TECHNICAL BRIEF — ADVERSARIAL OPERATIONS & DEFENSIVE DOCTRINE
This analysis deconstructs Nmap from dual perspectives: as the attacker's opening move and as the defender's diagnostic mirror. Written for security professionals who need to understand both sides of the reconnaissance equation.

Executive Summary

Before exploit code fires, before credentials are compromised, before ransomware deploys—there is reconnaissance. This analysis argues that Nmap is not a scanning tool but the operationalized doctrine of network visibility: a four-layer intelligence platform that converts opaque networks into prioritized attack surfaces. Understanding Nmap at this depth is not optional for network security practitioners. The tool is universal, the techniques are baseline, and they are deployed against every network of consequence.

Core Thesis: The attacker who maps your network before you do owns the strategic initiative. The organization that understands its own exposure before adversaries document it operates with a structural advantage that no amount of reactive incident response can replicate.


Part I: The Architecture of Visibility

1.1 The Fundamental Information Asymmetry

The dominant security posture of most organizations rests on a dangerous assumption: obscurity as security. Change SSH to port 2222, run admin panels on port 8443, don't publish internal service documentation. This is security through obscurity—the belief that what isn't advertised isn't findable.

From an adversarial standpoint, obscurity is not protection—it is friction. And Nmap is specifically engineered to dissolve friction. A -p- scan across all 65,535 TCP ports finds SSH on port 2222 as reliably as port 22. The administrator who moved the port bought nothing except false confidence and a slightly larger command in the attacker's terminal.

The Critical Asymmetry: A trained operator can construct a complete intelligence profile of any network—service inventory, OS distribution, software versions, vulnerability exposure—in minutes to hours. The network's operator may have no awareness this profiling occurred. This asymmetry cannot be corrected through firewalls alone. Firewalls manage traffic; they cannot prevent inference of internal architecture from the observable behavior of traffic they permit.

1.2 The Four-Layer Intelligence Architecture

Nmap's true capability consists of four distinct intelligence layers, each building on the previous:

[Layer 1] Host Discovery      → What devices are reachable?
    ↓
[Layer 2] Port Enumeration    → What services are accessible?
    ↓
[Layer 3] Version Detection   → What software/versions are running?
    ↓
[Layer 4] NSE Scripting       → What vulnerabilities are exploitable?

This progression—from gross network topology to granular vulnerability assessment—is not merely a scanning routine. It is a reconnaissance doctrine. Every authorized penetration test begins here. Every sophisticated intrusion attempt begins here. The tool doesn't change. The authorization does.

1.3 What Networks Reveal: The Three Intelligence Objectives

The attacker's reconnaissance phase serves three explicit intelligence objectives:

Target Network →  [1] What is running?        (service enumeration)
               →  [2] What version is it?     (vulnerability cross-reference)
               →  [3] How is it protected?    (firewall/IDS fingerprinting)

Each layer of Nmap capability directly serves one of these objectives:

  • Host discovery answers "what is alive"
  • Port scanning answers "what is accessible"
  • Version detection answers "what is running and what version"
  • NSE scripts answer "is it exploitable?"
  • Firewall evasion answers "can I ask these questions without being caught?"

The attacker who completes this intelligence map before touching an exploit has already won a significant portion of the engagement. They know which CVEs apply, which services are likely misconfigured, which hosts are worth targeting, and which are hardened honeypots worth avoiding.


Part II: The Adversarial Workflow

2.1 Phase One — External Footprinting: Initial Triage

The first operational question for any threat actor is scope: what is reachable from the outside? Before touching the target network, a competent attacker establishes scan origin carefully—a VPS in a neutral jurisdiction, a compromised host several hops from their actual location, or Tor-routed for maximum attribution resistance.

The initial scan is deliberately conservative. The objective is not complete enumeration—it is triage. Which hosts are alive? Which ports are obviously open? The attacker avoids full -p- scans at this stage. That comes later, stealthily.

