01.08.2025

How can I scan the network using Nmap?

Nmap is one of the most powerful tools for scanning open ports, identifying services, and diagnosing a network. It is used both by system administrators for auditing and by attackers for reconnaissance. In this guide we look at the basic commands, as well as non-standard and suspicious scanning methods that monitoring tools can detect.


Installing Nmap

Debian/Ubuntu:

sudo apt update && sudo apt install nmap

CentOS/RHEL:

sudo yum install nmap

macOS (Homebrew):

brew install nmap

Windows:
Download the installer from the website nmap.org/download.html

Basic TCP scan

Scanning TCP ports (by default Nmap checks the 1000 most common ports):

nmap 192.168.1.1

To scan the entire range of TCP ports (0-65535):

nmap -p- 192.168.1.1

Subnet scan

To scan the entire subnet /24:

nmap 192.168.1.0/24

With a faster timing template:

nmap -T4 192.168.1.0/24

UDP port scanning

UDP ports are less visible, but they are harder to scan:

nmap -sU 192.168.1.1

To speed up, you can limit the range:

nmap -sU -p 53,67,123 192.168.1.1

Aggressive and detailed scanning

To get information about the versions of services, OS, and scripts:

nmap -A 192.168.1.1

This combination includes OS detection (-O), service version detection (-sV), the default script set (-sC) and traceroute (--traceroute).

To save the results:

nmap -oN result.txt 192.168.1.1
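A saved result.txt is most useful when it is compared against what each host is supposed to expose. The following Python script is an added example written for this guide (it is not part of the original article or of Nmap itself): it parses the "normal" (-oN) output format, extracts the port table for every host, and reports open ports that are missing from a baseline, expected services that are no longer open, and cleartext services. The scan text, the baseline (EXPECTED_OPEN) and the cleartext list are constructed for illustration.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample of Nmap "normal" (-oN) output, written to mimic a result.txt
# produced by the command above. It is illustration data, not a real scan.
SAMPLE_RESULT = """\
# Nmap 7.94 scan initiated Fri Aug  1 10:00:00 2025 as: nmap -A -oN result.txt 192.168.1.0/24
Nmap scan report for 192.168.1.1
Host is up (0.0021s latency).
Not shown: 995 closed tcp ports (reset)
PORT     STATE    SERVICE    VERSION
22/tcp   open     ssh        OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 (Ubuntu Linux; protocol 2.0)
80/tcp   open     http       nginx 1.18.0
443/tcp  open     https      nginx 1.18.0
3306/tcp open     mysql      MySQL 8.0.36
8080/tcp filtered http-proxy

Nmap scan report for printer.lan (192.168.1.20)
Host is up (0.0040s latency).
Not shown: 999 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
23/tcp open  telnet  Linux telnetd

# Nmap done at Fri Aug  1 10:01:30 2025 -- 256 IP addresses (2 hosts up) scanned in 90.12 seconds
"""

# "Nmap scan report for 192.168.1.1" or "Nmap scan report for name (192.168.1.1)"
HOST_RE = re.compile(
    r"^Nmap scan report for (?:(?P<name>\S+) \()?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)?\s*$"
)
# "22/tcp   open   ssh   OpenSSH 8.9p1 ..." (the VERSION column is optional)
PORT_RE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)(?:\s+(?P<version>.*))?$"
)


def parse_normal_output(text: str) -> Dict[str, List[dict]]:
    """Return {ip: [port records]} for every host block in -oN output."""
    hosts: Dict[str, List[dict]] = {}
    current = None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = m.group("ip")
            hosts[current] = []
            continue
        m = PORT_RE.match(line)
        if m and current is not None:
            hosts[current].append({
                "port": int(m.group("port")),
                "proto": m.group("proto"),
                "state": m.group("state"),
                "service": m.group("service"),
                "version": (m.group("version") or "").strip(),
            })
    return hosts


# Constructed baseline: the open ports each host is supposed to expose.
EXPECTED_OPEN: Dict[str, Set[Tuple[str, int]]] = {
    "192.168.1.1": {("tcp", 22), ("tcp", 80), ("tcp", 443)},
    "192.168.1.20": set(),
}

# Services that should not be reachable in cleartext even if a baseline lists them.
CLEARTEXT_SERVICES = {"telnet", "ftp"}


def audit(hosts: Dict[str, List[dict]], expected) -> List[Tuple[str, str, int, str]]:
    """Compare scan results with the baseline; return (ip, proto, port, finding) tuples."""
    findings: List[Tuple[str, str, int, str]] = []
    for ip, records in hosts.items():
        open_ports = {(r["proto"], r["port"]) for r in records if r["state"] == "open"}
        allowed = expected.get(ip, set())
        for proto, port in sorted(open_ports - allowed):
            findings.append((ip, proto, port, "open port not in baseline"))
        for proto, port in sorted(allowed - open_ports):
            findings.append((ip, proto, port, "expected service not open"))
        for r in records:
            if r["state"] == "open" and r["service"] in CLEARTEXT_SERVICES:
                findings.append((ip, r["proto"], r["port"], f"cleartext service: {r['service']}"))
    return findings


if __name__ == "__main__":
    for finding in audit(parse_normal_output(SAMPLE_RESULT), EXPECTED_OPEN):
        print(finding)
```

Run it against a real result.txt by reading the file into parse_normal_output; filtered ports are parsed but deliberately ignored by the audit, since only open ports change the exposure of a host.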

Active and hidden scanning methods

Some types of scanning are used to bypass intrusion detection systems (IDS) or firewalls. The following are the key techniques:

SYN scan ("half-open")

A fast and frequently used method:

nmap -sS 192.168.1.1

It usually requires root access. Many IDS solutions monitor such connections.

TCP Null Scan

Sends TCP packets with no flags set, which can slip past some filters:

nmap -sN 192.168.1.1

Many systems interpret this as an anomaly.

FIN Scan

Sends a FIN without first establishing a connection; works against some operating systems:

nmap -sF 192.168.1.1

Xmas Scan

Sets the FIN, PSH and URG flags at once (the packet is "lit up" like a Christmas tree):

nmap -sX 192.168.1.1

It is often used by intruders. Such packets can be tracked using tools like iptables or Snort.

Scanning with a spoofed source address

To hide your identity or bypass filters (-S takes the source address to use and -e the interface to send from; the address below is a placeholder):

nmap -S <spoofed-source-IP> -e eth0 192.168.1.1

In combination with the -D (decoy) option, you can hide among other addresses:

nmap -D 192.168.1.5,192.168.1.10,ME 192.168.1.1

ICMP Ping Sweep

To check the availability of hosts:

nmap -sn 192.168.1.0/24

For multiple ICMP types:

nmap -PE -PP -PM 192.168.1.0/24

A large number of such requests may be flagged by a monitoring system as suspicious activity.

Packet fragmentation

To bypass filters and firewalls:

nmap -f 192.168.1.1

Splits packets into small fragments; this can disrupt some IDS.

How to track such scans

Nmap is a powerful tool for testing network security, but its capabilities can be used both for good and for harm. If you are protecting a network, it is important not only to be able to scan, but also to know how to detect potential reconnaissance from outside.
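The scan types described above (SYN, Null, FIN, Xmas, ping sweep) each leave a recognisable trace in firewall logs, and the previous section mentions iptables and Snort as places to look. The following Python detector is an added example for this guide, not code from the original article or from any IDS. It assumes the gateway logs the relevant packets with an iptables LOG rule whose prefix is "SCAN-LOG:" (the prefix, the host name "gw" and every address in the sample are constructed). It applies two kinds of signature to the log: single-packet flag combinations that never occur in a normal handshake (Null, Xmas, FIN), and rate-based sweeps (one source sending SYNs to many ports, or ICMP echo requests to many hosts, inside a time window).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed iptables LOG lines (the "SCAN-LOG:" prefix is an assumption of this example).
# From 192.168.1.77: a Null probe, an Xmas probe, a FIN probe, a burst of SYNs to five ports,
# and an ICMP echo sweep of five hosts. The last line is one ordinary SYN from 192.168.1.50
# that must not raise an alert. None of this is real traffic.
SAMPLE_LOG = """\
Aug  1 10:15:01 gw kernel: SCAN-LOG: IN=eth0 OUT= SRC=192.168.1.77 DST=192.168.1.1 LEN=40 TTL=49 ID=1 PROTO=TCP SPT=44001 DPT=22 WINDOW=1024 RES=0x00 URGP=0
Aug  1 10:15:01 gw kernel: SCAN-LOG: IN=eth0 OUT= SRC=192.168.1.77 DST=192.168.1.1 LEN=40 TTL=49 ID=2 PROTO=TCP SPT=44002 DPT=80 WINDOW=1024 RES=0x00 FIN PSH URG URGP=0
Aug  1 10:15:02 gw kernel: SCAN-LOG: IN=eth0 OUT= SRC=192.168.1.77 DST=192.168.1.1 LEN=40 TTL=49 ID=3 PROTO=TCP SPT=44003 DPT=443 WINDOW=1024 RES=0x00 FIN URGP=0
Aug  1 10:15:03 gw kernel: SCAN-LOG: IN=eth0 OUT= SRC=192.168.1.77 DST=192.168.1.1 LEN=44 TTL=49 ID=4 PROTO=TCP SPT=44004 DPT=21 WINDOW=1024 RES=0x00 SYN URGP=0
Aug  1 10:15:03 gw kernel: SCAN-LOG: IN=eth0 OUT= SRC=192.168.1.77 DST=192.168.1.1 LEN=44 TTL=49 ID=5 PROTO=TCP SPT=44005 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Aug  1 10:15:04 gw kernel: SCAN-LOG: IN=eth0 OUT= SRC=192.168.1.77 DST=192.168.1.1 LEN=44 TTL=49 ID=6 PROTO=TCP SPT=44006 DPT=25 WINDOW=1024 RES=0x00 SYN URGP=0
Aug  1 10:15:04 gw kernel: SCAN-LOG: IN=eth0 OUT= SRC=192.168.1.77 DST=192.168.1.1 LEN=44 TTL=49 ID=7 PROTO=TCP SPT=44007 DPT=110 WINDOW=1024 RES=0x00 SYN URGP=0
Aug  1 10:15:05 gw kernel: SCAN-LOG: IN=eth0 OUT= SRC=192.168.1.77 DST=192.168.1.1 LEN=44 TTL=49 ID=8 PROTO=TCP SPT=44008 DPT=139 WINDOW=1024 RES=0x00 SYN URGP=0
Aug  1 10:15:10 gw kernel: SCAN-LOG: IN=eth0 OUT= SRC=192.168.1.77 DST=192.168.1.2 LEN=28 TTL=49 ID=9 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Aug  1 10:15:10 gw kernel: SCAN-LOG: IN=eth0 OUT= SRC=192.168.1.77 DST=192.168.1.3 LEN=28 TTL=49 ID=10 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2
Aug  1 10:15:11 gw kernel: SCAN-LOG: IN=eth0 OUT= SRC=192.168.1.77 DST=192.168.1.4 LEN=28 TTL=49 ID=11 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=3
Aug  1 10:15:11 gw kernel: SCAN-LOG: IN=eth0 OUT= SRC=192.168.1.77 DST=192.168.1.5 LEN=28 TTL=49 ID=12 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=4
Aug  1 10:15:12 gw kernel: SCAN-LOG: IN=eth0 OUT= SRC=192.168.1.77 DST=192.168.1.6 LEN=28 TTL=49 ID=13 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=5
Aug  1 10:16:30 gw kernel: SCAN-LOG: IN=eth0 OUT= SRC=192.168.1.50 DST=192.168.1.1 LEN=60 TTL=64 ID=77 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
"""

KV_RE = re.compile(r"(\w+)=(\S*)")
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}


def parse_line(line: str) -> dict:
    """Pull timestamp, addresses, protocol and the TCP flag set out of one LOG line."""
    parts = line.split()
    ts = datetime.strptime(" ".join(parts[:3]), "%b %d %H:%M:%S")  # syslog time, no year
    fields = dict(KV_RE.findall(line))
    return {
        "ts": ts,
        "src": fields.get("SRC"),
        "dst": fields.get("DST"),
        "proto": fields.get("PROTO"),
        "dpt": fields.get("DPT"),
        "icmp_type": fields.get("TYPE"),
        "flags": {tok for tok in parts if tok in TCP_FLAGS},
    }


def classify_flags(ev: dict):
    """Single-packet signatures: flag combinations that a normal TCP handshake never uses."""
    if ev["proto"] != "TCP":
        return None
    flags = ev["flags"]
    if not flags:
        return "null-scan"
    if flags == {"FIN", "PSH", "URG"}:
        return "xmas-scan"
    if flags == {"FIN"}:
        return "fin-scan"
    return None


def detect(lines: List[str], window: timedelta = timedelta(seconds=30),
           threshold: int = 5) -> List[Tuple[str, str, str]]:
    """Return (source, alert_kind, detail) for anomalous flags and for SYN / ICMP sweeps."""
    alerts: List[Tuple[str, str, str]] = []
    per_src: Dict[str, List[dict]] = defaultdict(list)
    for raw in lines:
        if "SCAN-LOG:" not in raw:
            continue
        ev = parse_line(raw)
        kind = classify_flags(ev)
        if kind:
            alerts.append((ev["src"], kind, f"dst={ev['dst']} dpt={ev['dpt']}"))
        per_src[ev["src"]].append(ev)

    # Rate-based signatures: one source touching many ports or hosts inside the window.
    for src, events in per_src.items():
        events.sort(key=lambda e: e["ts"])
        raised = set()  # report each sweep kind once per source
        for i, ev in enumerate(events):
            recent = [e for e in events[: i + 1] if e["ts"] >= ev["ts"] - window]
            syn_targets = {(e["dst"], e["dpt"]) for e in recent
                           if e["proto"] == "TCP" and e["flags"] == {"SYN"}}
            icmp_targets = {e["dst"] for e in recent
                            if e["proto"] == "ICMP" and e["icmp_type"] == "8"}
            if len(syn_targets) >= threshold and "syn-sweep" not in raised:
                raised.add("syn-sweep")
                alerts.append((src, "syn-sweep", f"{len(syn_targets)} ports in {window.seconds}s"))
            if len(icmp_targets) >= threshold and "ping-sweep" not in raised:
                raised.add("ping-sweep")
                alerts.append((src, "ping-sweep", f"{len(icmp_targets)} hosts in {window.seconds}s"))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

The window and threshold are the tuning knobs: a slow scan spread over minutes (the -T0/-T1 timing templates exist for exactly that reason) falls below a 30-second, five-port threshold, so in production the rate rule is usually paired with a longer window and the flag-based rules, which fire on a single packet regardless of speed. The decoy (-D) scan from the previous section shows up here as several sources with identical timing, which is itself a usable signal once the alerts are correlated by time.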