Hubbry Logo
search
logo
Nmap avatar
Nmap
Nmap
current hub
2209931

Nmap

logo
Community Hub0 Subscribers
Read side by side
Nmap
View on Wikipedia
from Wikipedia
Nmap Security Scanner
Original authorGordon Lyon (Fyodor)
Initial releaseSeptember 1997; 28 years ago (1997-09)
Stable release
7.98[1] Edit this on Wikidata / 21 August 2025; 2 months ago (21 August 2025)
Repository
Written inC, C++, Python, Lua
Operating systemCross-platform
Available inEnglish
TypeNetwork security
LicenseNPSL[2] or modified GPLv2[3] or proprietary
Websitenmap.org Edit this on Wikidata

Nmap (Network Mapper) is a network scanner created by Gordon Lyon (also known by his pseudonym Fyodor Vaskovich).[4] Nmap is used to discover hosts and services on a computer network by sending packets and analyzing the responses.[5]

Nmap provides a number of features for probing computer networks, including host discovery and service and operating system detection. These features are extensible by scripts that provide more advanced service detection,[6] vulnerability detection,[6] and other features. Nmap can adapt to network conditions including latency and congestion during a scan.

Nmap started as a Linux utility[7] and was ported to other systems including Windows, macOS, and BSD.[8] It is most popular on Linux, followed by Windows.[9]

Features

[edit]

Nmap features include:

  • Fast scan (nmap -F [target]) – Performing a basic port scan for fast result.
  • Host discovery – Identifying hosts on a network. For example, listing the hosts that respond to TCP and/or ICMP requests or have a particular port open.
  • Port scanning – Enumerating the open ports on target hosts.
  • Version detection – Interrogating network services on remote devices to determine application name and version number.[10]
  • Ping Scan – Check host by sending ping requests.
  • TCP/IP stack fingerprinting – Determining the operating system and hardware characteristics of network devices based on observations of network activity of said devices.
  • Scriptable interaction with the target – using Nmap Scripting Engine[11] (NSE) and Lua programming language.

Nmap can provide further information on targets, including reverse DNS names, device types, and MAC addresses.[12]

Typical uses of Nmap:

  • Auditing the security of a device or firewall by identifying the network connections which can be made to, or through it.[13]
  • Identifying open ports on a target host in preparation for auditing.[14]
  • Network inventory, network mapping, maintenance and asset management.[15]
  • Auditing the security of a network by identifying new servers.[16]
  • Generating traffic to hosts on a network, response analysis and response time measurement.[17]
  • Finding and exploiting vulnerabilities in a network.[18]
  • DNS queries and subdomain search

User interfaces

[edit]

NmapFE, originally written by Kanchan, was Nmap's official GUI for Nmap versions 2.2 to 4.22.[19] For Nmap 4.50 (originally in the 4.22SOC development series) NmapFE was replaced with Zenmap, a new official graphical user interface based on UMIT, developed by Adriano Monteiro Marques.

Output

[edit]

Four different output formats are offered by Nmap. Everything is saved to a file except the interactive output. Text processing software can be used to modify Nmap output, allowing the user to customize reports.[20]

Interactive
presented and updated real time when a user runs Nmap from the command line. Various options can be entered during the scan to facilitate monitoring.
XML
a format that can be further processed by XML tools. It can be converted into a HTML report using XSLT.
Grepable
output that is tailored to line-oriented processing tools such as grep, sed, or awk.
Normal
the output as seen while running Nmap from the command line, but saved to a file.
Script kiddie
meant to be an amusing way to format the interactive output replacing letters with their visually alike number representations. For example, Interesting ports becomes Int3rest1ng p0rtz. This is known as Leet.

History

[edit]

Nmap was first published in September 1997, as an article in Phrack Magazine with source-code included.[21] With help and contributions of the computer security community, development continued. Enhancements included operating system fingerprinting, service fingerprinting,[10] code rewrites (C to C++), additional scan types, protocol support (e.g. IPv6, SCTP[22]) and new programs that complement Nmap's core features.

Major releases include:[19]

Date Version Significance
December 12, 1998; 26 years ago (1998-12-12) Nmap 2.00 Nmap 2.00 is released, including Operating System fingerprinting[23]
April 11, 1999; 26 years ago (1999-04-11) NmapFE A GTK+ front end, is bundled with Nmap[23]
December 7, 2000; 24 years ago (2000-12-07) Windows port[19]
August 28, 2002; 23 years ago (2002-08-28) Rewrite from C to C++[19]
September 16, 2003; 22 years ago (2003-09-16) The first public release to include service version detection[19]
August 31, 2004; 21 years ago (2004-08-31) Nmap 3.70 Core scan engine rewritten for version 3.70. New engine is called ultra_scan[24]
Summer 2005 Nmap selected for participation in Google Summer of Code.[25] Added features included Zenmap, Nmap Scripting Engine (NSE), Ncat, and 2nd-generation OS detection.
December 13, 2007; 17 years ago (2007-12-13) Nmap 4.50 Nmap 4.50, the 10th Anniversary Edition, was released. Included Zenmap, 2nd-generation OS detection, and the Nmap Scripting Engine[26]
March 30, 2009; 16 years ago (2009-03-30) Nmap 4.85BETA5 Emergency release of Nmap 4.85BETA5, leveraging NSE to detect Conficker infections[27]
July 16, 2009; 16 years ago (2009-07-16) Nmap 5.00 Included netcat-replacement Ncat and Ndiff scan comparison tool[28]
January 28, 2011; 14 years ago (2011-01-28) Nmap 5.50 Included Nping packet generation response analysis and response time measurement, including TCP, UDP and ICMP probe modes.[29][30]
May 21, 2012; 13 years ago (2012-05-21) Nmap 6.00 Released with full IPv6 support.[citation needed]
November 9, 2015; 9 years ago (2015-11-09) Nmap 7.00 [31]
December 20, 2016; 8 years ago (2016-12-20) Nmap 7.40
March 20, 2018; 7 years ago (2018-03-20) Nmap 7.70 [32]
August 10, 2019; 6 years ago (2019-08-10) Nmap 7.80 [33]
October 3, 2020; 5 years ago (2020-10-03) Nmap 7.90 [34] The new fingerprints allow better operating system and service/version detection. 3 new NSE scripts, new protocol library and payloads for host discovery, port scanning and version detection. Npcap 1.0.0, the first fully stable version of the Windows raw packet capturing/sending driver.
[edit]

Nmap is a tool that can be used to discover services running on Internet connected systems. Like any tool, it could potentially be used for black hat hacking,[35] as a precursor to attempts to gain unauthorized access to computer systems. However, Nmap is also used by security and systems administrators to assess their own networks for vulnerabilities (i.e. white hat hacking).

System administrators can use Nmap to search for unauthorized servers, or for computers that do not conform to security standards.[36]

In 2003 Supreme Court of Finland has ruled that port scanning has amounted to an attempted computer break in, which was illegal under Finnish Penal code at the time:[37]

In its ruling the Supreme Court stated that the defendant had systematically carried out port scanning operations to gather information for the purpose of unauthorised break-in to the bank's computer network. This amounted to an attempted computer break in.[37]

License

[edit]

Nmap was originally distributed under the GNU General Public License (GPL).[21] In later releases, Nmap's authors added clarifications and specific interpretations to the license where they felt the GPL was unclear or lacking.[38] For instance, Nmap 3.50 specifically revoked the license of SCO Group to distribute Nmap software because of their views on the SCO-Linux controversies.[39]

Starting with version 7.90, Nmap transitions to a new custom license NPSL, dual-licensing versions 7.90, 7.91, and 7.92 under both old and new licenses.[40] Several Linux distributions consider the new license non-free.[41][42]

[edit]

In The Matrix Reloaded, Trinity is seen using Nmap to access a power plant's computer system,[43] allowing Neo to "physically" break into a building. The appearance of Nmap in the film was widely discussed on Internet forums and hailed as an unusually realistic example of hacking.[44]

Nmap and NmapFE were used in The Listening, a 2006 movie about a former NSA officer who defects and mounts a clandestine counter-listening station high in the Italian alps.

Nmap source code can be seen in the movie Battle Royale, as well as brief views of the command line version of Nmap executing in Live Free or Die Hard and Bourne Ultimatum.[43] In 2013, Nmap continued to make appearances in movies including popular sci-fi movie Elysium.

The film Dredd, a film adaptation of the famous Judge Dredd comics, was released in 2012 and also contains multiple Nmap scenes.[43] Nmap is used for network reconnaissance and exploitation of the slum tower network. It is even seen briefly in the movie's trailer.

The command Nmap is widely used in the video game Hacknet, allowing to probe the network ports of a target system to hack it.

In Snowden, Nmap is used in the aptitude test scene about 14 minutes into the movie.

