How to scan ports with Nmap: a practical guide
Learn how to scan TCP and UDP ports with Nmap: install, port selection, SYN vs connect scans, version detection, NSE scripts, and output formats.
Nmap is the de facto standard for discovering which ports a host exposes and what services run behind them. This guide walks through the commands you will actually use, from a first scan to version detection and scripting. Throughout, replace <target> with a hostname or IP you are authorized to test.
A note on legality and ethics
Port scanning touches systems you may not own. Only scan hosts and networks you own or have explicit written authorization to test. Unauthorized scanning can breach computer-misuse and anti-hacking laws, and even a "harmless" scan can trip intrusion-detection systems and get you blocked. When in doubt, get permission in writing first.
Installing Nmap
Nmap ships for Linux, macOS, and Windows.
# Debian / Ubuntu
sudo apt install nmap
# macOS (Homebrew)
brew install nmap
# Verify
nmap --version
Your first scan
The simplest invocation scans the 1,000 most common TCP ports:
nmap <target>
This quickly tells you whether classics like port 22 (SSH), port 80 (HTTP), and port 443 (HTTPS) are open. For a Windows host you will often also see port 445 (SMB) and port 3389 (RDP).
Selecting which ports to scan
Use -p to target specific ports, ranges, or all 65,535:
# Specific ports
nmap -p 22,80,443 <target>
# A range
nmap -p 1-1024 <target>
# Every port
nmap -p- <target>
# The N most common ports
nmap --top-ports 100 <target>
If you only care about mail infrastructure, you might scan port 25 (SMTP), port 110 (POP3), port 143 (IMAP), and port 587 (submission) directly. Nmap also accepts open-ended ranges: -p -1024 means 1-1024 and -p 49152- means 49152-65535.
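To make the -p syntax concrete, here is a small added example (not Nmap's own code) that expands an Nmap-style port specification into the exact set of ports it covers, and collapses a list of ports back into the compact form you would paste into a report. It follows the rules shown above (comma lists, a-b ranges, a bare "-" for every port, and open-ended "-b" / "a-" forms); protocol prefixes such as T:/U: are deliberately not handled.

```python
"""Expand and compress Nmap-style -p port specifications (added example, not Nmap code)."""
from typing import Iterable, List

MAX_PORT = 65535

# Sample specs mirroring the commands in this section (constructed for the example).
MAIL_PORTS_SPEC = "25,110,143,587"
LOW_PORTS_SPEC = "1-1024"


def expand_port_spec(spec: str) -> List[int]:
    """Return the sorted, de-duplicated list of ports that an Nmap -p spec covers.

    Supported forms: "22", "22,80,443", "1-1024", "-" (1-65535),
    "-1024" (1-1024) and "49152-" (49152-65535). Port 0 is allowed only
    when written explicitly, matching Nmap's behaviour for "-p-".
    """
    ports = set()
    for item in spec.replace(" ", "").split(","):
        if not item:
            continue
        if "-" in item:
            lo_text, hi_text = item.split("-", 1)
            lo = int(lo_text) if lo_text else 1
            hi = int(hi_text) if hi_text else MAX_PORT
        else:
            lo = hi = int(item)
        if not (0 <= lo <= hi <= MAX_PORT):
            raise ValueError(f"invalid port range: {item!r}")
        ports.update(range(lo, hi + 1))
    if not ports:
        raise ValueError("empty port specification")
    return sorted(ports)


def to_port_spec(ports: Iterable[int]) -> str:
    """Collapse a collection of ports into the shortest equivalent -p spec.

    Consecutive ports become a-b ranges; everything else is listed singly.
    """
    ordered = sorted(set(ports))
    if not ordered:
        return ""
    pieces = []
    start = prev = ordered[0]
    for port in ordered[1:]:
        if port == prev + 1:
            prev = port
            continue
        pieces.append(f"{start}-{prev}" if start != prev else str(start))
        start = prev = port
    pieces.append(f"{start}-{prev}" if start != prev else str(start))
    return ",".join(pieces)


if __name__ == "__main__":
    for spec in (MAIL_PORTS_SPEC, LOW_PORTS_SPEC, "-", "-3", "65533-"):
        expanded = expand_port_spec(spec)
        print(f"{spec!r:12} -> {len(expanded)} ports, re-encoded as {to_port_spec(expanded)!r}")
```

Round-tripping a scan's port list through to_port_spec is handy when you want to record exactly what was covered without listing hundreds of numbers.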
SYN scan vs connect scan
The default for privileged users is the SYN scan (-sS), also called a half-open scan. It sends a SYN, watches for SYN/ACK, and never completes the handshake, which makes it fast and relatively quiet:
sudo nmap -sS <target>
Without root privileges, Nmap falls back to the TCP connect scan (-sT), which completes a full handshake through the OS:
nmap -sT <target>
Use -sS when you can; use -sT when you cannot run as root.
Scanning UDP ports
Plenty of critical services are UDP-only. Use -sU to reach port 53 (DNS), port 123 (NTP), port 161 (SNMP), and port 69 (TFTP):
sudo nmap -sU --top-ports 50 <target>
UDP scans are slow because an open or filtered UDP port usually sends nothing back, so Nmap has to retransmit and wait out a timeout for each one before it can report open|filtered; cap the port count and be patient.
Version and service detection
Knowing a port is open is half the story; -sV probes the service to identify the software and version:
nmap -sV -p 22,443,3306 <target>
This is invaluable for fingerprinting databases such as port 3306 (MySQL), port 5432 (PostgreSQL), or port 6379 (Redis).
Aggressive scan
The -A flag bundles version detection, OS detection, traceroute, and default scripts into one command:
nmap -A <target>
It is noisy and slower, but it gives the richest single-shot picture of a host.
NSE: the Nmap Scripting Engine
The --script option runs Lua scripts for deeper checks. For example, enumerate SMB shares on port 139 and port 445, or probe a web app on port 8080:
# Default scripts (equivalent to --script default)
nmap -sC <target>
# A specific category (vuln scripts can be intrusive and may upset fragile services)
nmap --script vuln <target>
# A named script against LDAP on port 389
nmap -p 389 --script ldap-rootdse <target>
Saving your output
For reporting and tooling, save results in a structured format:
# Normal, XML, and grepable in one pass
nmap -oA scan-results <target>
# Just XML (great for importing into other tools)
nmap -oX scan.xml <target>
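The XML output is the form most worth automating. The following added example (my own code, not part of Nmap or this guide's original content) parses an -oX file with Python's standard library, keeps only hosts that are up and ports that are open, and compares them against an approved baseline of what each host is supposed to expose, so an unexpected listener stands out in the report. The embedded XML is a constructed sample in the shape Nmap produces for an -sV scan; the addresses and baseline are placeholders, not real hosts.

```python
"""Parse Nmap -oX output and flag open ports missing from an approved baseline (added example)."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed sample of Nmap XML output (structure follows nmap -sV -oX; hosts are placeholders).
SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 192.0.2.0/30" version="7.94">
<host>
<status state="up" reason="echo-reply"/>
<address addr="192.0.2.10" addrtype="ipv4"/>
<hostnames><hostname name="web01.example.test" type="PTR"/></hostnames>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh" product="OpenSSH" version="9.2p1"/></port>
<port protocol="tcp" portid="443"><state state="open" reason="syn-ack"/><service name="http" product="nginx" version="1.24.0" tunnel="ssl"/></port>
<port protocol="tcp" portid="3306"><state state="open" reason="syn-ack"/><service name="mysql" product="MySQL" version="8.0.36"/></port>
<port protocol="tcp" portid="8080"><state state="closed" reason="reset"/><service name="http-proxy"/></port>
</ports>
</host>
<host>
<status state="down" reason="no-response"/>
<address addr="192.0.2.11" addrtype="ipv4"/>
</host>
</nmaprun>
"""

# Approved exposure per host: (protocol, port) pairs that are expected to be open (constructed).
BASELINE: Dict[str, Set[Tuple[str, int]]] = {
    "192.0.2.10": {("tcp", 22), ("tcp", 443)},
}


@dataclass(frozen=True)
class OpenPort:
    host: str
    hostname: str
    protocol: str
    port: int
    service: str
    product: str
    version: str


def parse_nmap_xml(xml_text: str) -> List[OpenPort]:
    """Return every open port on every host that Nmap reported as up."""
    root = ET.fromstring(xml_text)
    findings: List[OpenPort] = []
    for host in root.iter("host"):
        status = host.find("status")
        if status is not None and status.get("state") != "up":
            continue  # skip hosts that did not respond
        address = host.find("address[@addrtype='ipv4']")
        if address is None:
            address = host.find("address")
        if address is None:
            continue
        addr = address.get("addr", "")
        name_el = host.find("hostnames/hostname")
        hostname = name_el.get("name", "") if name_el is not None else ""
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed, filtered and open|filtered are not exposures
            service = port.find("service")
            svc = service.attrib if service is not None else {}
            findings.append(OpenPort(
                host=addr,
                hostname=hostname,
                protocol=port.get("protocol", ""),
                port=int(port.get("portid", "0")),
                service=svc.get("name", ""),
                product=svc.get("product", ""),
                version=svc.get("version", ""),
            ))
    return findings


def unexpected_exposures(findings: List[OpenPort],
                         baseline: Dict[str, Set[Tuple[str, int]]]) -> List[OpenPort]:
    """Keep only open ports that the baseline does not approve for that host."""
    return [f for f in findings if (f.protocol, f.port) not in baseline.get(f.host, set())]


def format_report(findings: List[OpenPort]) -> str:
    """Render findings as one line per port, suitable for a ticket or a log."""
    lines = [f"{f.host} ({f.hostname or '-'}) {f.protocol}/{f.port} {f.service} "
             f"{f.product} {f.version}".rstrip() for f in findings]
    return "\n".join(lines)


if __name__ == "__main__":
    found = parse_nmap_xml(SAMPLE_XML)
    print("Open ports:\n" + format_report(found))
    print("\nNot in baseline:\n" + format_report(unexpected_exposures(found, BASELINE)))
```

Run it against a real file with open("scan.xml").read() in place of SAMPLE_XML. Comparing each scan against a maintained baseline turns a one-off scan into a drift check: the interesting output is the diff, not the full port list.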
Conclusion
Nmap scales from a one-word command to a deeply scriptable reconnaissance platform. Start with a default scan, narrow with -p, choose -sS or -sU for the transport, add -sV to fingerprint services, and reach for --script when you need detail. To look up any number you encounter, browse all ports on PortsDB. And always remember the golden rule: only scan what you are authorized to scan.