Nmap

Nmap Project

The de-facto network mapper for host discovery, port scanning, OS and service detection.

Tags: Network Recon & Monitoring | Free & Open Source | CLI | Practiced in lab | Cross-platform

Cyber Kill Chain & Defender Lifecycle

Attacker — Kill Chain
1 Reconnaissance
2 Weaponization
3 Delivery
4 Exploitation
5 Installation
6 Command & Control
7 Actions on Objectives
Defender — IR Lifecycle
8 Detection / Monitoring
9 Containment & Eradication
10 Post-incident Forensics

Description

Nmap ("Network Mapper") is the most widely used network discovery and security auditing tool. A CySA+ analyst uses Nmap to enumerate live hosts, open ports, running services and OS fingerprints, and to check for known vulnerabilities via the Nmap Scripting Engine (NSE). Defenders run Nmap against their own networks to find unauthorised services, shadow IT and misconfigurations before attackers do.

Capabilities relevant to the exam:

  • Host discovery without a port scan (-sn), using ICMP, ARP (-PR) or TCP SYN (-PS) probes.
  • Stealth and full scans (-sS SYN, -sT TCP connect, -sU UDP).
  • Service/version detection (-sV) and OS fingerprinting (-O).
  • NSE scripts (--script vuln) turn Nmap into a lightweight vulnerability scanner.
  • Output formats for SIEM ingestion: -oN normal, -oX XML, -oG greppable, -oA all.

Use cases

  • Authorised internal network discovery and inventory validation
  • Detecting rogue or unauthorised hosts on the LAN
  • Service banner grabbing during incident triage
  • Verifying firewall rules and segmentation
  • Lightweight vulnerability sweeps via NSE

Example

# Aggressive scan (-A = OS detection, version detection, default NSE scripts, traceroute);
# -p- covers all 65535 TCP ports, -T4 speeds up timing; -oA writes normal, XML and greppable files
sudo nmap -A -T4 -p- 10.10.10.0/24 -oA scans/internal

# Vuln NSE category sweep on a short list of common ports against a single host
sudo nmap --script "vuln" -p 22,80,443,445,3389 10.10.10.5
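The greppable (-oG) format listed under output formats is designed to be parsed. As an added example (not code from the Nmap project), the Python below reads a constructed -oG sample, keeps only open ports, and flags any port or host absent from an approved inventory, which is the rogue-host / inventory-validation use case above. The SAMPLE_GNMAP text and the APPROVED dict are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of `nmap -sV -oG -` output (fields are tab-separated;
# each port entry is port/state/proto/owner/service/rpcinfo/version/).
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated as: nmap -sV -oG - 10.10.10.0/24
Host: 10.10.10.5 ()\tStatus: Up
Host: 10.10.10.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/open/tcp//http//nginx 1.18.0/\tIgnored State: closed (998)
Host: 10.10.10.7 ()\tPorts: 445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server///, 8080/filtered/tcp//http-proxy///\tIgnored State: closed (997)
Host: 10.10.10.9 ()\tPorts: 23/open/tcp//telnet///\tIgnored State: closed (999)
# Nmap done -- 256 IP addresses (3 hosts up) scanned
"""

# Constructed approved inventory: host -> set of (port, proto) expected to be open.
APPROVED = {
    "10.10.10.5": {(22, "tcp"), (80, "tcp")},
    "10.10.10.7": {(445, "tcp")},
}

_HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)")

def parse_gnmap(text):
    """Return {host: [(port, proto, service, version), ...]} for open ports only."""
    results = defaultdict(list)
    for line in text.splitlines():
        m = _HOST_RE.match(line)
        if not m:
            continue  # comment lines and anything that is not a Host: record
        host = m.group(1)
        for field in line.split("\t")[1:]:
            if not field.startswith("Ports:"):
                continue  # e.g. "Status: Up" or "Ignored State: ..." fields
            for entry in field[len("Ports:"):].split(","):
                parts = (entry.strip().split("/") + [""] * 7)[:7]  # pad short entries
                port, state, proto, _owner, service, _rpc, version = parts
                if state == "open":
                    results[host].append((int(port), proto, service, version))
    return dict(results)

def find_unapproved(scan, approved):
    """Flag every open port not in the inventory; a host that is absent from the
    inventory has all of its open ports flagged (a rogue host)."""
    findings = []
    for host, ports in scan.items():
        allowed = approved.get(host, set())
        for port, proto, service, _version in ports:
            if (port, proto) not in allowed:
                findings.append((host, port, proto, service))
    return findings
```

To run it against a real scan, replace SAMPLE_GNMAP with the contents of the .gnmap file that -oA writes and load APPROVED from your CMDB export.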