Skip to main content

Introduction


Revision History​

DateAuthorSummary
03-AUG-2024TSgt. BernadotteInitial draft
19-MAR-2026CW2 BernadotteAdded End-State, Requirements, Considerations; expanded content sections

Purpose​

The purpose of this aid is to provide operators with a basic understanding of how to employ Nmap's capabilities for Discovering Live Hosts, Enumerating Open Ports and Services, Service, OS, and Version Detection, Target Specification, Firewall/IDS Evasion, Output Formatting, CPT Scan Recipes, and Tool Integrations.


End-State​

  • Operators can confidently employ Nmap for host discovery, port scanning, and service/OS enumeration across varied network environments.
  • Operators can select the appropriate scan technique based on operational constraints including stealth requirements, network topology, and mission ROE.
  • Operators can produce, format, and export scan results for further analysis, reporting, and integration with other tools.
  • Operators understand Nmap's scripting engine and can leverage NSE scripts for targeted interrogation of services and vulnerabilities.

Requirements​

  1. Nmap version 7.x or later installed on the scanning host.
  2. Network access to the target range.
  3. Root or administrator privileges for privileged scan types (SYN scan -sS, OS detection -O, raw packet techniques).
  4. Mission authorization and compliance with applicable Rules of Engagement (ROE).

Considerations​

  • Privileges: Many scan types (e.g., SYN scan, OS detection, raw ICMP) require root/sudo. Running without root will fall back to less capable alternatives (e.g., TCP Connect scan instead of SYN scan).
  • Noise and Detection: Aggressive scans (-T4, -T5, -A) generate significant traffic and are likely to trigger IDS/IPS alerts. Match scan aggression to the operational environment and ROE.
  • DNS Resolution: By default, Nmap resolves IP addresses to hostnames. On large subnets this adds time and may alert network defenders. Use -n to suppress DNS resolution where it is not needed.
  • Documentation: Always save output to file using -oA or a specific output flag for documentation, deconfliction, and post-mission reporting.
  • OS Detection Accuracy: Nmap's OS detection (-O) is most accurate when the target has at least one open and one closed port. Results are probabilistic estimates and should be corroborated with other data.
  • UDP Scans: UDP scanning (-sU) is significantly slower than TCP scanning. Combine with --top-ports or a targeted port list to keep scan times manageable.