Nmap Scanning Techniques: Service Detection, NSE Scripts, and Evasion
Nmap is the undisputed standard for network reconnaissance. While most penetration testers know the basics, mastering its full feature set — NSE scripts, evasion techniques, and output formats — is what separates a thorough assessment from a superficial scan. This guide covers everything you need for professional-grade nmap usage.
Port Scan Types
Figure (chart not reproduced): Nmap Scan Type, Speed vs Stealth Score, scored 1-10 (higher = stealthier).
| Scan Type | Flag | Use Case | Noise Level | Requires Root |
|---|---|---|---|---|
| SYN Stealth | -sS | Default, fast, harder to detect | Low | Yes |
| TCP Connect | -sT | No root needed, fully open | High | No |
| UDP Scan | -sU | Find DNS, SNMP, NTP services | Medium | Yes |
| Version Detection | -sV | Identify service versions | Medium | No |
| OS Detection | -O | Fingerprint OS | Medium | Yes |
| Script Scan | -sC | Run default NSE scripts | Medium | No |
| Aggressive | -A | OS + version + scripts + traceroute | High | Yes |
| FIN Scan | -sF | Firewall evasion (no SYN) | Low | Yes |
SYN Scan (Default, Stealth)
```bash
# SYN scan — requires root, doesn't complete TCP handshake
sudo nmap -sS 192.168.1.10
# Fast scan (-F): top 100 ports instead of the default top 1000
sudo nmap -sS -F 192.168.1.0/24
# All 65535 ports
sudo nmap -sS -p- 192.168.1.10
# Specific port ranges
sudo nmap -sS -p 22,80,443,8080-8090,3000-3010 192.168.1.10
```
UDP Scan
```bash
# UDP scan (slow — sends probes and waits for ICMP unreachable responses)
sudo nmap -sU 192.168.1.10
# Top UDP ports only (much faster)
sudo nmap -sU --top-ports 200 192.168.1.10
# Combine TCP SYN + UDP
sudo nmap -sS -sU -p U:53,161,123,T:22,80,443 192.168.1.10
```
Version and OS Detection
```bash
# Service version detection (-sV)
sudo nmap -sV 192.168.1.10
# OS detection (-O)
sudo nmap -O 192.168.1.10
# Aggressive detection — version, OS, script scan, traceroute
sudo nmap -A 192.168.1.10
# Version intensity (0-9, default 7)
sudo nmap -sV --version-intensity 9 192.168.1.10
```
Essential NSE Scripts
Nmap Scripting Engine (NSE) scripts dramatically extend nmap's capabilities. Scripts are categorised by type: auth, broadcast, brute, default, discovery, exploit, external, fuzzer, intrusive, malware, safe, version, vuln.
SMB Scripts
```bash
# Check for EternalBlue / MS17-010
nmap -p 445 --script smb-vuln-ms17-010 192.168.1.10
# All SMB vulnerability scripts
nmap -p 445 --script "smb-vuln-*" 192.168.1.10
# SMB security mode (signing status)
nmap -p 445 --script smb-security-mode,smb2-security-mode 192.168.1.0/24
# Enumerate shares, users, sessions
nmap -p 445 --script smb-enum-shares,smb-enum-users 192.168.1.10 --script-args smbuser=admin,smbpass=password
```
HTTP Scripts
```bash
# Detect common web vulnerabilities
nmap -p 80,443,8080 --script http-title,http-headers,http-methods 192.168.1.10
# Find default credentials on web apps
nmap -p 80,443 --script http-default-accounts 192.168.1.10
# Enumerate directories
nmap -p 80 --script http-enum 192.168.1.10
# SQL injection detection
nmap -p 80 --script http-sql-injection --script-args httpspider.maxpagecount=10 192.168.1.10
# XSS detection
nmap -p 80 --script http-stored-xss,http-xssed 192.168.1.10
# WebDAV check
nmap -p 80 --script http-webdav-scan 192.168.1.10
```
SSL/TLS Scripts
```bash
# SSL/TLS cipher enumeration
nmap -p 443 --script ssl-enum-ciphers 192.168.1.10
# Heartbleed detection
nmap -p 443 --script ssl-heartbleed 192.168.1.10
# DROWN (SSLv2), weak DH params (Logjam), POODLE, CCS injection
nmap -p 443 --script sslv2-drown,ssl-dh-params,ssl-poodle,ssl-ccs-injection 192.168.1.10
# Certificate information
nmap -p 443 --script ssl-cert 192.168.1.10
```
Other Useful Scripts
```bash
# DNS zone transfer
nmap -p 53 --script dns-zone-transfer --script-args dns-zone-transfer.domain=target.com 192.168.1.10
# FTP anonymous login
nmap -p 21 --script ftp-anon,ftp-bounce 192.168.1.10
# MySQL enumeration
nmap -p 3306 --script mysql-info,mysql-empty-password,mysql-databases 192.168.1.10
# Redis check
nmap -p 6379 --script redis-info 192.168.1.10
# Run all vuln scripts (noisy but comprehensive)
sudo nmap -sV --script vuln 192.168.1.10
```
Scan Speed vs Accuracy
```bash
# Timing templates (T0=paranoid, T1=sneaky, T3=normal, T5=insane)
nmap -T1 192.168.1.10 # sneaky, very slow, IDS evasion
nmap -T3 192.168.1.10 # normal (default)
nmap -T4 192.168.1.10 # aggressive — good for fast LAN scans
nmap -T5 192.168.1.10 # insane — may miss results on slow networks
# Fine-grained timing control
nmap --min-rate 1000 --max-rate 5000 192.168.1.10
nmap --min-parallelism 10 --max-retries 2 192.168.1.10
```
Firewall and IDS Evasion
```bash
# Fragment packets (bypass simple packet inspection)
sudo nmap -f 192.168.1.10
sudo nmap --mtu 24 192.168.1.10 # custom MTU (must be multiple of 8)
# Decoy scanning — send spoofed packets from fake IPs
sudo nmap -D RND:10 192.168.1.10 # 10 random decoys
sudo nmap -D 10.0.0.1,10.0.0.2,ME 192.168.1.10 # specific decoys + real IP
# Source port manipulation
sudo nmap --source-port 53 192.168.1.10 # appears as DNS traffic
sudo nmap --source-port 80 192.168.1.10 # appears as HTTP traffic
# Slow scan to evade rate-based IDS
sudo nmap -T1 --max-retries 1 192.168.1.10
# Spoof source IP (you won't receive responses — useful for SYN flood checks)
sudo nmap -S SPOOFED-IP -e eth0 192.168.1.10
# Idle/zombie scan — completely blind, uses a third-party "zombie" host
sudo nmap -sI ZOMBIE-IP 192.168.1.10
```
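To see what the timing and source-port tricks above look like from the monitoring side, here is an added example that is not part of the original page: a small Python detector run over constructed connection records. It applies the sliding-window distinct-port count that a simple rate-based IDS rule uses, which catches a T4-style burst but not T1-style probes spaced 15 seconds apart, and separately flags initial TCP SYNs arriving from source port 53 or 80, which legitimate clients almost never use. The flow record layout, the sample traffic, the 60-second window and the threshold of 10 ports are all assumptions for illustration.

```python
from collections import Counter, defaultdict, namedtuple

# Constructed flow record: one line per observed packet/connection attempt.
# flags is a string of TCP flag letters, so "S" = initial SYN, "SA" = SYN-ACK.
Flow = namedtuple("Flow", "ts src dst sport dport proto flags")


def build_sample_flows():
    """Constructed sample traffic (not captured data)."""
    flows = []
    # T4-style burst: 25 SYNs to distinct ports within two seconds
    for i in range(25):
        flows.append(Flow(1000.0 + i * 0.08, "10.0.0.5", "192.168.1.10",
                          40000 + i, 1 + i, "tcp", "S"))
    # T1-style slow probe: 25 SYNs to distinct ports, 15 seconds apart
    for i in range(25):
        flows.append(Flow(2000.0 + i * 15, "10.0.0.6", "192.168.1.10",
                          41000 + i, 1 + i, "tcp", "S"))
    # --source-port 53 trick: initial TCP SYN from port 53 to SMB
    flows.append(Flow(3000.0, "10.0.0.7", "192.168.1.10", 53, 445, "tcp", "S"))
    # Legitimate DNS reply: UDP from port 53 to an ephemeral port
    flows.append(Flow(3001.0, "192.168.1.1", "192.168.1.10", 53, 51234, "udp", ""))
    return flows


def detect_port_scans(flows, window_s=60.0, threshold=10):
    """Return {(src, dst): peak_distinct_ports} for every source/destination
    pair whose initial SYNs reached `threshold` distinct destination ports
    inside any `window_s`-second window. This is the rule shape a rate-based
    IDS uses, which is exactly what -T1 spacing is designed to stay under."""
    by_pair = defaultdict(list)
    for f in flows:
        if f.proto == "tcp" and f.flags == "S":
            by_pair[(f.src, f.dst)].append(f)

    alerts = {}
    for pair, fl in by_pair.items():
        fl.sort(key=lambda f: f.ts)
        in_window = Counter()  # dport -> SYNs currently inside the window
        left = 0
        peak = 0
        for f in fl:
            in_window[f.dport] += 1
            # Slide the left edge so the window never spans more than window_s
            while f.ts - fl[left].ts > window_s:
                old = fl[left].dport
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= threshold:
            alerts[pair] = peak
    return alerts


def flag_source_port_abuse(flows, service_ports=(53, 80)):
    """Initial TCP SYNs (not SYN-ACKs) whose *source* port is a well-known
    service port. Real clients use ephemeral source ports, so these are a
    strong hint of --source-port use against permissive firewall rules."""
    return [(f.src, f.dst, f.sport, f.dport)
            for f in flows
            if f.proto == "tcp" and f.flags == "S" and f.sport in service_ports]


if __name__ == "__main__":
    sample = build_sample_flows()
    for (src, dst), ports in detect_port_scans(sample).items():
        print(f"port scan: {src} -> {dst}, {ports} distinct ports in one window")
    for src, dst, sport, dport in flag_source_port_abuse(sample):
        print(f"service source port: {src}:{sport} -> {dst}:{dport}")
```

Only the burst source is reported as a scan; the slow source never shows more than five distinct ports inside one window, which is why the page recommends -T1 against rate-based sensors and why defenders pair such rules with longer-horizon counters. The UDP reply from port 53 is not flagged because the source-port check is restricted to initial TCP SYNs.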
Output Formats
```bash
# Normal text output
nmap -oN scan.txt 192.168.1.0/24
# XML output (for import into Metasploit, tools, etc.)
nmap -oX scan.xml 192.168.1.0/24
# Grepable format
nmap -oG scan.gnmap 192.168.1.0/24
# All formats simultaneously
nmap -oA scan_results 192.168.1.0/24
# Parse grepable output for open ports (port/proto across all hosts;
# gnmap entries look like "22/open/tcp//ssh///" separated by ", ")
grep "Ports:" scan.gnmap | awk -F'Ports: ' '{print $2}' | tr ',' '\n' | tr -d ' ' | grep '/open/' | cut -d/ -f1,3 | sort -u
# Import XML into Metasploit (run inside msfconsole)
msf> db_import scan.xml
```
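Parsing the XML written by -oX is how scan results get into asset inventories and follow-up tooling without fragile text grepping. As an added example that is not part of the original page, the following Python script (standard library only) reads a constructed sample of nmap XML embedded inline, extracts per-host open ports with product and version, and picks out hosts whose smb2-security-mode script output says signing is not required. The hosts, services and script output in the sample are made up; the element and attribute names are those nmap actually emits.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample of `nmap -sV --script smb2-security-mode -oX` output.
# Addresses, banners and script output are invented for illustration.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV --script smb2-security-mode -oX scan.xml 192.168.1.0/24">
  <host>
    <status state="up" reason="syn-ack"/>
    <address addr="192.168.1.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="8.9p1" conf="10"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack"/>
        <service name="http" product="nginx" version="1.18.0" conf="10"/>
      </port>
      <port protocol="tcp" portid="443">
        <state state="filtered" reason="no-response"/>
      </port>
    </ports>
  </host>
  <host>
    <status state="up" reason="echo-reply"/>
    <address addr="192.168.1.20" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="445">
        <state state="open" reason="syn-ack"/>
        <service name="microsoft-ds" conf="3"/>
        <script id="smb2-security-mode" output="Message signing enabled but not required"/>
      </port>
    </ports>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="192.168.1.30" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return one record per scanned port on every host that was up."""
    root = ET.fromstring(xml_text)
    records = []
    for host in root.findall("host"):
        if host.find("status").get("state") != "up":
            continue  # down hosts carry no <ports> element worth reading
        addr = host.find("address[@addrtype='ipv4']").get("addr")
        ports = host.find("ports")
        if ports is None:
            continue
        for port in ports.findall("port"):
            svc = port.find("service")  # absent when no service was probed
            records.append({
                "host": addr,
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "state": port.find("state").get("state"),
                "service": svc.get("name", "") if svc is not None else "",
                "product": svc.get("product", "") if svc is not None else "",
                "version": svc.get("version", "") if svc is not None else "",
                # NSE results attach as <script id=... output=...> under <port>
                "scripts": {s.get("id"): s.get("output", "")
                            for s in port.findall("script")},
            })
    return records


def open_ports_by_host(records):
    """Map each host to its open ports as 'port/proto', sorted numerically."""
    by_host = defaultdict(list)
    for r in sorted(records, key=lambda r: (r["host"], r["proto"], r["port"])):
        if r["state"] == "open":
            by_host[r["host"]].append(f"{r['port']}/{r['proto']}")
    return dict(by_host)


def hosts_with_script_output(records, script_id, needle):
    """Hosts whose output for `script_id` contains `needle`, e.g. the
    'not required' wording smb2-security-mode uses for unenforced signing."""
    return sorted({r["host"] for r in records
                   if needle in r["scripts"].get(script_id, "")})


if __name__ == "__main__":
    recs = parse_nmap_xml(SAMPLE_XML)
    for host, ports in open_ports_by_host(recs).items():
        print(host, ", ".join(ports))
    print("SMB signing not required:",
          hosts_with_script_output(recs, "smb2-security-mode", "not required"))
```

Feed it a real file with `parse_nmap_xml(open("scan.xml").read())`. Filtering on `state == "open"` matters because -sU and firewalled TCP ports produce `filtered` and `open|filtered` entries that should not be treated as confirmed services.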
Combine nmap with the Network Recon Tool for automated port discovery and service fingerprinting. For DNS-based discovery before port scanning, see our DNS Enumeration guide. After identifying SMB services, follow up with the SMB Exploitation Guide.