In academia

[edit]

Nmap is an integral part of academic activities. It has been used for research involving the TCP/IP protocol suite and networking in general.[45] Besides being a research tool, Nmap has also become a research topic.[46]

Examples

[edit]
$ nmap -f -v -A scanme.nmap.org
Starting Nmap 6.47 ( https://nmap.org ) at 2014-12-29 20:02 CET
Nmap scan report for scanme.nmap.org (74.207.244.221)
Host is up (0.16s latency).
Not shown: 997 filtered ports
PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 5.3p1 Debian 3ubuntu7.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 8d:60:f1:7c:ca:b7:3d:0a:d6:67:54:9d:69:d9:b9:dd (DSA)
|_  2048 79:f8:09:ac:d4:e2:32:42:10:49:d3:bd:20:82:85:ec (RSA)
80/tcp   open  http       Apache httpd 2.2.14 ((Ubuntu))
|_http-title: Go ahead and ScanMe!
9929/tcp open  nping-echo Nping echo
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|phone|storage-misc|WAP
Running (JUST GUESSING): Linux 2.6.X|3.X|2.4.X (94%), Netgear RAIDiator 4.X (86%)
OS CPE: cpe:/o:linux:linux_kernel:2.6.38 cpe:/o:linux:linux_kernel:3 cpe:/o:netgear:raidiator:4 cpe:/o:linux:linux_kernel:2.4
Aggressive OS guesses: Linux 2.6.38 (94%), Linux 3.0 (92%), Linux 2.6.32 - 3.0 (91%), Linux 2.6.18 (91%), Linux 2.6.39 (90%), Linux 2.6.32 - 2.6.39 (90%), Linux 2.6.38 - 3.0 (90%), Linux 2.6.38 - 2.6.39 (89%), Linux 2.6.35 (88%), Linux 2.6.37 (88%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 13 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 80/tcp)
HOP RTT       ADDRESS
1   14.21 ms  151.217.192.1
2   5.27 ms   ae10-0.mx240-iphh.shitty.network (94.45.224.129)
3   13.16 ms  hmb-s2-rou-1102.DE.eurorings.net (134.222.120.121)
4   6.83 ms   blnb-s1-rou-1041.DE.eurorings.net (134.222.229.78)
5   8.30 ms   blnb-s3-rou-1041.DE.eurorings.net (134.222.229.82)
6   9.42 ms   as6939.bcix.de (193.178.185.34)
7   24.56 ms  10ge10-6.core1.ams1.he.net (184.105.213.229)
8   30.60 ms  100ge9-1.core1.lon2.he.net (72.52.92.213)
9   93.54 ms  100ge1-1.core1.nyc4.he.net (72.52.92.166)
10  181.14 ms 10ge9-6.core1.sjc2.he.net (184.105.213.173)
11  169.54 ms 10ge3-2.core3.fmt2.he.net (184.105.222.13)
12  164.58 ms router4-fmt.linode.com (64.71.132.138)
13  164.32 ms scanme.nmap.org (74.207.244.221)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 28.98 seconds

See also

[edit]

Bibliography

[edit]

References

[edit]
[edit]
Revisions and contributorsEdit on WikipediaRead on Wikipedia

Nmap

View on Grokipedia
from Grokipedia
Nmap, short for Network Mapper, is a free and open-source software tool designed for network discovery and security auditing.[1] Developed by Gordon "Fyodor" Lyon, it was first released on September 1, 1997, as an article in Phrack magazine issue 51, complete with source code.[2][3] Nmap enables users to scan networks to identify active hosts, detect open ports, determine operating systems, and detect service versions running on those hosts, making it a foundational tool in cybersecurity for vulnerability assessment and penetration testing.[1] Since its inception, Nmap has evolved significantly through continuous development by the Nmap Project, incorporating advanced features such as TCP/UDP port scanning, ping sweeps for host discovery, scriptable automation via the Nmap Scripting Engine (NSE), and support for IPv6.[2] It runs on multiple platforms including Linux, Windows, macOS, and Unix variants, and includes companion tools like Zenmap (a graphical user interface), Ncat (a versatile networking utility), Ndiff (for comparing scan results), and Nping (for packet crafting and analysis).[1] The tool is licensed under the Nmap Public Source License, allowing free use for most purposes while restricting commercial redistribution without permission.[4] Nmap's impact extends beyond technical users; it has been featured in over a dozen films, including The Matrix Reloaded and Blackhat, and has received awards such as Linux Journal's "Security Product of the Year."[1] Maintained by a vibrant community through mailing lists, IRC, and conferences, Nmap remains actively updated, with version 7.98 released on August 21, 2025—the latest stable release as of 2026—ensuring its continued relevance in modern network security practices. Tools like Rapid7's InsightVM have announced plans to upgrade their integrated Nmap engine in March 2026 to further enhance vulnerability management capabilities.[5][1][6]

Overview

Definition and Purpose

Nmap, short for Network Mapper, is a free and open-source utility designed for network exploration and security auditing.[1][7] It enables users to discover hosts and services on a computer network, map network topology, identify open ports, and detect operating systems along with service versions running on those hosts.[7] Many network administrators rely on it for routine tasks, such as conducting network inventories, scheduling service upgrades, and monitoring host or service uptime.[1] At its core, Nmap operates by sending specially crafted raw IP packets to target hosts and analyzing the responses to infer network characteristics, including the presence of firewalls or packet filters.[7] This packet-based approach allows it to efficiently probe large networks or individual devices, providing insights into connectivity and potential vulnerabilities without requiring administrative access to the targets.[1] Nmap was created in 1997 by Gordon Lyon, known by the pseudonym Fyodor, to overcome the limitations of earlier tools like strobe, which lacked flexibility in port specification, operating system detection, and support for multiple scanning protocols beyond basic TCP.[8] Initially released through Phrack Magazine, it addressed the need for a more robust and versatile scanner capable of handling massive networks with features like parallel scanning and dynamic timing adjustments.[8] Among its key benefits, Nmap is freely available under the Nmap Public Source License, ensuring broad accessibility, and offers cross-platform compatibility across major operating systems including Linux, Windows, and macOS.[1][7] Its extensibility through user-contributed scripts further enhances its utility for customized auditing tasks.[1]

Development Overview

Nmap was initiated in 1997 by Gordon Lyon, who uses the pseudonym Fyodor, as a free and open-source network scanning tool designed for security auditing and exploration.[9] Lyon has served as the primary developer and coordinator of the project since its inception, overseeing its evolution into a widely used utility through ongoing maintenance and feature enhancements.[10] The project is hosted and distributed by Insecure.Org, which manages the official website, release archives, and community resources to facilitate global access and collaboration.[11] Insecure.Org supports a community-driven development model, where volunteers contribute code, bug fixes, and improvements via the official Subversion (SVN) repository at svn.nmap.org, mirrored on GitHub for broader accessibility.[12] This open collaboration has enabled Nmap to incorporate diverse expertise while maintaining its core focus on reliability and extensibility. Nmap integrates with related open-source projects, notably Npcap, the Nmap Project's Windows packet capture library, which replaced the older WinPcap in recent versions to deliver improved performance and compatibility for raw packet operations on Microsoft Windows systems.[13] Funding for the Nmap Project primarily comes from user donations, corporate sponsorships, and revenue generated through commercial services, including sales of the authoritative guide Nmap Network Scanning by Gordon Lyon and licensing of the Nmap OEM Edition for software redistribution.[9][14] These sources sustain development without compromising the tool's free availability under the Nmap Public Source License.

Core Functionality

Host Discovery

Host discovery in Nmap serves as the initial phase of network exploration, aimed at identifying active hosts on a target network without performing full port scans, thereby conserving time and minimizing network traffic and detection risks.[15] This process determines whether an IP address corresponds to a responsive device, which is essential for efficient subsequent scanning activities. By default, Nmap employs multiple probe types to maximize discovery rates, as individual methods can be thwarted by firewalls or security configurations.[16] Nmap implements several host discovery techniques to detect live hosts. The standard ICMP echo request/reply method, often referred to as a ping scan (-PE), sends an ICMP type 8 packet and awaits a type 0 reply, as defined in RFC 792; however, this is frequently blocked by firewalls compliant with RFC 1122, which recommend filtering such requests.[15][17][18] To circumvent these restrictions, Nmap supports TCP SYN ping (-PS), which transmits SYN packets to common ports like 80 or 443 and interprets RST or SYN/ACK responses as indicators of host activity; this approach is faster and evades some ICMP-only filters.[15] Similarly, TCP ACK ping (-PA) sends unsolicited ACK packets, eliciting RST responses from most hosts, though it is less effective against stateful firewalls that drop unexpected packets.[15] For local networks, ARP scanning (-PR) is the default, broadcasting ARP requests to map IP addresses to MAC addresses via replies, offering superior speed and accuracy on Ethernet segments without relying on IP-layer probes.[15] Additional variants include UDP ping (-PU), which probes for ICMP port unreachable messages, and IP protocol ping (-PO), which tests various protocols like ICMP or IGMP for responses or unreachables.[15] Users can invoke host discovery explicitly with the -sn option, which skips port scanning entirely and outputs only live hosts, ideal for large networks where full scans are impractical. The best Nmap command for discovering live hosts on a local network is sudo nmap -sn <subnet>, e.g., sudo nmap -sn 192.168.1.0/24. This performs host discovery only (no port scanning) and uses ARP requests by default on local Ethernet networks when run with root privileges (via sudo), making it fast, reliable, and efficient for identifying active hosts.[16] The --traceroute option complements discovery by mapping the route to each host using techniques like ICMP time exceeded or TCP responses, aiding in understanding network topology.[16] To address firewalls and enhance stealth, Nmap includes the idle scan (-sI), a technique that leverages an intermediary "zombie" host to proxy probes, anonymizing the attacker's source IP.[19] This method forges packets appearing to originate from the zombie, monitors its IP ID sequence for changes induced by target responses (an increment of 1 for closed ports, 2 for open), and thus avoids direct communication with the target, potentially bypassing source-based filtering.[19] It is particularly useful against intrusion detection systems, as logs attribute activity to the zombie, though it requires a suitable idle zombie with predictable IP ID behavior and incurs higher latency.[19] Despite these capabilities, host discovery faces limitations, particularly with hosts configured to block probes, where firewalls may silently drop ICMP, TCP, or UDP packets, resulting in false negatives—for instance, tests have shown only partial detection rates across probe types.[15] In IPv6 environments, support has evolved since initial implementation in 2002, now including ICMPv6 echo requests, TCP SYN/ACK pings (via connect calls for unprivileged users due to lacking raw socket support), and Neighbor Discovery akin to ARP, but excluding features like ICMP timestamp requests absent in ICMPv6; full IPv6 compatibility requires the -6 flag and proper network configuration.[16][20] As of Nmap 7.98 (August 2025), improvements include fixed parallel DNS resolver crashes and better reverse DNS handling for more reliable host discovery.[5]

