Network Mapping & Port Scanning with NMAP

Network Mapping & Port Scanning with NMAP

Photo by DeepMind on Unsplash

If we are to defend, we first need to know what to defend. Asset Management often relies on Network Mapping to identify which systems are live on a network.

Asset management and knowing what you expose on the network, including which services are hosted is very important for anyone looking to defend their network.

Nmap — The Network Mapper

Nmap has for a long time been considered as the standard port scanner for both network engineers and security professionals. We can use it to discover assets to attack or defend.

Network Mapping

One way to identify hosts which are active on the network is to send a ping, i.e. ICMP Echo Request, to all IP Addresses in the network. This is often referred to as a Ping Sweep.

This approach is not very good in discovering assets. It is likely that systems on the network will ignore incoming pings, perhaps due to a Firewall blocking them or because of a Host-Based Firewall. A host-based firewall is simply a firewall which is implemented on the system instead of on the network.

A better approach involves sending a different kinds of packets to a system to try ask for any kind of answer to determine if system is alive or not. For example Nmap will send the following packets to the system to try cause a response:

  • ICMP Echo Request
  • TCP SYN packet to port 443
  • TCP ACK packet to port 80
  • ICMP Timestamp request

Based on the TCP specifications, that is the rules of communications, a system should always engage in a three-way handshake before starting to communicate. Nmap seems to be intentionally breaking the rules with the packets above. Can you spot which packet is not behaving as systems would expect?

Sending a TCP ACK packet to port 80 is not conforming to the rules of the TCP standard. Nmap does this specifically to try cause the target system to make a reply. In order to send packets which are not following the rules, Nmap must run with the highest level of privileges, e.g. root or local administrator. Most port scanners will be more accurate because of this.

Disabling the Network Mapping can be done with Nmap with the -Pn flag. Nmap will now consider all IP/systems to be up and go directly to port scanning.

Try this at home now if you would like to. Careful, if you are at a corporate environment, always get permission before you start running scanners as you do not want to violate any rules of your workspace. To try Nmap now, follow these simple steps:

  • Go download Nmap at Make sure you download the version that matches your operating system
  • Install Nmap and launch the tool from a command line terminal
  • Find your local IP address and subnet
  • Run Nmap to scan it to see what kinds of systems it can discover: nmap -vv IP/netmask

We are adding two -v flag to tell Nmap we want verbose output, that makes the scan more fun to watch while it completes.

ARP Scan

The ARP protocol is contained within a LAN, but if the hosts you need to discover is on the LAN we could use this protocol to try reveal systems on the network. By simply iterating over all available IP addresses on the LAN network with the ARP protocol, we are trying to force systems to reply.

The scan looks like this:

Eve: Please Provide Mac Address of system
Eve: Please Provide Mac Address of system
Eve: Please Provide Mac Address of system
Eve: Please Provide Mac Address of system
Eve: Please Provide Mac Address of system–254
Default Gateway: is me and my MAC Address is AA:BB:CC:12:34:56
Bob: is me and my MAC Address is: BB:CC:DD:12:34:56
Alice: is me and my MAC Address is: CC:DD:EE:12:34:56

Note: ARP Scanning is a simple and effective way to find hosts on the LAN, but not outside of the LAN.

Port Scanning

Port Scanning is done to try determine which services we can connect to. Each listening service provides attack surface which could potentially be abused by attackers. As such it is important to learn which ports are open.

Attackers are interested in knowing which applications are listening on the network. These applications represent opportunities for attackers. There might be vulnerabilities enabling them to attack successfully the organization.

Port Scanning works by sending packets to an application and looking for any replies. This is exceptionally easy for TCP, as if a TCP service is available it will always reply with a SYN/ACK packet. For UDP however it is more difficult. In order to detect if the service is available or not, in most cases the attacker must send specific input which forces the application to reply. Most applications hosted in UDP will not reply unless the Clients sends exactly the input required to engage in communications.

TCP Port Scanning

TCP is an easy protocol to scan because the TCP standard dictates that systems should reply with a SYN/ACK when receiving a SYN. We can send a SYN packet to all 65536 ports and record all SYN/ACK’s coming back and conclude the ports which are opened based on the reply of a SYN/ACK. When no reply is received, we can assume the port is closed or filtered by for example a Firewall.

With the SYN/ACK on port 445 we have identified the port is open.

