What is Nmap Tool in Cyber Security? Types of Nmap Scans, Scanning Methodology
Introduction to Nmap Tool
Nmap is a free and open-source network scanner. You can use it for security auditing and network discovery. It can detect operating systems and open network ports.
Network admins and security analysts also use Nmap for network inventory, management of service upgrade schedules, checking service uptime, etc.
Using raw IP packets, Nmap determines which hosts are available on a network, the services those hosts provide, the operating systems they run, the types of filters and firewalls in use, and several more characteristics.
While it works well on most computer operating systems, the official binary packages are meant for Windows, Mac OS, and Linux.
Different Types of Nmap Scans
Below are the primary types of scans that can be performed using Nmap:
- TCP Scan
  This type of scan checks a port by completing a three-way handshake with the target system.
- UDP Scan
  The UDP scan tests whether any UDP ports on the target machine are listening for incoming requests.
- SYN Scan
  SYN Scan is a form of TCP scan. However, it differs from a typical TCP scan because the SYN packets are created by Nmap itself. The SYN packet is the first packet sent when a TCP connection is being formed.
- ACK Scan
  ACK scans are used to check whether a specific port is filtered. This scan is handy when evaluating firewalls and their rule sets.
- FIN Scan
  Like the SYN scan, it is another stealthy scan. The difference is that it sends a TCP FIN packet.
- NULL Scan
  The NULL scan sends TCP packets whose header flag fields are all null (no flags set).
- XMAS Scan
  It is another stealthy scan that sets the PSH, URG, and FIN flags.
- RPC Scan
  RPC scans find the machines responding to RPC (Remote Procedure Call) services. With RPC, commands can be run remotely on specific machines.
- IDLE Scan
  This is considered the stealthiest scan in Nmap, because it bounces its packets off external hosts.
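The flag combinations in the list above are also what a defender sees in captured traffic. The following Python code is an added example, not part of the original article: it parses TCP headers and reports which probe patterns appear. The function names, the `min_ports` threshold and the sample headers are constructed for illustration, and the headers are assumed to be already grouped by source address.

```python
import struct
from collections import defaultdict

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Flag combination carried by the probe packet of each scan type listed above.
PROBE_PATTERNS = {0: "NULL", FIN: "FIN", FIN | PSH | URG: "XMAS",
                  SYN: "SYN", ACK: "ACK"}
# No flags, bare FIN, or FIN+PSH+URG are not produced by a normal TCP
# connection; SYN and bare ACK are, so they count only across many ports.
ALWAYS_ANOMALOUS = {"NULL", "FIN", "XMAS"}

def parse_tcp_header(raw: bytes):
    """Return (src_port, dst_port, flags) from the fixed part of a TCP header."""
    if len(raw) < 20:
        raise ValueError("truncated TCP header")
    src, dst, _seq, _ack, _offset, flags = struct.unpack("!HHIIBB", raw[:14])
    return src, dst, flags & 0x3F  # keep the six classic flag bits

def ports_by_pattern(headers):
    """Map each probe pattern to the sorted destination ports it was sent to."""
    seen = defaultdict(set)
    for raw in headers:
        _src, dst, flags = parse_tcp_header(raw)
        seen[PROBE_PATTERNS.get(flags, "OTHER")].add(dst)
    return {name: sorted(ports) for name, ports in seen.items()}

def scan_indicators(headers, min_ports=3):
    """Patterns that look like a scan (min_ports is an assumed threshold)."""
    found = ports_by_pattern(headers)
    return sorted(name for name, ports in found.items()
                  if name != "OTHER"
                  and (name in ALWAYS_ANOMALOUS or len(ports) >= min_ports))

def make_header(dst_port, flags, src_port=40000):
    """Build a constructed 20-byte TCP header for the sample below."""
    return struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4,
                       flags, 1024, 0, 0)

# Constructed sample: headers from a single source address.
SAMPLE = ([make_header(p, SYN) for p in (22, 80, 443, 3389)]
          + [make_header(445, FIN | PSH | URG), make_header(8080, 0)]
          + [make_header(443, ACK | PSH), make_header(443, FIN | ACK),
             make_header(443, ACK)])

if __name__ == "__main__":
    print(ports_by_pattern(SAMPLE), scan_indicators(SAMPLE))
```

In the sample, the ordinary `ACK|PSH` and `FIN|ACK` segments fall under `OTHER`, and the single bare ACK stays below the threshold, so only the SYN sweep and the NULL and XMAS probes are reported.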
Nmap Scanning Methodology
After installing Nmap, you can start scanning by running the general network scans described below:
The Process to Run Ping Scan
Let’s start with the common Nmap function, which is the identification of active hosts on a network. This is done with a ping scan. It will detect the active IP addresses on the network, without the need for sending packets to the hosts. Nmap options are case-sensitive; the ping scan option is -sn (older Nmap releases spell it -sP). Use the below command to do so:
# nmap -sn 192.100.1.1/24
Once you run this command, you will see a list of the active hosts on the network, along with the assigned IP addresses.
The Process to Run Host Scan
Another great way to scan networks is the host scan in Nmap. It is different from a ping scan, because the host scan actively sends ARP request packets to the hosts on the network.
When you run the host scan, the hosts will respond to the packet. An ARP packet will be shown which includes the status and MAC address of the host.
Use the below command to run a host scan in Nmap:
# nmap -sn <target IP range>
Once you have run the command, it will show you information about all the hosts, including their latency, MAC address, and a short description. It is a proven way to detect any suspicious hosts that are active on your network.