The Latest

Nmap Tutorial: Network Scanning From Beginner to Advanced (2026)

byPriyanshu Sahay
June 27, 2026
Nmap tutorial beginner to advanced
Nmap tutorial beginner to advanced
By HOC Team  |  Last updated: June 27, 2026  |  Category: Kali Linux · Network Scanning · Ethical Hacking  |  Read time: ~20 min

Nmap is the first tool every ethical hacker learns and the last tool they ever stop using. Whether you are running your first network scan or preparing for the OSCP exam, Nmap is the foundation everything else is built on. You cannot exploit what you cannot find — and Nmap finds everything.

This tutorial takes you from absolute zero to advanced Nmap usage. You will learn every major scan type, the essential flags that separate beginners from professionals, how to use the Nmap Scripting Engine (NSE) to automate vulnerability detection, and how to save results for your penetration test report. A complete cheatsheet is at the end. Jump to cheatsheet →

⚖️ Legal Disclaimer Only run Nmap against networks and systems you own or have explicit written permission to scan. Unauthorised network scanning is illegal in most countries. All examples use a local lab environment (Metasploitable 2, your own machines, or a TryHackMe/HackTheBox room). HOC does not condone unauthorised scanning of any kind.
📋 Table of Contents
  1. What is Nmap and why do pentesters use it?
  2. How to install Nmap
  3. Your first Nmap scan — the basics
  4. Nmap scan types explained
  5. Essential Nmap flags every hacker must know
  6. OS detection and version scanning
  7. Nmap Scripting Engine (NSE) — automate vulnerability detection
  8. Saving Nmap output for reports
  9. Firewall evasion and stealth scanning techniques
  10. Complete Nmap cheatsheet
  11. Legal practice targets
  12. Frequently asked questions
1. What is Nmap and why do pentesters use it?

Nmap (Network Mapper) is a free, open-source network discovery and security auditing tool created by Gordon Lyon (Fyodor) in 1997. It is the industry-standard tool for network scanning — used by penetration testers, sysadmins, and security researchers worldwide.

In a penetration test, Nmap answers the four most critical Phase 1 questions:

  • Which hosts are alive? — discovers every live machine on a network or subnet
  • What ports are open? — identifies which TCP and UDP ports are accepting connections
  • What services are running? — detects the software and version behind each open port
  • What OS is the target running? — fingerprints the operating system with high accuracy
💡 Why Nmap is still the #1 tool after 29 years Nothing else combines host discovery, port scanning, service detection, OS fingerprinting, and scripted vulnerability detection in a single free CLI tool. It works on Linux, Windows, and macOS. The NSE script library now contains over 600 scripts — making it a vulnerability scanner too.
2. How to install Nmap

Nmap comes pre-installed on Kali Linux. On other systems:

Kali Linux / Debian / Ubuntu
# Verify Nmap is installed on Kali nmap --version# If not installed sudo apt-get install nmap
macOS (Homebrew)
brew install nmap
Windows
# Download installer from https://nmap.org/download.html # Includes Zenmap GUI — useful for beginners # After install, open Command Prompt as Administrator: nmap --version
Verify installation
nmap --version Nmap version 7.95 ( https://nmap.org ) Platform: x86_64-pc-linux-gnu Compiled with: nmap-liblua-5.4.6 openssl-3.2.1
Pro tip: Always run Nmap as root (sudo nmap) on Linux. Many scan types — including the SYN scan — require raw socket access which only root has. Without root, Nmap silently falls back to less effective scan types.
3. Your first Nmap scan — the basics

Nmap's syntax is straightforward. You give it a target and optional flags that control what it does. Let's run your first scans.

Basic syntax
nmap [scan type] [options]
Scan a single host
Beginner
# Scan a single IP address nmap 192.168.1.10# Scan a hostname nmap scanme.nmap.orgStarting Nmap 7.95 Nmap scan report for 192.168.1.10 PORT STATE SERVICE 22/tcp open ssh 80/tcp open http 443/tcp open https 3306/tcp open mysql Nmap done: 1 IP address (1 host up) scanned in 2.34s
Note: scanme.nmap.org is a machine run by the Nmap project specifically for legal practice scanning. It is one of the only hosts on the internet you can scan without written permission.
Scan multiple targets and ranges
Beginner
# Scan multiple IPs nmap 192.168.1.1 192.168.1.10 192.168.1.20# Scan an entire /24 subnet nmap 192.168.1.0/24# Scan a range of IPs nmap 192.168.1.1-50# Scan from a target list file nmap -iL targets.txt
Pro tip: Create a targets.txt file with one IP or hostname per line. Use -iL to feed it to Nmap. This is how professional pentesters manage large scopes — never type IPs manually when you have a target list.
4. Nmap scan types explained

Nmap has multiple scan types, each working differently at the TCP/IP level. Understanding which to use — and why — is what separates a beginner from a professional.

