security

  • Reconnaissance: an authorised scan shows the network as an attacker would see it, before the attacker does; it is the first step of most security assessments.
  • Auditing: scanning after patching or hardening verifies that only the expected ports and services are reachable.
  • Troubleshooting: system and network administrators use it to diagnose connectivity problems and to find rogue services or unexpected devices.
  • Policy enforcement: regular, authorised scans uncover unmanaged or unknown systems (shadow IT) before someone else does.

Who nmap is made for

Network and system administrators use Nmap daily to maintain inventories, verify configurations and troubleshoot network problems. Security engineers and penetration testers rely on it as the standard reconnaissance and initial vulnerability-discovery tool during an engagement. Incident responders and SOC analysts run targeted scans to confirm what a suspected compromised host is actually listening on, to spot unusual services, and to map possible lateral-movement paths. Students and hobbyists learn networking and security concepts by experimenting with scans in labs and on their own home networks.

In short, Nmap is designed for anyone responsible for understanding, managing, or testing networks — provided they have explicit permission to scan those systems.


Basic usage patterns

Common ways to use Nmap:

  • Simple scan of a host:
    nmap 192.168.1.10
    
  • Scan a whole subnet:
    nmap 192.168.1.0/24
    
  • Scan a range of IPs:
    nmap 192.168.1.10-50
    

These default scans report which hosts are up and which of Nmap's 1000 most common TCP ports are open. The service name shown in the default output comes from Nmap's port-to-service table (nmap-services), not from talking to the service, so a non-standard port is labelled by convention only; use -sV to confirm what is really listening.


Top 10 useful options

Here are 10 very commonly used options, with example commands:

1. -sS — TCP SYN scan (default as root)

  • Purpose: Fast, popular "half-open" scan that sends a SYN and never completes the handshake. It needs raw-socket privileges (root or sudo); without them Nmap silently falls back to -sT, a full TCP connect scan that completes the handshake and is therefore visible in the target application's logs.
  • Example:
    nmap -sS 192.168.1.10
    

2. -sV — service version detection

  • Purpose: Identify service and version on open ports (e.g., Apache httpd 2.x).
  • Example:
    nmap -sV 192.168.1.10
    

3. -O — OS detection

  • Purpose: Guess the target's operating system and device type from its TCP/IP stack fingerprint. Needs raw sockets (root) and works best when the target has at least one open and one closed TCP port.
  • Example:
    nmap -O 192.168.1.10
    

4. -A — aggressive scan

  • Purpose: Enables OS detection (-O), version detection (-sV), default script scanning (-sC) and traceroute in one go. It is noisy and slow; use it on targets you are allowed to probe thoroughly, not for a quick first look.
  • Example:
    nmap -A 192.168.1.10
    

5. -p — custom ports

  • Purpose: Scan specific ports or ranges instead of Nmap's default top 1000.
  • Examples:
    nmap -p- 192.168.1.10           # all 1–65535
    nmap -p 1-1024 192.168.1.10
    nmap -p 22,80,443 192.168.1.10
    

6. -T0 to -T5 — timing templates

  • Purpose: Control scan speed. -T0 and -T1 are meant for IDS evasion and can take hours per host; -T3 is the default; -T4 is the usual choice on a reliable network you are permitted to load; -T5 is so aggressive that it can miss ports on lossy links.
  • Examples:
    nmap -T1 192.168.1.10   # slow, stealthier
    nmap -T4 192.168.1.10   # fast, common on trusted LANs
    

7. -sn — ping / host discovery only

  • Purpose: Discover which hosts are up without port scanning. On the local Ethernet segment Nmap uses ARP requests, which hosts cannot block; across routers it uses ICMP and a couple of TCP probes, so hosts that drop those are reported as down. Use -Pn to skip discovery and scan an address even if it does not answer.
  • Example:
    nmap -sn 192.168.1.0/24
    

8. -sC — default scripts

  • Purpose: Run Nmap's default script category (the same as --script=default) for extra information and basic security checks. These scripts are chosen to be quick and low-risk, but they do talk to the services and will show up in their logs.
  • Example:
    nmap -sC -sV 192.168.1.10
    

9. -oN / -oX / -oG / -oA — output to files

  • Purpose: Save scan results to files for later review, diffing against a previous scan, or automation. -oA writes all three formats under one basename.
  • Examples:
    nmap -oA scan_all 192.168.1.10   # writes scan_all.nmap, scan_all.xml, scan_all.gnmap
    nmap -oX scan.xml 192.168.1.10   # XML, the format other tools parse
    nmap -oN scan.txt 192.168.1.10   # normal text, same as the screen output
    

10. --script — NSE scripting

  • Purpose: Run specific script(s) or whole categories (e.g., vuln, auth, safe). Scripts in the vuln and intrusive categories can crash fragile services, so read a script's description with nmap --script-help=<name> before pointing it at anything in production.
  • Examples:
    nmap --script=http-enum -p80 192.168.1.10
    nmap --script=vuln 192.168.1.10
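
A worked example tying the flags above together, added here and not part of the original article: a POSIX shell script that runs the scan with -oA and then audits the grepable (.gnmap) output against an allow-list of expected ports, which is the "only the expected services are reachable" check described earlier. The scan-output lines embedded below are constructed sample data in Nmap's -oG format; the hosts, service versions, allow-list entries and temporary file paths are assumptions, and the scan_and_audit function (which needs nmap and root) is defined but not executed.

```shell
#!/bin/sh
# Added example (not from the original article): scan with -oA, then audit the
# grepable (.gnmap) output against an allow-list of expected "ip port/proto".
# Hosts, versions, paths and allow-list contents below are assumptions.

# Print "ip port/proto service version" for every OPEN port in a .gnmap file.
# A gnmap line looks like (fields separated by tabs):
#   Host: 192.168.1.10 ()<TAB>Ports: 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/...<TAB>Ignored State: ...
# Port entries are separated by ", " and their sub-fields by "/":
#   port/state/protocol/owner/service/rpc-info/version/
open_ports() {
  awk -F'\t' '
    /^Host:/ {
      ip = $1
      sub(/^Host: /, "", ip); sub(/ .*/, "", ip)
      for (i = 2; i <= NF; i++) {
        if ($i !~ /^Ports: /) continue
        ports = $i
        sub(/^Ports: /, "", ports)
        n = split(ports, entry, ", ")
        for (j = 1; j <= n; j++) {
          split(entry[j], f, "/")
          if (f[2] == "open")
            printf "%s %s/%s %s %s\n", ip, f[1], f[3], f[5], f[7]
        }
      }
    }' "$1"
}

# Compare the open ports with an allow-list file of "ip port/proto" lines.
# Prints every open port that is not expected; exit status 1 if any were found.
unexpected_ports() {
  open_ports "$1" | awk -v allow="$2" '
    BEGIN { while ((getline line < allow) > 0) ok[line] = 1 }
    { key = $1 " " $2; if (!(key in ok)) { print; found = 1 } }
    END { if (found) exit 1 }'
}

# The real thing: SYN + version + default scripts on all ports, saved with -oA,
# then the audit. Needs nmap and root for -sS. Not executed in this example.
scan_and_audit() {
  targets=$1; base=$2; allow=$3
  nmap -sS -sV -sC -p- -T4 -oA "$base" $targets >/dev/null
  unexpected_ports "$base.gnmap" "$allow"
}

# Constructed sample: what the .gnmap file from -oA looks like for two hosts.
SAMPLE=$(mktemp); ALLOW=$(mktemp)
printf 'Host: 192.168.1.10 ()\tStatus: Up\n' > "$SAMPLE"
printf 'Host: 192.168.1.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/open/tcp//http//Apache httpd 2.4.52/, 443/closed/tcp//https///, 3306/open/tcp//mysql//MySQL 8.0.36/\tIgnored State: filtered (996)\n' >> "$SAMPLE"
printf 'Host: 192.168.1.20 ()\tStatus: Up\n' >> "$SAMPLE"
printf 'Host: 192.168.1.20 ()\tPorts: 53/open/udp//domain//dnsmasq 2.89/\tIgnored State: closed (999)\n' >> "$SAMPLE"
# What we expect to be listening (the database exposed on the LAN is not on the list).
printf '%s\n' '192.168.1.10 22/tcp' '192.168.1.10 80/tcp' '192.168.1.20 53/udp' > "$ALLOW"

echo "Open ports:"; open_ports "$SAMPLE"
echo "Unexpected open ports:"
if unexpected_ports "$SAMPLE" "$ALLOW"; then echo "(none)"; fi
```

Against a real target you are permitted to scan, the call is scan_and_audit 192.168.1.10 scan_all allow.txt. Any open port not in the allow-list is printed and the exit status is 1, which makes the script usable from cron or a CI job as a regression check after hardening; the .xml file written alongside is the one to feed into other tooling, since the grepable format is only stable for this kind of quick line-oriented work.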
    

A note on permission

Nmap is a legitimate, widely used tool — but port scanning systems you don't own or don't have explicit written permission to test can be illegal in most jurisdictions. Stick to your own networks, lab environments, or targets where scope has been agreed in writing. The official Nmap book is the best next step if you want to go deeper than the flags above.
