How to Use Nmap to Find Network Blind Spots and Vulnerabilities

Your network is constantly evolving. New devices connect, services spin up, ports open, and vulnerabilities emerge often without IT’s knowledge. Network vulnerabilities like this are what allowed the WannaCry ransomware attack to spread to over 200,000 computers in over 150 countries. It even hit multi-million-dollar companies like FedEx and critical essential services like the UK’s National Health Service (NHS).

The question isn’t whether your network has blind spots, but how many you can find and which ones you can afford to leave unaddressed.

Network discovery tools like Nmap help IT teams answer critical questions: What’s actually running on our network? Which services are exposed? Are there unauthorized devices? What vulnerabilities exist in our infrastructure?

Here’s everything you need to know about getting started with Nmap and running your first comprehensive scans.

» Operate your network on Wifi? Here are the best Wifi 6E routers

What is Nmap?

Nmap (Network Mapper) is an open-source network scanning tool that works across Windows, Linux, and macOS environments. Originally developed for security auditing and network discovery, it’s become the industry standard for IT teams who need reliable, flexible visibility into their infrastructure.

Whether you’re running scans from a Windows workstation, a Linux server, or a Mac laptop, Nmap provides consistent functionality with platform-specific considerations you’ll need to understand.

Nmap can discover and probe multiple network elements that directly map to core business security needs. It can do the following:

• Identify live hosts by IP and MAC address
• Scan both TCP and UDP ports to find what’s open
• Detect running services and their specific versions
• Fingerprint operating systems to understand your infrastructure composition

Beyond basic network discovery, Nmap’s NSE (Nmap Scripting Engine) extends detection to protocols like SNMP, SMB, and HTTP, can identify common vulnerabilities, and even probe firewall and intrusion detection system behavior.

» Not sure? Here’s why you need network monitoring software

What to know and do before using Nmap

While Nmap is powerful, you should anticipate several scanning limitations that affect result quality.

It’s becoming increasingly difficult to maintain visibility over network infrastructure because of multi-cloud architectures and remote work, according to NetWitness. Additionally, a survey of 2,700 IT managers found that 45% of organizations cannot identify nearly half of their network traffic.

This means:

• Encrypted services like HTTPS or SSH restrict visibility into payload content, making it difficult to identify vulnerabilities beyond detecting the open port or protocol
• Evasive firewalls and intrusion detection or prevention systems may block, throttle, or misinterpret scan traffic, leading to incomplete or misleading results
• Rate limiting, packet filtering, and deep packet inspection can further distort findings
• Large networks or cloud-based assets often generate false positives or timeouts due to latency and load balancing

To mitigate these issues, businesses should combine Nmap with authenticated vulnerability scanners for deeper analysis, schedule scans during maintenance windows to reduce interference, and maintain accurate whitelisting and asset inventories to improve result reliability.

The challenge isn’t just running scans. It’s running them in a way that provides accurate, actionable intelligence without disrupting operations or triggering false alarms. That requires preparation, the right approach, and understanding how to work within your specific network environment.

» Don’t miss our overview on how IT asset discovery helps IT departments

How environment affects your scanning approach

Different network environments require different Nmap planning and configuration strategies. A one-size-fits-all approach won’t work across cloud, on-premises, and hybrid infrastructures.

Here are the differences:

• On-premises networks: These offer the most control. You typically have direct access to network segments, can coordinate with firewall administrators, and have fewer restrictions on scan timing and intensity. However, you’ll still need to navigate internal security controls and avoid disrupting production systems.
• Cloud environments: These introduce new complexities. Cloud providers often implement rate limiting, security groups, and network ACLs that can block or throttle scan traffic. You may need to coordinate with cloud security teams, ensure your scanner IPs are whitelisted, and understand that cloud-based assets might behave differently due to load balancing and dynamic IP allocation. Some cloud providers explicitly prohibit certain types of scanning without prior notification.
• Hybrid environments: These combine the challenges of both. You’ll need separate scanning strategies for on-premises infrastructure versus cloud workloads, and you must account for connectivity between environments. VPN tunnels, cross-cloud networking, and multi-region deployments all affect how scans should be configured and interpreted.

In all environments, start conservatively with less aggressive scan timing, validate results against known assets, and gradually increase scan coverage as you understand how your specific infrastructure responds.

» Here are some ways cloud innovation enhances IT management

Essential preparations before scanning

Before running any Nmap scan, you should take several critical preparatory steps to ensure effective and compliant scanning. Skipping these steps can lead to legal issues, blocked scans, or unintentional service disruptions.

Here’s what to keep in mind:

• Authorization comes first: You must obtain explicit authorization from management or network owners before scanning. Unauthorized scanning can violate internal policies or even legal regulations like the Computer Fraud and Abuse Act.
• Verify permissions and access: Confirm you have administrative permissions and the necessary network access rights to avoid blocked probes or false negatives. Review change control procedures and inform stakeholders to prevent confusion or accidental service disruptions during scan windows.
• Update network documentation: Network topology maps, IP whitelists, and firewall configurations should be updated to allow scan traffic. Without this preparation, your scans may be blocked by the very security controls you’re trying to audit.