Port Scanning Techniques

Nmap determines the state of TCP and UDP ports on target hosts through various scanning techniques, categorizing them as open, closed, filtered, or open|filtered. An open port accepts connections or messages, indicating an active listening service, as evidenced by a SYN/ACK response in TCP scans or a UDP protocol-specific reply.[21] A closed port has no listening service but allows probes to reach the host, typically resulting in a RST packet for TCP or an ICMP port unreachable message for UDP.[21] Ports are marked filtered when a firewall or intrusion detection system blocks the probe, yielding no response or specific ICMP unreachable errors (type 3, codes 0, 1, 2, 3, 9, 10, or 13).[21] The open|filtered state applies when Nmap cannot differentiate between open and filtered ports due to ambiguous responses, such as no reply in UDP scans or certain stealthy TCP scans.[21] For TCP port scanning, Nmap offers multiple methods tailored to different levels of stealth, privilege requirements, and network conditions. The default SYN scan (-sS), also known as half-open scanning, remains Nmap's default and most popular stealth scanning technique in 2026 (Nmap 7.98+). It sends SYN packets to target ports without completing the full TCP handshake to avoid full connections, thereby reducing logging and detection risks compared to connect scans; a SYN/ACK indicates an open port, an RST signals closed, and no response suggests filtered. This technique requires raw socket privileges, typically necessitating root or sudo privileges on Unix-like systems.[21][5] A basic command is sudo nmap -sS <target>, which scans the top 1000 most common ports by default.[21] To maximize the effectiveness and stealth of the SYN scan, several best practices are recommended. Always run Nmap with sudo or root privileges to enable raw packet capabilities for -sS. Use -Pn to skip host discovery if the target does not respond to pings, ensuring the scan proceeds against all specified IPs. For enhanced evasion, employ lower timing templates such as -T2 or -T3, packet fragmentation (-f), decoys (-D RND:10), a spoofed source port (--source-port 53), and data padding (--data-length 50). An example stealth command is: sudo nmap -sS -T2 -f -D RND:5 --source-port 53 --data-length 50 <target>.[22] Combining with service version detection (-sV) and operating system fingerprinting (-O) provides additional intelligence, for example: sudo nmap -sS -sV -O -T4 <target>. First identify live hosts with -sn (ping scan only) to minimize noise by avoiding probes to inactive systems, then target those hosts. The --reason option offers detailed explanations of why ports are classified in specific states. Critically, always obtain explicit permission before scanning to avoid legal issues. While these measures improve stealth, modern IDS and firewalls can still detect SYN scans through advanced analysis; evasion techniques help but do not guarantee undetectability.[16][23][22] The connect scan (-sT) performs a full three-way TCP handshake using the operating system's connect() system call, suitable for unprivileged users but more detectable as it completes connections and may generate logs on the target.[21] Evasion-oriented FIN (-sF), NULL (-sN), and Xmas (-sX) scans send TCP packets lacking the SYN flag (or with invalid flag combinations), exploiting a loophole in RFC 793 where compliant systems ignore such packets on open ports but respond with RST on closed ones; however, these techniques fail against non-RFC-compliant operating systems like Windows and modern firewalls.[21][24] UDP scanning (-sU) probes UDP ports by sending empty or protocol-specific payloads, facing inherent challenges due to the protocol's unreliability; closed ports reliably return ICMP port unreachable messages, while open ports may respond only if the service generates output (e.g., DNS on port 53), and filtered or open|filtered ports often yield no response, leading to slow scans that can take minutes per port and integrate with TCP scans for comprehensive coverage.[21][25] The IP protocol scan (-sO) extends beyond TCP and UDP to detect support for other IP protocols such as ICMP, IGMP, or SCTP by crafting IP packets with varying protocol numbers in the header; a response from the target indicates the protocol is open, while an ICMP protocol unreachable (type 3, code 2) marks it closed, useful for identifying unusual network configurations.[21] Nmap allows specification of the ports to scan via the -p option, which overrides the default of scanning the 1,000 most common ports. The -p- specifier scans all ports from 1 to 65535. This is commonly employed for thorough scans of localhost, as in nmap -p- localhost (equivalent to nmap -p 1-65535 localhost).[26] Privileged users often use sudo nmap -sS -p- localhost for SYN scanning. On the loopback interface, the -T4 timing template is suitable for faster execution, for example sudo nmap -sS -p- -T4 localhost.[27] The -A option enables aggressive scanning, including operating system detection, service and version detection, script scanning, and traceroute.[28] To balance scan speed against stealth and accuracy, Nmap employs timing templates from T0 (paranoid) to T5 (insane), which preset parameters like probe delays, retransmission timeouts, and parallelism; T0 and T1 use serial scanning with long delays (up to five minutes) for maximum evasion of intrusion detection systems, T3 provides the default balanced approach, and T4/T5 assume high-bandwidth networks for rapid parallel scans but risk dropped packets and false negatives.[27] Fine-tuned control includes the --min-rate option, which enforces a minimum packet transmission rate (e.g., 300 packets per second) to accelerate scans across potentially lossy networks, and --max-retries, which caps probe retransmissions (default 10, reducible to 2 or 3) to shorten overall time at the expense of potentially missing intermittent responses.[27] Nmap incorporates evasion techniques to obscure scans from firewalls and logging systems. Decoys (-D) spoof additional source IP addresses alongside the real one, flooding logs with false positives to hide the true origin.[21] Fragmentation (-f) splits probe packets into smaller fragments to bypass filters that inspect full IP datagrams, though advanced firewalls may reassemble them.[21] Source IP spoofing (-S) allows faking the originating IP address for enhanced stealth, requiring raw socket access but preventing response reception unless combined with techniques like idle scanning.[21] As of Nmap 7.98 (August 2025), fixes include resolution of TCP connect scan socket leaks and improved UDP payload accuracy.[5]

Service and Version Detection

Service and version detection in Nmap identifies the applications and their versions running on open ports, building upon prior port scanning to provide detailed service information.[29] This feature sends protocol-specific probes to elicit responses from target services, which are then matched against a comprehensive database of known signatures to determine the service type, version number, hostname, device type, operating system family, and Common Platform Enumeration (CPE) identifiers.[29] For instance, an HTTP probe might send a GET request to a port, analyzing the response headers for server software details like Apache or Nginx versions.[29] The -sV option activates service and version detection, performing sequential probing starting with the most common protocols and escalating in intensity as needed.[29] Intensity levels range from 0 (minimal probes for speed) to 9 (exhaustive probing for maximum accuracy), with the default at 7, allowing users to balance thoroughness against scan duration.[29] This process integrates lightly with the Nmap Scripting Engine for enhanced detection on complex services, such as querying SSL/TLS-encrypted connections using the ssl-enum-ciphers script to enumerate supported ciphers and infer underlying protocols.[30] Nmap's detection relies on the nmap-service-probes database, which contains 11,921 pattern matches across 1,227 protocols, regularly updated through community-submitted fingerprints in each release.[31] Recent updates, such as in version 7.98 (August 2025), have integrated thousands of additional fingerprints, enhanced UDP service probing, and added support for DTLS, improving detection coverage for emerging services and encrypted traffic.[5] Accuracy can be affected by factors such as services running on non-standard ports or misconfigurations leading to false positives, where responses mimic other services.[29] The database's reliance on user contributions ensures ongoing refinements, but detection remains probabilistic rather than guaranteed for all edge cases.[29]

