Recon Beginner CEH · OSCP · PNPT · eJPT 🔴 Live Scanner

Nmap Network Mapper

The world's most powerful open-source network scanner. Discover hosts, open ports, running services, OS versions, and vulnerabilities. Every penetration test starts with Nmap. Includes a live online port scanner — scan any domain or IP instantly.

Lab Details
Tool: Nmap 7.94+
Difficulty: Beginner
Duration: ~45 Minutes
OS: Linux / Windows / Mac
Category: Reconnaissance
Points: 100 pts
Certs: CEH · OSCP · PNPT
Live Scanner: Included
Cost: FREE
What is Nmap?
Tool overview & real-world usage

Nmap (Network Mapper) is a free, open-source tool for network discovery and security auditing. Created by Gordon Lyon in 1997, it has become the de facto standard for network reconnaissance in penetration testing, vulnerability assessment, and network inventory management.

Nmap sends raw IP packets to determine which hosts are available on the network, what services those hosts are running, what operating systems are in use, what type of firewalls are deployed, and dozens of other characteristics. Every professional penetration test starts here.

Host discovery & ping sweep
TCP/UDP port scanning
Service & version detection (-sV)
OS fingerprinting (-O)
NSE vulnerability scripts
Output formatting for reports
Real-World Scenario
Your mission — read before starting
💬 MISSION BRIEFING

You are a junior penetration tester at a cybersecurity firm. Your client, AcmeCorp, has commissioned an external network assessment. They have provided written authorization to test their IP range 192.168.1.0/24.

Your first task is the Reconnaissance Phase: discover live hosts, enumerate open ports, identify running services, and detect any potentially vulnerable versions. Document all findings for the penetration test report.

OBJECTIVES
01 Discover all live hosts on 192.168.1.0/24
02 Identify all open TCP/UDP ports on discovered hosts
03 Detect service versions and OS fingerprints
04 Run NSE vulnerability scripts against open ports
05 Save output in a professional format for the report
Step-by-Step Commands
Execute in order — each step builds on the last
01
Host Discovery — Ping Sweep
Find all live hosts without triggering full port scan noise
bash
nmap -sn 192.168.1.0/24
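-sn disables port scanning and performs host discovery only. When run with privileges, the default probes are an ICMP echo request, a TCP SYN to port 443, a TCP ACK to port 80 and an ICMP timestamp request; on a local Ethernet segment such as this /24, Nmap uses ARP requests instead. This is a "ping sweep": fast and low-noise. Identify live targets before deep scanning.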
02
Service & Version Detection
Identify what services are running on the target
bash
nmap -sV -sC 192.168.1.10
-sV probes open ports to determine service and version info. -sC runs the default NSE scripts (the same as --script=default). Combined, these give rich service intelligence. Version info reveals the CVEs you can exploit.
03
Full Port Scan — All 65535 Ports
Services often hide on non-standard ports — scan everything
bash
nmap -p- -T4 192.168.1.10
-p- scans all 65535 TCP ports; UDP is not covered and needs a separate -sU scan. -T4 sets aggressive timing. Services like SSH on port 2222 or web on 8443 are missed by default scans. Never skip this in a real engagement.
04
OS Detection + Full Recon (Master Command)
Everything in one shot — use this for real engagements
bash
sudo nmap -sV -sC -O -p- -T4 192.168.1.10 -oN recon.txt
-O enables OS fingerprinting (needs sudo). -oN saves human-readable output. This is the master recon command every penetration tester runs on every target. Save the output: you need it for the report.
05
NSE Vulnerability Scripts
Automatically detect known CVEs and misconfigurations
bash
nmap --script vuln 192.168.1.10
The vuln NSE script category runs all vulnerability detection scripts against every open port. Finds EternalBlue, Heartbleed, misconfigured databases, anonymous FTP — automatically.
06
Final Complete Command
Everything combined — save XML for Metasploit import
bash — Complete Recon
sudo nmap -sV -sC -O -p- --script vuln -T4 192.168.1.10 -oN recon.txt -oX recon.xml
-oX saves XML for import into Metasploit (db_import recon.xml), OpenVAS, or report generators. This is your complete recon package for every professional engagement.
Lab Hints
Hint 1 — Start with ping sweep
Always run nmap -sn first on the whole subnet before deep scanning individual hosts. Scanning all 65535 ports on a /24 subnet without knowing which hosts are alive would take hours.
Hint 2 — Version = CVEs
The most important Nmap flag is -sV. "Port 80 open, http" tells you almost nothing. "Apache 2.4.29" tells you about dozens of publicly known CVEs you can look up on NVD and exploit with Metasploit.
Hint 3 — OS detection needs root
-O requires sudo/root privileges. Without elevated privileges, Nmap cannot send the raw crafted TCP/IP packets needed for OS fingerprinting. Always prefix with sudo nmap when using -O.
Hint 4 — Always save output
Always use -oN report.txt and -oX report.xml. The XML file can be imported directly into Metasploit with db_import report.xml. It auto-populates all hosts and services into your msf database.
Hint 5 — MySQL exposed = CRITICAL
If Nmap finds MySQL (3306) or PostgreSQL (5432) accessible from the network, that is an immediate CRITICAL finding. Test for anonymous login: mysql -h TARGET -u root --password=. A blank root password is a direct path to data exfiltration.
Live Nmap Port Scanner
Real Nmap scan via HackerTarget API — scan any public IP or domain
NMAP ONLINE SCANNER Powered by HackerTarget Free API
This scanner runs real Nmap scans via the HackerTarget public API (free tier: 5 scans/day per IP). Only scan domains/IPs you own or have permission to test. Scans against unauthorized targets may be illegal. The scanner checks common TCP ports with -sV version detection.
Quick Select — Common Ports Checked in Free Scan:
21 FTP 22 SSH 23 Telnet 25 SMTP 80 HTTP 110 POP3 143 IMAP 443 HTTPS 445 SMB 3389 RDP 3306 MySQL 5432 Postgres 6379 Redis 8080 HTTP-Alt 8443 HTTPS-Alt
Live Threat Intelligence
Lookup any IP or CVE discovered during your scan

Found an interesting IP or CVE during your Nmap scan? Look it up instantly with these live API widgets.

🌎 IP Geolocation
Paste an IP from your Nmap results to geolocate it.
🚫 CVE Lookup (NVD)
Try: CVE-2021-44228 (Log4Shell)  ·  CVE-2017-7679 (Apache)
🌐 DNS Lookup
Look up DNS records for any domain discovered during recon.
Lab Solution
Quick Reference
-sn  Ping sweep
-sV  Version detect
-sC  Default scripts
-O   OS detection
-p-  All 65535 ports
-T4  Aggressive timing
-oN  Normal output
-oX  XML output
--script vuln  Vuln scan