UDP Port Scanning

With UDP it is harder to determine if a port is up or not. For UDP ports the scanner can not rely on a SYN/ACK. In fact, the scanner must almost always rely on making the service listening cause some sort of reply.

With so many ports potentially open and different services only replying to the correct kind of data, it becomes time consuming and hard to scan all ports in a reasonable time.

Consider the following conversation where Eve tries to figure out if a UPD port is open:

Eve need to talk the correct protocol, and make sure the packets reach their destination, e.g. no packet loss. Otherwise Eve might not discover the port is open.

Because of this UDP scanning can be very time consuming if we want to scan all ports.

Useful Nmap Scan Types and Options

There are many scanners out there, however in this section we focus on how to utilize Nmap to the full potential.

Nmap can be told to scan the most common ports with the argument — top-ports.

nmap — top-ports 100

The scanner can try determine versions of the application listening behind a port. This is called service scanning and can be enabled with the -sV flag.

nmap -sV

Nmap has many built-in scripts designed to target a specific service and interact with it. Scripts can do all sorts of things like pull out information from the service or try to exploit it. We can enable the script scanner with the -sC flag. This enables only safe checks, as such no denial of service or exploitation attempts.

nmap -sC

Operating System detection can be done with the scanner, allowing it to try determine which operating system is running. It uses many different parameters to try measure and estimate the likelihood of what operating system it is. This can be enabled with the -O argument.

nmap -O

The aggressive mode of Nmap enables many flags at once. The scanner will do version and OS detection, enable the script scanner and scan the top 1000 most common ports. It can be enabled wit the -A option.

nmap -A

Nmap can also scan IPv6 across all of the above flags. It is enabled by adding the -6 flag.

nmap -6

Note: The best way to understand is to practice and get hands on experience. Go ahead and download Nmap and try these different scans against systems in your own environment!

Nmap Timing options

Scanning can be done with different speeds. Slower speeds have a less likelihood to be detected by IDS systems, while a fast scan might overwhelm the system. Nmap supports the following options:

  • T0 — Paranoid. This option is for attackers whom do not want to be detected. IDS systems can correlate multiple requests within a certain timespan. The paranoid option will try to circumvent this by only sending very few packets per second.
  • T1 — Sneaky. Faster but designed to evade IDS systems.
  • T2 — Polite. Slow scan doing its best job not to crash a system.
  • T3 — Normal. It’s simply the default.
  • T4 — Aggressive. Fast scan which gives results fast. Most systems can cope with this.
  • T5 — Insane. We are sending at full capacity and performance.


Nmap has a built-in GUI (“Graphical User Interface”) a long side with other tools too. The GUI can be useful to visualize networks and browse open ports across different hosts. The GUI looks like this:


Let’s look at some Nmap commands. If you don’t have Nmap installed, you can get it from here.

Basic scans

Scanning the list of active devices on a network is the first step in network mapping. There are two types of scans you can use for that:

  • Ping scan — Scans the list of devices up and running on a given subnet.
> nmap -sp
  • Scan a single host — Scans a single host for 1000 well-known ports. These ports are the ones used by popular services like SQL, SNTP, apache, and others.
> nmap

Stealth scan

Stealth scanning is performed by sending an SYN packet and analyzing the response. If SYN/ACK is received, it means the port is open, and you can open a TCP connection.

However, a stealth scan never completes the 3-way handshake, which makes it hard for the target to determine the scanning system.

> nmap -sS

You can use the ‘-sS’ command to perform a stealth scan. Remember, stealth scanning is slower and not as aggressive as the other types of scanning, so you might have to wait a while to get a response.

Version scanning

Finding application versions is a crucial part in penetration testing.

It makes your life easier since you can find an existing vulnerability from the Common Vulnerabilities and Exploits (CVE) database for a particular version of the service. You can then use it to attack a machine using an exploitation tool like Metasploit.

> nmap -sV

To do a version scan, use the ‘-sV’ command. Nmap will provide a list of services with its versions. Do keep in mind that version scans are not always 100% accurate, but it does take you one step closer to successfully getting into a system.

OS Scanning

In addition to the services and their versions, Nmap can provide information about the underlying operating system using TCP/IP fingerprinting. Nmap will also try to find the system uptime during an OS scan.

> nmap -sV

You can use the additional flags like osscan-limit to limit the search to a few expected targets. Nmap will display the confidence percentage for each OS guess.

