During my cybersecurity internship, one of the first tools I worked with extensively was Nmap. These are my organized notes covering its role as a footprinting tool, the flags I used most often, port states, host discovery tricks, output formats, evasion techniques, and the underlying TCP/UDP concepts that make scanning possible.
What is Nmap?
Nmap is a footprinting tool — meaning its primary job is to gather information about a target before any deeper assessment begins. It maps out hosts, open ports, running services, and even the operating system behind them.
Important: Nmap is inherently noisy. Default scans send a lot of traffic and are easily detected by intrusion detection systems. In real engagements, we need to think carefully about how to perform these scans quietly.
Verbosity & Output
The first thing I got comfortable with was controlling how much feedback Nmap gives me, and how to save that output for later analysis.
Verbosity is controlled with -v (and -vv for even more progress detail while the scan runs). The flag I found most useful is --reason, which adds why Nmap put each port in its state (syn-ack, no-response, reset, TTL info), so a verdict like "filtered" is backed by what actually came back on the wire.
Output Formats: -oA and Friends
When I needed to save scans for later, -oA became my favorite — it writes three different output files at once, each suited to a different use case. I can also pick just one if I don't need all three.
| Flag | Extension | What it gives me |
|---|---|---|
| -oN | .nmap | Normal / human-readable — a one-to-one copy of what I see on screen. |
| -oG | .gnmap | Grepable output — one host per line, perfect for parsing with awk, grep, or scripts. |
| -oX | .xml | Machine-readable XML — strictly structured, the most exhaustive format. Great input for reporting tools. |
| -oA | all three | Writes all three formats at once with the same basename. |
```bash
# Save the same scan in all three formats
nmap -sS -sV -oA scan_results 192.168.1.50
# Produces: scan_results.nmap, scan_results.gnmap, scan_results.xml
```
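The grepable and XML files are only useful if you actually parse them, so here is an added example, written for these notes and not part of Nmap or any tool on the page, that reads both formats into the same structure and pulls out the open and filtered ports per host. The -oG and -oX samples it uses are constructed to look like a scan of the 192.168.1.50 host above (not real scan output), and the reason field it extracts from the XML is the same information --reason prints.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of -oG output for one host (not a real scan). Fields on a
# Host: line are tab-separated; each port entry is
#   port/state/protocol/owner/service/rpc info/version/
SAMPLE_GNMAP = (
    "# Nmap 7.94 scan initiated Mon Jan  1 12:00:00 2024 as: "
    "nmap -sS -sV -oA scan_results 192.168.1.50\n"
    "Host: 192.168.1.50 ()\tStatus: Up\n"
    "Host: 192.168.1.50 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, "
    "80/open/tcp//http//nginx 1.18.0/, 445/filtered/tcp//microsoft-ds///"
    "\tIgnored State: closed (997)\n"
    "# Nmap done at Mon Jan  1 12:00:05 2024 -- 1 IP address (1 host up) "
    "scanned in 5.21 seconds\n"
)

# Constructed sample of -oX output for the same (fictional) scan, trimmed to the
# elements used below. <state reason=...> carries what --reason prints.
SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -sS -sV -oA scan_results 192.168.1.50">
<host><status state="up" reason="arp-response"/>
<address addr="192.168.1.50" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack" reason_ttl="64"/>
<service name="ssh" product="OpenSSH" version="8.9p1"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack" reason_ttl="64"/>
<service name="http" product="nginx" version="1.18.0"/></port>
<port protocol="tcp" portid="445"><state state="filtered" reason="no-response" reason_ttl="0"/>
<service name="microsoft-ds"/></port>
</ports></host>
</nmaprun>
"""

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\((.*?)\)")
# States such as open|filtered contain a '|', hence [\w|]+ for the state field.
PORT_RE = re.compile(r"(\d+)/([\w|]+)/(\w+)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/")


def parse_gnmap(text):
    """Return {ip: [port dicts]} from grepable output; '#' comment lines are skipped."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue
        entries = hosts.setdefault(m.group(1), [])
        for field in line.split("\t")[1:]:
            if not field.startswith("Ports:"):
                continue
            for port, state, proto, _owner, service, _rpc, version in PORT_RE.findall(field):
                entries.append({"port": int(port), "state": state, "proto": proto,
                                "service": service, "version": version, "reason": ""})
    return hosts


def parse_xml(text):
    """Return the same structure from XML output, keeping the per-port reason."""
    hosts = {}
    for host in ET.fromstring(text).iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:  # fall back to whatever address element exists (e.g. ipv6)
            addr = host.find("address")
        entries = hosts.setdefault(addr.get("addr"), [])
        for port in host.iter("port"):
            state = port.find("state")
            svc = port.find("service")
            name, version = "", ""
            if svc is not None:
                name = svc.get("name", "")
                version = " ".join(v for v in (svc.get("product"), svc.get("version")) if v)
            entries.append({"port": int(port.get("portid")), "state": state.get("state"),
                            "proto": port.get("protocol"), "service": name,
                            "version": version, "reason": state.get("reason", "")})
    return hosts


def ports_in_state(hosts, wanted):
    """{ip: sorted port numbers} restricted to one state, e.g. 'open' or 'filtered'."""
    return {ip: sorted(e["port"] for e in entries if e["state"] == wanted)
            for ip, entries in hosts.items()}


if __name__ == "__main__":
    for label, parsed in (("gnmap", parse_gnmap(SAMPLE_GNMAP)), ("xml", parse_xml(SAMPLE_XML))):
        print(label, "open:", ports_in_state(parsed, "open"),
              "filtered:", ports_in_state(parsed, "filtered"))
    for entry in parse_xml(SAMPLE_XML)["192.168.1.50"]:
        print(entry["port"], entry["state"], "because", entry["reason"])
```

Both parsers produce the same open/filtered lists for the same scan; the XML path is the one to prefer when the reason matters, because grepable output does not carry it. Swap SAMPLE_GNMAP or SAMPLE_XML for the contents of a real scan_results.gnmap or scan_results.xml to use it on your own output.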
Scan Types I Used Most
Nmap supports many different scan techniques. These are the ones that showed up the most during my internship:
| Flag | What it does |
|---|---|
| -A | Aggressive scan — combines OS detection, version detection, script scanning, and traceroute in a single command. |
| -O | OS detection — tries to identify the operating system running on the target. |
| -sV | Version detection: talks to each open port to identify the service and its version, which is what you match against known vulnerabilities. |
| -sC | Default script scan — runs Nmap's set of safe NSE scripts against open ports to grab banners, weak configs, common info. |
| -sT | TCP connect scan: uses the OS connect() call, so the full three-way handshake completes and the attempt shows up in application logs. Works without root. |
| -sS | SYN / "stealth" scan: sends a SYN and, on SYN/ACK, tears the connection down with RST instead of completing the handshake. Faster than -sT and usually absent from application logs, but every SYN is still visible to a firewall or IDS. Needs raw-socket privileges (root). |
| -sU | UDP scan — for finding services that don't use TCP. |
| -sn | Ping sweep (host discovery only, no port scan): lists which hosts are up and, on the local Ethernet segment where discovery uses ARP, their MAC addresses. Takes ranges such as 192.168.1.0/24 or 192.168.1.1-50 as well as single IPs. |
| -Pn | Skip host discovery: treat every target as up and go straight to the port scan. Needed when ping probes are blocked. |
| -F | Fast scan: only the 100 most common ports instead of the default 1000. |
A very common combo I ended up running often was:
```bash
# Stealth SYN scan + default scripts + version detection on specific ports
nmap -sS -sC -sV -p 22,80,445 192.168.1.50
```
Port Scanning Details
Each host has 65,535 TCP ports (1-65535) and the same number of UDP ports, but Nmap doesn't blast through all of them by default. It scans the 1000 most commonly used ports (ranked by how often they are seen open in Nmap's nmap-services data), which is usually enough for an initial sweep. Several flags let me narrow or expand that range:
```bash
# Scan a specific port
nmap -p 80 target.com
# Scan ALL 65,535 ports
nmap -p- target.com
# Show only the open ports in the output
nmap --open target.com
# Scan multiple targets at the same time (IP or domain)
nmap 192.168.1.1 example.com
```
Nmap is flexible with what you point it at — you can mix IP addresses and domain names in the same command, which is handy when scanning a small environment.
Port States
Nmap classifies every port it scans into a state. The three I see most often are:
| State | Meaning |
|---|---|
| open | An application is accepting TCP connections or UDP datagrams on the port. |
| closed | The port is reachable (the host answered, e.g. with RST) but nothing is listening on it. |
| filtered | A firewall or other filter dropped the probe, so Nmap got no answer (or only an ICMP unreachable) and cannot tell whether the port is open. |
Nmap also reports unfiltered (reachable, but an ACK probe cannot tell open from closed), open|filtered and closed|filtered when a scan type cannot distinguish two states.
Firewall Detection (ACK Probing)
One of the most useful tricks I picked up: an ACK probe (-sA) never reports open or closed. It sends a bare ACK and sorts ports into unfiltered (the host answered with RST, so the packet got through and the port could be open or closed) and filtered (no response, or an ICMP unreachable from a filtering device). Comparing that against a SYN scan of the same ports shows how the firewall is behaving: a port that is filtered for SYN but unfiltered for ACK is behind a stateless rule that only blocks connection attempts, while a stateful firewall drops the unsolicited ACKs as well.
This is also where --reason shines: pairing it with an ACK scan tells me why Nmap landed on each verdict (no-response vs. RST vs. ICMP unreachable), which usually clarifies what kind of device is sitting in the path.
Host Discovery & -Pn
Before Nmap scans ports, it normally runs host discovery first to check that the target is alive (as root: ICMP echo and timestamp requests plus a TCP SYN to 443 and a TCP ACK to 80; unprivileged: TCP connects to 80 and 443; ARP on the local subnet). If nothing answers, Nmap marks the host down and skips it, even if it is actually online behind a firewall that drops those probes. The -Pn flag tells Nmap to skip that check entirely and go straight to port scanning.
Practically, -Pn is essential against hosts that block ICMP and the other discovery probes. It is not a speed trick, though: against a single live host it only saves the discovery round-trip, and against a large range with many dead addresses it gets far slower, because every address now receives a full port scan instead of being dropped early.
SYN Scan vs Connect Scan
Both -sT and -sS probe TCP ports, but they behave very differently on the wire. -sT asks the OS for a normal connect(), so the kernel completes the full three-way handshake; -sS crafts the SYN itself and never sends the final ACK.
-sS (SYN / Stealth Scan) on an open port: the scanner sends SYN, the target answers SYN/ACK, and the scanner replies with RST to tear it down instead of ACK. The port is reported open from the SYN/ACK alone.
Because the connection is never completed, the target's application never sees it, so nothing lands in application logs the way a full -sT connect does. That makes -sS faster and quieter at the application layer. It is not invisible, though: the SYN and the RST are ordinary packets that any firewall or IDS watching the wire will see, so the "stealth" label is about logging, not about evading network sensors. It also needs raw-socket privileges, which is why Nmap falls back to -sT when not run as root.
Key insight: the handshake difference between -sS and -sT only matters on open ports. On closed ports, both scans just get an RST back from the target, so they look identical.
Advanced Scan Types: XMAS, FIN, NULL
Beyond SYN scans, Nmap has several "weird-flag" scans that abuse how TCP is supposed to behave. By RFC, a closed port should respond with RST to any unexpected packet, while an open port should ignore it. That asymmetry lets us infer port states without ever starting a real handshake.
The response logic for all three is the same:
| Response | Port state inferred |
|---|---|
| RST received | closed |
| No response | open or filtered (Nmap can't tell which) |
| ICMP unreachable | filtered |
These scans skip the three-way handshake entirely, so they can slip past simple stateless firewalls that only block incoming SYNs. But some systems ignore the RFC and respond with RST to everything, whether the port is open or not; Microsoft Windows and many Cisco devices behave this way, so XMAS/FIN/NULL scans report every port closed against them and are of little use there. They work best against Unix-based targets whose stacks follow RFC 793.
Timing Templates
Speed matters, both for efficiency and for staying under the radar. Nmap exposes six timing templates, -T0 through -T5, via the -T flag:
```bash
nmap -T0 target.com   # paranoid: one probe at a time with long waits, very stealthy, very slow
nmap -T5 target.com   # insane: fastest, very noisy, and may miss ports on a slow or lossy link
```
The rule is simple: higher numbers are faster but make the scan louder and, at -T5, less accurate, because Nmap gives up on unanswered probes quickly. Lower numbers are slower and harder to detect.
Firewall & IDS Evasion Techniques
When the target is hardened — IDS in front, strict firewall, logging everything — a default scan won't go far. Nmap has a few techniques designed specifically to blind, confuse, or sidestep defenders.
-D RND:3 — Decoy Scan
Tells Nmap to generate 3 random, non-reserved IP addresses and send a copy of every probe from each of them alongside your real source address. To a defender reading the logs, it looks like 4 different machines are scanning them at once, and telling which one is the real attacker becomes much harder. You can also list decoys explicitly, with ME marking where your own address should appear in the order. Two caveats: decoys only apply to raw-packet work (SYN, ACK, UDP and weird-flag scans, host discovery and OS detection), so -sT and version detection (-sV) always come from your real address; and if your ISP or upstream router drops packets with spoofed source addresses, the decoy traffic never leaves your network.
```bash
# 3 random decoys mixed in with the real source IP
nmap -D RND:3 target.com
# Explicit decoys; ME marks the position of the real address in the sequence
nmap -D 10.0.0.5,10.0.0.6,ME,10.0.0.7 target.com
```
-f — Fragment Packets
An evasion technique that splits the TCP header across several small IP fragments (8 bytes of payload per fragment with -f, 16 with -ff; --mtu sets another size, which must be a multiple of 8). The idea is to spread the signature across multiple packets so that stateless packet filters or inspection engines that do not reassemble fragments before matching rules never see the full pattern. Two practical caveats: most modern firewalls and host stacks reassemble before inspecting, so this mainly helps against older or misconfigured filters; and some sending systems reassemble the fragments in their own kernel before they leave (Linux with the iptables connection-tracking module loaded is the documented case), so check with a packet capture that fragments actually go out.
```bash
nmap -f -sS target.com
```
--send-eth — Send Raw Ethernet Frames
Asks Nmap to send its packets as raw Ethernet frames at the data-link layer (Layer 2) instead of through the operating system's raw IP sockets (Layer 3). Nmap normally picks the best method for the platform on its own; the counterpart option is --send-ip.
Why use it: it matters on the scanning host, not the target. Raw IP sockets are the efficient choice on Unix, but Windows does not allow them, so Nmap needs Ethernet frames there, and forcing --send-eth can also sidestep a local host firewall or routing quirk that interferes with raw IP sends. It does nothing to make the packets stealthier once they are on the wire, so it belongs in this section only as a way to keep the evasion scans above working when the local stack gets in the way.
```bash
nmap --send-eth -sS target.com
```
Companion Tools
Nmap rarely works alone. A few other tools I picked up alongside it:
whois
Queries the registration records kept by domain registrars and the regional Internet registries: who owns an IP block or domain, the netblock range and abuse contacts. Useful for confirming a target really is in scope. Available as a command-line tool or through web front-ends.
```bash
whois <target ip address>
```
nslookup
Queries DNS: resolves a domain to its IP addresses and, where a PTR record exists, an IP back to a name. The output can be appended to a file for later review:
```bash
nslookup <ip_address or domain> >> results.txt
```
netmask
Shows which range of IPs a subnet mask covers, converting between address ranges, CIDR prefixes and dotted netmasks: useful when scoping out which addresses fall inside a given network before pointing Nmap at it.
Zenmap
The graphical version of Nmap, developed by the same team. Same engine underneath, but with a GUI that's helpful when learning or when presenting results to non-technical stakeholders.
WebMap
A very useful companion tool for scanning a target and generating reports from the results — turns raw Nmap output into something presentable.
TCP vs UDP
To really understand what Nmap is doing, I had to revisit the difference between the two main transport protocols. TCP is connection-oriented: every session starts with the handshake below, so a scanner gets an unambiguous answer (SYN/ACK means open, RST means closed) from a single probe. UDP is connectionless: there is no handshake, so a UDP scan (-sU) sends a datagram and can only infer closed from an ICMP port unreachable reply; silence can mean open or filtered, which is why -sU is slow and reports open|filtered so often.
TCP Flags
TCP packets carry control flags in their header that tell the receiver how to handle the segment. These are the six core flags:
| Flag | Meaning |
|---|---|
| URG | Urgent: the urgent pointer field is valid, so the receiver should hand this data to the application ahead of the normal stream. |
| PSH | Push: asks the receiver to deliver the data to the application right away instead of buffering it. |
| FIN | Finish — signals there will be no further transmission. |
| ACK | Acknowledgement — confirms receipt of a packet. |
| SYN | Synchronization: opens a connection and synchronizes initial sequence numbers between client and server. |
| RST | Reset — resets the connection. |
The TCP 3-Way Handshake
Every TCP connection begins with the same three steps. Understanding this sequence is essential for understanding what scan types like -sT actually do — and what -sS intentionally avoids.
So the flow is:
- The client sends a SYN to the server to start the conversation and enters the SYN-SENT state.
- The server replies with SYN/ACK and moves to SYN-RECEIVED.
- The client sends the final ACK and becomes ESTABLISHED; the server does the same when that ACK arrives.
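The handshake above, and the -sT versus -sS difference earlier, are easiest to see by doing a connect scan by hand. The following is an added example written for these notes, not Nmap code: it uses only the OS socket API, so it behaves like -sT (the kernel completes SYN, SYN/ACK, ACK before connect() returns) and needs no root. A throwaway listener on 127.0.0.1 provides the known-open port and a bound-then-released ephemeral port provides a known-closed one; both are local test fixtures, not real targets. A SYN scan cannot be written this way, because sending a bare SYN and answering the SYN/ACK with RST needs raw sockets.

```python
import errno
import socket
import threading


def start_listener(host="127.0.0.1"):
    """Open a throwaway TCP listener on an ephemeral port so one port is known to be open.

    Test fixture only: returns (server socket, port). Close the socket when done.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(5)

    def serve():
        # Accept and immediately close: the kernel already finished the handshake,
        # which is exactly why -sT connections show up in application logs.
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:  # listener closed
                return
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def closed_port(host="127.0.0.1"):
    """Reserve an ephemeral port and release it, so it is (almost certainly) closed right now."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    port = s.getsockname()[1]
    s.close()
    return port


def connect_scan(host, port, timeout=1.0):
    """Classify one TCP port the way -sT does.

    connect() only returns once the kernel has completed SYN -> SYN/ACK -> ACK, so
    success means 'open'. A closed port answers the SYN with RST, which surfaces as
    ECONNREFUSED. No answer at all (SYN dropped by a firewall) ends in a timeout,
    which is what Nmap reports as 'filtered'.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except socket.timeout:
            return "filtered"
        except ConnectionRefusedError:
            return "closed"
        except OSError as exc:
            # ICMP host/network unreachable also means a filter is in the way.
            if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
                return "filtered"
            raise


def scan_ports(host, ports, timeout=1.0):
    """Run connect_scan over several ports and return {port: state}."""
    return {p: connect_scan(host, p, timeout) for p in ports}


if __name__ == "__main__":
    srv, open_p = start_listener()
    closed_p = closed_port()
    print(scan_ports("127.0.0.1", [open_p, closed_p]))
    srv.close()
```

Point it at a host behind a firewall that silently drops SYNs and the same function returns "filtered" after the timeout, which is why a connect scan of a filtered range takes so long compared with the instant RST from a closed port.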
Wrapping up: These notes cover the foundation I built during my internship — network scanning with Nmap, host discovery tricks like -Pn, the difference between stealth and connect scans, the weird-flag scans (XMAS / FIN / NULL), port states, firewall detection via ACK probing, evasion techniques (decoys, fragmentation, raw ethernet), output formats, the supporting toolset around Nmap, and the TCP fundamentals that make it all work. I'll keep expanding this as I move into more advanced topics.