# Speed-priority triage (noisy but quick)
nmap -T4 -F 203.0.113.0/24
 
# Stealth alternative — SYN scan, polite timing, key ports
nmap -sS -T2 -p 21,22,23,25,53,80,110,143,443,445,3306,3389,8080,8443 203.0.113.0/24
 
# Many hosts block ping but answer port probes
nmap -Pn -sS -p 80,443 203.0.113.0/24

Attacker's Note: Every open port is a question: what is this, and can I use it?

2.2 Phase Two — Deep Enumeration: Intelligence Extraction

Version detection is the mechanism that converts a port number into a software version, which converts into a CVE lookup, which converts into an exploit selection. This is where reconnaissance becomes actionable intelligence.

# Version + OS detection on confirmed live hosts
nmap -sV -O -T3 203.0.113.15
 
# Aggressive detection — maximum probe intensity
nmap -A 203.0.113.15
 
# Typical result the attacker hunts for:
# PORT     STATE  SERVICE  VERSION
# 22/tcp   open   ssh      OpenSSH 7.2p2 Ubuntu    ← CVE-2016-6210: user enumeration
# 80/tcp   open   http     Apache 2.4.18          ← CVE-2017-7679: buffer overflow
# 3306/tcp open   mysql    MySQL 5.5.5            ← ancient, many unpatched vulns
# 5900/tcp open   vnc      VNC (protocol 3.8)     ← often no auth required

The version string OpenSSH 7.2p2 is not just information. It is a key. The attacker cross-references it against CVE databases and finds a user enumeration vulnerability—not a direct shell, but an intelligence multiplier. They can now enumerate valid usernames, which feeds directly into credential attack phases.

2.3 Phase Three — NSE: Automated Vulnerability Surface Mapping

Nmap Scripting Engine (NSE) is where reconnaissance becomes weaponized intelligence gathering. Over 600 scripts exist—many explicitly designed for vulnerability confirmation, misconfiguration detection, and exploitation surface mapping.

# Broad vulnerability sweep
nmap --script vuln -sV 203.0.113.15
 
# SMB exploitation surface
nmap --script=smb-vuln-ms17-010,smb-enum-shares,smb-enum-users -p 445 203.0.113.0/24
 
# Web attack surface
nmap --script=http-enum,http-default-accounts,http-shellshock -p 80,443,8080 203.0.113.15
 
# SSL/TLS audit
nmap --script=ssl-enum-ciphers,ssl-heartbleed -p 443 203.0.113.15
 
# Database exposure
nmap --script=mysql-empty-password,pgsql-brute -p 3306,5432 203.0.113.15

Critical Understanding: Each NSE script returns not just "service present" but "service exploitable through X vector." The attacker doesn't guess—they confirm before exploitation.

2.4 Phase Four — Evasion: Operating Below Detection Thresholds

Sophisticated actors don't scan carelessly. They scan with operational discipline:

# Slow, fragmented, randomized (IDS evasion)
nmap -sS -T1 -f --randomize-hosts 203.0.113.0/24
 
# Paranoid timing + decoy sources
nmap -T0 -D decoy1,decoy2,decoy3,ME 203.0.113.0/24
 
# Zombie/idle scan (no source attribution)
nmap -sI zombie_host 203.0.113.15
 
# Source port spoofing (bypass port-based filtering)
nmap --source-port 53 203.0.113.15
 
# Fragmentation + data padding
nmap -f --data-length 200 --randomize-hosts 203.0.113.0/24

Timing Philosophy:

  • -T0 (Paranoid): 5-minute delays between probes—designed to evade rate-based IDS
  • -T1 (Sneaky): 15-second delays—slow enough to avoid thresholds
  • -T2 (Polite): .4-second delays—balanced stealth/speed
  • -T3 (Normal): Default—assumes no IDS evasion needed
  • -T4 (Aggressive): Fast LANs, time-constrained scenarios
  • -T5 (Insane): Speed above all—generates obvious signatures

Defender's Insight: If someone has been running -T1 fragmented scans against your network for three weeks, would you know? Most evidence expires from log storage before anyone correlates it.


