The de facto network discovery and port scanner — still the foundation of every external recon engagement in 2026.
Installation
Pick the install method that matches your stack. The Docker option is the cleanest for one-off scans where you don’t want to pollute your workstation.
Linux (apt)
sudo apt install nmap
macOS (brew)
brew install nmap
Docker
docker run --rm -it instrumentisto/nmap target.com
Core commands
The handful of invocations you’ll actually run on 90% of engagements:
Quick top-1000 ports
nmap -T4 -F target.com
All TCP ports + version detect
nmap -p- -sV -T4 --min-rate 1000 target.com
UDP top-100 (slower)
sudo nmap -sU --top-ports 100 -T4 target.com
Vuln scripts (NSE)
nmap --script vuln,vulners -p- target.com
OS + version + scripts + traceroute
sudo nmap -A -T4 target.com
Output to all formats
nmap -oA scan_output -sV target.com
Performance optimisation
What separates a junior who runs the default invocation from a practitioner who knows the knobs:
- Timing template:
-T4is the sweet spot for 99% of internet scans.-T0through-T2are for IDS-evasion (and brutally slow).-T5drops too many packets on flaky networks. --min-rate 1000 --max-rate 5000bounds packet rate explicitly — better than-T*alone for predictable timing.--min-parallelism 100on /16 sweeps cuts wall-clock time 5×.-nskips reverse DNS — saves 40-50% on large CIDR scans where DNS is the bottleneck.- For internet-scale (>/16), Masscan first to find live hosts, then Nmap
-sVonly on the hits — ~100× faster overall. - Use
--privileged+ sudo for SYN scan (-sS) instead of full TCP connect (-sT) — half the packets per port.
Common pitfalls
Real failure modes that bite people on engagements. Most are recoverable; a few are reputation-damaging.
- Default scan is top-1000 TCP only. Always add
-p-when you can afford the time, or you miss services on 8080, 8443, 5985, 27017. --script vulnsends real exploitation probes — not for production environments without explicit scope clearance.-Pn(skip host discovery) is mandatory behind some Cloudflare/AWS WAFs that drop ICMP.- NSE script database staleness:
nmap --script-updatedbafter every install.
Modern alternatives in 2026
The ecosystem moves fast. These are tools you should at least be aware of:
- Masscan — 10M packets/sec for first-pass discovery. Less accurate but vastly faster.
- Naabu (ProjectDiscovery) — Go-based, JSON output, pipes cleanly into nuclei/httpx.
- RustScan — wraps Nmap with parallel discovery; nice for adaptive scans.
India context and engagement notes
Nmap is the lowest-common-denominator tool every CERT-In empanelled VAPT report references. Indian regulators (RBI ITS, SEBI CSCRF) expect to see Nmap output as evidence of port-level testing. Even when you use faster modern tools, finalise with an Nmap pass for auditor-friendly XML.
⚖️ Legal: Use only on systems you own or have explicit written authorisation to test. In India, unauthorised access is punishable under Section 66 of the IT Act, 2000 (up to 3 years imprisonment + fine). Pair every engagement with a signed Statement of Work or Rules of Engagement before running anything from this page.
Custom team training + practitioner advisory
Beyond the free academy — we run private workshops, vCISO advisory, and red-team exercises tailored to your stack. For Indian SMBs scaling past their first hire.