-sS
SYN scan (-sS) — the default and stealthiest
Most used

The SYN scan (half-open scan) sends a SYN packet and waits for a response. If it receives SYN-ACK, the port is open — but Nmap immediately sends RST instead of completing the handshake. Because the connection is never fully established, it is harder for applications to log and faster than a full connect scan.

# SYN scan — requires root/sudo sudo nmap -sS 192.168.1.10# How it works: # Nmap → SYN → Target # Nmap ← SYN-ACK ← Target (port is OPEN) # Nmap → RST → Target (never completes handshake)
Pro tip: SYN scan is Nmap's default when run as root. It is the fastest and stealthiest TCP scan available. If you do not specify a scan type and run as root, Nmap automatically uses -sS.
-sT
TCP connect scan (-sT) — no root required
Beginner friendly

The TCP connect scan completes the full three-way handshake. More reliably detected by firewalls and IDS because the connection is fully established. However, it does not require root privileges — making it the default when Nmap runs as a regular user.

# TCP connect scan — works without root nmap -sT 192.168.1.10# How it works: # Nmap → SYN → Target # Nmap ← SYN-ACK ← Target # Nmap → ACK → Target (full connection established) # Nmap → RST → Target (then immediately closes it)
When to use it: Use -sT when you cannot run as root. In lab environments always use sudo nmap -sS for speed and stealth.
-sU
UDP scan (-sU) — find hidden services
Intermediate

Most beginners only scan TCP — leaving UDP services completely undiscovered. DNS (53), SNMP (161), DHCP (67/68), and TFTP (69) all run on UDP. Some of the most critical vulnerabilities in history exploited UDP services overlooked during scanning.

# Full UDP scan — slow but essential sudo nmap -sU 192.168.1.10# Combine UDP + TCP in one scan sudo nmap -sS -sU 192.168.1.10# Scan only top 20 UDP ports (much faster) sudo nmap -sU --top-ports 20 192.168.1.10
Pro tip: UDP scans are slow because UDP has no handshake — Nmap must wait for a timeout to distinguish open from filtered ports. Use --top-ports 20 to scan only the 20 most common UDP ports first. This gives you the critical services in a fraction of the time.
-sX
Stealth scans — NULL (-sN), FIN (-sF), Xmas (-sX)
Advanced

These scan types exploit an edge case in the TCP RFC — closed ports must send RST in response to packets without SYN, while open ports simply drop them. This lets you probe ports without ever sending a SYN, potentially bypassing firewalls that only filter SYN packets.

# NULL scan — sends packet with no flags set sudo nmap -sN 192.168.1.10# FIN scan — sends only the FIN flag sudo nmap -sF 192.168.1.10# Xmas scan — sets FIN, PSH, URG flags sudo nmap -sX 192.168.1.10
Important limitation: These scans do not work reliably against Windows targets. Windows always sends RST regardless of port state, making all ports appear closed. Use these only against Unix/Linux systems.
-sn
Ping scan (-sn) — discover live hosts without port scanning
Host discovery

Discovers which hosts are alive on a network without scanning any ports. The fastest way to map a live network before doing deeper scans.

# Ping sweep — find all live hosts on a /24 subnet nmap -sn 192.168.1.0/24Nmap scan report for 192.168.1.1 — Host is up (0.0012s latency) Nmap scan report for 192.168.1.5 — Host is up (0.0034s latency) Nmap scan report for 192.168.1.10 — Host is up (0.0028s latency) Nmap done: 256 IP addresses (3 hosts up) scanned in 3.12s
Pro tip: Always run a ping sweep first on large networks. Knowing which 10 hosts are alive out of 256 addresses means you only deep-scan 10 targets instead of wasting time on 246 dead IPs.
5. Essential Nmap flags every hacker must know

Flags are what make Nmap powerful. Here are the ones you will use on every engagement.