Operating System Fingerprinting

Nmap's operating system detection feature enables the identification of remote hosts' operating systems and device types through active TCP/IP stack fingerprinting. This process involves sending specialized probes to elicit responses that reveal unique characteristics of the target's network stack implementation. The -O option activates this capability, which is also enabled by the more comprehensive -A option for aggressive scanning. Detection is most effective when performed after host discovery and port scanning, as it relies on knowledge of open and closed ports to direct probes accurately.[32] The fingerprinting process begins with Nmap transmitting up to 16 probes, including TCP SYN packets to open and closed ports, UDP packets, and ICMP echo requests. Key techniques include TCP initial sequence number (ISN) sampling via six SYN packets spaced 100 milliseconds apart, which analyzes sequence predictability through metrics like greatest common divisor (GCD), initial sequence rate (ISR), and sequence predictability (SP); examination of TCP options such as maximum segment size (MSS), window scaling, and timestamps in these probes; and ICMP parameter testing with two echo requests varying in type of service (TOS), code, and data length to observe responses like Don't Fragment (DF) bit handling and time-to-live (TTL) values. These responses are captured and compared against entries in the nmap-os-db file, a database containing 6,036 fingerprints covering 1,522 OS classes, primarily for IPv4 with hundreds for IPv6, each representing characteristic behaviors of specific OS versions, vendors, and device types. Matches are scored based on similarity, with Nmap selecting the highest-confidence result.[33][32][31] The nmap-os-db database has evolved through community contributions, where users submit fingerprints when Nmap encounters unidentified or incorrectly guessed systems. Running Nmap with -O --osscan-guess generates a printable fingerprint for submission to the Nmap development team via email or web form, facilitating database expansion. This crowdsourced approach has integrated thousands of submissions over releases; as of version 7.98 (August 2025), the database includes 6,036 fingerprints covering 1,522 classes. Enhanced IPv6 support, including dedicated probes for IPv6 networks using the -6 flag alongside -O, continues to improve.[34][35][5][31] Detection accuracy is high for common operating systems, often exceeding 90% confidence in perfect matches against the database, though it can drop with imperfect data. Challenges arise with hardened systems, such as those behind firewalls that drop probes, or virtual machines that inherit host OS fingerprints without distinct traits, leading to ambiguous results or reliance on guessing. Options like --osscan-limit restrict attempts to promising targets with open and closed ports, while --osscan-guess allows speculative output when no strong match exists.[32][36] Output from OS detection includes the classified OS details, formatted as a free-form description (e.g., "Linux 5.4") followed by structured elements like Common Platform Enumeration (CPE) identifiers (e.g., cpe:/o:linux:linux_kernel:5.4), device type (e.g., general purpose, router), and match accuracy percentage (e.g., 96%). In verbose mode (-v), Nmap also estimates system uptime using TCP timestamps from probe responses, though this can be unreliable due to counter resets or non-standard implementations.[32][37]

Advanced Features

Nmap Scripting Engine

The Nmap Scripting Engine (NSE) is a framework integrated into Nmap that enables users to automate and extend network scanning tasks through custom Lua scripts, facilitating advanced functions such as vulnerability detection, brute-force attacks, and service enumeration beyond the tool's core capabilities.[38] Introduced with Nmap version 5.00 in July 2009, NSE transformed Nmap from a basic port scanner into a versatile platform for security auditing by allowing the development and sharing of reusable scripts that run efficiently in parallel with standard scans.[39] These scripts leverage Nmap's host and port discovery results to perform targeted actions, enhancing the depth of information gathered during reconnaissance.[40] NSE organizes scripts into categories to guide their application and manage risk levels, including safe (non-disruptive reconnaissance like discovery and version checks), intrusive (potentially harmful actions such as denial-of-service probes or exploitation attempts), version (integration with service identification), discovery (host and network mapping), and vuln (vulnerability scanning).[38] Other categories encompass auth (authentication attempts), broadcast (network broadcasts), default (scripts run by default in comprehensive scans), dos (denial-of-service tests), exploit (payload delivery), external (integration with third-party tools), fuzzer (protocol fuzzing), and malware (malware detection).[38] Scripts are selected and executed via the --script option, with categories invoked by name (e.g., --script vuln) or combined for customized scans, ensuring controlled deployment based on user intent.[40] Scripts are written in the Lua programming language, chosen for its lightweight syntax, embeddability, and efficiency in handling asynchronous operations suitable for network tasks.[41] NSE provides a rich set of libraries to simplify development, including socket handling for TCP/UDP connections (e.g., stdnse and nmap namespaces for timeouts and port management), output formatting for structured results (e.g., structured tables for XML compatibility), and specialized modules like http for web interactions, smb for Microsoft protocols, and vulns for CVE tracking and report generation.[42] As of Nmap 7.98 in August 2025, the official NSE repository includes over 600 scripts, covering a wide range of protocols and threats, with ongoing community contributions expanding this library.[5] Developers can extend functionality by creating new scripts or modifying existing ones, following NSE's API for thread-safe parallelism and error handling.[43] Recent enhancements to NSE have focused on library robustness and performance, such as improvements to the brute library in versions 7.95 and later, which added support for username-as-password guessing, empty string passwords, and better retry logic to reduce false negatives in authentication scripts.[5] Version 7.96 introduced parallel forward DNS lookups, indirectly boosting NSE efficiency for scripts reliant on hostname resolution, while 7.98 enhanced bindings for libraries like libssh2 and tls.lua to support modern protocols including TLS 1.3.[5] These updates, along with new scripts like mikrotik-routeros-version for device fingerprinting, ensure NSE remains adaptable to evolving network environments.[5] NSE scripts can briefly integrate with Nmap's version detection to refine service probes, using detected application details to trigger specialized checks.[41] Representative examples illustrate NSE's practical utility: the http-enum script performs directory and file enumeration on web servers by testing common paths from a fingerprint database, helping identify hidden administrative interfaces or misconfigurations.[44] Scripts such as http-methods, http-title, and http-enum can probe for HTTP services on non-standard ports (e.g., via --script +http-methods,http-title,http-enum), sending requests like OPTIONS for supported methods or GET for titles to test if non-web services respond to HTTP, potentially revealing misconfigurations where services misinterpret web requests.[45][46] Similarly, smb-vuln-ms17-010 detects the EternalBlue vulnerability (CVE-2017-0143) in SMBv1 implementations by sending crafted transactions and analyzing error responses, aiding in the identification of unpatched Windows systems susceptible to exploits like WannaCry.[47] Nmap's NSE includes many scripts dedicated to enumerating and auditing HTTP and web services, commonly found on ports 80, 443, 8080, and others. These scripts are especially valuable for web security assessments and penetration testing. Notable examples include:
  • http-enum: Enumerates common directories and files on web servers by testing paths from a fingerprint database, often revealing hidden paths such as /admin, /icons, /phpmyadmin, or application-specific endpoints (similar to tools like Nikto).[44]
  • http-default-accounts: Detects default credentials in popular web applications and admin interfaces, such as Tomcat Manager (admin:admin), Jenkins, and others.[48]
  • http-title: Retrieves the HTML page title to help identify web applications and services.[46]
  • http-server-header: Extracts the Server header from HTTP responses to reveal web server software and versions.[49]
  • http-methods: Determines the HTTP methods permitted by the server (e.g., GET, POST, OPTIONS, potentially including risky ones like PUT or DELETE).[45]
  • http-security-headers: Checks for the presence and proper configuration of important security headers, including Content-Security-Policy (CSP), Strict-Transport-Security (HSTS), X-Content-Type-Options, and X-Frame-Options.[50]
These scripts assist in discovering misconfigurations, default installations, information disclosures, and potential vulnerabilities. They can be executed selectively or in bulk using --script http-* or by listing specific script names.

Output Processing and Formats

Nmap's default output is presented in an interactive format sent to standard output (stdout), providing real-time information such as runtime details, warnings, and scan results in a human-readable table format listing discovered hosts and open ports.[23] This output includes essential details like host addresses, port states (open, closed, filtered), and service names where detected, making it suitable for immediate review during scans.[23] Verbosity levels can be adjusted using the -v flag, with options like -v for basic additional details, -vv for more comprehensive information on scan progress and reasons for port states, and up to -v5 for debugging-level output, influencing both interactive and certain file-based formats.[23] For persistent storage and further processing, Nmap supports multiple file output formats specified via command-line options. The normal format (-oN) produces a file resembling the interactive output but omits excessive runtime information, resulting in a clean, text-based log suitable for manual review.[23] XML output (-oX) generates machine-parsable structured data compliant with a Document Type Definition (DTD) available at https://svn.nmap.org/nmap/docs/nmap.dtd, enabling integration with tools like Zenmap or custom scripts; it includes an optional XSL stylesheet for rendering as HTML.[23] The grepable format (-oG), now deprecated in favor of XML, outputs one line per host in a tab-separated format with fields for host details and ports, facilitating quick searches via tools like grep.[23] Additionally, the script kiddie format (-oS) delivers a humorous, verbose rendition of interactive output for novelty, while the all-in-one option (-oA) simultaneously saves results in normal, XML, and grepable formats using a shared basename.[23] Filenames can incorporate strftime-like substitutions for timestamps, and the --append-output flag allows adding to existing files rather than overwriting them.[23] Post-scan processing enhances result interpretation and management. The --reason option provides explanations for host and port states by detailing the packet types involved, such as RST/ACK responses indicating closed ports, which is particularly useful when combined with higher verbosity or debugging modes.[23] For monitoring long-running scans, --stats-every specifies intervals (e.g., 10 seconds) to print timing statistics, including packets sent and completion estimates.[23] The ndiff utility, included with Nmap, compares two normal or grepable output files to highlight differences in scan results, aiding in change detection over time. Recent versions have refined output handling for better automation and compatibility. In Nmap 7.98, the XML output DTD was updated to accurately reflect elements like introduced in prior releases, ensuring validation tools process results without errors.[5] Earlier enhancements, such as structured output from the Nmap Scripting Engine in XML format since version 6.20, allow scripts to generate queryable name-value tables for advanced data extraction.[43] For programmatic access, third-party parsing tools facilitate integration with other systems. The Nmap::Parser Perl module processes normal, grepable, or XML outputs to extract structured data into objects, supporting applications like database imports or automated reporting. These tools leverage Nmap's XML schema for reliable parsing, though users must account for version-specific changes in output structure.[23]