How to perform specific scans through Nmap

Setting up Nmap is pretty easy regardless of which platform you’re on. Head to the Nmap website to download Nmap for Windows, Linux, and even macOS. The website will have the latest installation instructions for each OS.

Note: After installing Nmap and trying to open it, it might launch a GUI tool called Zenmap, which looks like this:

While this tool is perfectly fine and a great starting point for beginners, it’s not as flexible as the command-line utility that Nmap was designed for, which is more scriptable and automable. This guide will be looking at the command-line utility specifically.

If you want to verify that Nmap was installed properly, open an elevated version of Command Prompt, PowerShell, Terminal, then type this command: <nmap –version>

If you see a version number, then you’re good to go. After that, here are the specific scans you can run and the commands for executing them.

Basic host discovery: Finding what’s on your network

Host discovery (often called a “ping scan”) is the foundation of network visibility. It identifies which IP addresses have live hosts responding, giving you a map of active devices before diving into deeper analysis.

Nmap’s basic host discovery uses the <-sn> flag to detect live hosts without performing a full port scan. The command is simple: <nmap -sn 192.168.1.0/24> scans an entire subnet to see what’s active.

On Windows, you’ll need to run Nmap from an Administrator PowerShell or Command Prompt window. Windows requires Npcap (the modern WinPcap-compatible driver) to be installed because Windows networking limits raw packet sending by default. Without administrator rights and Npcap, Nmap cannot send the necessary probe packets. Don’t worry, the modern installation of Nmap should install Npcap by default.

On Linux and macOS, the same scan requires sudo privileges: <sudo nmap -sn 192.168.1.0/24>. macOS may prompt you for additional permissions, which you’ll need to agree to.

Note: In this example, we scanned the 192.168.0.0/24 subnet, which is one of the most common home and small business network ranges. The /24 notation means Nmap will scan 256 IP addresses (192.168.0.0 through 192.168.0.255).

Your network might use a different range. To find yours, run ipconfig (Windows) or ifconfig (Linux/macOS) and look for your ‘Default Gateway’ address. If your gateway is 192.168.1.1, scan 192.168.1.0/24. If it’s 10.0.0.1, scan 10.0.0.0/24.

TCP SYN scans: Identifying open ports quickly

A TCP SYN scan (-sS) is one of Nmap’s most popular techniques for identifying open ports. It sends SYN packets to target ports and analyzes the responses without completing the full TCP three-way handshake, making it faster and less detectable than a full connect scan.

On Windows, from an Administrator-level shell, run: <nmap -sS -p 1-65535 {target}>. Npcap enables the raw packet sending that Windows otherwise blocks. Without it, SYN scans simply won’t work. Don’t forget to replace {target} with the actual IP address you’re targeting!

Note: You might get an error message that reads “Host seems down. If it is really up, but blocking our ping probes, try -Pn”. Here’s what that looks like on Windows with the initial command and error adjustment. These scans normally take a long time, so we shortened the port range to 1-1000 for testing purposes.

On Linux, use sudo or root access: <sudo nmap -sS -p 1-65535 {target}>. Raw sockets are available via libpcap with the appropriate permissions.

On macOS, run: <sudo nmap -sS -p 1-65535 {target}>. You may also need to adjust the pf (packet filter) firewall settings if scans appear blocked.

In all environments, expect intrusion detection and prevention systems to flag SYN scans as potentially malicious reconnaissance. This is normal, just ensure proper authorization and communication with your stakeholders, security team, and employees.

UDP scans: Finding services that TCP misses

While TCP scans identify the majority of network services, many critical services run on UDP, including DNS (port 53), NTP (port 123), SNMP (port 161), and DHCP. UDP scanning is essential for complete network visibility, but it comes with unique challenges.

On Windows, from an Administrator-level shell, run: <nmap -sU -p 53,123 {target}>. UDP scans are inherently slow because many UDP services don’t respond to probes, and results often show open|filtered status, meaning Nmap can’t definitively determine if the port is open or simply filtered by a firewall. The same ping error and -Pn solution applies here.

On Linux and macOS, use sudo privileges: <sudo nmap -sU -p 53,123 {target}>. Both platforms use libpcap for raw socket access with elevated permissions.

Linux typically handles high-rate UDP probing more effectively due to fewer OS-level restrictions on raw packet sending. macOS may require explicit network permission dialogs and can have stricter pf firewall defaults that interfere with scan traffic.

You can improve UDP scan accuracy while compensating for limitations with the following changes:

Adding timing options

Adding a <-T> parameter with a value of 1 to 5 changes how long the scan takes and how IDS responds. Typically:

• -T0 = Paranoid (extremely slow, evades IDS)
• -T1 = Sneaky (very slow)
• -T2 = Polite (slow, less bandwidth)
• -T3 = Normal (default)
• -T4 = Aggressive (faster, recommended for reliable networks)
• -T5 = Insane (very fast, may miss results)

Adding <–max-retries X> tells the scan how many times it can retry. The default is 10, while a lower number is faster but less thorough, and a high number is slower but more accurate.