Again, OS detection is not always accurate, but it goes a long way towards helping a pen tester get closer to their target.

Aggressive Scanning

Nmap has an aggressive mode that enables OS detection, version detection, script scanning, and traceroute. You can use the -A argument to perform an aggressive scan.

> nmap -A

Aggressive scans provide far better information than regular scans. However, an aggressive scan also sends out more probes, and it is more likely to be detected during security audits.

Scanning Multiple Hosts

Nmap has the capability of scanning multiple hosts simultaneously. This feature comes in real handy when you are managing vast network infrastructure.

You can scan multiple hosts through numerous approaches:

  • Write all the IP addresses in a single row to scan all of the hosts at the same time.
> nmap
  • Use the asterisk (*) to scan all of the subnets at once.
> nmap 192.164.1.*
  • Add commas to separate the addresses endings instead of typing the entire domains.
> nmap,2,3,4
  • Use a hyphen to specify a range of IP addresses
> nmap–255

Port Scanning

Port scanning is one of the most fundamental features of Nmap. You can scan for ports in several ways.

  • Using the -p param to scan for a single port
> nmap -p 973
  • If you specify the type of port, you can scan for information about a particular type of connection, for example for a TCP connection.
> nmap -p T:7777, 973
  • A range of ports can be scanned by separating them with a hyphen.
> nmap -p 76–973
  • You can also use the -top-ports flag to specify the top n ports to scan.
> nmap --top-ports 10

Scanning from a File

If you want to scan a large list of IP addresses, you can do it by importing a file with the list of IP addresses.

> nmap -iL /input_ips.txt

The above command will produce the scan results of all the given domains in the “input_ips.txt” file. Other than simply scanning the IP addresses, you can use additional options and flags as well.

Verbosity and Exporting Scan Results

Penetration testing can last days or even weeks. Exporting Nmap results can be useful to avoid redundant work and to help with creating final reports. Let’s look at some ways to export Nmap scan results.

Verbose Output

> nmap -v

The verbose output provides additional information about the scan being performed. It is useful to monitor step by step actions Nmap performs on a network, especially if you are an outsider scanning a client’s network.

Normal output

Nmap scans can also be exported to a text file. It will be slightly different from the original command line output, but it will capture all the essential scan results.

> nmap -oN output.txt

XML output

Nmap scans can also be exported to XML. It is also the preferred file format of most pen-testing tools, making it easily parsable when importing scan results.

> nmap -oX output.xml

Multiple Formats

You can also export the scan results in all the available formats at once using the -oA command.

> nmap -oA output

The above command will export the scan result in three files — output.xml, output. Nmap and output.gnmap.

Nmap Help

Nmap has a built-in help command that lists all the flags and options you can use. It is often handy given the number of command-line arguments Nmap comes with.

> nmap -h

Nmap Scripting Engine

Nmap Scripting Engine (NSE) is an incredibly powerful tool that you can use to write scripts and automate numerous networking features.

You can find plenty of scripts distributed across Nmap, or write your own script based on your requirements. You can even modify existing scripts using the Lua programming language.

NSE also has attack scripts that are used in attacking the network and various networking protocols.

Going through the scripting engine in-depth would be out-of-scope for this article, so here is more information about the Nmap scripting engine.


Zenmap is a graphical user interface for Nmap. It is a free and open-source software that helps you get up and running with Nmap.

In addition to providing visual network mappings, Zenmap also allows you to save and search your scans for future use.

Zenmap is great for beginners who want to test the capabilities of Nmap without going through a command-line interface.


Nmap is clearly the “Swiss Army Knife” of networking, thanks to its inventory of versatile commands.

It lets you quickly scan and discover essential information about your network, hosts, ports, firewalls, and operating systems.

Nmap has numerous settings, flags, and preferences that help system administrators analyze a network in detail.


[Cyber Security Network Mapping & Port Scanning
If we are to defend, we first need to know what to defend. Asset Management often relies on Network Mapping to identify…]( "")

[What is Nmap and How to Use it - A Tutorial for the Greatest Scanning Tool of All Time
Nmap is the most famous scanning tool used by penetration testers. In this article, we will look at some core features…]( "")

Wanna Say Hi To Me ? Here is my linkedin .

Did you find this article valuable?

Support Cyber Aeronautycs Ltd. Blog by becoming a sponsor. Any amount is appreciated!