The nmap port scanner can be used by attackers to determine which ports are open on a remote system, and which services are running on them. Recent versions are even capable of fingerprinting the exact application and version number running, allowing an attacker to fine-tune their attack to such a system.
But nmap was not designed for this purpose; it was designed to help the network administrator prevent attacks by doing the same thing: checking their network for points of weakness.
When setting up servers, firewalls or other network-connected systems, I always run an nmap scan on the “finished” system, and then lock down anything which appears that doesn’t need to be accessed from the outside world. On a Linux system, for instance, X11 and services such as MySQL may listen on TCP ports, but there is often no need for a remote system to connect into these services. In such a situation, firewall rules allowing only localhost (127.0.0.1) to access these ports prevent them from showing in any subsequent nmap scans (provided the scans are from a remote machine!).
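One way to automate the "scan, then lock down what should not be visible" check described above, as an added example that is not part of the original article: it parses nmap's grepable output (`-oG`) and reports open ports that are not on an allowlist. The scan output, the host address (a documentation address) and the allowlist are constructed for illustration.

```python
import re

# Constructed sample of nmap grepable output (`nmap -oG -`), port scan only.
# 192.0.2.10 is a documentation address, not a real host.
SAMPLE_SCAN = (
    "# Nmap scan (constructed sample)\n"
    "Host: 192.0.2.10 ()\tStatus: Up\n"
    "Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, "
    "111/filtered/tcp//rpcbind///, 3306/open/tcp//mysql///, "
    "6000/open/tcp//X11///\tIgnored State: closed (995)\n"
)

# Assumed policy: the only services meant to be reachable from outside.
ALLOWED = {(22, "tcp"), (80, "tcp")}

# One port entry is port/state/protocol/owner/service/rpcinfo/version/
PORT_ENTRY = re.compile(r"(\d+)/([a-z|]+)/(tcp|udp|sctp)/[^/]*/([^/]*)/")

def parse_open_ports(grepable):
    """Return {host: [(port, proto, service), ...]} for ports in state 'open'."""
    hosts = {}
    for line in grepable.splitlines():
        if not line.startswith("Host:"):
            continue  # skip comment lines
        fields = line.split("\t")  # grepable fields are tab-separated
        host = fields[0].split()[1]
        for field in fields[1:]:
            if not field.startswith("Ports:"):
                continue  # skip Status: and Ignored State: fields
            for port, state, proto, service in PORT_ENTRY.findall(field):
                if state == "open":
                    hosts.setdefault(host, []).append((int(port), proto, service))
    return hosts

def unexpected_exposure(grepable, allowed):
    """Return open ports that the policy does not list, per host."""
    findings = {}
    for host, ports in parse_open_ports(grepable).items():
        extra = [p for p in ports if (p[0], p[1]) not in allowed]
        if extra:
            findings[host] = extra
    return findings

if __name__ == "__main__":
    for host, ports in unexpected_exposure(SAMPLE_SCAN, ALLOWED).items():
        for port, proto, service in ports:
            print(f"{host}: {port}/{proto} ({service}) is open but not in the allowlist")
```

Run against a scan taken from a remote machine after the firewall rules are applied, an empty result means the MySQL and X11 listeners are no longer visible from outside.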
Nmap supports many scan types, designed to obtain information about the network (ping sweep scanning, for instance), the open ports (TCP connect, UDP, and half-open or “stealth” SYN scanning), and the operating system and services running (OS and service fingerprinting).
Each scan type provided by nmap can give the system administrator useful information, and by thinking along the same lines as an attacker, the administrator can often close off parts of the network, lock down services on accessible systems, and generally reduce the avenues of attack. Nmap is an essential tool in highlighting which of these avenues are open in the first place, allowing an administrator to block potential attackers before they become a problem.