Nmap Mastery: Advanced Scanning, NSE Scripts and IDS Evasion Techniques

Complete Nmap mastery guide — scan types, timing, OS detection, NSE script categories, output formats, firewall evasion with fragmentation, decoys and source port spoofing.

lazyhackers
Mar 27, 2026 · 14 min read · 37 views

Nmap (Network Mapper) is the most widely deployed network reconnaissance tool in existence, used by security professionals, system administrators, and adversaries alike. First released in 1997 and continuously developed since, Nmap's depth goes far beyond simple port scanning — it encompasses service version detection, operating system fingerprinting, scriptable interaction with services via the Nmap Scripting Engine (NSE), and sophisticated firewall and IDS evasion capabilities. This guide covers Nmap from a professional penetration testing perspective.

Scan Type Reference

TCP Scan Types

Flag  Type               Root  Description
-sS   TCP SYN (stealth)  yes   Sends SYN, never completes the handshake. Fastest and most popular.
-sT   TCP Connect        no    Full three-way handshake via the OS connect() call. Logged by the target.
-sA   TCP ACK            yes   Maps firewall rules: not for port state, but for filtering detection.
-sW   TCP Window         yes   Like the ACK scan, but uses the TCP window size to identify open ports on some OSes.
-sM   Maimon             yes   FIN/ACK probe; works on some BSD-derived systems.
-sF   FIN                yes   Sends a FIN packet. No response = open|filtered, RST = closed.
-sX   Xmas               yes   Sets the FIN, PSH and URG flags. Same interpretation as FIN.
-sN   Null               yes   No flags set. Same interpretation. Evades some stateless firewalls.

Other Scan Types

# UDP scan (slow but critical — many services use UDP)
nmap -sU target.com

# SCTP INIT scan
nmap -sY target.com

# IP protocol scan (find which IP protocols are supported)
nmap -sO target.com

# Ping scan only (host discovery, no port scan)
nmap -sn 192.168.1.0/24

# No ping (assume host is up — bypass host discovery)
nmap -Pn target.com

# Combined TCP and UDP
nmap -sS -sU -p T:80,443,U:53,161 target.com

Host Discovery Techniques

# Default discovery (as root): ICMP echo, TCP SYN to 443, TCP ACK to 80, ICMP timestamp request
nmap -sn 192.168.1.0/24

# TCP SYN to port 443 for host discovery (bypasses ICMP blocks)
nmap -sn -PS443 192.168.1.0/24

# TCP ACK to port 80 (bypasses stateless firewalls)
nmap -sn -PA80 192.168.1.0/24

# UDP discovery
nmap -sn -PU53 192.168.1.0/24

# ICMP only
nmap -sn -PE 192.168.1.0/24    # echo
nmap -sn -PP 192.168.1.0/24    # timestamp
nmap -sn -PM 192.168.1.0/24    # address mask

# ARP scan (fastest on local network, requires root)
nmap -sn --send-eth -PR 192.168.1.0/24

# No ping — scan all targets regardless of ping response
nmap -Pn 192.168.1.0/24

# Discovery from file
nmap -sn -iL hosts.txt

Port Specification

# Specific ports
nmap -p 22,80,443,3306 target.com

# Port range
nmap -p 1-1000 target.com

# All ports (1-65535)
nmap -p- target.com
nmap -p 0-65535 target.com

# Top N most common ports
nmap --top-ports 100 target.com
nmap --top-ports 1000 target.com

# Default: top 1000 ports

# Service-based port selection (names come from nmap-services; SMB is listed as microsoft-ds)
nmap -p http,https,microsoft-ds target.com

# TCP only, UDP only, both
nmap -p T:80,443 target.com
nmap -p U:53,161 target.com
nmap -p T:80,U:53 target.com

# Exclude ports
nmap -p 1-65535 --exclude-ports 8080 target.com

Service Version and OS Detection

# Service version detection
nmap -sV target.com

# Intensity levels (0-9)
nmap -sV --version-intensity 9 target.com  # maximum probing
nmap -sV --version-light target.com        # quick, less accurate (intensity 2)
nmap -sV --version-all target.com          # try all probes (intensity 9)

# OS detection (requires root)
nmap -O target.com
nmap -O --osscan-guess target.com          # more aggressive guessing
nmap -O --osscan-limit target.com          # only fingerprint hosts with at least one open and one closed TCP port

# Combined: aggressive scan
nmap -A target.com
# Equivalent to: -sV -O --traceroute --script=default

# OS + version + scripts + traceroute
nmap -sV -O --traceroute -sC target.com

Timing and Performance

# Timing templates (-T0 to -T5)
nmap -T0 target.com   # Paranoid  (5 min between probes)  — IDS evasion
nmap -T1 target.com   # Sneaky    (15 sec between probes) — IDS evasion
nmap -T2 target.com   # Polite    (0.4 sec between probes)
nmap -T3 target.com   # Normal    (default)
nmap -T4 target.com   # Aggressive (faster, assumes reliable network)
nmap -T5 target.com   # Insane    (very fast, may miss results)

