Knowing how to use nmap is critically important for cybersecurity professionals because it is one of the most powerful and versatile tools for network reconnaissance, security auditing, and vulnerability assessment. Nmap is to cybersecurity what a stethoscope is to a doctor—a diagnostic tool that’s fundamental to identifying issues, assessing risk, and maintaining a secure environment. When focusing on cybersecurity, you’re typically using Nmap for reconnaissance, vulnerability assessment, and service enumeration.
We have previous posts that get you started on nmap if you are new:
- Getting Started with nmap
- Deeper Scanning with nmap
- Even Deeper Scanning with nmap
- Advanced nmap – the nmap Scripting Engine (NSE)
- The nmap GUI – Zenmap
- We even have a nmap Cheat Sheet and a reference to all the nmap NSE scripts and libraries.
But what if your focus is on Cybersecurity? Hackers absolutely use nmap, and it’s one of their most common tools for reconnaissance.
Both Ethical and Malicious Hackers Use nmap
Ethical Hackers (e.g., Penetration Testers, Red Teams)
- Use nmap legally to assess network security.
- Help organizations identify vulnerabilities, misconfigurations, and exposed services.
- Perform reconnaissance in a controlled and authorized environment.
Malicious Hackers (Black Hats)
- Use nmap for network scanning and footprinting before launching attacks.
- Identify:
- Open ports
- Running services
- Operating system fingerprints
- Vulnerable hosts
- Conduct "stealth" scans (e.g., SYN scan, NULL scan). These never complete the TCP handshake, so the target application never sees a connection and logs nothing; the probes are still plainly visible to a firewall or network IDS, so "stealth" is relative.
Common Nmap Uses by Hackers
| Technique | What it Does | Why It’s Useful to Hackers |
|---|---|---|
| nmap -sS | SYN (half-open) scan | The handshake is never completed, so the target service does not log a connection; identifies open ports quickly (requires raw-socket privileges, i.e. root) |
| nmap -O | OS detection | Helps tailor exploits to the host |
| nmap -sV | Service version detection | Finds known vulnerable software versions |
| nmap --script | NSE scripts | Automates vulnerability detection (e.g., CVE checks, SMB, SSL/TLS issues) |
| nmap -Pn | Skip host discovery | Scans hosts that do not answer ping and would otherwise be reported as down |
If you are a defender or cybersecurity analyst, understanding how attackers use nmap helps you recognize scanning behavior in logs, harden systems against common scans, and configure firewalls and IDS to detect or block reconnaissance attempts. The key point is that nmap itself is not malicious; it is a legitimate tool. But like a lock pick, its use depends on intent and authorization. So NEVER SCAN WITHOUT PERMISSION/AUTHORIZATION, especially in production networks, and be doubly careful on OT/ICS networks, where even a plain port scan can upset fragile devices.
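As an added example (not code from the original post), here is a small POSIX shell script a defender can run over firewall drop logs to spot the footprint a port scan leaves: one source address hitting many distinct destination ports within the same minute. The log lines are constructed iptables-style samples; the `SRC=` and `DPT=` field names are the ones the Linux netfilter LOG target emits, and the threshold of 10 distinct ports is a hypothetical choice you would tune to your environment.

```shell
#!/bin/sh
# Added example: flag sources that probe many distinct destination ports in one minute.
# Input: netfilter/iptables LOG-target style lines (SRC=, DPT= fields).

# Constructed sample log (not real traffic): 10.0.0.5 sweeps 12 distinct ports
# (port 22 twice), while 10.0.0.9 and 10.0.0.12 behave like ordinary clients.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Jun 01 10:00:01 fw kernel: DROP IN=eth0 SRC=10.0.0.5 DST=192.168.1.10 PROTO=TCP SPT=41234 DPT=21 SYN
Jun 01 10:00:01 fw kernel: DROP IN=eth0 SRC=10.0.0.5 DST=192.168.1.10 PROTO=TCP SPT=41235 DPT=22 SYN
Jun 01 10:00:01 fw kernel: DROP IN=eth0 SRC=10.0.0.5 DST=192.168.1.10 PROTO=TCP SPT=41236 DPT=22 SYN
Jun 01 10:00:01 fw kernel: DROP IN=eth0 SRC=10.0.0.5 DST=192.168.1.10 PROTO=TCP SPT=41237 DPT=23 SYN
Jun 01 10:00:01 fw kernel: DROP IN=eth0 SRC=10.0.0.5 DST=192.168.1.10 PROTO=TCP SPT=41238 DPT=25 SYN
Jun 01 10:00:02 fw kernel: DROP IN=eth0 SRC=10.0.0.5 DST=192.168.1.10 PROTO=TCP SPT=41239 DPT=80 SYN
Jun 01 10:00:02 fw kernel: DROP IN=eth0 SRC=10.0.0.5 DST=192.168.1.10 PROTO=TCP SPT=41240 DPT=110 SYN
Jun 01 10:00:02 fw kernel: DROP IN=eth0 SRC=10.0.0.5 DST=192.168.1.10 PROTO=TCP SPT=41241 DPT=135 SYN
Jun 01 10:00:02 fw kernel: DROP IN=eth0 SRC=10.0.0.5 DST=192.168.1.10 PROTO=TCP SPT=41242 DPT=139 SYN
Jun 01 10:00:02 fw kernel: DROP IN=eth0 SRC=10.0.0.5 DST=192.168.1.10 PROTO=TCP SPT=41243 DPT=443 SYN
Jun 01 10:00:03 fw kernel: DROP IN=eth0 SRC=10.0.0.5 DST=192.168.1.10 PROTO=TCP SPT=41244 DPT=445 SYN
Jun 01 10:00:03 fw kernel: DROP IN=eth0 SRC=10.0.0.5 DST=192.168.1.10 PROTO=TCP SPT=41245 DPT=3389 SYN
Jun 01 10:00:03 fw kernel: DROP IN=eth0 SRC=10.0.0.5 DST=192.168.1.10 PROTO=TCP SPT=41246 DPT=8080 SYN
Jun 01 10:00:03 fw kernel: ACCEPT IN=eth0 SRC=10.0.0.9 DST=192.168.1.10 PROTO=TCP SPT=50001 DPT=443 SYN
Jun 01 10:00:04 fw kernel: ACCEPT IN=eth0 SRC=10.0.0.9 DST=192.168.1.10 PROTO=TCP SPT=50002 DPT=443 SYN
Jun 01 10:00:05 fw kernel: ACCEPT IN=eth0 SRC=10.0.0.12 DST=192.168.1.10 PROTO=TCP SPT=50003 DPT=22 SYN
Jun 01 10:00:05 fw kernel: ACCEPT IN=eth0 SRC=10.0.0.12 DST=192.168.1.10 PROTO=TCP SPT=50004 DPT=80 SYN
EOF

# scan_sources LOGFILE THRESHOLD
# Prints "SRC HH:MM DISTINCT_PORTS" for every source that touched at least
# THRESHOLD distinct destination ports within one minute. Repeated probes to
# the same port are counted once, so retransmissions do not inflate the score.
scan_sources() {
    awk -v threshold="$2" '
    {
        src = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/) src = substr($i, 5)
            else if ($i ~ /^DPT=/) dpt = substr($i, 5)
        }
        if (src == "" || dpt == "") next          # not a firewall log line
        split($3, t, ":"); minute = t[1] ":" t[2]  # "10:00:01" -> "10:00"
        key = src SUBSEP minute
        if (!((key SUBSEP dpt) in seen)) { seen[key SUBSEP dpt] = 1; ports[key]++ }
    }
    END {
        for (key in ports) if (ports[key] >= threshold) {
            split(key, k, SUBSEP)
            printf "%s %s %d\n", k[1], k[2], ports[key]
        }
    }' "$1" | sort
}

# Usage: only the sweeping host crosses the (hypothetical) 10-port threshold.
scan_sources "$SAMPLE_LOG" 10
```

Feed it a real `/var/log/kern.log` or journald export instead of the sample file; a SYN scan (`-sS`) shows up exactly like this because every probe is a fresh SYN that the firewall sees whether or not the handshake completes, while a slow scan (`-T0`, `--scan-delay`) spreads the same ports across many minutes and needs a longer bucket to catch.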
With all that said, let’s look at some examples of how to use nmap for Cybersecurity.
Network Discovery
| Task | Command |
|---|---|
| ARP scan of your local LAN or VLAN (nmap already uses ARP for local targets when run as root; -PR forces it) | nmap -sn -PR 192.168.1.0/24 |
| Default host discovery (as root: ICMP echo, TCP SYN to 443, TCP ACK to 80 and ICMP timestamp; unprivileged: TCP SYN to 80 and 443) | nmap -sn 192.168.1.0/24 |
| ICMP echo request only | nmap -sn -PE 192.168.1.0/24 |
| Reverse DNS lookup of the targets without sending them a single packet (list scan). Note that -n does the opposite and disables DNS resolution | nmap -sL 192.168.1.0/24 |
| Passive listening for broadcast traffic on the local segment (DHCP, mDNS, CDP and similar) to map hosts and vendors without probing them; -sP is the deprecated spelling of -sn | nmap -sn --script broadcast-listener 192.168.1.0/24 |
| Service and version detection of a target host | nmap -sV 192.168.1.1 |
| SYN scan with service/version detection and OS fingerprinting of a target host (requires root) | nmap -sS -sV -O 192.168.1.1 |
Vulnerability Scanning
| Task | Command |
|---|---|
| Check a target host for known vulnerabilities (runs every script in the vuln category; some are intrusive, so only against authorized targets) | nmap --script vuln 192.168.1.1 |
| Check a target host for SMB vulnerabilities (quote the wildcard so the shell does not expand it) | nmap -p 445 --script 'smb-vuln*' 192.168.1.1 |
| Check a target host for HTTP misconfigurations and exposed files | nmap -p 80,443 --script http-enum,http-config-backup 192.168.1.1 |
Port Scanning
| Task | Command |
|---|---|
| Scan a single target host (default 1,000 most common TCP ports; as root this is already a SYN scan, unprivileged it is a full-connect scan) | nmap 192.168.1.1 |
| Same, explicitly requesting the half-open SYN scan (needs root) | nmap -sS 192.168.1.1 |
| Scan a single target host (default UDP ports; UDP scans are slow, so consider limiting them with --top-ports) | nmap -sU 192.168.1.1 |
| Scan all 65,535 TCP ports of a single target host | nmap -p- 192.168.1.1 |
| Same, as a SYN scan | nmap -sS -p- 192.168.1.1 |
| Scan a LAN/VLAN for the 10 most commonly used TCP ports | nmap --top-ports 10 192.168.1.0/24 |
| Find Modbus/TCP instances on a LAN/VLAN | nmap -p 502 192.168.1.0/24 |
| Find Modbus/TCP instances and enumerate them (the subnet or a specific target) | nmap -p 502 --script modbus-discover 192.168.1.0/24 |
Scan Speed Adjustment
Scan speed is critically important when using nmap because it directly affects the detectability and accuracy of your scan: fast scans are noisy and can lose probes on congested links or rate-limited hosts, slow scans take longer but are gentler on the network and stay under IDS thresholds.
| Task | Option(s) |
|---|---|
| Timing templates | -T0 "paranoid" (slowest), -T1 "sneaky", -T2 "polite", -T3 "normal" (the default), -T4 "aggressive", -T5 "insane" |
| Control over scan speed | nmap -T2 192.168.1.1 |
| Send only one probe at a time (no parallel probes) | nmap --max-parallelism 1 192.168.1.1 |
| Wait a fixed time between probes (10 seconds in this example) | nmap --scan-delay 10s 192.168.1.1 |
Exporting Scan Results for Reporting
| Format | Option |
|---|---|
| Normal text (what you see on screen) | add -oN report.nmap to the nmap command |
| XML (for import into other tools) | add -oX report.xml to the nmap command |
| Grep-able (one line per host, easy to parse with grep/awk) | add -oG report.gnmap to the nmap command |
| All three at once | add -oA report to the nmap command (writes report.nmap, report.xml and report.gnmap) |
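To turn saved results into something reportable, here is an added example (not part of the original post) that parses the grep-able (-oG) format with POSIX awk: one function lists the hosts a `-sn` sweep reported up, which you can save and feed back to nmap with `-iL` for the port-scan stage; another extracts every open port with its service and version; a third counts open ports per host for a summary. The .gnmap content embedded below is constructed sample data laid out the way `-oG` writes it (tab-separated `Host:`, `Status:`/`Ports:` and `Ignored State:` fields), not output from an actual scan.

```shell
#!/bin/sh
# Added example: extract live hosts and open ports from nmap grep-able (-oG) output.

# Constructed sample in -oG layout (fields are tab-separated): not a real scan.
SAMPLE_GNMAP=$(mktemp)
trap 'rm -f "$SAMPLE_GNMAP"' EXIT
{
  printf '# Nmap 7.94 scan initiated Sat Jun  1 10:00:00 2024 as: nmap -sS -sV -v -oG scan.gnmap 192.168.1.1,20,30\n'
  printf 'Host: 192.168.1.1 (gw.lan)\tStatus: Up\n'
  printf 'Host: 192.168.1.1 (gw.lan)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 53/open/tcp//domain//dnsmasq 2.89/, 80/open/tcp//http//nginx 1.24.0/\tIgnored State: closed (997)\n'
  printf 'Host: 192.168.1.20 ()\tStatus: Up\n'
  printf 'Host: 192.168.1.20 ()\tPorts: 445/open/tcp//microsoft-ds///, 502/open/tcp//mbap///, 3389/filtered/tcp//ms-wbt-server///\tIgnored State: closed (997)\n'
  printf 'Host: 192.168.1.30 ()\tStatus: Down\n'
  printf '# Nmap done at Sat Jun  1 10:01:00 2024 -- 3 IP addresses (2 hosts up) scanned in 60.00 seconds\n'
} > "$SAMPLE_GNMAP"

# live_hosts FILE.gnmap
# Hosts reported "Up" (e.g. from nmap -sn -oG sweep.gnmap ...). Redirect the
# output to a file and pass it back with -iL for the port-scan stage.
live_hosts() {
    awk -F'\t' '/^Host:/ && $2 == "Status: Up" { split($1, h, " "); print h[2] }' "$1" | sort -u
}

# open_ports FILE.gnmap
# One line per open port: "host port/proto service version". Each entry in the
# Ports: field is port/state/proto/owner/service/rpc-info/version/ ; filtered
# and closed entries are skipped.
open_ports() {
    awk -F'\t' '/^Host:/ {
        split($1, h, " "); host = h[2]
        for (i = 2; i <= NF; i++) {
            if (substr($i, 1, 7) != "Ports: ") continue
            n = split(substr($i, 8), entries, ", ")
            for (j = 1; j <= n; j++) {
                split(entries[j], f, "/")
                if (f[2] != "open") continue
                line = host " " f[1] "/" f[3] " " f[5]
                if (f[7] != "") line = line " " f[7]
                print line
            }
        }
    }' "$1"
}

# summary FILE.gnmap
# Open-port count per host for the report summary.
summary() {
    open_ports "$1" | awk '{ n[$1]++ } END { for (h in n) print h, n[h] }' | sort
}

echo "Live hosts:"; live_hosts "$SAMPLE_GNMAP"
echo "Open ports:"; open_ports "$SAMPLE_GNMAP"
echo "Per host:";   summary "$SAMPLE_GNMAP"
```

A typical two-stage workflow is `nmap -sn -oG sweep.gnmap 192.168.1.0/24`, then `live_hosts sweep.gnmap > targets.txt` and `nmap -sS -sV -iL targets.txt -oA full`, after which `open_ports full.gnmap` gives you the raw material for the findings table. For anything more than ad-hoc reporting, the XML output (`-oX`) is the format to parse, since the grep-able format is officially deprecated in the nmap documentation, but it remains convenient for quick shell pipelines.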
nmap Scripting Engine for Cybersecurity
| Task | Command |
|---|---|
| Enumerate EtherNet/IP details of a target | nmap -p 44818 --script enip-info 192.168.1.1 |
| Enumerate Modbus details of a target | nmap -p 502 --script modbus-discover 192.168.1.1 |
| Enumerate Siemens S7 details of a target | nmap -p 102 --script s7-info 192.168.1.1 |
| Enumerate DNP3 details of a target | nmap -p 20000 --script dnp3-info 192.168.1.1 |
Some other nmap Command Options When Scanning for Cybersecurity
| Purpose | Key Option(s) |
|---|---|
| Host discovery | -sn |
| TCP port scan | -sS |
| UDP port scan | -sU |
| Service/version detection | -sV |
| OS detection | -O |
| Vulnerability scripts | --script vuln |
| Firewall/IDS evasion | -f (fragment packets), -D (decoy source addresses), -T0 to -T2 (slow timing) |
| Save reports | -oA, -oN, -oX, -oG |
Some Other Ports of Possible Interest to Scan
| Protocol / Product | Port |
|---|---|
| BACnet | UDP 47808 |
| OPC UA | TCP 4840 |
| MQTT | TCP 1883 |
| MQTT over TLS | TCP 8883 |
| MQTT-SN | UDP 1884 |
| HART-IP | TCP 5094 |
| MELSEC-Q | TCP 5007 |
| Tridium Niagara (Fox) | TCP 1911 |
| PCWorx | TCP 1962 |
| Red Lion (Crimson) | TCP 789 |
| ProConOS | TCP 20547 |
| GE-SRTP | TCP 18245 |
| Omron FINS | TCP/UDP 9600 |
I hope this helps those of you working in Cybersecurity and OT/ICS (Operational Technology / Industrial Control Systems).
