
Host discovery and port scanning through Network-Mapper (Nmap)

Basic guide to mapping network infrastructure


Introduction

Imagine being dropped into an unfamiliar network, no documentation, no IP list, no idea what devices are online or what services are running. Whether you're a cybersecurity student, a network admin, or a penetration tester, this situation is common. How do you map the network, discover live hosts, and identify open ports and services? That’s where Nmap comes in.

In this blog, we'll walk through the first part of Nmap scanning. Starting from target specification, we'll look at how Nmap performs host discovery and how to choose a port scan technique. In later blogs I'll cover how we can detect services, operating systems, and even potential vulnerabilities using Nmap.

Nmap Workflow: Step-by-Step Process

Nmap is short for Network Mapper. It is an open-source command-line tool that runs on Linux, Windows and macOS (Zenmap is its graphical front end). Let's understand how Nmap works. Below is the structured workflow:

Basic Syntax:

nmap [Scan Type(s)] [Options] {target specification}

The port list (-p), the scan technique (-sS, -sT, -sU, ...) and the timing template (-T0 to -T5) are all options; the target specification is the only mandatory part. Options can appear in any order, but a port list must follow its own flag (for example -p 80,443, or -PS80,443 with no space) so that Nmap does not mistake it for a target.

1. Target Specification

Before Nmap can scan anything, it needs to know what to scan. This step tells Nmap the specific systems, IP addresses, domain names, or entire networks you want to scan.

First it resolves any domain names (such as example.com) into IP addresses through DNS. A hostname that resolves to several addresses is scanned on the first one only, unless you pass --resolve-all. Next, it expands IP ranges and CIDR notation into the full list of addresses to scan. If you have specified exclusions with --exclude (or a file of them with --excludefile), Nmap removes those addresses from the list. Finally, the resulting set of IPs is handed to the Host Discovery phase, where Nmap determines which hosts are actually online and responsive. To see the expanded list without probing the targets, run a list scan with -sL (add -n to skip the reverse DNS lookups it performs).

Examples:

  • Single IP: nmap 192.168.1.1

  • IP range: nmap 192.168.1.1-10

  • CIDR(subnet) notation: nmap 192.168.1.0/24

  • Domain name: nmap example.com
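To make the expansion step concrete, here is an added example (not code from the original post and not Nmap's own code) that expands the same kinds of target specs into the address list that would be handed to host discovery and applies an --exclude list. It assumes a small constructed hostname table in place of live DNS so it runs offline; FAKE_DNS, expand_target and build_scan_list are names chosen for this example.

```python
"""Expand Nmap-style target specifications into the concrete IP list that
would be scanned.  Added example, not part of the original post or of Nmap:
it re-implements the expansion step the text describes, for illustration.
Assumption (not from the post): hostnames resolve through a constructed table
instead of live DNS, so the example runs offline."""
import ipaddress
import re

# Constructed stand-in for DNS (assumed mapping, chosen for this example).
FAKE_DNS = {"example.com": "93.184.216.34"}

# One octet of an Nmap target: a number, a low-high range, or a wildcard.
_OCTET = re.compile(r"^(\d{1,3}|\d{1,3}-\d{1,3}|\*)$")


def _octet_values(part):
    """'5' -> [5]; '1-10' -> [1..10]; '*' -> [0..255]."""
    if part == "*":
        return list(range(256))
    if "-" in part:
        lo, hi = (int(x) for x in part.split("-", 1))
        if not 0 <= lo <= hi <= 255:
            raise ValueError(f"bad octet range {part!r}")
        return list(range(lo, hi + 1))
    value = int(part)
    if not 0 <= value <= 255:
        raise ValueError(f"bad octet {part!r}")
    return [value]


def expand_target(spec):
    """Expand one spec: CIDR (10.0.0.0/24), Nmap octet ranges (10.0.0.1-10,
    10.0.*.1), a plain IPv4 address, or a hostname looked up in FAKE_DNS.
    Returns IPv4Address objects in the order Nmap would scan them."""
    if "/" in spec:
        # Nmap scans every address in the block, network and broadcast included.
        return list(ipaddress.ip_network(spec, strict=False))
    parts = spec.split(".")
    if len(parts) == 4 and all(_OCTET.match(p) for p in parts):
        a, b, c, d = (_octet_values(p) for p in parts)
        return [ipaddress.IPv4Address(f"{w}.{x}.{y}.{z}")
                for w in a for x in b for y in c for z in d]
    if spec not in FAKE_DNS:
        raise ValueError(f"cannot resolve {spec!r} (offline example)")
    return [ipaddress.IPv4Address(FAKE_DNS[spec])]


def build_scan_list(targets, exclude=()):
    """Expand every target, drop anything covered by the --exclude specs, and
    de-duplicate while keeping first-seen order: the set handed to host discovery."""
    excluded = set()
    for spec in exclude:
        excluded.update(expand_target(spec))
    seen, result = set(), []
    for spec in targets:
        for ip in expand_target(spec):
            if ip in excluded or ip in seen:
                continue
            seen.add(ip)
            result.append(ip)
    return result


if __name__ == "__main__":
    for ip in build_scan_list(["192.168.1.0/29", "192.168.1.1-10"],
                              exclude=["192.168.1.0-1"]):
        print(ip)
```

Running the script prints 192.168.1.2 through 192.168.1.10: the /29 and the 1-10 range overlap on .1 to .7, the exclusion removes .0 and .1, and each surviving address appears once.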

2. Host Discovery

Host discovery is how Nmap finds out which devices (hosts) are alive or reachable before it spends time port scanning them. Which probes it sends depends on where the target sits. For targets on the same Ethernet segment, Nmap sends ARP requests; any device that answers with its MAC address is reported as "Host is up". For targets beyond a router, a privileged (root) scan sends by default an ICMP echo request, a TCP SYN to port 443, a TCP ACK to port 80 and an ICMP timestamp request; an unprivileged scan falls back to TCP connect attempts to ports 80 and 443. A host that answers any one of these probes is considered up.

Which technique works best depends on the characteristics of the network. A few important ones are described below.

  • Ping scan (-sn)

    A ping scan runs host discovery only and skips the port scan, so it is the quickest way to list the live hosts in an IP range. It uses the default probes described above: ARP requests on the local segment, otherwise ICMP echo requests together with the TCP SYN/ACK and ICMP timestamp probes.

    Syntax: nmap -sn 192.168.1.0/24

ICMP Scan

ICMP is the protocol used by the ping command. Nmap can send three different ICMP probe types to check host availability, all of which need raw-packet privileges (root):

  • -PE sends a standard Echo Request (ICMP type 8).

  • -PP sends a Timestamp Request (type 13), asking the host for its current time.

  • -PM sends an Address Mask Request (type 17), asking the host for its subnet mask.

Syntax: nmap -sn -PE <target>, or combine them: nmap -sn -PE -PP -PM <target>

Many firewalls filter only echo requests, so a timestamp or address-mask request can reveal a host that ignores ordinary ping. Do not rely on them alone: most modern hosts do not answer address-mask requests at all, and a strict firewall drops every ICMP type.

  • TCP SYN / ACK ping (-PS / -PA)

    The -PS option sends a TCP SYN packet to the listed ports (port 80 if none is given). A SYN/ACK (port open) or a RST (port closed) both prove the host is up, so this finds hosts behind firewalls that block ICMP ping (-PE). -PA sends a TCP ACK instead; a live host replies with a RST, and because the packet is not a SYN it can pass stateless firewalls that only block new connections. Stateful firewalls drop the unexpected ACK, so sending both -PS and -PA is common.

    A SYN probe never completes the connection (Nmap answers the SYN/ACK with a RST), so the application listening on the port does not see it.

    Syntax: nmap -sn -PS80,3389,445 <target>

    This command sends TCP SYN probes to ports 80, 3389 and 445. Note that there is no space between -PS and the port list; with a space, Nmap would read 80,3389,445 as a target name.

3. Port Scan Techniques

Through host discovery we learn which hosts are live. Port scanning then checks which ports on those hosts are open or closed. Below are the ways to tell Nmap which ports to scan, with their commands.

#   Port type               Nmap command example         Explanation
1   Single port             nmap 1.2.3.4 -p 80           Scan only port 80
2   Sequential port range   nmap 1.2.3.4 -p 20-30        Scan ports 20 through 30
3   Specific ports          nmap 1.2.3.4 -p 80,22,111    Scan only the listed ports
4   Service specific        nmap 1.2.3.4 -p http         Scan ports by service name (http = 80)
5   Protocol specific       nmap 1.2.3.4 -p T:22,U:53    Scan TCP port 22 and UDP port 53
6   All ports               nmap 1.2.3.4 -p-             Scan all 65535 ports (1-65535)

Two details worth knowing: the protocol-specific form only scans UDP ports if you also ask for a UDP scan (-sU) alongside a TCP scan type, and -p- starts at port 1; use -p0- if you also want port 0.

When scanning ports with Nmap, the results typically include different port statuses, each revealing something about the target:

  • Open: An application is actively listening for connections on this port. Nmap received a SYN/ACK (TCP) or a reply (UDP).

  • Closed: The port is reachable (the host answered with a RST or an ICMP port unreachable), but no application is listening on it.

  • Filtered: Nmap cannot determine whether the port is open because a firewall, router, or other filtering device is dropping the probe (no reply at all, or an ICMP error such as "administratively prohibited"). Nmap retries these probes, which is why heavily filtered targets scan slowly.

  • Unfiltered: The port is reachable, but Nmap cannot determine whether it is open or closed. Only the ACK scan (-sA) reports this state.

  • Open|filtered: Nmap cannot distinguish an open port from a filtered one. This is common in UDP scans, where an open service often does not reply to an empty probe.

If a target blocks every host discovery probe, Nmap reports it as down and scans nothing. Use nmap -Pn <target ip> (capital P) to skip host discovery and port scan every address regardless. For a quick first look, the fast option -F scans only the 100 most common ports for each protocol instead of Nmap's default 1000, so it is faster but less comprehensive: nmap -Pn -F <target ip>. Use -p- when you need every port.
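Added example (not from the original post and not part of Nmap): once a discovery or port scan has been run with -oX, the XML output records both why Nmap declared a host up (the status reason, such as arp-response or echo-reply) and the state and reason of every port, which is the evidence behind the open/closed/filtered verdicts listed above. The XML below is a constructed sample in Nmap's -oX layout, not a capture from a real scan; parse_nmap_xml, live_hosts and open_ports are names chosen for this example.

```python
"""Parse Nmap XML output (-oX) to list which hosts are up, why Nmap decided
so, and the state of each scanned port.  Added example, not part of the
original post or of Nmap.  SAMPLE_XML is a constructed sample in the -oX
layout (not a real capture); the IPs and MAC address are made up."""
import xml.etree.ElementTree as ET

SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -p 22,80,443 192.168.1.10 192.168.1.11 -oX -">
<host><status state="up" reason="arp-response"/>
<address addr="192.168.1.10" addrtype="ipv4"/>
<address addr="00:11:22:33:44:55" addrtype="mac"/>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh"/></port>
<port protocol="tcp" portid="80"><state state="closed" reason="reset"/><service name="http"/></port>
<port protocol="tcp" portid="443"><state state="filtered" reason="no-response"/><service name="https"/></port>
</ports></host>
<host><status state="down" reason="no-response"/>
<address addr="192.168.1.11" addrtype="ipv4"/>
</host>
<runstats><hosts up="1" down="1" total="2"/></runstats>
</nmaprun>"""


def parse_nmap_xml(xml_text):
    """Return {ip: {"state", "reason", "mac", "ports"}} where ports is a list of
    (protocol, port, state, reason, service) tuples in scan order."""
    root = ET.fromstring(xml_text)
    hosts = {}
    for host in root.findall("host"):
        ip = mac = None
        for addr in host.findall("address"):
            if addr.get("addrtype") in ("ipv4", "ipv6"):
                ip = addr.get("addr")
            elif addr.get("addrtype") == "mac":       # only present on the local segment
                mac = addr.get("addr")
        status = host.find("status")
        ports = []
        for port in host.findall("ports/port"):
            state = port.find("state")
            service = port.find("service")
            ports.append((port.get("protocol"), int(port.get("portid")),
                          state.get("state"), state.get("reason"),
                          service.get("name") if service is not None else None))
        hosts[ip] = {"state": status.get("state"), "reason": status.get("reason"),
                     "mac": mac, "ports": ports}
    return hosts


def live_hosts(hosts):
    """Addresses Nmap reported as up, sorted."""
    return sorted(ip for ip, h in hosts.items() if h["state"] == "up")


def open_ports(hosts):
    """(ip, protocol, port, service) for every confirmed-open port.  open|filtered
    is deliberately left out because it is not a confirmed listener."""
    return [(ip, proto, port, svc)
            for ip, h in hosts.items()
            for proto, port, state, _reason, svc in h["ports"]
            if state == "open"]


if __name__ == "__main__":
    parsed = parse_nmap_xml(SAMPLE_XML)
    for ip in live_hosts(parsed):
        print(f"{ip} is up ({parsed[ip]['reason']})")
    for ip, proto, port, svc in open_ports(parsed):
        print(f"{ip} {port}/{proto} open {svc}")
```

The reason attributes are the part practitioners tend to skip: an arp-response proves the host is on your segment, whereas a syn-ack from a port behind a firewall that answers on the host's behalf does not, and a closed port's reset tells you the probe reached the host, which a filtered port's no-response never does.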

Scanning Specific Ports (-p)

If you want to check a specific port on a machine or range of machines, use the -p option:

nmap -p 80 <target>

This scans port 80 (commonly used for websites) on the target. The same syntax accepts a range (-p 1-1024) or a comma-separated list (-p 22,80,443).

TCP Connect Scan (-sT) - Full-Open Scan

This is the scan Nmap uses when it lacks raw-packet privileges (a non-root user gets -sT by default), and it is also the right choice when you want to confirm that a service actually accepts connections rather than merely that the port answers a SYN. System admins and blue teams often use -sT for availability checks from a trusted host.

Because it completes the full TCP handshake (SYN → SYN/ACK → ACK) through the operating system's connect() call, the target application receives a real connection: the scan shows up in application logs, is easy to detect, and is somewhat slower than a SYN scan.

Syntax: nmap -sT <target>

SYN Scan (-sS) - Half-Open Scan

This is Nmap's default scan when it runs with root privileges, and the one red teams and pen testers prefer during recon because it is fast and leaves less of a trace on the target than a connect scan.

Nmap sends the first SYN and waits: a SYN/ACK means the port is open, a RST means it is closed, and no reply means filtered. When a SYN/ACK comes back, Nmap does not send the final ACK; it replies with a RST instead, so the handshake is never completed and no connection is handed to the listening application. That is why the application does not log it and why the scan is quicker. Do not mistake this for invisibility: firewalls and IDS sensors watch for SYN scans, and a burst of SYNs with no follow-up ACK is one of the easiest patterns to detect.

Syntax: sudo nmap -sS <target>

Scanning UDP Ports (-sU)

Some services, such as DNS (port 53), SNMP (port 161) and DHCP (ports 67/68), run only on UDP, and they are easy to miss because Nmap's default scan is TCP-only. UDP is a connectionless protocol: there is no handshake, so Nmap simply sends a datagram to each port (empty for most ports, a protocol-specific payload for well-known ones) and interprets what comes back. A UDP reply means open; an ICMP port unreachable error means closed; other ICMP errors mean filtered; and silence means open|filtered, because an open service may simply ignore the probe. The syntax is: nmap -sU <target>

UDP scans are slow: most operating systems rate-limit ICMP port unreachable messages (Linux to about one per second), so a full-range UDP scan of a single host can take hours. Add -sV to help resolve open|filtered ports with service probes, or keep the port list short.

  • To scan multiple UDP ports or a range of UDP ports, use the -p flag: nmap -sU -p 1-500 <target>

    To scan all UDP ports: nmap -sU -p- <target>
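As an added example (not Nmap's code and not from the original post), the script below implements the two techniques that ordinary sockets can perform, the TCP connect scan described under -sT and the UDP probe described under -sU, against listeners it starts itself on the loopback interface, so it runs offline and shows where the open, closed, filtered and open|filtered verdicts come from. The SYN scan is left out on purpose: it needs raw sockets and root, which plain socket code cannot provide. Assumptions: the target is 127.0.0.1 and the listeners are constructed stand-ins for real services; every function name is this example's own.

```python
"""Minimal -sT and -sU style scanner over plain sockets.  Added example, not
Nmap's code and not from the original post.  Assumption: the targets are
listeners this script starts itself on 127.0.0.1 (constructed stand-ins)."""
import socket
import threading

HOST = "127.0.0.1"


def tcp_connect_scan(host, port, timeout=1.0):
    """-sT: full handshake through the OS connect().  Accepted -> open,
    RST (connection refused) -> closed, timeout or ICMP error -> filtered."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except OSError:  # timeout, host/network unreachable, ...
        return "filtered"


def udp_scan(host, port, payload=b"\x00", timeout=1.0):
    """-sU: send one datagram.  Any reply -> open; ICMP port unreachable
    (surfaces as ConnectionRefusedError on a connected UDP socket) -> closed;
    silence -> open|filtered, because an open service may ignore the probe."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))
        try:
            s.send(payload)
            s.recv(1024)
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except socket.timeout:
            return "open|filtered"


def _serve(sock, handler):
    """Run handler(sock) in a thread until stopped; return (port, stop_fn)."""
    sock.settimeout(0.2)
    stop = threading.Event()

    def loop():
        while not stop.is_set():
            try:
                handler(sock)
            except socket.timeout:
                continue
        sock.close()

    threading.Thread(target=loop, daemon=True).start()
    return sock.getsockname()[1], stop.set


def start_tcp_listener():
    """Constructed TCP service: accepts a connection and closes it at once."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((HOST, 0))
    srv.listen(5)
    return _serve(srv, lambda s: s.accept()[0].close())


def start_udp_listener(reply):
    """Constructed UDP service: echoes (reply=True) or stays silent (reply=False)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind((HOST, 0))

    def handler(s):
        data, peer = s.recvfrom(1024)
        if reply:
            s.sendto(data, peer)

    return _serve(srv, handler)


def free_port():
    """Bind and release an ephemeral port so we have one with no listener."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((HOST, 0))
        return s.getsockname()[1]


def demo():
    """Scan the constructed listeners and return {case: state}."""
    tcp_port, stop_tcp = start_tcp_listener()
    udp_echo, stop_echo = start_udp_listener(reply=True)
    udp_quiet, stop_quiet = start_udp_listener(reply=False)
    closed = free_port()
    results = {
        "tcp_open": tcp_connect_scan(HOST, tcp_port),
        "tcp_closed": tcp_connect_scan(HOST, closed),
        "udp_open": udp_scan(HOST, udp_echo),
        "udp_silent": udp_scan(HOST, udp_quiet),  # the ambiguous UDP verdict
        "udp_closed": udp_scan(HOST, closed),     # relies on ICMP unreachable delivery
    }
    for stop in (stop_tcp, stop_echo, stop_quiet):
        stop()
    return results


if __name__ == "__main__":
    for case, state in demo().items():
        print(f"{case:>11}: {state}")
```

The silent UDP listener is the instructive case: it is genuinely open, yet the scanner can only say open|filtered, which is exactly why -sU results need a service probe (-sV) or a protocol-aware payload before you treat them as findings. The closed UDP verdict depends on the kernel delivering the ICMP port unreachable error to the socket, which Linux does on loopback; on a filtered network path that error never arrives and the port also reads as open|filtered.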

Conclusion

That wraps up Part 1 of our Nmap series. We covered the essentials like how to specify your targets, discover live hosts, and scan ports using various techniques like TCP connect, SYN, and UDP scans. With these basics in place, you're ready to start exploring what services are actually running on those open ports.

Artemis

Part 2 of 12

The May '25 series marks our first public showcase—an inside look at the ideas, experiments, and projects we're building. These blogs are dense, thoughtful, and a signal to the world: NTL is here, and we’re just getting started.
