July 14, 2026
The Complete Nmap Guide: From Beginner to Network Scanning Pro
Introduction

By Zeeshan Haider
5 min read
Introduction
Network Mapper (Nmap) is a powerful open-source network scanning and security auditing tool widely used by system administrators, cybersecurity professionals, and penetration testers. It is designed to discover hosts and services on a computer network by sending packets and analyzing the responses. Nmap can identify live hosts, detect open ports, determine operating systems, perform service and version detection, and assess potential vulnerabilities through its Nmap Scripting Engine (NSE).
Due to its flexibility, speed, and extensive feature set, Nmap has become one of the most essential tools for network reconnaissance, vulnerability assessment, and security testing.
Setting up the Nmap
Kali Linux already have nmap installed you can see it using the — version nmap command as shown below.
If you don't have nmap you can install it using the following command as shown below.
sudo apt install nmapsudo apt install nmap
Now everything is done so we will try to discover all the devices on the same network using the following command.
Ping Scan
Ping scan means scanning the host quickly without checking for the open ports as shown below.
SYN Scan
This scan is also called as the half scan because it finds for the open ports without making the TCP handshake, as shown below.
UDP Scan
Used to scan the open UDP ports as shown below.
Service Version Detection Scan
This kind of scan is used to detect the versions of the services on the
Operating System Detection
We can also detect the OS of the target using the following command.
Aggressive Scan
Used to find the results of many flags combined like tracert etc as shown below.
Scanning for the Open Ports on a Web
To scan that which ports are open on a web server we just type as nmap web url without http://
As shown below.
We can also try to find the service version for this open port as shown below.
Can also use some other flags based on out needs.
Nmap Scripting Engine
The Nmap Scripting Engine (NSE) is a powerful feature of Nmap that allows you to run scripts to perform tasks beyond simple port scanning.
Instead of only answering:
"Which ports are open?"
NSE can answer questions like:
- What software version is running?
- Is the server vulnerable to a known issue?
- What users or shares are available?
- What SSL/TLS configuration is being used?
- What information can be gathered from a web application?
How NSE works
NSE scripts are written in the Lua programming language and are included with Nmap. When you run a script, Nmap executes it against the target service.
We can find these scripts in the /usr/share/nmap/scripts folder in Kali as shown below.
There are a lot of scripts so we cannot elaborate on each but I have elaborated the most important scripts and that are given below.
Important Scripts
HTTP Scripts
http-enum
Discovers common web directories and applications.
http-title
Retrieves the HTML title of the website.
http-headers
Shows HTTP response headers.
http-methods
Lists supported HTTP methods.
nmap --script http-methods targetnmap --script http-methods targethttp-security-headers
Checks important security headers.
nmap --script http-security-headers targetnmap --script http-security-headers targethttp-robots.txt
Downloads robots.txt.
nmap --script http-robots.txt targetnmap --script http-robots.txt targethttp-vhosts
Attempts to discover virtual hosts.
nmap --script http-vhosts targetnmap --script http-vhosts targetUseful when multiple websites share one server.
http-wordpress-enum
Enumerates WordPress information.
nmap --script http-wordpress-enum targetnmap --script http-wordpress-enum targetCan reveal:
- plugins
- themes
- WordPress version
http-git
Looks for exposed Git repositories.
nmap --script http-git targetnmap --script http-git targetOutput:
/.git/config accessible/.git/config accessibleThis can expose source code.
http-webdav-scan
Checks for WebDAV support.
nmap --script http-webdav-scan targetnmap --script http-webdav-scan targetOutput:
WebDAV enabled
PUT allowed
PROPFIND allowedWebDAV enabled
PUT allowed
PROPFIND allowedCan indicate file upload opportunities.