Performance Optimizations

Nmap provides a range of timing parameters to fine-tune scan speed, allowing users to balance performance with accuracy and stealth. The -T option offers six predefined templates, from -T0 (paranoid) for extremely slow, IDS-evading scans to -T5 (insane) for maximum aggressiveness on reliable, high-bandwidth networks. For instance, -T4 (aggressive) sets a --max-rtt-timeout of 1250ms, --min-rtt-timeout of 100ms, --initial-rtt-timeout of 500ms, --max-retries of 6, and a maximum scan delay of 10ms, enabling faster probe responses while maintaining reliability. These templates automate adjustments to round-trip time (RTT) timeouts, retry counts, and inter-probe delays, with -T3 (normal) as the default for most scenarios.[27] Concurrency is managed through hostgroup and parallelism options, which control how Nmap distributes scanning tasks across multiple threads or processes. The --min-hostgroup and --max-hostgroup parameters set the size of parallel host scan groups, with defaults ranging from 5 to 1024; for example, setting --min-hostgroup 256 optimizes scans of /24 networks by ensuring larger, more efficient batches. Similarly, --min-parallelism and --max-parallelism govern the number of outstanding probes, where a --min-parallelism of 10 can accelerate scans on slow networks by increasing probe volume, while --max-parallelism 1 limits concurrency to reduce resource strain. These settings enhance throughput on multi-core systems but require careful tuning to avoid network congestion.[27] Resource management features address timeouts and rates to handle variable network conditions. The --host-timeout option skips unresponsive hosts after a specified duration, such as 30 minutes, preventing scans from stalling on slow targets; a value of 0 disables this entirely. RTT-related options like --max-rtt-timeout cap probe wait times (e.g., 100ms for local networks), while --scan-delay introduces minimum delays between probes (e.g., 1 second) to comply with rate limits or evade detection. Packet rate controls, including --min-rate and --max-rate, enforce sending rates (e.g., 300 packets per second minimum), and --max-retries limits retransmissions (default 10, reducible to 3 for speed). For scripts, --script-timeout bounds execution time, as in 10 minutes under -T5. Options like --defeat-rst-ratelimit bypass kernel rate limits on RST packets for faster port scans, though at the cost of potential accuracy loss.[27] Hardware dependencies significantly influence Nmap's efficiency, particularly through the Npcap library on Windows, which handles raw packet injection. In Nmap 7.95, Npcap was upgraded to version 1.79, incorporating performance improvements and bug fixes that enhance overall scanning speed. Nmap 7.96 further advanced this with Npcap 1.82, enabling faster packet injection rates and support for SR-IOV virtual adapters, which is beneficial for virtualized environments. Parallel DNS resolution, introduced in Nmap 7.96, performs forward and reverse lookups concurrently using a high-performance engine, reducing resolution times for large target sets—for example, resolving 1 million names in about 1 hour compared to 49 hours sequentially. IPv6 scanning benefits from optimizations in Nmap 7.96, including fixes for crashes in extension header parsing and improved IP protocol scanning, leading to more reliable and efficient IPv6 host discovery and port scanning.[5][51] For large-scale or cloud-based scanning, such as in AWS or Azure environments with inherent latency, Nmap's adaptive timing—initially assuming high latency and packet loss before accelerating based on observed statistics—proves effective, often paired with increased --max-rtt-timeout values to accommodate variable delays. These adjustments mitigate slowdowns in distributed networks without dedicated cloud-specific modes.[52] Performance optimizations involve inherent trade-offs: aggressive settings like -T5 or low --max-retries (e.g., 0) accelerate scans but risk missing open ports, hosts, or accurate responses due to reduced retries and tighter timeouts, while also heightening detectability by intrusion detection systems. Conversely, conservative options enhance stealth and precision at the expense of speed, and high parallelism can overload low-bandwidth links, triggering unnecessary retransmissions. In scripting contexts, --script-timeout ensures NSE scripts do not unduly prolong optimized runs.[27]

User Interfaces

Command-Line Interface

Nmap's command-line interface (CLI) serves as the primary method for interacting with the tool, offering extensive flexibility for network exploration and security auditing through text-based commands. The basic syntax follows the structure nmap [Scan Type(s)] [Options] {target specification}, where scan types specify the probing method, options configure behavior, and targets define the hosts or networks to examine.[53] This design enables users to tailor scans precisely, from simple host checks to comprehensive vulnerability assessments, all executed via standard terminal input.[28] Target specifications in Nmap support diverse formats to accommodate various scanning scenarios, including individual IP addresses (e.g., 192.168.1.1), hostnames (e.g., scanme.nmap.org), IP ranges (e.g., 192.168.1.1-254), and CIDR notation for subnets (e.g., 192.168.1.0/24).[28] Users can also read targets from files using the -iL <filename> option, which loads a list of hosts from a specified text file, facilitating batch processing of large target sets.[53] To refine scans, hosts can be excluded via --exclude <host1[,host2][,...]> for comma-separated lists or --excludefile <exclude_file> for file-based exclusions, preventing unnecessary probing of known or irrelevant addresses.[28] Essential options are grouped by function to streamline common tasks: host discovery uses -sn for ping-only scans that identify live hosts without port probing; port scanning employs techniques like -sS for TCP SYN scans, which send SYN packets to detect open ports efficiently while avoiding full connections.[53] Service and version detection is enabled with -sV, which probes open ports to identify running services and their versions, while -O performs operating system fingerprinting by analyzing TCP/IP stack characteristics.[28] For enhanced analysis, the Nmap Scripting Engine integrates via --script=<name1, name2, ...> to run custom Lua scripts or -sC for default scripts, allowing automation of advanced checks like vulnerability detection.[53] Advanced CLI features support complex workflows, such as resuming interrupted scans with --resume <filename>, which reloads a previously saved output file to continue from the interruption point without re-scanning completed hosts.[28] Input flexibility extends to random host selection via -iR <num hosts> for testing purposes, and output can be directed to files or pipes for further processing.[53] In automation contexts, Nmap's grepable output format (-oG) is particularly useful, as it produces results easily parsed by tools like grep and awk—for instance, piping scan results to awk can filter open ports across hosts, enabling integration into shell scripts for routine monitoring.[54] Additionally, Nmap commands can be scheduled via cron jobs on Unix-like systems to perform periodic scans, supporting ongoing network security assessments.[55]

Graphical User Interface

Zenmap serves as the official graphical user interface (GUI) for the Nmap Security Scanner, providing a cross-platform, free, and open-source application designed to simplify network exploration and security auditing for users of varying expertise levels.[56] Developed using Python and the GTK toolkit, it wraps around the core Nmap command-line tool to offer an intuitive visual environment that runs on Linux, Windows, macOS, BSD, and other operating systems.[56] This GUI enhances accessibility by translating complex command-line operations into interactive elements, while maintaining full compatibility with Nmap's underlying functionality.[57] Key features of Zenmap include the ability to save frequently used scan configurations as profiles, allowing users to reuse common commands without repeatedly entering them manually.[56] It provides topology mapping to visualize network structures based on scan results, displaying host connections and relationships in an interactive graph format.[56] Comparison views enable side-by-side analysis of scan results from different sessions, highlighting changes in hosts, ports, or services over time.[56] Additionally, a searchable database stores command history and recent scans, facilitating quick retrieval and review of past activities.[56] Zenmap integrates seamlessly with the Nmap Scripting Engine (NSE), allowing visualization of script outputs in a structured, user-friendly manner.[56] Installation of Zenmap is typically bundled with official Nmap installers, making it readily available across supported platforms without additional downloads in most cases. For Linux distributions, it can be installed via package managers like apt or yum, while Windows and macOS users benefit from self-installing executables that include dependencies such as Python and GTK. An older alternative, NmapFE, was the initial GUI but has been deprecated in favor of Zenmap's more robust implementation.[56] Recent enhancements in Zenmap align with Nmap version 7.96, released in May 2025, which introduced dark mode support for improved usability in low-light conditions and better rendering of NSE results through updated scripting capabilities.[5] These updates enhance visual clarity for complex scans. Further improvements in version 7.98, released in August 2025, include fixes for crashes such as UnicodeDecodeError and ValueError, along with enhanced language translations.[5] Despite its advantages, Zenmap is less ideal for automated or scripted workflows compared to the command-line interface, as it prioritizes interactive use over programmatic control.[56] Third-party GUIs, such as Angry IP Scanner, provide a user-friendly interface and excel in speed and simplicity for quick ping-based sweeps of large IP ranges through its multi-threaded scanning approach. However, they lack the depth of Nmap integration provided by Zenmap, including advanced features like stealth scanning options, OS detection, scripting capabilities, and widespread adoption in professional reconnaissance workflows such as bug bounty hunting, where Nmap is generally preferred for its reliability, customization, and ability to perform deeper analysis beyond basic host discovery.[58][59][16]

