Published: 19 October 2020    Last Updated: 03 November 2022

Before being able to determine if systems are vulnerable, it’s critical to first find as many active systems within the scope as possible and to accurately determine what services those systems expose. A common tool for use in network mapping is Nmap.

Before we start looking at the many, many, options that Nmap has, we'll take a look at a simple example. Nmap can be invoked with a target IP address and it will perform a default scan. If Nmap is invoked with administrative/root privileges it will perform a "half-open" SYN scan which is beneficial for its potential to be stealthier and faster than a "full" scan. A full-handshake scan can will be performed if administrative permissions are not granted, or optionally with the -sT flag.