Nmap for Sysadmins: Network Scanning and Security Audit Guide (2026)
Nmap (Network Mapper) has been the essential network discovery and security auditing tool for over 25 years. It ships with 600+ NSE (Nmap Scripting Engine) scripts that turn it from a simple port scanner into a full vulnerability assessment platform. This guide moves beyond the basics and focuses on the commands that actually matter for day-to-day sysadmin and security work.
Legal reminder: Only scan networks and systems you own or have explicit written permission to test. Unauthorized scanning is illegal in most jurisdictions and violates the terms of service of cloud providers.
What Nmap does
Nmap performs four main scanning functions plus a scripting engine, and understanding them helps you choose the right flags:
- Host discovery: Which IPs on a subnet are alive?
- Port scanning: Which TCP/UDP ports are open on a host?
- Service and version detection: What software is listening on each port, and which version?
- OS detection: What operating system is running on the target?
- Scripting engine (NSE): Run Lua scripts to perform targeted checks — from banner grabbing to CVE detection.
Install Nmap
# Debian/Ubuntu
sudo apt install nmap
# RHEL/Fedora/CentOS
sudo dnf install nmap
# macOS
brew install nmap
# Windows: download the installer from https://nmap.org/download.html
# The Windows installer includes Npcap, the required packet capture driver
Check your version after installing:
nmap --version
# Nmap 7.95 ( https://nmap.org )
Basic scans: the building blocks
Ping sweep — discover live hosts
Before scanning ports, find out which hosts are up:
sudo nmap -sn 192.168.1.0/24
-sn means "no port scan" — just host discovery. Against remote targets (when run as root) Nmap sends an ICMP echo request, a TCP SYN to port 443, a TCP ACK to port 80, and an ICMP timestamp request; any response means the host is alive. On a directly connected Ethernet segment it uses ARP requests instead, which is why a local sweep is fast and also finds hosts that drop ICMP.
Sample output:
Nmap scan report for 192.168.1.1
Host is up (0.0012s latency).
Nmap scan report for 192.168.1.10
Host is up (0.0045s latency).
Nmap scan report for 192.168.1.25
Host is up (0.0089s latency).
Nmap done: 256 IP addresses (3 hosts up) scanned in 3.21 seconds
SYN scan — the default stealth scan
sudo nmap -sS 192.168.1.10
SYN scan (also called "half-open" scan) sends a SYN packet and waits for SYN-ACK (open) or RST (closed). It never completes the TCP handshake, so the connection does not appear in application logs. This is the default when running as root.
Requires root/Administrator because it constructs raw packets directly. Without those privileges Nmap falls back to a TCP connect scan (-sT), which completes the handshake and therefore does show up in application logs.
Service version detection
sudo nmap -sV 192.168.1.10
With -sV, Nmap probes each open port with protocol-specific payloads to determine the service and version:
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.6p1 Ubuntu 6ubuntu0.4
80/tcp open http nginx 1.24.0
443/tcp open ssl/http nginx 1.24.0
3306/tcp open mysql MySQL 8.0.37
This is how you discover that a server is running a vulnerable version of OpenSSH or an outdated MySQL. Compare the banner against your distribution's advisories rather than the upstream version alone: a suffix like 6ubuntu0.4 above marks a distro package that may carry backported security fixes even though the upstream version number looks old.
OS detection
sudo nmap -O 192.168.1.10
Nmap analyzes TCP/IP stack fingerprints (TTL, window size, TCP options order) to guess the operating system:
OS details: Linux 5.15 - 6.1
OS detection requires at least one open and one closed port to work reliably, and it requires root privileges. Results are probabilistic — treat them as educated guesses, not facts.
Port specification
Nmap gives you fine control over which ports to scan:
# Specific ports
nmap -p 22,80,443 target
# Port range
nmap -p 1-1000 target
# All 65535 ports (slow but thorough)
nmap -p- target
# Top N most common ports (fast reconnaissance)
nmap --top-ports 100 target
# Combine service detection with specific ports
sudo nmap -sV -p 22,80,443,8080,8443,3306,5432,6379 target
The --top-ports flag uses Nmap's built-in frequency database to pick the ports most commonly found open in the real world. --top-ports 100 catches the vast majority of services without scanning all 65535 ports.
Timing templates: speed vs stealth
Nmap has six timing templates, from -T0 (slowest) to -T5 (fastest):
| Template | Name | Use case |
|---|---|---|
| -T0 | Paranoid | IDS evasion — one probe every 5 minutes |
| -T1 | Sneaky | Slow IDS evasion — one probe every 15 seconds |
| -T2 | Polite | Avoids bandwidth saturation |
| -T3 | Normal | Default, balanced |
| -T4 | Aggressive | Fast scans on reliable networks |
| -T5 | Insane | Maximum speed, drops reliability |
For everyday sysadmin use, -T4 is the right choice. It is significantly faster than the default without sacrificing reliability on a modern LAN.
sudo nmap -sV -T4 192.168.1.0/24
For authorized external penetration tests where you want to reduce IDS alerts, start with -T2 and increase from there.
Output formats
Always save your scan results. Nmap supports four output formats:
# Human-readable text
nmap -oN scan_results.txt target
# XML (machine-parseable, used by tools like Metasploit and Greenbone)
nmap -oX scan_results.xml target
# Grepable format (one host per line)
nmap -oG scan_results.gnmap target
# All three formats simultaneously (recommended for important scans)
nmap -oA scan_basename target
# Creates: scan_basename.nmap, scan_basename.xml, scan_basename.gnmap
Using -oA is a good habit. You can grep the .gnmap file for quick answers, parse the .xml for automation, and read the .nmap for the human report.
# Find all hosts with port 22 open from a grepable scan
# ([ ,]22/open/ anchors the port number so 122/open or 2222/open do not match)
grep '[ ,]22/open/' scan_basename.gnmap | awk '{print $2}'
NSE Scripts: the real power
The Nmap Scripting Engine (NSE) is what separates Nmap from simple port scanners. Scripts are written in Lua, ship with Nmap, and are located in /usr/share/nmap/scripts/ on Linux.
Run the default safe scripts
sudo nmap -sC target
# Equivalent to: sudo nmap --script default target
Default scripts include SSH host key fingerprinting, HTTP title grabbing, SSL certificate details, and dozens of other safe, informational checks.
Vulnerability scan
sudo nmap --script vuln target
This runs all scripts tagged vuln — checks for known CVEs, misconfigurations, and exploitable services. It is more aggressive and should only be run against systems you own.
Example findings from --script vuln:
| vuln:
| CVE-2021-41773:
| State: VULNERABLE
| Apache HTTP Server 2.4.49 path traversal and RCE
| VULNERABLE:
| Apache mod_cgi Remote Code Execution (CVE-2021-42013)
TLS cipher audit
sudo nmap --script ssl-enum-ciphers -p 443 target
Lists every TLS cipher suite the server accepts, along with a grade (A/B/C/F) for each:
| TLSv1.2:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - A
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - A
| TLS_RSA_WITH_3DES_EDE_CBC_SHA - C ← weak, should be disabled
| compressors:
| NULL
| TLSv1.1: No cipher
| TLSv1.0: No cipher
This is the fastest way to audit a web server's TLS configuration without installing additional tools.
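As an added example (not part of the original guide), the shell function below reads a saved -oN report from ssl-enum-ciphers, constructed inline here for two hosts in the layout the script prints, and lists every cipher suite graded worse than a letter you choose, so one file from a fleet-wide run turns into a short remediation list. It assumes only POSIX sh and awk.

```shell
#!/bin/sh
# Added example, not from the original guide: flag cipher suites in a saved
# ssl-enum-ciphers report (-oN output) whose grade is worse than "ok".
# Assumes POSIX sh and awk only.

weak_ciphers() {   # $1 = -oN file, $2 = worst acceptable grade (default B)
  awk -v ok="${2:-B}" '
    /^Nmap scan report for / { host = $5 }                 # IP or hostname printed by Nmap
    /^[0-9]+\/tcp +open/     { port = $1 }                 # e.g. "443/tcp open  https"
    /^[|][ _]+TLSv[0-9.]+:/  { proto = $2; sub(/:$/, "", proto) }
    /^[|][ _]+TLS_[A-Z0-9_]+ .*- [A-F] *$/ {
      if ($NF > ok) print host, port, proto, $2, $NF       # string compare: "C" > "B"
    }' "$1"
}

# Constructed sample report (two hosts, one with a 3DES suite still enabled)
SAMPLE=$(mktemp)
cat >"$SAMPLE" <<'EOF'
Nmap scan report for 192.168.1.10
Host is up (0.0012s latency).
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|_  least strength: C
Nmap scan report for 192.168.1.25
Host is up (0.0089s latency).
PORT     STATE SERVICE
8443/tcp open  https-alt
| ssl-enum-ciphers:
|   TLSv1.3:
|     ciphers:
|       TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|_  least strength: A
EOF

weak_ciphers "$SAMPLE"     # prints: 192.168.1.10 443/tcp TLSv1.2 TLS_RSA_WITH_3DES_EDE_CBC_SHA C
weak_ciphers "$SAMPLE" C   # prints nothing: C is accepted, so the report is clean
```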
EternalBlue (WannaCry) detection
sudo nmap --script smb-vuln-ms17-010 -p 445 target
MS17-010 is the SMB vulnerability exploited by WannaCry and NotPetya. Any Windows host that has not applied the March 2017 security patch is vulnerable. This script is safe to run — it does not exploit the host, only checks if it is vulnerable:
| smb-vuln-ms17-010:
| VULNERABLE:
| Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
| State: VULNERABLE
| IDs: CVE:CVE-2017-0143
| Risk factor: HIGH
If you find this on your network, patch immediately or disable SMBv1.
Web server headers audit
sudo nmap --script http-headers target
Retrieves the HTTP response headers, revealing the server software, which security headers are present or absent, and cookies. The script prints only the headers the server actually sent; the (missing) annotations in the sample below mark the security headers you should expect to see but which are absent:
| http-headers:
| Server: Apache/2.4.52 (Ubuntu)
| X-Powered-By: PHP/8.1.2
| Content-Security-Policy: (missing)
| X-Frame-Options: (missing)
| Strict-Transport-Security: (missing)
Missing security headers (CSP, HSTS, X-Frame-Options) are quick wins for hardening.
SSH authentication methods
sudo nmap --script ssh-auth-methods -p 22 target
Shows which authentication methods the SSH server accepts:
| ssh-auth-methods:
| Supported authentication methods:
| publickey
| password ← should be disabled on production servers
| keyboard-interactive
If password is listed, the server allows password authentication. For production servers, this should be disabled in sshd_config (PasswordAuthentication no).
Scan your entire network for open services
A common sysadmin task: inventory all services exposed on your LAN.
sudo nmap 192.168.1.0/24 -sV --open -T4 -oA network_inventory
--open filters output to only show hosts with at least one open port, cutting through the noise. -sV identifies each service. -oA saves all three output formats.
To extract a clean list of IP:port pairs from the result (one line per open port, e.g. 192.168.1.10:22):
awk '/Ports:/ { ip = $2; sub(/.*Ports: /, ""); n = split($0, p, ", "); for (i = 1; i <= n; i++) if (p[i] ~ /\/open\//) { split(p[i], f, "/"); print ip ":" f[1] } }' network_inventory.gnmap > open_ports.txt
Run this monthly and compare results to detect unauthorized services or newly exposed ports.
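Added example, not from the original guide: a parser that turns the .gnmap produced by this inventory scan into one "ip port/proto service" line per open port, plus a comparison of two monthly listings that reports newly exposed and vanished services. It needs only POSIX sh, awk, sort and comm; the two sample scans are constructed inline and stand in for last month's and this month's network_inventory.gnmap.

```shell
#!/bin/sh
# Added example, not part of the original guide: parse .gnmap files into
# "ip port/proto service" lines and compare two listings to report what
# was newly exposed and what disappeared. Assumes POSIX sh, awk, sort, comm.
export LC_ALL=C   # byte-order collation so sort and comm agree everywhere

gnmap_open_services() {   # $1 = .gnmap file; one sorted line per open port
  awk '/^Host: .*Ports: / {
    ip = $2                                  # "Host: 192.168.1.10 (name)"
    rest = $0; sub(/.*Ports: /, "", rest); sub(/\tIgnored State:.*/, "", rest)
    n = split(rest, p, ", ")
    for (i = 1; i <= n; i++) {
      split(p[i], f, "/")                    # port/state/proto/owner/service/rpc/version
      if (f[2] == "open")
        print ip, f[1] "/" f[3], (f[5] == "" ? "unknown" : f[5])
    }
  }' "$1" | sort
}

service_changes() {       # $1 = old listing, $2 = new listing (both from gnmap_open_services)
  comm -13 "$1" "$2" | sed 's/^/+ /'      # only in new: newly exposed
  comm -23 "$1" "$2" | sed 's/^/- /'      # only in old: gone
}

# Constructed sample scans: two monthly runs of the inventory command above
WORK=$(mktemp -d)
printf 'Host: 192.168.1.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 9.6p1/, 80/open/tcp//http//nginx 1.24.0/\tIgnored State: closed (998)\n' >"$WORK/month1.gnmap"
printf 'Host: 192.168.1.15 ()\tPorts: 445/open/tcp//microsoft-ds///\tIgnored State: filtered (999)\n' >>"$WORK/month1.gnmap"
printf 'Host: 192.168.1.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 9.6p1/, 80/open/tcp//http//nginx 1.24.0/, 3306/open/tcp//mysql//MySQL 8.0.37/\tIgnored State: closed (997)\n' >"$WORK/month2.gnmap"
printf 'Host: 192.168.1.42 ()\tPorts: 8080/open/tcp//http//Apache Tomcat 10.1.18/\tIgnored State: closed (999)\n' >>"$WORK/month2.gnmap"

gnmap_open_services "$WORK/month1.gnmap" >"$WORK/month1.txt"
gnmap_open_services "$WORK/month2.gnmap" >"$WORK/month2.txt"
service_changes "$WORK/month1.txt" "$WORK/month2.txt"
# prints:
# + 192.168.1.10 3306/tcp mysql
# + 192.168.1.42 8080/tcp http
# - 192.168.1.15 445/tcp microsoft-ds
```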
Track infrastructure changes with ndiff
ndiff is a utility (shipped with Nmap) that compares two XML scan files and reports differences:
# Week 1 baseline
sudo nmap -sV -oX week1.xml 192.168.1.0/24
# Week 2 re-scan
sudo nmap -sV -oX week2.xml 192.168.1.0/24
# Compare
ndiff week1.xml week2.xml
Output highlights what appeared, disappeared, or changed:
+192.168.1.42:
+Host is up.
+8080/tcp open http Apache Tomcat 10.1.18
-192.168.1.15:
-Host is down.
This is how you detect rogue services, decommissioned hosts that are still responding, or version changes after software updates. Automate it in a cron job with the output emailed to your team.
Firewall evasion techniques
These techniques are for authorized penetration testing where you need to test whether your IDS/IPS/firewall is actually blocking scans:
Packet fragmentation — splits TCP headers across multiple packets, which some older firewalls fail to reassemble:
sudo nmap -f target
Decoy scan — makes the scan appear to come from multiple IP addresses simultaneously:
sudo nmap -D RND:10 target
# RND:10 generates 10 random decoy IPs
sudo nmap -D 10.0.0.1,10.0.0.2,ME target
# ME is your real IP mixed in with decoys
Idle/zombie scan — uses a third-party host to send the probes, hiding your IP completely:
sudo nmap -sI zombie_host target
The zombie host must be a lightly trafficked machine with predictable IP ID sequences. This is the stealthiest scan technique Nmap supports.
Slow timing with random order:
sudo nmap -T1 --randomize-hosts -p- 192.168.1.0/24
Never use these techniques without written authorization. Using them against networks you do not own is illegal under the Computer Fraud and Abuse Act (US), Computer Misuse Act (UK), and equivalent laws worldwide.
Putting it together: a practical sysadmin workflow
Here is a complete workflow for a quarterly network audit:
# 1. Discover live hosts
sudo nmap -sn 192.168.0.0/16 -oG live_hosts.gnmap
# 2. Extract live IPs
grep "Up" live_hosts.gnmap | awk '{print $2}' > targets.txt
# 3. Full service scan with default scripts and vulnerability checks
#    (one --script argument naming both categories runs the default scripts and the vuln scripts)
sudo nmap -iL targets.txt -sV --script "default,vuln" -T4 -oA quarterly_audit
# 4. Compare with last quarter
ndiff last_quarter.xml quarterly_audit.xml > changes.txt
# 5. TLS audit on all HTTPS services
sudo nmap -iL targets.txt --script ssl-enum-ciphers -p 443,8443 -oN tls_audit.txt
# 6. Check for EternalBlue on all Windows hosts
sudo nmap -iL targets.txt --script smb-vuln-ms17-010 -p 445 -oN smb_audit.txt
This gives you a comprehensive baseline, a change log, and targeted security checks in a single session.
Conclusion
Nmap is one of those tools where 90% of users only use 10% of the functionality. The real power is in NSE scripts: TLS audits, CVE checks, SMB vulnerability detection, and SSH configuration reviews. Combined with ndiff for change tracking, Nmap becomes a lightweight continuous monitoring platform that requires no additional software.
The commands in this guide — --script ssl-enum-ciphers, --script smb-vuln-ms17-010, --script vuln, and -oA with ndiff — are the ones that catch real problems in production networks. Learn them, automate them, and run them regularly.