Nmap Guide: Scanning Networks and Detecting Vulnerabilities

Nmap (Network Mapper) is an open-source utility used for network exploration and security auditing. It enables system administrators and developers to discover hosts, detect services, and uncover potential vulnerabilities within a network. Nmap reveals which ports are active, what services are listening, and even which operating system runs on the target machine.

This guide demonstrates essential Nmap operations, including scanning hosts for open ports, identifying the services running on them, and using the Nmap Scripting Engine (NSE) for vulnerability detection. You will also learn to interpret the scan output and take preventive security steps.

Prerequisites

Before proceeding, ensure the following:

  • You have access to a Linux-based system.
  • Your user account has sudo privileges but is not the root user.

The nmap Command

This section outlines the syntax of the nmap command and explains its main components.

Command Syntax

nmap [SCAN TYPES...] [OPTIONS] TARGET

Where:

  • [SCAN TYPES…]: Defines the method Nmap uses to probe the target and identify open ports.
  • [OPTIONS]: Additional flags or parameters that modify how Nmap performs scans and displays results.
  • TARGET: Specifies the system(s) to be scanned. This can be an IP address, hostname, range, or subnet.

Common Scan Types

Below are the most frequently used scan types. Some require elevated privileges.

Option   Description
-sS      TCP SYN scan (default, requires root)
-sT      TCP connect scan
-sU      UDP scan
-sn      Host discovery only, skips port scan
-sV      Service version detection
-O       Operating system detection
-A       Aggressive scan, enables -sV, -O, and -sC

Common Command Options

Option               Flag   Description
Port Specification   -p     Specify ports to scan, e.g., -p 22,80,443.
Fast Scan            -F     Scans the top 100 most common ports.
Verbose Output       -v     Displays detailed scan progress.

Performing a Basic Port Scan

Use Nmap to identify open TCP ports, which could represent possible entry points. This example uses localhost as the target. Replace it with any host you are authorized to scan.

By default, Nmap checks the 1,000 most common ports. Run the following command to perform a basic scan:

$ sudo nmap localhost

Sample Output

Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-10-03 21:49 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000011s latency).
Other addresses for localhost (not scanned): ::1
Not shown: 997 closed tcp ports (reset)
PORT     STATE SERVICE
22/tcp   open  ssh
3001/tcp open  nessus
5432/tcp open  postgresql

Nmap done: 1 IP address (1 host up) scanned in 0.07 seconds

Interpreting the Results

  • Not shown: 997 closed tcp ports (reset) – Nmap received a TCP reset from each of these ports, meaning nothing is listening on them; they are omitted from the table so only the interesting ports appear. Filtered ports (no response at all, usually because of a firewall) would be reported separately.
  • PORT – Displays the port number and protocol.
  • STATE – Indicates whether the port is open, closed, or filtered.
  • SERVICE – Identifies the detected service running on that port.

In this output, the open ports include 22 (SSH), 3001 (Nessus), and 5432 (PostgreSQL).

Detecting Service Versions and Operating Systems

Use Nmap to identify specific service versions running on open ports. This is valuable for detecting outdated or insecure software.

Execute the following command to perform version detection:

$ sudo nmap -sV localhost

Sample Output

Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-10-03 21:56 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000011s latency).
Other addresses for localhost (not scanned): ::1
Not shown: 997 closed tcp ports (reset)
PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 9.6p1 Ubuntu 3ubuntu13.13 (Ubuntu Linux; protocol 2.0)
3001/tcp open  nessus?
5432/tcp open  postgresql PostgreSQL DB 9.6.0 or later

This output reveals details such as the detected OpenSSH and PostgreSQL versions. The question mark next to Nessus means the identification is uncertain and may require manual verification.
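Both scan reports above are plain text, so a few lines of POSIX sh and awk are enough to triage them. The script below is an added example, not part of the Vultr guide or of Nmap itself: it embeds the version-detection report from this section as a constructed sample, lists the open ports, compares them against an allowlist of ports you expect to be open, pulls out the services Nmap marked with a "?" so they can be verified by hand, and extracts the VERSION column for an inventory. The function names and the allowlist value are assumptions made for the example.

```shell
#!/bin/sh
# Added example: triage Nmap normal-format output with POSIX sh + awk.
# Constructed sample input: the -sV report shown in this guide, embedded so the
# script runs offline (feed it live "nmap -sV <host>" output in practice).
SAMPLE_REPORT='Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-10-03 21:56 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000011s latency).
Other addresses for localhost (not scanned): ::1
Not shown: 997 closed tcp ports (reset)
PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 9.6p1 Ubuntu 3ubuntu13.13 (Ubuntu Linux; protocol 2.0)
3001/tcp open  nessus?
5432/tcp open  postgresql PostgreSQL DB 9.6.0 or later'

# open_ports: read a report on stdin and print "port/proto service" for every
# line whose STATE column is "open". Matching on the port column skips the
# header and the summary lines.
open_ports() {
    awk '$1 ~ /^[0-9]+\/(tcp|udp|sctp)$/ && $2 == "open" { print $1, $3 }'
}

# unexpected_ports "22/tcp 443/tcp": print open ports missing from the
# space-separated allowlist; exit 1 if any were printed, 0 otherwise.
unexpected_ports() {
    open_ports | awk -v allow=" $1 " '
        index(allow, " " $1 " ") == 0 { print; bad = 1 }
        END { exit bad }'
}

# uncertain_services: open ports whose SERVICE guess ends in "?", i.e. Nmap
# saw the port open but could not match the banner to a known service.
uncertain_services() {
    open_ports | awk '$2 ~ /\?$/'
}

# service_versions: "port/proto <VERSION column>" for open ports where -sV
# filled in a version string (lines with nothing after SERVICE are skipped).
service_versions() {
    awk '$1 ~ /^[0-9]+\/(tcp|udp|sctp)$/ && $2 == "open" && NF > 3 {
        port = $1; $1 = $2 = $3 = ""; sub(/^ +/, ""); print port, $0 }'
}

# Demo run against the constructed sample, with an allowlist of just SSH.
echo "== open ports =="
printf '%s\n' "$SAMPLE_REPORT" | open_ports
echo "== open ports not in allowlist (22/tcp) =="
printf '%s\n' "$SAMPLE_REPORT" | unexpected_ports "22/tcp" || echo "-> review the ports above"
echo "== uncertain service guesses =="
printf '%s\n' "$SAMPLE_REPORT" | uncertain_services
echo "== detected versions =="
printf '%s\n' "$SAMPLE_REPORT" | service_versions
```

Against live output you would run something like `sudo nmap -sV localhost | unexpected_ports "22/tcp"`; a non-zero exit status means something is listening that is not on your allowlist. For anything beyond a quick check, prefer Nmap's grepable (-oG) or XML (-oX) output formats, since the normal format is intended for humans and its layout is not guaranteed to stay stable.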

Vulnerability Scanning with the Nmap Scripting Engine (NSE)

The Nmap Scripting Engine (NSE) extends Nmap with Lua scripts that automate tasks such as vulnerability detection. Scripts in the vuln category check a host for known vulnerabilities. This section demonstrates creating a deliberately weak vsftpd configuration and identifying it with an NSE script.

Installing vsftpd

On Ubuntu or Debian systems, run:

$ sudo apt install -y vsftpd

On Rocky Linux or RHEL systems, run:

$ sudo dnf install -y vsftpd

Creating a Vulnerability (Anonymous Login)

To simulate a vulnerability, enable anonymous login in the vsftpd configuration.

Edit the configuration file:

$ sudo nano /etc/vsftpd.conf

Locate the line anonymous_enable=NO and change it to YES. Save the file and restart the service:

$ sudo systemctl restart vsftpd

Running a Vulnerability Scan

Now use the ftp-anon NSE script to test if the FTP server allows anonymous access:

$ sudo nmap -p 21 --script ftp-anon localhost

Sample Output

Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-08-22 11:04 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00010s latency).
Other addresses for localhost (not scanned): ::1

PORT   STATE SERVICE
21/tcp open  ftp
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)

Nmap done: 1 IP address (1 host up) scanned in 0.14 seconds

The scan confirms the issue: anonymous FTP access is permitted (FTP reply code 230, "User logged in").

Fixing the Vulnerability

Disable anonymous login to close the detected security gap.

Edit the configuration again:

$ sudo nano /etc/vsftpd.conf

Change the line anonymous_enable=YES back to NO, then restart the service:

$ sudo systemctl restart vsftpd

Run the scan again to confirm the issue is resolved. When anonymous login is refused, the ftp-anon script reports nothing, so port 21 is listed without a script result line:

$ sudo nmap -p 21 --script ftp-anon localhost

Output

Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-08-22 11:19 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00010s latency).
Other addresses for localhost (not scanned): ::1

PORT   STATE SERVICE
21/tcp open  ftp

Nmap done: 1 IP address (1 host up) scanned in 2.53 seconds
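To make the check in this section repeatable, the following POSIX sh script is an added example (not part of the guide or of vsftpd) that audits a vsftpd.conf for the anonymous_enable setting and rewrites it to NO. It works on a constructed temporary copy; the function names and the sample config contents are assumptions for the example. On a real host you would point it at /etc/vsftpd.conf with sudo, then restart the service and re-run the ftp-anon scan as shown above.

```shell
#!/bin/sh
# Added example: audit and remediate anonymous_enable in a vsftpd.conf.
# The functions take a file path, so they are exercised here on a constructed
# temporary copy; use them on /etc/vsftpd.conf (with sudo) on a real host.

# make_sample_conf: write a constructed config containing the weak setting
# from the guide and print its path. This is not the real package default file.
make_sample_conf() {
    f=$(mktemp) || exit 1
    cat > "$f" <<'EOF'
# constructed vsftpd.conf fragment for this example
listen=NO
listen_ipv6=YES
anonymous_enable=YES
local_enable=YES
EOF
    echo "$f"
}

# anon_enabled CONF: exit 0 when anonymous login is effectively on.
# Mirrors how vsftpd reads the file: lines starting with '#' are comments,
# the last assignment wins, YES/TRUE/1 are true (case-insensitive), and a
# missing anonymous_enable line falls back to vsftpd's documented default of
# YES, so merely commenting the line out does not disable anonymous login.
anon_enabled() {
    awk -F= '
        BEGIN { v = "YES" }
        /^#/ { next }
        $1 == "anonymous_enable" { v = toupper($2) }
        END { exit ((v == "YES" || v == "TRUE" || v == "1") ? 0 : 1) }' "$1"
}

# disable_anon CONF: rewrite every anonymous_enable line to NO, writing to a
# temp file first so a failed sed never leaves a truncated config behind.
disable_anon() {
    sed 's/^anonymous_enable=.*/anonymous_enable=NO/' "$1" > "$1.new" && mv "$1.new" "$1"
}

# Demo: find the weak setting in the sample copy, fix it, and re-check.
conf=$(make_sample_conf)
if anon_enabled "$conf"; then
    echo "FINDING: anonymous FTP login enabled in $conf"
    disable_anon "$conf"
    anon_enabled "$conf" || echo "fixed: $(grep '^anonymous_enable=' "$conf")"
fi
rm -f "$conf"
```

The starting value of YES in anon_enabled is deliberate: the vsftpd man page documents the compiled-in default for anonymous_enable as YES, so a configuration that omits the line, or has it commented out, is still open to anonymous login. A check that only greps for anonymous_enable=YES would miss that case.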

Conclusion

This guide demonstrated how to use Nmap to perform network scanning and identify potential vulnerabilities. You executed different scan types, analyzed service versions, tested for anonymous FTP access, and secured your configuration accordingly. For advanced use cases, consult the official Nmap documentation.

Source: vultr.com
