Scans performed with Nmap are divided into phases, and some of them may be skipped using different Nmap options. The scan phases of Nmap are:
- Script pre-scanning: The pre-scanning phase is executed only when you use the -sC or --script options; it attempts to retrieve additional host information via a collection of NSE scripts.
- Target enumeration: In this phase, Nmap parses the target (or targets) and resolves them into IP addresses.
- Host discovery: This is the phase where Nmap determines whether the target (or targets) is online and in the network by performing the specified host discovery technique (or techniques). The -Pn option can be used to skip this phase.
- Reverse DNS resolution: In this phase, Nmap performs a reverse DNS lookup to obtain a hostname for each target. The -R argument can be used to force DNS resolution, and -n can be used to skip it.
- Port scanning: During this phase, Nmap determines the state of the ports. It can be skipped using the -sn argument.
- Version detection: This phase is in charge of advanced version detection for the ports found open. It is executed only when the -sV argument is set.
- OS detection: In this phase, Nmap attempts to determine the operating system of the target. It is executed only when the -O option is present.
- Trace route: In this phase, Nmap performs a trace route to the targets. This phase runs only when the --traceroute option is set.
- Script scanning: In this phase, NSE scripts run depending on their execution rules.
- Output: In this phase, Nmap formats all of the gathered information and returns it to the user in the specified format.
- Script post-scanning: In this phase, NSE scripts with post-scan execution rules are evaluated and given a chance to run. If there are no post-scan NSE scripts in the default category, this phase will be skipped, unless specified with the --script argument.
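
The rules in the list above can be encoded to review a scan command line before it is run, for example when auditing a runbook. This is an added example, not part of Nmap or of the original text; the function name planned_phases, the sample command lines and the 192.0.2.10 address are constructed, and it assumes only the options named above, matched as exact tokens.

```python
# Added example: which phases the rules listed above enable for a command line.
# Only the options named in the list are modelled; combined short forms and
# other Nmap options are not expanded (assumption of this sketch).
PHASES = [
    "Script pre-scanning", "Target enumeration", "Host discovery",
    "Reverse DNS resolution", "Port scanning", "Version detection",
    "OS detection", "Trace route", "Script scanning", "Output",
    "Script post-scanning",
]


def planned_phases(argv):
    """Return, in execution order, the phases enabled by the given arguments.

    A phase being enabled is a necessary condition only: version detection,
    for instance, still needs open ports to work on.
    """
    # Keep option names only; "--script=banner" becomes "--script", while
    # "--script-args=..." stays distinct and does not select any script.
    opts = {a.split("=", 1)[0] for a in argv if a.startswith("-")}
    scripts = bool(opts & {"-sC", "--script"})
    enabled = {
        "Script pre-scanning": scripts,
        "Target enumeration": True,
        "Host discovery": "-Pn" not in opts,
        "Reverse DNS resolution": "-n" not in opts,
        "Port scanning": "-sn" not in opts,
        "Version detection": "-sV" in opts,
        "OS detection": "-O" in opts,
        "Trace route": "--traceroute" in opts,
        # Assumption: NSE scripts are selected only via -sC or --script.
        "Script scanning": scripts,
        "Output": True,
        # Per the list: skipped by default unless --script is given.
        "Script post-scanning": "--script" in opts,
    }
    return [phase for phase in PHASES if enabled[phase]]


if __name__ == "__main__":
    # Constructed command lines for illustration.
    for cmd in (["nmap", "-sn", "-n", "192.0.2.10"],
                ["nmap", "-Pn", "-sV", "--script=banner", "192.0.2.10"]):
        print(" ".join(cmd), "->", ", ".join(planned_phases(cmd)))
```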