-p
Port selection — control which ports are scanned
Essential
# Scan a specific port nmap -p 80 192.168.1.10# Scan multiple specific ports nmap -p 22,80,443,3306 192.168.1.10# Scan a port range nmap -p 1-1024 192.168.1.10# Scan ALL 65535 ports — slow but thorough nmap -p- 192.168.1.10# Scan only the top 100 most common ports nmap --top-ports 100 192.168.1.10
Pro tip — two-phase scanning: First run nmap -p- --min-rate 5000 to quickly find all open ports. Then run a targeted scan only on those ports: nmap -sV -sC -p 22,80,8080 . This is significantly faster than running -sV -p- in one pass.
-T
Timing templates (-T0 to -T5) — control scan speed
Essential
# T0 — Paranoid (slowest, most stealthy — evades IDS) sudo nmap -T0 192.168.1.10# T1 — Sneaky (slow, IDS evasion) sudo nmap -T1 192.168.1.10# T2 — Polite (slower, reduces bandwidth) nmap -T2 192.168.1.10# T3 — Normal (default) nmap -T3 192.168.1.10# T4 — Aggressive (fast, ideal for local lab networks) nmap -T4 192.168.1.10# T5 — Insane (fastest, may miss open ports, very noisy) nmap -T5 192.168.1.10
Rule of thumb: Use -T4 in local labs and CTFs. Use -T2 on production systems during authorised engagements. Never use -T5 on real targets — it drops packets and produces unreliable results.
-v
Verbosity (-v, -vv) — see results live as they come in
Essential
# Verbose — shows results as they arrive (don't wait for scan to finish) nmap -v 192.168.1.10# Very verbose — more detail on what Nmap is doing nmap -vv 192.168.1.10# Debug mode — troubleshoot unexpected scan behaviour nmap -d 192.168.1.10
Pro tip: Always use at least -v on slow scans like -p- or UDP scans. Without it you stare at a blank screen. With it you see open ports immediately as they are discovered — no waiting for the whole scan to finish.
-Pn
Skipping host discovery and excluding hosts
Practical
# Skip ping check — scan hosts even if they don't respond to ICMP nmap -Pn 192.168.1.10# Exclude specific IPs from a subnet scan nmap 192.168.1.0/24 --exclude 192.168.1.1,192.168.1.2# Randomise target order — avoids sequential scan signatures nmap --randomize-hosts 192.168.1.0/24
Pro tip: Use -Pn when targets appear offline but you know they are up. Windows machines and many enterprise firewalls block ICMP ping by default — without -Pn, Nmap marks them as down and skips them entirely.
6. OS detection and version scanning

Finding open ports is just the beginning. Knowing what software and OS version is running behind those ports is what enables you to find and use the right exploits.

-sV
Service version detection (-sV)
Essential

The -sV flag probes open ports and determines the exact service name and version number. This is the most important flag for finding exploitable software versions.

nmap -sV 192.168.1.10PORT STATE SERVICE VERSION 21/tcp open ftp vsftpd 2.3.4 22/tcp open ssh OpenSSH 4.7p1 Debian 80/tcp open http Apache httpd 2.2.8 (Ubuntu) 3306/tcp open mysql MySQL 5.0.51a-3ubuntu5 5432/tcp open postgresql PostgreSQL DB 8.3.0-8.3.7
Pro tip: vsftpd 2.3.4 in the output above is a famous backdoored version — it has a Metasploit exploit (exploit/unix/ftp/vsftpd_234_backdoor) that gives instant root access. Version detection is what connects a scan result directly to a working exploit.
-O
OS fingerprinting (-O)
Intermediate

Nmap analyses how the target responds to crafted packets and compares behaviour against a database of 2,600+ OS fingerprints to identify the operating system and version.

# OS detection — requires root sudo nmap -O 192.168.1.10OS details: Linux 2.6.9 - 2.6.33 Network Distance: 1 hop OS CPE: cpe:/o:linux:linux_kernel:2.6# Force Nmap to guess even with limited info sudo nmap -O --osscan-guess 192.168.1.10
Pro tip: OS detection requires at least one open and one closed port to work accurately. If all ports are filtered, Nmap cannot fingerprint reliably. Use --osscan-guess to force a best-guess even with incomplete information.
-A
Aggressive scan (-A) — the all-in-one command
Most used

The -A flag enables OS detection, version scanning, script scanning, and traceroute all in one command. It is the most commonly used Nmap command in CTFs and professional penetration tests.