History and Development

Origins and Key Milestones

Nmap originated from the efforts of Gordon Lyon, known by the pseudonym Fyodor, who developed the tool in 1997 to address the need for an efficient network scanner capable of consolidating various port scanning techniques into a unified interface. Initially created for personal use during a summer project, Nmap's first public release occurred on September 1, 1997, when Lyon published its source code—approximately 2,000 lines supporting only Linux—in issue 51 of Phrack magazine.[60] This debut version focused on basic host discovery and port scanning, rapidly gaining attention within the security community for its speed and flexibility in mapping network topologies.[8] Early development accelerated through subsequent releases, with version 2.00 arriving in December 1998 and introducing operating system detection via TCP/IP fingerprinting, expanding Nmap's utility beyond simple port enumeration.[2] By April 1999, version 2.11BETA1 added the first graphical user interface (NmapFE), an X11-based frontend for Unix systems that provided a visual alternative to the command-line interface, enhancing accessibility for non-expert users.[2] Version 3.00, released on July 31, 2002, marked a significant milestone with support for Mac OS X, XML output for structured results, and uptime detection, while version 3.10ALPHA1 in August 2002 introduced initial IPv6 scanning capabilities and a shift to C++ for improved performance and maintainability.[2] Further refinement came in version 4.00 on January 31, 2006, which enhanced raw Ethernet frame support and overall stability, solidifying Nmap's role in professional security auditing.[61] The Nmap Scripting Engine (NSE) represented a pivotal advancement in extensibility, debuting in version 4.21ALPHA1 on December 10, 2006, with 23 initial Lua-based scripts for automating complex tasks like vulnerability detection.[2] Version 5.00, released on July 16, 2009, expanded NSE significantly to 59 scripts, alongside thousands of OS fingerprints and version detection signatures, enabling more sophisticated and customizable scans.[39] This period also saw licensing evolution; Nmap launched under the original Nmap Public Source License—a variant of the GNU General Public License version 2 (GPLv2)—and transitioned in 2009 to a refined version aligned more closely with GPLv2 standards, promoting broader open-source compatibility while retaining protections against proprietary embedding.[62] Community engagement flourished alongside these technical milestones, culminating in the 2008 publication of "Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning" by Gordon Lyon, which served as a comprehensive reference and boosted adoption among administrators and researchers.[9] The project's growth fostered active contributor involvement, with annual developments and events like presentations at major hacking conferences highlighting Nmap's influence, though formal annual Nmap-specific gatherings emerged later in the community's evolution.[63]

Recent Updates and Versions

Nmap has continued to evolve significantly since 2020, with regular releases introducing performance enhancements, expanded detection capabilities, and library updates to maintain its relevance in modern network environments. Version 7.90, released on October 3, 2020, marked a key update by upgrading Npcap to version 1.00 for improved packet capture on Windows, adding support for parallel DNS lookups to accelerate hostname resolution during scans, and incorporating new UDP payloads for better service detection. It also added three new Nmap Scripting Engine (NSE) scripts, bringing the total to 601.[5] Subsequent releases built on this foundation. Version 7.94, released on May 19, 2023, enhanced the OS detection database with 22 new IPv4 fingerprints (total 5,700) and introduced the Nmap Public Source License (NPSL) version 0.95, allowing dual licensing options for broader adoption while maintaining open-source principles. This version included bug fixes for scan reliability, such as improvements to TCP Connect scans and HTTP parsing, alongside NSE updates adding one script (tftp-version) for a total of 612; service version detection was extended to probe UDP services more effectively. Zenmap and Ndiff now use Python 3, Npcap was upgraded to 1.75, and OpenSSL to 3.0.8.[5][64] In 2024, Nmap 7.95, released on April 23, integrated over 4,000 community-submitted IPv4 OS fingerprints (adding 336 signatures, total 6,036) and included support for recent systems like iOS 15 and 16, Android 13 and 14, Linux kernel 6.5, Windows 11 23H2, and more. IPv6 OS detection also saw improvements through ongoing database refinements, with enhanced scripting performance via four additional NSE scripts (total 616) and better service scan accuracy (adding over 2,500 service/version fingerprints, total 12,089). Npcap was upgraded to 1.79, contributing to faster raw packet operations. OpenSSL was updated to 3.0.13.[5][65] The 2025 releases further optimized performance and compatibility. Nmap 7.96, released on May 1, 2025, upgraded Npcap to 1.82 for enhanced injection speeds and introduced advanced parallel forward DNS resolution, enabling scans of large host lists to complete dramatically faster—such as resolving a million names in under an hour. It expanded protocol support with additions like IP protocol 255 handling and added three NSE scripts (total 619), while fixing issues in TCP Connect scans and NSE execution. OpenSSL was upgraded to 3.0.16 and Lua to 5.4.7.[5][66] Later, version 7.97 on May 12 addressed minor DNS resolver and Zenmap stability issues on Windows, with no major new features. Nmap 7.98, released on August 21, 2025, upgraded Npcap to 1.83 for better PPPoE support and performance, updated OpenSSL to 3.0.17 and Lua to 5.4.8 for improved security and scripting, and included NSE TLS enhancements alongside fixes for FTP bounce scans and DNS crashes. It also added one NSE script (total 620) and addressed a security issue in the Windows installer (CVE-2025-43715).[5] Looking ahead, Nmap's development emphasizes community-driven enhancements, with contributions welcomed via the official GitHub repository for features like new scripts and fingerprint submissions. Future efforts are likely to prioritize expanded support for emerging technologies such as IoT devices and 5G networks, building on existing protocol expansions to address evolving security auditing needs.[12]

Licensing and Legal Aspects

License Terms

Nmap is distributed under the Nmap Public Source License (NPSL) version 0.95, introduced with version 7.90 released in October 2020 and updated in subsequent releases, including version 0.95 with 7.94.[62][5] The NPSL is derived from the GNU General Public License version 2 (GPLv2) but includes additional terms and exceptions to address specific concerns about proprietary use and redistribution.[67] It permits individuals and organizations to freely download, use, modify, and redistribute Nmap for personal or commercial purposes, provided that the source code remains publicly available and any derivative works comply with the license terms.[62] Key permissions under the NPSL include the right to copy, modify, and distribute the covered software, with contributors granting perpetual, royalty-free licenses for copyright and patents to ensure ongoing development and user access.[67] Source code is available for review and patching via the official repository, promoting community contributions.[62] However, the license imposes restrictions on proprietary applications: it prohibits distributing Nmap or its components in proprietary hardware or software products without obtaining a separate Nmap OEM redistribution license, which is available for commercial embedding and requires payment.[14] External deployments, such as integrations in services or products, must include attribution to Nmap with a link to https://nmap.org/ where feasible.[67] The NPSL provides no warranty, distributing Nmap "as is" and disclaiming liability for any damages, with users assuming all risks of use.[62] To facilitate transition, versions 7.90 through 7.92 are dual-licensed under both the NPSL and the previous Nmap license (a custom GPLv2-based agreement from version 7.80), allowing compatibility with earlier terms that emphasized free redistribution but also expanded the definition of derivative works to include source integration, data file parsing, and library linking.[68] Earlier versions prior to 7.90 were solely under this custom GPLv2-derived license, which included special exceptions for linking with OpenSSL but was incompatible with unmodified GPL software due to its broadened scope.[68] Compared to the standard GPLv2, the NPSL prioritizes the main license body in cases of conflict, enforcing stricter controls on proprietary redistribution while allowing non-proprietary open-source use; it is not fully GPL-compatible for linking in some scenarios.[67] The Nmap Scripting Engine (NSE) scripts follow the same NPSL terms, ensuring consistency across the project.[62] Revenue for Nmap development primarily comes from related commercial offerings, such as the official book, training courses, and OEM licenses, rather than the core software itself.[69]

Legal and Ethical Considerations

Unauthorized use of Nmap for network scanning can constitute a violation of the Computer Fraud and Abuse Act (CFAA) in the United States, specifically under 18 U.S.C. § 1030, which prohibits unauthorized access to protected computers, potentially leading to criminal penalties including fines and imprisonment depending on intent and damage caused.[70] In jurisdictions outside the U.S., such as the European Union, unauthorized scanning may implicate the General Data Protection Regulation (GDPR) if it results in the exposure or processing of personal data without a lawful basis, exposing users to civil liabilities for privacy breaches.[71] Legal risks vary by jurisdiction and context, with prosecutorial discretion often playing a role in whether scanning without permission escalates to formal charges.[72] Ethical guidelines for Nmap usage emphasize obtaining explicit permission before scanning any network, prioritizing defensive security assessments over offensive reconnaissance to minimize harm.[73] Users should avoid aggressive scan options, such as those that could mimic denial-of-service attacks (e.g., flood pings or high-rate SYN scans), as these may unintentionally disrupt services and raise ethical concerns about proportionality in testing.[74] Corporate and ISP policies frequently restrict port scanning without authorization, viewing it as a potential security threat that could trigger account suspension or termination, even if no laws are broken.[73] Best practices include securing written authorization from network owners prior to any scan, documenting the scope and purpose to demonstrate good faith, and including clear disclaimers in scan outputs to identify the activity as authorized testing.[71] For scenarios where active scanning poses risks, alternatives like passive reconnaissance—monitoring public traffic or DNS records without direct probing—offer a less intrusive means of gathering network intelligence while adhering to ethical standards.[75] The legal landscape for Nmap continues to evolve, particularly in cloud environments; for instance, Amazon Web Services (AWS) permits customers to perform penetration testing, including port scanning, on their own infrastructure without prior approval, but users must comply with terms of service to avoid violations related to excessive resource use or scanning shared services.[76] Recent Nmap releases in 2025, such as version 7.98 (August 2025), incorporate scripting improvements and detection features that support security audits in modern regulatory environments, including hybrid and cloud setups.[5]

