Nmap Scans for Cyber Security and Penetration Testing
Last Updated: 23 Jul, 2025
Nmap (Network Mapper) is arguably one of the most popular open source security tools for network mapping. As a primary reconnaissance utility in the cybersecurity domain, it lets users discover the hosts and services on a computer network: Nmap sends packets to a target and analyzes the responses to learn how the target network is built and what is exposed. This article discusses the fundamental Nmap scanning techniques and the general guidelines for conducting network vulnerability scans, and explains how to use Nmap efficiently.
What is Nmap?
Nmap (Network Mapper) is a free, open source command-line tool used for information gathering during reconnaissance. It scans hosts and services on a computer network by sending packets and analyzing the responses. Listed below are the most useful scans you can run with Nmap.
How to Use Nmap
Using Nmap is straightforward. Below are some basic steps and commands to get started with Nmap:
1. Install Nmap: Nmap is available for various operating systems, including Linux, Windows, and macOS. You can download it from the official Nmap website.
2. Basic Syntax: The basic syntax for running an Nmap scan is:
nmap [Scan Type] [Options] {Target}
- Scan Type: Specifies the type of scan (e.g., -sT for a TCP connect scan, -sS for a SYN scan, -sU for a UDP scan).
- Options: Additional options such as the port range (-p), timing templates (-T0 to -T5), or output files (-oN, -oX).
- Target: The IP address, hostname, or network range (CIDR notation such as 192.168.1.0/24) of the target.
Nmap Scanning Techniques
1. TCP Scan/TCP Connect Scan:
nmap -sT 192.168.1.12 --top-ports 50
Here:
- -sT selects the TCP connect scan.
- --top-ports 50 limits the scan to the 50 TCP ports Nmap's frequency data ranks as most commonly used, instead of the default 1000 ports.
- 192.168.1.12 is the destination IP. You can also give a hostname or a network range.
This scan tests TCP ports by completing the full three-way handshake, which means your host establishes a real connection with the target (through the operating system's connect() call) before any data is exchanged between the systems. It needs no raw-socket privileges, so it is the scan Nmap falls back to when run without root.
Three-way handshake when the destination port is open: your system sends a SYN packet, the destination responds with SYN/ACK (the port is listening), and your system sends an ACK to complete the connection. Nmap then closes the connection, but the target application has already accepted it, so the probe can show up in that service's logs.
Three-way handshake when the destination port is closed: the destination responds with an RST/ACK packet and no connection is made.
The scan output lists each probed port number, the state of the port, and the service normally associated with that port.
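The following Python script is an added example, not code from the original article or from the Nmap project: it re-implements the connect scan mechanism with ordinary sockets against a listener on 127.0.0.1 so it runs offline. The function names (start_listener, connect_scan, demo) and the local listener are assumptions for illustration. It shows the point made above: because connect() completes the handshake, the target application's accept() sees every probe.

```python
"""Minimal TCP connect scan, the mechanism behind nmap -sT (added example).

A listener on 127.0.0.1 stands in for the target so the script runs offline.
connect() completes the full three-way handshake, so the listener's accept()
hands the application a finished connection for every probe: that is the
record a connect scan leaves, and what a SYN scan avoids.
"""
import errno
import socket
import threading
import time


def start_listener():
    """Bind a TCP listener on an ephemeral port and log every accepted peer."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]
    accepted = []                      # the "application log" of the target

    def serve():
        while True:
            try:
                conn, peer = srv.accept()
            except OSError:            # listener closed: stop serving
                return
            accepted.append(peer)      # the app saw the completed handshake
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return port, accepted, srv.close


def free_port():
    """Reserve and release an ephemeral port so nothing is listening on it."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def connect_scan(host, ports, timeout=1.0):
    """Return {port: state} by attempting a full TCP connection to each port.

    connect_ex() returns 0 when the handshake completed (SYN, SYN/ACK, ACK:
    open), ECONNREFUSED when the target answered with RST (closed), and a
    timeout code or a route/ICMP-derived error when nothing usable came back
    (filtered, typically a firewall silently dropping the SYN).
    """
    results = {}
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            err = s.connect_ex((host, port))
            if err == 0:
                results[port] = "open"
            elif err == errno.ECONNREFUSED:
                results[port] = "closed"
            else:
                results[port] = "filtered"
    return results


def demo():
    """Scan one open and one closed local port; return the states and the
    number of connections the target application actually accepted."""
    open_port, accepted, stop = start_listener()
    closed_port = free_port()
    states = connect_scan("127.0.0.1", [open_port, closed_port])
    # The handshake finishes in the kernel before accept() runs; wait briefly
    # for the listener thread to record the connection.
    deadline = time.monotonic() + 2
    while not accepted and time.monotonic() < deadline:
        time.sleep(0.01)
    stop()
    return {
        "open_port": states[open_port],
        "closed_port": states[closed_port],
        "connections_seen_by_target": len(accepted),
    }


if __name__ == "__main__":
    print(demo())
```

The "connections_seen_by_target" count is the practical difference between -sT and -sS: a connect scan of a real service leaves one accepted (and usually logged) connection per open port.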
2. SYN Scan/Stealth Scan/Half Open Scan:
nmap -sS 192.168.1.12 --top-ports 50
Here: -sS is used for SYN Scan.
A SYN scan is the same as the TCP connect scan except that it does not complete the three-way handshake.

In this scan the source sends a SYN packet and the destination responds with SYN/ACK, but the source then interrupts the handshake by sending an RST packet instead of the final ACK. Because the connection is never established, the application listening on the target port never sees it, which is why the scan is called "stealth": it is unlikely to appear in application logs. It is not invisible, however: firewalls and intrusion detection systems that watch for half-open connections can still record it. Crafting the raw packets requires root (or administrator) privileges, which is also why -sS is Nmap's default scan type when run as a privileged user.

3. UDP Scan:
nmap -sU 192.168.1.12 --top-ports 50
Here: -sU selects the UDP scan. Nmap sends an empty UDP datagram to each port (a protocol-specific payload for a few well-known ports such as DNS and SNMP) and classifies the port by what comes back: any UDP reply means open, an ICMP port unreachable message means closed, and silence means open|filtered. UDP scans take much longer than TCP scans because unanswered ports have to wait out a timeout and many hosts rate-limit ICMP unreachable messages (Linux to about one per second), so a full UDP scan of a host can take hours.
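The following Python script is an added example, not part of the original article or of Nmap itself: it reproduces the UDP classification rules above with plain sockets against three local targets (a service that replies, a service that stays silent, and a port nobody listens on), so it runs offline. The helper names (udp_probe, start_replying_service, start_silent_service, demo) are assumptions for illustration; the timing figure it returns shows why the silent case is what makes UDP scans slow.

```python
"""Minimal UDP port probe, the mechanism behind nmap -sU (added example).

Three sockets on 127.0.0.1 stand in for real targets: a service that replies,
a bound socket that never replies, and a port nobody listens on. Together
they show why UDP results are ambiguous and why UDP scans are slow.
"""
import socket
import threading
import time


def udp_probe(host, port, timeout=0.5):
    """Send an empty datagram (as nmap does for most ports) and classify the
    port from what comes back, using nmap's rules:

      any UDP reply                                  -> open
      ICMP port unreachable (seen as ECONNREFUSED)   -> closed
      other socket error (no route, other ICMP)      -> filtered
      nothing within the timeout                     -> open|filtered
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        # A connected UDP socket is how the kernel hands the ICMP error for
        # our probe back to us, as an errno on the next send()/recv().
        s.connect((host, port))
        try:
            s.send(b"")
            s.recv(1500)
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except socket.timeout:
            return "open|filtered"
        except OSError:
            return "filtered"


def start_replying_service():
    """A UDP service that answers every datagram (like a chatty NTP or DNS)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))

    def serve():
        while True:
            try:
                _, peer = srv.recvfrom(1500)
            except OSError:          # socket closed: stop serving
                return
            srv.sendto(b"reply", peer)

    threading.Thread(target=serve, daemon=True).start()
    return srv


def start_silent_service():
    """A UDP service that is bound but ignores unexpected input, as most do."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))
    return srv


def free_udp_port():
    """Reserve and release an ephemeral UDP port so nothing listens on it."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo():
    """Probe the three local targets; return their states and elapsed time."""
    replying = start_replying_service()
    silent = start_silent_service()
    closed_port = free_udp_port()
    started = time.monotonic()
    states = {
        "replying": udp_probe("127.0.0.1", replying.getsockname()[1]),
        "silent": udp_probe("127.0.0.1", silent.getsockname()[1]),
        "closed": udp_probe("127.0.0.1", closed_port),
    }
    states["seconds"] = time.monotonic() - started   # the silent port costs a full timeout
    replying.close()
    silent.close()
    return states


if __name__ == "__main__":
    print(demo())
```

The silent service is indistinguishable from a firewall dropping the probe, which is exactly the open|filtered ambiguity; multiply that timeout by a thousand ports and the rate limit on ICMP replies and the slowness of -sU follows.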

4. Ping Scan/NO PORT Scan:
nmap -sn 192.168.1.0/24
Here: -sn selects the ping scan (-sP is the older name for the same option).
It only prints the hosts that respond to Nmap's host discovery probes within the network; the command above says nothing about the ports of any system. The default probes are not just ICMP echo requests: when run as root, Nmap also sends a TCP SYN to port 443, a TCP ACK to port 80, and an ICMP timestamp request, so a host that drops ping can still be found. You can also run it against a single IP to check whether that host is up.

Different States of the Port Scan Results and their Meaning
Nmap reports six port states; the four below cover almost all results.
1. Open: A service is accepting connections on the port, for example a MySQL service listening on port 3306.
2. Closed: The port is reachable (the host answers) but no service is listening on it.
3. Filtered: A firewall, filter, or other network obstacle is blocking the port, so Nmap cannot determine whether it is open or closed. A port is also marked filtered when the host answers with an ICMP error other than port unreachable (for example host unreachable or administratively prohibited).
4. Open | Filtered: Nmap received no answer at all and cannot decide between the two. This is common in UDP scans: an open UDP service usually ignores an empty probe, and a firewall that drops the probe looks exactly the same, so silence is ambiguous. (In a UDP scan an ICMP port unreachable reply means the port is closed; a UDP reply means it is open.)
The two remaining states, unfiltered (reachable, but open or closed cannot be determined; seen only with ACK scans) and closed|filtered (only from the idle scan), are rarely encountered. Run Nmap with --reason to see which response, or lack of one, led to each classification.
Best Practices for Network Vulnerability Discovery
- Use Multiple Scan Types: TCP connect, SYN, UDP, and the other scan types each reveal something different, and combining them gives a fuller picture of the network; a TCP-only scan, for example, misses UDP services such as DNS and SNMP.
- Timing and Performance: The -T0 to -T5 timing templates regulate the rate of your scans. Slow templates (-T0, -T1) spread probes out so they are less likely to trip an IDS rate threshold, but they take far longer; -T4 is a reasonable choice on a fast, reliable network you are authorised to scan.
- Regular Scanning: Scan your own network on a schedule so that newly exposed services are discovered quickly and you can check that the existing countermeasures still hold; compare each run against the previous one to spot changes.
- Safe Scanning: The -sV option makes Nmap connect to each open port and send version-detection probes to identify the service and its version. It is generally safe, but it does actively talk to the services, so lower the --version-intensity for fragile devices. Always obtain written permission before scanning a network you do not own.
- Save Results: The -oN (normal), -oX (XML), or -oG (grepable) options save the output so you can analyze it later; -oX is the best choice when the results will be processed by scripts.
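The following Python script is an added example, not code from the original article or from the Nmap project. It ties the port states above to the saved output: it parses XML in the shape that -oX writes, groups the ports by state, and builds the -p argument for a follow-up -sV scan. The XML sample is constructed (the host, ports, and reasons are made up), and the function names (parse_nmap_xml, by_state, followup_targets) are assumptions for illustration.

```python
"""Parse nmap XML output (-oX) and group ports by state (added example).

SAMPLE_XML is a constructed sample in the shape nmap -oX writes; the host,
ports, and reasons are made up. On real output, run
  nmap -sS -sU --reason -oX scan.xml <target>
and pass the file's contents to parse_nmap_xml().
"""
import xml.etree.ElementTree as ET

SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sU --reason -oX scan.xml 192.168.1.12">
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="192.168.1.12" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh"/></port>
      <port protocol="tcp" portid="23"><state state="closed" reason="reset"/><service name="telnet"/></port>
      <port protocol="tcp" portid="135"><state state="filtered" reason="no-response"/><service name="msrpc"/></port>
      <port protocol="tcp" portid="3306"><state state="open" reason="syn-ack"/><service name="mysql"/></port>
      <port protocol="udp" portid="53"><state state="closed" reason="port-unreach"/><service name="domain"/></port>
      <port protocol="udp" portid="161"><state state="open|filtered" reason="no-response"/><service name="snmp"/></port>
    </ports>
  </host>
</nmaprun>
"""


def parse_nmap_xml(text):
    """Return one record per scanned port: host, proto, port, state, reason, service."""
    root = ET.fromstring(text)
    records = []
    for host in root.iter("host"):
        addr = host.find("address").get("addr")     # first address element (IPv4)
        for port in host.iter("port"):
            state = port.find("state")
            service = port.find("service")
            records.append({
                "host": addr,
                "proto": port.get("protocol"),
                "port": int(port.get("portid")),
                "state": state.get("state"),
                "reason": state.get("reason"),       # what --reason prints in normal output
                "service": service.get("name") if service is not None else None,
            })
    return records


def by_state(records):
    """Group ports by state, e.g. {'open': ['tcp/22', 'tcp/3306'], ...}."""
    groups = {}
    for r in records:
        groups.setdefault(r["state"], []).append(f"{r['proto']}/{r['port']}")
    return groups


def followup_targets(records):
    """Ports worth a deeper look: confirmed-open TCP ports plus UDP ports that
    are open or open|filtered (a -sV version probe often resolves the
    ambiguity). Returns the -p argument for the follow-up scan, using nmap's
    T:/U: syntax, e.g. 'T:22,3306,U:161'."""
    tcp = sorted(r["port"] for r in records
                 if r["proto"] == "tcp" and r["state"] == "open")
    udp = sorted(r["port"] for r in records
                 if r["proto"] == "udp" and r["state"] in ("open", "open|filtered"))
    parts = []
    if tcp:
        parts.append("T:" + ",".join(map(str, tcp)))
    if udp:
        parts.append("U:" + ",".join(map(str, udp)))
    return ",".join(parts)


if __name__ == "__main__":
    recs = parse_nmap_xml(SAMPLE_XML)
    for state, ports in by_state(recs).items():
        print(f"{state:14} {', '.join(ports)}")
    print("follow-up: nmap -sS -sU -sV -p", followup_targets(recs), "192.168.1.12")
```

Keeping the reason attribute in each record is what lets you tell a closed UDP port (port-unreach) from one that simply never answered (no-response) when you review the results later.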
Conclusion
Network mapping is an essential tool for network administrators and information security professionals. As you become familiar with the various scan types, the insight you gain into your network's security status lets you find exposed services before an attacker does. Use Nmap freely on networks you are authorised to test, and cautiously, so that the vulnerabilities it points out can be fixed and the network kept safe.