Ethical Hacking #Nmap #network scanning #beginners

Nmap for Beginners: Essential Flags, Scan Types, and Output

Learn Nmap scanning essentials: SYN scans, UDP scans, service detection, and how to read output files for network reconnaissance.


Nmap (Network Mapper) is one of the most essential tools in a security professional’s toolkit. Whether you’re a hobbyist learning cybersecurity or a junior penetration tester, understanding Nmap is non-negotiable. This guide will walk you through the fundamentals: how to use it, what the scans do, and how to interpret the results.

What Is Nmap?

Nmap is a free, open-source network scanner that discovers hosts and services on a network by sending packets and analyzing responses. It can identify:

  • Open, closed, and filtered ports
  • Running services and their versions
  • Operating system fingerprints
  • Firewall behavior
  • Live hosts on a network

Always remember: only scan networks you own or have explicit written permission to test. Unauthorized network scanning is illegal.

Installing Nmap

On Linux (Debian/Ubuntu):

sudo apt update
sudo apt install nmap

On macOS (Homebrew):

brew install nmap

On Windows: Download the installer from https://nmap.org/download.html

Verify installation:

nmap --version

Basic Nmap Syntax

nmap [scan type] [options] [target]

Examples of targets:

  • Single host: 192.168.1.1
  • IP range: 192.168.1.1-50
  • Subnet: 192.168.1.0/24
  • Hostname: example.com

Scan Types (The Core Difference)

SYN Scan (-sS) - The Stealthy Standard

The most popular and fastest scan. It sends a SYN, reads the reply, and never completes the TCP three-way handshake, so no full connection is ever established; because many applications only log completed connections, the probe is less detectable. It needs raw-socket access, which on Unix means root.

nmap -sS 192.168.1.100

What it does: Sends a SYN to each port and classifies it by the reply: a SYN-ACK means open, a RST means closed, and no reply (or an ICMP unreachable) means filtered. When a SYN-ACK comes back, Nmap answers with a RST instead of the final ACK, so the handshake is never completed.

TCP Connect Scan (-sT)

Completes the full three-way handshake. Slower but doesn’t require root privileges on Unix systems.

nmap -sT 192.168.1.100

UDP Scan (-sU)

Scans UDP ports instead of TCP. Slower because UDP is connectionless: an open port usually sends no reply at all, so Nmap must wait for timeouts and retransmit, and many systems rate-limit the ICMP port unreachable messages that identify closed ports.

nmap -sU 192.168.1.100

Ping Scan (-sn)

Discovers live hosts without port scanning. Useful for network mapping before detailed scans.

nmap -sn 192.168.1.0/24

Critical Flags

Flag   Purpose                                         Example
-p     Port specification                              nmap -p 80,443 192.168.1.1
-p-    All 65535 ports                                 nmap -p- 192.168.1.1
-sV    Service version detection                       nmap -sV 192.168.1.1
-O     OS detection                                    nmap -O 192.168.1.1
-A     Aggressive (OS, version, script, traceroute)    nmap -A 192.168.1.1
-T4    Timing template (0-5, higher is faster)         nmap -T4 192.168.1.1
-oN    Output to normal file                           nmap -oN output.txt 192.168.1.1
-oX    Output to XML file                              nmap -oX output.xml 192.168.1.1

Practical Examples

Quick scan of common ports with version detection:

nmap -sS -sV 192.168.1.100

Scan all ports with OS detection (will take longer):

nmap -p- -O 192.168.1.100

Scan a subnet, find live hosts only:

nmap -sn 192.168.1.0/24

Scan specific ports, save to file:

nmap -p 22,80,443,3306,5432 -sV 192.168.1.100 -oN scan_results.txt

Aggressive scan with script scanning:

nmap -A -sS 192.168.1.100 -oX results.xml

Understanding Nmap Output

When you run a scan, you’ll see output like this:

Nmap scan report for 192.168.1.100
Host is up (0.0024s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.4 (protocol 2.0)
80/tcp   open  http    Apache httpd 2.4.6
443/tcp  open  https   Apache httpd 2.4.6

Key terms:

  • Open: Service is actively listening and accepting connections.
  • Closed: Port responds but no service is listening.
  • Filtered: Firewall is blocking; Nmap can’t determine if open or closed.
  • Unfiltered: Port is reachable (no firewall in the way), but this scan type can't tell whether it's open or closed; Nmap reports this state only for ACK scans (-sA).

Output Formats

Nmap supports multiple output formats for analysis:

Normal output (human-readable):

nmap 192.168.1.100 -oN results.txt

XML output (for parsing and tools):

nmap 192.168.1.100 -oX results.xml

Grepable output (for command-line processing):

nmap 192.168.1.100 -oG results.gnmap

All formats at once:

nmap 192.168.1.100 -oA results

This creates results.nmap, results.xml, and results.gnmap.
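Reading archived results back is where the XML format pays off. The following added example (not Nmap's own code and not part of the original article) parses a constructed -oX sample shaped like the scan report shown above using only Python's standard library, lists a host's open ports with their detected versions, and diffs two saved scans to flag ports that have newly opened, which is how a defender uses a stored baseline. The sample XML and the function names are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like the -oX output for the scan in this
# article (not a real capture); real files carry more attributes.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sV -oX results.xml 192.168.1.100">
<host><status state="up"/><address addr="192.168.1.100" addrtype="ipv4"/>
<ports><extraports state="closed" count="997"/>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
<service name="ssh" product="OpenSSH" version="7.4"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
<service name="http" product="Apache httpd" version="2.4.6"/></port>
<port protocol="tcp" portid="8080"><state state="filtered" reason="no-response"/>
</port></ports></host></nmaprun>"""


def parse_nmap_xml(xml_text):
    """Return {ip: {(port, proto): (state, service, product, version)}}."""
    hosts = {}
    for host in ET.fromstring(xml_text).findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # down hosts carry no port table worth reading
        ip = host.find("address").get("addr")
        table = {}
        for port in host.findall("ports/port"):
            svc = port.find("service")
            attrs = svc.attrib if svc is not None else {}  # -sV may find nothing
            table[(int(port.get("portid")), port.get("protocol"))] = (
                port.find("state").get("state"),
                attrs.get("name", ""), attrs.get("product", ""), attrs.get("version", ""),
            )
        hosts[ip] = table
    return hosts


def open_ports(table):
    """Sorted port numbers in state 'open' only; filtered and closed are dropped."""
    return sorted(p for (p, _), (state, *_) in table.items() if state == "open")


def newly_open(baseline_xml, current_xml):
    """Ports open in the current archive that were not open in the baseline."""
    before = parse_nmap_xml(baseline_xml)
    after = parse_nmap_xml(current_xml)
    return {ip: sorted(set(open_ports(table)) - set(open_ports(before.get(ip, {}))))
            for ip, table in after.items()}
```

Point the two functions at the files -oA leaves behind (results.xml from successive runs) to turn an archive of scans into a change report rather than a pile of text files.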

Best Practices for Beginners

  1. Start with simple scans: Begin with -sS -sV before moving to aggressive flags.
  2. Use appropriate timing: -T3 or -T4 balances speed and accuracy. Avoid -T5, which can produce false positives.
  3. Save all results: Always export with -oX for archiving and later review.
  4. Understand your target: Know whether it’s a test lab or production network.
  5. Check for IDS/IPS: If your host times out or behaves strangely, you may have triggered detection.

Next Steps

Once comfortable with basic scanning, explore:

  • NSE scripts (-sC) for vulnerability detection
  • Nmap Scripting Engine for custom logic
  • Output parsing with tools like searchsploit and metasploit

Nmap is your reconnaissance foundation. Master it, and you’ll have a skill that applies to every network you legitimately test.

Happy scanning — ethically!