Part III: The Mechanics — How Nmap Actually Works

3.1 Host Discovery: Four Methods, Different Detection Surfaces

MethodFlagMechanismDefensive Consideration
ICMP Echo-PEEcho Request → Echo ReplyBlocked by most perimeter firewalls
ARP Scan-PRLayer 2 (Data Link)Cannot be firewalled on local subnets—definitive
TCP SYN-PSSYN to port → any response confirms aliveBypasses ICMP filtering
TCP ACK-PAACK packet → RST confirms existenceBypasses SYN-filtering firewalls
# Disable port scan—host discovery only
nmap -sn 10.10.10.0/24
 
# ARP discovery (local network)
nmap -PR -sn 192.168.1.0/24
 
# TCP SYN discovery on HTTPS (bypasses ICMP blocks)
nmap -PS443 -sn 10.0.0.0/16
 
# Skip discovery entirely—assume all hosts alive
nmap -Pn 10.10.10.10

3.2 Scan Types: The Taxonomy of Port Interrogation

Scan TypeFlagMechanismStealth LevelDetection Surface
SYN Stealth-sSHalf-open scan—never completes handshakeHighNot logged by most applications
TCP Connect-sTFull three-way handshakeLowLogged by target applications
UDP-sUSends UDP packets; closed ports return ICMP unreachableMediumSlow, often filtered
ACK-sASends ACK packets—firewall rule mappingHighUsed for firewall fingerprinting
FIN-sFSends FIN—closed ports return RSTHighEvades some stateless firewalls
Xmas-sXFIN+PSH+URG set—"Christmas tree" packetHighSame as FIN scan
Null-sNNo flags setHighSame as FIN scan
# Standard stealth scan (requires root)
nmap -sS target
 
# Non-privileged alternative
nmap -sT target
 
# UDP scan (critical services: DNS, DHCP, SNMP)
nmap -sU -p 53,67,161,500 target
 
# Firewall rule mapping
nmap -sA target
 
# Evasion scan types
nmap -sF target  # FIN scan
nmap -sX target  # Xmas scan
nmap -sN target  # Null scan

3.3 Version Detection: The Vulnerability Cross-Reference Engine

Version detection (-sV) is where port numbers become CVE lookups. Nmap maintains an extensive database of service probes—specific queries sent to services to elicit version-identifying responses.

# Standard version detection
nmap -sV 10.10.10.50
 
# Maximum intensity (more probes, higher accuracy)
nmap -sV --version-intensity 9 10.10.10.50
 
# Version detection + OS fingerprinting
nmap -sV -O 10.10.10.50
 
# Aggressive mode (version + OS + scripts + traceroute)
nmap -A 10.10.10.50

Output Analysis:

PORT     STATE SERVICE  VERSION
22/tcp   open  ssh      OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http     Apache httpd 2.4.18 ((Ubuntu))
3306/tcp open  mysql    MySQL 5.7.20-0ubuntu0.16.04.1

From this output, the attacker immediately searches:

  • OpenSSH 7.2p2 CVE → CVE-2016-6210 (user enumeration)
  • Apache 2.4.18 CVE → CVE-2017-7679 (buffer overflow)
  • MySQL 5.7.20 CVE → Multiple privilege escalation vectors

3.4 OS Fingerprinting: Stack Behavior as Identity

OS fingerprinting exploits subtle differences in TCP/IP stack implementations. Each OS responds to malformed packets, edge cases, and protocol violations slightly differently. Nmap sends these unusual probes and analyzes response patterns.

