
Nmap Explained — Port Scanning, Service Detection, and OS Fingerprinting

approx. 19 min read · 2026-05-17

Nmap (Network Mapper) is an open-source scanning tool for discovering hosts and services on a network. Since Gordon Lyon (handle Fyodor) released it in 1997, it has become the de-facto standard tool for penetration testing, vulnerability assessment, and network administration. Given an IP range, Nmap sends packets and infers from the response patterns "which hosts are alive", "which ports are open", "what service is running, on what version", and "what OS is it".

01

What Nmap does — four core functions #

Nmap's functionality breaks down cleanly into four parts.

  1. Host Discovery — Combines ICMP / ARP / TCP probes to enumerate which hosts in a given range are alive. -sn runs only host discovery, skipping the port scan
  2. Port Scanning — Sends probes to TCP / UDP ports and decides open / closed / filtered from the response pattern
  3. Service / Version Detection (-sV) — For ports it found open, sends probes from the built-in nmap-service-probes database and matches response strings to estimate the service name and version
  4. OS Fingerprinting (-O) — Treats TCP/IP stack implementation quirks (TCP option ordering, default TTL, Window Size, IP ID behavior) as fingerprints and probabilistically matches the nearest OS in nmap-os-db

On top of these is the NSE (Nmap Scripting Engine), where Lua scripts add vulnerability checks, brute-force attacks, additional information gathering, and other custom tasks. Categories like --script vuln let you run several scripts at once.

02

Legal and ethical considerations #

Precisely because Nmap is powerful, using it the wrong way can result in criminal charges. Japan's Unauthorised Computer Access Act and the equivalent laws in other countries don't ban port scanning outright, but scanning a network you don't have permission to scan can be interpreted as "preparation for attack" and prosecuted. Fines, prison, and a criminal record are all on the table.

▸ Acceptable targets for Nmap
  • Networks you own or operate — Your home LAN, VPSes you pay for, isolated learning labs
  • Targets where you have explicit written permission — Penetration-test contracts, vulnerability-assessment contracts, red-team exercises. The scope and time window must be in writing
  • Legitimate learning platforms — Hack The Box, TryHackMe, VulnHub, OverTheWire, and similar where the operator has authorised scanning

"I just wanted to try a quick test" is the kind of move that turns into the most expensive mistake of someone's life. There are well-known arrests and lawsuits both in Japan and abroad — curiosity alone is not a defense for scanning someone else's network.

03

History — from Phrack 51 to NSE #

1997 — Published in Phrack issue 51
Gordon Lyon (Fyodor) published "The Art of Port Scanning" in Phrack Magazine and released the first Nmap simultaneously. Scanners like strobe / netcat / queso already existed, but Nmap stood out by integrating multiple scan techniques into one tool and emitting results quickly and flexibly.
1998 — OS fingerprinting in Nmap 2.0
Implements OS detection by matching TCP/IP stack behaviour against a fingerprint database. Nmap evolves from "port scanner" into "network-asset survey tool".
2006 — NSE arrives in Nmap 4.21
An embedded Lua interpreter. Users can now write scripts for vulnerability checks, service-specific information gathering, brute force, and more — a plugin architecture that detonated the ecosystem.
Related tools
The GUI Zenmap, the netcat-successor Ncat, the port-testing / packet-crafting Nping, and the diff tool Ndiff. All sit on a shared foundation of Npcap / WinPcap (Windows) or libpcap (Unix family).
04

Host discovery #

Before running a port scan, Nmap first decides "is this host alive?" for the targets it was given (IP / CIDR / hostname). By default it sends a combination of ICMP Echo / TCP SYN to 443 / TCP ACK to 80 / ICMP Timestamp.

| Option | Behavior |
| --- | --- |
| -sn | Host discovery only, no port scan (formerly -sP, Ping Scan) |
| -Pn | Skip host discovery and treat every target as alive for the port scan (for ICMP-blocked environments) |
| -PS<port> / -PA<port> | TCP SYN / ACK to a chosen port for response (often works through FWs) |
| -PE / -PP / -PM | ICMP Echo / Timestamp / Address Mask |
| -PR | Force ARP (within a local LAN Nmap chooses ARP automatically) |

▸ On a LAN, ARP is fastest and most reliable

Inside a local LAN Nmap automatically uses ARP. It's faster and more reliable than ICMP, and still works when ICMP is filtered. -PR forces it explicitly.

05

Port-scanning techniques #

Nmap supports several scan techniques, differing by TCP flag combinations and protocol selection. Pick by trade-offs in stealth, required privilege, speed, and the question you're asking.

TCP SYN scan (-sS) — the default #

Also called the half-open scan, this is Nmap's default when run with root privileges. A SYN is sent: SYN/ACK back → open, RST → closed, no response (or ICMP Unreachable) → filtered. Because it never completes the 3-way handshake, server-side application logs typically don't record it as a connection — relatively low-profile.

It uses a raw socket internally, so root is required on Linux / macOS; on Windows it goes through Npcap.

TCP Connect scan (-sT) #

Uses the OS's connect() syscall, fully completing the 3-way handshake before tearing down with RST. Doesn't require root, so any user can run it.

The trade-offs: (1) the connection is more likely to be logged by the server application, (2) the full handshake adds overhead and slows things down. It's the fallback when SYN scan isn't available.

UDP scan (-sU) #

Sends protocol-specific payloads (DNS / SNMP / NTP …) to UDP ports and decides state from the response. UDP being connectionless makes the decision harder — a protocol-shaped response means open; ICMP Port Unreachable means closed; no response is open|filtered. It's very slow, so use it only when needed, scoped tightly.

Indispensable for finding services that exist only over UDP — DNS (53/udp), SNMP (161/udp), NTP (123/udp), TFTP (69/udp), and so on.

ACK scan (-sA) #

Sends ACK instead of SYN. It exploits the fact that stateful firewalls may mistake an ACK for "part of an existing session" and let it through. RST back → unfiltered; no response or ICMP unreachable → filtered. It doesn't tell you open vs closed — it's a specialised scan for probing firewall rule sets.

NULL / FIN / Xmas scans (-sN / -sF / -sX) #

These send a packet with no flags / FIN only / FIN+PSH+URG. RFC 793 says open ports should ignore these "invalid" combinations while closed ports should send RST. No response → open|filtered; RST → closed; ICMP Unreachable → filtered.

▸ Windows / Cisco / BSD give unreliable results

Some implementations don't follow the RFC, so NULL / FIN / Xmas scan results on them aren't trustworthy. Works well on Linux / Solaris / UNIX-family stacks. Was used as a technique to slip through older stateless firewalls.

Idle / Zombie scan (-sI) #

An advanced scan that observes a third-party (zombie) host's IP ID values to infer target port states. Your own IP never directly hits the target, so IDS / FW logs contain no trace of you.

Requirement — a zombie host with the old "globally sequential IP ID" implementation. Modern OSes don't behave that way, making suitable zombies hard to find, but it's worth knowing for CTFs / learning.

▸ How to pick a scan type
  • Default is -sS — root required, but the best balance of speed / stealth / compatibility
  • Use -sT only when no root — leaves traces, but it's the fallback when nothing else is available
  • Add -sU when UDP matters: -sS -sU runs TCP + UDP at once
  • Use -sA / -sN / -sF / -sX / -sI for specific purposes — investigating FW behavior, validating IDS rules, scanning without leaving traces
06

The six port states #

Nmap classifies into six states based on response patterns.

| State | Meaning | Typical response |
| --- | --- | --- |
| open | A service is actively listening | SYN/ACK returned |
| closed | The port is reachable but no service is listening | RST returned |
| filtered | Packets are filtered; state can't be determined | No response / ICMP Unreachable |
| unfiltered | Reachable but open vs closed is unknown | RST returned (result from ACK scan) |
| open\|filtered | Can't decide between open and filtered | No response (UDP / NULL / FIN / Xmas) |
| closed\|filtered | Can't decide between closed and filtered | Idle-scan specific |

▸ filtered is the most desirable state from the defender's perspective

It means "the host isn't gone, but the packet is being dropped by a firewall or router on the path". For the attacker filtered looks just like closed and there's nowhere to go — making it the best outcome for the defender.

07

Service / version detection (`-sV`) and OS fingerprinting (`-O`) #

Service / version detection #

After a port is decided open, -sV makes Nmap actually probe to figure out "what service, what version is this?"

1. Pick the protocol
Confirm the port is TCP or UDP.
2. Send probes
Send the priority probes for that port number from nmap-service-probes in order.
3. Match the response
Compare the returned banner / HTTP header / custom-protocol response against regular expressions.
4. Extract attributes
Service name, version, product / version / extrainfo / ostype / hostname.

--version-intensity 0..9 adjusts coverage (default 7). -A enables -sV -O --traceroute --script=default all at once.
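The probe-and-match loop above is easiest to understand by running a miniature of it. The following is an added example, not code from the page or from the Nmap project: it parses a handful of lines written in the real nmap-service-probes syntax (Probe / ports / match with p/ v/ i/ fields and $N back-references) and matches constructed banners against them. The probe database and the banners are invented for the example; the real file holds thousands of match lines and the real engine sends the probes over a socket, which this code never does.

```python
import re
from dataclasses import dataclass, field

# Constructed miniature of nmap-service-probes (same syntax, invented content).
MINI_PROBES_DB = r"""
# NULL probe: send nothing, read whatever banner the service volunteers
Probe TCP NULL q||
ports 21,22,25
match ssh m|^SSH-([\d.]+)-OpenSSH_([\w._-]+)| p/OpenSSH/ v/$2/ i/protocol $1/
match ftp m|^220 .*vsFTPd ([\d.]+)| p/vsftpd/ v/$1/
Probe TCP GetRequest q|GET / HTTP/1.0\r\n\r\n|
ports 80,443,8080
match http m|^HTTP/1\.[01] \d\d\d [^\r\n]*\r\n(?:[^\r\n]*\r\n)*?Server: nginx/([\d.]+)| p/nginx/ v/$1/
match http m|^HTTP/1\.[01] \d\d\d [^\r\n]*\r\n(?:[^\r\n]*\r\n)*?Server: Apache/([\d.]+)( \(([^)]+)\))?| p/Apache httpd/ v/$1/ i/$3/
"""

# Single-letter version fields used by the real file.
FIELD_NAMES = {"p": "product", "v": "version", "i": "extrainfo",
               "h": "hostname", "o": "ostype", "d": "devicetype"}

@dataclass
class Probe:
    proto: str
    name: str
    payload: str                      # what Nmap would send (kept escaped, never sent here)
    ports: set = field(default_factory=set)
    matches: list = field(default_factory=list)   # (service, compiled regex, fields)

_PROBE_RE = re.compile(r"^Probe\s+(TCP|UDP)\s+(\S+)\s+q(.)(.*?)\3\s*$")
_MATCH_RE = re.compile(r"^match\s+(\S+)\s+m(.)(.*?)\2([is]*)\s*(.*)$")
_FIELD_RE = re.compile(r"([pvihod])/((?:[^/\\]|\\.)*)/")

def parse_probes(text):
    """Parse Probe / ports / match lines into Probe objects, in file order."""
    probes = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("Probe "):
            m = _PROBE_RE.match(line)
            probes.append(Probe(m.group(1), m.group(2), m.group(4)))
        elif line.startswith("ports "):
            probes[-1].ports.update(int(p) for p in line[6:].split(","))
        elif line.startswith("match "):
            service, _delim, pattern, flags, info = _MATCH_RE.match(line).groups()
            reflags = (re.IGNORECASE if "i" in flags else 0) | (re.DOTALL if "s" in flags else 0)
            fields = dict(_FIELD_RE.findall(info))
            probes[-1].matches.append((service, re.compile(pattern, reflags), fields))
    return probes

def _expand(template, m):
    """Replace $1, $2 ... with regex groups; an unmatched optional group becomes ''."""
    return re.sub(r"\$(\d+)", lambda g: m.group(int(g.group(1))) or "", template)

def identify(port, responses, probes):
    """Mimic -sV: walk probes that apply to this port (NULL always applies to TCP),
    match each response against that probe's match lines, first hit wins.
    `responses` maps probe name -> banner text, standing in for live socket reads."""
    for probe in probes:
        if probe.name != "NULL" and port not in probe.ports:
            continue
        banner = responses.get(probe.name)
        if banner is None:
            continue
        for service, rx, fields in probe.matches:
            m = rx.search(banner)
            if m:
                result = {"service": service, "probe": probe.name}
                result.update({FIELD_NAMES[k]: _expand(v, m) for k, v in fields.items()})
                return result
    return {"service": "unknown", "probe": None}

PROBES = parse_probes(MINI_PROBES_DB)

if __name__ == "__main__":
    print(identify(22, {"NULL": "SSH-2.0-OpenSSH_9.6p1 Debian-5\r\n"}, PROBES))
    print(identify(80, {"NULL": "", "GetRequest": "HTTP/1.1 200 OK\r\nServer: nginx/1.24.0\r\n\r\n"}, PROBES))
```

Two things carry over from the real engine: the NULL probe is tried first because many services announce themselves unprompted, and a port that answers no match line still comes back as open, just with service `unknown`, which is exactly the case where raising --version-intensity (more, rarer probes) may help.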

OS fingerprinting (-O) #

With -O Nmap exercises the target's TCP/IP stack from multiple angles to estimate the OS.

  • TCP ISN (Initial Sequence Number) generation pattern (randomness, periodicity)
  • TCP option order and values (the ordering of MSS / SACK / Timestamp / Window Scale / NOP varies by OS)
  • TCP Window Size initial value
  • IP ID generation method (sequential / random / fixed zero)
  • ICMP message structure
  • TCP/IP edge-case behavior (responses to malformed packets)

It collects these with up to 16 different probe packets and matches the result against nmap-os-db. The output looks like "Linux 5.x (confidence 92%)" — a match score is shown.
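To make the "probabilistic nearest match" concrete, here is an added example (not code from the page or from Nmap) of weighted fingerprint scoring over a tiny, invented OS database. The test keys loosely follow Nmap's names (T = TTL, W = window size, O = TCP option string, TI = IP ID class, SP = ISN predictability) and the rule syntax borrows Nmap's `a|b` alternatives and `lo-hi` ranges, but every value, weight and OS entry here is made up; the real nmap-os-db uses hex values, far more tests, and its own scoring.

```python
# Points per test (invented). Nmap also weights tests unequally: a wrong TTL or IP ID
# behaviour costs a candidate more than a slightly different window size.
TEST_WEIGHTS = {"T": 25, "W": 15, "O": 20, "TI": 25, "SP": 15}

# Constructed mini database: (OS name, {test: rule}).
MINI_OS_DB = [
    ("Linux 5.X",  {"T": "64",  "W": "64240-65535", "O": "M5B4ST11NW7", "TI": "Z",    "SP": "248-272"}),
    ("FreeBSD 13", {"T": "64",  "W": "65535",       "O": "M5B4NW6ST11", "TI": "RI|I", "SP": "160-266"}),
    ("Windows 10", {"T": "128", "W": "8192|65535",  "O": "M5B4NW8ST11", "TI": "I",    "SP": "0-64"}),
]

def value_matches(rule, observed):
    """'a|b' means any alternative; 'lo-hi' (decimal) is an inclusive range; else exact."""
    if "|" in rule:
        return any(value_matches(alt, observed) for alt in rule.split("|"))
    if "-" in rule:
        lo, hi = rule.split("-", 1)
        if lo.isdigit() and hi.isdigit():
            try:
                return int(lo) <= int(observed) <= int(hi)
            except ValueError:
                return False
    return str(observed) == rule

def score_fingerprint(observed, db=MINI_OS_DB, weights=TEST_WEIGHTS):
    """Rank every DB entry by the share of available points it earns.
    Tests absent from `observed` (probe was filtered, no reply) are left out of the
    denominator, so a partially blocked target still gets a meaningful percentage."""
    total = sum(weights[t] for t in weights if t in observed)
    ranked = []
    for name, rules in db:
        pts = sum(weights[t] for t in weights
                  if t in observed and t in rules and value_matches(rules[t], observed[t]))
        ranked.append((name, round(100 * pts / total) if total else 0))
    ranked.sort(key=lambda entry: entry[1], reverse=True)
    return ranked

def best_guess(observed, threshold=85):
    """Report a match only above a confidence floor, otherwise None (no confident guess)."""
    name, accuracy = score_fingerprint(observed)[0]
    return (name, accuracy) if accuracy >= threshold else None

# Constructed observation of a target's stack, as the -O probes would collect it.
OBSERVED = {"T": 64, "W": 65160, "O": "M5B4ST11NW7", "TI": "Z", "SP": 261}

if __name__ == "__main__":
    for name, acc in score_fingerprint(OBSERVED):
        print(f"{name:12s} {acc:3d}%")
    print("best guess:", best_guess(OBSERVED))
```

Note what a single probe can and cannot do: TTL 64 alone is shared by Linux and the BSDs, so only the combination of option ordering, IP ID behaviour and ISN pattern separates them, which is why Nmap needs an open and a closed port to reach high accuracy.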

08

NSE (Nmap Scripting Engine) #

NSE embeds a Lua interpreter into Nmap, letting users extend functionality with scripts. Specified via --script.

| Category | Description |
| --- | --- |
| default (= -sC) | A safe, information-rich set of built-in scripts |
| discovery | Additional information gathering about hosts / services |
| version | Assists -sV |
| vuln | Known-vulnerability checks (many CVE-aware scripts) |
| exploit | Actually attempts exploitation (careful) |
| auth | Authentication-related (anonymous FTP, default credentials, etc.) |
| brute | Brute force |
| intrusive | May affect the target |
| safe | Explicitly side-effect-free scripts |
| malware | Malware-infection checks |
| dos | DoS testing |

A handful of representative scripts:

  • --script vuln — Sweep of known CVEs
  • --script http-enum — Enumerate directories on an HTTP server
  • --script smb-os-discovery — Pull OS info over SMB
  • --script ssl-enum-ciphers — Enumerate SSL/TLS cipher suites
  • --script ssh-hostkey — Fetch the SSH host key

NSE scripts live under /usr/share/nmap/scripts/ (Linux), and you can write your own.

09

Evasion and how Nmap looks from the defender's side #

Nmap has plenty of options for evading IDS / IPS / FW detection. Use them only inside the bounds of legal authorised work.

| Option | Effect |
| --- | --- |
| -T0 ~ -T5 | Timing templates. -T0 (paranoid) is extremely slow to stay under IDS thresholds. -T4 (aggressive) is the practical default |
| -D <decoy1>,<decoy2>,ME | Bury your IP among decoys |
| -f / --mtu | Fragment packets to slip past signature inspection |
| --data-length | Add padding to change packet size |
| --source-port <port> | Set the source port (DNS 53, FTP 20 — ports often allowed as exceptions through firewalls) |
| --randomize-hosts | Shuffle scan order across multiple targets |

▸ What Nmap looks like from the defender's side
  • Many port connection attempts in a short time (hundreds to thousands from one IP)
  • TCP SYN without following up with ACK (-sS) → not in application logs, but trips SYN-flood detection in stateful FWs and IDSes
  • Unusual TCP flag combinations (-sN / -sF / -sX)
  • Bursts of ICMP / ARP in a short window (host discovery)

Snort / Suricata / Zeek and similar IDSes ship with built-in Nmap signatures.
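The first two bullets above (many distinct ports in a short window, SYNs that never become connections) are the classic port-scan signature, and the logic is simple enough to write yourself. The following is an added example, not code from the page or from any IDS: a sliding-window detector over constructed Zeek-style connection records. Field names follow Zeek's conn.log JSON output (`id.orig_h`, `id.resp_p`, `conn_state`); the traffic is invented, and treating `RSTO` as what a SYN-scan hit on an open port looks like is an assumption made for the sample.

```python
from collections import defaultdict

# Constructed traffic. conn_state values are Zeek's: SF = normal completed connection,
# REJ = SYN answered by RST (closed port), S0 = SYN with no reply (filtered),
# RSTO = originator tore the connection down with RST (assumed here to be the trace a
# SYN scan leaves on an open port). 10.0.0.50 is a normal client, 10.0.0.99 the scanner.
_RAW = [
    (1000.0, "10.0.0.50", "10.0.0.1", 443, "SF"),
    (1000.5, "10.0.0.50", "10.0.0.1", 80, "SF"),
    (1003.0, "10.0.0.50", "10.0.0.2", 443, "SF"),
]
_SCAN_PORTS = [(21, "REJ"), (22, "RSTO"), (23, "REJ"), (25, "REJ"), (53, "REJ"), (80, "RSTO"),
               (110, "REJ"), (135, "S0"), (139, "S0"), (143, "REJ"), (443, "REJ"), (445, "S0")]
_RAW += [(1001.0 + i * 0.1, "10.0.0.99", "10.0.0.1", port, state)
         for i, (port, state) in enumerate(_SCAN_PORTS)]

SAMPLE_RECORDS = [
    {"ts": ts, "id.orig_h": src, "id.resp_h": dst, "id.resp_p": port,
     "proto": "tcp", "conn_state": state}
    for ts, src, dst, port, state in _RAW
]

# Handshake never completed normally: the "SYN without a following ACK" pattern.
INCOMPLETE = {"S0", "REJ", "RSTOS0", "SH"}

def detect_port_scans(records, window=60.0, min_targets=10, incomplete_ratio=0.75):
    """Flag a source that touches >= min_targets distinct (host, port) pairs within
    `window` seconds where most attempts never became a real connection.
    Returns one alert per offending source."""
    by_src = defaultdict(list)
    for r in sorted(records, key=lambda r: r["ts"]):
        by_src[r["id.orig_h"]].append(r)
    alerts = []
    for src, recs in by_src.items():
        start = 0
        for end in range(len(recs)):
            # advance the window's left edge so the span never exceeds `window` seconds
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            span = recs[start:end + 1]
            targets = {(r["id.resp_h"], r["id.resp_p"]) for r in span}
            if len(targets) < min_targets:
                continue
            ratio = sum(r["conn_state"] in INCOMPLETE for r in span) / len(span)
            if ratio >= incomplete_ratio:
                alerts.append({"src": src,
                               "first_ts": span[0]["ts"], "last_ts": span[-1]["ts"],
                               "distinct_targets": len(targets),
                               "incomplete_ratio": round(ratio, 2),
                               "hosts": sorted({r["id.resp_h"] for r in span})})
                break   # one alert per source; a SIEM would de-duplicate anyway
    return alerts

if __name__ == "__main__":
    for alert in detect_port_scans(SAMPLE_RECORDS):
        print(alert)
```

The two knobs are exactly what the timing templates attack: -T0 spreads probes so far apart that no 60-second window reaches min_targets, so a detector that keys only on rate misses slow scans, while the incomplete-handshake ratio still stands out over a longer horizon. Tune window and threshold per network, and watch for the benign sources (vulnerability scanners, monitoring) that will trip it.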

10

Practical examples — commands for learning environments #

Commands you'll commonly use inside authorised learning environments like HTB / TryHackMe.

Initial recon — knowing nothing about the host

```
$ sudo nmap -sS -sV -O -A -T4 -p- <target>
# -sS  SYN scan (default, but explicit)
# -sV  service / version detection
# -O   OS fingerprinting
# -A   bundles -sV -O --traceroute --script=default
# -T4  speed-favored timing
# -p-  all 65535 ports
```

Quick overview / vulnerability check / UDP / saving results

```
# quick overview
$ sudo nmap -sS --top-ports 1000 -T4 <target>

# specific vulnerability checks
$ sudo nmap --script vuln -p 80,443 <target>

# include UDP
$ sudo nmap -sS -sU -p T:80,443,U:53,161 <target>

# save results in XML to feed other tools (-oA writes normal/XML/grepable at once)
$ sudo nmap -sS -sV -oA scan_results <target>
# XML can be imported by Metasploit's db_import, etc.
```

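The XML that -oA / -oX writes is the form you actually work with afterwards, whether you feed it to another tool or compare two scans of the same range to see what changed (the job Ndiff does). As an added example, not code from the page or from Nmap, here is a parser for that format built on the standard library, plus a baseline-versus-current comparison. Both XML documents are constructed for the example; the element and attribute names (nmaprun, host, status, address, ports, port, state, service, os, osmatch) follow the real schema, but the hosts and services are invented.

```python
import xml.etree.ElementTree as ET

# Constructed stand-in for a current `nmap -oX` file (real schema, invented hosts).
CURRENT_XML = """<nmaprun scanner="nmap" args="nmap -sS -sU -sV -O -oX current.xml 10.0.0.0/30" version="7.94">
<host><status state="up" reason="arp-response"/>
<address addr="10.0.0.1" addrtype="ipv4"/><address addr="00:11:22:33:44:55" addrtype="mac"/>
<hostnames><hostname name="gw.lab.example" type="PTR"/></hostnames>
<ports><extraports state="closed" count="998"/>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack" reason_ttl="64"/>
<service name="ssh" product="OpenSSH" version="9.6p1" method="probed" conf="10"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack" reason_ttl="64"/>
<service name="http" product="nginx" version="1.24.0" method="probed" conf="10"/></port>
</ports>
<os><osmatch name="Linux 5.X" accuracy="92"/></os>
</host>
<host><status state="up" reason="echo-reply"/>
<address addr="10.0.0.2" addrtype="ipv4"/>
<ports>
<port protocol="udp" portid="161"><state state="open|filtered" reason="no-response"/>
<service name="snmp" method="table" conf="3"/></port>
<port protocol="tcp" portid="445"><state state="filtered" reason="no-response"/>
<service name="microsoft-ds" method="table" conf="3"/></port>
</ports>
</host>
<runstats><hosts up="2" down="2" total="4"/></runstats>
</nmaprun>
"""

# Constructed earlier scan of the same range, used as the baseline.
BASELINE_XML = """<nmaprun scanner="nmap" version="7.94">
<host><status state="up" reason="arp-response"/><address addr="10.0.0.1" addrtype="ipv4"/>
<ports><port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
<service name="ssh" product="OpenSSH" version="9.4p1" method="probed" conf="10"/></port></ports>
</host>
<host><status state="down" reason="no-response"/><address addr="10.0.0.2" addrtype="ipv4"/></host>
</nmaprun>
"""

def parse_nmap_xml(text):
    """Flatten an Nmap XML report into a list of host dicts with their port entries."""
    hosts = []
    for h in ET.fromstring(text).iter("host"):
        status, ipv4 = h.find("status"), h.find("address[@addrtype='ipv4']")
        hostname, osmatch = h.find("hostnames/hostname"), h.find("os/osmatch")
        host = {
            "ip": ipv4.get("addr") if ipv4 is not None else None,
            "state": status.get("state") if status is not None else "unknown",
            "hostname": hostname.get("name") if hostname is not None else None,
            "os": (osmatch.get("name"), int(osmatch.get("accuracy"))) if osmatch is not None else None,
            "ports": [],
        }
        for p in h.findall("ports/port"):
            st, svc = p.find("state"), p.find("service")
            host["ports"].append({
                "proto": p.get("protocol"), "port": int(p.get("portid")),
                "state": st.get("state"), "reason": st.get("reason"),
                "service": svc.get("name") if svc is not None else None,
                "product": svc.get("product") if svc is not None else None,
                "version": svc.get("version") if svc is not None else None,
                "conf": int(svc.get("conf", "0")) if svc is not None else 0,  # 3 = port table, 10 = probed
            })
        hosts.append(host)
    return hosts

def exposed_services(hosts):
    """(ip, proto, port) triples that are open or open|filtered: the reachable surface."""
    return {(h["ip"], p["proto"], p["port"])
            for h in hosts for p in h["ports"] if p["state"] in ("open", "open|filtered")}

def diff_exposure(baseline, current):
    """What appeared, what disappeared, and which exposed services changed version."""
    before, after = exposed_services(baseline), exposed_services(current)
    old_ports = {(h["ip"], p["proto"], p["port"]): p for h in baseline for p in h["ports"]}
    changed = []
    for h in current:
        for p in h["ports"]:
            key = (h["ip"], p["proto"], p["port"])
            old = old_ports.get(key)
            if key in before and old and (old["product"], old["version"]) != (p["product"], p["version"]):
                changed.append((key, f'{old["product"]} {old["version"]}', f'{p["product"]} {p["version"]}'))
    return {"new": sorted(after - before), "gone": sorted(before - after), "version_changed": changed}

if __name__ == "__main__":
    print(diff_exposure(parse_nmap_xml(BASELINE_XML), parse_nmap_xml(CURRENT_XML)))
```

Run against two real -oX files the same way; the `conf` attribute is worth keeping because a service named from the port table alone (conf 3) is a guess, whereas a probed match (conf 10) came from -sV.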
▸ The standard Nmap workflow

Don't try to do everything in a single command — layer options on as the goal sharpens. Start light, then add more detailed scans as needed — that's the rule for "getting information efficiently without disturbing the target".
