
Nmap for Penetration Testing

Warning: Only scan systems you own or have explicit permission to test. Even basic scans can trigger alerts or create noisy logs outside a lab or approved assessment.

Nmap, short for Network Mapper, is an open-source network scanning tool used to discover hosts, find open ports, and gather details about exposed services. Penetration testers often use it early in an assessment because it helps turn an unknown target or network range into a clearer map of what is reachable.

With Nmap, you can start answering questions like:

  • What hosts are online?
  • What ports are open?
  • What services and versions are running?
  • Is traffic being filtered?
  • What deserves closer review?

Confirm the Network Range

Before running Nmap, it helps to understand the network range you are working with.

ip addr

This shows your IP address and network interface information.

ip route

This shows your default gateway and routing table.

Find Live Hosts

Start by finding which systems are online. Once you know what is responding, you can focus the rest of your scans on those hosts.

ARP Scan

On a local network, ARP discovery is usually one of the fastest ways to find live hosts.

sudo nmap -PR -sn 192.168.1.0/24

The -PR option uses ARP requests, while -sn performs host discovery only and skips port scanning. ARP is a link-layer protocol, so this only works for targets on the same local segment; for a remote range Nmap falls back to IP-based probes. When run as root against a local Ethernet network, Nmap already prefers ARP for discovery, so -PR mostly makes that choice explicit. The sudo is needed because sending raw ARP frames requires raw socket access.

Save Discovered IPs

After finding live hosts, save them to a file:

nano targets.txt
192.168.1.7
192.168.1.9
192.168.1.13
192.168.1.14
192.168.1.254

This gives you a focused target list for the next round of scans.
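Typing the list by hand is fine for five hosts, but it does not scale and invites typos. The shell script below is an added example, not code from the original article: it reads the grepable output of the discovery scan above (saved with -oG, a real Nmap option) and writes the hosts reported as Up to a target file. The sample discovery output embedded in it is constructed for this example, and the function names extract_live_hosts and write_targets are assumptions of the example rather than anything Nmap provides.

```shell
#!/bin/sh
# Added example (not from the original article): build targets.txt from the
# grepable output of a host-discovery scan instead of typing addresses by hand.
#
# Produce the input file first (real Nmap options; ARP needs root):
#   sudo nmap -PR -sn 192.168.1.0/24 -oG discovery.gnmap
# In -oG output every host is one line, e.g. "Host: 192.168.1.7 ()  Status: Up".

# extract_live_hosts FILE: print the address of every host reported as Up.
# Down hosts only appear in -oG output when -v is used; they are skipped either way.
extract_live_hosts() {
    awk '/^Host:/ && /Status: Up/ { print $2 }' "$1"
}

# write_targets FILE OUTFILE: save the live hosts, one per line, in address
# order and without duplicates, ready for later "-iL OUTFILE" scans.
# Prints the number of targets written.
write_targets() {
    extract_live_hosts "$1" | sort -t. -k1,1n -k2,2n -k3,3n -k4,4n -u > "$2"
    wc -l < "$2" | tr -d ' '
}

# Constructed sample of what -oG writes (assumed data for the example, not
# captured from a real scan; the -v run makes the Down host visible).
sample_gnmap=$(mktemp)
cat > "$sample_gnmap" <<'EOF'
# Nmap scan initiated as: nmap -PR -sn -v 192.168.1.0/24 -oG discovery.gnmap
Host: 192.168.1.7 ()	Status: Up
Host: 192.168.1.9 ()	Status: Up
Host: 192.168.1.20 ()	Status: Down
Host: 192.168.1.13 ()	Status: Up
Host: 192.168.1.14 ()	Status: Up
Host: 192.168.1.254 ()	Status: Up
# Nmap done: 256 IP addresses (5 hosts up) scanned
EOF

# Show the live hosts. For real use, write the file for the next scans with:
#   write_targets discovery.gnmap targets.txt
extract_live_hosts "$sample_gnmap"
```

Because the discovery scan is the noisiest part of the workflow against a whole /24, saving its output once and deriving the target list from the file means you never need to rerun it just to remember which hosts answered.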

ICMP Ping Scan

An ICMP ping scan can be useful when checking whether a remote host responds to ping-style probes.

sudo nmap -PE -sn scanme.nmap.org

The -PE option sends an ICMP Echo Request, similar to a normal ping, while -sn keeps the scan focused on host discovery.

No response does not always mean the host is offline. A firewall may be blocking ICMP.

TCP ACK Discovery Scan

If ICMP is blocked, TCP-based discovery may still get a response.

sudo nmap -PA80 -sn scanme.nmap.org

The -PA80 option sends a TCP ACK packet to port 80.

If the host replies with a TCP reset packet, Nmap can determine that the host is alive. This is useful because some networks block ping but still respond to certain TCP packets.

If you know a host is in scope but it does not respond to discovery probes, you can use -Pn to tell Nmap to treat it as online:

nmap -Pn 192.168.1.7

Use -Pn carefully. Against large ranges it can make scans much slower, because Nmap port-scans every address in the range, including ones that are not up, and each probe to a dead address has to time out.

Nmap Port States

Once you begin scanning ports, Nmap reports states that help you interpret the results.

State            Meaning
open             The port is accepting connections.
closed           The host is reachable, but nothing is listening on that port.
filtered         Nmap cannot determine whether the port is open because something, usually a firewall, is blocking probes.
unfiltered       The port is reachable, but Nmap cannot tell whether it is open or closed. Only the ACK scan (-sA) reports this state.
open|filtered    Nmap cannot determine whether the port is open or filtered. Common with UDP scans, where an open port may simply not respond.
closed|filtered  Nmap cannot determine whether the port is closed or filtered. Only reported by the IP ID idle scan.

Find Open TCP Ports

After finding live hosts, the next question is: what TCP ports are open?

A basic Nmap scan against one host looks like this:

nmap 192.168.1.7

By default, Nmap scans the top 1,000 most common TCP ports.

Example output:

PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

This tells you SSH and HTTP are open. The next step is to identify what versions are running and what each service exposes.

Scan a List of Hosts

Once live hosts are saved in targets.txt, scan the list:

nmap -iL targets.txt

The -iL flag points Nmap to a target list. This is cleaner than scanning the whole subnet every time, and lets you reuse the same target set across multiple scans.

To save the results in every format at once, use -oA with a base name:

nmap -iL targets.txt -oA basic-scan

This writes three files: basic-scan.nmap (the normal output you see on screen), basic-scan.gnmap (grepable output, one line per host, easy to process with grep or awk) and basic-scan.xml (for tools that import Nmap results). Saving results makes it easier to review findings later without rerunning the scan.

Scan Specific Ports

Targeted port scans are useful when you want to check for specific services, such as SSH, HTTP, FTP, or Telnet.

Scan for SSH:

nmap -p 22 -iL targets.txt

Scan for HTTP:

nmap -p 80 -iL targets.txt

Scan multiple ports:

nmap -p 21,22,23,80 -iL targets.txt

The -p option specifies the port or ports to scan.

An open port tells you a service is reachable. The next step is to learn more about that service, such as its version, configuration, and whether it exposes anything useful.

Scan All TCP Ports

The default scan is a good starting point, but it does not check every TCP port.

To scan all TCP ports, use:

nmap -p- 192.168.1.7

The -p- option scans all TCP ports from 1 through 65535.

Because this checks all 65,535 TCP ports, it takes longer than the default scan, but it can reveal services running on ports Nmap would not normally check.

Check Filtering With ACK Scans

When Nmap reports filtered ports, an ACK scan can help show whether a firewall is affecting the scan results.

sudo nmap -sA -iL targets.txt

The -sA option never reports a port as open. It only tells you whether a port is filtered or unfiltered.

An ACK scan sends bare ACK packets, which look like part of an existing connection. A host that is not behind a filter answers them with a RST whether the port is open or closed, so a RST means unfiltered. No reply, or an ICMP unreachable error, means filtered. Comparing this with a normal SYN scan of the same ports shows where the filtering sits: a port that is filtered to SYN but unfiltered to ACK is behind a stateless filter that blocks new connections, while a port that is open to SYN but filtered to ACK is behind a stateful firewall that drops packets not belonging to a tracked connection. The sudo is needed because ACK scans send raw packets.
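To make that comparison concrete, here is an added shell example that is not part of the original article. It joins the normal-format output of a SYN scan and an ACK scan of the same host (saved with -oN, a real Nmap option) and labels each port with what the pair of states says about filtering. The two result files inside it are constructed for the example, and the function names and verdict labels are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the original article): compare a SYN scan and an ACK
# scan of the same host to see what a firewall is doing, port by port.
#
# Real commands that produce the inputs (normal output; raw packets need root):
#   sudo nmap -sS -p 22,80,443,3389 -oN syn.txt 192.168.1.7
#   sudo nmap -sA -p 22,80,443,3389 -oN ack.txt 192.168.1.7

# classify SYN_STATE ACK_STATE: one short verdict for a port from the pair of states.
# An ACK scan never reports "open": a RST reply means "unfiltered" (the packet
# reached the host), silence or an ICMP unreachable means "filtered".
classify() {
    case "$1/$2" in
        open/unfiltered)     echo "open-unfiltered" ;;   # service reachable, nothing in the way
        open/filtered)       echo "open-stateful-fw" ;;  # SYN allowed, unsolicited ACK dropped: stateful firewall
        closed/unfiltered)   echo "closed-unfiltered" ;; # reachable, nothing listening
        filtered/unfiltered) echo "syn-only-blocked" ;;  # ACK passes, SYN does not: stateless filter on new connections
        filtered/filtered)   echo "dropped-both" ;;      # everything dropped, or host unreachable
        *)                   echo "inconsistent" ;;      # rescan before drawing conclusions
    esac
}

# compare_syn_ack SYN_FILE ACK_FILE: print "port syn=STATE ack=STATE verdict"
# for every port line in the ACK results, looking up that port's SYN state.
compare_syn_ack() {
    while read -r port ackstate _; do
        case "$port" in */tcp) ;; *) continue ;; esac   # skip headers and report lines
        synstate=$(awk -v p="$port" '$1 == p { print $2 }' "$1")
        synstate=${synstate:-unscanned}
        printf '%-9s syn=%-8s ack=%-10s %s\n' "$port" "$synstate" "$ackstate" \
            "$(classify "$synstate" "$ackstate")"
    done < "$2"
}

# Constructed sample results (assumed data for the example, not from a real host)
syn_file=$(mktemp); ack_file=$(mktemp)
cat > "$syn_file" <<'EOF'
Nmap scan report for 192.168.1.7
PORT     STATE    SERVICE
22/tcp   open     ssh
80/tcp   open     http
443/tcp  filtered https
3389/tcp filtered ms-wbt-server
EOF
cat > "$ack_file" <<'EOF'
Nmap scan report for 192.168.1.7
PORT     STATE      SERVICE
22/tcp   unfiltered ssh
80/tcp   unfiltered http
443/tcp  unfiltered https
3389/tcp filtered   ms-wbt-server
EOF

compare_syn_ack "$syn_file" "$ack_file"
```

In the sample, 443/tcp is filtered to SYN but unfiltered to ACK, which points to a stateless rule blocking new connections on that port, while 3389/tcp is dropped both ways. Either way the verdict is a lead for the report, not proof of the firewall's configuration; confirm it from the device if you get access.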

Scan UDP Ports

TCP scans do not show the whole picture. Some important services use UDP, including DNS, DHCP, TFTP, NTP, and SNMP.

A beginner-friendly UDP scan is:

sudo nmap -sU --top-ports 20 192.168.1.7

The -sU option runs a UDP scan, and --top-ports 20 scans the 20 most common UDP ports. UDP scanning is slow, because an open UDP port often does not reply at all, so Nmap reports it as open|filtered and has to wait for timeouts before moving on. Adding -sV makes Nmap send protocol-specific payloads to those ports, which can turn an open|filtered result into a confirmed service. The sudo is needed because raw UDP probes and reading the ICMP port unreachable replies require raw socket access.

Identify Services and Versions

Once you find an open port, the next step is to identify the service and version running on it.

Use:

nmap -sV 192.168.1.7

The -sV option probes open ports to determine service and version information.

Example output:

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu
80/tcp open  http    Apache httpd 2.4.52

Now you know more than port 80 is open. Nmap believes Apache is running, and it has reported a version.

That can guide your next steps, such as checking whether the version is current and looking for known CVEs.

OS Detection

Nmap can also attempt to identify the target operating system:

sudo nmap -O 192.168.1.7

The -O option enables OS detection.

OS detection works by analyzing how the target responds to probes. It works best when Nmap can find at least one open port and one closed port.

Example output might look like:

OS details: Linux 4.X|5.X

It can help you understand what the target may be running, but it should be treated as an informed guess rather than a confirmed result.

Scan Timing and Behavior

Timing templates control how quickly Nmap sends probes.

-T0 (paranoid)
-T1 (sneaky)
-T2 (polite)
-T3 (normal, the default)
-T4 (aggressive)
-T5 (insane)

Higher numbers scan faster, but faster is not always better. Aggressive timing can be noisier, less reliable, or more likely to miss results on unstable networks, because probes that time out too early are reported as filtered or dropped. -T4 is a common choice on a fast lab network; -T0 and -T1 are so slow that they are only practical for a handful of ports.

nmap -T4 192.168.1.7

Use NSE for Deeper Enumeration

Nmap’s Scripting Engine, often called NSE, can automate common checks and collect extra information from exposed services.

Run Nmap’s default scripts with:

nmap -sC 192.168.1.7

The -sC option runs Nmap’s default scripts.

nmap -sC -sV 192.168.1.7

This combines default scripts with service and version detection.

Default scripts can collect useful details from services like HTTP, SMB, SSH, and FTP. This gives you more context before deciding what to investigate next.

Use NSE Vulnerability Scripts

Nmap also includes script categories such as vuln, which attempt to detect known vulnerabilities.

nmap --script vuln 192.168.1.7

Vulnerability scripts can be useful, but they should not be treated as a beginner default. Some are noisy or intrusive, so it is better to identify the exposed service first and then run a specific script that matches what you found.

For example, if SMB is exposed, you could run:

nmap --script smb-os-discovery -p 445 192.168.1.7

This keeps the scan focused and easier to interpret. Vulnerability scanning can point you toward issues worth reviewing, but script results should be treated as leads rather than confirmed findings.
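As an added example that is not part of the original article, the shell script below ties the -oA results from the earlier scans to this "identify first, then script" advice. It parses the .gnmap file that -oA writes for a port scan, lists the open ports per host, and prints one focused nmap -sV --script command per host that loads only scripts relevant to the services Nmap named. The scripts it references (ssh2-enum-algos, ssh-hostkey, http-title, http-headers, smb-os-discovery, smb-security-mode, ftp-anon) are real NSE scripts, but the service-to-script mapping is this example's choice, and the sample scan data and function names are constructed for it.

```shell
#!/bin/sh
# Added example (not from the original article): read the .gnmap file written by
# "-oA NAME" after a port scan, list open ports per host, and build one focused
# "nmap -sV --script ..." command per host from the service names Nmap reported.
#
# Input producer (real options):  nmap -p- -iL targets.txt -oA full-tcp
# -oA writes full-tcp.nmap, full-tcp.gnmap and full-tcp.xml; this parses the .gnmap.
# A grepable host line has tab-separated sections, e.g.
#   Host: 192.168.1.7 ()  Ports: 22/open/tcp//ssh///, 80/open/tcp//http///  Ignored State: closed (65533)
# and each port entry is port/state/protocol/owner/service/rpcinfo/version/.

# open_ports FILE: print "host port/proto service" for every port in state open
# (filtered and open|filtered ports are left out; they need their own follow-up).
open_ports() {
    awk '
        /^Host:/ && index($0, "Ports: ") {
            host = $2
            ports = substr($0, index($0, "Ports: ") + 7)
            sub(/Ignored State:.*$/, "", ports)        # drop the trailing summary
            n = split(ports, entry, ", ")
            for (j = 1; j <= n; j++) {
                split(entry[j], f, "/")
                if (f[2] == "open") print host, f[1] "/" f[3], f[5]
            }
        }' "$1"
}

# scripts_for SERVICE: NSE scripts worth running for a service name from the scan.
# The mapping is this example's choice; the script names are real NSE scripts.
scripts_for() {
    case "$1" in
        ssh)                            echo "ssh2-enum-algos,ssh-hostkey" ;;
        http|https|http-proxy|http-alt) echo "http-title,http-headers" ;;
        microsoft-ds|netbios-ssn)       echo "smb-os-discovery,smb-security-mode" ;;
        ftp)                            echo "ftp-anon" ;;
        *)                              echo "" ;;   # unknown service: fall back to -sC
    esac
}

# targeted_scan_commands FILE: one nmap command per host with open ports, limited
# to those ports and to the scripts matched above (or -sC when none matched).
targeted_scan_commands() {
    open_ports "$1" | while read -r host port svc; do
        printf '%s %s %s\n' "$host" "${port%/*}" "$(scripts_for "$svc")"
    done | awk '
        {
            h = $1; p = $2; s = $3
            if (h in ports) ports[h] = ports[h] "," p
            else { hosts[++n] = h; ports[h] = p }
            if (s != "" && index(scripts[h], s) == 0)
                scripts[h] = (scripts[h] == "") ? s : scripts[h] "," s
        }
        END {
            for (i = 1; i <= n; i++) {
                h = hosts[i]
                extra = (scripts[h] == "") ? "-sC" : "--script " scripts[h]
                printf "nmap -sV -p %s %s %s\n", ports[h], extra, h
            }
        }'
}

# Constructed sample .gnmap (assumed data for the example, not a real scan)
sample_gnmap=$(mktemp)
cat > "$sample_gnmap" <<'EOF'
# Nmap scan initiated as: nmap -p- -iL targets.txt -oA full-tcp
Host: 192.168.1.7 ()	Ports: 22/open/tcp//ssh///, 80/open/tcp//http///, 445/open/tcp//microsoft-ds///	Ignored State: closed (65532)
Host: 192.168.1.9 ()	Ports: 21/open/tcp//ftp///, 3389/filtered/tcp//ms-wbt-server///, 8080/open/tcp//http-proxy///	Ignored State: closed (65532)
Host: 192.168.1.254 ()	Ports: 53/filtered/tcp//domain///	Ignored State: closed (65534)
EOF

open_ports "$sample_gnmap"
targeted_scan_commands "$sample_gnmap"
```

The generated commands touch only the ports already known to be open and load only scripts that match what was found, so the follow-up is quieter and the output is easier to read than a blanket --script vuln run. Hosts with nothing open, like 192.168.1.254 in the sample, get no command at all; their filtered ports are a question for the ACK scan, not for NSE.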

Understand Aggressive Scans

Nmap has an aggressive scan option:

sudo nmap -A 192.168.1.7

-A is convenient because it combines OS detection, version detection, default script scanning, and traceroute in one command. It also sends more probes than a basic scan, which makes it noisier and the results harder to interpret. It does not widen the port range: it still checks the default 1,000 ports unless you add -p or -p-. OS detection and traceroute need raw packets, which is why the command runs under sudo.

Final Thoughts

Nmap is most useful when you treat it as part of a workflow. Start by confirming your network, then move into host discovery, port scanning, and service identification before deciding what needs a closer look.

It can feel overwhelming at first because there are so many scan types and options, but the workflow becomes easier to follow when you focus on what each scan is trying to answer. Once you understand what the results are showing you, Nmap becomes one of the most useful first steps in a penetration test.

// this article was written with ai assistance.