# OS detection
nmap -O 10.10.10.50
 
# Aggressive OS detection
nmap -O --osscan-guess 10.10.10.50
 
# Typical output:
# OS details: Linux 4.4 - 4.9
# Network Distance: 2 hops

Defensive Consideration: OS fingerprinting is detectable through unusual packet patterns—malformed flags, unusual window sizes, atypical TTL values. Modern NDR platforms can identify these signatures.


Part IV: NSE — The Weaponized Intelligence Layer

4.1 NSE Architecture: Lua-Based Extensibility

The Nmap Scripting Engine (NSE) transforms Nmap from a scanner into a programmable reconnaissance platform. Over 600 scripts exist across multiple categories:

  • auth — Authentication testing, credential attacks
  • broadcast — Network discovery via broadcast/multicast
  • brute — Brute-force credential attacks
  • default — Default safe scripts (-sC)
  • discovery — Service/network discovery beyond standard scanning
  • dos — Denial-of-service testing (use with extreme caution)
  • exploit — Actual exploitation (authorization required)
  • external — Queries external databases (Whois, Shodan, VirusTotal)
  • fuzzer — Sends unexpected input to detect crashes
  • intrusive — Likely to crash services or trigger alerts
  • malware — Malware detection
  • safe — Unlikely to affect target
  • version — Extended version detection
  • vuln — Vulnerability detection

4.2 Essential NSE Scripts for Reconnaissance

# Default safe scripts (recommended starting point)
nmap -sC 10.10.10.50
 
# Vulnerability assessment sweep
nmap --script vuln 10.10.10.50
 
# SMB vulnerability surface
nmap --script smb-vuln-* -p 445 10.10.10.0/24
nmap --script smb-enum-shares,smb-enum-users -p 445 10.10.10.50
nmap --script smb-security-mode -p 445 10.10.10.50
 
# Web application enumeration
nmap --script http-enum -p 80,443,8080 10.10.10.50
nmap --script http-title,http-headers -p 80,443 10.10.10.50
nmap --script http-default-accounts -p 80,443,8080 10.10.10.50
nmap --script http-shellshock -p 80,443 10.10.10.50
 
# SSL/TLS analysis
nmap --script ssl-enum-ciphers -p 443 10.10.10.50
nmap --script ssl-heartbleed -p 443 10.10.10.50
nmap --script ssl-cert -p 443 10.10.10.50
 
# Database exposure
nmap --script mysql-empty-password -p 3306 10.10.10.50
nmap --script pgsql-brute -p 5432 10.10.10.50
nmap --script mongodb-databases -p 27017 10.10.10.50
 
# DNS reconnaissance
nmap --script dns-brute domain.com
nmap --script dns-zone-transfer -p 53 ns.domain.com
 
# Authentication testing
nmap --script ssh-auth-methods -p 22 10.10.10.50
nmap --script ftp-anon -p 21 10.10.10.50
nmap --script smtp-enum-users -p 25 10.10.10.50

4.3 Case Study: MS17-010 (EternalBlue) Discovery

The EternalBlue vulnerability—weaponized by WannaCry ransomware in 2017—exploited a flaw in Windows SMB protocol. Before exploitation comes discovery.

# Identify EternalBlue-vulnerable hosts across subnet
nmap --script smb-vuln-ms17-010 -p 445 192.168.1.0/24
 
# Typical vulnerable output:
# Host: 192.168.1.45 | Port 445: open
# | smb-vuln-ms17-010:
# |   VULNERABLE: Remote Code Execution in Microsoft SMBv1
# |     State: VULNERABLE
# |     Risk: HIGH  CVSSv3: 8.1
# |_    References: https://technet.microsoft.com/security/ms17-010.aspx

The 2017 campaigns that caused $4–8 billion in global damages began exactly this way: mass scanning, automated identification of vulnerable SMB services, systematic exploitation. This is not academic—this is the defensive baseline.


Part V: Integration with Exploitation Frameworks

5.1 Metasploit Integration: From Reconnaissance to Exploitation

Nmap's XML output integrates directly with Metasploit, converting reconnaissance data into actionable exploitation targets.