Applications and Impact

Practical Examples

Nmap's practical applications span network administration, security auditing, and penetration testing, where specific command combinations enable targeted reconnaissance without overwhelming resources. Users often begin with host discovery to identify active devices on a subnet, followed by more detailed scans to probe services, operating systems, and potential vulnerabilities. These examples draw from standard usage scenarios documented in the official Nmap guide, demonstrating how options like scan types, timing, and scripting integrate for effective results.[77] A basic host discovery scan quickly determines which hosts are online within a local network without performing port scans, conserving time and bandwidth. The best Nmap command for discovering live hosts on a local network is sudo nmap -sn 192.168.1.0/24. This performs host discovery only (no port scanning) and uses ARP requests by default on local Ethernet networks when run with root privileges, making it fast, reliable, and efficient for identifying active hosts.[16] A sample output might appear as: 
Nmap scan report for 192.168.1.1
Host is up (0.00045s latency).
MAC Address: 00:14:22:01:23:45 ([Dell](/page/Dell))
Nmap scan report for 192.168.1.10
Host is up (0.00050s latency).
MAC Address: 00:16:17:AB:CD:EF (Apple)
Nmap done: 256 IP addresses (2 hosts up) scanned in 2.35 seconds
This reveals two active hosts with their MAC addresses (on Ethernet networks) and response latencies, indicating live devices for further scanning; no ports are checked, focusing solely on presence.[16] This simple host discovery technique is particularly useful in bug bounty hunting, where reconnaissance often requires identifying live hosts across large IP ranges. Nmap is generally preferred for IP range host discovery in bug bounty hunting due to its advanced features, high accuracy, and customization capabilities (e.g., -sn for ping scans, timing options like -T4 for speed), as well as its support for deeper analysis such as OS fingerprinting and scripting. It is widely used and recommended in bug bounty guides and communities for reliable, professional-grade discovery.[16][78][41] In contrast, Angry IP Scanner excels in speed and simplicity for quick ping-based sweeps of large IP ranges, thanks to its multi-threaded scanning and user-friendly GUI. However, it lacks Nmap's depth, stealth options, and integration in typical bug bounty toolchains.[58] For a comprehensive scan, administrators combine SYN scanning for efficiency, version detection for service identification, OS fingerprinting, and multi-format output to assess a target's exposure fully. The command nmap -sS -sV -O -oA scan target.com initiates a root-required SYN scan (-sS) on common ports, probes open ports for service versions (-sV), guesses the operating system via TCP/IP stack analysis (-O), and saves results in normal, XML, and grepable formats prefixed with "scan" (-oA).[79][23] An example output snippet could show: 
Nmap scan report for target.com (93.184.216.34)
Host is up (0.045s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 7.4 (Ubuntu Linux; protocol 2.0)
80/tcp  open  http    Apache httpd 2.4.29 ((Ubuntu))
Device type: general purpose
Running: Linux 4.X
OS CPE: cpe:/o:linux:linux_kernel:4
OS details: Linux 4.15
Here, it identifies an Ubuntu Linux server running SSH and Apache, providing actionable details like exact versions for patching priorities.[79] Scanning all TCP ports on the local machine (localhost, which resolves to 127.0.0.1) is a common practice for auditing local services and testing Nmap commands. A standard command for this is nmap -p- localhost, which scans ports 1-65535 (or equivalently nmap -p 1-65535 localhost). For privileged SYN scanning, users often employ sudo nmap -sS -p- localhost. On fast and reliable local connections, the aggressive timing template -T4 is recommended to accelerate the scan (e.g., sudo nmap -sS -p- -T4 localhost). The -A option can be appended for aggressive scanning, enabling OS detection, version detection, script scanning, and traceroute.[26][78][53] Stealthy scans employ slower timing and source obfuscation to evade intrusion detection systems (IDS) during sensitive reconnaissance. The command nmap -sS -T2 -D RND:5 target performs a SYN scan with the "Polite" timing template (-T2), which introduces delays (e.g., 400 ms initial, up to 1 second per probe) and limits retries to ten, reducing the scan's aggressiveness and visibility.[78] Adding -D RND:5 spoofs packets from five random decoy addresses, masking the true scanner's IP in logs.[21] This approach might extend a scan from seconds to minutes but reveals open ports (e.g., 22/tcp open) without alerting firewalls as readily as faster defaults.[78] Vulnerability checks leverage Nmap's Scripting Engine (NSE) to automate detection of common exploits on discovered services. The command nmap --script vuln target executes all scripts in the "vuln" category against the target, probing for issues like weak configurations or known CVEs without a full port scan unless combined with others.[41] For instance, on a host with port 443 open, it might run ssl-heartbleed and output: 
PORT    STATE SERVICE
443/tcp open  [https](/page/HTTPS)
| ssl-heartbleed: 
|   VULNERABLE:
|   [Heartbleed](/page/Heartbleed) CVE-2014-0160
|     Summary: The [Heartbleed](/page/Heartbleed) bug is a [security](/page/Security) vulnerability
|     References:
|       http://cve.[mitre](/page/Mitre).org/cgi-bin/cvename.cgi?name=CVE-2014-0160
|_      [https](/page/HTTPS)://nmap.org/nsedoc/scripts/ssl-heartbleed.html
This flags the Heartbleed vulnerability if present, enabling immediate remediation; scripts like this were developed rapidly post-disclosure for broad coverage.[41] Scanning large networks benefits from input files and optimized parameters to handle thousands of hosts efficiently. The command nmap -iL hosts.txt -sU -T4 reads targets from hosts.txt (one IP per line), performs a UDP scan (-sU) to identify services like DNS or SNMP, and uses "Aggressive" timing (-T4) for faster execution by minimizing delays and increasing parallelism.[80][21][78] On a file with 1,000 entries, output might summarize: 
Nmap scan report for 192.168.1.100
Host is up.
PORT    STATE         SERVICE
53/udp  open          domain
123/udp open|filtered ntp
Nmap done: 1000 IP addresses (150 hosts up) scanned in 45.2 seconds
It highlights UDP services (e.g., domain on port 53), revealing broadcast or connectionless exposures in enterprise environments where TCP scans alone miss them.[80]

Use in Academia

Nmap serves as a foundational tool in cybersecurity education, particularly in courses focused on ethical hacking and network security. It is prominently featured in the Certified Ethical Hacker (CEH) certification program offered by EC-Council, where trainees learn to use Nmap for reconnaissance, port scanning, and vulnerability identification as part of modules on system hacking and IoT/OT security.[81] In older CompTIA Linux+ objectives (e.g., LX0-104), objective 109.2 on basic network configuration covers manual/automatic interface configuration, TCP/IP setup, and routing, with related troubleshooting using tools like nmap and netstat to discover open ports on systems.[82] In current versions (e.g., XK0-005), network configuration and troubleshooting are covered under domain 4, but Nmap is more prominently featured in CompTIA Security+ (SY0-701) for network scanning, port discovery, and reconnaissance as part of vulnerability assessment and operations.[83] In university settings, Nmap is integrated into curricula at institutions such as the Massachusetts Institute of Technology (MIT), where it is taught in the Post Graduate Certificate in Cybersecurity for hands-on labs involving network mapping and OS detection.[84] Similarly, Purdue University incorporates Nmap in lectures on port and vulnerability scanning, emphasizing its role in protocol analysis and service enumeration.[85] Other programs, like those at Pacific University and Stony Brook University, utilize Nmap in practical labs for TCP SYN scans and bootcamp exercises on network protocol analysis.[86][87] In academic research, Nmap supports studies in network cartography and vulnerability assessment, enabling researchers to map device topologies and identify exposed services. For instance, IEEE publications have leveraged Nmap for IoT device discovery, such as in multilayer perceptron-based identification methods that actively probe networks to classify devices by their responses.[88] Its version detection capabilities are cited in vulnerability research, where scans reveal outdated software versions prone to exploits. The tool's scripting engine allows customization for specialized probes, facilitating automated data collection in empirical studies on network resilience. Academic contributions to Nmap include submissions to its OS and service databases, which rely on community-sourced fingerprints from researchers to enhance detection accuracy. Scholars have provided TCP/IP stack signatures for emerging operating systems, updating the nmap-os-db to include IoT-specific variants, thereby improving global scan reliability.[34] Additionally, the Nmap Scripting Engine (NSE) enables academics to develop bespoke scripts for research, such as vulnerability enumeration in simulated environments.[89] Recent case studies from the 2020s highlight Nmap's application in IoT security analysis, including a 2018 study using port scans to assess web camera vulnerabilities in cloud-integrated setups, revealing default credentials and open ports.[90] In virtual testbeds, researchers employed Nmap to evaluate IoT communication security, identifying misconfigurations through service version probing.[91] Recent updates, such as Nmap 7.98 (August 2025), include enhanced IoT and cloud service detection, supporting advanced research in these areas.[5] These works underscore Nmap's utility in replicating real-world attack vectors for defensive strategy development. Despite its strengths, Nmap's use in research faces limitations, particularly ethical constraints requiring Institutional Review Board (IRB) approvals for live network scans to avoid unauthorized access or disruption.[92] Consequently, studies often prefer simulated environments, such as virtual IoT testbeds, to mitigate legal risks while maintaining experimental validity, as seen in health information system hacking simulations.[93]