# Aggressive scan — the go-to command for CTFs and pentests sudo nmap -A -T4 192.168.1.10# -A enables: -sV + -O + -sC (default scripts) + traceroutePORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.4 (protocol 2.0) | ssh-hostkey: | 2048 8a:f8:af:27:1f (RSA) 80/tcp open http Apache httpd 2.4.6 |_http-title: Welcome to CentOS |_http-server-header: Apache/2.4.6 (CentOS) OS: Linux 3.10-4.11 (95% confidence)
Pro tip: sudo nmap -A -T4 is the single most informative Nmap command and the first one to run on any CTF box or authorised pentest target. Script output alone often reveals the exploitation path without any further research needed.
7. Nmap Scripting Engine (NSE) — automate vulnerability detection

The NSE transforms Nmap from a port scanner into a vulnerability scanner. Scripts are written in Lua and perform tasks from banner grabbing to full vulnerability checks. Kali Linux ships with 600+ NSE scripts at /usr/share/nmap/scripts/.

-sC
Default scripts (-sC) — run the essential script set
Essential
# Run default scripts nmap -sC 192.168.1.10# Combine with version detection (standard pentest combo) nmap -sV -sC 192.168.1.10
What default scripts check: Anonymous FTP login, SSH host keys, HTTP titles and headers, SSL certificate details, SMB shares, database banners, and dozens more quick wins. Running -sC frequently reveals vulnerabilities in under 60 seconds that would take hours to find manually.
--script
Running specific and category-based NSE scripts
Intermediate
# Run a specific script nmap --script http-title 192.168.1.10# Run multiple scripts nmap --script http-title,http-headers 192.168.1.10# Run all scripts in a category nmap --script vuln 192.168.1.10# Wildcard — all HTTP scripts nmap --script "http-*" 192.168.1.10# Read what a script does before running it nmap --script-help smb-vuln-ms17-010
8 highest-value NSE scripts for penetration testing
High value
# Check for EternalBlue / MS17-010 (WannaCry) — Windows SMB nmap -p 445 --script smb-vuln-ms17-010 192.168.1.10# Check for anonymous FTP login nmap -p 21 --script ftp-anon 192.168.1.10# Check for Shellshock (CVE-2014-6271) nmap -p 80 --script http-shellshock 192.168.1.10# Enumerate SMB shares nmap -p 445 --script smb-enum-shares 192.168.1.10# Check for Heartbleed (OpenSSL CVE-2014-0160) nmap -p 443 --script ssl-heartbleed 192.168.1.10# Brute force SSH login nmap -p 22 --script ssh-brute 192.168.1.10# Detect web application firewalls nmap -p 80 --script http-waf-detect 192.168.1.10# Full vulnerability scan — ALL vuln category scripts sudo nmap -sV --script vuln 192.168.1.10
Pro tip: The --script vuln category runs every vulnerability-detection script against your target. It is noisy but comprehensive — on a CTF box, it often hands you the exact CVE number to research and exploit. Always run it early on authorised targets.
📁
Finding and exploring NSE scripts
Reference
# List all NSE scripts ls /usr/share/nmap/scripts/# Find scripts for a specific service ls /usr/share/nmap/scripts/ | grep smb# Update the NSE script database sudo nmap --script-updatedb# Read what a script does before running it nmap --script-help ftp-anon
8. Saving Nmap output for penetration test reports

Professional pentesters always save their Nmap output. Never re-run a scan to recover results you forgot to save. Nmap supports multiple output formats suited to different purposes.

-oA
Output formats — save your results properly
Professional
# Normal — human readable, same as terminal output nmap -oN scan-results.txt 192.168.1.10# XML — machine readable, import into Metasploit or Burp Suite nmap -oX scan-results.xml 192.168.1.10# Grepable — easy to parse with grep/awk in scripts nmap -oG scan-results.gnmap 192.168.1.10# ALL formats simultaneously — RECOMMENDED (creates 3 files at once) nmap -oA scan-results 192.168.1.10 # Creates: scan-results.nmap scan-results.xml scan-results.gnmap# Full real-world example — everything saved sudo nmap -sV -sC -A -T4 -oA initial-scan 192.168.1.10
Pro tip: Always use -oA — it saves all three formats with zero extra effort. The XML file can be directly imported into Metasploit with db_import scan-results.xml, instantly populating your database with discovered hosts and services.
9. Firewall evasion and stealth scanning techniques

In real penetration tests you will often encounter firewalls and IDS that block standard Nmap scans. These techniques help you gather information while minimising detection.

