nmap for Your Own Network: What You Should Be Scanning

By SumGuy 5 min read
Port Scanning Your Own Stuff Isn’t a Crime

Unlike scanning someone else’s network (don’t do that), running nmap on your own home network is not only legal—it’s smart. You probably have 20 devices on your network that you forgot about, and at least half of them are running services you didn’t know were exposed.

That smart TV? Probably has a web server on port 8008. Your printer? 9100. Some random IoT doorbell? Who knows. Let’s find out what you’re actually running.

The Basics: What’s Alive?

First, discover what’s on your network:

nmap -sn 192.168.1.0/24

That -sn flag means “ping scan”—it finds hosts without doing a full port scan. Much faster. You’ll get something like:

Nmap scan report for 192.168.1.1
Host is up (0.0015s latency).
Nmap scan report for 192.168.1.15
Host is up (0.042s latency).
Nmap scan report for 192.168.1.42
Host is up (0.018s latency).

Now you know what’s awake. Some devices might not respond to ping, though. Add -Pn (older nmap versions spell it -P0) to skip the ping check if you think something’s there but not responding.

The Real Scan: What Ports Are Open?

Pick an IP and see what it’s listening on:

nmap -p- 192.168.1.15

That -p- means “all 65,535 ports.” It’ll take a minute or so depending on the device. Better version:

nmap -p- -T4 192.168.1.15

The -T4 makes it faster (aggressive timing). You’ll see output like:

PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp open https
8080/tcp open http-proxy

Open ports = services listening. The SERVICE column is just nmap’s guess based on default port numbers. Don’t trust it blindly.

What You’re Actually Looking For

Want to be smarter about this? Use OS detection and version scanning:

nmap -A 192.168.1.15

The -A flag enables OS detection and version detection, among other checks.

This tells you actual versions of services, which means you can check CVEs:

Nmap scan report for 192.168.1.15
Host is up (0.018s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4 (protocol 2.0)
80/tcp open http Apache httpd 2.4.6
443/tcp open https Apache httpd 2.4.6

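Now you can check whether any of those are vulnerable. (Apache 2.4.6 is ancient, by the way.) Distribution packages often carry backported security fixes, so treat the version string as a lead to confirm on the device rather than as proof.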

Your Home Network Audit

Here’s what you actually want to scan on your own network:

# Everything with version detection:
nmap -sV --script vuln 192.168.1.0/24

That --script vuln flag runs vulnerability detection scripts against every open port it finds. Slowish, but you find actual problems:

80/tcp open http syn-ack ttl 64
| http-vuln-cve2014-3704:
| CVE-2014-3704 Drupal Module SQL Injection
|_http-druln-enum: targets found

Common Home Network Discoveries

Your printer is running a web server on 9100 (you can disable that). That Raspberry Pi you forgot about is listening on SSH with a default password. Your NAS has an unpatched vulnerability in its web UI.

Most dangerous finding? Devices running old, unpatched versions of services. That’s where you act.

The Paranoid Scan (External Perspective)

Want to see what attackers see?

# From outside your network, scan your external IP:
nmap -p 22,80,443,8080 your.external.ip

If port forwarding is on, this tells you what’s exposed to the internet. Spoiler: you probably shouldn’t have SSH on 22 exposed to the world. Use a VPN or change the port.

Quick Reference: Flags That Matter

-p-             # All ports
-p 22,80,443    # Specific ports
-sV             # Version detection
-O              # OS detection
-A              # Aggressive (everything)
-T4             # Fast timing
-sn             # Ping scan only
--script vuln   # Check for vulnerabilities

Real Home Network Example

# Scan everything on your /24 with versions:
nmap -sV 192.168.1.0/24 > network_audit.txt
# Then scan your own devices aggressively (the {15,20,42} list needs bash):
for ip in 192.168.1.{15,20,42}; do
    echo "=== $ip ===" >> network_audit.txt
    nmap -A "$ip" >> network_audit.txt
done

Run that once a month. You’ll catch new devices, service upgrades, and occasionally something you need to shut down.

Real Vulnerability Example

Let’s say nmap shows:

80/tcp open http syn-ack

But you didn’t intentionally open a web server. What’s running?

# Get the actual service version:
nmap -sV 192.168.1.15
# Shows:
# 80/tcp open http Apache httpd 2.4.18

Apache 2.4.18 is EOL. Check for CVEs:

# Search online or query the NVD CVE API for that exact version (CPE name):
curl -s 'https://services.nvd.nist.gov/rest/json/cves/2.0?cpeName=cpe:2.3:a:apache:http_server:2.4.18:*:*:*:*:*:*:*' | jq -r '.vulnerabilities[].cve.id'

You find a serious vulnerability. Now you know you need to patch it or shut down the service.

Without nmap, you never knew this was running.

Scanning Your Whole Subnet Regularly

Create a simple audit script:

network_audit.sh
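#!/bin/bash
# Weekly subnet scan, appended to a log and mailed to the admin.
SUBNET="192.168.1.0/24"
# /var/log is normally writable only by root: run this from root's crontab
# or point LOGFILE at a directory the cron user owns.
LOGFILE="/var/log/network_audit.log"
echo "=== Network audit at $(date) ===" >> "$LOGFILE"
nmap -sV "$SUBNET" >> "$LOGFILE" 2>&1
# Email results (the whole log, including earlier runs):
mail -s "Network audit" admin@example.com < "$LOGFILE"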

Run it weekly via cron:

# crontab -e:
0 2 * * 0 /home/user/network_audit.sh

Every Sunday at 2 AM, you get an email with what’s on your network and what’s changed since last week.
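
The script above mails raw scan output, so spotting what changed means comparing two runs. The following is an added example, not part of the original post: it assumes each run also saves grepable output with nmap's -oG option, and the function names, file names and sample scan data are constructed for illustration.

```shell
#!/bin/sh
# Added example: list what changed between two nmap grepable (-oG) scans.
# Function names, file names and sample data are constructed for illustration.

# Print one "ip port/proto service [version]" line per open port, sorted.
open_ports() {
  awk -F'\t' '/Ports: / {
    split($1, h, " "); ip = h[2]            # $1 is "Host: <ip> (<name>)"
    for (i = 2; i <= NF; i++) {
      if ($i !~ /^Ports: /) continue
      n = split(substr($i, 8), entry, ", ") # drop the "Ports: " label
      for (j = 1; j <= n; j++) {
        # entry fields: port/state/proto/owner/service/rpcinfo/version/
        split(entry[j], f, "/")
        if (f[2] != "open") continue
        line = ip " " f[1] "/" f[3] " " f[5]
        if (f[7] != "") line = line " " f[7]
        print line
      }
    }
  }' "$1" | LC_ALL=C sort
}

# "+" lines appear only in the new scan, "-" lines only in the old one.
scan_diff() {
  old_list=$(mktemp); new_list=$(mktemp)
  open_ports "$1" > "$old_list"
  open_ports "$2" > "$new_list"
  LC_ALL=C comm -13 "$old_list" "$new_list" | sed 's/^/+ /'
  LC_ALL=C comm -23 "$old_list" "$new_list" | sed 's/^/- /'
  rm -f "$old_list" "$new_list"
}

# Constructed sample scans (fields are tab-separated, as nmap -oG writes them).
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
printf '%b\n' \
  'Host: 192.168.1.15 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.4/, 80/open/tcp//http//Apache httpd 2.4.6/' \
  'Host: 192.168.1.20 ()\tPorts: 5000/open/tcp//upnp///' \
  'Host: 192.168.1.42 ()\tPorts: 9100/open/tcp//jetdirect///' > "$SAMPLE_DIR/last_week.gnmap"
printf '%b\n' \
  'Host: 192.168.1.15 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.4/, 80/open/tcp//http//Apache httpd 2.4.6/, 8080/open/tcp//http-proxy///' \
  'Host: 192.168.1.42 ()\tPorts: 9100/open/tcp//jetdirect///' \
  'Host: 192.168.1.77 ()\tPorts: 23/open/tcp//telnet///' > "$SAMPLE_DIR/this_week.gnmap"

scan_diff "$SAMPLE_DIR/last_week.gnmap" "$SAMPLE_DIR/this_week.gnmap"
```

In the weekly job, add -oG with a dated file name to the nmap command and pass the two most recent files to scan_diff. nmap's own ndiff tool does a similar comparison on -oX XML output.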

The Ethics

Important: Only scan networks you own or have explicit permission to scan. Scanning someone else’s network without authorization is illegal in most jurisdictions.

For your own network? Go nuts. Find everything. Fix the problems you discover.

Your home network is your responsibility. nmap is free and takes ten minutes. You either audit your own network or someone else does it for you. Pick one.
