Nmap’s true power isn’t just finding open ports; it’s its ability to act as a dynamic reconnaissance engine that evolves with your understanding of the target.

Let’s say you’re tasked with a penetration test of a small e-commerce company. You’ve got their domain, example.com. Your first step isn’t to just hammer away. It’s to understand the landscape.

# Initial broad scan to find live hosts and common services
nmap -sS -T4 --min-rate 1000 -oA initial_scan example.com

This command kicks off a SYN scan (-sS, which needs raw-socket privileges, so run it as root) at a brisk pace (-T4 --min-rate 1000); with no -p option it covers Nmap’s default set of the 1000 most common TCP ports. We’re not waiting around. The output is saved in all formats (-oA) for later analysis: initial_scan.nmap, initial_scan.gnmap, and initial_scan.xml will be generated.

From the initial_scan.gnmap (or by parsing the XML), you’ll see which IPs are alive. Let’s assume you find 192.168.1.100 and 192.168.1.101. Now, you want to dig deeper into these specific hosts.

# Deeper scan on specific hosts, including OS detection and service versioning
nmap -sV -O -p- -T4 --min-rate 1000 -oA detailed_scan 192.168.1.100 192.168.1.101

Here, -sV attempts to determine service versions, and -O tries to guess the operating system. -p- tells Nmap to scan all 65535 TCP ports, which is crucial because you never know what might be running on an unusual port. The speed is maintained.

The output from detailed_scan.gnmap or detailed_scan.xml is where the real intelligence starts to form. You might see:

  • 192.168.1.100: Port 80 (HTTP) running Apache 2.4.41, Port 443 (HTTPS) running Nginx 1.18.0, Port 3306 (MySQL) open. OS: Linux.
  • 192.168.1.101: Port 22 (SSH) running OpenSSH 8.2p1, Port 8080 (HTTP-proxy) running Tomcat 9.0.37. OS: Windows Server 2019.

This tells you a lot. 192.168.1.100 is likely a web server, possibly facing the internet, with a database. 192.168.1.101 is an SSH server and a Java application server. The OS information helps tailor further attacks.

Now, you pivot based on this information. If you see a specific version of Apache or Nginx, you’d immediately think about known vulnerabilities for that version.

# Script scan to check for common vulnerabilities and misconfigurations
nmap -sV -O -p 80,443,8080 --script vuln,discovery -T4 --min-rate 1000 -oA script_scan 192.168.1.100 192.168.1.101

We’ve narrowed down the ports here to those identified as interesting (80,443,8080) and added --script vuln,discovery. The vuln category runs scripts that check for common vulnerabilities, while discovery can reveal more about the network services.

Let’s say script_scan.xml reveals that on 192.168.1.100, the Apache http-vuln-cve2021-41773 script finds it’s vulnerable to path traversal. This is a critical finding.

The real magic of Nmap’s workflow is the iterative refinement. You start broad, then narrow your focus, leveraging the output of each scan to inform the next. You’re not just port scanning; you’re mapping the attack surface and identifying potential entry points.
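The hand-off between scans described above (reading the live hosts and open ports out of initial_scan.xml or detailed_scan.xml and feeding them into the next, narrower scan) can be scripted. The following is an added example, not code from the original post: it parses a constructed XML fragment shaped like Nmap’s -oX output and builds the port list and host list for the script scan. The function names and the sample data are my own; the constructed fragment mirrors the hosts and services used in the walkthrough.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on Nmap's XML schema (not real scan output).
SAMPLE_XML = """<nmaprun scanner="nmap">
 <host><status state="up"/><address addr="192.168.1.100" addrtype="ipv4"/><ports>
  <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="Apache httpd" version="2.4.41"/></port>
  <port protocol="tcp" portid="443"><state state="open"/><service name="http" product="nginx" version="1.18.0"/></port>
  <port protocol="tcp" portid="3306"><state state="open"/><service name="mysql"/></port>
  <port protocol="tcp" portid="25"><state state="filtered"/><service name="smtp"/></port>
 </ports></host>
 <host><status state="up"/><address addr="192.168.1.101" addrtype="ipv4"/><ports>
  <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="8.2p1"/></port>
  <port protocol="tcp" portid="8080"><state state="open"/><service name="http-proxy" product="Apache Tomcat" version="9.0.37"/></port>
 </ports></host>
 <host><status state="down"/><address addr="192.168.1.102" addrtype="ipv4"/></host>
</nmaprun>"""

def parse_hosts(xml_text):
    """Map each live host to its open ports: {ip: [(port, proto, name, product, version)]}."""
    hosts = {}
    for host in ET.fromstring(xml_text).findall("host"):
        if host.find("status").get("state") != "up":
            continue  # down hosts never reach the follow-up scan
        ip = host.find("address[@addrtype='ipv4']").get("addr")
        services = []
        for port in host.findall("ports/port"):
            if port.find("state").get("state") != "open":
                continue  # filtered/closed ports are dropped
            svc = port.find("service")
            attrs = svc.attrib if svc is not None else {}  # -sS alone may give no <service>
            services.append((int(port.get("portid")), port.get("protocol"),
                             attrs.get("name", ""), attrs.get("product", ""),
                             attrs.get("version", "")))
        hosts[ip] = services
    return hosts

def next_scan_targets(hosts, interesting=("http", "https", "http-proxy")):
    """Port list (for -p) and hosts for the follow-up scan: only hosts exposing a service of interest."""
    ports, targets = set(), []
    for ip, services in hosts.items():
        hit = [p for p, _proto, name, _prod, _ver in services if name in interesting]
        if hit:
            targets.append(ip)
            ports.update(hit)
    return ",".join(str(p) for p in sorted(ports)), targets

if __name__ == "__main__":
    port_arg, targets = next_scan_targets(parse_hosts(SAMPLE_XML))
    print(f"nmap -sV -p {port_arg} --script vuln,discovery -oA script_scan {' '.join(targets)}")
```

Run against the sample it prints the same narrowed script-scan command used above (ports 80,443,8080 against both live hosts); point it at your own detailed_scan.xml to generate the next iteration instead of retyping it.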

The sheer volume of information Nmap can gather means that you’re not guessing what’s on the network; you know. The service version detection and OS guessing are not perfect, but they provide strong indicators that guide your subsequent actions. For example, seeing Microsoft IIS versus Apache immediately changes the types of exploits you’d consider.

One of Nmap’s most powerful, yet often overlooked, features for reconnaissance is its ability to perform UDP scans (-sU) efficiently, especially when combined with service version detection (-sV). While TCP scans are common, many critical services like DNS (port 53), SNMP (port 161), and various VoIP protocols run over UDP. These scans are inherently slower and less reliable than TCP scans due to UDP’s connectionless nature, but Nmap’s --min-rate and -T options, when applied judiciously, can significantly speed them up. Furthermore, combining UDP scans with the --version-intensity flag (e.g., --version-intensity 9) can increase the likelihood of accurate service detection, albeit at the cost of scan time.

After discovering a specific vulnerability like the Apache path traversal, your next step would be to exploit it.
