# Quick Overview

Nmap (Network Mapper) is the industry-standard, open-source utility for network discovery, security auditing, and penetration testing.

- Architecture: Written in C++. Leverages libpcap (raw packet capture), libdnet (low-level network routing/interfaces), and nsock (parallel, asynchronous socket handling).
- Core Capabilities: Network inventory, shadow IT discovery, lightweight vulnerability assessment, firewall/IDS evasion, and strict security auditing.
- Target Audience: Pentesters, Red Teams, Blue Teams, DevSecOps, and System Administrators.

# Grouped Command References

## 1. Core Scanning & Discovery

| Command | Description | Technical Context / Privilege |
|---|---|---|
| `sudo nmap -sS <target>` | TCP SYN Scan (Stealth) | Requires root. Sends SYN, waits for SYN/ACK (open) or RST (closed). Tears down with RST before the 3-way handshake completes to evade application logging. |
| `nmap -A <target>` | Aggressive Scan | Enables OS detection (-O), version detection (-sV), default script scanning (-sC), and traceroute. Highly noisy. |

## 2. Enumeration & Fingerprinting

| Command | Description | Technical Context / Privilege |
|---|---|---|
| `sudo nmap -O <target>` | OS Detection | Uses TCP/IP stack fingerprinting. Sends up to 13 crafted TCP/UDP/ICMP probes. Analyzes ISN predictability, TCP options, and IP ID sampling. |
| `nmap -sV <target>` | Version Detection | Interrogates open ports with protocol-specific probes. Matches responses against nmap-service-probes to determine the exact application/version. |
| `sudo nmap -sS -sV -O <target>` | Comprehensive Enum | Combines SYN stealth scanning, service versioning, and OS fingerprinting into a single execution. |

## 3. Nmap Scripting Engine (NSE)

| Command | Description | Technical Context / Privilege |
|---|---|---|
| `nmap --script vuln <target>` | Broad Vuln Scan | Executes all Lua scripts in the vuln category. Ideal for lightweight vulnerability assessments without a full VM suite. |
| `nmap -p 139,445 --script smb-vuln* <target>` | Targeted Vuln Scan | Executes specific script families (e.g., SMB) against targeted ports. Useful for detecting specific CVEs (e.g., MS17-010 EternalBlue). |
| `nmap --script safe,discovery <target>` | Safe Enumeration | Runs non-intrusive scripts to map topologies and discover services without crashing targets or triggering alarms. |

## 4. Evasion & Performance Tuning

| Command | Description | Technical Context / Privilege |
|---|---|---|
| `nmap -f <target>` | Packet Fragmentation | Splits IP packets into smaller fragments to bypass strict packet filters and legacy Intrusion Detection Systems (IDS). |
| `nmap -D 10.0.0.1,ME <target>` | Decoy Scanning | Spoofs source IPs. The target logs scans from the decoy IPs alongside your actual IP (ME), obscuring the true source. |
| `nmap -T4 <target>` | Timing Template | Adjusts scan speed, from T0 (paranoid/slowest) to T5 (insane/fastest). T4 is the standard recommendation for fast, reliable local network scans. |
# Advanced Configurations / Tricks

## TCP SYN Scan Mechanics (-sS)

- The "Half-Open" Technique: Bypasses the standard TCP handshake.
- Execution Flow: Attacker [SYN] -> Target | Target [SYN/ACK] -> Attacker | Attacker [RST] -> Target.
- Advantage: Because the connection is never fully established, most application-level logs (e.g., Apache, IIS) will not record the interaction, providing a layer of stealth. Note that this only applies to application logs: the SYN, SYN/ACK and RST packets themselves are still visible to network sensors, firewalls and flow logs.

## OS Fingerprinting Internals (-O)

- Database Matching: Compares probe responses against the nmap-os-db database, which contains >2,600 known OS fingerprints.
- Data Points Analyzed: TCP Initial Sequence Number (ISN) generation patterns, TCP options ordering, IP ID sampling, and TCP window sizes.

## Nmap Scripting Engine (NSE) Architecture

- Language: Lua-based framework that bridges Nmap's C++ internals via a dedicated API.
- Execution: Scripts run in parallel for high performance.
- Categorization: Scripts are organized into categories. Use `--script <category>` to target specific operational needs:
  - safe: Won't affect target stability.
  - intrusive: High risk of crashing the target or generating massive noise.
  - vuln: Checks for specific known vulnerabilities.
  - exploit: Actively attempts to exploit a vulnerability.
  - discovery: Aggressively maps network internals and service registries.
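The half-open flow described above (SYN, SYN/ACK, RST) is exactly what a network sensor can key on even though application logs stay empty. The following is an added example, not part of the original cheat sheet: a small Python detector that tracks TCP flows from constructed packet records and flags sources that probe several ports without ever completing a handshake. The packet list, addresses and the `min_ports` threshold are all assumptions made for the example.

```python
from collections import defaultdict

# Constructed packet records (src, dst, sport, dport, tcp_flags), not captured traffic.
# 10.0.0.5 half-opens ports 22 and 80 (SYN -> SYN/ACK -> RST) and hits closed 443
# (SYN -> RST/ACK); 10.0.0.7 is a normal client that completes the handshake on 80.
PACKETS = [
    ("10.0.0.5", "192.168.1.10", 40001, 22, "S"),
    ("192.168.1.10", "10.0.0.5", 22, 40001, "SA"),
    ("10.0.0.5", "192.168.1.10", 40001, 22, "R"),
    ("10.0.0.5", "192.168.1.10", 40002, 80, "S"),
    ("192.168.1.10", "10.0.0.5", 80, 40002, "SA"),
    ("10.0.0.5", "192.168.1.10", 40002, 80, "R"),
    ("10.0.0.5", "192.168.1.10", 40003, 443, "S"),
    ("192.168.1.10", "10.0.0.5", 443, 40003, "RA"),
    ("10.0.0.7", "192.168.1.10", 50001, 80, "S"),
    ("192.168.1.10", "10.0.0.7", 80, 50001, "SA"),
    ("10.0.0.7", "192.168.1.10", 50001, 80, "A"),
]


def half_open_probes(packets):
    """Return {client: {server_port, ...}} for flows that never became a real
    connection: SYN answered by SYN/ACK and then torn down by the client with RST
    (the -sS pattern), or SYN answered by RST/ACK (closed port)."""
    state = {}                     # (client, server, client_port, server_port) -> step
    probes = defaultdict(set)
    for src, dst, sport, dport, flags in packets:
        if flags == "S":           # client opens a flow
            state[(src, dst, sport, dport)] = "syn"
        elif flags in ("SA", "RA"):  # server reply: re-key from the client's side
            key = (dst, src, dport, sport)
            if state.get(key) == "syn":
                if flags == "SA":
                    state[key] = "synack"
                else:              # closed port: still evidence of a probe
                    state[key] = "closed"
                    probes[dst].add(sport)
        else:                      # client's third packet decides the outcome
            key = (src, dst, sport, dport)
            if state.get(key) == "synack":
                if flags == "R":   # handshake aborted: half-open scan signature
                    state[key] = "half_open"
                    probes[src].add(dport)
                elif flags == "A":
                    state[key] = "established"
    return probes


def flag_scanners(packets, min_ports=3):
    """Sources that probed at least min_ports distinct ports without completing a handshake."""
    return sorted(c for c, ports in half_open_probes(packets).items() if len(ports) >= min_ports)
```

Because a decoy scan (`-D`) produces this same pattern from every decoy address, the detector reports apparent sources only; which of them is the real origin cannot be settled from the half-open pattern alone.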