
Ultimate Nmap Guide 2026 | Complete Network Scanning Tutorial

by CyberTrick
Tags: nmap, cybersecurity, pentesting, networking, ethical hacking

⚡ Introduction

Nmap (Network Mapper) is the world’s most powerful open-source network discovery and security auditing tool.

Whether you’re a beginner pentester, network admin, bug bounty hunter, or red teamer, mastering Nmap is non-negotiable.

This is the most complete Nmap guide in one place — covering everything from basic commands to advanced NSE scripting, firewall evasion, and real-world workflows.

Based on Nmap 7.98 (August 2025).


Only scan networks you own or have explicit written permission to scan. Unauthorized scanning is illegal.


🔍 What is Nmap?

Nmap sends specially crafted packets to targets and analyzes responses to discover:

  • Live hosts
  • Open / closed / filtered ports
  • Running services + versions
  • Operating systems
  • Firewalls / filters
  • Vulnerabilities (via NSE)

It runs on Linux, Windows, macOS, and more.

Created by Gordon “Fyodor” Lyon (1997) — still actively maintained.


⚙️ Installation (Nmap 7.98)

Linux (Debian/Ubuntu)

BASH
sudo apt update
sudo apt install nmap -y

Linux (Fedora/RHEL)

BASH
sudo dnf install nmap

Windows

macOS

BASH
brew install nmap

Verify installation

BASH
nmap --version

🧠 Basic Command Syntax

BASH
nmap [Scan Type] [Options] [Target]

Target examples:

  • 192.168.1.1
  • example.com
  • 192.168.1.1-100
  • 192.168.1.0/24
  • 192.168.1.1,10.0.0.1

📡 Host Discovery (Ping Sweep)

BASH
nmap -sn 192.168.1.0/24
nmap -sn -PE -PS22,80,443 target

Key options:

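  • -sn → Ping scan only (host discovery, no port scan)
  • -Pn → Skip discovery (treat all hosts as online)
  • -PS / -PA / -PU / -PE → TCP SYN / TCP ACK / UDP / ICMP echo discovery probes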

🚪 Port Scanning Types

  • TCP SYN (-sS) → Fast, stealthy, requires root
  • TCP Connect (-sT) → Medium speed, no root needed
  • UDP (-sU) → Slow, used for DNS/SNMP
  • ACK (-sA) → Firewall rule mapping
  • NULL (-sN) → Stealth scan
  • FIN (-sF) → Similar to NULL
  • Xmas (-sX) → Advanced stealth
  • Idle (-sI) → Extreme stealth (zombie scan)

Example:

BASH
nmap -sS -p 1-1000 192.168.1.1
nmap -sU -p 53,161,162 target

Port states:

  • Open
  • Closed
  • Filtered
  • Unfiltered
  • Open|Filtered

🔎 Service Version Detection

BASH
nmap -sV target
nmap -sV --version-intensity 9 target

🖥️ OS Detection & Fingerprinting

BASH
nmap -O target
nmap -A target

🧩 Nmap Scripting Engine (NSE)

BASH
nmap -sC target
nmap --script vuln target
nmap --script http-title,ssl-cert target

  • vulners → CVE detection (needs -sV)
  • http-enum → Directory brute force
  • ssh-brute → Password guessing
  • smb-vuln-ms17-010 → EternalBlue check

Combined:

BASH
nmap -sV -sC -O target

⚡ Timing, Performance & Evasion

Timing:

  • -T0 → Paranoid
  • -T3 → Default
  • -T5 → Fastest

Evasion:

BASH
nmap -f --mtu 24 -D RND:10 target
nmap --data-length 50 --badsum target
nmap --randomize-hosts --spoof-mac 0 target

Speed optimization:

BASH
nmap -T4 --min-rate 10000 --max-retries 0 target

💾 Output Formats

BASH
nmap -oN scan.txt target
nmap -oX scan.xml target
nmap -oG scan.grep target
nmap -oA scan_all target
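
Of these formats, XML (-oX) is the one intended for machine parsing. As an added example (not part of the original guide), the script below reads a document shaped like scan.xml and lists open or open|filtered ports that are missing from an expected-services allowlist; the sample XML, the EXPECTED allowlist and the function name are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of `nmap -oX` output (not a real scan).
SAMPLE_XML = """<nmaprun scanner="nmap">
  <host><status state="up"/>
    <address addr="192.168.1.10" addrtype="ipv4"/>
    <address addr="00:11:22:33:44:55" addrtype="mac"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="23"><state state="open"/><service name="telnet"/></port>
      <port protocol="tcp" portid="445"><state state="filtered"/><service name="microsoft-ds"/></port>
      <port protocol="udp" portid="161"><state state="open|filtered"/><service name="snmp"/></port>
    </ports>
  </host>
  <host><status state="down"/><address addr="192.168.1.11" addrtype="ipv4"/></host>
</nmaprun>"""

# Hypothetical allowlist: (protocol, port) pairs each host is expected to expose.
EXPECTED = {"192.168.1.10": {("tcp", 22)}}

def unexpected_exposure(xml_text, expected):
    """Return (ip, proto, port, state, service) for ports outside the allowlist."""
    findings = []
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # skip hosts that did not answer discovery
        addr = next((a.get("addr") for a in host.iter("address")
                     if a.get("addrtype") in ("ipv4", "ipv6")), None)
        for port in host.iter("port"):
            state = port.find("state").get("state")
            # "open|filtered" (common for UDP) means Nmap could not decide; review it too.
            if state not in ("open", "open|filtered"):
                continue
            key = (port.get("protocol"), int(port.get("portid")))
            if key in expected.get(addr, set()):
                continue
            svc = port.find("service")
            name = svc.get("name", "unknown") if svc is not None else "unknown"
            findings.append((addr, key[0], key[1], state, name))
    return findings

if __name__ == "__main__":
    for f in unexpected_exposure(SAMPLE_XML, EXPECTED):
        print("%s %s/%d %s (%s)" % f)
```

On a real scan, replace SAMPLE_XML with the contents of the file written by -oX or -oA.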

🖥️ Zenmap (GUI)

Zenmap allows you to:

  • Save scan profiles
  • Visualize networks
  • Compare results

🚀 Aggressive Scan (-A)

BASH
nmap -A -T4 -v target

Includes:

  • OS detection
  • Version detection
  • Script scanning
  • Traceroute

🔥 Real-World Examples

Network sweep:

BASH
nmap -sn -T4 192.168.1.0/24

Web server audit:

BASH
nmap -sV -sC --script vuln -p 80,443 example.com

Find vulnerabilities:

BASH
nmap --script vulners -sV target

Idle scan:

BASH
nmap -sI zombie_ip target


✅ Best Practices & Troubleshooting

✔️ Do:

  • Use -v or -vv to increase verbosity
  • Start with -sn to discover live hosts
  • Always save results using -oA
  • Keep the NSE script database updated (this rebuilds the script index after scripts are added or changed)

BASH
nmap --script-updatedb

❌ Don’t:

  • Never scan networks without permission
  • Avoid using -T5 on large networks (can overwhelm systems)
  • Do not rely heavily on UDP scans unless necessary

⚠️ Common Errors:

  • Permission denied → Run with sudo
  • No route to host → Use -Pn
  • Slow scans → Increase speed using -T4 or --min-rate

🧠 Conclusion

You now have a complete understanding of Nmap — from basic host discovery to advanced evasion techniques and scripting.

Nmap is the foundation of every:

  • Pentest
  • Red team engagement
  • Network audit

Practice regularly using:

  • TryHackMe
  • HackTheBox
  • Your own lab

👉 This guide is your Nmap reference for life.



Mohammed Ahmed
Computer Engineer | Founder of CyberTrick.org
mohammed@cybertrick.org