⚠️ Authorised engagements only These techniques are for systems you are explicitly authorised to test. Using evasion techniques against systems without permission is a more serious offence than basic unauthorised scanning.
-f
Packet fragmentation (-f) — split packets to bypass inspection
Evasion
# Fragment packets — many IDS fail to reassemble and inspect them sudo nmap -f 192.168.1.10# Double fragmentation — even smaller fragments sudo nmap -ff 192.168.1.10# Specify custom MTU (must be multiple of 8) sudo nmap --mtu 24 192.168.1.10
-D
Decoy scanning (-D) — hide your real IP in noise
Evasion
# Scan from decoy IPs + your real IP (ME) # Target sees scan from multiple IPs — harder to find the real attacker sudo nmap -D 192.168.1.50,192.168.1.51,ME 192.168.1.10# Use 5 random decoy IPs sudo nmap -D RND:5 192.168.1.10
Pro tip: Decoy IPs should be alive on the network. If the target tries to respond to dead IPs, those packets go nowhere and the pattern becomes obvious to a skilled analyst.
--sp
Source port spoofing and scan delay
Evasion
# Spoof source port — some firewalls trust traffic from port 53 (DNS) sudo nmap --source-port 53 192.168.1.10# Add delay between probes — evades rate-based detection rules nmap --scan-delay 1s 192.168.1.10# Randomise host order — avoids sequential scan signatures nmap --randomize-hosts 192.168.1.0/24
Speed control — fast scans for CTFs and large targets
Performance
# Set minimum packet rate — much faster than default nmap --min-rate 5000 192.168.1.10# Cap rate — gentler on production systems nmap --max-rate 100 192.168.1.10# FASTEST full-port scan — ideal for CTFs sudo nmap -p- --min-rate 5000 -T4 192.168.1.10
CTF speed trick — the two-step method every OSCP student uses:
Step 1: sudo nmap -p- --min-rate 5000 -T4 -oN allports.txt
Step 2: Extract open ports, then: sudo nmap -sV -sC -A -p 22,80,8080 -oN targeted.txt
This two-phase approach is faster than any single combined scan.
10. Complete Nmap cheatsheet — all commands in one place

Every essential Nmap command, flag, and use case. Bookmark this page or save as PDF for offline reference.

CategoryCommand / FlagWhat it does
Basicnmap Default scan — top 1000 TCP ports
Basicnmap 192.168.1.0/24Scan entire /24 subnet
Basicnmap -iL targets.txtScan from a target list file
Host discoverynmap -sn 192.168.1.0/24Ping sweep — find live hosts only
Host discoverynmap -Pn Skip ping — force scan even "offline" hosts
Scan typessudo nmap -sS SYN scan — stealthy, fastest TCP scan
Scan typesnmap -sT TCP connect scan — no root required
Scan typessudo nmap -sU UDP scan — find DNS, SNMP, DHCP
Scan typessudo nmap -sN NULL scan — no flags (bypass some firewalls)
Scan typessudo nmap -sX Xmas scan — FIN+PSH+URG flags
Portsnmap -p 80,443 Scan specific ports
Portsnmap -p- Scan ALL 65535 ports
Portsnmap --top-ports 100 Scan top 100 most common ports
Detectionnmap -sV Service and version detection
Detectionsudo nmap -O OS fingerprinting
Detectionsudo nmap -A Aggressive — OS + version + scripts + traceroute
Scriptsnmap -sC Run default NSE scripts
Scriptsnmap --script vuln Run ALL vulnerability detection scripts
Scriptsnmap --script smb-vuln-ms17-010Check for EternalBlue / MS17-010
Scriptsnmap --script ftp-anonCheck for anonymous FTP login
Scriptsnmap --script ssl-heartbleedCheck for Heartbleed (OpenSSL)
Scriptsnmap --script smb-enum-sharesEnumerate SMB shares
Timingnmap -T4 Fast — use in local labs and CTFs
Timingnmap -T1 Slow — evades IDS rate-based detection
Timingnmap --min-rate 5000Force minimum send rate — faster scans
Outputnmap -oN scan.txtSave normal human-readable output
Outputnmap -oX scan.xmlSave XML output (import to Metasploit)
Outputnmap -oA resultsSave all three formats simultaneously
Evasionsudo nmap -fFragment packets — bypass basic firewalls
Evasionsudo nmap -D RND:5Decoy scan — hide real IP in noise
Evasionnmap --source-port 53Spoof source port to bypass port rules
Evasionnmap --scan-delay 1sAdd delay — evades rate-based IDS
Verbosenmap -v Show results live as they arrive
Verbosenmap -vv Maximum verbosity
🏆 The two commands to master first If you only memorise two Nmap commands, make them these:

