
Nmap Complete Guide — Network Scanning for Hackers

Anuj Singh (Admin), 30 April 2026

Nmap — The Hacker's Network Scanner

Nmap (Network Mapper) is the most widely used network scanning tool in the world. It is used by both security professionals and hackers to discover hosts, open ports, running services, and operating systems on a network.

Nmap was created by Gordon Lyon (Fyodor) in 1997 and is still actively developed. It is free, open source, and runs on Linux, Windows, and macOS.

Basic Nmap Scan Types

1. Ping Scan — Find Live Hosts

# Find all devices on a network
nmap -sn 192.168.1.0/24

# Output shows: Host is up (0.00045s latency)

2. TCP SYN Scan (Default When Run as Root, Most Common)

# Fast, stealthy — doesn't complete TCP handshake
nmap -sS 192.168.1.1

# Scan specific ports
nmap -sS -p 22,80,443,3306 192.168.1.1

# Scan all 65535 ports
nmap -sS -p- 192.168.1.1

3. Service Version Detection

# Detect service versions on open ports
nmap -sV 192.168.1.1

# Example output:
# 22/tcp   open  ssh     OpenSSH 8.9 (Ubuntu)
# 80/tcp   open  http    Apache httpd 2.4.52
# 3306/tcp open  mysql   MySQL 8.0.32

4. OS Detection

# Detect the target operating system
nmap -O 192.168.1.1

# Aggressive scan: OS + version + scripts + traceroute
nmap -A 192.168.1.1

5. UDP Scan

# Scan UDP services (DNS on 53, SNMP on 161, NTP on 123)
nmap -sU -p 53,161,123 192.168.1.1

# Note: UDP scans are much slower than TCP because unanswered probes must time out

Nmap Scripting Engine (NSE)

NSE scripts automate vulnerability detection. Nmap comes with 600+ built-in scripts.

# Run the default script category
nmap -sC 192.168.1.1

# Check for specific vulnerabilities
nmap --script vuln 192.168.1.1

# Check for EternalBlue (MS17-010)
nmap --script smb-vuln-ms17-010 192.168.1.1

# Brute-force SSH login
nmap --script ssh-brute -p 22 192.168.1.1

# Check HTTP headers
nmap --script http-headers -p 80 192.168.1.1

# Find all scripts in a category
ls /usr/share/nmap/scripts/ | grep "http"

Output Formats

# Normal output (default)
nmap 192.168.1.1

# XML output (for other tools)
nmap -oX scan.xml 192.168.1.1

# Grepable output
nmap -oG scan.txt 192.168.1.1

# All formats at once
nmap -oA full_scan 192.168.1.1

Evasion Techniques

# Slow scan to avoid IDS/firewall detection
nmap -T0 192.168.1.1   # Paranoid (very slow)
nmap -T1 192.168.1.1   # Sneaky
nmap -T5 192.168.1.1   # Insane (very fast, noisy)

# Spoof source IP (requires root)
nmap -S 10.0.0.100 -e eth0 192.168.1.1

# Fragment packets to bypass firewalls
nmap -f 192.168.1.1

# Use decoy IPs
nmap -D 10.0.0.1,10.0.0.2,ME 192.168.1.1

Nmap for Bug Bounty

In bug bounty, Nmap helps you find unexpected open ports that shouldn't be public — databases (3306, 5432), admin panels (8080, 8443), and development servers that were accidentally exposed. Each unexpected open port is a potential finding.
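The XML output described above (-oX) is what makes "unexpected open port" triage repeatable. The following is an added Python example, not code from this post or from the Nmap project: it parses a constructed nmap -sV -oX result and flags open TCP ports from an assumed list of ports that should not be public (the SENSITIVE_PORTS mapping and the sample XML are both constructed for this example).

```python
import xml.etree.ElementTree as ET

# Ports the post singles out as "shouldn't be public": databases and admin
# panels. This mapping is the example's own assumption, not an Nmap default.
SENSITIVE_PORTS = {3306: "MySQL", 5432: "PostgreSQL",
                   8080: "alt HTTP/admin", 8443: "alt HTTPS/admin"}

# Constructed sample of what `nmap -sV -oX scan.xml <host>` writes, trimmed to
# the elements this parser reads. Not real scan output.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 192.168.1.1">
  <host><address addr="192.168.1.1" addrtype="ipv4"/><ports>
      <port protocol="tcp" portid="22"><state state="open"/>
        <service name="ssh" product="OpenSSH" version="8.9"/></port>
      <port protocol="tcp" portid="80"><state state="open"/>
        <service name="http" product="Apache httpd" version="2.4.52"/></port>
      <port protocol="tcp" portid="3306"><state state="open"/>
        <service name="mysql" product="MySQL" version="8.0.32"/></port>
      <port protocol="tcp" portid="8080"><state state="filtered"/></port>
  </ports></host>
</nmaprun>"""

def parse_open_ports(xml_text):
    # Returns {ip: [(port, proto, "product version"), ...]} for open ports only;
    # closed/filtered ports (like 8080 above) are skipped so they never become findings.
    results = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        open_ports = []
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            banner = "" if svc is None else " ".join(
                filter(None, [svc.get("product"), svc.get("version")]))
            open_ports.append((int(port.get("portid")), port.get("protocol"), banner))
        results[addr.get("addr")] = open_ports
    return results

def flag_sensitive(results):
    # One finding per open TCP port in SENSITIVE_PORTS: (ip, port, label, banner).
    return [(ip, port, SENSITIVE_PORTS[port], banner)
            for ip, ports in results.items()
            for port, proto, banner in ports
            if proto == "tcp" and port in SENSITIVE_PORTS]

for ip, port, label, banner in flag_sensitive(parse_open_ports(SAMPLE_XML)):
    print(f"{ip}:{port} ({label}) is exposed: {banner}")
```

Point it at a real scan.xml from an authorized scan of your own range and the same two functions give you a list of exposures to fix or firewall.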
