Nmap (Network Mapper) is a free open source utility for scanning networks and auditing network security. Nmap uses a variety of different scanning methods (UDP, TCP, TCP SYN, FTP, ICMP, etc.), and also supports a large number of additional features.
Most nmap operations require root authority. When you run nmap on behalf of a normal user, a large number of functions will not be available.
Below you will find 20 basic examples of using the Nmap command. You will learn how to use Nmap from the command line in Linux to find active hosts on the network and scan open ports.
You will learn how to remotely determine the operating system using TCP/IP stack footprints and how to find out the version of the software running on a remote server.
You will find out how to use Nmap to perform a hidden scan, how to determine the firewall and how to change the MAC address.
Good advice: Do you want to keep anonymity? Learn how to use PROXY from the command line in Linux. Read more →
1. Scan One Host or IP Address
Scan Single IP Address :
$ nmap 192.168.1.1
Scan the server by Host Name :
$ nmap server.testhost.com
Enlarge Detail of the scan results:
$ nmap -v server.testhost.com
$ nmap -vv server.testhost.com
2. Scanning Multiple IP Addresses
Scan Multiple IP Addresses :
$ nmap 192.168.1.1 192.168.1.2 192.168.1.3
$ namp 192.168.1.1,2,3
Scan Subnet :
$ nmap 192.168.1.0/24
$ nmap 192.168.1. *
Scan IP Address Range (192.168.1.0 – 192.168.1.200):
$ nmap 192.168.1.0-200
3. Search for Active Computers on the Web
Thing Tip: Scan the network with just one command
ping! Find all active computers! Read more →
Scan a network in search of Active Hosts :
$ nmap -sn 192.168.1.0/24
4. Scanning Host List from File
Scanning the list of hosts / networks from the File :
$ nmap -iL input.txt
# Entries can be submitted in any of the formats with which they work
# Nmap from the command line (IP addresses, hostnames, CIDR, IPv6, or octet
# ranges). Records should be separated by one or more spaces, tabs
# or a newline.
$ cat input.txt
5. Excluding IP / Hosts / Networks from Scanning
Exclude Targets from scanning Nmap:
$ nmap 192.168.1.0/24 --exclude 192.168.1.1
$ nmap 192.168.1.0/24 --exclude 192.168.1.1 192.168.1.5
$ nmap 192.168.1.0/24 --exclude 192.168.1.1,2,3
Exclude List of hosts taken from the file:
$ nmap 192.168.1.0/24 --excludefile exclude.txt
The format of the file with the excluded hosts is similar to the above.
6. Scanning for Specific Ports
Scan One Port :
$ nmap -p 80 192.168.1.1
Scan Multiple Ports :
$ nmap -p 80,443 192.168.1.1
Scan Port Range :
$ nmap -p 80-1000 192.168.1.1
Scan All Ports :
$ nmap -p "*" 192.168.1.1
Scan the most common Ports :
$ nmap --top-ports 5 192.168.1.1
$ nmap --top-ports 10 192.168.1.1
7. Defining Supported IP Protocols
Determine which IP Protocols (TCP, UDP, ICMP, etc.) supports the host being scanned:
$ nmap -sO 192.168.1.1
8. Scanning TCP / UDP Ports
Scan all TCP Ports :
$ nmap -sT 192.168.1.1
Scan certain TCP Ports :
$ nmap -p T: 80 192.168.1.1
Scan all UDP Ports :
$ nmap -sU 192.168.1.1
Scan certain UDP Ports :
$ nmap -p U: 53 192.168.1.1
Combining scanning of different ports:
$ nmap -p U: 53,79,113, T: 21-25,80,443,8080 192.168.1.1
9. Quick Scan
Enable Quick Scan Mode :
$ nmap -F 192.168.1.1
* Scans a smaller number of ports than with an ordinary scan.
10. Show the Causes of the Port State
Show the Reason why Nmap thinks that the port is in a certain state:
$ nmap --reason 192.168.1.1
11. Show Only Open Ports
Show Only Open Ports (or possibly open):
$ nmap --open 192.168.1.1
12. Definition of the OS
One of the most well-known Nmap functionality is the remote OS definition based on the TCP / IP stack operation analysis.
Nmap sends a series of TCP and UDP packets to the remote host and examines the responses.
After conducting a lot of tests, Nmap compares the results with its database and, when finding matches, displays information about the OS.
Enable OS Definition :
$ nmap -O 192.168.1.1
13. Definition of the Service Version
Enable Service Version Definition :
$ nmap -sV 192.168.1.1
* Defines the versions of programs running on a remote server.
14. Discovering the Firewall
Find out if the computer is protected by any Batch Filters or Firewall :
$ nmap -sA 192.168.1.1
15. Substitution of MAC Addresses
Substitute MAC Address :
$ nmap --spoof-mac 00: 11: 22: 33: 44: 55 192.168.1.1
Substitute MAC Address Random MAC :
$ nmap --spoof-mac 0 192.168.1.1
16. Firewall scanning on Vulnerability
These three types of scanning use an inconspicuous loophole in TCP RFC to split ports into open and closed ports.
When an RFC compliant system is scanned, any packet that does not contain the set SYN, RST, or ACK bit will cause the RST to be sent in response if the port is closed or does not result in any response if the port is open.
Because none of these bits is set, then any combination of the three remaining (FIN, PSH and URG) will be correct.
TCP Null scan:
$ nmap -sN 192.168.1.1
* No bits are set (Flags in TCP header 0).
TCP Fin scanning:
$ nmap -sF 192.168.1.1
* Only TCP FIN bit is set.
TCP Xmas scanning:
$ nmap -sX 192.168.1.1
* FIN, PSH and URG flags are installed (the package lights up like a Christmas tree).
17. Hidden Scan
Tip: Keep anonymity while scanning ports! Use
ProxyChains! Safe and simple penetration testing! Read more →
TCP SYN scan:
$ nmap -sS 192.168.0.1
* Known as scanning using half-open connections, since it does not detach complete TCP connections.
18. Disable Host Detection (No Ping)
Do not ping hosts before scanning:
$ nmap -Pn 192.168.1.1
19. Disabling DNS Usage
Tip: Do you need to increase security in Linux? Encrypt DNS traffic to protect against spoofing! Read more →
Never reverse the DNS name resolution for each detected active IP address:
$ nmap -n 192.168.1.1
20. Saving Nmap Scan Results to a File
Save the Nmap scan result to a Text File :
$ nmap 192.168.1.1> output.txt
$ nmap -oN output.txt 192.168.1.1
$ nmap -oX output.xml 192.168.1.1