SSL Scripts
ssl-cert
Retrieves certificate details.
nmap --script ssl-cert -p443 targetnmap --script ssl-cert -p443 targetOutput:
Common Name: example.com
Issuer:
Let's Encrypt
Expires:
2026-05-01Common Name: example.com
Issuer:
Let's Encrypt
Expires:
2026-05-01Useful for certificate inspection.
ssl-enum-ciphers
Lists accepted SSL/TLS ciphers.
nmap --script ssl-enum-ciphers -p443 targetnmap --script ssl-enum-ciphers -p443 targetOutput:
TLSv1.2
ECDHE_RSA_AES_256_GCM_SHA384
TLSv1.3
TLS_AES_256_GCM_SHA384TLSv1.2
ECDHE_RSA_AES_256_GCM_SHA384
TLSv1.3
TLS_AES_256_GCM_SHA384Helps identify weak encryption.
ssl-heartbleed
Checks for the famous Heartbleed vulnerability.
nmap --script ssl-heartbleed targetnmap --script ssl-heartbleed targetOutput:
NOT VULNERABLENOT VULNERABLEor
VULNERABLEVULNERABLESMB Scripts
smb-os-discovery
Attempts to identify the operating system.
nmap --script smb-os-discovery targetnmap --script smb-os-discovery targetOutput:
Windows Server 2019
Computer Name: FILESERVER
Domain: CORPWindows Server 2019
Computer Name: FILESERVER
Domain: CORPVery useful in internal networks.
smb-enum-shares
Lists accessible SMB shares.
nmap --script smb-enum-shares targetnmap --script smb-enum-shares targetOutput:
IPC$
ADMIN$
Public
HR
FinanceIPC$
ADMIN$
Public
HR
Financesmb-enum-users
Enumerates usernames.
nmap --script smb-enum-users targetnmap --script smb-enum-users targetOutput:
Administrator
John
Sarah
GuestAdministrator
John
Sarah
GuestUseful for later authentication testing.
smb-vuln-ms17–010
Checks for EternalBlue vulnerability.
nmap --script smb-vuln-ms17-010 targetnmap --script smb-vuln-ms17-010 targetOutput:
VULNERABLE:
MS17-010VULNERABLE:
MS17-010or
NOT VULNERABLENOT VULNERABLESSH Scripts
ssh-hostkey
Retrieves SSH host keys.
nmap --script ssh-hostkey targetnmap --script ssh-hostkey targetOutput:
RSA Key:
SHA256:abc123...
ED25519 Key:
SHA256:def456...RSA Key:
SHA256:abc123...
ED25519 Key:
SHA256:def456...Useful for fingerprinting servers.
ssh-auth-methods
Shows allowed authentication mechanisms.
nmap --script ssh-auth-methods targetnmap --script ssh-auth-methods targetOutput:
Supported authentication:
password
publickey
keyboard-interactiveSupported authentication:
password
publickey
keyboard-interactiveCan indicate whether password login is enabled.
Vulnerability Database
vulners
Matches service versions against known CVEs.
nmap -sV --script vulners targetnmap -sV --script vulners targetExample:
Apache 2.4.49
CVE-2021-41773
CVE-2021-42013
Severity: 9.8Apache 2.4.49
CVE-2021-41773
CVE-2021-42013
Severity: 9.8or
OpenSSH 7.2
CVE-2016-10009OpenSSH 7.2
CVE-2016-10009his script is extremely popular because it automatically correlates detected software versions with publicly known vulnerabilities.
Quick Summary
MAC Address Spoofing
MAC address spoofing in Nmap means telling Nmap to send packets using a fake source MAC address instead of your network card's real hardware address.
For example if we want to have a random MAC address while scanning the target as shown below.
If we want a MAC that has a specific starting like 00:11 as shown below.
If we want a MAC of a specific vendor like Cisco let's see.
Similarly we can do many more things with it.
Output Commands
If we want to save the output of the command to a file then we write the -o along with the type of file like:
- -oX gives XML file
- -oN gives normal .txt output
- -oG gives the greppable file
- -oA gives all format files
Timing
We can specify that how much would a scan will take time by specifying like T0, T1, T2 etc.
Now as the value with T increases the scan becomes faster but misses details so T0 takes too much time while T5 is abrupt but advantage of slow scan is that it gives more details and cannot be detected by the intrusion detection systems.
One result is shown below.