# Generate XML output for Metasploit import
nmap -sS -sV -O -p- -oX full_recon.xml 10.10.10.0/24
 
# Import into Metasploit
msf6> db_import full_recon.xml
msf6> hosts
msf6> services
msf6> vulns
 
# Automatic exploitation workflow
msf6> db_autopwn -t -e -p 10.10.10.50

Attacker's Workflow:

  1. Nmap reconnaissance identifies services and versions
  2. XML export structures the data
  3. Metasploit import creates target database
  4. Automated matching between services and exploits
  5. Exploitation executes against pre-validated targets

Every open port with a known vulnerable version becomes a queued exploit. Every misconfigured service becomes a queued credential test. The attacker's next action isn't guesswork—it's execution against a pre-validated target list.

5.2 Output Formats: Structured Intelligence

# Normal text output (human-readable)
nmap -oN scan_results.txt 10.10.10.50
 
# XML output (machine-readable, Metasploit-compatible)
nmap -oX scan_results.xml 10.10.10.50
 
# Grepable output (single-line per host, scriptable)
nmap -oG scan_results.grep 10.10.10.50
 
# All formats simultaneously
nmap -oA complete_scan 10.10.10.50
 
# Append to existing file
nmap -oN scan_results.txt --append-output 10.10.10.51

Part VI: Detection and Defensive Countermeasures

6.1 What the Attacker Fears: Detection Surfaces

Understanding what attackers deliberately avoid reveals what defenders should monitor:

1. Rate-Based Detection

  • Surge in SYN packets from single source to multiple ports
  • Attacker mitigation: -T0/-T1 timing, source IP rotation
  • Defender strategy: Monitor for slow, distributed patterns—not just fast scans

2. Banner-Grabbing Logs

  • Version detection probes trigger connection logs
  • Series of short-lived connections from same IP across multiple services
  • Defender strategy: Correlate brief connections across services from common sources

3. NSE Script Signatures

  • Many scripts have detectable probe patterns
  • smb-vuln-ms17-010: specific malformed SMB request
  • http-enum: predictable directory probe sequence
  • Defender strategy: Signature-based IDS rules for common NSE scripts

4. Firewall State Table Anomalies

  • Half-open connections that never complete (SYN scans)
  • Unusual flag combinations (FIN, Xmas, Null scans)
  • Defender strategy: Monitor firewall logs for protocol violations

6.2 Detection Strategies for Defenders

# Log all connection attempts (iptables example)
iptables -A INPUT -j LOG --log-prefix "IPTABLES-DROPPED: "
 
# Monitor for scan signatures (example Snort rule)
alert tcp any any -> $HOME_NET any (msg:"SCAN nmap XMAS"; \
  flags:FPU; sid:1000001;)
 
# Correlation-based detection
# Look for: Same source IP, multiple destination ports, no established connections

Modern Defense Approach:

  • Traditional signature-based IDS: Limited effectiveness against timing evasion
  • Behavioral analysis (NDR platforms): Models normal traffic patterns, identifies statistical anomalies
  • Machine learning-based detection: Categorically different approach that timing tricks don't circumvent

6.3 The Defender's Scanning Doctrine

Critical Defensive Practice: Organizations should run authorized Nmap scans against their own infrastructure regularly to understand what an external observer can determine.

# External perspective audit
nmap -sS -sV -O -p- -oA external_audit public_ip_range
 
# Internal vulnerability assessment
nmap --script vuln -sV -oA internal_vuln 10.0.0.0/8
 
# Compliance checking
nmap --script=http-security-headers,ssl-enum-ciphers -p 443 webapp.company.com

The question is not whether your network can be scanned—it can. The question is whether you know what information that scan returns, and whether you've seen it before your adversary has.


