Nmap: Host Discovery, Ports, Services, OS & Basic Vulnerability Checks
Essential Nmap commands for host discovery, TCP/UDP port scans, service/OS detection, and basic vulnerability checks via NSE.
Host Discovery (no port scan)
- Ping sweep (ICMP/ARP depending on the network)
  nmap -sn 192.168.1.0/24
- ARP discovery (recommended on the local VLAN)
  nmap -PR -sn 192.168.1.0/24
- List scan (sends no probes to the targets; lists IPs only)
  nmap -sL 192.168.1.0/24
Note: adjust the IP range (e.g., 192.168.1.0/24) to your VLAN and subnetting.
Port Scanning
- TCP SYN scan (fast, relatively stealthy)
  nmap -sS <target IP address>
- UDP scan (slower; useful for DNS, SNMP, etc.)
  nmap -sU <target IP address>
- Specific ports (TCP/UDP)
  nmap -p 80,443,8080 <target IP address>
- Fast scan (most common ports)
  nmap -F <target IP address>
Service & Version Detection
- Identify running services and their versions
  nmap -sV <target IP address>
Operating System Detection
- OS detection (may require elevated privileges)
  nmap -O <target IP address>
Combined Scans (OS + Services)
- SYN + OS on a network range
  nmap -sS -O 192.168.1.0/24
- Aggressive scan (ports + OS + versions + basic scripts)
  nmap -A <target IP address>
Vulnerability Checks (NSE)
- Run vulnerability detection scripts
  nmap --script vuln <target IP address>
  Executes the available NSE scripts in the vuln category to flag known issues (results must be reviewed and validated).
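As an added example (not from the original cheat sheet), the POSIX shell script below chains the host-discovery sweep into a version scan of only the hosts found up, then extracts the open ports from nmap's grepable (-oG) output so the results can be reviewed and validated. The function names are mine, nmap on PATH is assumed for the two scan stages, and the embedded -oG text is constructed sample data.

```shell
#!/bin/sh
# Added example, not part of the original cheat sheet: chain the host-discovery
# sweep into a service scan of only the live hosts, then pull the open ports out
# of nmap's grepable (-oG) output for review. Assumes nmap is on PATH for the two
# scan stages; the -oG text at the bottom is constructed sample data.

# Stage 1: discovery only (no port scan), grepable output on stdout.
discover_hosts() {            # usage: discover_hosts 192.168.1.0/24 > disc.gnmap
    nmap -sn -oG - "$1"
}

# Keep just the IPs of hosts that -oG reports as Up (reads -oG text on stdin).
up_hosts() {
    awk '/^Host:/ && /Status: Up/ { print $2 }'
}

# Stage 2: version scan limited to the live hosts (reads one IP per line on stdin).
scan_services() {             # usage: up_hosts < disc.gnmap | scan_services > svc.gnmap
    nmap -sV -oG - -iL -
}

# One "ip port/proto service version" line per open port, from -oG text on stdin.
# -oG fields are tab-separated; each Ports: entry is
# port/state/proto/owner/service/rpcinfo/version/ so split("/") gives f[1], f[2], ...
open_ports() {
    awk 'BEGIN { FS = "\t" }
    /^Host:/ && /Ports:/ {
        split($1, h, " "); ip = h[2]
        for (i = 2; i <= NF; i++) if ($i ~ /^Ports:/) {
            sub(/^Ports: /, "", $i); n = split($i, p, ", ")
            for (j = 1; j <= n; j++) {
                split(p[j], f, "/")
                if (f[2] == "open") printf "%s %s/%s %s %s\n", ip, f[1], f[3], f[5], f[7]
            }
        }
    }'
}

# Constructed sample -oG output (same layout nmap writes; not a real scan).
SAMPLE_DISCOVERY=$(printf 'Host: 192.168.1.10 ()\tStatus: Up\nHost: 192.168.1.11 ()\tStatus: Down\nHost: 192.168.1.12 ()\tStatus: Up\n')
SAMPLE_SERVICES=$(printf 'Host: 192.168.1.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/open/tcp//http//nginx 1.18.0/, 443/closed/tcp//https///\tIgnored State: closed (997)\n')

# Demo on the sample data (no packets sent): live hosts, then open ports to review.
printf '%s\n' "$SAMPLE_DISCOVERY" | up_hosts
printf '%s\n' "$SAMPLE_SERVICES" | open_ports
```

For a real run, `discover_hosts 192.168.1.0/24 | up_hosts | scan_services | open_ports` produces the review list directly; the closed port in the sample is dropped on purpose.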
Stealth Scans (basic evasion)
nmap -sN <target IP address>  # Null
nmap -sF <target IP address>  # FIN
nmap -sX <target IP address>  # Xmas
Send atypical packets to try to bypass certain filters. Use with caution and proper authorization.
Important Reminders
- Always adapt IP ranges to your network (/24, /23, etc.).
- Scan only systems for which you have explicit authorization.
- UDP scans and OS detection can be slower and may require elevated privileges.
