
Nmap: Scan and Audit a Linux Network

Nmap (Network Mapper) is the reference tool for network mapping and security auditing. This tutorial walks you through installation, scan types, NSE scripts and best practices for using Nmap legally and effectively.

What is Nmap?

Nmap (Network Mapper) is an open source network scanner created by Gordon Lyon (Fyodor) in 1997. It is the reference tool for host discovery, network inventory, service detection and security auditing. It is used by system administrators, pentesters and security teams around the world.

Introduction: why use Nmap?

Nmap answers a fundamental question in network administration: what is on my network, and what state is it in? Its use cases are numerous:

  • Network inventory: automatically discover all active hosts on a segment or an address range.
  • Security auditing: identify open ports and services that are needlessly exposed.
  • Service and version detection: know exactly which software is listening on which port, along with its version number.
  • OS detection: identify the operating system of remote machines to adapt security measures.
  • Firewall auditing: verify that filtering rules are correctly applied from the outside.
  • Vulnerability detection: through NSE scripts, Nmap can test for weak configurations or known vulnerabilities.

Mandatory legal framework
Scanning a network without authorization is illegal in most countries. In France, article 323-1 of the Penal Code punishes unauthorized access to a computer system. Use Nmap only on your own systems or with explicit written authorization.

Installing Nmap

Nmap is available in the official repositories of all major Linux distributions.

Debian / Ubuntu

sudo apt update
sudo apt install -y nmap

# Check the installed version
nmap --version

CentOS / RHEL / AlmaLinux / Rocky Linux

# CentOS 7 / RHEL 7
sudo yum install -y nmap

# CentOS 8+ / RHEL 8+ / AlmaLinux / Rocky Linux
sudo dnf install -y nmap

nmap --version

Arch Linux / Manjaro

sudo pacman -S nmap

From source (latest version)

To get the very latest version with all features:

# Build dependencies
sudo apt install -y build-essential libssl-dev libpcap-dev

# Download the sources from nmap.org
wget https://nmap.org/dist/nmap-7.95.tar.bz2
tar -xjf nmap-7.95.tar.bz2
cd nmap-7.95/

# Compile and install
./configure
make
sudo make install

nmap --version

Basic syntax

The general Nmap syntax is:

nmap [options] target

The target can be an IP address, a hostname, an address range or CIDR notation. The options define the scan type, the ports to probe, the timing and the output format.

# Simple scan of an IP
nmap 192.168.1.1

# Scan of a hostname
nmap example.com

# Control DNS resolution
nmap -n 192.168.1.1    # disables DNS resolution (faster)
nmap -R 192.168.1.1    # forces reverse DNS resolution

Scan types

Nmap offers several scanning methods, each suited to a specific context.

TCP SYN scan (-sS) — the reference stealth scan

The SYN scan is the default scan when Nmap is run with root privileges. It sends a SYN packet and analyzes the response:

  • SYN/ACK received: the port is open. Nmap responds with a RST so as not to complete the connection.
  • RST received: the port is closed.
  • No response: the port is filtered (firewall).

This scan is fast, stealthy (it does not complete the TCP connection) and generally leaves no trace in application logs.

# SYN scan on the 1000 most common ports (requires root)
sudo nmap -sS 192.168.1.1

# SYN scan on all ports
sudo nmap -sS -p- 192.168.1.1

TCP Connect scan (-sT)

The TCP Connect scan uses the operating system's connect() system call to establish a full TCP connection (SYN → SYN/ACK → ACK). It does not require root privileges but is slower and leaves traces in the logs of the target services.

# TCP Connect scan (without root)
nmap -sT 192.168.1.1

# Useful from an unprivileged user or through a SOCKS proxy
nmap -sT --proxies socks4://127.0.0.1:1080 192.168.1.1

UDP scan (-sU)

The UDP scan probes UDP ports. It is inherently slow because UDP is connectionless: when a probe gets no reply, Nmap has to wait for its timeout (and retransmissions) to expire before it can classify the port. A UDP port is considered open if a UDP response is received, closed if an ICMP "port unreachable" is received, and open|filtered in the absence of a response.

# UDP scan (slow, requires root)
sudo nmap -sU 192.168.1.1

# UDP scan on the most common ports only
sudo nmap -sU --top-ports 100 192.168.1.1

# Combined TCP SYN + UDP
sudo nmap -sS -sU -p T:80,443,22,U:53,123,161 192.168.1.1

Service version detection (-sV)

The -sV option enables version detection. After identifying the open ports, Nmap sends specialized probes to identify the exact service and its version number. The nmap-service-probes database contains thousands of signatures.

# Version detection on open ports
sudo nmap -sV 192.168.1.1

# Detection intensity (0=light, 9=exhaustive, default=7)
sudo nmap -sV --version-intensity 9 192.168.1.1

Example output:

PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 (Ubuntu Linux; protocol 2.0)
80/tcp  open  http    nginx 1.24.0
443/tcp open  ssl     nginx 1.24.0

OS detection (-O)

Nmap uses TCP/IP fingerprinting techniques — analyzing TTL fields, TCP window sizes, TCP options, ICMP behavior — to identify the remote operating system with a confidence level expressed as a percentage.

# OS detection (requires root)
sudo nmap -O 192.168.1.1

# Guess more aggressively when no exact fingerprint match is found
sudo nmap -O --osscan-guess 192.168.1.1

Example output:

OS details: Linux 5.4 - 5.15
OS CPE: cpe:/o:linux:linux_kernel:5

Aggressive scan (-A)

The -A option is a shortcut that simultaneously enables version detection (-sV), OS detection (-O), traceroute (--traceroute) and the default NSE scripts (-sC). It is the most complete and the most "noisy" scan on the network.

# Full aggressive scan
sudo nmap -A 192.168.1.1

# Aggressive scan with verbose output
sudo nmap -A -v 192.168.1.1

The -A scan and IDS detection
The aggressive scan generates a large volume of packets and will very likely be detected by an IDS/IPS (Snort, Suricata). Reserve it for authorized audits in a lab environment or in production with prior validation.

Target management

Nmap offers great flexibility for defining the targets to scan.

Single IP, hostname

nmap 192.168.1.10
nmap myserver.local
nmap example.com

Address range

# Range with a dash
nmap 192.168.1.1-50

# Subnet range with a wildcard
nmap 192.168.1.*

# Multiple hosts separated by spaces
nmap 192.168.1.1 192.168.1.5 192.168.1.10

CIDR notation

# Scan an entire /24 subnet (254 hosts)
sudo nmap -sn 192.168.1.0/24

# /16 subnet (65534 hosts) — prefer narrowing the target
sudo nmap -sn 10.0.0.0/16

Target file (-iL)

To scan a list of hosts stored in a text file (one IP or hostname per line):

# Contents of targets.txt
# 192.168.1.1
# 192.168.1.5
# web-server.local

sudo nmap -iL targets.txt -sV -oA results

Excluding targets (--exclude, --excludefile)

# Exclude an IP from a subnet scan
sudo nmap 192.168.1.0/24 --exclude 192.168.1.1

# Exclude a list of hosts from a file
sudo nmap 192.168.1.0/24 --excludefile exclusions.txt

Port management

Specifying ports (-p)

# Single port
nmap -p 80 192.168.1.1

# Multiple ports
nmap -p 22,80,443,8080 192.168.1.1

# Port range
nmap -p 1-1024 192.168.1.1

# All TCP ports (1-65535)
nmap -p- 192.168.1.1

# Combined TCP and UDP ports
nmap -p T:80,443,U:53,161 192.168.1.1

Most common ports (--top-ports, -F)

# The 100 most common ports (fast)
nmap -F 192.168.1.1

# The N most common ports (based on frequency in nmap-services)
nmap --top-ports 200 192.168.1.1
nmap --top-ports 1000 192.168.1.1

Timing options (-T0 to -T5)

Timing controls the speed and aggressiveness of the scan. A high timing is faster but more visible and less reliable on congested networks.

Option  Name        Use case
-T0     Paranoid    IDS evasion, extremely slow (5 min between probes)
-T1     Sneaky      IDS evasion, very slow (15 sec between probes)
-T2     Polite      Reduces network load, slows down the scan
-T3     Normal      Default, balance between speed and reliability
-T4     Aggressive  Fast and reliable network, recommended for labs
-T5     Insane      Maximum speed, risk of inaccurate results

# Fast scan on a reliable local network
sudo nmap -T4 -F 192.168.1.0/24

# Discreet scan to avoid IDS
sudo nmap -T1 -sS 10.0.0.1

NSE scripts (Nmap Scripting Engine)

The NSE scripting engine is one of Nmap's most powerful features. It lets you run Lua scripts to automate advanced tasks: vulnerability detection, service enumeration, authentication testing, and so on. Nmap includes more than 600 scripts organized into categories.

Main categories

  • auth: tests authentication mechanisms (default credentials, bypass).
  • broadcast: host discovery via broadcast (mDNS, DHCP, etc.).
  • default: scripts considered useful, fast and non-intrusive (enabled by -sC).
  • discovery: enumeration of additional information (DNS, SNMP, LDAP).
  • exploit: actual exploitation attempts (caution, intrusive).
  • fuzzer: fuzzing tests on protocols.
  • intrusive: aggressive scripts that can trigger alerts or impact services.
  • malware: detection of known backdoors and malware.
  • safe: non-intrusive scripts with no impact on target services.
  • version: version detection extensions.
  • vuln: detection of known vulnerabilities (CVEs, misconfigurations).

Using scripts

# Default scripts (-sC is equivalent to --script=default)
sudo nmap -sC 192.168.1.1

# Specific script
sudo nmap --script http-title 192.168.1.1

# Full category
sudo nmap --script vuln 192.168.1.1

# Multiple categories
sudo nmap --script "auth,discovery" 192.168.1.1

# Script with arguments
sudo nmap --script http-brute --script-args http-brute.hostname=example.com 192.168.1.1

Concrete NSE script examples

# Detect Heartbleed on port 443
sudo nmap -p 443 --script ssl-heartbleed 192.168.1.1

# Detect SMBv1 (EternalBlue/WannaCry) on Windows
sudo nmap -p 445 --script smb-vuln-ms17-010 192.168.1.0/24

# Test default SSH credentials
sudo nmap -p 22 --script ssh-brute 192.168.1.1

# Enumerate SMB shares
sudo nmap -p 445 --script smb-enum-shares 192.168.1.1

# Retrieve HTTP headers and the page title
sudo nmap -p 80,443 --script http-headers,http-title 192.168.1.1

# Detect misconfigured RDP services
sudo nmap -p 3389 --script rdp-enum-encryption 192.168.1.0/24

# List the available scripts in a category
ls /usr/share/nmap/scripts/ | grep vuln

Output formats

Nmap offers several output formats to integrate its results into analysis or reporting workflows.

Option      Format                  Usage
-oN file    Normal (readable text)  Human reading, documentation
-oX file    XML                     Automated parsing, CI/CD integration
-oG file    Grepable                Shell processing (grep, awk, sed)
-oS file    Script kiddie           Anecdotal
-oA prefix  All formats             Generates .nmap, .xml and .gnmap in a single command

# Simple text output
sudo nmap -sV 192.168.1.0/24 -oN network_scan.txt

# XML output for automated parsing
sudo nmap -sV 192.168.1.0/24 -oX network_scan.xml

# Grepable output
sudo nmap -sV 192.168.1.0/24 -oG network_scan.gnmap

# All formats at once (recommended for audits)
sudo nmap -A 192.168.1.0/24 -oA audit_$(date +%Y%m%d)

# Extract hosts with port 22 open from the grepable output
# (the leading space and trailing slash keep "2222/open" or "122/open" from matching too)
grep " 22/open/" network_scan.gnmap | awk '{ print $2 }'

# Parse the XML with nmap-parse-output (third-party tool)
nmap-parse-output network_scan.xml hosts-with-port 80

Practical use cases

Case 1: Network inventory scan

Discover all active hosts on a subnet without scanning ports (ping scan):

# Ping scan: host discovery only (fast)
sudo nmap -sn 192.168.1.0/24

# With DNS resolution disabled (even faster)
sudo nmap -sn -n 192.168.1.0/24

# Save the inventory
sudo nmap -sn 192.168.1.0/24 -oG - | grep "Status: Up" | awk '{ print $2 }' > active_hosts.txt

Case 2: Detecting exposed services

Identify all listening services on a server, along with their versions:

# Full version scan on all ports
sudo nmap -sV -p- -T4 --open 192.168.1.10

# Show only open ports
sudo nmap --open -sV 192.168.1.10

# Detect web services on non-standard ports
sudo nmap -sV --script http-title -p 80,443,8080,8443,8888,3000 192.168.1.10

Case 3: Auditing firewall rules

Verify that firewall rules are correctly applied from the outside:

# Scan from an external machine and compare with the expected policy
sudo nmap -sS -sV -p- 203.0.113.10

# Test evasion techniques (ACK scan to map stateful rules)
sudo nmap -sA -p 80,443 203.0.113.10

# Scan with fragmentation to test packet filtering rules
sudo nmap -sS -f 192.168.1.1

# Test whether a firewall is stateful or stateless (Window scan)
sudo nmap -sW 192.168.1.1
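
The policy comparison that Case 3 describes, carried out over the XML output from the output formats section, as an added example that is not part of this tutorial: it parses a constructed -oX sample with Python's standard library, keeps only hosts that are up and ports that are open, and reports every open port the expected policy does not allow. The sample scan and the POLICY allowlist are assumptions constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample of "nmap -sV -oX" output (not a real scan), trimmed to the elements this parser reads.
SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 203.0.113.0/30">
<host><status state="up" reason="syn-ack"/>
 <address addr="203.0.113.10" addrtype="ipv4"/>
 <ports>
  <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
   <service name="ssh" product="OpenSSH" version="8.9p1"/></port>
  <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
   <service name="http" product="nginx" version="1.24.0"/></port>
  <port protocol="tcp" portid="3306"><state state="open" reason="syn-ack"/>
   <service name="mysql" product="MySQL" version="8.0.36"/></port>
  <port protocol="tcp" portid="8080"><state state="filtered" reason="no-response"/>
   <service name="http-proxy"/></port>
 </ports></host>
<host><status state="down" reason="no-response"/>
 <address addr="203.0.113.11" addrtype="ipv4"/></host>
</nmaprun>"""

# Constructed expected-exposure policy: host -> "port/proto" values allowed to be open.
POLICY = {"203.0.113.10": {"22/tcp", "80/tcp", "443/tcp"}}

def parse_open_ports(xml_text):
    """Return {host: {"port/proto": "name product version"}} for open ports only;
    hosts that are down and ports that are closed or filtered are skipped (not an exposure)."""
    inventory = {}
    for host in ET.fromstring(xml_text).findall("host"):
        if host.find("status").get("state") != "up":
            continue
        ip = host.find("address[@addrtype='ipv4']").get("addr")
        inventory[ip] = {}
        for port in host.findall("ports/port"):
            if port.find("state").get("state") != "open":
                continue
            svc = port.find("service")
            fields = () if svc is None else (svc.get("name"), svc.get("product"), svc.get("version"))
            inventory[ip][f"{port.get('portid')}/{port.get('protocol')}"] = " ".join(f for f in fields if f)
    return inventory

def unexpected_exposures(inventory, policy):
    """(host, port/proto, banner) for each open port the policy does not allow,
    sorted by port number; a host absent from the policy has no allowed ports at all."""
    findings = []
    for ip, ports in sorted(inventory.items()):
        for key, banner in sorted(ports.items(), key=lambda kv: int(kv[0].split("/")[0])):
            if key not in policy.get(ip, set()):
                findings.append((ip, key, banner))
    return findings
```

Run a real scan with -oX, read the file and pass its contents to parse_open_ports(); a non-empty list from unexpected_exposures() is a deviation from the expected policy to investigate.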

Case 4: Quick web server audit

# Targeted scan on web ports with appropriate NSE scripts
sudo nmap -sV -p 80,443,8080,8443 \
    --script "http-headers,http-title,http-methods,http-security-headers,ssl-cert,ssl-enum-ciphers" \
    -T4 \
    -oA web_audit_$(date +%Y%m%d) \
    myserver.example.com

Legal and ethical best practices

Using Nmap, like any security auditing tool, must comply with a strict framework:

  • Explicit authorization: Always obtain written authorization before scanning systems you do not own. Document the scope, the dates and the authorized methods.
  • Test environment: Favor a dedicated lab (virtual machines, isolated network) to learn and test.
  • Legal platforms: Platforms such as HackTheBox, TryHackMe or VulnHub provide legal environments for practice.
  • Minimal impact: Adjust the timing (-T2 or -T3) on production environments to limit network load.
  • Logging: Always save your scans with -oA to trace the operations performed.
  • Coordination: Inform the network/security team before any scan, even an authorized one, to avoid triggering unnecessary alerts.
  • Personal data: Scan results can reveal sensitive information about the infrastructure. Treat them as confidential data.

Resources for practicing legally
HackTheBox and TryHackMe offer labs with vulnerable machines on which you can practice Nmap and other pentest tools in a fully legal and ethical framework.

Useful commands — Summary table

Command                                         Description
nmap -sn 192.168.1.0/24                         Host discovery (ping scan, no port scan)
sudo nmap -sS -T4 192.168.1.1                   Fast SYN scan on the 1000 most common ports
sudo nmap -sV -p- -T4 192.168.1.1               Version detection on all TCP ports
sudo nmap -A -T4 192.168.1.1                    Aggressive scan: OS + version + scripts + traceroute
sudo nmap -sU --top-ports 100 192.168.1.1       UDP scan of the 100 most common ports
sudo nmap -sC -sV 192.168.1.1                   Default scripts + version detection
sudo nmap --script vuln 192.168.1.1             Detection of known vulnerabilities via NSE
sudo nmap -sS -p- -oA audit 192.168.1.1         Full SYN scan with output saved in all formats
sudo nmap -iL targets.txt -sV -oN report.txt    Scan a list of targets with output to a file
sudo nmap -sV --open 192.168.1.0/24             List only the open ports across an entire network

Conclusion

Nmap is an essential tool for any system administrator or security professional. Its wealth of features — from simple pings to advanced NSE scripts — makes it the Swiss Army knife of network mapping. Mastering Nmap means understanding in depth the attack surface of your infrastructure and being able to audit it regularly.

The natural next step is to combine Nmap with complementary tools: Fail2Ban to protect against incoming scans, Suricata or Snort to detect scan attempts on your network, and Lynis for a complete security audit of the operating system. Network security is a continuous process: regularly scanning your own network with Nmap is one of the best ways to keep an accurate view of your exposure.

Written by

Morgann Riu

Cybersecurity and Linux administration expert. I share my knowledge through free tutorials and training to help system administrators and developers secure their infrastructures.
