Nmap is one of the most powerful tools for scanning open ports, analyzing services, and diagnosing a network. It is used by both system administrators for auditing and intruders for intelligence purposes. In this guide, we will look at the basic commands, as well as non-standard and suspicious scanning methods that can be detected by monitoring tools.
Installing Nmap
Debian/Ubuntu:
sudo apt update && sudo apt install nmapCentOS/RHEL:
sudo yum install nmapmacOS (Homebrew):
brew install nmapWindows:
Download the installer from the website nmap.org/download.html
Basic TCP scan
Scanning of all TCP ports (1000 popular ports by default):
nmap 192.168.1.1To scan the entire range of TCP ports (0-65535):
nmap -p- 192.168.1.1Subnet scan
To scan the entire subnet /24:
nmap 192.168.1.0/24With the acceleration option:
nmap -T4 192.168.1.0/24UDP port scanning
UDP ports are less visible, but more difficult to scan:
nmap -sU 192.168.1.1To speed up, you can limit the range:
nmap -sU -p 53,67,123 192.168.1.1Aggressive and detailed scanning
To get information about the versions of services, OS, and scripts:
nmap -A 192.168.1.1This combination includes:
- OS detection
- Version detection
- Script scanning
- Traceroute
To save the results:
nmap -oN result.txt 192.168.1.1Active and hidden scanning methods
Some types of scanning are used to bypass intrusion detection systems (IDS) or firewalls. The following are the key techniques:
SYN scan ("half-open")
A fast and frequently used method:
nmap -sS 192.168.1.1It usually requires root access. Many IDS solutions monitor such connections.
TCP Null Scan
Sending TCP packets without flags — can bypass filters:
nmap -sN 192.168.1.1Many systems interpret this as an anomaly.
FIN Scan
Closing the connection without installation — works against some OS:
nmap -sF 192.168.1.1Xmas Scan
Uses "highlighted" TCP flags (FIN, PSH, URG):
nmap -sX 192.168.1.1It is often used by intruders. Such packets can be tracked using tools like iptables or Snort.
Scanning with source substitution
To hide your identity or bypass filters:
nmap -S -e eth0 192.168.1.1 In combination with the -D (soundboard) option, you can disguise yourself as other addresses.:
nmap -D 192.168.1.5,192.168.1.10,ME 192.168.1.1ICMP Ping Sweep
To check the availability of hosts:
nmap -sn 192.168.1.0/24For multiple ICMP types:
nmap -PE -PP -PM 192.168.1.0/24- -PE: Echo request
- -PP: Timestamp
- -PM: Netmask
A large number of such requests may be detected by the monitoring system as suspicious activity.
Packet fragmentation
To bypass filters and firewalls:
nmap -f 192.168.1.1Divides packages into small parts — it may disrupt the operation of some IDS.
How to track such scans
- Use Snort or Suricata for detecting unusual TCP flags.
- iptables or firewalld logs allow you to track SYN floods and strange connections.
- For UDP, it is better to use system counters, as responses are rare.
Nmap is a powerful tool for testing network security. However, its capabilities can be used both for good and for harm. If you are protecting the network, it is important not only to be able to scan, but also to know how to detect potential intelligence from the outside.