Part VII: Advanced Techniques and Edge Cases

7.1 IPv6 Reconnaissance Challenges

IPv6's massive address space (2^128 addresses) makes traditional sequential scanning infeasible. However, IPv6 addresses are often predictable:

# Multicast discovery (IPv6 local network)
nmap -6 -sn ff02::1/128
 
# Scan known IPv6 addresses
nmap -6 -sS -p 80,443 2001:db8::1
 
# IPv6 neighbor discovery
nmap -6 --script=ipv6-node-info 2001:db8::/64

Reality Check: The reconnaissance doctrine for IPv6-native networks remains an open problem in security research. Address prediction, DNS enumeration, and targeted scanning replace brute-force approaches.

7.2 Firewall and NAT Traversal

# ACK scan for firewall rule mapping
nmap -sA 10.10.10.50
 
# Idle/zombie scan (no packets from your IP)
nmap -sI zombie_host 10.10.10.50
 
# FTP bounce scan (deprecated but instructive)
nmap -b ftp_relay_host target
 
# Firewall rule enumeration
nmap --script=firewalk --traceroute 10.10.10.50

7.3 The Complete Adversarial Reconnaissance Command

# Professional-grade reconnaissance sweep
nmap -sS -sV -O -sC -T2 -f -p- --randomize-hosts \
  --script=vuln,smb-enum-shares,http-enum \
  -oA full_adversarial_recon 10.10.10.0/24
 
# What this does:
# -sS          SYN stealth scan
# -sV          Version detection
# -O           OS fingerprinting
# -sC          Default NSE scripts
# -T2          Polite timing (stealth)
# -f           Fragment packets (IDS evasion)
# -p-          All 65,535 ports
# --randomize  Non-sequential host scanning
# --script     Targeted vulnerability and enumeration scripts
# -oA          All output formats

Part VIII: Strategic Implications and Systemic Consequences

8.1 The Permanent Condition of Network Exposure

From a structural analysis perspective, Nmap has achieved something unusual: it has become simultaneously the standard tool of authorized security assessment and the standard tool of unauthorized reconnaissance. This dual-use reality is not a flaw—it is the condition of all reconnaissance capability.

Operational Reality: Any network connected to the internet should be modeled as having been Nmap-scanned by unknown parties. Not as theoretical risk—as baseline operational assumption.

Projects like Shodan, Censys, and FOFA maintain continuously updated databases of internet-exposed services derived from exactly this kind of systematic scanning. Your network's exposure is already documented. The question is whether you've documented it yourself.

8.2 The Time Asymmetry Problem

By the time an organization suspects it may be under active attack, it has almost certainly already been scanned. The reconnaissance phase precedes every other phase by days, weeks, sometimes months.

An attacker patient enough to use -T0 against a high-value target will spend weeks mapping the network before touching an exploit. During those weeks, the security team's logs contain evidence—fragmented packets from rotating IPs, occasional connection attempts to unusual ports, slow SMB probes staying just below alerting thresholds.

Most evidence is never reviewed. Most is never correlated. Most expires from log storage before anyone looks.

8.3 The Defender's Critical Question

If someone has been running a -T1 fragmented Nmap scan against your network for the past three weeks, would you know?

If the answer is no or uncertain, your detection posture requires immediate reassessment.

8.4 Continuous Internet Scanning Infrastructure

Traditional "security through obscurity"—unusual ports, non-default services—is definitively invalidated. Some IP ranges are indexed by Shodan within minutes of a new service appearing.

The reconnaissance calculus has fundamentally changed:

  • Question is not: "Can I be found?"
  • Question is: "Can I respond faster to my exposed vulnerabilities than automated scanning infrastructure can index them?"

Conclusion: Reconnaissance as Permanent Condition

This analysis has argued that Nmap is not a port scanner. It is the operationalized doctrine of network visibility—a four-layer intelligence platform whose capabilities extend from gross network topology through OS fingerprinting, service identification, NSE-driven vulnerability confirmation, and structured exploitation framework integration.

Understanding Nmap at this depth is not optional for network security practitioners. The tool is universal. The techniques it implements are not exotic—they are the baseline of competent reconnaissance. They are used against every network of consequence.

