
SMASHING LAB

20 Awesome Nmap Command Examples for Linux

By Imran Yousaf

Nmap (Network Mapper) is a free, open-source utility for scanning networks and auditing network security. Nmap supports a variety of scanning methods (UDP, TCP connect, TCP SYN, FTP bounce, ICMP, etc.) as well as a large number of additional features.

Most Nmap operations require root privileges. When Nmap is run as an ordinary user, many of its functions are unavailable.

Below you will find 20 basic examples of using the Nmap command. You will learn how to use Nmap from the command line in Linux to find active hosts on the network and scan open ports.

You will learn how to remotely determine the operating system using TCP/IP stack fingerprinting and how to find out the version of the software running on a remote server.

You will find out how to use Nmap to perform a stealth scan, how to detect a firewall and how to spoof the MAC address.


1. Scan One Host or IP Address

Scan a Single IP Address:

$ nmap 192.168.1.1

Scan a Server by Host Name:

$ nmap server.testhost.com

Increase the verbosity of the scan results (-vv is more verbose than -v):

$ nmap -v server.testhost.com
$ nmap -vv server.testhost.com

2. Scanning Multiple IP Addresses

Scan Multiple IP Addresses:

$ nmap 192.168.1.1 192.168.1.2 192.168.1.3
$ nmap 192.168.1.1,2,3

Scan a Subnet:

$ nmap 192.168.1.0/24
$ nmap 192.168.1.*

Scan an IP Address Range (192.168.1.0 – 192.168.1.200):

$ nmap 192.168.1.0-200

3. Search for Active Hosts on the Network

Scan a network for active hosts (ping scan only, no port scan):

$ nmap -sn 192.168.1.0/24

4. Scanning Host List from File

Scan a list of hosts / networks read from a file:

$ nmap -iL input.txt

File format:

# Entries can be in any of the formats Nmap accepts on the command line
# (IP addresses, hostnames, CIDR, IPv6, or octet ranges). Entries are
# separated by one or more spaces, tabs, or newlines.

$ cat input.txt
server.testhost.com
192.168.1.0/24
192.168.2.1,2,3
192.168.3.0-200

5. Excluding IP / Hosts / Networks from Scanning

Exclude targets from an Nmap scan (the exclusion list is comma-separated; a space would turn the second address into an extra target):

$ nmap 192.168.1.0/24 --exclude 192.168.1.1
$ nmap 192.168.1.0/24 --exclude 192.168.1.1,192.168.1.5
$ nmap 192.168.1.0/24 --exclude 192.168.1.1,2,3

Exclude a list of hosts read from a file:

$ nmap 192.168.1.0/24 --excludefile exclude.txt

The format of the file with the excluded hosts is similar to the above.
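As an added example (not from the original article and not Nmap's own code), the following Python expands the target notations used in sections 2, 4 and 5 (comma-separated octets, octet ranges, the * wildcard and CIDR blocks) and applies an exclusion list, producing the host set that a run with -iL input.txt --excludefile exclude.txt would cover. The file contents are constructed samples; hostnames are kept as strings because no DNS lookup is performed.

```python
import ipaddress
import itertools
import re

INPUT_TXT = """# hosts to scan (constructed sample input.txt, not from the article)
server.testhost.com
192.168.1.0/24
192.168.2.1,2,3
192.168.3.0-200
"""
EXCLUDE_TXT = "192.168.1.1,2,3\n"  # constructed sample exclude.txt

# Four dot-separated octet specs; each octet is a number, comma list, a-b range or '*'
OCTET_RANGE = re.compile(r"^[0-9,*-]+(\.[0-9,*-]+){3}$")

def _expand_octet(part):
    """'1,2,3' -> [1, 2, 3]; '0-200' -> 0..200; '*' or '-' -> 0..255; '10-' -> 10..255."""
    values = set()
    for item in part.split(","):
        if item == "*":
            values.update(range(256))
        elif "-" in item:
            lo, hi = item.split("-", 1)
            values.update(range(int(lo or 0), int(hi or 255) + 1))
        else:
            values.add(int(item))
    return sorted(v for v in values if 0 <= v <= 255)

def expand_target(spec):
    """Expand one Nmap target spec to IPv4Address objects; hostnames stay strings."""
    if "/" in spec:
        # CIDR: Nmap scans every address in the block, network and broadcast included
        return list(ipaddress.ip_network(spec, strict=False))
    if OCTET_RANGE.match(spec):
        octets = [_expand_octet(p) for p in spec.split(".")]
        return [ipaddress.ip_address(".".join(map(str, c))) for c in itertools.product(*octets)]
    return [spec]  # hostname: Nmap would resolve it via DNS

def targets_from_text(text):
    """Parse -iL / --excludefile contents: whitespace-separated specs, '#' starts a comment."""
    found = []
    for line in text.splitlines():
        for spec in line.split("#", 1)[0].split():
            found.extend(expand_target(spec))
    return found

def effective_targets(input_text, exclude_text=""):
    """Targets that remain after applying the exclusion list, in input order."""
    excluded = set(targets_from_text(exclude_text))
    return [t for t in targets_from_text(input_text) if t not in excluded]
```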

6. Scanning for Specific Ports

Scan One Port:

$ nmap -p 80 192.168.1.1

Scan Multiple Ports:

$ nmap -p 80,443 192.168.1.1

Scan a Port Range:

$ nmap -p 80-1000 192.168.1.1

Scan All Ports (the quotes stop the shell from expanding the asterisk):

$ nmap -p "*" 192.168.1.1

Scan the Most Common Ports:

$ nmap --top-ports 5 192.168.1.1
$ nmap --top-ports 10 192.168.1.1

7. Defining Supported IP Protocols

Determine which IP protocols (TCP, UDP, ICMP, etc.) the scanned host supports:

$ nmap -sO 192.168.1.1

8. Scanning TCP / UDP Ports

TCP connect scan of the default port set:

$ nmap -sT 192.168.1.1

Scan specific TCP ports:

$ nmap -p T:80 192.168.1.1

UDP scan of the default port set:

$ nmap -sU 192.168.1.1

Scan specific UDP ports (a UDP scan type must be enabled, otherwise the U: list is ignored):

$ nmap -sU -p U:53 192.168.1.1

Combine TCP and UDP port lists in one scan:

$ nmap -sU -sS -p U:53,79,113,T:21-25,80,443,8080 192.168.1.1
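To make the port-list syntax from sections 6 and 8 concrete, here is an added Python parser (not from the article and not Nmap's own code) that expands a -p argument into TCP and UDP port sets the way Nmap interprets it: a T: or U: prefix applies to the items that follow it until the next prefix, items before any prefix apply to both protocols, and a bare - means 1-65535. Treating * the same as - is a stated simplification.

```python
MAX_PORT = 65535  # Nmap accepts 0-65535, but 0 is only scanned when named explicitly

def _expand_range(item):
    """'80' -> [80]; '21-25' -> 21..25; '1000-' -> 1000..65535; '-' or '*' -> 1..65535."""
    if item == "*":
        return range(1, MAX_PORT + 1)  # simplification: '*' treated like '-'
    if "-" in item:
        lo, hi = item.split("-", 1)
        lo, hi = int(lo) if lo else 1, int(hi) if hi else MAX_PORT
    else:
        lo = hi = int(item)
    if not 0 <= lo <= hi <= MAX_PORT:
        raise ValueError("bad port range: %s" % item)
    return range(lo, hi + 1)

def parse_port_spec(spec):
    """Parse an Nmap -p argument into {'T': tcp_ports, 'U': udp_ports}.

    Whitespace is stripped so the spaced form seen in some tutorials
    ('U: 53, T: 80') parses as well; real Nmap expects no spaces at all.
    """
    ports = {"T": set(), "U": set()}
    proto = None  # None = no prefix seen yet, so items apply to both protocols
    for item in spec.replace(" ", "").split(","):
        if len(item) >= 2 and item[0] in "TU" and item[1] == ":":
            proto, item = item[0], item[2:]
        if not item:
            continue  # tolerate 'T:' immediately followed by a comma, or a trailing comma
        for key in ([proto] if proto else ["T", "U"]):
            ports[key].update(_expand_range(item))
    return ports
```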

9. Quick Scan

Enable Quick Scan Mode :

$ nmap -F 192.168.1.1

* Scans a smaller number of ports than with an ordinary scan.

10. Show the Causes of the Port State

Show the reason why Nmap believes a port is in a particular state:

$ nmap --reason 192.168.1.1

11. Show Only Open Ports

Show only open (or possibly open) ports:

$ nmap --open 192.168.1.1

12. OS Detection

One of the best-known Nmap features is remote OS detection based on analysis of the target's TCP/IP stack behaviour.

Nmap sends a series of TCP and UDP packets to the remote host and examines the responses.

After running many tests, Nmap compares the results against its fingerprint database and, when it finds a match, reports information about the OS.

Enable OS detection:

$ nmap -O 192.168.1.1

13. Service Version Detection

Enable service version detection:

$ nmap -sV 192.168.1.1

* Determines the versions of the programs running on the remote server.

14. Detecting a Firewall

Find out whether the host is protected by packet filters or a firewall:

$ nmap -sA 192.168.1.1

15. Spoofing the MAC Address

Spoof the MAC address:

$ nmap --spoof-mac 00:11:22:33:44:55 192.168.1.1

Use a random MAC address:

$ nmap --spoof-mac 0 192.168.1.1

16. Scanning a Firewall for Weaknesses

These three scan types exploit a subtle loophole in the TCP RFC to distinguish open ports from closed ones.

When an RFC-compliant system is scanned, any packet that does not have the SYN, RST or ACK bit set will cause an RST to be sent back if the port is closed, and no response at all if the port is open. Because a packet dropped by a filter also produces no response, Nmap reports non-responding ports from these scans as open|filtered.

As long as none of those three bits is set, any combination of the remaining three (FIN, PSH and URG) is valid.

TCP Null scan:

$ nmap -sN 192.168.1.1

* No bits are set (the TCP flags field is 0).

TCP FIN scan:

$ nmap -sF 192.168.1.1

* Only the TCP FIN bit is set.

TCP Xmas scan:

$ nmap -sX 192.168.1.1

* The FIN, PSH and URG flags are set (the packet lights up like a Christmas tree).

17. Stealth Scan

TCP SYN scan:

$ nmap -sS 192.168.0.1

* Known as half-open scanning, since it never completes a full TCP connection.

18. Disable Host Discovery (No Ping)

Do not ping hosts before scanning them (every target is treated as up):

$ nmap -Pn 192.168.1.1

19. Disabling DNS Resolution

Never do reverse DNS resolution on the active IP addresses that are found:

$ nmap -n 192.168.1.1

20. Saving Nmap Scan Results to a File

Save the Nmap scan result to a text file:

$ nmap 192.168.1.1 > output.txt
$ nmap -oN output.txt 192.168.1.1

Save the Nmap scan result to an XML file:

$ nmap -oX output.xml 192.168.1.1
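As an added example (not part of the original article and not Nmap's own code), the following Python reads the XML written by -oX, extracts each port's state, the reason that --reason prints and the version that -sV fills in, filters the way --open does, and compares two saved scans to flag newly opened ports, which is the main reason a defender keeps XML output. The XML below is a constructed, trimmed sample.

```python
import xml.etree.ElementTree as ET

# Constructed sample of nmap -oX output, trimmed to the elements used below
BASELINE_XML = """<nmaprun scanner="nmap">
<host><status state="up" reason="arp-response"/>
<address addr="192.168.1.1" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
<service name="ssh" product="OpenSSH" version="8.2p1"/></port>
<port protocol="tcp" portid="443"><state state="closed" reason="reset"/></port>
<port protocol="udp" portid="53"><state state="open|filtered" reason="no-response"/>
<service name="domain"/></port>
</ports></host></nmaprun>"""
# The same host rescanned later with one extra listener (also constructed)
CURRENT_XML = BASELINE_XML.replace("</ports>",
    '<port protocol="tcp" portid="3306"><state state="open" reason="syn-ack"/>'
    '<service name="mysql"/></port></ports>')

def parse_nmap_xml(xml_text):
    """Map each IPv4 host to {(proto, port): {state, reason, service, version}}."""
    scan = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        ports = {}
        for p in host.iter("port"):
            st, svc = p.find("state"), p.find("service")
            version = "" if svc is None else " ".join(
                v for v in (svc.get("product"), svc.get("version")) if v)
            ports[(p.get("protocol"), int(p.get("portid")))] = {
                "state": st.get("state"),
                "reason": st.get("reason"),  # the field that --reason prints
                "service": "" if svc is None else svc.get("name", ""),
                "version": version,          # populated by -sV
            }
        scan[addr.get("addr")] = ports
    return scan

def open_ports(scan):
    """Keep only open and open|filtered ports, like nmap --open."""
    return {ip: {k: v for k, v in ports.items() if v["state"].startswith("open")}
            for ip, ports in scan.items()}

def newly_opened(baseline_xml, current_xml):
    """Ports open in the current scan that were not open in the baseline scan."""
    before = open_ports(parse_nmap_xml(baseline_xml))
    after = open_ports(parse_nmap_xml(current_xml))
    return {ip: sorted(set(ports) - set(before.get(ip, {})))
            for ip, ports in after.items() if set(ports) - set(before.get(ip, {}))}
```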

Copyright © 2021. Smashing Lab