Nmap is the first tool most of us learn and the last one we stop using. The trouble is that many people memorize a single command, nmap -A, and never learn what it does or why it is often the wrong choice. Understanding how Nmap works under the hood makes you faster, quieter, and far more accurate. This is the deep dive I wish I had read early.
Host Discovery Comes First
Before scanning ports, Nmap decides which hosts are alive. On a local network it uses ARP, which is fast and reliable. Across a router it falls back to ICMP echo, timestamp probes, and TCP pings to common ports. When you already know a host is up, skip discovery entirely:
nmap -Pn 10.10.10.10
-Pn treats the target as online and goes straight to scanning. This matters when a firewall drops pings, which would otherwise make Nmap declare a live host dead and skip it.
How the Scan Types Actually Differ
The default for a privileged user is the SYN scan, -sS. It sends a SYN, watches for SYN/ACK, then tears the handshake down before it completes. It is fast and relatively quiet because the connection never fully opens.
nmap -sS -p- 10.10.10.10
Without root privileges, Nmap uses a full TCP connect scan, -sT, which completes the handshake and is louder. For UDP services, which are easy to forget and often vulnerable, use -sU. UDP scanning is slow because closed ports may simply not answer, so scope it to the ports you care about rather than scanning all of them.
Service, Version, and OS Detection
An open port is only half the story. Version detection probes the service to learn what is really listening:
nmap -sV --version-intensity 7 -p 22,80,443 10.10.10.10
This is where real findings start, because a version string like an outdated web server or SSH daemon points straight at known vulnerabilities. Add -O for OS fingerprinting when you need it, though it is less reliable through firewalls.
Tuning Speed Without Wrecking Accuracy
Timing templates from -T0 to -T5 trade stealth for speed. -T4 is a sensible default on a healthy network. For large scopes, raising the packet rate often beats the timing template:
nmap -p- --min-rate 5000 -T4 10.10.10.0/24
The pattern I use everywhere is two passes: a fast wide scan to find open ports, then a slow detailed scan against only those ports. It is dramatically faster than one heavy scan across all 65535 ports.
The Scripting Engine Is the Real Power
The Nmap Scripting Engine (NSE) turns Nmap from a port scanner into a reconnaissance platform. Scripts are grouped into categories such as default, safe, vuln, and auth.
# Safe default scripts plus version detection
nmap -sC -sV 10.10.10.10
# Hunt for known vulnerabilities on web services
nmap --script vuln -p 80,443 10.10.10.10
# Enumerate SMB shares and users
nmap --script "smb-enum-shares,smb-enum-users" -p 445 10.10.10.10
Be deliberate with categories. The vuln and intrusive scripts are noisy and can disrupt fragile services, so on a real engagement know what a script does before you run it.
Save Output You Can Actually Use
Always write results to a file, and prefer the “grepable” or all formats so you can feed them into other tools:
nmap -sCV -p- -oA scan-results 10.10.10.10
-oA writes normal, XML, and grepable output at once. The XML feeds nicely into reporting tools, and the grepable output makes it trivial to extract just the open ports for the next stage.
A Note from the Other Side
Everything above is just as useful defensively. Scanning your own ranges with Nmap is one of the cheapest ways to find the forgotten service, the shadow host, or the management port that should never have been exposed. The attacker is going to run these scans. Run them first.
Key Takeaways
- Use
-Pnwhen discovery is blocked, or you will miss live hosts. - Two pass scanning, fast then detailed, beats one heavy scan.
- Version detection is where vulnerabilities reveal themselves.
- Learn NSE categories and run intrusive scripts only when you understand them.
- Always save output with
-oAso the data flows into the next step.
Nmap rewards understanding over memorization. Learn what each flag costs and you will scan faster and find more.
// Discussion