From Wikipedia, the free encyclopedia


Nmap features include:

  • Host discovery - Identifying hosts on a network. For example, listing the hosts which respond to pings or have a particular port open.
  • Port scanning - Enumerating the open ports on one or more target hosts.
  • Version detection - Interrogating the network services listening on remote devices to determine the application name and version number.[1]
  • OS detection - Remotely determining the operating system and hardware characteristics of network devices.
  • Scriptable interaction with the target - Using the Nmap Scripting Engine (NSE) and the Lua programming language, customized queries can be made against targets.

In addition to these, Nmap can provide further information on targets, including reverse DNS names, device types, and MAC addresses.[2]


Host Discovery

Host discovery typically represents the first step in network scanning. Nmap provides a number of different facilities to achieve this, ranging from no host discovery, to only discovering the hostnames of devices, and all the way up to checking multiple protocols and ports to see if a host is online.

As mentioned above, it is not always necessary during network scanning to probe whether a host is online. This is particularly true when performing what is known as a list scan.[3] The goal of this scan is to list the addresses that would be targeted without performing any scanning activity against the listed hosts, and unless disabled it also performs a reverse DNS look-up for the hostnames of the listed addresses. So it is not necessary to determine whether the listed hosts are actually online.

In some cases of network scanning, this bulk retrieval of hostnames is all that is needed.

Nmap offers a variety of methods to determine whether the scan targets are online. By default it uses ICMP echo requests, ICMP timestamp requests, TCP SYNs to port 443, and TCP ACKs to port 80 to check whether a host is online[4]. If the scan targets are on the local subnet, Address Resolution Protocol (ARP) or Neighbor Discovery Protocol (NDP) scans are used as well, depending on whether the targets are Internet Protocol version 4 (IPv4) or Internet Protocol version 6 (IPv6) addresses. The defaults are sane for basic scanning purposes, but are best suited to discovering hosts on local subnets or hosts that are running web servers.
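As an added illustration from the defender's side (not from the Wikipedia article or the Nmap project), the following Python looks for the default probe set described above in constructed firewall log lines: one source sending an ICMP echo request, an ICMP timestamp request, a TCP SYN to port 443 and a TCP ACK to port 80 to the same destination within a short window. The log format, addresses and the three-of-four threshold are assumptions, not taken from any real device or from Nmap's documentation.

```python
import re
from collections import defaultdict

# Constructed sample firewall log lines (not from a real device), in an
# assumed "time src dst proto detail" format. 192.0.2.10 sends all four
# default probes; 192.0.2.77 only retries a SYN to 443 and should not match.
SAMPLE_LOG = """\
10:00:01.000 192.0.2.10 198.51.100.5 ICMP type=8
10:00:01.001 192.0.2.10 198.51.100.5 TCP dport=443 flags=S
10:00:01.001 192.0.2.10 198.51.100.5 TCP dport=80 flags=A
10:00:01.002 192.0.2.10 198.51.100.5 ICMP type=13
10:00:05.000 192.0.2.77 198.51.100.5 TCP dport=443 flags=S
10:00:06.000 192.0.2.77 198.51.100.5 TCP dport=443 flags=S
"""

LINE_RE = re.compile(r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<src>\S+) (?P<dst>\S+) "
                     r"(?P<proto>ICMP|TCP) (?P<detail>.*)$")

# Labels for Nmap's four default discovery probes (ICMP type 8 = echo request,
# type 13 = timestamp request; TCP SYN to 443; TCP ACK to 80).
PROBES = {("ICMP", "type=8"): "icmp_echo", ("ICMP", "type=13"): "icmp_timestamp",
          ("TCP", "dport=443 flags=S"): "tcp_syn_443",
          ("TCP", "dport=80 flags=A"): "tcp_ack_80"}

def to_seconds(ts):
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)

def find_default_ping_sweeps(log_text, window=2.0, min_probes=3):
    """Return {(src, dst): probe labels} for source/destination pairs that saw
    at least `min_probes` distinct default probes within `window` seconds."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line, skip it
        label = PROBES.get((m["proto"], m["detail"].strip()))
        if label:
            seen[(m["src"], m["dst"])].append((to_seconds(m["ts"]), label))
    hits = {}
    for pair, events in seen.items():
        events.sort()
        for i, (t0, _) in enumerate(events):  # slide a window over each start
            labels = {lab for t, lab in events[i:] if t - t0 <= window}
            if len(labels) >= min_probes:
                hits[pair] = labels
                break
    return hits
```

Hosts that are discovered only by ARP or NDP on the local subnet will not show up in this check, since those probes never reach a firewall on a routed path.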

The host discovery feature can also be used for bulk retrieval of Domain Name System (DNS) names.

Nmap also provides the ability to change how hosts are determined to be up or down. The alternatives include other types of ICMP packets besides timestamp and echo request, User Datagram Protocol (UDP) probes, Stream Control Transmission Protocol (SCTP) probes, and raw Internet Protocol (IP) probes[4].

There are also cases during scanning where it can be necessary to treat a host as if

Port Scanning

Service/OS Detection

Scan Tuning



  1. Service and Application Version Detection.
  2. Chapter 15. Nmap Reference Guide (2011-03-25). Retrieved 2011-04-23.
  3. Host Discovery. Retrieved 2013-06-01.
  4. Host Discovery. Retrieved 2013-02-10.