top of page
Search

Using Nmap in Security Testing

  • Writer: Joseph Rapley
    Joseph Rapley
  • Jun 3
  • 7 min read

Nmap (short for Network Mapper) is one of the first tools I reach for during a penetration test. It gives me a quick and clear snapshot of the hosts on a network and the services they’re running. This early visibility helps shape the rest of the engagement. While automated tools like Nessus perform deeper vulnerability scans, I’m already looking over what Nmap has uncovered and planning my next move.


Below is a quick overview of how I use Nmap in practice, the common options that I would use, and how to utilise bash loops to automate scanning of multiple subnets.


Nmap Basic Background

Nmap is an open-source network discovery and security auditing tool. It’s widely used in security testing, system administration, and incident response to identify devices on a network, determine what services they’re offering, what operating systems they’re running, and more.


It works by sending crafted packets to target hosts and analysing the responses. The results help identify open ports, running services, and potential entry points into a system.


TCP 3-Way Handshake

To understand how Nmap works, it helps to first understand the TCP 3-way handshake. This is the standard process for establishing a connection between two systems over TCP:

  1. SYN – The client sends a synchronisation packet to start the conversation.

  2. SYN-ACK – The server responds with a synchronisation-acknowledgement.

  3. ACK – The client sends back an acknowledgement, and the connection is established.


This is how most reliable communication starts between two systems. Nmap takes advantage of this process to check which ports are open without always completing the handshake, this speeds things up and can go unnoticed by some systems.


How Nmap Uses SYN Scans to Operate at Speed

The default and most common scan type in Nmap is the SYN scan, also known as a "half-open scan". Instead of completing the full handshake, Nmap sends the initial SYN and waits for the SYN-ACK response. If it receives one, the port is marked as open. But instead of completing the connection, Nmap sends a RST (reset), dropping the connection before it finishes.


This is faster than a full TCP connect scan and also a bit stealthier — it’s less likely to be logged by the target system.


Required Privileges for SYN Scans

Because SYN scans rely on crafting raw packets, they need root (or administrator) privileges. On Unix-like systems, that means you’ll need to run Nmap with sudo for this type of scan to work. Without elevated privileges, Nmap will fall back to a full TCP connect scan, which is slower and more likely to be logged.


Default Nmap Scan

If you run 

nmap target.com 

without any flags, Nmap does a basic scan of the most common 1,000 TCP ports using a SYN scan (if you have the right privileges). It is equivalent to doing

nmap -T3 --top-ports 1000 -sS

It gives a quick overview, showing which ports are open and what basic service might be running on each.


This is useful as a starting point, but for proper security testing I usually add a few extra options to pull out more detail or scan more aggressively.


Common Scan Techniques

Here are some of the Nmap flags I regularly use during engagements:

-T4

This sets the timing template to “aggressive”, which speeds up the scan by reducing wait times and speeding up retries. T4 is usually a good balance between speed and reliability on a stable network.


Use with care on slower or fragile systems — it can cause issues or alert monitoring tools.


--min-rate

This sets a minimum number of packets per second. For example, --min-rate 1000 tells Nmap to send at least 1,000 packets per second. This forces the scan to move faster, which can be useful on large networks or when you’re short on time.


This flag helps control how fast the scan runs, and can be used alongside -T4 for more aggressive timing.


-vv

This increases the verbosity level. You’ll get more real-time updates as Nmap runs, which is useful for seeing progress and understanding what’s happening under the hood.

I often run with -vv just so I can keep an eye on what Nmap is doing, especially during long scans. If you want to change the verbosity of the Nmap output while the scan is running you can press v to increase, and V to decrease.


-sV

This enables version detection, allowing Nmap to probe open ports to determine what service is running and which version. For example, instead of just showing "http" on port 80, it might reveal "Apache httpd 2.4.41". This is useful for identifying outdated software or specific versions known to have vulnerabilities.


It adds time to the scan but gives essential context during vulnerability analysis.


-Pn

By default, Nmap pings targets before scanning to check if they’re “up”. The -Pn flag tells Nmap to skip host discovery and treat all targets as online. This is essential when scanning networks that block ICMP (ping) or use firewalls that drop ping replies. It ensures you don't miss live hosts just because they don't respond to pings.


Use with caution as scanning large networks with -Pn can take longer since Nmap will try to scan all hosts specified.


-n

This disables DNS resolution. Normally, Nmap will try to resolve hostnames for IPs, which can slow things down — especially if DNS is misconfigured or slow to respond. The -n flag tells Nmap to skip reverse DNS lookups, speeding up the scan.


