Nmap TCP Port Scan Tutorial

Nmap is the most popular port scanner out there, and with good reason. It has a lot of functionality, and you can really tweak it to your needs!
The pitfall with nmap, however, is that the whole thing can seem a bit daunting at first: there are a lot of options, and it is not easy to know which ones to use in which situation.

That is what this nmap tutorial is about: the most used options of the nmap port scanner, and when to use them.

Please keep in mind that we’ll only cover the basic use cases of nmap – for further documentation, check out the nmap docs.

If you’re looking to develop your own simple port scanner, check out this article. 😉

Installing nmap

If you already have nmap installed, feel free to skip to the next section!
You can also fast-forward if you're running Kali, which ships nmap out of the box. 🙂

The nmap tool is available for all major operating systems, namely Linux, Windows and macOS. Simply head over to the nmap download page and download the source or binary for your platform.

Most popular Linux distributions also package nmap in their repositories. On Debian and Ubuntu-based systems, type this into your terminal and hit enter:

sudo apt-get install nmap

If you get an error, don’t worry. Simply download via the nmap download page as described above.

Before we get started with the actual port scanning, you need a target IP address. Since we're only doing some testing here, your local gateway will do just fine. Stick to hosts you own or have explicit permission to scan: port scanning external targets without permission can have legal consequences.

Finding the IP address of your local gateway is a simple task.

On Linux, simply type this into the terminal and hit enter:

ip route | grep default

Similarly on Windows, open up the command prompt and type the following:

ipconfig | findstr /i "Gateway"

Finally, on macOS, type this into the terminal:

netstat -nr | grep default

Now that we have our target IP, we’re ready to run our first nmap scan.

Default nmap scan

The easiest way to get started with nmap is to perform the default scan. The command is simply nmap [IP-address].

Remember to swap out [IP-address] for the IP address of your local gateway.

Since we’re running this scan on the local network, it should finish quickly. When the scan is done, you’ll see a three-column result listing, where the columns are PORT, STATE and SERVICE.

The PORT column shows the port number and protocol, e.g. 22/tcp.
The STATE column shows nmap's verdict for that port: open, closed or filtered (plus unfiltered, open|filtered and closed|filtered for scan types that cannot tell those apart). Ports that all share the most common state are collapsed into a single "Not shown: N closed ports" line above the table, so you normally only see the interesting ones.
Finally, the SERVICE column names the service normally found on that port. In a default scan this is nothing more than a lookup of the port number in nmap's services table; nmap has not verified that the service is actually there. Add -sV (covered below) to have nmap probe the service for real.

The output you got should already tell you something valuable, namely which TCP ports are open on your local gateway.

By default nmap runs a SYN scan when it has raw-socket privileges (root on Linux) and a CONNECT scan otherwise, and it probes only the 1,000 most commonly used TCP ports rather than all 65,535. Both scan types are fast, so a default scan of a host on the local network finishes in seconds; use -p to change the port range.
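Since most of the value of a scan sits in that PORT / STATE / SERVICE table, here is an added example of my own (not code from this tutorial or from nmap) that parses nmap's normal text output into Python records, pulls out the open ports, and keeps the collapsed "Not shown" count. The sample output is constructed for the example, not a real scan result; the parser also accepts the extra VERSION column that -sV adds.

```python
import re
from dataclasses import dataclass

# Constructed sample of nmap's normal output for a default scan of a home
# gateway. Illustrative text only, not the result of a real scan.
SAMPLE_OUTPUT = """\
Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-01 12:00 UTC
Nmap scan report for 192.168.1.1
Host is up (0.0021s latency).
Not shown: 996 closed tcp ports (reset)
PORT    STATE    SERVICE
22/tcp  open     ssh
53/tcp  open     domain
80/tcp  open     http
443/tcp filtered https
MAC Address: 00:11:22:33:44:55 (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 0.45 seconds
"""


@dataclass
class PortResult:
    port: int
    proto: str      # tcp / udp / sctp
    state: str      # open, closed, filtered, unfiltered, open|filtered, ...
    service: str    # table lookup in a default scan, probed result with -sV
    version: str    # only filled in when -sV was used


# "Nmap scan report for <name> (<ip>)" starts each host's section; the
# parenthesised IP is only present when nmap resolved a hostname.
REPORT_LINE = re.compile(r"^Nmap scan report for (\S+)(?: \((\S+)\))?")
# "Not shown: 996 closed tcp ports (reset)" or the older
# "Not shown: 990 closed ports, 6 filtered ports" form.
NOT_SHOWN_ITEM = re.compile(r"(\d+) ([\w|]+)(?: (?:tcp|udp|sctp))? ports")
# Table rows: "22/tcp open ssh", with an optional trailing VERSION column.
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp|sctp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")


def parse_nmap_output(text):
    """Map each scanned host to its table rows and its collapsed 'Not shown' counts."""
    results = {}
    current = None
    for line in text.splitlines():
        m = REPORT_LINE.match(line)
        if m:
            current = m.group(2) or m.group(1)   # prefer the IP over the hostname
            results[current] = {"ports": [], "not_shown": {}}
            continue
        if current is None:
            continue                              # banner lines before the first host
        if line.startswith("Not shown:"):
            for count, state in NOT_SHOWN_ITEM.findall(line):
                results[current]["not_shown"][state] = int(count)
            continue
        m = PORT_LINE.match(line)
        if m:
            port, proto, state, service, version = m.groups()
            results[current]["ports"].append(
                PortResult(int(port), proto, state, service, (version or "").strip()))
    return results


def open_ports(results, host):
    """The rows a practitioner actually cares about: state exactly 'open'."""
    return [p for p in results[host]["ports"] if p.state == "open"]


if __name__ == "__main__":
    parsed = parse_nmap_output(SAMPLE_OUTPUT)
    for host, data in parsed.items():
        print(host, "not shown:", data["not_shown"])
        for p in open_ports(parsed, host):
            print(f"  {p.port}/{p.proto} {p.service} {p.version}".rstrip())
```

For automation you would normally ask nmap for machine-readable output (-oG or -oX) instead of scraping the human-readable table, but the parser above is handy when all you have is a pasted scan.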

As I mentioned earlier, nmap has a lot of options, so let’s have a look at them.

Options for nmap scan

To list the most common options, simply type nmap into your terminal with no arguments and hit enter; it prints a usage summary.

As you can see, there are a lot of options.

One of the most used nmap options is service identification (version detection), which you enable by adding -sV to the command:

nmap -sV -p1-65535 -v [IP-address]

This command runs a version-detection scan against [IP-address] on top of either a CONNECT or a SYN port scan. The choice between CONNECT and SYN depends on your privileges: with root privileges nmap runs a SYN scan, and a CONNECT scan otherwise.
If you're running Linux, simply put sudo in front of the command to run it as root:

sudo nmap -sV -p1-65535 -v [IP-address]

The -p option sets the port range; -p1-65535 covers every TCP port (the shorthand -p- means the same thing). Expect this to take a good deal longer than the default scan, which only probes the 1,000 most common ports.

The trailing -v option stands for verbose, so nmap prints progress and each finding to the console while the scan runs, instead of only the summary at the end.

After the scan has finished, nmap lists the open ports on the target together with the service and version it identified on each.
Note that service identification is signature based: nmap sends probes to each open port and matches the responses against its database of known service banners (the nmap-service-probes file). A match is a strong indication, not proof, that the named service is running there. Anything that replies with a familiar banner will be labelled as that service, and when nothing matches, nmap prints the port's default service name with a trailing ? instead.
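To make the "signature based" point concrete, here is an added example of my own (not code from this tutorial or from nmap) showing the mechanism behind -sV in miniature: connect to the port, read the banner the service volunteers, and match it against a small table of regular-expression signatures in the spirit of nmap's nmap-service-probes file. The three signatures and the local fake server are constructed for the demo. The fake server is also the caveat in action: a listener that merely echoes an OpenSSH banner gets reported as OpenSSH.

```python
import re
import socket
import threading

# A deliberately tiny signature table (constructed for this example). The real
# nmap-service-probes file holds thousands of such patterns, each tied to a probe.
SIGNATURES = [
    # (service name, pattern over the banner bytes, version template using the groups)
    ("ssh",  re.compile(rb"^SSH-(\d\.\d)-OpenSSH_(\S+)"),    "OpenSSH {1} (protocol {0})"),
    ("ftp",  re.compile(rb"^220[ -].*\(vsFTPd (\d[\w.]*)\)"), "vsftpd {0}"),
    ("smtp", re.compile(rb"^220[ -]\S+ ESMTP Postfix"),       "Postfix smtpd"),
]


def grab_banner(host, port, timeout=2.0, nbytes=256):
    """Complete the handshake with connect() and read what the service says first.

    SSH, FTP and SMTP announce themselves immediately; others such as HTTP wait
    for the client, which is why nmap follows up with protocol-specific probes.
    """
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            return s.recv(nbytes)
        except socket.timeout:
            return b""          # silent service: a banner grab alone cannot identify it


def identify_service(banner):
    """Return (service, version) for the first matching signature, or (None, '')."""
    for name, pattern, template in SIGNATURES:
        m = pattern.match(banner)
        if m:
            groups = [g.decode("ascii", "replace") for g in m.groups()]
            return name, template.format(*groups)
    return None, ""             # nmap would print the port's default name with a trailing ?


def fake_server(banner):
    """Local listener that sends `banner` to the first client and exits; returns its port.

    Constructed for the demo. It is not OpenSSH, vsftpd or Postfix, yet it will be
    identified as whichever one its banner imitates: -sV output is evidence, not proof.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        conn.sendall(banner)
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def fingerprint(host, port):
    """Banner grab plus signature match: the core of what -sV does per open port."""
    return identify_service(grab_banner(host, port))


if __name__ == "__main__":
    for banner in (b"SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13\r\n",
                   b"220 (vsFTPd 3.0.5)\r\n",
                   b""):                      # a service that says nothing first
        port = fake_server(banner)
        print(port, fingerprint("127.0.0.1", port))
```

Real nmap goes further than this: it sends a series of probes (a TLS ClientHello, an HTTP GET, and so on) rather than only listening, and it consults the port number to order the probes. The principle is the same, and so is the caveat.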

Difference between CONNECT and SYN scan

As mentioned, the default TCP scan type for nmap is either CONNECT (-sT) or SYN (-sS). But what is the difference?

Before we can understand the difference between those two scans, we need to understand the TCP three-way handshake.

When two parties establish a TCP connection, they first have to set it up.
The connection is set up by performing a handshake consisting of three steps: SYN, SYN-ACK and finally ACK.

To understand the TCP handshake, let's walk through a basic example: connecting to a web server.

  • Step 1, SYN: The client sends a TCP SYN segment to the server. In our example, this happens when you navigate to a web site: your browser sends a SYN to the web server (ignoring the DNS lookup and so on).
  • Step 2, SYN-ACK: The server responds to the client with a SYN-ACK segment. In the web server example, the web server sends a SYN-ACK back to your machine.
  • Step 3, ACK: The client responds to the SYN-ACK with an ACK, which completes the handshake. In other words, your browser returns an ACK to the web server, and the connection is now established.

(Figure: the TCP three-way handshake, SYN, SYN-ACK, ACK)

The nmap CONNECT and SYN scans are now starting to make a little more sense.

The SYN scan sends the first SYN and, when the SYN-ACK comes back, never completes the handshake with the final ACK; instead a RST is sent to tear the half-built connection down. In other words, the scan requests a connection with the first SYN but never establishes it, which is why the SYN scan is also referred to as half-open scanning. Nmap crafts that SYN itself with a raw socket, which is why this scan type needs root.

The CONNECT scan, by contrast, uses the operating system's normal connect() call, so the handshake is completed, just as a web browser would complete it with a web server, and the connection is then closed. This makes the CONNECT scan a bit more resource heavy and considerably louder: a fully established connection is much more likely to show up in the target service's logs, whereas a half-open SYN usually only registers at the packet level. The CONNECT scan needs no special privileges, which is why it is the fallback when you don't run nmap as root.

Open, Closed and Filtered

Now that we know how the basic nmap scans work, let's look at how nmap actually decides whether a port is open, closed or filtered.

Open

Nmap reports a port as open when it receives a SYN-ACK from the target in reply to the SYN it sent.
If we think about it, this makes perfect sense: the target accepted our request to set up a TCP connection, so a process is listening on that port and nothing along the path stopped our probe from reaching it.

Closed

The closed state means that no service is listening on the given port. Note that closed is not the same as not responding.
A port is reported closed when the target answers the SYN with a RST: the host is reachable and is responding to nmap's probes, there is just nothing behind that port to accept the connection. That alone is useful, since it confirms the host is up and that this port is not firewalled.

Filtered

A port is reported as filtered when nmap cannot tell whether it is open or closed, because no usable answer came back: either the probe and its retransmissions went unanswered, or an ICMP unreachable error arrived instead of a TCP reply. The most common reason is a firewall or other packet filter dropping the probe before it reaches the port. Since nmap has to wait for these probes to time out, filtered ports also make a scan noticeably slower.
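The three verdicts above map directly onto what a connect() call reports, which is exactly how a CONNECT scan works. The following is an added example of my own (not the tutorial's code and not nmap) that classifies a port as open, closed or filtered from the socket outcome, using a local listener and a freshly released loopback port as constructed targets. A SYN scan cannot be written this way from unprivileged Python, because crafting the raw SYN needs root.

```python
import errno
import socket


def probe_tcp_port(host, port, timeout=1.0):
    """Classify host:port the way nmap's connect scan (-sT) would.

    open      connect() returned: the target answered our SYN with a SYN-ACK and the
              kernel finished the handshake with the final ACK.
    closed    ECONNREFUSED: the target answered the SYN with a RST, so the host is
              alive and reachable but nothing listens on that port.
    filtered  no TCP reply at all (timeout) or an ICMP unreachable error instead of
              one; something between us and the service dropped or rejected the probe.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "filtered"
    except OSError as e:
        if e.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "filtered"
        raise                      # anything else is a local problem, not a verdict
    finally:
        s.close()


def connect_scan(host, ports, timeout=1.0):
    """Probe several ports and summarise like nmap: one list per state."""
    verdicts = {"open": [], "closed": [], "filtered": []}
    for port in ports:
        verdicts[probe_tcp_port(host, port, timeout)].append(port)
    return verdicts


def open_listener():
    """Constructed target: a local socket that accepts connections (an 'open' port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)                  # the handshake completes from the backlog; no accept() needed
    return srv


def free_port():
    """Constructed target: a loopback port nothing listens on (bind, read, release)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    srv = open_listener()
    targets = [srv.getsockname()[1], free_port()]
    print("loopback:", connect_scan("127.0.0.1", targets))
    # 192.0.2.1 is reserved documentation space (TEST-NET-1); nothing answers there,
    # so the probe times out or gets an unreachable error and is reported 'filtered'.
    print("TEST-NET:", probe_tcp_port("192.0.2.1", 80, timeout=2.0))
    srv.close()
```

The timeout is the whole cost of filtered ports: an open or closed verdict arrives in one round trip, while a filtered one only exists once the timer expires, which is why a firewalled host scans so much more slowly than a host that politely answers with RSTs.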


This was a short introduction to the nmap port scanner. There's a lot more you can do with this wonderful tool, so be sure to check out the nmap website for further reference.