# Fine-grained timing control
nmap --min-rate 1000 target.com          # send at least 1000 packets/sec
nmap --max-rate 500 target.com           # send at most 500 packets/sec
nmap --min-parallelism 100 target.com    # at least 100 parallel probes
nmap --max-parallelism 50 target.com     # at most 50 parallel probes
nmap --host-timeout 30m target.com       # 30 minute host timeout
nmap --scan-delay 1s target.com          # 1 second between probes

# For large network sweeps
nmap -sn --min-hostgroup 256 --min-parallelism 1024 192.168.0.0/16

Nmap Scripting Engine (NSE)

NSE extends Nmap's capabilities dramatically. Scripts are written in Lua and cover vulnerability detection, authentication testing, discovery, brute force, and more. NSE scripts live in /usr/share/nmap/scripts/.

Script Categories

Category   Risk         Purpose
auth       Medium       Authentication bypass and default-credential testing
broadcast  Low          Discover services via broadcast
brute      High         Brute-force credentials
default    Low          Safe, fast scripts run with -sC
discovery  Low-Medium   Active service interrogation
dos        Very High    Denial-of-service testing
exploit    High         Exploit known vulnerabilities
external   Medium       Queries external resources
fuzzer     High         Fuzz input to discover bugs
intrusive  High         May crash services or trigger alarms
malware    Low          Detect malware and backdoors
safe       Low          No harmful side effects
version    Low          Service version detection
vuln       Medium-High  Vulnerability detection

Running NSE Scripts

# Default scripts (-sC is equivalent to --script=default)
nmap -sC target.com
nmap --script=default target.com

# Specific category
nmap --script=vuln target.com
nmap --script=auth target.com
nmap --script=discovery target.com

# Specific scripts
nmap --script=http-title,http-headers,http-methods target.com
nmap --script=smb-vuln-ms17-010 target.com

# Multiple scripts by pattern
nmap --script="http-*" target.com
nmap --script="smb-*" target.com

# Script with arguments
nmap --script=http-brute --script-args userdb=/tmp/users.txt,passdb=/tmp/pass.txt target.com

# Script categories combined
nmap --script="default,safe,vuln" target.com

# Update NSE script database
nmap --script-updatedb

High-Value NSE Scripts for Penetration Testing

# SMB vulnerabilities (critical — EternalBlue/WannaCry)
nmap --script=smb-vuln-ms17-010 -p 445 192.168.1.0/24
nmap --script=smb-vuln-ms08-067 -p 445 target.com
nmap --script=smb-vuln-cve-2020-0796 -p 445 target.com   # SMBGhost

# SMB enumeration
nmap --script=smb-enum-users,smb-enum-shares,smb-enum-sessions -p 445 target.com
nmap --script=smb-os-discovery -p 445 target.com

# HTTP discovery
nmap --script=http-title,http-headers,http-methods,http-auth-finder -p 80,443,8080 target.com
nmap --script=http-vhosts --script-args http-vhosts.domain=target.com -p 80 target.com
nmap --script=http-shellshock --script-args uri=/cgi-bin/test.sh -p 80 target.com
nmap --script=http-wordpress-enum target.com

# SSL/TLS analysis
nmap --script=ssl-enum-ciphers -p 443 target.com
nmap --script=ssl-heartbleed -p 443 target.com   # Heartbleed
nmap --script=ssl-poodle -p 443 target.com       # POODLE

# FTP
nmap --script=ftp-anon,ftp-bounce,ftp-vuln-cve2010-4221 -p 21 target.com

# SSH
nmap --script=ssh-auth-methods,ssh-hostkey,ssh2-enum-algos -p 22 target.com

# DNS
nmap --script=dns-zone-transfer,dns-recursion,dns-brute --script-args dns-brute.domain=target.com -p 53 target.com

# SNMP
nmap --script=snmp-info,snmp-sysdescr,snmp-interfaces -p 161 -sU target.com

# MySQL/MSSQL
nmap --script=mysql-info,mysql-empty-password,mysql-enum -p 3306 target.com
nmap --script=ms-sql-info,ms-sql-empty-password -p 1433 target.com

# Vulnerabilities on all ports
nmap --script=vuln -sV -p- target.com

Output Formats

# Normal output (default, human-readable)
nmap target.com

# XML output (parse with tools, import to Metasploit)
nmap -oX output.xml target.com

# Grepable output (simple, machine-parseable)
nmap -oG output.gnmap target.com

# All three formats at once
nmap -oA output_basename target.com
# Creates: output_basename.nmap, output_basename.xml, output_basename.gnmap

# Verbose output
nmap -v target.com     # verbose
nmap -vv target.com    # very verbose
nmap -d target.com     # debug level 1
nmap -dd target.com    # debug level 2

# Append to existing output
nmap --append-output -oA existing_file target2.com

# Convert XML to HTML report
xsltproc output.xml -o output.html

# Parse grepable output
grep 'open' output.gnmap | awk '{print $2}'  # extract IPs with open ports
grep 'open' output.gnmap | grep '80/open'     # hosts with port 80 open

Firewall and IDS Evasion

Real-world networks deploy intrusion detection systems, firewalls, and security monitoring. Nmap provides multiple techniques to reduce scan visibility and bypass filtering.

