Nmap
The industry-standard network mapper for host discovery, port scanning, OS detection, and security auditing across networks of any scale.
Developer: Gordon Lyon (Fyodor) & Community
Technical Dossier
Nmap (Network Mapper) is the world’s most widely used network reconnaissance and security auditing tool. It operates by crafting and transmitting raw IP packets to target hosts and analyzing the responses, supporting over a dozen scan techniques. TCP SYN stealth scanning sends a SYN packet and interprets the response without completing a full TCP handshake, allowing fast, less-logged enumeration. UDP, FIN, Xmas, NULL, and ACK scans provide additional options for evading firewall rules or probing stateless services. Nmap classifies each port as open, closed, filtered, or unfiltered, and can sweep entire subnets in seconds on a LAN.
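How the half-open pattern described above looks from a defender's sensor, as an added example that is not part of the original page or of the Nmap project: it classifies each observed handshake attempt and flags clients that probe several ports without completing any handshake. The record format, the addresses and the `min_ports` threshold are constructed assumptions.

```python
from collections import defaultdict

# Constructed sensor records (not real traffic): time, direction
# (c = client->server, s = server->client), client, server, port, TCP flags.
SAMPLE_LOG = """\
1.000 c 10.0.0.5 10.0.0.20 22 S
1.001 s 10.0.0.5 10.0.0.20 22 SA
1.002 c 10.0.0.5 10.0.0.20 22 R
1.010 c 10.0.0.5 10.0.0.20 23 S
1.011 s 10.0.0.5 10.0.0.20 23 RA
1.020 c 10.0.0.5 10.0.0.20 80 S
1.021 s 10.0.0.5 10.0.0.20 80 SA
1.022 c 10.0.0.5 10.0.0.20 80 R
1.030 c 10.0.0.5 10.0.0.20 445 S
2.000 c 10.0.0.9 10.0.0.20 80 S
2.001 s 10.0.0.9 10.0.0.20 80 SA
2.002 c 10.0.0.9 10.0.0.20 80 A
"""

def classify_flows(log_text):
    """Map (client, server, port) -> outcome of the handshake attempt."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, direction, client, server, port, flags = line.split()
        seen[(client, server, int(port))].add((direction, flags))
    outcomes = {}
    for flow, pkts in seen.items():
        if ("c", "S") not in pkts:
            continue  # no initial SYN observed, so not a new attempt
        if ("s", "SA") in pkts and ("c", "A") in pkts:
            outcomes[flow] = "completed"   # full three-way handshake
        elif ("s", "SA") in pkts:
            outcomes[flow] = "half-open"   # port open, handshake abandoned
        elif ("s", "RA") in pkts or ("s", "R") in pkts:
            outcomes[flow] = "refused"     # port closed
        else:
            outcomes[flow] = "unanswered"  # no reply, e.g. dropped by a firewall
    return outcomes

def suspected_scanners(outcomes, min_ports=3):
    """Clients that probed >= min_ports ports and completed no handshake."""
    probed, completed = defaultdict(set), defaultdict(int)
    for (client, server, port), outcome in outcomes.items():
        probed[client].add((server, port))
        completed[client] += outcome == "completed"
    return sorted(c for c in probed
                  if len(probed[c]) >= min_ports and completed[c] == 0)
```

The half-open, refused and unanswered outcomes are the sensor-side counterparts of the open, closed and filtered states the scanner reports.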
Beyond port discovery, Nmap performs OS detection by analyzing quirks in a target’s TCP/IP stack implementation — examining initial TTL, window size, TCP options ordering, and ICMP response behavior against a database of thousands of OS fingerprints. Service version detection probes open ports with protocol-specific payloads to identify exact application names and version strings. The Nmap Scripting Engine (NSE) extends this dramatically: written in Lua, it includes over 600 built-in scripts categorized as discovery, auth, brute, vuln, exploit, and more, enabling operators to automate CVE checks, enumerate SMB shares, test SSL configurations, and detect malware backdoors in a single scan pass.
First published in a 1997 Phrack Magazine article, Nmap has been continuously developed for nearly three decades and is used by penetration testers, system administrators, and defenders worldwide. It ships with Zenmap (a cross-platform GUI), Ncat (a modern netcat replacement), Ndiff (scan comparison tool), and Nping (packet generation tool), making it a comprehensive network analysis suite rather than a single utility.
Port Scanning & State Detection
Identifies open, closed, and filtered TCP/UDP ports using SYN stealth, connect, ACK, UDP, and other scan types across single hosts or entire CIDR ranges.
OS & Service Fingerprinting
Detects remote operating systems via TCP/IP stack analysis and identifies exact service versions with protocol-specific probes.
Nmap Scripting Engine
Embedded Lua scripting engine with 600+ community scripts for vulnerability checks, brute-force testing, backdoor detection, and custom protocol interactions.
Network Topology Mapping
Host discovery via ping sweeps, ARP, and DNS combined with traceroute to build complete network maps for asset management and audits.
Distribution Model
Open Source
Free community edition available.
Enterprise support on request.

Scan Techniques: 12+ types
NSE Scripts: 600+
OS Fingerprints: Thousands
License: NPSL