How to Use Nmap Commands for Effective Penetration Testing: Step-by-Step Guide
In this blog, we’ll uncover the practical power of Nmap commands, showing how this tool can be used efficiently during different stages of a pentest engagement.
When it comes to penetration testing, information is power, and one tool that stands tall in this domain is Nmap (Network Mapper). Whether you are scanning networks for open ports or identifying running services and OS fingerprints, it is often the first weapon in a pentester’s arsenal.

Understanding Nmap:
Nmap, short for Network Mapper, is an open-source utility designed for network scanning and reconnaissance. Created by Gordon Lyon (Fyodor), it has evolved into one of the most powerful tools for discovering hosts and services within a network. It is now considered a standard in penetration testing, red teaming, and network defence audits.
At its core, it operates by sending carefully crafted packets to target systems and analysing the responses (or the absence of a response). From that interaction it infers details such as:
- Open or filtered ports
- Running services and their versions
- Operating system types
- Network topology
- Host availability
Why Is Nmap So Essential for Network Discovery?
In any real-world offensive security engagement, you can’t exploit what you haven’t discovered. It serves as the first line of digital reconnaissance, helping you build a complete picture of the target environment before taking further steps.
Here’s why professionals rely on it:
- Comprehensive Recon: It doesn’t just list IPs and ports — it gives deep insights into services, daemons, and configurations.
- Stealth and Control: Offers granular control over scan speed, packet timing, and detection techniques — essential when flying under the radar.
- Target Prioritisation: Helps identify high-value assets by revealing exposed services, outdated versions, or weak configurations.
- Scriptable Intelligence: With the Nmap Scripting Engine (NSE), you can automate enumeration, fingerprinting, and even light vulnerability scanning.
- Integrates Easily: Nmap's machine-readable output (XML via -oX, grepable via -oG) can be imported into Metasploit's database (db_import) or fed to custom parsers for seamless chaining with other tools.
Nmap in the Offensive Security Lifecycle
It fits naturally into the initial recon and enumeration phases, but its full potential unfolds when:
- Chaining with custom workflows
- Crafting precise scans for stealth
- Leveraging the Nmap Scripting Engine (NSE)
- Evasion through packet manipulation and timing control
As a professional, your goal isn’t just “find open ports”; it’s to map the digital attack surface without detection, and feed that intel downstream to tools like Metasploit, Cobalt Strike, or custom exploits.
How to Use Nmap Commands:
It is widely supported and easy to install across Linux, Windows, and macOS. Below are the steps for each platform:
On Linux:
For Debian-based distributions (Kali, Ubuntu, Parrot OS):
sudo apt update
sudo apt install nmap
You can verify installation with:
nmap --version
On Windows:
- Visit the official site: https://nmap.org/download.html
- Download the Windows Installer (includes Zenmap GUI and Npcap driver).
- Run the installer and follow the setup wizard.
After installation, open Command Prompt or PowerShell and type:
nmap --version
On macOS:
Using Homebrew:
brew install nmap
If you don’t have Homebrew installed, you can get it from https://brew.sh.
Alternatively, you can download the macOS installer from https://nmap.org/download.html, but Homebrew makes it easier to update and manage.
Nmap Commands for Scanning Techniques:
Understanding the right scanning technique is crucial for extracting meaningful data without triggering alarms. Below are commonly used scanning types with example commands and clear explanations:
TCP Connect Scan (Full Open Scan)
Nmap Commands: nmap -sT 10.10.1.87 --top-ports 50

Explanation:
- -sT: Performs a TCP Connect Scan, which completes the full three-way handshake (SYN → SYN-ACK → ACK) through the operating system's connect() call. It needs no root privileges, but every completed connection can appear in the target service's own logs.
- --top-ports 50: Scans the 50 most commonly used TCP ports (ranked by Nmap's built-in frequency data).
- 10.10.1.87: Target IP address.
SYN Scan (Stealth Scan)
Nmap Commands: sudo nmap -sS 10.10.1.87 -p 1-1000

Explanation:
- -sS: Performs a SYN (stealth, or "half-open") scan: Nmap sends a SYN, classifies the port from the reply (SYN-ACK means open, RST means closed, no reply or an ICMP error means filtered), and tears the attempt down with a RST instead of completing the handshake.
- -p 1-1000: Scans TCP ports 1 through 1000.
- sudo: SYN scans are built from raw packets, so Nmap needs root (or the CAP_NET_RAW capability); without it, nmap -sS refuses to run.
Note: This is Nmap's default scan type when run with root privileges (unprivileged users get -sT instead) and the most popular one. Because the handshake is never completed, it is faster than a full connect scan and usually invisible to the target application's logs. It is not invisible to firewalls and IDS, which see the SYN probes like any other traffic.
UDP Scan
Nmap Commands: nmap -sU 10.10.1.87 -p 53,67,123

Explanation:
- -sU: Performs a UDP scan.
- -p 53,67,123: Scans specific UDP ports (commonly DNS, DHCP, NTP).
Note: UDP scans are slower and less reliable. A closed port normally answers with an ICMP port-unreachable message, but an open port often stays silent, so Nmap can only report open|filtered unless the service replies to a probe; many hosts also rate-limit ICMP, which stretches scan time. Adding -sV makes Nmap send protocol-specific payloads that coax real answers out of DNS, DHCP and NTP, and the scan is essential for services that only speak UDP.
Aggressive Scan (Use with Caution)
Nmap Commands: nmap -A 10.10.1.87

Explanation:
- -A: An Aggressive scan includes OS detection, version detection, script scanning, and traceroute.
Use case: Only in test environments. Scanning public assets like this can be interpreted as hostile activity.
Service Version Detection
Nmap Commands: nmap -sV 10.10.1.87 -p 443

Explanation:
- -sV: Tries to identify the service and its version running on port 443 (HTTPS).
Note: Hardened, load-balanced or rate-limited targets may drop or reject version probes, so -sV can return partial data or nothing at all; the --version-intensity and --reason options help judge how much to trust the result.
Default Scan and DNS Name Resolution
Nmap Commands: nmap 10.10.1.87

Explanation:
- No flags: Nmap performs its default scan of the 1000 most common TCP ports (a SYN scan when run as root, a connect scan otherwise). If you supply a hostname instead of an IP address, Nmap resolves it to an IP first; by default it also reverse-resolves the addresses it scans, which generates DNS traffic of its own. Use -n to skip reverse resolution when you want to keep the scan quiet.
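The scans above work best as stages rather than one-offs: a cheap SYN sweep decides which ports deserve the noisier, slower -sV probes, and a UDP sweep must be read with the open|filtered ambiguity in mind. The script below is an added example, not code from the original post, that parses Nmap's grepable output (-oG) to chain the SYN scan into a targeted version scan and to list UDP port states. The function and file names, the use of sudo, and the sample .gnmap text (constructed by hand, not real scan output) are assumptions of the example; 10.10.1.87 is the target used in the post.

```shell
#!/bin/sh
# Added example (not from the original post): chain "nmap -sS" into a targeted
# "nmap -sV" by parsing grepable (-oG) output, and surface UDP port states.
# Assumptions: nmap is installed and staged_scan runs with sudo; function and
# file names are hypothetical; the sample .gnmap below is constructed by hand.

# Print "port/proto state" for every port entry of one host in a .gnmap file.
# Grepable lines are tab-separated:
#   Host: <ip> (<name>)<TAB>Ports: 22/open/tcp//ssh///, ...<TAB>Ignored State: ...
# Each port entry is port/state/proto/owner/service/rpcinfo/version.
port_states_from_gnmap() {
    gnmap_file="$1"; host="$2"
    grep "^Host: $host " "$gnmap_file" \
      | tr '\t' '\n' | grep '^Ports: ' | sed 's/^Ports: //' \
      | tr ',' '\n' | sed 's/^ *//' \
      | awk -F/ 'NF >= 3 { print $1 "/" $3 " " $2 }'
}

# Print the ports of one host that are exactly "open" for the given protocol
# (tcp or udp) as a comma-separated list ready for "nmap -p". The ambiguous
# UDP state open|filtered (no reply at all) is deliberately left out.
open_ports_from_gnmap() {
    port_states_from_gnmap "$1" "$2" \
      | awk -v proto="$3" '
          { split($1, p, "/")
            if (p[2] == proto && $2 == "open") { printf "%s%s", sep, p[1]; sep = "," } }
          END { print "" }'
}

# Stage 1: SYN sweep of the top 1000 TCP ports, saved in grepable form.
# Stage 2: version detection only on the ports stage 1 found open, which is
# quieter and faster than running -sV across the whole range.
staged_scan() {
    target="$1"
    sweep="sweep-$target.gnmap"
    sudo nmap -sS --top-ports 1000 -oG "$sweep" "$target"
    ports=$(open_ports_from_gnmap "$sweep" "$target" tcp)
    if [ -z "$ports" ]; then
        echo "no open TCP ports found on $target" >&2
        return 1
    fi
    sudo nmap -sV -p "$ports" -oG "versions-$target.gnmap" "$target"
}

# Constructed sample of -oG output for a combined TCP/UDP scan (not a real
# scan). 53/udp answered (open), 67/udp never replied (open|filtered), and
# 123/udp returned ICMP port unreachable (closed).
TAB=$(printf '\t')
SAMPLE_GNMAP="${TMPDIR:-/tmp}/sample-sweep.gnmap"
printf '%s\n' \
  '# Nmap 7.94 scan initiated as: nmap -sS -sU -p T:1-1000,U:53,67,123 -oG sample-sweep.gnmap 10.10.1.87' \
  "Host: 10.10.1.87 ()${TAB}Status: Up" \
  "Host: 10.10.1.87 ()${TAB}Ports: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///, 53/open/udp//domain///, 67/open|filtered/udp//dhcps///, 123/closed/udp//ntp///${TAB}Ignored State: closed (997)" \
  '# Nmap done -- 1 IP address (1 host up) scanned' \
  > "$SAMPLE_GNMAP"

# Dry run on the sample file; "staged_scan 10.10.1.87" would run the real scans.
echo "TCP ports to hand to -sV: $(open_ports_from_gnmap "$SAMPLE_GNMAP" 10.10.1.87 tcp)"
echo "UDP ports confirmed open:  $(open_ports_from_gnmap "$SAMPLE_GNMAP" 10.10.1.87 udp)"
port_states_from_gnmap "$SAMPLE_GNMAP" 10.10.1.87
```

On the sample, the TCP list comes out as 22,80,443 and the UDP list as just 53: 67/udp is reported as open|filtered, so it is printed by port_states_from_gnmap for a human to judge but never fed to -sV automatically. The parser only handles the port-sweep output; version strings from -sV can contain characters that break the simple comma split, so parse that stage from XML (-oX) instead.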
Final Thoughts
Nmap is not just a network scanner. It’s a tactical intelligence tool, especially in the hands of an advanced pentester. Even with just the basic scans, you can gather a lot of useful information, like finding live systems, checking open ports, and identifying running services.
Understanding these basics is the first step to building stronger security skills. As you practice more, you’ll discover just how powerful it can be when used the right way.
Remember, always scan ethically and with proper permission. Start with the basics, keep learning, and soon you’ll be ready to explore the advanced features it has to offer.
For more cybersecurity content, visit https://learn.cyberfrat.com
Written By
Tamanna Agrawal
Assistant Manager – Operations, CyberFrat