The Basic Scan
Just knocks on the top 1,000 most common doors.
nmap 192.168.1.1
The essential guide to scanning and mapping networks.
Learn how to discover hosts and services on a computer network, building a map of things most people can't see.
Nmap is a free tool that helps you find computers, phones, and servers on a network. It shows you what doors are open on those devices and what software is running behind them.
Imagine an IP address is a large office building. Nmap is a security guard. The guard walks up to the building and knocks on every single door (port) to see if anyone answers.
After knocking, the guard writes a list. The list says which doors are open, which are locked, and who answered the open doors. This is exactly what Nmap does for computer networks.
You plug a new printer into your network but don't know its address. Nmap can scan the whole network and find it for you.
You want to make sure your computer doesn't have open doors that hackers can walk through. Nmap shows you your open doors.
A company needs a list of every computer running in their office. Nmap builds this list automatically.
Every command is built using three simple parts: the tool, the options (flags), and the target. For example: nmap -sV -p 80 192.168.1.1
- The tool (nmap). This tells the computer to start the Nmap program.
- The flags (-sV -p 80). These tell Nmap how to act. Here we ask it to check the version (-sV) and only check door number 80 (-p 80).
- The target (192.168.1.1). This is the exact address of the computer you want to check.
You will often see commands start with sudo nmap. Why? Some of Nmap's best tricks (like silent knocking or guessing the operating system) require deep access to your computer's network card.
Typing sudo is like pulling out a master key. It tells your computer, "I am the boss, let Nmap do advanced stuff." If a scan isn't working right, you probably forgot sudo.
Before Nmap knocks on 1,000 doors, it checks if the building is even there. If a computer is turned off, there's no point checking its doors. Nmap uses a "Ping Sweep" to shout "Is anyone awake?" to an entire network.
The "No Port Scan" flag (-sn)
The -sn flag tells Nmap: "Just tell me which computers are turned on. Don't bother checking any of their doors." This is incredibly fast. You can find every device on your home Wi-Fi in less than 3 seconds.
If an IP address is a building, a port is a specific room inside that building. A computer has 65,535 possible ports. Some rooms are used for specific jobs.
By default, Nmap only checks the top 1,000 most common doors to save time. But you can tell it exactly which ones you care about.
- A short list (-p 80,443). Only check door 80 and door 443. Nothing else.
- A range (-p 1-100). Check every single door starting from 1 up to 100.
- All of them (-p-). The magic dash tells Nmap to check all 65,535 doors. This takes a long time!
When Nmap knocks on a port, it usually gets one of three answers back.
- Open: the door is open, and a program is actively listening on this port. Anyone can connect to it.
- Closed: Nmap knocked, and the computer said "I am here, but there is no program running on this port right now."
- Filtered: Nmap knocked, but heard nothing back. A firewall (a security shield) is blocking Nmap's messages from reaching the port.
Computers send messages in two main ways. Nmap needs to know which way you want to check.
TCP (Nmap flag: -sT or -sS, the default)
TCP is like calling someone on the phone. You dial, they answer "Hello", you say "Hello back", and then you start talking. It guarantees the message arrived. Most of the internet (websites, emails) uses TCP.
UDP (Nmap flag: -sU)
UDP is like throwing a postcard in a mailbox. You hope it gets there, but you never get a receipt. It's very fast, used for live video games and video calls. Scanning UDP is much slower because Nmap has to wait a long time to see if the postcard was ignored.
Connect scan (-sT): Nmap walks up, knocks, waits for the door to open, steps inside, says "Hello", and then leaves. It completes a full connection. It is highly accurate, but it is very loud. The computer will write down in its logbook that you visited.
SYN scan (-sS): Nmap knocks. As soon as the door starts to open, Nmap runs away before stepping inside. It found out the door was open, but because it didn't complete the greeting, many computers won't write it down in their logbook. This is the default scan.
Knowing a port is open is good. Knowing exactly what software is using that port is better.
The Version flag (-sV)
When you use -sV, Nmap doesn't just check if the door is open. It yells into the room and asks, "What is your name and what version are you?"
The OS flag (-O, capital letter O)
Every operating system (Windows, Mac, Linux) answers network messages in a slightly different way, like an accent. Nmap can listen to these "accents" and guess what operating system the target is running.
Sometimes you are in a rush. Sometimes you want to go very slowly so security alarms don't go off. You can control Nmap's speed from 0 to 5 using the -T flag.
If you don't want the target computer to know you are the one knocking, you can use decoys. The -D flag tells Nmap to send fake knocks from other IP addresses at the exact same time you knock. To the target's security guard, it looks like 3 different people knocked at once. They won't know which one was actually you.
Nmap has mini-programs inside it called scripts. These scripts can do complicated jobs automatically.
- Default scripts (-sC): runs a collection of the most safe and common scripts. It checks for obvious weak spots.
- Vulnerability scripts (--script vuln): tells Nmap to run specific scripts that check if the computer has known security holes (vulnerabilities).
If typing commands into a black terminal window feels intimidating, you can use Zenmap.
Zenmap is the official visual version of Nmap. It has buttons, drop-down menus, and even draws a cool spider-web map of all the devices on your network. It does the exact same thing as the terminal, just with a mouse.
When Nmap finishes, it prints a report. Here is how to read a basic scan report.
| PORT | STATE | SERVICE | VERSION |
|---|---|---|---|
| 22/tcp | open | ssh | OpenSSH 8.2p1 |
| 80/tcp | open | http | Apache httpd 2.4.41 |
| 443/tcp | filtered | https | |
If you scan 500 computers, the results will scroll off your screen faster than you can read them. Always save your output to a file.
- Normal (-oN). Saves the text exactly how it looks on your screen.
- Greppable (-oG). Puts all the data into neat rows so other computer tools can search it easily.
- All Formats (-oA). The best option. Saves a Normal file, a Greppable file, and an XML file all at once.
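The greppable (-oG) format is the one other tools read. The script below is an added example (not from the original page): it takes a constructed sample of greppable output, lists which hosts are up, and pulls out only the open doors with their service and version, which is exactly the information the report table above shows.

```shell
#!/bin/sh
# Constructed sample of Nmap greppable (-oG) output; not a real scan.
# Each port entry on a "Ports:" line has the shape
#   port/state/protocol/owner/service/rpcinfo/version/
# and entries are separated by ", ".
SAMPLE_GNMAP='# Nmap scan initiated (constructed sample) as: nmap -sV -oG scan.gnmap 192.168.1.0/24
Host: 192.168.1.1 ()	Status: Up
Host: 192.168.1.1 ()	Ports: 22/open/tcp//ssh//OpenSSH 8.2p1/, 80/open/tcp//http//Apache httpd 2.4.41/, 443/filtered/tcp//https///	Ignored State: closed (997)
Host: 192.168.1.20 ()	Status: Up
Host: 192.168.1.20 ()	Ports: 80/open/tcp//http//nginx 1.18.0/	Ignored State: closed (999)'

# hosts_up: reads greppable output on stdin, prints one IP per host that answered the ping sweep.
hosts_up() {
  awk '/^Host: / && /Status: Up/ { print $2 }'
}

# open_ports: reads greppable output on stdin, prints "host port/proto service [version]"
# for every port whose state is "open"; closed and filtered doors are skipped.
open_ports() {
  awk '
    /^Host: / && /Ports: / {
      host = $2
      line = $0
      sub(/.*Ports: /, "", line)                 # keep only the port list
      sub(/[ \t]+Ignored State.*/, "", line)     # drop the trailing summary
      n = split(line, entries, ", ")
      for (i = 1; i <= n; i++) {
        split(entries[i], f, "/")
        # f[1]=port f[2]=state f[3]=protocol f[5]=service f[7]=version
        if (f[2] != "open") continue
        out = host " " f[1] "/" f[3] " " f[5]
        if (f[7] != "") out = out " " f[7]
        print out
      }
    }'
}

# Run against the sample when executed directly.
echo "Hosts up:"
printf '%s\n' "$SAMPLE_GNMAP" | hosts_up
echo "Open ports:"
printf '%s\n' "$SAMPLE_GNMAP" | open_ports
```

Replace SAMPLE_GNMAP with `cat scan.gnmap` to run it over a file written by your own `-oG` or `-oA` scan.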
-T5 over a weak Wi-Fi signal will drop packets and Nmap will tell you doors are closed when they are actually open.
sudo: Wondering why your OS detection (-O) gave you an error? You forgot to run it as an admin.
Checks versions (-sV), runs safe scripts (-sC), and guesses the OS (-O). Also called the Aggressive scan (-A).
nmap -A 192.168.1.1
Finds every single device turned on in a typical home or small office network.
nmap 192.168.1.0/24
Only knocks on one single door instead of all of them (saves time).
nmap -p 443 192.168.1.1
Never, ever scan a network or an IP address that you do not own, or do not have written permission to scan.
Using Nmap to check your own home router or your own servers is a great way to learn security. Scanning someone else's server without asking looks like a digital break-in to security teams and is illegal in many places.