Configs · Apr 29, 2026 · 3 min read

Nmap — The Network Mapper for Security Scanning and Discovery

A free open-source utility for network discovery, port scanning, service detection, and security auditing used by administrators and security professionals worldwide.

Introduction

Nmap (Network Mapper) is a free, open-source tool for network exploration and security auditing. It discovers hosts on a network, identifies open ports and the services listening on them, fingerprints operating systems, and, through its scripting engine, checks for known vulnerabilities and misconfigurations. First released in 1997, it remains a standard tool for both system administrators and security professionals.

What Nmap Does

  • Discovers live hosts with ICMP echo and timestamp requests, TCP SYN/ACK and UDP probes, and ARP requests on the local Ethernet segment
  • Scans TCP and UDP ports and classifies each as open, closed, filtered or unfiltered (open|filtered and closed|filtered where the probe cannot tell)
  • Fingerprints operating systems (-O) and service versions (-sV) from the target's responses
  • Runs NSE (Nmap Scripting Engine) scripts for vulnerability detection, enumeration and brute forcing
  • Writes results as normal (-oN), XML (-oX) and grepable (-oG) output, or all three at once with -oA; Nmap does not emit JSON itself, so the XML file is what other tools and converters consume

Architecture Overview

Nmap is written in C and C++ with a Lua-based scripting engine (NSE). It crafts packets at the raw socket level, captures replies with libpcap (Npcap on Windows), and infers host state, port status and service identity from what comes back, including silence. The OS detection engine matches probe responses against nmap-os-db, a database of known TCP/IP stack fingerprints. NSE extends functionality with over 600 scripts covering everything from brute-force testing to vulnerability checks.

Self-Hosting & Configuration

  • Install from the package manager on Linux, macOS (Homebrew) or Windows (the official installer bundles Npcap), or from nmap.org
  • Run as root (sudo) or Administrator for SYN scans, UDP scans and OS detection, which need raw packet access; without privileges the default scan type becomes a connect scan (-sT)
  • Use -iL targets.txt to read hosts from a file for large assessments, and --exclude or --excludefile for hosts that must not be touched
  • Pick a timing template from -T0 (paranoid) to -T5 (insane): -T4 is the usual choice on reliable networks, slower templates trade hours for fewer dropped probes and less IDS noise
  • Save every run with -oA <basename> and compare the XML files with ndiff to detect new hosts, opened ports and changed services over time
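As an added example (not code from the Nmap project or from this page), the script below consumes the XML output described above and does the same job as ndiff in a form that fits into a pipeline: it parses two scans and reports ports that opened, closed, or changed service between them. Both XML documents are constructed here for illustration and trimmed to the elements the parser reads; the addresses, versions and file names are assumptions.

```python
"""Parse Nmap XML (-oX) output and diff two scans to flag newly exposed ports."""
import xml.etree.ElementTree as ET

# Two CONSTRUCTED Nmap XML documents (not real scan output), trimmed to the
# elements this parser reads. Real input comes from a run such as:
#   sudo nmap -sS -sV -T4 -iL targets.txt -oX scan.xml
BASELINE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sV -oX baseline.xml 10.0.0.0/30">
 <host><status state="up"/><address addr="10.0.0.1" addrtype="ipv4"/><ports>
  <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="9.6p1"/></port>
  <port protocol="tcp" portid="443"><state state="open"/><service name="https" product="nginx" version="1.26.0"/></port>
  <port protocol="tcp" portid="8443"><state state="open"/><service name="https-alt"/></port>
 </ports></host>
 <host><status state="down"/><address addr="10.0.0.2" addrtype="ipv4"/></host>
</nmaprun>"""

CURRENT_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sV -oX current.xml 10.0.0.0/30">
 <host><status state="up"/><address addr="10.0.0.1" addrtype="ipv4"/><ports>
  <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="9.6p1"/></port>
  <port protocol="tcp" portid="443"><state state="open"/><service name="https" product="nginx" version="1.27.0"/></port>
  <port protocol="tcp" portid="3306"><state state="open"/><service name="mysql"/></port>
  <port protocol="tcp" portid="8443"><state state="filtered"/><service name="https-alt"/></port>
 </ports></host>
 <host><status state="up"/><address addr="10.0.0.2" addrtype="ipv4"/><ports>
  <port protocol="tcp" portid="22"><state state="filtered"/></port>
  <port protocol="tcp" portid="8080"><state state="open"/><service name="http-proxy"/></port>
 </ports></host>
</nmaprun>"""


def parse_nmap_xml(xml_text):
    """Return {ip: {(proto, port): (state, service_label)}} for every host that is up."""
    hosts = {}
    for host in ET.fromstring(xml_text).findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # down hosts carry no port data worth tracking
        addrs = [a.get("addr") for a in host.findall("address")
                 if a.get("addrtype") in ("ipv4", "ipv6")]  # skip MAC address entries
        if not addrs:
            continue
        ports = {}
        for port in host.findall("ports/port"):
            state = port.find("state").get("state")
            svc = port.find("service")
            label = "" if svc is None else " ".join(
                v for v in (svc.get("name"), svc.get("product"), svc.get("version")) if v)
            ports[(port.get("protocol"), int(port.get("portid")))] = (state, label)
        hosts[addrs[0]] = ports
    return hosts


def diff_scans(old, new):
    """Compare two parsed scans. Returns lists of (ip, proto, port, detail) under
    'opened' (open now, not before), 'closed' (open before, not now) and
    'changed' (open in both but the service label differs)."""
    result = {"opened": [], "closed": [], "changed": []}
    for ip in sorted(set(old) | set(new)):
        old_open = {k: v for k, v in old.get(ip, {}).items() if v[0] == "open"}
        new_open = {k: v for k, v in new.get(ip, {}).items() if v[0] == "open"}
        for proto, port in sorted(new_open.keys() - old_open.keys()):
            result["opened"].append((ip, proto, port, new_open[(proto, port)][1]))
        for proto, port in sorted(old_open.keys() - new_open.keys()):
            # detail records what the port looks like now: closed, filtered, or absent
            now = new.get(ip, {}).get((proto, port), ("absent", ""))[0]
            result["closed"].append((ip, proto, port, now))
        for key in sorted(old_open.keys() & new_open.keys()):
            if old_open[key][1] != new_open[key][1]:
                result["changed"].append(
                    (ip, key[0], key[1], f"{old_open[key][1]} -> {new_open[key][1]}"))
    return result


def report(diff):
    """Render the diff as one line per finding, opened ports first."""
    return [f"{kind.upper():7} {ip} {port}/{proto} {detail}"
            for kind in ("opened", "closed", "changed")
            for ip, proto, port, detail in diff[kind]]


if __name__ == "__main__":
    changes = diff_scans(parse_nmap_xml(BASELINE_XML), parse_nmap_xml(CURRENT_XML))
    print("\n".join(report(changes)) or "no changes")
```

The only states worth alerting on are transitions into and out of open; a port that moves from closed to filtered on a host that was already reachable is usually a firewall change rather than new exposure, which is why the diff keys on open ports only and records the current state of anything that stopped being open. Hosts that were down in the baseline are treated as entirely new, so every open port on them is reported.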

Key Features

  • NSE scripting engine with 600+ scripts for vulnerability scanning and enumeration
  • OS detection using TCP/IP stack fingerprinting against a curated signature database
  • Service version probing (-sV) that identifies the application behind an open port and, where banners and probe responses allow, its version
  • IPv6 scanning support for modern network environments
  • Zenmap GUI for visual network topology mapping and scan management

Comparison with Similar Tools

  • Masscan — faster raw port scanner; Nmap adds OS detection, version probing, and scripting
  • ZMap — built for single-port, internet-wide scans; Nmap is better suited for targeted, multi-port assessments
  • RustScan — fast Rust port scanner that feeds discovered ports to Nmap; complementary rather than a replacement
  • Angry IP Scanner — simple GUI scanner; Nmap provides deeper analysis and scriptable automation

FAQ

Q: Is scanning networks with Nmap legal? A: Scanning systems you own or have written authorization to test is generally lawful. Scanning networks you do not own without permission may violate computer-misuse laws and the target's acceptable-use terms, and port scans are routinely logged and investigated. Get authorization in writing before scanning anything that is not yours.

Q: What is the difference between -sS and -sT scans? A: -sS (SYN scan) sends a SYN, classifies the port from the SYN/ACK or RST that comes back, then tears the half-open connection down with a RST instead of completing the handshake. It is faster and does not appear in the target's application logs as a completed connection, but it needs raw socket privileges and is still visible to any IDS or firewall watching the wire. -sT (connect scan) completes the full three-way handshake through the operating system's connect() call, so it works without privileges but is slower and more likely to be logged by the service itself.

Q: How do I scan for specific vulnerabilities? A: Use NSE scripts. nmap -sV --script vuln target runs every script in the vuln category; -sV matters because many of those scripts key off the detected service and version. To check one thing, name the script (for example --script smb-vuln-ms17-010) and pass any parameters with --script-args. Treat vuln output as leads rather than confirmed findings: many checks are version-based and need manual verification.

Q: Can Nmap scan UDP services? A: Yes. Use -sU for UDP scanning. It is much slower than a TCP scan: a closed UDP port answers with an ICMP port unreachable, which many hosts rate-limit (Linux defaults to about one per second), while an open port usually sends nothing back, so Nmap has to retransmit and wait before marking a port open|filtered. Limit the port list (for example --top-ports 100) and add -sV so service probes can draw replies from the ports that are open.
