Introduction
Revision Historyβ
| Date | Author | Summary |
|---|---|---|
| 03-AUG-2024 | TSgt. Bernadotte | Initial draft |
| 19-MAR-2026 | CW2 Bernadotte | Added End-State, Requirements, Considerations; expanded content sections |
Purposeβ
The purpose of this aid is to provide operators with a basic understanding of how to employ Nmap's capabilities for Discovering Live Hosts, Enumerating Open Ports and Services, Service, OS, and Version Detection, Target Specification, Firewall/IDS Evasion, Output Formatting, CPT Scan Recipes, and Tool Integrations.
End-Stateβ
- Operators can confidently employ Nmap for host discovery, port scanning, and service/OS enumeration across varied network environments.
- Operators can select the appropriate scan technique based on operational constraints including stealth requirements, network topology, and mission ROE.
- Operators can produce, format, and export scan results for further analysis, reporting, and integration with other tools.
- Operators understand Nmap's scripting engine and can leverage NSE scripts for targeted interrogation of services and vulnerabilities.
Requirementsβ
- Nmap version 7.x or later installed on the scanning host.
- Network access to the target range.
- Root or administrator privileges for privileged scan types (SYN scan
-sS, OS detection-O, raw packet techniques). - Mission authorization and compliance with applicable Rules of Engagement (ROE).
Considerationsβ
- Privileges: Many scan types (e.g., SYN scan, OS detection, raw ICMP) require root/sudo. Running without root will fall back to less capable alternatives (e.g., TCP Connect scan instead of SYN scan).
- Noise and Detection: Aggressive scans (
-T4,-T5,-A) generate significant traffic and are likely to trigger IDS/IPS alerts. Match scan aggression to the operational environment and ROE. - DNS Resolution: By default, Nmap resolves IP addresses to hostnames. On large subnets this adds time and may alert network defenders. Use
-nto suppress DNS resolution where it is not needed. - Documentation: Always save output to file using
-oAor a specific output flag for documentation, deconfliction, and post-mission reporting. - OS Detection Accuracy: Nmap's OS detection (
-O) is most accurate when the target has at least one open and one closed port. Results are probabilistic estimates and should be corroborated with other data. - UDP Scans: UDP scanning (
-sU) is significantly slower than TCP scanning. Combine with--top-portsor a targeted port list to keep scan times manageable.