What is Nmap and who uses it?

Nmap (Network Mapper) was written by Gordon Lyon (alias Fyodor) and first published in September 1997 in Phrack Magazine (issue 51). Today it's open source under its own licence, the Nmap Public Source License (NPSL), and actively maintained. The latest stable release is 7.95 (May 2024).

Sysadmins use it to map networks. Penetration testers use it to find attack surfaces. Security teams use it to verify that firewall rules actually do what the change ticket says. It ships in nearly every penetration-testing toolkit and distribution (Metasploit, Kali Linux, Parrot OS) and is explicitly referenced in NIST SP 800-115 as a recommended scanning tool.

The film The Matrix Reloaded (2003) used a real Nmap scan in a scene to look technically credible. It's the same Nmap you run today.

⚠️ Only scan networks you own or have written permission to scan. Unauthorised scanning of systems you don't own is illegal in most jurisdictions. Scanning your own home network or a test machine you control is fine.

Install Nmap

# Debian / Ubuntu / Raspberry Pi OS
sudo apt install nmap

# macOS (Homebrew)
brew install nmap

# Windows – download from nmap.org/download
# or via Chocolatey:
choco install nmap

The five scans you use most

1. Find all devices on your home network

sudo nmap -sn 192.168.1.0/24

-sn does host discovery only, no port scanning. On your own Ethernet or Wi-Fi segment, run as root, Nmap discovers hosts with ARP requests, so even devices that block ICMP ping still show up, complete with MAC address and vendor. On subnets you're not directly attached to it falls back to ICMP echo plus TCP probes to ports 80 and 443. Change the subnet to match yours (check with ip route on Linux or ipconfig on Windows) and you get a list of every device that responded. Useful for finding that old printer that hasn't had a firmware update in three years, or devices you didn't know were on the network.

2. See what's running on a specific machine

sudo nmap -sV -p 1-1024 192.168.1.100

-sV enables service version detection. Nmap sends probes to each open port and matches the response against nmap-service-probes, a database of over 11,000 match signatures (regular expressions tied to a product and version). You don't just see "port 22 open". You see "OpenSSH 9.2p1 Debian 2+deb12u2". That gives you a concrete version to check against known CVEs, with one caveat: distributions such as Debian backport security fixes without changing the upstream version number, so a banner tells you what is exposed, not whether it is actually vulnerable.
</gre_replace>
<gr_insert after="35" cat="add_content" lang="python" orig="-sV enables service">
To show what the matching step of -sV actually does, here is an added example (not code from the original post, and not Nmap's own implementation). The three match lines are constructed in the syntax of nmap-service-probes, not copied from the real database, and the banners are constructed too; real Nmap first sends the probe that elicits the banner and uses PCRE, whereas this matcher is handed the banner directly so it runs offline.

```python
import re

# Constructed "match" lines written in the syntax of Nmap's nmap-service-probes
# file. They are illustrative, not copied from the real database.
#   match <service> m<delim>regex<delim>[flags] [p/product/] [v/version/] [i/info/] ...
# $1, $2 ... inside a field are replaced with the regex capture groups.
MATCH_LINES = [
    r"match ssh m|^SSH-([\d.]+)-OpenSSH[_-]([\w.]+)| p/OpenSSH/ v/$2/ i/protocol $1/",
    r"match http m|^HTTP/1\.[01] \d\d\d .*\r\nServer: nginx/([\d.]+)|s p/nginx/ v/$1/",
    r"match ftp m|^220 ProFTPD ([\d.]+\w*) Server| p/ProFTPD/ v/$1/",
]

_MATCH_LINE = re.compile(r"^match (\S+) m(.)(.*?)\2([is]*)\s*(.*)$")
_VERSION_FIELD = re.compile(r"([pvihod])/([^/]*)/")
_GROUP_REF = re.compile(r"\$(\d+)")


def parse_match_line(line):
    """Turn one match line into a compiled regex plus its version-info fields."""
    m = _MATCH_LINE.match(line)
    if m is None:
        raise ValueError("not a match line: " + line)
    service, _delim, pattern, flagstr, rest = m.groups()
    flags = 0
    if "i" in flagstr:
        flags |= re.IGNORECASE
    if "s" in flagstr:
        flags |= re.DOTALL
    return {
        "service": service,
        "regex": re.compile(pattern, flags),
        "fields": dict(_VERSION_FIELD.findall(rest)),
    }


PROBES = [parse_match_line(line) for line in MATCH_LINES]


def identify(banner, probes=PROBES):
    """Return service/product/version/info for a banner, or None if nothing matches.

    First match wins, as in Nmap; the banner is handed in directly instead of
    being read from a socket so the function works offline.
    """
    for probe in probes:
        m = probe["regex"].search(banner)
        if m is None:
            continue

        def expand(field, m=m):
            # $N -> capture group N; a group that did not participate becomes ""
            return _GROUP_REF.sub(lambda g: m.group(int(g.group(1))) or "", field)

        fields = {key: expand(val) for key, val in probe["fields"].items()}
        return {
            "service": probe["service"],
            "product": fields.get("p"),
            "version": fields.get("v"),
            "info": fields.get("i"),
        }
    return None


if __name__ == "__main__":
    # Constructed banners standing in for what the services would send back.
    for banner in [
        "SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u2\r\n",
        "HTTP/1.1 200 OK\r\nServer: nginx/1.24.0\r\nContent-Length: 0\r\n\r\n",
        "220 ProFTPD 1.3.8 Server (Debian) [::ffff:192.168.1.100]\r\n",
        "+OK Dovecot ready.\r\n",
    ]:
        print("%-45r -> %s" % (banner, identify(banner)))
```

The last banner (a POP3 greeting) matches nothing, which is the case Nmap reports as an unknown service and prints a fingerprint for; the SSH banner yields "OpenSSH 9.2p1" with "protocol 2.0" as the info field, and the Debian suffix that would tell you about backported patches is deliberately not part of the version.
<test>
r = identify("SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u2\r\n")
assert r == {"service": "ssh", "product": "OpenSSH", "version": "9.2p1", "info": "protocol 2.0"}
r = identify("HTTP/1.1 200 OK\r\nServer: nginx/1.24.0\r\nContent-Length: 0\r\n\r\n")
assert r["service"] == "http" and r["product"] == "nginx" and r["version"] == "1.24.0" and r["info"] is None
r = identify("220 ProFTPD 1.3.8 Server (Debian) [::ffff:192.168.1.100]\r\n")
assert r["product"] == "ProFTPD" and r["version"] == "1.3.8"
assert identify("+OK Dovecot ready.\r\n") is None
assert len(PROBES) == 3 and PROBES[1]["fields"] == {"p": "nginx", "v": "$1"}
</test>
</gr_insert>
<gr_replace lines="41" cat="clarify" orig="By default Nmap">
By default Nmap only scans the 1,000 most common TCP ports. Services running on non-standard ports (SSH on 2222, a web server on 8443) won't show up in a default scan. -p- scans all 65,535. -T4 is a timing template. Values go from 0 (slow and quiet) to 5 (fast, and liable to miss ports on congested or rate-limited networks); the default is T3. T4 is the right call on a local network. Note that this is still TCP only: UDP services (DNS, SNMP, mDNS) need a separate -sU scan, which is much slower.

3. Scan all 65,535 ports

sudo nmap -p- -T4 192.168.1.100

By default Nmap only scans the 1,000 most common ports. Services running on non-standard ports (SSH on 2222, a web server on 8443) won't show up in a default scan. -p- scans all of them. -T4 is a timing template. Values go from 0 (slow and quiet) to 5 (fast and unreliable on congested networks). T4 is the right call on a local network.

4. OS fingerprinting

sudo nmap -O 192.168.1.100

Nmap analyses TCP/IP response patterns (initial TTL, window size, TCP option ordering and the like) and compares them against its database of known OS fingerprints (nmap-os-db). It's not perfect, but it gets close for most systems, and it works best when the target has at least one open and one closed TCP port to probe. Requires root because it sends raw IP packets. If Nmap returns "OS details: Linux 5.15 - 6.1", you know which kernel range you're looking at.

5. Aggressive scan (everything at once)

sudo nmap -A -T4 192.168.1.100

-A turns on OS detection, service version detection, script scanning and traceroute. More noisy and slower, but gives you the full picture. Use it on your own infrastructure when you want a complete snapshot.

Nmap Scripting Engine (NSE)

NSE is what makes Nmap more than a scanning tool. It's a Lua-based scripting engine with over 600 included scripts (in /usr/share/nmap/scripts/) that can do everything from DNS enumeration to vulnerability scanning.

Run vulnerability scripts

sudo nmap -sV --script vuln 192.168.1.100

Runs every script in the "vuln" category against the services found. That includes checks for EternalBlue (MS17-010), Heartbleed (CVE-2014-0160) and a range of other known CVEs. Two caveats: the vuln category mixes safe checks with intrusive ones that can upset fragile services, so on anything you care about start with --script "vuln and safe"; and it only covers what an NSE script exists for, so it's not a replacement for a dedicated vulnerability scanner (Nessus, OpenVAS), but a solid first pass.

HTTP headers and SSL info

# Check HTTP response headers
nmap --script http-headers -p 80,443 192.168.1.100

# SSL/TLS certificate and cipher suites
nmap --script ssl-cert,ssl-enum-ciphers -p 443 192.168.1.100

Save output for later analysis

# Plain text output
nmap -sV 192.168.1.0/24 -oN scan_$(date +%Y%m%d).txt

# XML output (for automated processing)
nmap -sV 192.168.1.0/24 -oX scan_$(date +%Y%m%d).xml

# All formats at once
nmap -sV 192.168.1.0/24 -oA scan_$(date +%Y%m%d)

XML output is useful if you want to parse results automatically, for example to detect changes in open ports over time. This is the foundation for building a simple monitoring tool.

Why Nmap still matters in 2026

Alternatives like Masscan are faster on large networks. Masscan can scan the entire internet in under 6 minutes at 10 Gbps, but it only gives you open ports. No service detection, no scripting, no OS fingerprinting. Nmap and Masscan are often used together: Masscan to find open ports quickly, Nmap to go deeper.

Attacks on internet-facing hosts, in the cloud or elsewhere, still mostly start with an exposed port or a misconfigured service. Shodan.io continuously crawls the entire internet with techniques similar to Nmap's and publishes the results, which means your server has already been scanned, whether you like it or not. The only thing that helps is knowing what's exposed before someone uses it against you.

💡 Homelab tip: Run a weekly Nmap scan against your Pi and save the XML output. A simple script that diffs the new scan against the previous one will tell you if new ports have appeared — for example because Docker exposed something you didn't expect.
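The diff script that the XML section and the homelab tip both describe, as an added example (not code from the original post). It reads two -oX files, keeps only ports in state "open", and reports new, closed and changed ports; the two XML documents embedded in it are constructed in the shape Nmap writes, trimmed to the elements the script reads, and the IP, MAC and version strings are made-up stand-ins.

```python
import sys
import xml.etree.ElementTree as ET

# Two constructed documents in the shape that nmap -oX writes, trimmed to the
# elements this script reads. The IP, MAC and versions are made-up stand-ins.
OLD_XML = """<nmaprun scanner="nmap" args="nmap -sV -oX old.xml 192.168.1.100" version="7.95">
<host><status state="up" reason="arp-response"/>
<address addr="192.168.1.100" addrtype="ipv4"/>
<address addr="DC:A6:32:00:00:01" addrtype="mac" vendor="Raspberry Pi Trading"/>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
<service name="ssh" product="OpenSSH" version="9.2p1 Debian 2+deb12u2"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
<service name="http" product="nginx" version="1.22.1"/></port>
<port protocol="tcp" portid="631"><state state="open" reason="syn-ack"/>
<service name="ipp" product="CUPS" version="2.4"/></port>
</ports></host>
</nmaprun>"""

NEW_XML = """<nmaprun scanner="nmap" args="nmap -sV -oX new.xml 192.168.1.100" version="7.95">
<host><status state="up" reason="arp-response"/>
<address addr="192.168.1.100" addrtype="ipv4"/>
<address addr="DC:A6:32:00:00:01" addrtype="mac" vendor="Raspberry Pi Trading"/>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
<service name="ssh" product="OpenSSH" version="9.2p1 Debian 2+deb12u2"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
<service name="http" product="nginx" version="1.24.0"/></port>
<port protocol="tcp" portid="443"><state state="filtered" reason="no-response"/>
<service name="https"/></port>
<port protocol="tcp" portid="8080"><state state="open" reason="syn-ack"/>
<service name="http-proxy"/></port>
</ports></host>
</nmaprun>"""


def open_ports(xml_text):
    """Map (ip, protocol, port) -> service description for every open port."""
    found = {}
    for host in ET.fromstring(xml_text).iter("host"):
        ip = next((a.get("addr") for a in host.findall("address")
                   if a.get("addrtype") == "ipv4"), None)
        if ip is None:
            continue  # no IPv4 address recorded (host down, or IPv6-only scan)
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed and filtered ports are not exposure
            svc = port.find("service")
            parts = [svc.get(k) for k in ("name", "product", "version")] if svc is not None else []
            found[(ip, port.get("protocol"), int(port.get("portid")))] = " ".join(p for p in parts if p) or "?"
    return found


def diff_scans(old, new):
    """Compare two open_ports() maps. Keys are sorted so output is stable."""
    return {
        "new": sorted(k for k in new if k not in old),
        "closed": sorted(k for k in old if k not in new),
        "changed": sorted(k for k in new if k in old and new[k] != old[k]),
    }


def report(old, new):
    """Human-readable lines, one per difference; an empty list means nothing changed."""
    d = diff_scans(old, new)
    fmt = lambda k: "%s %d/%s" % (k[0], k[2], k[1])
    lines = ["NEW      %s  %s" % (fmt(k), new[k]) for k in d["new"]]
    lines += ["CLOSED   %s  %s" % (fmt(k), old[k]) for k in d["closed"]]
    lines += ["CHANGED  %s  %s -> %s" % (fmt(k), old[k], new[k]) for k in d["changed"]]
    return lines


if __name__ == "__main__":
    # Usage: nmap_diff.py last_week.xml this_week.xml   (no args runs the built-in sample)
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f_old, open(sys.argv[2]) as f_new:
            old, new = open_ports(f_old.read()), open_ports(f_new.read())
    else:
        old, new = open_ports(OLD_XML), open_ports(NEW_XML)
    for line in report(old, new) or ["no changes"]:
        print(line)
    # Nonzero exit on newly exposed ports, so a cron job can alert on it.
    sys.exit(1 if diff_scans(old, new)["new"] else 0)
```

On the built-in sample it reports 8080/tcp as new (the Docker case from the tip), 631/tcp as closed and 80/tcp as changed (nginx 1.22.1 to 1.24.0); 443/tcp is filtered in the new scan and therefore ignored. Keep the -sV flag in the weekly scan, otherwise the "changed" list only ever sees the service name from the port table.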

Quick reference

Flag             What it does
-sS              SYN scan (stealth, requires root)
-sT              TCP connect scan (no root needed)
-sU              UDP scan (slow but necessary)
-sV              Service/version detection
-O               OS fingerprinting
-A               Aggressive (OS + version + scripts + traceroute)
-p-              Scan all 65,535 ports
-sn              Ping sweep, no port scanning
-T0–T5           Timing (T4 = fast, T0 = extremely slow, meant to stay under detection thresholds)
-oX file.xml     Save output as XML
--script vuln    Run vulnerability scripts

Sources