Depictions in Popular Culture

Nmap has appeared in several films, often as a visual shorthand for network reconnaissance during hacking sequences. In the 2007 action thriller Live Free or Die Hard, the character Matthew Farrell, played by Justin Long, performs an aggressive Nmap scan using the -A option on targets including insecure.org, scanme.nmap.org, and sectools.org to demonstrate network vulnerabilities early in the plot.[94] Similarly, in The Bourne Ultimatum (2007), CIA operatives employ Nmap alongside its graphical interface Zenmap to infiltrate a newspaper's mail server, highlighting the tool's role in covert operations.[94] These depictions, while simplified, draw from Nmap's real-world capabilities for port scanning and service detection, though they accelerate processes unrealistically for dramatic effect.[95] On television, Nmap features in hacking-themed narratives to lend authenticity to technical scenes. The series Mr. Robot (2015–2019) incorporates Nmap among other tools like Metasploit and Kali Linux in its portrayal of cybersecurity exploits, reflecting realistic command-line interfaces during reconnaissance phases.[96] In the Japanese anime Bloody Monday (2008), the protagonist Falcon repeatedly uses Nmap across episodes to scan networks and avert terrorist threats, emphasizing its utility in high-stakes digital investigations.[94] Such inclusions help bridge entertainment with technical accuracy, though the shows often condense complex scans into seconds. In literature, Nmap appears in fictional accounts of cyber intrusions, blending real tool usage with narrative tension. The anthology Stealing the Network: How to Own the Box (2004), a collection of short stories simulating hacker operations, includes a contribution by Nmap's creator Gordon Lyon (Fyodor) that integrates Nmap scans into a tale of network compromise, showcasing its scripting engine for vulnerability detection.[97] This work, published by Syngress, uses Nmap to illustrate reconnaissance tactics in a semi-fictional context, influencing how readers perceive ethical hacking. Within online hacker communities, Nmap permeates cultural expressions like Capture The Flag (CTF) challenges, where it serves as a foundational tool for enumeration in competitive scenarios. Platforms such as TryHackMe and Hack The Box feature Nmap prominently in beginner-to-advanced CTFs, fostering its status as an iconic element of hacker lore through tutorials and walkthroughs that mimic real-world pentesting.[98] Its ubiquity has inspired memes in cybersecurity forums, often humorously exaggerating scan times or output verbosity to capture the tool's everyday frustrations and triumphs among practitioners.[99] These portrayals have heightened public awareness of network security concepts, introducing Nmap's role in discovery to non-experts via familiar media. However, dramatizations frequently exaggerate speeds and outcomes—such as instantaneous global mappings—perpetuating myths that undermine realistic cybersecurity education, as critiqued by experts who note the tool's actual reliance on methodical probing.[100][95] Despite inaccuracies, such references have popularized Nmap, encouraging interest in ethical hacking and tools for defensive auditing.[101]

References

  1. Nmap: the Network Mapper - Free Security Scanner
  2. The History and Future of Nmap | Nmap Network Scanning
  3. Authors | Nmap Network Scanning
  4. https://nmap.org/data/COPYING
  5. Nmap Changelog
  6. https://docs.rapid7.com/insightvm/nmap-upgrade-march-2026/
  7. Chapter 1. Getting Started with Nmap | Nmap Network Scanning
  8. Nmap Introduction - Phrack 51, Article 11
  9. Nmap Network Scanning - is the official guide to the
  10. Gordon "Fyodor" Lyon - Insecure.Org
  11. Insecure.Org - Nmap Free Security Scanner, Tools & Hacking ...
  12. Nmap - the Network Mapper. Github mirror of official SVN repository.
  13. Npcap: Windows Packet Capture Library & Driver
  14. Nmap OEM Edition—Redistribution License
  15. Host Discovery Techniques | Nmap Network Scanning
  16. Nmap Reference Guide: Host Discovery
  17. https://www.rfc-editor.org/rfc/rfc792.txt
  18. https://www.rfc-editor.org/rfc/rfc1122.txt
  19. TCP Idle Scan (-sI) | Nmap Network Scanning
  20. IPv6 Scanning (-6) - Nmap
  21. Port Scanning Techniques - Nmap
  22. Nmap Reference Guide: Firewall/IDS Evasion and Spoofing
  23. Nmap Reference Guide: Output
  24. http://www.rfc-editor.org/rfc/rfc793.txt
  25. http://www.rfc-editor.org/rfc/rfc768.txt
  26. Port Specification and Scan Order | Nmap Network Scanning
  27. Timing and Performance | Nmap Network Scanning
  28. Nmap Reference Guide
  29. Service and Version Detection | Nmap Network Scanning
  30. Version Detection Using NSE | Nmap Network Scanning
  31. https://nmap.org/cgi-bin/submit.cgi
  32. OS Detection | Nmap Network Scanning
  33. TCP/IP Fingerprinting Methods Supported by Nmap
  34. Nmap OS Detection DB
  35. https://nmap.org/book/osdetect-unidentified.html
  36. Usage and Examples | Nmap Network Scanning
  37. Understanding an Nmap Fingerprint | Nmap Network Scanning
  38. Nmap Scripting Engine (NSE)
  39. Nmap 5.00 Release Notes
  40. Usage and Examples | Nmap Network Scanning
  41. Chapter 9. Nmap Scripting Engine | Nmap Network Scanning
  42. NSEDoc Reference Portal — Nmap Scripting Engine documentation
  43. https://nmap.org/book/nse-api.html
  44. http-enum NSE script — Nmap Scripting Engine documentation
  45. Nmap NSE Documentation: http-methods
  46. Nmap NSE Documentation: http-title
  47. smb-vuln-ms17-010 NSE script — Nmap Scripting Engine documentation
  48. https://nmap.org/nsedoc/scripts/http-default-accounts.html
  49. https://nmap.org/nsedoc/scripts/http-server-header.html
  50. https://nmap.org/nsedoc/scripts/http-security-headers.html
  51. Npcap Changelog
  52. Chapter 6. Optimizing Nmap Performance | Nmap Network Scanning
  53. Options Summary | Nmap Network Scanning
  54. Grepable Output (-oG) | Nmap Network Scanning
  55. Automating nmap scans - SANS Internet Storm Center
  56. Chapter 12. Zenmap GUI Users' Guide | Nmap Network Scanning
  57. Zenmap - Official cross-platform Nmap Security Scanner GUI
  58. Angry IP Scanner Official Website
  59. Angry IP Scanner | Bugcrowd Glossary
  60. Preface | Nmap Network Scanning
  61. Nmap 4.00 Press Release - Insecure.Org
  62. Nmap Public Source License
  63. Fyodor's Nmap Presentations (Video, Audio, and Slides)
  64. Nmap 7.94 Released: What's New! - GBHackers
  65. Nmap 7.95 released: New OS and service detection signatures
  66. Nmap 7.96 Launches with Enhanced Scanning Capabilities and ...
  67. Nmap Public Source License - Annotated Text
  68. previous Nmap license terms
  69. Legal Notices | Nmap Network Scanning
  70. Exploring Reddit Users' Questions and Advice on the Legality of Port ...
  71. Ethical Considerations and Legal Aspects of Network Scanning with ...
  72. Is Port Scanning Legal or Illegal in 2025? - StationX
  73. Legal Issues | Nmap Network Scanning
  74. Legal Considerations for Widespread Scanning | Rapid7 Blog
  75. Nmap scanning techniques - LevelBlue
  76. Penetration Testing - Amazon Web Services (AWS)
  77. Examples | Nmap Network Scanning
  78. Timing Templates (-T) | Nmap Network Scanning
  79. Port Scanning Basics - Nmap
  80. Target Specification | Nmap Network Scanning
  81. CEH Certification | Ethical Hacking Training & Course - EC-Council
  82. CompTIA Linux+ Certification Exam 2 Objectives (LX0-104)
  83. CompTIA Security+ (SY0-701) Exam Objectives
  84. MIT xPRO Post Graduate Certificate in Cybersecurity course
  85. [PDF] Lecture 23: Port and Vulnerability Scanning, Packet
  86. Lab 3 - Scanning with Nmap - Pacific Cybersecurity
  87. Online Cybersecurity Bootcamp - Stony Brook University
  88. Identification and Analysis of IoT Devices Based on Multilayer ...
  89. (PDF) A REVIEW ON NMAP AND ITS FEATURES - Academia.edu
  90. [PDF] IoT Security Vulnerability: A Case Study of a Web Camera - icact
  91. https://www.theseus.fi/bitstream/handle/10024/899582/Karki_Saurav.pdf?sequence=3&isAllowed=y
  92. [PDF] Applying Ethical Principles to Information and Communication ...
  93. Artificial Intelligence–Based Ethical Hacking for Health Information ...
  94. Movies Featuring the Nmap Security Scanner
  95. What Hollywood gets right and wrong about hacking
  96. An In-Depth Analysis of Hacking Realism in Mr. Robot - CertLibrary ...
  97. Ask HN: Recommendations of good cybercrime novels?
  98. HTB's 15 must-know Nmap commands in 2024
  99. Top 29 Cybersecurity Memes of 2025 - Security Compass
  100. How Movies and TV Influence Cybersecurity Awareness
  101. Lights, Camera, Hacking: Cyber Experts Critique Hollywood Hackers
User Avatar
No comments yet.