Adding <–host-timeout Xm> tells the scan how many minutes it has to try before giving up.

Combining UDP with TCP scans and version detection

You can also perform both scans simultaneously with the <-sS> and <-sU> parameters in the same command.

Or you can get more info about services and help confirm what’s actually running by adding <-sV> to the command to probe open ports. This helps identify the software, version numbers, and sometimes additional details like operating system information.

Here’s an example command: <nmap -sU -sV -T4 –max-retries 3 -p 53,123,161 192.168.0.1>

What this does:

• -sU = UDP scan
• -sV = Version detection (reduces false positives)
• -T4 = Aggressive timing (faster)
• –max-retries 3 = Try up to 3 times per port
• -p 53,123,161 = Scan DNS, NTP, and SNMP ports

Here are some extra flags you can add include:

• Version detection intensity: <–version-intensity (0-9)> controls how aggressively Nmap probes services. Lower intensity is faster but less accurate.
• Version all: The <–version-all> flag tries every single probe, maximizing accuracy at the cost of scan time.
• NSE scripts: For richer results, combine version detection with <–script=banner> for simple banner grabbing or <-sV –script=vuln> to check for known vulnerabilities in detected versions.

OS fingerprinting: Understanding your infrastructure

Operating system fingerprinting helps IT teams understand the composition of their infrastructure, such as which devices are running Windows, Linux, macOS, or specialized embedded systems.

Nmap’s OS detection uses the <-O> flag to analyze subtle differences in how operating systems respond to network probes. It examines TCP/IP stack behavior, packet timing, and other characteristics to infer the target’s OS type and version.

On Windows, from an Administrator shell, run: <nmap -O {target}>. Results typically include the OS family (Windows, Linux, etc.), device type, and a confidence level for the match. If the scan doesn’t work, you may have to add extra parameters like a port scan <-sS>, which is more reliable but will likely take much longer.

If it still doesn’t work, add <–osscan-guess> to the command to force the shell to make its best guess.

On Linux and macOS, OS detection requires sudo privileges: <sudo nmap -O {target}>. Both platforms use libpcap to send raw packets natively.

Remember that confidence levels matter. Nmap reports OS fingerprinting confidence as a percentage. High confidence (90%+) is reliable for decision-making. Lower confidence suggests the target may be using uncommon configurations, aggressive firewalling, or OS fingerprinting evasion techniques.

Automating scans for recurring assessments

Manual scanning works for one-off assessments, but continuous network visibility requires automation. By scripting Nmap scans and scheduling them to run regularly, you can track changes over time, detect new devices, and maintain an up-to-date view of your infrastructure.

Step 1. Create your scan script

On Windows, you’ll need to create a document in Notepad (or similar text software; NOT Word), create your PowerShell script with all the parameters for the specific scan you want to automate, and save it somewhere where all devices on the network can access.

You should save it as “network-scan.ps1”. Note: the specific name isn’t that important, but “.ps1” is crucial because that tells the computer it’s a PowerShell script!

Here’s an example of what that might look like:

On Linux/macOS, you’ll need to create a Bash file called “network-scan.sh”. Again, the “.sh” is important.

» Did you know you can paste in PowerShell?

Step 2. Schedule the scan

On Windows, this can be done with the built-in tool called Task Scheduler. Follow these steps:

1. Open Task Scheduler

2. Click “Create Task”

3. Set the trigger (e.g., daily at 2 AM)

4. Set the action to run the desired PowerShell script

5. Lastly, make sure it’s set to run with the highest privileges

On Linux and macOS, you’ll have to use crontab:

1. Open the crontab editor by opening Terminal and typing <crontab -e>
2. Add this line: 0 2 * * * /usr/local/bin/network-scan.sh
3. Save and exit

This will set the scan to run every day at 2 AM. The “*” in that line tell the script to run every day and every month, but you can adjust it to run on specific times in the following ways:

• 1st star: Day of month (1-31)
• 2nd star: Month (1-12)
• 3rd star: Day of week (0-7)

Take Nmap scanning to the next level

Mastering Nmap gives you powerful network visibility, but scaling that capability across multiple networks requires significant automation overhead. Writing PowerShell or Bash scripts, configuring Task Scheduler or crontab, parsing XML outputs, and tracking changes over time means maintaining complex infrastructure just to keep scans running consistently.

Atera’s Network Discovery add-on eliminates the manual complexity. Instead of managing scheduled tasks and custom scripts across individual systems, Network Discovery runs continuously from Atera’s centralized platform. Unauthorized devices trigger automatic alerts, results integrate directly with Atera’s RMM and ticketing systems, and you can take immediate action without switching between tools. You can even deploy PowerShell scripts remotely across the network, which means running Nmap scans across endpoints without having to physically touch them. But for most networks, Network Discovery’s built-in capabilities eliminate the need for manual script deployment entirely.

For MSPs managing multiple client networks, this means unified visibility and control without maintaining separate automation infrastructure for each environment. The result is continuous, autonomous network discovery with the power of Nmap but without the operational overhead.

» Take control of your network with a free trial of Atera