JT
August 1 2025
Updated August 1 2025

How can I scan the network using Nmap?

Linux Security Windows

Nmap is one of the most powerful tools for scanning open ports, analyzing services, and diagnosing a network. It is used both by system administrators for auditing and by intruders for reconnaissance. In this guide, we will look at the basic commands, as well as non-standard and suspicious scanning methods that can be detected by monitoring tools.


Installing Nmap

Debian/Ubuntu:

sudo apt update && sudo apt install nmap

CentOS/RHEL:

sudo yum install nmap

macOS (Homebrew):

brew install nmap

Windows:
Download the installer from the website nmap.org/download.html

Basic TCP scan

Scanning TCP ports (by default, the 1000 most popular ports):

nmap 192.168.1.1

To scan the entire range of TCP ports (0-65535):

nmap -p- 192.168.1.1

Subnet scan

To scan the entire subnet /24:

nmap 192.168.1.0/24

With the -T4 timing option to speed up the scan:

nmap -T4 192.168.1.0/24

UDP port scanning

UDP ports are less visible, but more difficult to scan:

nmap -sU 192.168.1.1

To speed up, you can limit the range:

nmap -sU -p 53,67,123 192.168.1.1

Aggressive and detailed scanning

To get information about the versions of services, OS, and scripts:

nmap -A 192.168.1.1

This combination includes:

  • OS detection
  • Version detection
  • Script scanning
  • Traceroute

To save the results:

nmap -oN result.txt 192.168.1.1

Active and hidden scanning methods

Some types of scanning are used to bypass intrusion detection systems (IDS) or firewalls. The following are the key techniques:

SYN scan ("half-open")

A fast and frequently used method:

nmap -sS 192.168.1.1

It usually requires root access. Many IDS solutions monitor such connections.

TCP Null Scan

Sends TCP packets with no flags set, which can bypass filters:

nmap -sN 192.168.1.1

Many systems interpret this as an anomaly.

FIN Scan

Sends a FIN (connection close) packet without an established connection; works against some operating systems:

nmap -sF 192.168.1.1

Xmas Scan

Sends packets with the FIN, PSH and URG TCP flags "lit up":

nmap -sX 192.168.1.1

It is often used by intruders. Such packets can be tracked using tools like iptables or Snort.

Scanning with source substitution

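To hide your identity or bypass filters, -S sets the source address placed in the packets and -e selects the interface to send from:

nmap -S <source_IP> -e eth0 192.168.1.1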

With the -D (decoy) option, the scan appears to come from other addresses as well as your own (ME):

nmap -D 192.168.1.5,192.168.1.10,ME 192.168.1.1

ICMP Ping Sweep

To check the availability of hosts:

nmap -sn 192.168.1.0/24

For multiple ICMP types:

nmap -PE -PP -PM 192.168.1.0/24
  • -PE: Echo request
  • -PP: Timestamp
  • -PM: Netmask

A large number of such requests may be detected by the monitoring system as suspicious activity.

Packet fragmentation

To bypass filters and firewalls:

nmap -f 192.168.1.1

This splits packets into small fragments, which may disrupt the operation of some IDS.

How to track such scans

  • Use Snort or Suricata for detecting unusual TCP flags.
  • iptables or firewalld logs allow you to track SYN floods and strange connections.
  • For UDP, it is better to use system counters, as responses are rare.
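
One way to apply the flag-based tracking described above, as an added example that is not part of the original guide: a Python script that classifies NULL, FIN and Xmas packets and SYN port sweeps from iptables LOG lines. It assumes a LOG rule already records inbound TCP packets; the sample lines, the addresses and the 10-port threshold are constructed for illustration.

```python
import re
from collections import defaultdict

FLAG_NAMES = {"CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN"}
# Flag combinations sent by the scan types covered in this guide.
SCAN_TYPES = {
    frozenset(): "NULL scan (-sN)",
    frozenset({"FIN"}): "FIN scan (-sF)",
    frozenset({"FIN", "PSH", "URG"}): "Xmas scan (-sX)",
}
FIELD = re.compile(r"\b(SRC|DPT|PROTO)=(\S+)")
SYN_PORT_THRESHOLD = 10  # assumed: distinct ports per source before a sweep is reported

def parse(line):
    """Return (src, dport, flags) for a TCP LOG line, or None for anything else."""
    fields = dict(FIELD.findall(line))
    if fields.get("PROTO") != "TCP" or "SRC" not in fields or "DPT" not in fields:
        return None
    # In the LOG format the set flags are bare words between RES=... and URGP=...
    tail = line.split("RES=", 1)[-1].split()
    flags = frozenset(word for word in tail if word in FLAG_NAMES)
    return fields["SRC"], int(fields["DPT"]), flags

def detect(lines):
    """Map each source IP to the sorted list of scan types it appears to run."""
    findings, syn_ports = defaultdict(set), defaultdict(set)
    for line in lines:
        record = parse(line)
        if record is None:
            continue
        src, dport, flags = record
        if flags in SCAN_TYPES:
            findings[src].add(SCAN_TYPES[flags])
        elif flags == {"SYN"}:
            syn_ports[src].add(dport)  # one SYN is normal; many ports is a sweep
    for src, ports in syn_ports.items():
        if len(ports) >= SYN_PORT_THRESHOLD:
            findings[src].add("SYN port sweep")
    return {src: sorted(kinds) for src, kinds in findings.items()}

def make_line(src, dpt, flags):
    """Build a constructed log line in the iptables LOG layout."""
    return (f"kernel: IN=eth0 OUT= SRC={src} DST=192.168.1.1 LEN=40 TTL=45 "
            f"PROTO=TCP SPT=40000 DPT={dpt} WINDOW=1024 RES=0x00 {flags} URGP=0")

# Constructed sample: one sweep, three odd-flag probes, one ordinary client.
SAMPLE_LOG = [make_line("192.168.1.50", p, "SYN") for p in range(20, 32)] + [
    make_line("192.168.1.51", 22, "URG PSH FIN"), make_line("192.168.1.52", 80, ""),
    make_line("192.168.1.53", 443, "FIN"), make_line("192.168.1.20", 443, "SYN"),
    make_line("192.168.1.20", 443, "ACK PSH")]

if __name__ == "__main__":
    for source, kinds in detect(SAMPLE_LOG).items():
        print(source, ", ".join(kinds))
```

A lone FIN is treated as anomalous because a normal connection close carries FIN together with ACK.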

Nmap is a powerful tool for testing network security. However, its capabilities can be used both for good and for harm. If you are protecting the network, it is important not only to be able to scan, but also to know how to detect potential reconnaissance from the outside.