Only use evasion techniques during authorized penetration tests. Unauthorized port scanning or IDS evasion is illegal in most jurisdictions. Always ensure you have written authorization before conducting scans.

Packet Fragmentation

# Fragment TCP header into 8-byte chunks
nmap -f target.com

# Double fragmentation (16-byte fragments)
nmap -ff target.com

# Custom fragment size (multiple of 8)
nmap --mtu 24 target.com

# Why it works: some packet filters and IDS sensors inspect each IP fragment on its own
# instead of reassembling first, so a TCP header split across fragments can slip past
# signature matching. Inspectors that reassemble before matching still see the whole packet.

Decoy Scanning

# Use decoy IPs to obscure real source
nmap -D 10.0.0.1,10.0.0.2,10.0.0.3 target.com

# Mix real IP among decoys (ME = your real IP)
nmap -D 10.0.0.1,ME,10.0.0.2 target.com

# Random decoys
nmap -D RND:10 target.com   # 10 random decoy IPs

# Note: decoys should be live hosts. Every probe is sent once per decoy address, so dead
# decoys just SYN-flood the target, and a monitoring team can pick out the one source that
# is actually up.

# Full decoy scan
nmap -sS -D RND:15 -f --data-length 200 target.com

Source Port Manipulation

# Spoof source port to bypass port-based firewall rules
# Many firewalls allow traffic from port 53 (DNS) or 80 (HTTP)
nmap --source-port 53 target.com
nmap -g 80 target.com        # same as --source-port

# TCP scan using source port 88 (Kerberos — often allowed internally)
nmap -sS -g 88 -p 1-1024 target.com

# DNS source port to bypass firewalls allowing DNS responses
nmap -g 53 -sU -p 53 target.com

Timing and Randomization

# Randomize target order (less predictable scan pattern)
nmap --randomize-hosts 192.168.1.0/24

# Slow scan to stay under IDS thresholds
nmap -T1 --scan-delay 5s --max-parallelism 1 target.com

# Random data length (evades packet-size signatures)
nmap --data-length 50 target.com     # add 50 random bytes to each packet
nmap --data-length 200 target.com    # add 200 random bytes

# Spoof MAC address
nmap --spoof-mac 0 target.com        # random MAC
nmap --spoof-mac Cisco target.com    # Cisco vendor MAC
nmap --spoof-mac 00:11:22:33:44:55 target.com  # specific MAC

IP Spoofing and Bounce Scanning

# Idle scan (IP ID side-channel attack)
# Requires a "zombie" host with predictable IP ID sequence
# Completely hides your real IP — appears as zombie to target

# Find a suitable zombie (predictable IPID)
nmap -O --script=ipidseq 192.168.1.0/24

# Idle scan using zombie
nmap -sI zombie.host.com target.com

# Full idle scan with port specification
nmap -Pn -sI zombie.host.com:80 -p 1-1024 target.com

Specific Service Enumeration Examples

# Web server full enumeration
nmap -sV -sC --script="http-*" -p 80,443,8080,8443 target.com

# Windows domain controller
nmap -sS -sV --script=smb-os-discovery,ldap-rootdse,msrpc-enum,smb-enum-domains \
  -p 88,135,389,445,464,636,3268,3269 dc.corp.local

# Linux SSH server
nmap -sV --script=ssh2-enum-algos,ssh-auth-methods,ssh-run -p 22 target.com

# Database servers
nmap -sV --script=mysql-info,mysql-enum,mysql-databases -p 3306 target.com
nmap -sV --script=ms-sql-info,ms-sql-config,ms-sql-dac -p 1433 target.com
nmap -sV --script=oracle-enum-users --script-args oracle-enum-users.sid=ORCL -p 1521 target.com

# Network devices (SNMP)
nmap -sU --script=snmp-brute,snmp-info,snmp-interfaces,snmp-processes \
  --script-args snmp-brute.communitiesdb=/usr/share/nmap/nselib/data/snmpcommunities.lst \
  -p 161 target.com

# Full assessment scan (typical pentest)
# -A already implies -sV -O -sC and --traceroute; the explicit flags are redundant but harmless
nmap -sS -sV -sC -O -A --script=vuln,safe -p- -T4 \
  --min-rate 5000 --max-retries 1 -oA full_scan target.com

For large-scope engagements, use masscan for initial fast port discovery across large IP ranges, then feed the discovered open ports into Nmap for detailed version and script scanning. Masscan can scan the entire internet in under 6 minutes:

masscan 192.168.0.0/16 -p 80,443,22,445 --rate=10000 -oG masscan.gnmap