
Nmap Tutorial for Beginners

Only scan networks and systems you own or have explicit written permission to test. Unauthorised scanning is illegal in most jurisdictions — including under Australia’s Criminal Code Act 1995 (Part 10.7) and equivalent state legislation — and can result in criminal charges. Every command on this page assumes you are working in your own home lab or a practice environment you control.

This rule applies equally to learning, testing, and professional work. Even in a workplace, network scanning typically requires management or legal approval before you run it.

Nmap (Network Mapper) is the industry-standard open-source tool for network discovery and security auditing, created by Gordon Lyon (Fyodor) and first released in 1997. According to the official Nmap.org documentation, it is designed to rapidly scan large networks and single hosts alike using raw IP packets to determine available hosts, services, operating systems, and security posture.

In practice it sends specially crafted packets to target hosts and analyses the responses to determine which hosts are alive, which ports are open, what services are running, and what operating systems are in use. Nearly three decades after its first release it remains the most widely used port scanner in the cybersecurity industry.

If you are completely new to network scanning, think of Nmap as a way to knock on every door in a building and note which ones open, who answers, and what they are doing inside. It is the first tool most penetration testers and SOC analysts reach for when they need to understand a network.

This Nmap tutorial for beginners walks you through everything from basic host discovery to scripted vulnerability checks, using only your home lab as the target.

The first time I ran an Nmap scan, I pointed it at Metasploitable in my home lab and watched the results scroll past — port 21 FTP, port 22 SSH, port 80 HTTP, port 3306 MySQL, and a dozen more. I had read about open ports in my A+ study material, but seeing them listed out with service versions and OS guesses made the concept real in a way that flashcards never could. I remember thinking “so this is what attackers see when they look at a vulnerable system.” That single scan connected months of networking theory to something I could actually touch and explore. If you have not run your first scan yet, you are about to have that same moment.

What Do Real-World Nmap Scenarios Look Like?


Nmap is not just a learning exercise. It is used daily in professional security work across a wide range of scenarios.

Use case                 | What Nmap does                                                         | Who uses it
Network discovery        | Identifies live hosts on a subnet                                      | System administrators, SOC analysts
Vulnerability assessment | Detects open ports and outdated services                               | Penetration testers, security auditors
Security auditing        | Verifies firewall rules are working correctly                          | Network engineers, compliance teams
Compliance checking      | Confirms only authorised services are running                          | GRC analysts, IT managers
Incident response        | Maps the network during an active incident to find compromised hosts  | Incident responders
Asset inventory          | Discovers unknown devices on the network                               | IT operations

Understanding when and why to use Nmap helps you see the point of learning each command. You are not memorising syntax for an exam — you are building a skill that security professionals rely on every day.

Port scanning is the process of sending packets to a range of port numbers on a target host to determine which ports are open and what services are listening. NIST SP 800-115 defines port scanning as a fundamental technique in technical security testing and assessment.

Before you start running commands, it helps to understand what Nmap is actually doing at the network level.

Normal TCP connections follow a three-step process:

  1. SYN — Your computer sends a SYN (synchronise) packet to the target, requesting a connection
  2. SYN-ACK — If the port is open, the target responds with a SYN-ACK (synchronise-acknowledge)
  3. ACK — Your computer sends an ACK to complete the connection

Nmap uses variations of this process to determine whether a port is open, closed, or filtered (blocked by a firewall).

Nmap classifies ports into six states:

  • Open — A service is actively accepting connections on this port
  • Closed — The port is reachable (for TCP, the target answered with a RST) but no service is listening
  • Filtered — Nmap cannot determine whether the port is open because a firewall or network filter is dropping the probe
  • Unfiltered — The port is reachable but Nmap cannot determine whether it is open or closed (only the ACK scan produces this state)
  • Open|Filtered — Nmap cannot determine whether the port is open or filtered; common in UDP, FIN, NULL and Xmas scans, where silence can mean either
  • Closed|Filtered — Nmap cannot determine whether the port is closed or filtered (only the idle scan produces this state)

How Nmap Discovers Services

The scanning process from target to results (the page's diagram, summarised as text):

  Step 1, Host discovery: ping sweep or ARP scan to identify live hosts
  Step 2, Port scanning: TCP or UDP scan of the 1000 most common ports, each classified as open, closed or filtered
  Step 3, Service detection: banner grabbing, version identification and OS fingerprinting
  Step 4, Script scanning: default scripts, NSE vulnerability scripts and custom scan profiles

By default, Nmap runs the first two stages. You enable the later stages with specific flags (-sV for service detection, -sC or --script for NSE scripts, -O for OS fingerprinting).

These commands all target 192.168.56.101, which is a Metasploitable VM in a home lab environment. Replace the IP address with your own target. Never scan systems you do not own or have permission to test.

  nmap -sn 192.168.56.0/24

The -sn flag tells Nmap to skip port scanning and only check which hosts are alive on the subnet. This is useful when you want to see what devices are on your network before scanning individual machines. When you run it as root against hosts on the same Ethernet segment, Nmap uses ARP requests for this, which are fast and reliable because any host with an IP address must answer ARP. For remote subnets, or without root, it falls back to ICMP echo and TCP probes to ports 80 and 443, which host firewalls may drop, so some live hosts can be missed.

Expected output:

Nmap scan report for 192.168.56.1
Host is up (0.00032s latency).
Nmap scan report for 192.168.56.101
Host is up (0.00089s latency).
Nmap scan report for 192.168.56.102
Host is up (0.0012s latency).

2. Basic Port Scan — Scan the 1000 Most Common Ports

  nmap 192.168.56.101

With no flags, Nmap scans the 1000 most commonly used ports using a SYN scan (if you have root/sudo access) or a TCP connect scan (if you do not). This is the command you will run most often.

  nmap -sV 192.168.56.101

The -sV flag tells Nmap to probe open ports and attempt to identify the service name and version number. Instead of just seeing “port 22 open,” you will see “OpenSSH 4.7p1 Debian 8ubuntu1.” Version information is critical for identifying vulnerable software.

4. OS Detection — Fingerprint the Operating System

  sudo nmap -O 192.168.56.101

The -O flag enables OS fingerprinting. Nmap analyses characteristics of the target’s network stack — such as TCP window sizes, TTL values, and option ordering — to guess the operating system. This requires root privileges because it uses raw sockets.

5. Aggressive Scan — Combines Multiple Detection Methods

  sudo nmap -A 192.168.56.101

The -A flag enables OS detection, version detection, script scanning, and traceroute all at once. It is the most thorough single-command scan. Use it when you want maximum information about a target in your lab. It is slower and noisier than individual scans, so in professional settings you would typically run targeted scans instead.

  nmap -p 80,443,22,3306 192.168.56.101

The -p flag lets you specify exactly which ports to check. This is faster than a full scan and useful when you are looking for specific services. You can also use ranges: -p 1-1000 or -p 80-90.

  nmap -p- 192.168.56.101

The -p- shorthand scans every possible port (1 through 65,535). This is thorough but slow — it can take several minutes per host depending on network conditions. Use it when you need to ensure nothing is hiding on an unusual port.

8. Default NSE Scripts — Run Safe Vulnerability Checks

  nmap -sC 192.168.56.101

The -sC flag runs the scripts in the default category of the NSE (Nmap Scripting Engine); it is shorthand for --script=default. These scripts are selected to be fast, useful and generally non-intrusive, and do things like read SSH host keys, fetch HTTP page titles, inspect SSL/TLS certificates and query SMB for operating system details. They add valuable context to your scan without doing anything destructive. Note that default and safe are separate script categories: if you need a guarantee that nothing potentially disruptive runs, use --script safe instead.

  nmap -sV -oA scan_results 192.168.56.101

The -oA flag saves output in three formats simultaneously: normal text (.nmap), XML (.xml), and grepable (.gnmap). Always save your scan results. The XML format is particularly useful because other tools (like Metasploit and vulnerability scanners) can import it.

In practice, you will often combine several flags. A common combination for a thorough lab scan is:

  sudo nmap -sV -sC -O -oA full_scan 192.168.56.101

This runs version detection, default scripts, and OS fingerprinting, then saves the results. It is the command you will use most often when you want a complete picture of a target.

The two most common scan types are the SYN scan and the TCP connect scan. Understanding the difference matters for both practical use and certification exams.

TCP SYN Scan vs TCP Connect Scan

SYN scan (-sS): half-open, fast, and stealthy
  • Sends a SYN, reads the SYN-ACK or RST, and never completes the handshake (Nmap answers a SYN-ACK with a RST instead of the final ACK)
  • Faster: less overhead per port
  • Stealthier: the application never sees a completed connection, so it does not log one; firewalls and IDS still see the SYN
  • Requires root/sudo access (raw sockets)

Connect scan (-sT): full handshake, no root needed
  • Completes the full TCP three-way handshake through the operating system
  • Slower: more overhead per port
  • More visible: the service accepts a real connection and will usually log it
  • No root needed: uses the standard connect() call

Verdict: Use the SYN scan (the default when you run Nmap with sudo) in your lab. Use the connect scan when you do not have root access or need to scan through a proxy, which only a full-connection scan can traverse.

Use case: In your home lab, both work fine. On the Security+ exam, know the difference between the two.
Scan type | Flag | What it does
UDP scan  | -sU  | Scans UDP ports (much slower than TCP scans, but catches services like DNS, SNMP and DHCP)
ACK scan  | -sA  | Maps firewall rules by reporting ports as filtered or unfiltered; it cannot tell open from closed
FIN scan  | -sF  | Sends bare FIN packets, which some stateless firewalls that only block SYNs let through; works only against RFC 793-compliant stacks (Windows answers every probe with a RST, so all ports look closed)
Idle scan | -sI  | Bounces probes off a "zombie" host so the target never sees your address; extremely stealthy but complex to set up

For beginners, focus on SYN and connect scans. The others become relevant as you advance into penetration testing.
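The connect scan described above, together with the open, closed and filtered states defined earlier, can be reproduced in a few lines of Python. The block below is an added example written for this page, not Nmap's own code: it calls connect() against each port in an nmap-style -p port list and classifies the result. The loopback listener and the port-spec parser are this example's own constructions (the names connect_scan, parse_port_spec and start_dummy_listener are not Nmap identifiers), and it only ever touches 127.0.0.1 and a non-routable TEST-NET address, so it is safe to run outside a lab.

```python
"""Minimal TCP connect scan (the mechanism behind nmap -sT), written as an
illustration for this page. Not Nmap code; scans 127.0.0.1 only."""
import socket
import threading


def parse_port_spec(spec):
    """Expand an nmap-style -p port list such as "22,80,8000-8005" into a
    sorted list of integers (the comma and dash syntax the page describes)."""
    ports = set()
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        if "-" in item:
            lo, hi = (int(x) for x in item.split("-", 1))
        else:
            lo = hi = int(item)
        if not 0 <= lo <= hi <= 65535:
            raise ValueError(f"bad port spec: {item!r}")
        ports.update(range(lo, hi + 1))
    return sorted(ports)


def connect_scan_port(host, port, timeout=1.0):
    """Classify one TCP port the way a connect scan does.

    The kernel performs the full SYN / SYN-ACK / ACK exchange inside connect():
      open     - connect() succeeded, so the target sent a SYN-ACK
      closed   - the target answered with a RST (ECONNREFUSED)
      filtered - nothing came back before the timeout, or the probe could not
                 be delivered at all (Nmap would usually call the latter "host
                 down" rather than "filtered")
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except (TimeoutError, socket.timeout, OSError):
        return "filtered"
    finally:
        sock.close()  # a connect scan tears the connection down immediately


def connect_scan(host, spec, timeout=1.0):
    """Scan every port in an nmap-style port spec; returns {port: state}."""
    return {p: connect_scan_port(host, p, timeout) for p in parse_port_spec(spec)}


def start_dummy_listener():
    """Constructed fixture: a TCP listener on a free loopback port so the scan
    has one known-open port. Returns (server_socket, port)."""
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind(("127.0.0.1", 0))
    server.listen(5)

    def accept_loop():
        while True:
            try:
                conn, _ = server.accept()
            except OSError:  # server socket was closed
                return
            conn.close()

    threading.Thread(target=accept_loop, daemon=True).start()
    return server, server.getsockname()[1]


def free_loopback_port():
    """Constructed fixture: reserve and release a port so it is known-closed."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


if __name__ == "__main__":
    server, open_port = start_dummy_listener()
    closed_port = free_loopback_port()
    for port, state in connect_scan("127.0.0.1", f"{open_port},{closed_port}").items():
        print(f"{port}/tcp {state}")
    # 192.0.2.1 is TEST-NET-1 (RFC 5737) and never routes anywhere, so with a
    # short timeout it shows what "filtered" looks like.
    print("192.0.2.1:80", connect_scan_port("192.0.2.1", 80, timeout=0.5))
    server.close()
```

Running it prints one open port, one closed port and a filtered result for the TEST-NET address. A SYN scan reaches the same three verdicts from the SYN-ACK, RST or silence it observes directly, without letting the kernel finish the handshake; doing that needs raw sockets, which is why -sS needs root and -sT does not.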

Scanning an intentionally vulnerable target is the safest way to build real Nmap proficiency. The Metasploitable VM, maintained by Rapid7, is the most widely used practice target in cybersecurity training and is recommended by CompTIA PenTest+ study materials.

This walkthrough shows a complete scan against a Metasploitable VM — the intentionally vulnerable Linux image commonly used in home labs.

  nmap -sn 192.168.56.101

Output:

Nmap scan report for 192.168.56.101
Host is up (0.00067s latency).

  sudo nmap -sV -sC 192.168.56.101

Sample output (abbreviated):

PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1
23/tcp   open  telnet      Linux telnetd
25/tcp   open  smtp        Postfix smtpd
80/tcp   open  http        Apache httpd 2.2.8 ((Ubuntu) DAV/2)
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X
445/tcp  open  netbios-ssn Samba smbd 3.0.20-Debian
3306/tcp open  mysql       MySQL 5.0.51a-3ubuntu5
5432/tcp open  postgresql  PostgreSQL DB 8.3.0 - 8.3.7
8080/tcp open  http        Apache Tomcat/Coyote JSP engine 1.1

Each line tells you something important:

  • PORT — The port number and protocol (tcp/udp)
  • STATE — Whether the port is open, closed, or filtered
  • SERVICE — What type of service Nmap believes is running
  • VERSION — The specific software and version detected

In this example, several findings are immediately notable:

  1. vsftpd 2.3.4 on port 21 — This specific version has a well-known backdoor (CVE-2011-2523) that gives an attacker a shell on the host
  2. Telnet on port 23 — Telnet transmits credentials in cleartext and should never be exposed
  3. OpenSSH 4.7p1 — An outdated SSH version with known vulnerabilities
  4. MySQL and PostgreSQL — Database servers reachable from the network. The scan alone cannot tell you whether they enforce authentication or restrict client addresses, so that has to be checked separately, but the exposure itself is worth reporting

In a real security assessment, each of these findings would go into a report with a risk rating and remediation recommendation. In your lab, they are learning opportunities — you can research each vulnerability and understand why it matters.

  sudo nmap -sV -sC -oA metasploitable_scan 192.168.56.101

This creates three files: metasploitable_scan.nmap, metasploitable_scan.xml, and metasploitable_scan.gnmap. Keep these for your records — reviewing old scans is a good way to reinforce what you have learned.

Nmap is a network scanner, not a vulnerability scanner. As the official Nmap.org documentation notes, Nmap identifies open ports and services but does not perform the deep vulnerability validation that dedicated tools like Nessus or OpenVAS provide.

Nmap is powerful, but it has boundaries. Understanding what Nmap cannot do is just as important as knowing what it can.

Nmap is not a vulnerability scanner. It identifies open ports and services, but it does not test for specific vulnerabilities the way tools like Nessus, OpenVAS, or Qualys do. When Nmap finds vsftpd 2.3.4, it reports the version — it does not automatically confirm the backdoor vulnerability exists. You need additional tools or manual testing for that.

Speed vs completeness is a constant trade-off. A full port scan (-p-) with version detection (-sV) and scripts (-sC) can take 10-30 minutes per host. In a professional engagement with hundreds of hosts, you need to balance thoroughness with time constraints. Experienced testers start with quick scans and then deep-dive on interesting hosts.

Firewalls and IDS/IPS can affect results. Modern firewalls may drop packets silently, causing Nmap to report ports as “filtered” rather than “open” or “closed.” Intrusion detection systems may alert on scanning activity, and intrusion prevention systems may block your scans entirely. In a lab environment this is not an issue, but it matters in professional assessments.

Legal considerations are non-negotiable. Scanning systems without authorisation is a criminal offence in most countries. In Australia, the Criminal Code Act 1995 and various state cybercrime legislation cover unauthorised access to computer systems. Even well-intentioned scanning without permission can result in prosecution. Always have written authorisation before scanning any system you do not own.

UDP scanning is inherently unreliable. Unlike TCP, UDP has no handshake mechanism, so Nmap must rely on ICMP error messages and application-layer responses. UDP scans are much slower and less accurate than TCP scans. Important services like DNS (port 53), SNMP (port 161), and DHCP (port 67/68) use UDP, so do not skip it entirely — just know that the results may be incomplete.
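To see why UDP results are less certain, here is an added example (written for this page, not Nmap code) that probes three loopback UDP ports: one served by a responder that answers every datagram, one by a listener that stays silent, and one with nothing listening. The fixtures, the "pong" reply and the function name udp_probe are this example's own constructions.

```python
"""Why nmap -sU is less certain than a TCP scan, shown with a constructed
loopback experiment. Added illustration for this page; not Nmap code."""
import socket
import threading


def udp_probe(host, port, payload=b"\x00", timeout=1.0):
    """Classify one UDP port the way nmap -sU reasons about it.

      open           - the service sent a datagram back
      closed         - an ICMP port-unreachable came back (the kernel surfaces
                       it as ECONNREFUSED on a connected UDP socket)
      open|filtered  - silence: either a service that ignores our payload or a
                       firewall that dropped the probe; with no handshake there
                       is no way to tell which
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))  # connected socket so ICMP errors reach us
        sock.send(payload)
        sock.recv(512)
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except (TimeoutError, socket.timeout):
        return "open|filtered"
    finally:
        sock.close()


def start_udp_service(reply):
    """Constructed fixture. reply=b'...' answers every datagram (as a DNS
    server would); reply=None swallows them (as syslog, or a firewall drop,
    would). Returns (server_socket, port)."""
    server = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    server.bind(("127.0.0.1", 0))

    def serve():
        while True:
            try:
                _data, peer = server.recvfrom(512)
            except OSError:  # socket closed
                return
            if reply is not None:
                server.sendto(reply, peer)

    threading.Thread(target=serve, daemon=True).start()
    return server, server.getsockname()[1]


def free_udp_port():
    """Constructed fixture: reserve and release a UDP port so nothing listens."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


if __name__ == "__main__":
    chatty, chatty_port = start_udp_service(reply=b"pong")
    silent, silent_port = start_udp_service(reply=None)
    closed_port = free_udp_port()
    for label, port in [("replying service", chatty_port),
                        ("silent service", silent_port),
                        ("nothing listening", closed_port)]:
        print(f"{port}/udp ({label}): {udp_probe('127.0.0.1', port, timeout=0.5)}")
    chatty.close()
    silent.close()
```

Only the "closed" verdict depends on the ICMP port-unreachable message reaching the scanner. On a target that rate-limits or drops ICMP, that port would also come back as open|filtered, which is exactly the gap the paragraph above describes and why a UDP sweep of a large range is slow (Nmap has to wait for each timeout and pace itself around ICMP rate limits). Nmap narrows the ambiguity by sending protocol-specific payloads for well-known ports and, with -sUV, version-detection probes that can coax a reply out of an otherwise silent service.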

What Interview Questions Should You Expect About Nmap?


Nmap is one of the most frequently tested tools in cybersecurity interviews. CompTIA Security+ (SY0-701) Objective 4.1 and CompTIA PenTest+ (PT0-002) Objective 2.1 both cover network scanning and reconnaissance tools including Nmap.

Nmap comes up frequently in cybersecurity interviews, especially for SOC analyst and junior penetration testing roles. Here are questions you should be prepared to answer.

“How would you scan a network to identify live hosts?”

Strong answer: “I would use nmap -sn followed by the subnet range, such as nmap -sn 192.168.1.0/24. This performs a ping sweep without port scanning, which is fast and gives me a list of active hosts. On a local network, Nmap uses ARP requests, which are more reliable than ICMP pings because a host firewall that drops ICMP does not stop the host's network stack from answering ARP.”

“What is the difference between a SYN scan and a connect scan?”

Strong answer: “A SYN scan sends a SYN packet and reads the response without completing the three-way handshake; it is faster and stealthier but requires root privileges. A connect scan completes the full handshake using the operating system's connect() call; it is slower and more visible in logs but does not require elevated permissions. SYN scan is the default when you run Nmap with sudo.”

“How do you interpret a port shown as ‘filtered’?”

Strong answer: “A filtered port means Nmap did not receive a response: the probe was most likely dropped by a firewall or network filter. It does not mean the port is closed; a service could be running behind the firewall. In an assessment, I would note the filtered port, try alternative scan techniques such as an ACK scan to map the firewall rules, and check whether the filtering is intentional.”

“What would you do after finding an outdated service version?”

Strong answer: “I would research the specific version against vulnerability databases such as CVE and NVD to identify known vulnerabilities. I would document the finding with the port, service, version and any associated CVEs, then include it in my assessment report with a risk rating and remediation recommendation, typically upgrading to the latest supported version.”

“What output format would you use to share Nmap results with a team?”

Strong answer: “I would use -oA to save results in all three formats. The normal text format is human-readable for reports, the XML format can be imported into other security tools like Metasploit or vulnerability management platforms, and the grepable format is useful for scripting and quick searches across large scan sets.”

How Is Nmap Used in Real Security Operations?


Nmap is a daily operational tool in Security Operations Centres worldwide. NIST SP 800-115 recommends network scanning as part of routine security assessment, and the ASD Essential Eight maturity model depends on accurate asset discovery that tools like Nmap provide.

In a Security Operations Centre, Nmap is used for several operational tasks:

Baseline scanning — Teams run regular scans of their network segments to maintain an accurate inventory of hosts and services. Any new port or service that appears between scans triggers investigation. An unexpected SSH service on a workstation, for example, could indicate a compromised machine.
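A baseline comparison of this kind can be scripted directly against the grepable (.gnmap) files that -oA writes, which is the main reason to keep that third format. The block below is an added example written for this page, not Nmap code. The two scan excerpts are constructed to look like -oA output for the page's 192.168.56.0/24 lab: the second one gains an SSH service on a workstation and an unexpected port 4444 on the Metasploitable host. The parser relies on Nmap writing "|" in place of "/" inside version strings so that "/" can stay the field separator; parse_gnmap, diff_open_ports and report are this example's own names.

```python
"""Diff two Nmap grepable (.gnmap) files to spot ports that appeared or
vanished between scans. Added example for this page; not Nmap code."""
import ipaddress

# Grepable format, one line per host:
#   Host: <ip> (<hostname>)<TAB>Ports: <entry>, <entry>, ...<TAB>Ignored State: ...
# where each port entry is
#   port/state/protocol/owner/service/rpc info/version/
# Nmap writes '|' instead of '/' inside version strings so '/' stays a separator.
# Both excerpts below are constructed sample data, not real scan output.
BASELINE_GNMAP = """\
# Nmap 7.94 scan initiated Mon Mar  2 09:00:00 2026 as: nmap -sV -oA baseline 192.168.56.0/24
Host: 192.168.56.50 ()\tStatus: Up
Host: 192.168.56.50 ()\tPorts: 445/open/tcp//microsoft-ds//Windows 10 microsoft-ds/\tIgnored State: closed (999)
Host: 192.168.56.101 ()\tStatus: Up
Host: 192.168.56.101 ()\tPorts: 21/open/tcp//ftp//vsftpd 2.3.4/, 22/open/tcp//ssh//OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)/, 80/open/tcp//http//Apache httpd 2.2.8 ((Ubuntu) DAV|2)/\tIgnored State: closed (997)
# Nmap done at Mon Mar  2 09:03:10 2026 -- 256 IP addresses (2 hosts up) scanned in 190.02 seconds
"""

CURRENT_GNMAP = """\
# Nmap 7.94 scan initiated Mon Mar  9 09:00:00 2026 as: nmap -sV -oA weekly 192.168.56.0/24
Host: 192.168.56.50 ()\tStatus: Up
Host: 192.168.56.50 ()\tPorts: 22/open/tcp//ssh//OpenSSH for_Windows_8.1 (protocol 2.0)/, 445/open/tcp//microsoft-ds//Windows 10 microsoft-ds/\tIgnored State: closed (998)
Host: 192.168.56.101 ()\tStatus: Up
Host: 192.168.56.101 ()\tPorts: 21/open/tcp//ftp//vsftpd 2.3.4/, 22/open/tcp//ssh//OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)/, 80/open/tcp//http//Apache httpd 2.2.8 ((Ubuntu) DAV|2)/, 4444/open/tcp//krb524///\tIgnored State: closed (996)
# Nmap done at Mon Mar  9 09:03:42 2026 -- 256 IP addresses (2 hosts up) scanned in 222.41 seconds
"""


def parse_gnmap(text):
    """Return {host: {(port, proto): (state, service, version)}}."""
    inventory = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                      # skip the '# Nmap ...' comment lines
        fields = line.split("\t")
        host = fields[0].split()[1]
        entries = inventory.setdefault(host, {})
        ports_field = next((f for f in fields if f.startswith("Ports:")), None)
        if ports_field is None:
            continue                      # 'Status: Up' line carries no ports
        for entry in ports_field[len("Ports:"):].split(","):
            entry = entry.strip()
            if not entry:
                continue
            parts = entry.split("/")
            port, state, proto, _owner, service, _rpc = parts[:6]
            version = "/".join(parts[6:]).rstrip("/")   # drop the trailing '/'
            entries[(int(port), proto)] = (state, service, version)
    return inventory


def open_ports(host_entries):
    return {key for key, (state, _svc, _ver) in host_entries.items() if state == "open"}


def diff_open_ports(baseline, current):
    """Return (new_open, gone): per host, open ports that appeared or vanished."""
    new_open, gone = {}, {}
    for host in sorted(set(baseline) | set(current), key=ipaddress.ip_address):
        before = open_ports(baseline.get(host, {}))
        after = open_ports(current.get(host, {}))
        if after - before:
            new_open[host] = sorted(after - before)
        if before - after:
            gone[host] = sorted(before - after)
    return new_open, gone


def report(new_open, gone, current):
    """One line per change, with the service and version seen in the new scan."""
    lines = []
    for host, keys in new_open.items():
        for port, proto in keys:
            _state, service, version = current[host][(port, proto)]
            lines.append(f"NEW  {host} {port}/{proto} {service} {version}".rstrip())
    for host, keys in gone.items():
        for port, proto in keys:
            lines.append(f"GONE {host} {port}/{proto}")
    return lines


if __name__ == "__main__":
    new_open, gone = diff_open_ports(parse_gnmap(BASELINE_GNMAP), parse_gnmap(CURRENT_GNMAP))
    for line in report(new_open, gone, parse_gnmap(CURRENT_GNMAP)):
        print(line)   # the new SSH on the workstation and 4444/tcp on .101 are what an analyst should chase
```

In a real deployment you would read the two files from disk rather than embed them, and the XML output is the better input once you need more than port, state, service and version (script results, OS guesses, timing). For the "did anything change since last week" question, though, the grepable format and a diff like this is usually enough.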

Alert validation — When a SIEM generates an alert about potential malicious activity from an internal host, analysts may scan that host to see what services are running. If the host suddenly has ports open that are not part of its normal profile, that supports the alert.

Firewall rule verification — After a firewall change, analysts scan from outside the firewall to confirm that only intended ports are accessible. This catches misconfigurations before attackers do.

Incident scoping — During an active incident, Nmap helps responders map the affected network segment. Understanding which hosts are alive and what services they expose helps determine the potential blast radius of a compromise.

The Australian Signals Directorate (ASD) publishes the Essential Eight maturity model and the Information Security Manual (ISM), which include controls around network segmentation and asset management. Regular network scanning supports compliance with these frameworks by maintaining visibility of network assets and services.

The Australian Cyber Security Centre (ACSC) provides guidance on vulnerability management that includes network scanning as a foundational activity. Organisations operating under the Security of Critical Infrastructure Act 2018 (SOCI Act) are expected to maintain awareness of their network footprint, which in practice requires tools like Nmap.

For anyone pursuing cybersecurity work in Australia, understanding the legal boundaries of network scanning is essential. Scanning must always be conducted within the scope of your authorisation, and results must be handled in accordance with your organisation’s data handling policies.

  • Nmap is the industry-standard network scanner — free, open-source, and used by security professionals worldwide for host discovery, port scanning, service detection, and scripted vulnerability checks.
  • Start with simple scans and add flags as needed. A basic nmap [target] gives you a solid overview. Add -sV for version detection, -sC for scripts, and -O for OS fingerprinting as your confidence grows.
  • Always save your output with -oA to create reusable, shareable records of every scan.
  • Nmap identifies open ports and services, not vulnerabilities. Pair it with vulnerability scanners and manual research for a complete assessment.
  • Legal authorisation is non-negotiable. Only scan systems you own or have explicit written permission to test. In Australia, unauthorised scanning can result in criminal charges under the Criminal Code Act 1995.
  • SYN scan vs connect scan is a core concept for both practical use and certifications like Security+ and CySA+.
  • Practice in your home lab. Set up Metasploitable or another intentionally vulnerable VM and scan it repeatedly. Change flags, compare results, and build your confidence with real output.

Legal reminder: Scanning networks and systems without authorisation is illegal. All commands on this page assume you are working in your own home lab or a practice environment you control. When you move into professional work, always confirm that you have written authorisation before running any scan.


Technical details verified in March 2026 against the official Nmap documentation (nmap.org), CompTIA Security+ SY0-701 exam objectives, and ASD Essential Eight guidance.

Frequently Asked Questions

Is Nmap legal to use?

Yes, Nmap itself is legal to download, install, and use. However, scanning networks or systems you do not own or do not have explicit written permission to test is illegal in most jurisdictions. In Australia, unauthorised scanning can result in criminal charges under the Criminal Code Act 1995. Always scan only systems you own or have written authorisation to test.

Do I need root or sudo to run Nmap?

You can run basic TCP connect scans without root. However, SYN scans, OS fingerprinting, and many advanced features require root (Linux/macOS) or administrator (Windows) privileges because they use raw sockets. Running Nmap with sudo on Linux or macOS gives you access to all scan types.

What is the difference between -sS and -sT?

The -sS flag performs a SYN scan (half-open), which sends a SYN packet and reads the response without completing the TCP handshake. It is faster and stealthier but requires root. The -sT flag performs a TCP connect scan, which completes the full three-way handshake. It is slower and more visible in logs but does not require root.

Why does Nmap show a port as filtered?

A filtered port means Nmap's probe was dropped by a firewall or network filter and no response was received. It does not mean the port is closed — a service could be running behind the firewall. Filtered ports indicate that something is blocking Nmap's access to that port.

How long does a full port scan take?

Scanning all 65,535 ports with -p- typically takes 5 to 30 minutes per host, depending on network speed, firewall behaviour, and scan options. Adding version detection (-sV) and scripts (-sC) increases scan time further. For quick assessments, the default scan of 1000 common ports usually completes in seconds to minutes.

Can Nmap scan UDP ports?

Yes, use the -sU flag for UDP scanning. UDP scans are significantly slower and less reliable than TCP scans because UDP has no handshake mechanism. Nmap relies on ICMP error messages and application responses to determine port status. Important UDP services include DNS (53), SNMP (161), and DHCP (67/68).

What is the Nmap Scripting Engine (NSE)?

NSE is a powerful feature that lets Nmap run Lua scripts during scans. The -sC flag runs the default category of scripts, a curated set chosen to be fast and non-intrusive (it is not identical to the safe category), which performs tasks like reading SSH host keys, inspecting SSL/TLS certificates and fetching HTTP page titles. There are hundreds of scripts available for more advanced tasks like vulnerability detection and brute-force testing, selected with --script.

What output format should I save my scans in?

Use the -oA flag to save in all three formats simultaneously: normal text (.nmap), XML (.xml), and grepable (.gnmap). The XML format is particularly valuable because other security tools like Metasploit can import it directly. Always save your scans — you will want to reference them later.

Is Nmap the same as a vulnerability scanner?

No. Nmap identifies open ports, services, and versions, but it does not test for specific vulnerabilities the way dedicated scanners like Nessus, OpenVAS, or Qualys do. Nmap can detect that a service is running an old version, but confirming whether a specific exploit works requires additional tools or manual testing.

What certifications test Nmap knowledge?

CompTIA Security+ (SY0-701) covers port scanning concepts and tools including Nmap. CompTIA CySA+ (CS0-003) tests network reconnaissance and vulnerability scanning. CompTIA PenTest+ (PT0-002) includes hands-on Nmap usage. The OSCP certification from OffSec heavily relies on Nmap for its practical exam.