From the adversarial perspective: Nmap is the first act of war—the systematic, disciplined intelligence operation that converts an unknown network into a prioritized attack surface. The scan happens. The only variable is who gets to see the results first.

From the defensive perspective: Organizations that understand this—that have run their own Nmap scans, reviewed their own exposure, modeled their own attack surface before an adversary has—operate with a structural advantage that no amount of reactive incident response can replicate.

Network reconnaissance is not a phase of an attack. It is a permanent condition of network existence—and Nmap is how that condition is made legible.


Appendix: The Complete Professional Command Reference

Host Discovery

nmap -sn 10.10.10.0/24                    # Ping sweep (ICMP+TCP+ARP)
nmap -PR -sn 192.168.1.0/24               # ARP discovery (LAN only, cannot be filtered)
nmap -PS443 -sn 10.0.0.0/16               # TCP SYN discovery on HTTPS (bypass ICMP blocks)
nmap -Pn 10.10.10.10                      # Skip discovery, assume alive
nmap -iL targets.txt                      # Scan from file

Scan Types

nmap -sS target                           # SYN stealth (default with root)
nmap -sT target                           # Full TCP connect (no root required)
nmap -sU target                           # UDP scan
nmap -sA target                           # ACK scan (firewall rule mapping)
nmap -sF target                           # FIN scan (stateless firewall evasion)
nmap -sX target                           # Xmas scan (FIN+PSH+URG)
nmap -sN target                           # Null scan (no flags set)
nmap -sI zombie target                    # Idle/zombie scan (no source attribution)

Port Specification

nmap -p 22,80,443 target                  # Specific ports
nmap -p- target                           # All 65,535 TCP ports
nmap -p 1-1024 target                     # Port range
nmap -F target                            # Fast scan (top 100 ports)
nmap -p U:53,161,T:21-25,80 target        # UDP and TCP ports combined
nmap --top-ports 1000 target              # Most common 1000 ports

Detection and Enumeration

nmap -sV target                           # Service version detection
nmap -O target                            # OS fingerprinting
nmap -A target                            # Aggressive (OS+version+scripts+traceroute)
nmap -sV --version-intensity 9 target     # Maximum version probe intensity
nmap -sV --version-all target             # Try all version probes

NSE Scripts

nmap -sC target                                       # Default safe scripts
nmap --script vuln target                             # Vulnerability assessment
nmap --script=smb-vuln-ms17-010 -p 445 target         # EternalBlue detection
nmap --script=smb-enum-shares,smb-enum-users target   # SMB enumeration
nmap --script=http-enum -p 80,443,8080 target         # Web directory enumeration
nmap --script=ssl-enum-ciphers -p 443 target          # TLS cipher audit
nmap --script=mysql-empty-password -p 3306 target     # Database credential testing
nmap --script=ssh-auth-methods -p 22 target           # SSH authentication methods
nmap --script=dns-brute domain.com                    # DNS subdomain enumeration
nmap --script=broadcast-dhcp-discover                 # DHCP discovery
nmap --script-updatedb                                # Update NSE script database

Timing and Performance

nmap -T0 target                           # Paranoid (5-min delays, IDS evasion)
nmap -T1 target                           # Sneaky (15-sec delays)
nmap -T2 target                           # Polite (.4-sec delays, recommended stealth)
nmap -T3 target                           # Normal (default)
nmap -T4 target                           # Aggressive (fast, for LANs)
nmap -T5 target                           # Insane (overwhelm target, obvious)
nmap --min-rate 100 target                # Minimum packets per second
nmap --max-rate 1000 target               # Maximum packets per second

