Module 1 · Nmap — Network Discovery and Port Scanning

Manish Garg · Associate of (ISC)² · RingSafe
Apr 19, 2026
4 min read

Last updated: April 29, 2026


Nmap is the first tool every security practitioner reaches for. Pen-tester? You’re using nmap. Defender auditing your attack surface? Nmap. Discovered a new subnet you need to profile? Nmap. This module takes you from “I’ve typed nmap once” to “I can scan intelligently, interpret results, and avoid triggering every IDS in the building.”

What nmap actually does

Nmap (Network Mapper) is a network discovery and security auditing tool. At its core it answers three questions:

  • What hosts are alive on this network?
  • What services are those hosts exposing?
  • What versions / OS are they running?

Everything else (scripting, traceroute, OS fingerprinting, vulnerability checks) builds on these three.

Your first scan

# Discover live hosts on your LAN (no port scan)
nmap -sn 192.168.1.0/24

# Scan top 1000 TCP ports on a host
nmap 192.168.1.10

# Full TCP port range + service detection + default scripts
nmap -sV -sC -p- 192.168.1.10

# Fast scan (only top 100 ports)
nmap -F 192.168.1.10

# UDP scan (slower, but catches services like DNS/SNMP/NTP)
nmap -sU -p 53,123,161 192.168.1.10

Essential scan types

Flag   Purpose
-sS    TCP SYN scan (the default when run as root). Half-open: nmap sends a SYN and answers the SYN/ACK with a RST, so the handshake never completes and the target application never sees a connection. Fast, but any IDS spots it trivially
-sT    TCP connect scan (the default without root). Full three-way handshake through the OS socket API, so the target application logs a connection; noisier, no privileges needed
-sU    UDP scan. Slow, because closed ports are inferred from ICMP port-unreachable replies that most stacks rate-limit, but it is the only way to find DNS, SNMP, NTP, DHCP and similar services
-sn    Ping sweep: host discovery only, no port scan
-sV    Version detection: sends probes and matches the responses against nmap-service-probes to identify the software and its version
-O     OS fingerprinting from TCP/IP stack behaviour (needs root)
-sC    Run the default NSE script set (same as --script default)
-A     Aggressive: equivalent to -sV -O -sC --traceroute
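As an added illustration of what the -sT and -sV rows mean in practice (my code, not nmap's): a connect scan and banner grab in Python, run against two fake services started on 127.0.0.1 so it works offline. The banners and the two match patterns are constructed stand-ins; the real nmap-service-probes file has thousands of match lines and also sends probes when a service stays silent, which this example does not do.

```python
import re
import socket
import threading

# Constructed stand-ins for real services (assumption: we may bind ephemeral
# ports on 127.0.0.1). Each one sends the banner that nmap -sV would read.
BANNERS = {
    "ssh": b"SSH-2.0-OpenSSH_9.6\r\n",
    "smtp": b"220 mail.example.test ESMTP Postfix\r\n",
}

# A two-line stand-in for the "match" lines in nmap-service-probes
# (assumption: these two patterns only need to cover the banners above).
MATCH_LINES = [
    ("ssh", re.compile(r"^SSH-(\d\.\d)-(\S+)")),
    ("smtp", re.compile(r"^220 (\S+) ESMTP (\S+)")),
]


def start_fake_service(banner: bytes) -> int:
    """Listen on an ephemeral 127.0.0.1 port and return the port number."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:
                    pass  # scanner hung up without reading, which is what -sT does

    threading.Thread(target=serve, daemon=True).start()
    return port


def connect_scan(host: str, ports, timeout: float = 1.0) -> dict:
    """What -sT does: a full three-way handshake per port through the OS
    socket API. Returns {port: "open" | "closed" | "filtered"}."""
    results = {}
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            results[port] = "open"      # SYN/ACK came back and we ACKed: the app saw a connection
        except ConnectionRefusedError:
            results[port] = "closed"    # RST came back: nothing listening
        except OSError:
            results[port] = "filtered"  # timeout or unreachable: something dropped the probe
        finally:
            s.close()
    return results


def grab_banner(host: str, port: int, timeout: float = 1.0) -> str:
    """First thing -sV tries: connect, send nothing, read what the service volunteers."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            return s.recv(256).decode("ascii", "replace").strip()
        except OSError:
            return ""


def guess_service(banner: str) -> tuple:
    """Match a banner the way -sV matches probe responses: first pattern wins,
    last capture group is the product/version string."""
    for name, pattern in MATCH_LINES:
        m = pattern.match(banner)
        if m:
            return name, m.group(m.lastindex)
    return "unknown", ""


def scan_demo() -> dict:
    """Connect scan plus banner grab against the fake services.
    Returns {port: (state, service, product)}."""
    targets = [start_fake_service(BANNERS["ssh"]), start_fake_service(BANNERS["smtp"])]
    # A port known to be closed: bind to learn a free number, then release it.
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()
    report = {}
    for port, state in connect_scan("127.0.0.1", targets + [closed_port]).items():
        if state == "open":
            report[port] = (state,) + guess_service(grab_banner("127.0.0.1", port))
        else:
            report[port] = (state, "", "")
    return report


if __name__ == "__main__":
    for port, (state, service, product) in sorted(scan_demo().items()):
        print(f"{port}/tcp {state:8} {service:8} {product}")
```

The point to take from running it: every "open" result here shows up as an accepted connection on the server side, which is exactly why -sT appears in application logs and -sS (which never sends the final ACK) does not.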

Port specification

# Specific ports
nmap -p 22,80,443 target

# Port range
nmap -p 1-1000 target

# All ports (1-65535)
nmap -p- target

# Top N ports
nmap --top-ports 100 target

# UDP + TCP on same run
nmap -sS -sU -p T:80,443,U:53,161 target

Full port range (-p-) is essential on any serious audit. The default top-1000 list is built from frequency data for the whole internet, so an internal audit that stops there misses real services: pentests regularly find management UIs and datastores on ports such as 8443, 9200 (Elasticsearch), 6379 (Redis), 11211 (memcached) and 27017 (MongoDB). Budget time for it: 65,535 ports with -sS at -T4 is a few minutes per host on a LAN, and far longer when a firewall silently drops probes.
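To make the -p syntax concrete, here is an added example (not from the page or from nmap) that expands a port specification into (protocol, port) pairs and compresses a port set back into the same syntax for a follow-up scan. It assumes only the T: and U: qualifiers and deliberately rejects port 0.

```python
import re

MAX_PORT = 65535


def parse_port_spec(spec: str, default_proto: str = "T") -> set:
    """Expand an nmap -p argument into a set of (protocol, port) tuples.

    Covers '22,80,443', '1-1000', '-' (every port), open-ended ranges such as
    '1024-' and '-100', and protocol-qualified lists like 'T:80,443,U:53,161'.
    As in nmap, a T:/U: qualifier applies to every item after it until the
    next qualifier. Port 0 (-p0) is not accepted here (assumption).
    """
    ports = set()
    proto = default_proto
    for item in spec.split(","):
        item = item.strip()
        if ":" in item:
            qual, item = item.split(":", 1)
            if qual not in ("T", "U"):
                raise ValueError(f"unsupported qualifier {qual!r} (only T: and U: handled)")
            proto = qual
        if item == "" or not re.fullmatch(r"\d*-?\d*", item):
            raise ValueError(f"bad port item {item!r}")
        if "-" in item:
            lo, hi = item.split("-", 1)
            lo = int(lo) if lo else 1
            hi = int(hi) if hi else MAX_PORT
        else:
            lo = hi = int(item)
        if not 1 <= lo <= hi <= MAX_PORT:
            raise ValueError(f"range {item!r} out of order or outside 1-{MAX_PORT}")
        ports.update((proto, p) for p in range(lo, hi + 1))
    return ports


def by_protocol(ports) -> dict:
    """Group a parsed spec as {'T': sorted tcp ports, 'U': sorted udp ports}."""
    out = {}
    for proto, port in ports:
        out.setdefault(proto, []).append(port)
    return {proto: sorted(v) for proto, v in out.items()}


def compress_ports(ports) -> str:
    """Inverse direction: turn port numbers back into nmap's comma/range syntax,
    e.g. {80, 443, 8000, 8001, 8002} -> '80,443,8000-8002', ready for a -p."""
    nums = sorted(set(ports))
    parts = []
    i = 0
    while i < len(nums):
        j = i
        while j + 1 < len(nums) and nums[j + 1] == nums[j] + 1:
            j += 1
        parts.append(str(nums[i]) if i == j else f"{nums[i]}-{nums[j]}")
        i = j + 1
    return ",".join(parts)


if __name__ == "__main__":
    parsed = parse_port_spec("T:80,443,U:53,161")
    print(by_protocol(parsed))
    print(compress_ports(p for _, p in parsed))
```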

NSE — Nmap Scripting Engine

NSE scripts extend nmap into light vulnerability detection, brute-forcing, and information gathering. Scripts live in categories: auth, broadcast, brute, default, discovery, dos, exploit, external, fuzzer, intrusive, malware, safe, version, vuln.

# Run the default script set (chosen to be quick and mostly non-intrusive)
nmap -sC target

# Run vulnerability scripts (the vuln category includes intrusive checks; get approval before pointing it at production)
nmap --script vuln target

# Run a specific script
nmap --script http-enum -p 80,443 target

# Brute-force SSH credentials (intrusive!)
nmap --script ssh-brute -p 22 target

# Enumerate SMB shares + users
nmap --script smb-enum-shares,smb-enum-users -p 445 target

# Check for TLS vulnerabilities
nmap --script ssl-enum-ciphers,ssl-poodle,ssl-heartbleed -p 443 target

Timing and stealth

Nmap’s -T flags set timing templates from paranoid to insane:

  • -T0 Paranoid — 5 min between probes. For evading IDS
  • -T1 Sneaky — 15 sec
  • -T2 Polite — 0.4 sec
  • -T3 Normal — default
  • -T4 Aggressive — faster, common on reliable LANs
  • -T5 Insane — fastest, accuracy suffers

For evasion there are also --data-length (pad probes so they no longer match empty-payload signatures), --randomize-hosts (scan targets in random order instead of walking the subnet), --spoof-mac (only meaningful on the local segment, since the MAC never leaves it), -D (add decoy source addresses so your real one is one of many) and -f (split probes into small IP fragments, which some sensors do not reassemble). None of these defeats a modern IDS or a SIEM correlating connection logs; they buy a little against simple signature matching, and they cost time and accuracy. -T0 and -T1 are rarely practical beyond a handful of ports: at 5 minutes per probe a full-range scan of one host takes months.

Output formats

# Save in all formats: text, XML, grepable
nmap -sV -oA scan-results target

# Convert the XML to an HTML report (nmap.xsl ships with nmap; give its full path if it is not in the current directory)
nmap -sV -oX - target | xsltproc nmap.xsl - > report.html

Always save XML output: it is what reporting tools, Metasploit's db_import and most downstream analysis scripts consume. -oA writes all three files (.nmap, .xml, .gnmap) from one run, so there is no reason not to.

Common pentest patterns

  • Initial reconnaissance: nmap -sV -sC -p- -T4 -oA init target-range
  • UDP discovery: nmap -sU --top-ports 50 -T4 target
  • Vulnerability pass: nmap --script vuln -p 80,443,8080,8443 target
  • SMB/AD enumeration: nmap --script smb-os-discovery,smb-enum-shares,smb-enum-users -p 445 target
  • Web discovery: nmap --script http-title,http-headers,http-robots.txt,http-enum -p 80,443 target

Quick reference summary

  • Nmap does host discovery, port scanning, service/version detection, OS fingerprinting, scripting
  • Default scan: top 1000 TCP ports with no version detection or scripts; add -sV -sC for detail and -p- for a full audit
  • Time your scans: -T4 for LANs, -T2/T1 when IDS is in play
  • Always include UDP (-sU) on critical hosts — DNS/SNMP/NTP often miss in pure TCP scans
  • NSE scripts: -sC for the default set, --script vuln for checks against known CVEs (includes intrusive scripts; get approval first)
  • Output: -oA saves all formats; XML is most useful downstream
  • Legal: only scan networks you own or have written authorisation for

Real-World Case Study: WannaCry & the Nmap-shaped attack

The story. 12 May 2017. Within 24 hours, WannaCry ransomware infected 230,000 systems across 150 countries — UK National Health Service, Telefónica, FedEx, Renault, Russian Railways, Indian state police networks. Total damages estimated at $4 billion. The malware self-propagated using SMBv1 (MS17-010, “EternalBlue”) — a vulnerability for which Microsoft had released a patch two months earlier.

The technical chain — and where Nmap fits in.

  1. Initial infection — phishing or direct internet exposure of port 445.
  2. SMB scanning — the worm generated targets on its local subnet and random internet addresses and looked for hosts listening on TCP 445. That is the same discovery step as nmap -p 445 --open 192.168.0.0/16.
  3. Vulnerability check — for each responding host, the worm sent the SMBv1 requests that reveal the MS17-010 condition. Same logic as nmap --script smb-vuln-ms17-010.
  4. Exploit + propagate — vulnerable host gets infected, repeats step 2 from a new vantage point.

The defender’s question. If WannaCry could find every SMB-listening, unpatched Windows host on your network within minutes of landing, could you?

The right Nmap commands to be running monthly.

# Find every SMB-exposed host (scope the range to what you own; 10.0.0.0/8 is 16 million addresses)
nmap -p 445 --open -oG smb-exposed.gnmap 10.0.0.0/8

# -iL expects one host per line, not grepable output, so pull the IPs out first
grep '445/open' smb-exposed.gnmap | awk '{print $2}' > smb-hosts.txt

# Test each for MS17-010 (EternalBlue)
nmap -p 445 --script smb-vuln-ms17-010 -iL smb-hosts.txt

# Find every host still offering SMBv1 (should be zero in 2026); keep the host line next to each hit
nmap -p 445 --script smb-protocols -iL smb-hosts.txt | grep -E 'Nmap scan report|SMBv1'

The takeaway. WannaCry did nothing an attacker could not do by hand: its discovery and vulnerability-check logic is what the two nmap commands above do, with a self-propagating payload bolted on. Defenders who nmap their own networks first set the floor for what attackers can find. Run external and internal nmap scans monthly, save the XML, diff it against last month's, and investigate every new exposure.
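Both the advice to keep XML output and the case study's "diff against last month" step come down to the same small parser. This added example (mine, not the page's or nmap's) reads two constructed -oX documents with Python's standard library, lists open ports per host, reports what appeared and what disappeared between runs, and flags hosts whose smb-protocols host script reported the SMBv1 dialect. The XML is trimmed and the addresses invented; the element layout (host/status/address/ports/port/state, hostscript/script) is the real nmap one.

```python
import xml.etree.ElementTree as ET

# Constructed -oX output for two monthly runs of the same scan, trimmed to the
# elements used below (real files carry more attributes, same structure).
# Assumed scan: nmap -p 445,3389 --script smb-protocols -oX <file> 10.0.0.0/24
LAST_MONTH = """<nmaprun scanner="nmap" args="nmap -p 445,3389 --script smb-protocols -oX last.xml 10.0.0.0/24">
  <host><status state="up"/><address addr="10.0.0.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="3389"><state state="closed"/></port>
    </ports>
    <hostscript><script id="smb-protocols" output="&#10;  dialects: &#10;    2:0:2&#10;    2:1:0&#10;    3:1:1"/></hostscript>
  </host>
  <host><status state="up"/><address addr="10.0.0.7" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port></ports>
    <hostscript><script id="smb-protocols" output="&#10;  dialects: &#10;    NT LM 0.12 (SMBv1) [dangerous, but default]&#10;    2:0:2"/></hostscript>
  </host>
  <host><status state="up"/><address addr="10.0.0.12" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port></ports>
  </host>
</nmaprun>"""

THIS_MONTH = """<nmaprun scanner="nmap" args="nmap -p 445,3389 --script smb-protocols -oX this.xml 10.0.0.0/24">
  <host><status state="up"/><address addr="10.0.0.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
    </ports>
    <hostscript><script id="smb-protocols" output="&#10;  dialects: &#10;    2:0:2&#10;    2:1:0&#10;    3:1:1"/></hostscript>
  </host>
  <host><status state="up"/><address addr="10.0.0.7" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port></ports>
    <hostscript><script id="smb-protocols" output="&#10;  dialects: &#10;    2:0:2&#10;    3:1:1"/></hostscript>
  </host>
  <host><status state="up"/><address addr="10.0.0.9" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port></ports>
    <hostscript><script id="smb-protocols" output="&#10;  dialects: &#10;    NT LM 0.12 (SMBv1) [dangerous, but default]&#10;    2:0:2"/></hostscript>
  </host>
  <host><status state="down" reason="no-response"/><address addr="10.0.0.12" addrtype="ipv4"/></host>
</nmaprun>"""


def open_ports(xml_text: str) -> dict:
    """Return {ip: {(proto, port), ...}} for every up host that has open ports."""
    result = {}
    for host in ET.fromstring(xml_text).iter("host"):
        if host.find("status").get("state") != "up":
            continue  # a host that is down this month still counts as a disappearance below
        addr = host.find("address[@addrtype='ipv4']").get("addr")
        opened = {(p.get("protocol"), int(p.get("portid")))
                  for p in host.iter("port") if p.find("state").get("state") == "open"}
        if opened:
            result[addr] = opened
    return result


def smbv1_hosts(xml_text: str) -> list:
    """IPs whose smb-protocols host script listed the SMBv1 dialect."""
    hits = []
    for host in ET.fromstring(xml_text).iter("host"):
        for script in host.iter("script"):
            if script.get("id") == "smb-protocols" and "SMBv1" in script.get("output", ""):
                hits.append(host.find("address[@addrtype='ipv4']").get("addr"))
    return hits


def diff_scans(old_xml: str, new_xml: str) -> tuple:
    """(added, gone): ports open now that were not before, and ports that were
    open before but are not now. A brand-new host contributes all its ports."""
    old, new = open_ports(old_xml), open_ports(new_xml)
    added = {ip: ports - old.get(ip, set()) for ip, ports in new.items() if ports - old.get(ip, set())}
    gone = {ip: ports - new.get(ip, set()) for ip, ports in old.items() if ports - new.get(ip, set())}
    return added, gone


if __name__ == "__main__":
    added, gone = diff_scans(LAST_MONTH, THIS_MONTH)
    print("new exposures:", added)
    print("no longer open:", gone)
    print("SMBv1 still enabled:", smbv1_hosts(THIS_MONTH))
```

A disappeared port is as worth a look as a new one: 10.0.0.12 going dark may be a decommissioned box, or a host that simply did not answer this run and will be back next month with the same exposure.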