Quick discovery: sudo nmap -sV -sC -T4
Full deep scan: sudo nmap -A -p- --min-rate 5000 -oA full-scan
11. Legal practice targets — scan these without permission

The best way to learn Nmap is to run it. Here are completely legal targets you can practice on right now:

  • scanme.nmap.org — officially sanctioned by the Nmap project. Run any scan you like against this host. It is one of the only internet-facing machines you can scan without written permission.
  • Metasploitable 2 — deliberately vulnerable Linux VM. Download free, run in VirtualBox, and practice every scan type from this tutorial. Every service on it is intentionally vulnerable — perfect for chaining Nmap output into Metasploit exploits.
  • TryHackMe — free tier rooms with pre-configured vulnerable machines. The "Network Services" and "Nmap" rooms are specifically designed to practise this tutorial's content.
  • HackTheBox — free "Starting Point" machines designed for beginners learning Nmap and Metasploit together.
  • VulnHub — downloadable offline VM images. Run any machine in VirtualBox and practice scanning completely offline.
📖 Recommended practice flow 1. Download Metasploitable 2 → run in VirtualBox
2. Run every scan type from Section 4 against it
3. Run sudo nmap -sV -sC --script vuln
4. Note the vsftpd 2.3.4 finding in the output
5. Open Metasploit → use exploit/unix/ftp/vsftpd_234_backdoor → run
This single exercise connects Nmap directly to your first real shell — the most important skill chain in ethical hacking.

⚡ What to learn next — continue your path

  1. Metasploit — exploit what Nmap finds — take your scan output and turn open service versions into working shells. Full Metasploit tutorial →
  2. Burp Suite — web application scanning — once Nmap reveals web services, Burp Suite is the tool to attack them. Burp Suite tutorial for beginners →
  3. Top 20 Kali Linux commands — Nmap is command #1. See the complete toolkit. Top 20 Kali Linux commands →
  4. Bug bounty hunting — use Nmap for recon on in-scope targets. Bug bounty beginners guide →
12. Frequently asked questions
What is Nmap used for?

Nmap is used for network discovery and security auditing. It identifies live hosts, discovers open ports, detects running services and their versions, fingerprints operating systems, and runs vulnerability-detection scripts. It is used by penetration testers, system administrators, and security researchers worldwide on every major platform.

Is Nmap legal to use?

Nmap itself is completely legal software. Running it against your own systems or systems you have explicit written permission to test is legal. Scanning unauthorised systems is illegal in most countries and can result in criminal charges. Always get written permission before scanning any network you do not own.

What is the best Nmap scan for beginners?

The best starting scan is nmap -sV -sC . The -sV flag detects service versions and -sC runs default scripts that reveal common misconfigurations. This single command gives you port states, service names, versions, and script output — everything you need to begin a penetration test.

How do I scan all ports with Nmap?

Use nmap -p- . By default Nmap only scans the 1000 most common ports. The -p- flag scans all 65535 ports. This is slower but essential for finding services running on non-standard ports. Speed it up with --min-rate 5000 -T4.

What is the difference between a SYN scan and a TCP connect scan?

A SYN scan (-sS) sends a SYN packet and never completes the TCP handshake — making it faster and stealthier. A TCP connect scan (-sT) completes the full three-way handshake, is more detectable, but does not require root privileges. Use SYN scan in labs, TCP connect when running without root.

How do I detect the operating system with Nmap?

Use sudo nmap -O for OS detection. Nmap compares TCP/IP stack responses against a database of 2,600+ OS fingerprints. For more complete results, use sudo nmap -A which combines OS detection, version scanning, script scanning, and traceroute all in one command.

How do I make Nmap faster?

Three ways: use -T4 on local networks, add --min-rate 5000 to force a fast send rate, and use the two-phase method — first -p- to find all open ports quickly, then a targeted -sV -sC only on the open ports. This combination is faster than any single combined scan.

About the author Written by the HOC Team at Hackers Online Club — a cybersecurity community with 15+ years of ethical hacking education, tool coverage, and infosec news trusted by security students, bug bounty hunters, and professional penetration testers since 2010. Learn more about HOC →
Previous Article
Top 20 Kali Linux Commands

Top 20 Kali Linux Commands Every Hacker Must Know (2026)

byPriyanshu Sahay