Introduction to nmap command
Nmap (Network Mapper) is an open-source command-line tool for network exploration and security auditing. It sends crafted packets (raw IP packets when run as root, plain TCP connections otherwise) to discover which hosts are up, which ports are open, what services and versions are listening, what operating system a host is running, and whether packet filters or firewalls sit in the path. Network and system administrators use it to inventory networks and to monitor host and service availability.
How to install nmap
Nmap is packaged in the default repositories of every major Linux distribution.

To install nmap on CentOS, Fedora and RHEL (use dnf on Fedora and RHEL 8 or later; yum on older releases):

$ sudo dnf install nmap

To install nmap on Ubuntu and Debian:

$ sudo apt-get install nmap
Different examples to use nmap command
Many nmap commands can be executed without root privileges, but in that case nmap falls back to a TCP connect scan (-sT). Scan types that need raw packets, such as SYN scan (-sS), UDP scan (-sU), ACK scan (-sA), OS detection (-O) and traceroute, require root, which is why some of the examples below use sudo. In this article, you will learn to use the nmap command to scan networks from the following examples:
1. nmap command to scan a system using hostname
nmap command allows you to scan a system using its hostname. By default it scans the 1000 most common TCP ports and displays the open ports and the services usually associated with them. The target's MAC address is shown only when the target is on the same Ethernet segment and the scan runs as root (nmap uses ARP in that case).

$ nmap hostname
2. nmap command to scan using IP address
An IP address uniquely identifies a device on the internet or a local network. You can scan a system by giving its IP address to the nmap command, which also avoids a DNS lookup:

$ nmap IP_address
3. Scan multiple hosts using nmap command
Scanning multiple hosts with the nmap command is pretty easy. Separate the hostnames or IP addresses with spaces; hostnames and IP addresses can be mixed on the same command line.

$ nmap host1 host2 host3
4. nmap command to scan a range of IP address
nmap command allows you to scan a specific range of IP addresses by writing a range in the last octet. For example, to scan 192.0.2.100 through 192.0.2.120 (addresses from the RFC 5737 documentation range, used here as a placeholder), you can use:

$ nmap 192.0.2.100-120
5. Scan a whole subnet using nmap command
nmap command allows scanning a whole subnet by using * as a wildcard in the IP address. Quote the argument so the shell does not try to expand the * as a filename glob. CIDR notation (192.0.2.0/24) is equivalent and more common.

$ nmap '192.0.2.*'

It displays the scan report for all hosts that are live or up.
6. nmap command to get detailed information about the remote machine
You can use the -v option to get more detailed output while scanning. It does not show process information; it increases verbosity, so nmap reports open ports as soon as it finds them and prints progress and timing estimates. Repeat it (-vv) for even more detail.

$ nmap -v host
7. nmap command to exclude some hosts
--exclude option is used to leave specific addresses out when scanning a range or a subnet, for example a gateway or a fragile production host. Multiple addresses are separated with commas; a longer list can be kept in a file and passed with --excludefile.

$ nmap 192.0.2.0/24 --exclude 192.0.2.1,192.0.2.254

The "Nmap done" summary line at the end of the scan reports how many IP addresses were actually scanned, so you can confirm that the exclusion took effect.
8. nmap command to scan hosts from a file
You can scan all hosts listed in a file using the nmap command. It is useful when you have a large number of hosts stored in a file, one host, range or subnet per line.

$ nmap -iL filename
9. Scan aggressively using the nmap command
-A option performs an aggressive scan that combines OS detection (-O), version detection (-sV), default script scanning (-sC) and traceroute. You will need root permission to execute this command, because OS detection and traceroute use raw packets.

$ sudo nmap -A host
10. nmap command to perform OS detection
You can also get OS information using the -O option, which fingerprints the target's TCP/IP stack and requires root. When no fingerprint matches closely enough, nmap reports no exact OS; adding --osscan-guess makes it print its closest guesses instead.

$ sudo nmap -O host

$ sudo nmap -O --osscan-guess host
11. nmap command to scan for version detection
-sV option enables version detection: after finding open ports, nmap probes each service and reports the application name and version running on the remote host. It does not require root.

$ nmap -sV host
12. nmap command to do a fast scan
-F option allows you to do a fast scan on the system. It scans the 100 most common ports instead of the default 1000.

$ nmap -F host
13. nmap command to find live hosts in the network
-sP option skips port scanning and only checks for live hosts in the network. It is the older spelling of -sn (example 30) and is still accepted.

$ nmap -sP 192.0.2.0/24
14. nmap command to scan and detect firewall
-sA option performs an ACK scan, which is used to map firewall or packet-filter rules on the hosts. It sends ACK packets and reports a port as "unfiltered" when a RST comes back and "filtered" when nothing or an ICMP error is returned; it cannot tell open ports from closed ones. It requires root.

$ sudo nmap -sA host
15. nmap command to check if the host is protected by a firewall
You can use the -PN option to scan a host that does not answer nmap's host discovery probes, for example because a firewall drops ping. -PN is the older spelling of -Pn (example 24) and is still accepted; it skips host discovery entirely, so nmap scans the ports even though it could not confirm the host is up.

$ sudo nmap -PN host
16. nmap command to scan without randomizing
By default, Nmap randomizes the order in which ports are scanned. The -r option scans them sequentially (sorted from lowest to highest), which is easier to follow when you watch the scan or the packet trace.

$ nmap -r host
17. Scan a specific port using nmap command
You can specify a port using the -p option with the nmap command:

$ nmap -p NUM host

You can also scan multiple ports by separating them with commas, for example -p 22,80,443.
18. nmap command to scan a UDP port
You can scan UDP ports using the -sU option, which requires root. Combine it with -p to limit the scan to specific ports; a UDP scan of all default ports is slow, and ports that do not answer are reported as "open|filtered" because nmap cannot tell an open service that is silent from a dropped packet.

$ sudo nmap -sU -p NUM host
19. Scan a specific range of ports using nmap command
You can specify a range of ports with the -p option of the nmap command. It scans every port between the two numbers, inclusive.

$ nmap -p numX-numY host
20. nmap command to show host and port state reasons
--reason option shows why each port was classified in its state (for example syn-ack for open, reset for closed, no-response for filtered) and why each host was considered up.

$ nmap --reason host
21. Show only open ports using nmap command
--open option filters the port list and shows only open ports in the output, hiding closed and filtered ones.

$ nmap --open host
22. nmap command to list interfaces and routes
--iflist option prints the interface list and system routes as detected by nmap. It is useful to debug routing problems and device mischaracterization.
$ nmap --iflist
23. nmap command to enable IPv6 scanning
-6 option enables IPv6 scanning with the nmap command. Targets must be IPv6 addresses, or hostnames that resolve to IPv6 (AAAA) records; otherwise nmap fails to resolve the target.

$ nmap -6 IPv6_address
24. nmap command to treat all hosts as online
-Pn option skips host discovery and treats every target as online, so hosts that block ping and the other discovery probes are still port-scanned. This is the current spelling of -PN (example 15).

$ nmap -Pn host
25. Prints all the packets sent and received with nmap command
--packet-trace option prints a summary of every packet nmap sends and receives. The output is long, so it is most useful on a small port list when debugging why a port shows as filtered.

$ nmap --packet-trace -p 22 host
26. nmap command to enable host timeout
--host-timeout allows you to specify a maximum scanning time per target. The value is in seconds unless you append a unit (ms, s, m or h). nmap gives up on a host that takes longer than that and moves on to the next one.

$ nmap --host-timeout 30m host
27. List the targets only using nmap command
When you only want to list the targets nmap would scan, without scanning them, you can use the -sL option. It expands ranges and subnets and performs reverse DNS lookups, but sends no packets to the targets themselves, which makes it a safe way to check a target specification before a real scan.

$ nmap -sL 192.0.2.0/24
28. Trace hop path to each host with nmap command
--traceroute option traces the hop path to each host after the scan, using the scan's own probe types. It requires root.

$ sudo nmap --traceroute host
29. nmap command to scan random targets
You can specify the number of random targets you wish to scan using the -iR option. nmap then picks that many random routable IPv4 addresses from the whole internet; the number 0 means never stop. Since these are hosts you do not own, use this only where you are authorized to do such scanning.

$ nmap -iR NUM
30. nmap command to disable port scanning
-sn option does not perform a port scan after host discovery. It only prints the list of hosts that responded to the discovery probes (by default ICMP echo, TCP SYN to 443, TCP ACK to 80 and an ICMP timestamp request; ARP requests on the local network when run as root). It is also called a "ping scan".

$ nmap -sn 192.0.2.0/24
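Host discovery (examples 13 and 30), the --open filter (example 21) and the -iL host list (example 8) are usually chained: sweep a subnet, save the live hosts, then port-scan only those. The script below is a worked example added to this article (it is not nmap's own code and not from the original article): it uses nmap's grepable output format (-oG -) and two small awk filters to turn a sweep into a host list and a service scan into a clean "address port/proto service version" list. The scan output it parses is constructed sample data, not a captured scan, the addresses come from the RFC 5737 documentation range, and the function names are the example's own.

```shell
#!/bin/sh
# Added example: parse nmap grepable output (-oG -) into live hosts and open ports.
# Function names are this example's own; the sample scan output is constructed,
# not captured from a real scan.

# Constructed output of: nmap -sn -oG - 192.0.2.0/29   (grepable fields are tab-separated)
sample_sweep() {
  printf '# Nmap 7.94 scan initiated as: nmap -sn -oG - 192.0.2.0/29\n'
  printf 'Host: 192.0.2.1 (gw.example.net)\tStatus: Up\n'
  printf 'Host: 192.0.2.5 ()\tStatus: Up\n'
  printf '# Nmap done -- 8 IP addresses (2 hosts up) scanned in 1.23 seconds\n'
}

# Constructed output of: nmap -sV -oG - 192.0.2.5
# Each port entry is port/state/protocol/owner/service/rpc/version, comma separated.
sample_ports() {
  printf '# Nmap 7.94 scan initiated as: nmap -sV -oG - 192.0.2.5\n'
  printf 'Host: 192.0.2.5 ()\tStatus: Up\n'
  printf 'Host: 192.0.2.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/open/tcp//http//nginx 1.18.0/, 443/closed/tcp//https///, 53/open|filtered/udp//domain///\tIgnored State: filtered (996)\n'
  printf '# Nmap done -- 1 IP address (1 host up) scanned in 5.00 seconds\n'
}

# live_hosts: read -oG output on stdin, print one address per host reported "Status: Up".
live_hosts() {
  awk -F'\t' '/^Host:/ && $2 ~ /^Status: Up/ { split($1, h, " "); print h[2] }'
}

# open_ports: read -oG output on stdin, print "addr port/proto service version"
# for ports in state "open" only; closed, filtered and open|filtered entries are dropped.
open_ports() {
  awk -F'\t' '
    /^Host:/ && $2 ~ /^Ports:/ {
      split($1, h, " "); addr = h[2]
      sub(/^Ports: /, "", $2)
      n = split($2, p, /, /)
      for (i = 1; i <= n; i++) {
        split(p[i], f, "/")
        if (f[2] == "open") printf "%s %s/%s %s %s\n", addr, f[1], f[3], f[5], f[7]
      }
    }'
}

# Demo on the constructed data. Against a real network, pipe nmap in instead:
#   nmap -sn -oG - 192.0.2.0/24 | live_hosts > live.txt
#   nmap -sV --open -oG - -iL live.txt | open_ports
echo "Live hosts:"; sample_sweep | live_hosts
echo "Open ports:"; sample_ports | open_ports
```

Grepable output is one line per host, so it is the right format for shell pipelines; for anything more structured, nmap's XML output (-oX) is the supported machine-readable format. Note that open_ports deliberately ignores "open|filtered" UDP ports: they need a follow-up probe (for example -sV on that port) before you can call them open.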
These are the most used nmap command examples in Linux. It is a powerful tool that is also used by attackers, so only scan networks you own or are authorized to test. You can use it to get detailed information on a network, find which ports are open on its hosts, detect operating systems and service versions, and get the list of live hosts.