IDS/Firewall Evasion

nmap -f target                                        # Fragment packets (8-byte fragments)
nmap -ff target                                       # Ultra-small fragments (16 bytes)
nmap -D decoy1,decoy2,decoy3,ME target                # Decoy scan (hide among noise)
nmap --source-port 53 target                          # Spoof source port (bypass port-based ACLs)
nmap --data-length 200 target                         # Append random data (evade signatures)
nmap --randomize-hosts target                         # Scan hosts in random order
nmap --spoof-mac Apple target                         # MAC address spoofing
nmap --proxies socks4://127.0.0.1:9050 target         # Proxy through Tor/SOCKS
nmap -g 53 target                                     # Set source port to 53 (DNS)
nmap --badsum target                                  # Send invalid checksums (firewall test)

Output and Reporting

nmap -oN results.txt target               # Normal text output
nmap -oX results.xml target               # XML output (Metasploit-compatible)
nmap -oG results.grep target              # Grepable output
nmap -oA full_scan target                 # All formats (Normal+XML+Grepable)
nmap -oS results.skid target              # Script kiddie format (l33t speak)
nmap -v target                            # Verbose output
nmap -d target                            # Debugging output
nmap --reason target                      # Show reason for port state
nmap --open target                        # Only show open ports
nmap --append-output target               # Append to existing output file

Advanced Reconnaissance Combinations

# Complete external footprint (balanced stealth/thoroughness)
nmap -sS -sV -O -sC -T2 -p- -oA external_recon target
 
# Aggressive internal assessment (assumes authorized LAN access)
nmap -A -T4 -p- --script vuln -oA internal_assessment 10.0.0.0/8
 
# Stealth reconnaissance (maximum evasion)
nmap -sS -T1 -f --randomize-hosts --data-length 200 \
  -D decoy1,decoy2,ME --source-port 53 -oA stealth_scan target
 
# Web application security audit
nmap -sV -p 80,443,8080,8443 \
  --script=http-enum,http-headers,http-methods,http-security-headers,\
ssl-enum-ciphers,ssl-cert -oA web_audit target
 
# Database security assessment
nmap -sV -p 1433,3306,5432,27017 \
  --script=ms-sql-info,mysql-info,pgsql-brute,mongodb-databases \
  -oA database_audit target
 
# SMB vulnerability and enumeration sweep
nmap -sS -p 445 \
  --script=smb-vuln-*,smb-enum-shares,smb-enum-users,smb-security-mode \
  -oA smb_assessment target
 
# Complete adversarial sweep (the works)
nmap -sS -sV -O -sC -T2 -f -p- --randomize-hosts \
  --script=vuln,smb-enum-shares,http-enum,ssl-enum-ciphers \
  -D decoy1,decoy2,ME -oA full_adversarial_recon target

Metasploit Integration Workflow

# Nmap reconnaissance with Metasploit-compatible XML
nmap -sS -sV -O -p- -oX recon.xml target_range
 
# Import into Metasploit
msfconsole
msf6> workspace -a project_name
msf6> db_import recon.xml
msf6> hosts
msf6> services
msf6> vulns
 
# Automatic vulnerability matching
msf6> search type:exploit platform:windows
msf6> db_autopwn -t -e -p target_ip

⚠️ CRITICAL: All techniques described in this document must only be applied to networks and systems you own or have explicit written authorization to test.

Unauthorized network scanning is illegal under:

  • Computer Fraud and Abuse Act (CFAA) — United States
  • Computer Misuse Act — United Kingdom
  • Cybercrime Act — Australia
  • Equivalent legislation worldwide

This document is written for educational purposes to help security professionals understand both offensive and defensive aspects of network reconnaissance. Understanding how attackers operate is essential for building effective defenses.

Know the attacker's playbook. Then close every chapter of it.


References:

About the Author: This analysis is presented from dual perspectives—adversarial operations doctrine and defensive reconnaissance—to provide security professionals with comprehensive understanding of network intelligence gathering. Written for practitioners who need to think like attackers to defend effectively.


Network reconnaissance is not a phase of an attack. It is a permanent condition of network existence—and Nmap is how that condition is made legible.