Nmap in Practice: A Pentester’s Guide to Scanning, NSE, and Timing


Legal & ethical disclaimer. Port scanning can be considered hostile activity and, depending on jurisdiction, unauthorized scanning may be illegal. Only run the commands below against systems you own or have explicit written authorization to test (a signed scope/RoE). Everything here is for education and authorized assessments.

Introduction / Overview

Nmap is the de facto standard for network reconnaissance, and yet most people use maybe 10% of it. In this guide I walk through a realistic engagement workflow: discover live hosts, enumerate the full port range with -p-, then deep-dive with service/version detection (-sV) and the default NSE script set (-sC). I also cover timing templates so you understand the tradeoff between speed and stealth, and finish with a Blue Team section so defenders can detect and slow down exactly this activity.

By the end you'll have a repeatable methodology rather than a pile of disconnected flags.

How it works / Background

Nmap operates at several layers. Host discovery (the "ping" phase) decides which targets are worth probing. On a local segment Nmap uses ARP; across L3 it sends a mix of ICMP echo, ICMP timestamp, a TCP SYN to 443, a TCP ACK to 80, and so on. If a host replies to any probe it's marked "up."

Port scanning then determines port state. The default -sS (TCP SYN / "half-open") scan sends a SYN; a SYN/ACK means open, a RST means closed, and no response (after retries) means filtered. SYN scan requires raw-packet privileges (root/admin); without them Nmap falls back to -sT (full connect via the OS socket API).

Service detection (-sV) goes beyond "port 22 is open" by reading banners and matching responses against nmap-service-probes. NSE (the Nmap Scripting Engine) is a Lua-based framework of 600+ scripts categorized as default, safe, discovery, vuln, auth, brute, exploit, etc. The -sC flag is simply shorthand for --script=default.

Prerequisites / Lab setup

You need Nmap (apt install nmap, brew install nmap, or the Windows installer) and a lab you control — e.g., a local VM, a Vulnhub/HTB-style box, or a target explicitly in scope.

```bash
nmap --version          # confirm version + script DB
sudo nmap --iflist      # interfaces/routes Nmap will use
ls /usr/share/nmap/scripts/ | head   # local NSE catalog
```

Run privileged scans with sudo so SYN scan and OS detection work. Throughout, replace 10.10.10.5 / 10.10.10.0/24 with your authorized target.

Attack walkthrough / PoC

Step 1 — Host discovery (find live hosts)

Start with a discovery-only sweep (-sn = no port scan) to map the subnet before hammering every host:

```bash
sudo nmap -sn 10.10.10.0/24 -oA discovery
```

If ICMP is filtered, force specific probes. A TCP SYN ping to common ports often finds hosts that drop ICMP:

```bash
sudo nmap -sn -PS22,80,443,3389 -PA80 10.10.10.0/24
```

When you already know the host is up (or the firewall blocks all discovery), skip the ping phase entirely with -Pn so Nmap treats every target as online and proceeds straight to scanning:

```bash
sudo nmap -Pn 10.10.10.5
```

Step 2 — Full TCP port sweep with -p-

The default scan only covers the top 1000 ports. Real services hide on high ports, so enumerate all 65,535 with -p-. Pair it with a faster timing template and a higher minimum rate so it doesn't take an hour:

```bash
sudo nmap -p- --min-rate 1000 -T4 10.10.10.5 -oN allports.txt
```

A common trick is to extract open ports and feed them into a targeted second scan:

```bash
# Pull the port number from every "NNN/tcp open ..." line of the -oN output
# and join them with commas (needs GNU grep for -P)
ports=$(grep -oP '^\d+(?=/tcp\s+open)' allports.txt | paste -sd, -)
echo "Open ports: $ports"
```

Don't forget UDP — it's slow but DNS (53), SNMP (161), and IKE (500) live there:

```bash
sudo nmap -sU --top-ports 50 -T4 10.10.10.5
```

Step 3 — Service/version + default scripts (-sC -sV)

Now run the deep scan only against the open ports you found. This is where -sC -sV earns its keep — version banners plus the default NSE scripts (TLS info, HTTP titles, SMB OS discovery, etc.):

```bash
sudo nmap -p $ports -sC -sV -O 10.10.10.5 -oA deep
```

-O adds OS fingerprinting. -sC is equivalent to --script=default. Together they typically reveal the software stack you need to research for CVEs.
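Steps 1 to 3 form one funnel, so here is an added example (not code from the original post) that ties them together: a few shell functions that read the grepable output Nmap writes alongside -oA (the .gnmap file), list the hosts marked Up, pull each host's open TCP ports, and emit the Step 3 deep-scan command per host. The .gnmap fragment, the host addresses and the `deep_<host>` output prefix are constructed for the example.

```bash
#!/usr/bin/env bash
# Added example (not from the post): build per-host "-p" port lists from Nmap's
# grepable output (the .gnmap file that -oA writes). The sample below is a
# constructed .gnmap fragment, not real scan data.
set -eu

SAMPLE_GNMAP=$(printf '%b\n' \
  '# Nmap 7.94 scan initiated (constructed sample)' \
  'Host: 10.10.10.5 ()\tStatus: Up' \
  'Host: 10.10.10.5 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 3306/filtered/tcp//mysql///, 8443/open/tcp//https-alt///\tIgnored State: closed (65531)' \
  'Host: 10.10.10.7 ()\tStatus: Up' \
  'Host: 10.10.10.7 ()\tPorts: 445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server///\tIgnored State: closed (65533)' \
  '# Nmap done (constructed sample)')

# hosts_up < gnmap -> one line per host that Nmap marked Up
hosts_up() { awk '$1 == "Host:" && /Status: Up/ { print $2 }'; }

# open_ports_for HOST < gnmap -> comma-separated open TCP ports for HOST
# (filtered/closed entries and UDP are skipped; empty output if nothing is open)
open_ports_for() {
  awk -v h="$1" '
    $1 == "Host:" && $2 == h && /Ports:/ {
      sub(/.*Ports: /, ""); sub(/[[:space:]]+Ignored State.*/, "")
      n = split($0, entries, /, /)
      for (i = 1; i <= n; i++) {
        split(entries[i], f, "/")          # port/state/proto/owner/service/...
        if (f[2] == "open" && f[3] == "tcp") out = out (out ? "," : "") f[1]
      }
      print out
    }'
}

# deep_scan_cmd HOST -> the Step 3 command for HOST (nothing if no open ports)
deep_scan_cmd() {
  ports=$(printf '%s\n' "$SAMPLE_GNMAP" | open_ports_for "$1")
  [ -n "$ports" ] || return 0
  printf 'sudo nmap -p %s -sC -sV -O %s -oA deep_%s\n' "$ports" "$1" "$1"
}

# Stand-alone usage: emit one deep-scan command per live host
printf '%s\n' "$SAMPLE_GNMAP" | hosts_up | while read -r h; do deep_scan_cmd "$h"; done
```

Replace SAMPLE_GNMAP with `cat allports.gnmap` to run it against a real -oA sweep; the filtered 3306 entry shows why the state field, not just the port, has to be checked.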

Step 4 — Targeted NSE scripts

Beyond the default set, NSE shines for category-specific enumeration. List scripts by category, then run them. For example, enumerate SMB and check for vulns:

```bash
# Discovery: list the SMB-related scripts in the local catalog
ls /usr/share/nmap/scripts/ | grep -i smb

# Run a focused vuln check (e.g., MS17-010 / EternalBlue, CVE-2017-0144)
sudo nmap -p445 --script smb-vuln-ms17-010 10.10.10.5

# HTTP enumeration with several scripts at once
sudo nmap -p80,443 --script http-enum,http-title,http-headers 10.10.10.5
```

Pass arguments with --script-args, and update the script DB after adding new scripts:

```bash
sudo nmap -p445 --script smb-enum-shares,smb-enum-users \
  --script-args 'smbusername=guest,smbpassword=' 10.10.10.5
nmap --script-updatedb
```

Tip: avoid running entire categories like --script vuln or --script brute against production — they're noisy, can trigger IPS, and brute/exploit scripts are actively intrusive.

Step 5 — Timing & evasion

The -T templates range from T0 (paranoid) to T5 (insane). T0/T1 are used to evade IDS by spacing probes seconds-to-minutes apart; T4 is the practical default for assessments on reliable networks. For fine control use the raw knobs the templates are built from:

```bash
# Slow + quiet: one probe at a time, long delays
sudo nmap -T1 --max-retries 1 --scan-delay 1s 10.10.10.5

# Fast + aggressive control
sudo nmap -T4 --min-rate 2000 --max-rtt-timeout 200ms 10.10.10.5
```

-A bundles -sV -sC -O --traceroute for a quick "everything" pass — convenient, but loud.

[Diagram 1: the engagement funnel]

The diagram shows the funnel: scope → discover live hosts → sweep all ports → deep-scan only the open ones → run targeted NSE → pivot to exploitation.

Detection & Defense (Blue Team)

Scanning is rarely the end goal — it's reconnaissance (MITRE ATT&CK T1046 – Network Service Discovery, and active scanning T1595). Detecting and slowing it buys defenders time.

Detection

  • IDS/IPS signatures. Suricata/Snort ship rules for Nmap behavior. A burst of SYNs to many ports from one source, or SYN-to-RST ratios that don't match normal traffic, is a strong scan indicator. Watch for the classic -sX/-sF/-sN flag combinations (FIN/Xmas/Null) which never occur in legitimate traffic.
  • Connection-rate thresholds. Flag any single source opening connections to, say, >100 distinct ports/hosts in a short window. NetFlow/IPFIX analytics (e.g., in your SIEM) surface this well even when payloads are encrypted.
  • Honeypots/canaries. A host or port that no legitimate user should ever touch (a canary token, an unused listening port) generates a high-fidelity alert the moment a scanner probes it.
  • Firewall/web server logs. -sC -sV and HTTP NSE scripts leave recognizable User-Agents and odd request patterns (e.g., http-enum requesting hundreds of known paths). The default Nmap NSE HTTP UA is Mozilla/5.0 (compatible; Nmap Scripting Engine; ...).

```suricata
# Example Suricata-style logic (conceptual): many SYNs from one source in a short window
alert tcp any any -> $HOME_NET any (msg:"Possible Nmap SYN scan"; \
  flags:S; threshold:type both, track by_src, count 100, seconds 5; sid:1000001; rev:1;)
```
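The connection-rate threshold above is easy to prototype before it goes into a SIEM. As an added example (not from the original post), the awk logic below reads simplified connection records of the form `<epoch> <src> <dst> <dport>` (a constructed NetFlow/firewall-log shape, not a real capture) and reports every source that touched at least THRESHOLD distinct dst:port pairs inside one WINDOW-second bucket. The three sample sources are constructed: a port sweep, a normal client, and a client retrying one port.

```bash
#!/usr/bin/env bash
# Added example: connection-rate scan detection over constructed log lines.
# Record format: <epoch> <src> <dst> <dport> (constructed sample data).
set -eu

SAMPLE_LOG=$(
  # Source A: a sweep, 120 distinct ports on one host within ~3 seconds
  for p in $(seq 1 120); do
    printf '%s 10.10.10.50 10.10.10.5 %s\n' $((1700000000 + p / 50)) "$p"
  done
  # Source B: normal client, a few ports spread over a minute
  printf '%s\n' '1700000001 10.10.10.20 10.10.10.5 443' \
                '1700000030 10.10.10.20 10.10.10.5 443' \
                '1700000060 10.10.10.20 10.10.10.6 22'
  # Source C: 150 retries to one port: many connections, one distinct target
  for i in $(seq 1 150); do printf '1700000002 10.10.10.30 10.10.10.5 3306\n'; done
)

# scan_sources THRESHOLD WINDOW_SECONDS < log
# Prints "<src> <distinct_targets> <window_start_epoch>" for each source that hit
# at least THRESHOLD distinct dst:dport pairs inside a single WINDOW bucket.
scan_sources() {
  awk -v thr="$1" -v win="$2" '
    NF == 4 {
      bucket = int($1 / win)            # fixed windows, like "seconds N" in the rule
      key = $2 SUBSEP bucket            # per-source, per-window counter
      tgt = $3 ":" $4
      if (!((key, tgt) in seen)) { seen[key, tgt] = 1; n[key]++ }   # count distinct only
    }
    END {
      for (k in n) if (n[k] >= thr) {
        split(k, parts, SUBSEP)
        printf "%s %d %d\n", parts[1], n[k], parts[2] * win
      }
    }' | sort
}

# Stand-alone usage: the 100-targets-in-5-seconds threshold from the text
printf '%s\n' "$SAMPLE_LOG" | scan_sources 100 5
```

Only the sweeping source is reported; the retrying client never exceeds one distinct target, which is why counting distinct dst:port pairs rather than raw connections keeps the alert high-fidelity.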

Defense / mitigation

  • Reduce attack surface. Close unused ports, bind services to internal interfaces, and host-firewall everything else. -p- only matters if there's something to find.
  • Drop, don't reject. Configure firewalls to DROP instead of REJECT so closed/filtered ports look identical and scans take far longer and yield less.
  • Rate-limit and tarpit. iptables/nftables connection-rate limiting and tools like a TCP tarpit (endlessh for SSH, or iptables -j TARPIT) punish aggressive scanners.
  • Segment the network. VLANs/microsegmentation limit how much a single compromised host can discover (-sn sweeps stop at the segment boundary).
  • Patch the findings. Detection is reactive; the durable fix is to ensure that when an attacker does enumerate -sC -sV, the versions returned have no known CVEs (e.g., remediate MS17-010 / CVE-2017-0144).

For follow-on attacker tradecraft after recon, see Active Directory Enumeration and Kerberoasting. For the defensive side, see Building Detections with Suricata.

Conclusion

Nmap rewards a disciplined funnel: discover hosts, sweep with -p-, then deep-scan only open ports with -sC -sV and targeted NSE. Tune -T and rate flags to the engagement — fast on internal assessments, slow on IDS-monitored networks. And remember the blue-team mirror: nearly every flag here produces a detectable signal, so defenders who watch connection rates, deploy canaries, and minimize attack surface can turn a noisy scan into an early-warning alert.
