Phases of an NMAP scan

Step-by-step towards the network

Vishal Gorai
7 min readDec 20, 2019


Hello readers, hope you all doing well.

For security researchers and hackers nmap must be their breakfast to start their day with. Well, given the diverse functionality and extreme flexibility, it certainly deserves its dominance.

Nmap (“Network Mapper”) is a free and open source utility for network discovery and security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime.

There are a good number of blogs enumerating nmap usage, scan types and other utilities. I’ll personally list them at the end. But I didn’t find any reagrding the phases an NMAP scan goes through. This blog will just take you through nmap scan phases with its outcome on the terminal. For futher research and contribution, I recommend you to go through the official website of nmap.

1. Target Enumeration

You must have been always scanning a particular IP, or single IP at a time. No offence, as 80% of the nmap users do so. But nmap is more to this. It can take combination of host DNS names, IP addresses, CIDR network notations. This is an essential step and cannot be skipped. But you make nmap’s task easy by simply providing an IP, so no further resolution is required.

Here, -sL switch comes very very handy to actually identify you targets. The stealth here is : It discovers its host without sending any packets to the target system, so this scan escapes IDS.

Supposing you need to pentest on Jharkhand government webiste(assuming you’ve all required written auth), mapping with -sL gives you a proper list of IPs under your jurisdiction.

nmap -sL
-sL is very useful for planning targets and playing safe.

From the output, it is absolutely clear that you can only test on, because only that IP comes under with CIDR 29 (rest IPs are under some other organisations). Stay away from the other IP addresses as it may land you a handsome civil and criminal charge.

Always perform -sL with CIDR 24 as it gives complete flexibility, though it may take very long time