Phases of an NMAP scan

Step-by-step towards the network

Vishal Gorai
7 min readDec 20, 2019

Hello readers, hope you all doing well.

For security researchers and hackers nmap must be their breakfast to start their day with. Well, given the diverse functionality and extreme flexibility, it certainly deserves its dominance.

nmap logo
nmap logo

Nmap (“Network Mapper”) is a free and open source utility for network discovery and security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime.

There are a good number of blogs enumerating nmap usage, scan types and other utilities. I’ll personally list them at the end. But I didn’t find any reagrding the phases an NMAP scan goes through. This blog will just take you through nmap scan phases with its outcome on the terminal. For futher research and contribution, I recommend you to go through the official website of nmap.

1. Target Enumeration

You must have been always scanning a particular IP, or single IP at a time. No offence, as 80% of the nmap users do so. But nmap is more to this. It can take combination of host DNS names, IP addresses, CIDR network notations. This is an essential step and cannot be skipped. But you make nmap’s task easy by simply providing an IP, so no further resolution is required.

Here, -sL switch comes very very handy to actually identify you targets. The stealth here is : It discovers its host without sending any packets to the target system, so this scan escapes IDS.

Supposing you need to pentest on Jharkhand government webiste(assuming you’ve all required written auth), mapping with -sL gives you a proper list of IPs under your jurisdiction.

nmap -sL
-sL is very useful for planning targets and playing safe.

From the output, it is absolutely clear that you can only test on, because only that IP comes under with CIDR 29 (rest IPs are under some other organisations). Stay away from the other IP addresses as it may land you a handsome civil and criminal charge.

Always perform -sL with CIDR 24 as it gives complete flexibility, though it may take very long time

On further recon, I evaluated that IP itself gives you acess to these sites :

subdomains with

2. Host Discovery

Scans begin by discovering which hosts are actually up (active) and thus are worth deeper investigaton. Nmap offers various host discovery techniques. Nmap offers many host discovery techniques, ranging from quick ARP requests to elaborate combinations of TCP, ICMP, and other types of probes This phase is run by default, though you can skip it (simply assume all target IPs are online) using the -Pn (no ping) option. To quit after host discovery, specify -sn

The -sn switch is very useful, it only specifies whether the host is active or not. It allows light reconnaissance of a target network without attracting much attention.

-sn for one IP address
-sn for host discovery from a total of 64 IP addresses.

Knowing how many hosts are up is more valuable to attackers than the list provided by list scan of every single IP and host name . As shown above form the given CIDR a total of 64 address are there, but only 1 is active rest hosts are down, so it saves time os scanning the inactive IPs for the particular network range.

Not only can nmap scan IPs it can also do with the domain names. It is capable of reverse DNS lookups for the input provided. This feature makes it more human friendly, as we tend to remember domain names more than their IP addresses. This runs by default, but it may be skipped with the -n (no DNS resolution), DNS can be slow even with Nmap’s built-in parallel stub resolver, this option reduces scanning times.

Prefer using -n option for speedy results.

fast scan by removing reverse DNS lookup

3. Port Scanning

This is Nmap’s core operation. Probes are sent, and the responses (or non-responses) to those probes are used to classify remote ports into states such as open, closed, or filtered.

There are many mechanisms by which you can scan and confirm wich ports are open or closed. Sometimes, one scan technique can yield different results that the other due to various firewalls restrictions and filtering.

-sSSYN Stealth port scan

-sT TCP Connect port scan

-sT UDP port scan

-sT TCP ACK port scan

-p Port or port range (eg. -p1–10000)

-p- For scanning all 65535 ports

-F scanning first 100 ports

an example of -sS SYN scan against

Its always better to perform successive scans with multiple ways. Scanning all 65535 ports but it takes very very long, instead break it down into batches of thousands and run all simultaneoulsy.

time consumption increases upon scanning all 65635 ports. For a single IP scanning all 65535 ports would take about 40 minutes.

4. Service and Version Detection

If any ports are found to be open, Nmap may be able to determine what server software is running on the remote system. It does this by sending a variety of probes to the open ports and matching any responses against a database of thousands of more than 6,500 known service signatures. It is not a by-default service and is enabled with the -sV option.

Output with and without service versions

5. OS Detection

If requested with the -O option, Nmap proceeds to Operating System (OS)detection. Different operating systems implement network standards in subtly different ways. By measuring these differences it is often possible to determine the operating system running on a remote host. Nmap matches responses to a standard set of probes against a database of more than a thousand known operating system responses.

Probable OS of the host machine.

Assigning -sV also does the job of OS Detection. Personally, I prefer -sV more than -O .

-sV and -O shows almost equal results

6. Traceroute

Nmap contains an optimized traceroute implementation, enabled by the --traceroute option. It can find the network routes to many hosts in parallel, using the best available probe packets as determined by Nmap's previous discovery phases

I work in virtual box, so my — traceroute doesn’t show up many nodes. But in main machine it should.

7. Script Scanning

Most Nmap Scripting Engine (NSE) scripts run during this main script scanning phase, rather than the prescan and postscan phases. NSE is powered by the Lua programming language and a standard library designed for network information gathering. Scripts running during this phase generally run once for each target host and port number that they interact with. They commonly perform tasks such as detecting service vulnerabilities, malware discovery, collecting more information from databases and other network services, and advanced version detection. NSE is not an option by default. You request it by options switches such as --script or -sC.

8. Output

Nmap collects all the information it has gathered and writes it to the screen or to a file. Nmap can write output in several formats. Its default, human-readable format (interactive format) is usually presented in this book. Nmap also offers an XML-based output format, among others.

-O <filename> Produces output in normal format. No need of example, this is the format we’ve been following from the

-oX <filename>.xml This produces output in XML format.

to get output in XML format

The output in XML can be coverted to html by xsltproc report.xml -o myreport.html and then opening the new report in any browser.

nmap output in XML format

Disclaimer : Using Nmap against a target or network without explicit permission can be illegal under you jurisdiction and hence should therefore not be attempted. Please get authorisation before scanning any organisations network. Please read the following excerpt from nmap before hitting your terminal with nmap.


Thanks for your time. I hope you now know to recon an a target better than you friends. Well, I promised you to give you refernce to other very elaborative nmap blogs. Those are :

  1. by Prakash Sivakumar

2. by Sanyam Chnawla

If you gained knowledge, and found it explanatory enough, do like and share among your hacker friends.