Nmap scanning techniques

March 19, 2024  |  Kushalveer Singh Bachchas

The content of this post is solely the responsibility of the author.  AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. 

In our previous blog, we explored the significance of host discovery techniques using Nmap, Netdiscover, and Angry IP Scanner. Now, let's dive deeper into the network reconnaissance and focus specifically on the powerful features offered by Nmap.

Renowned for its versatility and robust feature set, Nmap enables analysts to probe networked systems, map network topology, identify open ports, detect services, and even determine operating system details. Its command-line interface, coupled with a myriad of options and scripting capabilities, makes it an indispensable asset for security professionals, network administrators, and ethical hackers alike.

I have used a virtual environment created mainly for demonstration purposes to see these scanning techniques in action, Target machine for this demonstration is metasploitable2 (, Attacker Machine is Kali Linux ( We already have seen how to discover hosts in a networked environment in our previous blog. Additionally, you can refer to nmap.org for better understanding of these techniques.

Let's take a look at different techniques nmap offers:

1. TCP SYN scan (-sS):

The TCP SYN scan, also known as a half-open scan, sends SYN packets to target hosts and analyzes responses to determine if the host is alive. This technique is stealthy and efficient, as it does not complete the TCP handshake, thereby minimizing detection by intrusion detection systems (IDS).

Syntax: sudo nmap -sS target_ip

TCP SYN scan 

2. UDP scan (-sU):

The UDP scan sends UDP packets to target hosts and analyzes responses to identify open UDP ports. This technique is particularly useful for discovering services that may not respond to TCP probes.

Syntax: sudo nmap -sU target_ip 

3. Comprehensive scan (-sC):

The comprehensive scan option, denoted by -sC, enables users to launch a battery of default scripts against target hosts. These scripts encompass a wide range of functionalities, including service discovery, version detection, vulnerability assessment, and more.

Syntax: nmap -sC target_ip
co0mprehensive scan

Users can try and compare the output with aggressive scan and other scanning techniques

Aggressive scan (-A):

The aggressive scan option, denoted by -A, combines various scanning techniques such as TCP SYN scanning, version detection, OS detection, and script scanning into a single command. This scan provides comprehensive insights into target hosts but may increase the risk of detection.

aggressive scan

Syntax: nmap -A target_ip 

aggressive scan 2

Above images are partial snapshots of aggressive scan.

Best practices:

While Nmap offers unparalleled capabilities for network reconnaissance and security auditing, it is essential to adhere to best practices and ethical guidelines:

Permission and authorization: Always ensure that you have explicit permission to conduct scans on target networks and systems. Unauthorized scanning can lead to legal repercussions and damage relationships with network owners.

Scan timing and stealth: Adjust scan timing and techniques to minimize disruption and avoid detection by intrusion detection systems (IDS) and firewalls. Use stealthy scanning options, such as TCP SYN scans, to maintain a low profile.

Data interpretation: Analyze scan results meticulously to identify potential security risks, prioritize remediation efforts, and validate security configurations. Exercise caution while interpreting findings and avoid making assumptions based solely on scan results.

Continuous learning and collaboration: Network reconnaissance and security auditing are dynamic fields. Stay updated with the latest developments, collaborate with peers, and engage in knowledge-sharing activities to enhance your expertise and adapt to evolving threats.

Nmap's rich feature set, scanning techniques, and scripting capabilities empower analysts to navigate complex networks, identify potential vulnerabilities, and fortify defenses against emerging threats. 

Share this with others

Get price Free trial