I often use -n during early recon when I only care about IPs and not hostnames.


-O

The -O flag enables operating system detection. Nmap uses TCP/IP fingerprinting to guess the target system’s OS. It compares how the host responds to various probes and matches the result against a database of known operating system fingerprints.


It’s not always 100% accurate, but it often gives a good idea — especially useful when targeting legacy systems or identifying out-of-date devices.


This option usually needs root privileges, just like -sS.


-sC

This flag tells Nmap to run a selection of default NSE (Nmap Scripting Engine) scripts. These scripts check for common vulnerabilities, misconfigurations, and useful info like SSL certificate details or HTTP headers.

Think of -sC as a lightweight vulnerability check — it doesn’t go as deep as a tool like Nessus, but it can still uncover issues like open SMB shares, exposed databases, or weak SSH settings.


-A

This flag is a good one to use when scanning single hosts, but I all too often see it being used without proper understanding of what it does. The -A flag enables OS detection (-O), version detection (-sV), script scanning (-sC), and traceroute all in one. It pulls in a lot of detail, which is great, but it also slows down the scan. I tend to use -A when I’ve narrowed things down to a few hosts and want deeper insight.


On large networks, it’s often best to scan broadly first, then run -A selectively on interesting targets.


-oA <filename>

This tells Nmap to save the output in multiple formats: normal, XML, and grepable. For example: -oA network-scan creates three files: network-scan.nmap, network-scan.xml, and network-scan.gnmap.


.nmap is the same output that you see on the screen, just dumped to a text file.


.xml is in a structured format which can be used to import scan information in to other applications. It can also be used by Nmap to resume an interrupted scan using the --resume flag


.gnmap is in a format that makes the data easily grepable and also able to be run through other commands such as cut, sort, etc. I use this heavily during internal engagements to created curated lists of IP addresses based on their open ports.


This is helpful for later analysis, reporting, or parsing with scripts and other tools.


Utilising Bash For-Loops to Perform Multiple Nmap Scans

When dealing with a list of subnets or targets, it’s handy to automate your scans with a bash loop. During internal engagements we're often given a list of various subnets that are in scope for review. Such as:

192.168.10.0/24
192.168.15.0/24
192.168.20.0/24

You can use the -iL flag in Nmap to import a list of targets from a file. This works well, and the targets in the file can be in multiple forms such as:

192.168.10.0/24
192.168.20.1
dc01.example.com

Use Nmap like below to scan targets from this file

nmap -iL targets.txt

Nmap will include all hosts in the subnet, the single IP address, and the hostname as targets of a single scan.


Where for loops come in handy is when you have a requirement to scan multiple subnets and want to separate information and separate the scan tasks. If Nmap freezes or gets stuck (as it sometimes likes to do), then using for loops means you don't need to worry about losing hours of scan results. When using for loops to iterate through a target file, Nmap will perform a scan on the first target, and once complete will start a new scan on the next target, rather than including all targets in a single scan.


The following for loop is excellent for performing quick reconnaissance of multiple subnets and outputting scan data to a different set of output files for each subnet.

for network in $(cat targets.txt); do nmap -T4 -oA $network/24 -sV -vv -n $network; done

You can expand on this by changing the Nmap flags or adding logic to handle errors, slow hosts, or different types of scans.


A limitation of using for loops in this fashion is that if you have a subnet in CIDR notation e.g. 10.10.10.0/24, when Nmap attempts to create the output file it will read the network address as a folder, due to the forward slash being present. You can see that I use the $network variable for both the target, and the output file name, and that I specify the netmask in CIDR notation format in the Nmap command. If the subnets you are scanning have different netmasks, this will not work.


This approach saves a lot of time, especially on large assessments where targets are spread across many networks.


Final Thoughts

Nmap is far more than just a port scanner, it’s a key part of the early discovery phase in any security engagement. It gives a fast, accurate picture of what’s on the network, helping you prioritise your time and focus.


While tools like Nessus and OpenVAS dig deep and take time, Nmap lets you act fast and smart. Used well, it can save hours of manual effort, highlight unusual configurations, and set the foundation for a well-executed penetration test.


If you also want some tips on how Nmap can benefit network troubleshooting, check out our post at https://www.cyberoptic.co.nz/post/how-to-use-nmap-for-network-troubleshooting-a-guide-for-it-support-consultants

 
 
bottom of page