Nmap Port Scan Guide: Commands, Types & Best Practices
Master Nmap port scanning with this complete guide. Learn scan types, key commands, port states, and best practices for small business network security.
This nmap port scan guide exists because most small businesses have open ports they don’t know about — and attackers do. Every device on your network communicates through ports, and any port left open without a good reason is a potential entry point for someone who shouldn’t be there.
Nmap (Network Mapper) is the industry-standard free tool security professionals use to discover exactly what’s exposed on any network. It’s been around since 1997, it’s trusted by everyone from solo IT consultants to Fortune 500 security teams, and it’s completely free to use. If you want to understand what your network actually looks like from the outside, Nmap is where you start.
This guide covers everything a small business owner or non-specialist needs to get up and running: how to install Nmap, what the scan results mean, which commands to use, and how to avoid common mistakes that could cause problems on your own network.

What Is Nmap and Why Does It Matter for Small Businesses?
Nmap is an open-source network exploration and security auditing tool. At its core, it sends packets to your network and listens to what comes back — telling you which devices are online, which ports are open, what services are running, and sometimes what operating system a device is using.
For small businesses, that information is genuinely valuable. You might think your firewall is blocking everything it should — but have you actually checked? Nmap lets you verify instead of assume.
Here’s what small businesses typically use Nmap for:
- Building a network inventory (knowing every device and service on your network)
- Testing firewall rules to confirm they’re actually working
- Closing unused ports on servers and cloud infrastructure
- Spotting unauthorized devices or services that shouldn’t be running
- Preparing for security audits or compliance reviews
Nmap runs on Windows, macOS, and Linux. It’s free to download at nmap.org, and it has a large, active community behind it. You don’t need to be a penetration tester to find it useful — basic scans are straightforward and provide immediate insight into your network’s exposure. If you’re also thinking about broader network security policies for your team, see our guide on small business network security basics.
Understanding Nmap Port States
When Nmap scans a port, it doesn’t just return “open” or “closed.” It classifies each port into one of six states. Understanding these states is the difference between acting on useful information and drawing the wrong conclusions from your scan results.
Here’s what each state means in plain language:
- Open: A service is actively accepting connections on this port. This is the primary security concern — open ports are exactly what attackers look for.
- Closed: The port is accessible but no service is listening. It responds to Nmap’s probes, so Nmap knows it’s reachable — it’s just not doing anything right now.
- Filtered: A firewall or other device is blocking Nmap’s probes, so the tool can’t determine whether the port is open or closed. This isn’t necessarily bad, but it may indicate firewall gaps worth investigating.
- Unfiltered: The port is accessible and Nmap can reach it, but it can’t determine whether the port is open or closed. This state typically appears during ACK scans.
- Open|Filtered: Nmap received no response and can’t distinguish between open and filtered. Common in UDP scans, where silence is ambiguous.
- Closed|Filtered: Similar ambiguity — Nmap can’t determine whether the port is closed or filtered. You will only see this state from the IP ID idle scan (-sI); it does not appear in ordinary SYN, connect, or UDP scans.
For most small business security checks, your focus should be on open ports. Every open port should have a legitimate reason to exist. If you can’t explain why a port is open, that’s a red flag worth following up on.
How to Install Nmap on Linux, Windows, and macOS
Getting Nmap installed is straightforward regardless of which operating system you’re using. Here’s how to do it on each platform.
Linux: Use your distribution’s package manager. On Ubuntu or Debian, run sudo apt install nmap. On Fedora, CentOS, or RHEL, use sudo dnf install nmap (sudo yum install nmap on older releases). Distribution packages can lag behind upstream, so compile from source using the files available at nmap.org if you need the latest version.
Windows: Download the self-installer from nmap.org/download.html. The installer walks you through setup in a few clicks. During installation, you’ll also have the option to install Zenmap, a graphical user interface that makes Nmap much more approachable for beginners.
macOS: If you use Homebrew, run brew install nmap in your terminal. Alternatively, download the official .dmg package from nmap.org and install it like any other Mac application.
Zenmap is worth mentioning separately because it genuinely lowers the barrier to entry. Instead of memorizing command-line flags, you can select scan types from a dropdown menu and see results displayed visually. If you’re new to Nmap, starting with Zenmap on Windows is a perfectly reasonable approach before moving to the command line.
Essential Nmap Commands You Need to Know — A Practical Nmap Port Scan Guide
The best way to learn Nmap is to run real scans. Before you scan your own network, Nmap provides a public test target at scanme.nmap.org — it’s maintained specifically for this purpose and you’re permitted to scan it.
Here are the core commands every user should know:
- Default scan: nmap <target> — Scans the top 1,000 most commonly used TCP ports. This is the right starting point for any new scan.
- Fast scan: nmap -F <target> — Limits the scan to the top 100 ports. Useful when you want quick results and don’t need comprehensive coverage.
- All ports scan: nmap -p- <target> — Scans all 65,535 TCP ports. Takes longer but leaves nothing hidden.
- Targeted ports: nmap -p 80,443,22 <target> — Scans only the ports you specify. Efficient when you know exactly what you’re checking.
- Port range: nmap -p 1-1024 <target> — Scans a defined range of ports, useful for checking well-known service ports.
- Ping scan (host discovery): nmap -sn 192.168.1.0/24 — Discovers which hosts are online on a network without probing any ports. Ideal for getting a device inventory on a large network.
A few ports are particularly important for small businesses to check. Port 3389 (Remote Desktop Protocol) exposed to the internet is a common ransomware entry point. Port 445 (SMB) has been exploited in attacks like WannaCry. Port 22 (SSH) should only be accessible to authorized users. If any of these are open when they shouldn’t be, that’s an immediate remediation priority. You can also check out our article on firewall configuration for small businesses for guidance on closing these exposures.
Nmap Scan Types Explained
Nmap doesn’t scan in just one way. Different scan types use different techniques, and choosing the right one depends on what you’re trying to learn and what permissions you have. Here’s a breakdown of the main options.
TCP SYN Scan (-sS): This is the default scan when you run Nmap with root or administrator privileges. It sends a SYN packet — the first step in a TCP handshake — but never completes the connection. This “half-open” approach is faster and stealthier than a full connection because it leaves less trace in application logs. Most security professionals use SYN scans by default.
TCP Connect Scan (-sT): When you run Nmap without root privileges, it falls back to this method. It completes the full three-way handshake, which makes it more detectable and slightly slower — but it works reliably without elevated permissions. If you’re running Nmap on Windows without administrator rights, this is what you’ll get.
UDP Scan (-sU): Many critical services run on UDP — DNS (port 53), SNMP (port 161), and DHCP (ports 67/68) among them. UDP scanning is significantly slower than TCP for two reasons: an open UDP port usually sends nothing back, so Nmap has to retransmit and wait before it can settle on open|filtered, and a closed port answers with an ICMP port unreachable message that many hosts rate-limit (the Linux kernel, for example, to about one per second). Don’t skip UDP scans — they reveal services that TCP scans miss entirely.
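To make the connect-scan mechanics concrete, here is an added example written for this page (not Nmap’s own code): a minimal TCP connect scan built on Python’s socket API, run against a throwaway listener on 127.0.0.1. The listener and the port-reservation helper are assumptions for the demo. The point it shows is that the operating system completes the handshake, so no privileges are needed, and that the service records every peer that connected, which is exactly the trace a half-open SYN scan avoids. The SYN scan itself needs raw sockets and is not reproduced here.

```python
"""Added example: what nmap -sT does, written against the plain socket API."""
import socket
import threading
import time


def tcp_connect_state(host, port, timeout=1.0):
    """Classify one TCP port the way a connect scan does.

    open     - connect() returned, i.e. the full three-way handshake completed
    closed   - the host answered the SYN with RST (connection refused)
    filtered - nothing usable came back before the timeout (probe dropped)
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except (socket.timeout, OSError):
            return "filtered"


def connect_scan(host, ports, timeout=1.0):
    """Scan several ports and return {port: state}."""
    return {port: tcp_connect_state(host, port, timeout) for port in ports}


def start_listener(host="127.0.0.1"):
    """Start a throwaway service on an ephemeral port (demo assumption) and
    record every peer it accepts. That record is the application-level trace a
    connect scan leaves behind."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    seen = []

    def serve():
        while True:
            try:
                conn, peer = srv.accept()
            except OSError:  # listener socket was closed
                return
            seen.append(peer)
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1], seen


def unused_port(host="127.0.0.1"):
    """Reserve and immediately release an ephemeral port so it is almost
    certainly closed (demo helper)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.bind((host, 0))
        return sock.getsockname()[1]


def wait_for_connections(seen, count, timeout=2.0):
    """Give the listener thread time to record accepted peers; True if it did."""
    deadline = time.monotonic() + timeout
    while len(seen) < count and time.monotonic() < deadline:
        time.sleep(0.01)
    return len(seen) >= count


if __name__ == "__main__":
    srv, open_port, seen = start_listener()
    closed_port = unused_port()
    for port, state in sorted(connect_scan("127.0.0.1", [open_port, closed_port]).items()):
        print(f"127.0.0.1:{port} {state}")
    wait_for_connections(seen, 1)
    print(f"listener logged {len(seen)} connection(s) from {seen}")
    srv.close()
```

Run it and the listener’s port comes back open, the released port comes back closed, and the listener reports one accepted connection from 127.0.0.1: that accepted connection is what shows up in service logs after a connect scan and what a SYN scan never generates.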
Beyond these three, Nmap offers several specialized scan types:
- ACK Scan (-sA): Useful for mapping firewall rules rather than finding open ports. It tells you which ports are filtered versus unfiltered.
- Null, FIN, and Xmas Scans (-sN, -sF, -sX): These send TCP packets with unusual flag combinations and rely on RFC 793 behavior: a closed port should answer with RST while an open port silently drops the packet. Because none of them carries a SYN, they can slip past stateless packet filters that only watch for connection attempts, which makes them useful for evasion in certain environments. Windows and many Cisco devices send RST regardless of port state, so results against those systems are unreliable.
- SCTP INIT Scan (-sY): Targets SCTP, a protocol used in telecom and VoIP environments. Relevant if your business relies on those technologies.
Advanced Nmap Options: Timing, Evasion, and NSE Scripts
Once you’re comfortable with basic scans, a few advanced options dramatically expand what you can do with Nmap.
Timing Templates: Nmap’s -T flag controls scan speed, from -T0 (paranoid, extremely slow) to -T5 (insane, very aggressive). For most small business scans on your own network, -T4 is a good balance of speed and reliability. Avoid -T5 on production networks — it can overwhelm devices and cause connectivity issues. Use -T1 or -T2 if you want a quieter scan that’s less likely to trigger intrusion detection systems.
OS and Service Detection: Adding -A to any scan enables a powerful combination: OS detection, service version scanning, script scanning, and traceroute. The command nmap -A <target> gives you a much richer picture of what’s running and how it’s configured. It takes longer, but the extra detail is worth it when you’re doing a thorough audit.
Nmap Scripting Engine (NSE): This is where Nmap becomes genuinely powerful for vulnerability detection. The command nmap --script vuln <target> runs the scripts in the vuln category, which check for known vulnerabilities, misconfigurations, and security weaknesses. Nmap ships with over 600 scripts covering everything from detecting outdated software to identifying default credentials. Some of these scripts are also tagged intrusive and can disrupt fragile services, so run them against production systems in a maintenance window. The NSE documentation at nmap.org catalogs every available script and its categories.
Evasion Techniques: If you’re testing whether your own security tools detect scans, Nmap supports several evasion options. Decoys (-D) mix your real scan with fake source addresses. Fragmentation (-f) breaks packets into smaller pieces that some older firewalls struggle to reassemble. These techniques are useful for legitimate internal testing — not for scanning systems you don’t own.
Saving Output: Always save your scan results. Use -oX results.xml for machine-readable XML output or -oN results.txt for a plain text file you can read later; -oA basename writes normal, XML, and grepable files in one go. Documented scans are valuable for compliance records and for tracking how your network’s exposure changes over time: keep the XML from each audit so you can compare runs rather than rely on memory.
How to Run Your First Nmap Scan Step by Step
If you’ve never run Nmap before, follow these steps to get your first scan done safely and correctly.
- Install Nmap and verify the installation. After installing, open a terminal or command prompt and run nmap --version. You should see the version number and build information. If you get an error, the installation didn’t complete correctly.
- Start with the safe test target. Run nmap scanme.nmap.org. This scans a host the Nmap project maintains specifically for testing. You’ll see real results without touching your own infrastructure or anyone else’s.
- Scan your own network. Once you’re comfortable reading the output, run a default scan against your own IP address or local network range (e.g., nmap 192.168.1.1). Then escalate: add -A for deeper details, or -p- to scan every port.
- Save your results. Add -oN results.txt to any scan to save the output: nmap -A 192.168.1.1 -oN results.txt. Review the file afterward and document anything unexpected.
Review the results methodically. For each open port, ask: Does this service need to be running? Does it need to be accessible from outside the network? If the answer to either question is no, that port is a remediation candidate.
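The “save your results” step, the two review questions above, and the earlier point about tracking how exposure changes over time can be automated from XML output. The script below is an added example, not code from this page or from the Nmap project: it parses -oX reports with Python’s standard library, flags open ports that lack a documented reason (treating the RDP, SMB, and SSH ports this guide singles out as high risk), and diffs two scans to show what newly opened. The two sample reports and the allowlist are constructed for the demo; run_scan() assumes nmap is on PATH and is the only part that needs the tool installed.

```python
"""Added example: parse, review, and diff Nmap XML (-oX) output."""
import subprocess
import xml.etree.ElementTree as ET

# Ports this guide flags as immediate remediation priorities when exposed.
HIGH_RISK_PORTS = {22: "SSH", 445: "SMB", 3389: "RDP"}


def run_scan(target, extra_args=()):
    """Run nmap (must be on PATH) and return the XML report; -oX - writes it to stdout."""
    cmd = ["nmap", "-oX", "-", *extra_args, target]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


def parse_nmap_xml(xml_text):
    """Return {address: {(proto, port): (state, service_name)}} for every scanned host."""
    hosts = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            addr = host.find("address")
        if addr is None:
            continue
        ports = {}
        for port in host.iter("port"):
            key = (port.get("protocol"), int(port.get("portid")))
            state = port.find("state").get("state")
            svc = port.find("service")  # absent when nmap could not name the service
            ports[key] = (state, svc.get("name", "unknown") if svc is not None else "unknown")
        hosts[addr.get("addr")] = ports
    return hosts


def open_ports(hosts):
    """Flatten a parsed scan to the set of (address, proto, port) reported open."""
    return {(addr, proto, port)
            for addr, ports in hosts.items()
            for (proto, port), (state, _) in ports.items()
            if state == "open"}


def review(hosts, allowlist):
    """Apply the guide's review questions to every open port.

    allowlist maps address -> set of ports with a documented business reason.
    Returns (address, port, severity, note) tuples, high-risk exposures first.
    """
    findings = []
    for addr, proto, port in open_ports(hosts):
        service = hosts[addr][(proto, port)][1]
        if port in allowlist.get(addr, set()):
            continue  # explained and approved; nothing to do
        if port in HIGH_RISK_PORTS:
            findings.append((addr, port, "HIGH",
                             f"{HIGH_RISK_PORTS[port]} ({service}) exposed without approval"))
        else:
            findings.append((addr, port, "REVIEW", f"{service} open with no documented reason"))
    findings.sort(key=lambda f: (f[2] != "HIGH", f[0], f[1]))
    return findings


def diff_scans(old_hosts, new_hosts):
    """Compare two parsed scans: (ports newly open, ports no longer open)."""
    before, after = open_ports(old_hosts), open_ports(new_hosts)
    return sorted(after - before), sorted(before - after)


# Constructed sample reports (demo data, trimmed to the elements the parser reads),
# standing in for two -oX scans of the same host taken a week apart.
SCAN_WEEK1 = """<?xml version="1.0"?>
<nmaprun scanner="nmap"><host><status state="up" reason="arp-response"/>
<address addr="192.168.1.10" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh"/></port>
<port protocol="tcp" portid="443"><state state="open" reason="syn-ack"/><service name="https"/></port>
<port protocol="tcp" portid="3389"><state state="filtered" reason="no-response"/></port>
</ports></host></nmaprun>"""

SCAN_WEEK2 = """<?xml version="1.0"?>
<nmaprun scanner="nmap"><host><status state="up" reason="arp-response"/>
<address addr="192.168.1.10" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh"/></port>
<port protocol="tcp" portid="443"><state state="open" reason="syn-ack"/><service name="https"/></port>
<port protocol="tcp" portid="445"><state state="open" reason="syn-ack"/><service name="microsoft-ds"/></port>
<port protocol="tcp" portid="3389"><state state="open" reason="syn-ack"/><service name="ms-wbt-server"/></port>
</ports></host></nmaprun>"""

if __name__ == "__main__":
    week1, week2 = parse_nmap_xml(SCAN_WEEK1), parse_nmap_xml(SCAN_WEEK2)
    newly_open, closed_since = diff_scans(week1, week2)
    print("newly open:", newly_open, "| no longer open:", closed_since)
    for addr, port, severity, note in review(week2, {"192.168.1.10": {22, 443}}):
        print(f"[{severity}] {addr}:{port} {note}")
```

On the sample data the diff reports 445 and 3389 as newly open, and the review (with 22 and 443 approved) produces two HIGH findings for SMB and RDP. For a real audit, replace the constants with parse_nmap_xml(run_scan("192.168.1.1", ["-A"])) or with the contents of a saved results.xml, and keep the allowlist under version control so the “why is this open” answer is recorded next to the scan.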
Common Nmap Mistakes to Avoid
Even experienced users make errors with Nmap. These are the ones that matter most for small business owners.
Scanning networks you don’t own without permission. This is the most serious mistake you can make. Unauthorized port scanning may violate computer fraud laws — including the U.S. Computer Fraud and Abuse Act — regardless of your intentions. Always get written authorization before scanning any infrastructure you don’t personally own or manage. When in doubt, don’t scan it.
Skipping UDP scans. Most people run a TCP scan and call it done. But services like DNS, SNMP, and DHCP run on UDP, and they’re commonly overlooked — which is exactly why attackers target them. A thorough nmap port scan guide will always tell you: run UDP scans too, even though they’re slower.
Using aggressive timing on production networks. Running -T5 or even -T4 on a busy production network can generate enough traffic to slow down services or trigger alerts. Stick to -T3 (the default) or lower when scanning live business systems during business hours.
Ignoring filtered ports. A filtered result means a firewall is blocking the probe — but that doesn’t always mean everything is fine. Filtered ports can indicate misconfigured firewall rules or that a service is being protected but still running. Follow up with ACK scans or manual verification to understand what’s actually behind those filtered ports.
Never updating Nmap. New scripts, better OS fingerprinting, and updated service signatures are added regularly. Running an outdated version means missing recent vulnerability checks and detection improvements. Update through your package manager or nmap.org whenever a new version is released.
Key Takeaways
- Nmap is a free, industry-standard tool for discovering open ports, running services, and potential vulnerabilities on your network.
- Port states — especially open and filtered — tell you different things, and each one requires a different response.
- The default nmap <target> command scans the top 1,000 TCP ports and is the right starting point for any audit.
- TCP SYN scans are stealthier and faster; TCP connect scans work without root access; UDP scans reveal services that TCP scans miss.
- Add -A for OS and service detection, --script vuln for vulnerability checks, and -T4 for faster scans on reliable networks.
- Always save scan output with -oN or -oX to document your network’s security posture over time.
- Never scan networks you don’t own — unauthorized scanning can violate computer fraud laws in many countries.
- Practice first on scanme.nmap.org, a safe public test target maintained by the Nmap project.
Is Nmap legal to use?
Nmap is legal when used on networks and systems you own or have explicit written permission to scan. Scanning networks without authorization may violate computer fraud laws in many countries, including the U.S. Computer Fraud and Abuse Act. Always obtain permission before scanning any third-party infrastructure, even for security testing purposes.
What is the difference between a TCP SYN scan and a TCP connect scan?
A TCP SYN scan (-sS) sends a SYN packet and stops before completing the three-way handshake, making it faster and stealthier. It requires root privileges. A TCP connect scan (-sT) completes the full handshake, making it more detectable but usable without root access. SYN scans are preferred when stealth and speed matter.
How do I scan all ports with Nmap?
Use the