20 Awesome Nmap Command Examples for Linux

Nmap (Network Mapper) is a free, open-source utility for scanning networks and auditing network security. Nmap uses a variety of scanning methods (UDP, TCP, TCP SYN, FTP, ICMP, etc.) and also supports a large number of additional features.

Most Nmap operations require root privileges. When you run Nmap as a normal user, a large number of functions will not be available.

Below you will find 20 basic examples of using the Nmap command. You will learn how to use Nmap from the command line in Linux to find active hosts on the network and scan open ports.

You will learn how to remotely determine the operating system using TCP/IP stack fingerprints and how to find out the version of the software running on a remote server.

You will find out how to use Nmap to perform a stealth scan, how to detect a firewall and how to spoof the MAC address.

1. Scan One Host or IP Address

Scan Single IP Address :

Scan the server by Host Name :

Increase the verbosity of the scan results:

2. Scanning Multiple IP Addresses

Scan Multiple IP Addresses :

Scan Subnet :

Scan IP Address Range ( –

3. Search for Active Computers on the Network

Scan a network in search of Active Hosts :

4. Scanning Host List from File

Scanning the list of hosts / networks from the File :

File format:

5. Excluding IP / Hosts / Networks from Scanning

Exclude Targets from scanning Nmap:

Exclude List of hosts taken from the file:

The format of the file with the excluded hosts is similar to the above.

6. Scanning for Specific Ports

Scan One Port :

Scan Multiple Ports :

Scan Port Range :

Scan All Ports :

Scan the most common Ports :

7. Determining Supported IP Protocols

Determine which IP protocols (TCP, UDP, ICMP, etc.) the scanned host supports:

8. Scanning TCP / UDP Ports

Scan all TCP Ports :

Scan certain TCP Ports :

Scan all UDP Ports :

Scan certain UDP Ports :

Combining scanning of different ports:

9. Quick Scan

Enable Quick Scan Mode :

Scans fewer ports than an ordinary scan.

10. Show the Reason for the Port State

Show the Reason why Nmap thinks that the port is in a certain state:

11. Show Only Open Ports

Show Only Open Ports (or possibly open):

12. OS Detection

One of Nmap's best-known features is remote OS detection based on analysis of the TCP/IP stack's behavior.

Nmap sends a series of TCP and UDP packets to the remote host and examines the responses.

After running many tests, Nmap compares the results with its database and, when it finds a match, displays information about the OS.

Enable OS detection:

13. Service Version Detection

Enable service version detection:

Determines the versions of programs running on a remote server.

14. Discovering the Firewall

Find out if the computer is protected by any packet filters or a firewall:

15. Spoofing MAC Addresses

Spoof the MAC address:

Spoof the MAC address with a random MAC:

16. Scanning a Firewall for Vulnerabilities

These three scan types use a subtle loophole in the TCP RFC to separate ports into open and closed.

When an RFC-compliant system is scanned, any packet that does not have the SYN, RST, or ACK bit set causes an RST to be sent in response if the port is closed, and causes no response at all if the port is open.

As long as none of these bits is set, any combination of the three remaining flags (FIN, PSH and URG) is acceptable.

TCP Null scan:

No bits are set (the flags field in the TCP header is 0).

TCP FIN scan:

Only the TCP FIN bit is set.

TCP Xmas scan:

The FIN, PSH and URG flags are set (the packet lights up like a Christmas tree).
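
On the detection side, the flag rule described above is easy to check for in captured traffic. The following is an added example, not part of the original article: it reads the flags byte from a raw TCP header and labels segments that match the Null, FIN or Xmas patterns. The function names and the sample headers are constructed for illustration.

```python
import struct

# TCP flag bits (byte 13 of the TCP header), per RFC 793.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def tcp_flags(header: bytes) -> int:
    """Return the six classic flag bits from a raw TCP header."""
    if len(header) < 20:
        raise ValueError("truncated TCP header")
    # Layout: src port, dst port, seq, ack, data offset/reserved, flags
    _sport, _dport, _seq, _ack, _off, flags = struct.unpack("!HHIIBB", header[:14])
    return flags & 0x3F  # mask off the ECN bits (CWR/ECE)


def classify_probe(flags: int) -> str:
    """Label a segment by the section-16 scan type it matches, if any."""
    if flags & (SYN | RST | ACK):
        return "normal"  # SYN, RST or ACK present: not one of these probes
    if flags == 0:
        return "null"
    if flags == FIN:
        return "fin"
    if flags == (FIN | PSH | URG):
        return "xmas"
    # Any other FIN/PSH/URG mix relies on the same RFC behaviour.
    return "other-no-syn-rst-ack"


def make_header(dport: int, flags: int) -> bytes:
    """Build a constructed 20-byte TCP header for the sample data."""
    return struct.pack("!HHIIBBHHH", 40000, dport, 0, 0, 5 << 4, flags, 1024, 0, 0)


# Constructed sample segments (not real captures).
SAMPLES = [
    ("handshake SYN", make_header(22, SYN)),
    ("data PSH+ACK", make_header(443, PSH | ACK)),
    ("no flags", make_header(80, 0)),
    ("FIN only", make_header(80, FIN)),
    ("FIN+PSH+URG", make_header(80, FIN | PSH | URG)),
    ("PSH only", make_header(80, PSH)),
]


def summarize(samples):
    """Return (description, label) pairs for a list of raw headers."""
    return [(name, classify_probe(tcp_flags(hdr))) for name, hdr in samples]


if __name__ == "__main__":
    for name, label in summarize(SAMPLES):
        print(f"{name:15s} -> {label}")
```

A segment that arrives outside an established connection with any label other than "normal" is worth alerting on, since legitimate stacks do not send such segments to start a conversation.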

17. Stealth Scan

TCP SYN scan:

Known as half-open scanning, since it does not open complete TCP connections.

18. Disable Host Detection (No Ping)

Do not ping hosts before scanning:

19. Disabling DNS Usage

Never perform reverse DNS resolution on the active IP addresses that are found:

20. Saving Nmap Scan Results to a File

Save the Nmap scan result to a Text File :

Save the Nmap scan result to XML File :

Authored By Imran Yousaf

I am Imran Yousaf, a computer geek, founder of the site Smashinglab.com. I am a die-hard fan of open-source software and the Linux operating system. In addition to Linux, I am interested in everything related to information technology and modern science.
