Introduction to nmap command
Nmap (Network Mapper) is an open-source command-line tool for network exploration and security auditing, available on Linux and most other platforms. It sends crafted raw IP packets to discover which hosts are on a network, which ports are open and which services (and versions) listen on them, which operating systems the hosts run, and whether packet filters or firewalls sit in the path. Network and system administrators use it for inventory and for monitoring host and service availability.
How to install nmap
You can install the nmap tool from the default package repositories of any major Linux distribution.
To install nmap on CentOS, Fedora and RHEL (on current releases yum is an alias of dnf, so dnf install nmap is equivalent):
$ sudo yum install nmap
To install nmap on Ubuntu and Debian
$ sudo apt-get install nmap
Different examples to use nmap command
Many nmap options work without root privileges, but anything that needs raw sockets (SYN scans, UDP scans, OS detection, traceroute, and therefore -A) must be run with sudo; those examples below are prefixed accordingly. In this article, you will learn to use the nmap command to scan networks with the following examples:
1. nmap command to scan a system using hostname
nmap command allows you to scan a system by its hostname. By default it probes the 1000 most common TCP ports and reports their state together with the service normally associated with each port; the MAC address (and vendor) is shown only when the target is on the same Ethernet segment as the scanning host.
$ nmap hostname
Sample Output:
2. nmap command to scan using IP address
An IP address uniquely identifies a device on the internet or on a local network. You can scan a system by IP address with the nmap command.
$ nmap IP_address
Sample Output:
3. Scan multiple hosts using nmap command
Scanning multiple hosts with the nmap command is easy: separate the hostnames or IP addresses with spaces. Hostnames and IP addresses can be mixed in the same command.
$ nmap host1 host2 host3
Sample Output:
4. nmap command to scan a range of IP address
nmap command allows you to scan a specific range of IP addresses. For example, to scan the addresses from 104.143.9.110 to 104.143.9.120 (inclusive), use:
$ nmap 104.143.9.110-120
Sample Output:
5. Scan a whole subnet using nmap command
nmap command allows scanning a whole subnet by using * as a wildcard in the IP address; quote the argument so the shell does not expand * against file names in the current directory. CIDR notation (for example 104.143.9.0/24) is equivalent and more usual.
$ nmap '104.143.9.*'
Sample Output:
It displays the scan report for all hosts that are live or up.
6. nmap command to get detailed information about the remote machine
You can use the -v option to make nmap more verbose about its own progress: it reports each port as soon as it is found open, estimates the time remaining, and prints extra detail such as host-discovery results. It does not reveal anything more about processes on the remote machine; combine it with -sV or -A for that.
$ nmap -v host
Sample Output:
7. nmap command to exclude some hosts
--exclude option removes specific addresses from a scan of multiple targets; separate several exclusions with commas (a file of exclusions can be given with --excludefile instead). For example, to scan the 21 addresses 104.143.9.110-130 except 104.143.9.120:
$ nmap 104.143.9.110-130 --exclude 104.143.9.120
Sample Output:
The scan summary then reports 20 IP addresses scanned instead of 21, and the excluded host never receives a probe, which is what you want for devices that are out of scope or known to misbehave when scanned.
8. nmap command to scan hosts from a file
You can scan all hosts listed in a file with the -iL option; entries are separated by whitespace or newlines and may use any of the forms above (hostnames, addresses, ranges, CIDR blocks). This is useful when you have a large number of hosts to scan, and it is also the natural place to keep a vetted, authorized target list.
$ nmap -iL filename
Sample Output:
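A target file is also the right place to enforce scope. The script below is an added example, not code from the original article: it filters a list of IPv4 targets against an authorized CIDR block before the list is handed to nmap -iL, so that a stray address in the file cannot widen the scan. It assumes plain IPv4 addresses, one per line (hostnames, ranges and CIDR entries are rejected rather than expanded); the scope 192.0.2.0/24 and the sample target list are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): keep an nmap -iL target
# list inside an authorized IPv4 scope. The scope block and the sample
# target list below are constructed for illustration.

# ip_to_int A.B.C.D -> prints the address as a 32-bit integer; fails on
# anything that is not a plain dotted quad (no hostnames, ranges or CIDR).
ip_to_int() {
    ip=$1
    case $ip in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in 0[0-9]*) return 1 ;; esac   # reject 010-style octets (octal ambiguity)
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# ip_in_cidr ADDR NET/PREFIX -> exit status 0 when ADDR lies inside the block.
ip_in_cidr() {
    case $2 in */*) ;; *) return 1 ;; esac
    addr=$(ip_to_int "$1") || return 1
    netint=$(ip_to_int "${2%/*}") || return 1
    prefix=${2#*/}
    case $prefix in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    if [ "$prefix" -eq 0 ]; then
        mask=0
    else
        mask=$(( (4294967295 << (32 - prefix)) & 4294967295 ))
    fi
    [ $(( addr & mask )) -eq $(( netint & mask )) ]
}

# scope_filter NET/PREFIX < targets -> prints in-scope addresses, one per
# line, and reports everything else on stderr. Blank lines and # comments
# are ignored.
scope_filter() {
    scope=$1
    while IFS= read -r t || [ -n "$t" ]; do
        case $t in ''|'#'*) continue ;; esac
        if ip_in_cidr "$t" "$scope"; then
            echo "$t"
        else
            echo "out of scope or not a plain IPv4 address, skipped: $t" >&2
        fi
    done
}

# Constructed sample target list, as it might be kept in targets.txt.
sample_targets() {
    printf '%s\n' '# web tier' 192.0.2.10 192.0.2.11 203.0.113.9 db.example.test 192.0.2.250
}

# Typical use (nmap itself is not invoked by this script):
#   scope_filter 192.0.2.0/24 < targets.txt > in_scope.txt && sudo nmap -sV -iL in_scope.txt
if [ "${1:-}" = "--demo" ]; then
    sample_targets | scope_filter 192.0.2.0/24
fi
```

Running the script with --demo prints the three 192.0.2.x entries and complains on stderr about 203.0.113.9 and db.example.test. Rejecting hostnames is deliberate: a name resolves at scan time, so it cannot be checked against an address scope in advance.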
9. Scan aggressively using the nmap command
-A option performs an aggressive scan that enables OS detection (-O), version detection (-sV), default script scanning (-sC) and traceroute in one go. It needs root privileges because OS detection and traceroute use raw packets, and it is noisy: expect it to show up in any IDS on the path.
$ sudo nmap -A host
Sample Output:
10. nmap command to perform OS detection
You can get OS information with the -O option; adding --osscan-guess makes nmap print its closest matches when no perfect fingerprint match is found, rather than giving up. OS detection needs root privileges and is only reliable when the target has at least one open and one closed TCP port.
$ sudo nmap -O host
OR
$ sudo nmap -O --osscan-guess host
Sample Output:
11. nmap command to scan for version detection
-sV option enables version detection: after finding open ports, nmap talks to each service to identify the application and version behind it, which is what you need when checking hosts against known-vulnerable software versions. TCP version detection works without root.
$ nmap -sV host
Sample Output:
12. nmap command to do a fast scan
-F option performs a fast scan: it probes the 100 most common ports instead of the default 1000, so it finishes sooner but can miss services on unusual ports.
$ nmap -F host
Sample Output:
13. nmap command to find live hosts in the network
-sP option skips port scanning and only reports which hosts in the network are up. It is the old spelling of -sn (example 30) and is still accepted; prefer -sn in new scripts.
$ nmap -sP 104.143.9.0/24
Sample Output:
14. nmap command to scan and detect firewall
-sA option (ACK scan) maps firewall rules rather than finding open ports: it sends bare ACK packets, and a port that answers with RST is reported as unfiltered (a stateless filter let the packet through), while one that answers nothing or with an ICMP error is reported as filtered. An ACK scan never reports ports as open. It needs root privileges.
$ sudo nmap -sA host
Sample Output:
15. nmap command to check if the host is protected by a firewall
-PN is the older spelling of -Pn (example 24): it skips host discovery and port-scans the target even when it does not answer ping probes. Use it when a host sits behind a firewall that drops ICMP and the default discovery probes, so that nmap would otherwise report it as down and stop.
$ nmap -PN host
Sample Output:
16. nmap command to scan without randomizing
By default, nmap randomizes the order in which ports are scanned, which makes the scan slightly harder to spot in firewall logs. The -r option scans ports sequentially (sorted from lowest to highest) instead, which is easier to follow when debugging.
$ nmap -r host
Sample Output:
17. Scan a specific port using nmap command
You can specify a single port with the -p option; nmap then probes only that port instead of its default list.
$ nmap -p NUM host
Sample Output:
You can also scan several ports at once by giving the -p option a comma-separated list, for example -p 22,80,443; prefix entries with T: or U: to restrict them to TCP or UDP when combining scan types.
18. nmap command to scan a UDP port
-sU option performs a UDP scan; it takes no argument of its own, so combine it with -p to limit it to particular ports (a full UDP scan of 1000 ports is slow because closed ports are inferred from ICMP port-unreachable replies that hosts rate-limit). Open UDP services often give no reply at all, so nmap reports many ports as open|filtered; add -sV to send protocol-specific probes that resolve those. UDP scanning needs root privileges.
$ sudo nmap -sU -p NUM host
Sample Output:
19. Scan a specific range of ports using nmap command
You can specify a range of ports with the -p option; nmap scans every port between the two numbers, inclusive. -p- is shorthand for all 65535 ports.
$ nmap -p numX-numY host
Sample Output:
20. nmap command to show host and port state reasons
--reason option shows why nmap assigned each port state and each host state, for example syn-ack for an open port, reset for a closed one, or no-response for a filtered one. It is the quickest way to tell a firewall drop from a genuinely closed port.
$ nmap --reason host
Sample Output:
21. Show only open ports using nmap command
--open option filters the report so that only open ports are listed (open|filtered ports that cannot be ruled out are kept as well). Ports in other states are still probed; only the output is trimmed.
$ nmap --open host
Sample Output:
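--open only trims the human-readable report. When scan results feed another tool, nmap's grepable output (-oG -, one tab-separated line per host) is easier to process than the normal listing. The parser below is an added example, not code from the original article; it assumes the documented -oG line layout (Host: ... then Ports: port/state/protocol/owner/service/rpc info/version/, ...) and embeds a constructed sample of such output, with RFC 5737 documentation addresses and made-up service banners, so that it runs offline.

```shell
#!/bin/sh
# Added example (not from the original article): extract open ports from
# nmap grepable output (-oG). Real use:
#   sudo nmap -sV -oG - 192.0.2.0/29 | list_open_ports
# The sample below is constructed; hosts, ports and banners are illustrative.

# Constructed stand-in for the text `nmap -sV -oG -` writes to stdout.
# Fields within a Host: line are tab separated; each Ports: entry is
# port/state/protocol/owner/service/rpc info/version/.
sample_grepable() {
    printf '# Nmap 7.94 scan initiated Mon Jan  1 00:00:00 2024 as: nmap -sV -oG - 192.0.2.0/29\n'
    printf 'Host: 192.0.2.10 ()\tStatus: Up\n'
    printf 'Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 9.2p1/, 80/open/tcp//http//nginx 1.22.1/, 443/closed/tcp//https///\tIgnored State: filtered (997)\n'
    printf 'Host: 192.0.2.11 (db.example.test)\tStatus: Up\n'
    printf 'Host: 192.0.2.11 (db.example.test)\tPorts: 22/filtered/tcp//ssh///, 53/open/udp//domain//ISC BIND 9.18.1/, 5432/open|filtered/udp//postgresql///\tIgnored State: closed (997)\n'
    printf '# Nmap done at Mon Jan  1 00:00:05 2024 -- 8 IP addresses (2 hosts up) scanned in 5.00 seconds\n'
}

# list_open_ports [any]: read -oG text on stdin and print
# "host port/proto service version" for every port in state open.
# open|filtered ports (typical for UDP) are excluded unless "any" is given,
# because nmap could not tell them from a silent drop.
list_open_ports() {
    awk -F'\t' -v include="${1:-open}" '
        /^Host:/ {
            host = $1
            sub(/^Host: /, "", host); sub(/ .*/, "", host)
            for (i = 2; i <= NF; i++) {
                if ($i !~ /^Ports: /) continue
                ports = $i; sub(/^Ports: /, "", ports)
                n = split(ports, entry, /, /)
                for (j = 1; j <= n; j++) {
                    split(entry[j], f, "/")
                    # f[1]=port f[2]=state f[3]=proto f[5]=service f[7]=version
                    if (f[2] == "open" || (include == "any" && f[2] == "open|filtered"))
                        printf "%s %s/%s %s %s\n", host, f[1], f[3], f[5], f[7]
                }
            }
        }'
}

# count_open_ports: number of confirmed-open ports in the -oG text on stdin.
count_open_ports() {
    list_open_ports | wc -l | tr -d ' '
}

# Demo on the constructed sample:
#   sample_grepable | list_open_ports
if [ "${1:-}" = "--demo" ]; then
    sample_grepable | list_open_ports
fi
```

On the sample this lists 22/tcp and 80/tcp on 192.0.2.10 and 53/udp on 192.0.2.11; the closed 443/tcp, the filtered 22/tcp and the open|filtered 5432/udp are left out unless "any" is requested. For anything more involved than a one-line-per-host format, nmap's XML output (-oX) is the stable interface; -oG is documented as deprecated but is still handy in shell pipelines.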
22. nmap command to list interfaces and routes
--iflist option prints the interfaces and system routes as nmap sees them, without scanning anything. It is useful for debugging routing problems and cases where nmap picks the wrong interface or mischaracterizes a device.
$ nmap --iflist
Sample Output:
23. nmap command to enable IPv6 scanning
-6 option enables IPv6 scanning. The target must be an IPv6 address or a hostname that resolves to one; an IPv4-only target cannot be used with -6 and nmap will fail to resolve it.
$ nmap -6 IPv6_address
Sample Output:
24. nmap command to treat all hosts as online
-Pn option skips host discovery and treats every target as online, even if it does not answer ping probes; nmap goes straight to the port scan. Use it for hosts behind firewalls that drop discovery probes. Against a large range it wastes time port-scanning addresses that are not in use, so combine it with a small, known target list.
$ nmap -Pn host
Sample Output:
25. Prints all the packets sent and received with nmap command
--packet-trace option prints every packet nmap sends and receives in a tcpdump-like summary, which is invaluable for understanding why a port came back filtered or for confirming what a scan actually puts on the wire.
$ nmap --packet-trace host
Sample Output:
26. nmap command to enable host timeout
--host-timeout option gives up on an individual target after the specified time; the value takes a unit suffix such as 30s, 5m or 1h (a bare number is read as seconds). It is a per-host limit, not a limit on the whole scan, so a slow or heavily filtered host is skipped rather than stalling everything else.
$ nmap --host-timeout 30s host
Sample Output:
27. List the targets only using nmap command
-sL option lists the targets nmap would scan (expanding ranges and CIDR blocks and doing reverse-DNS lookups) without sending any packets to them. Run it first to confirm that a target expression covers exactly the hosts you intend to scan.
$ nmap -sL 104.143.9.0/24
Sample Output:
28. Trace hop path to each host with nmap command
--traceroute option traces the hop path to each host after the scan, using the probe type and port that worked best during the scan. It needs root privileges.
$ sudo nmap --traceroute host
Sample Output:
29. nmap command to scan random targets
-iR option picks the specified number of random Internet addresses as targets (private, multicast and other reserved ranges are excluded); 0 means keep choosing targets indefinitely. This is meant for research on the Internet at large; the hosts chosen have not agreed to be scanned, so never use it within an engagement that has a defined scope.
$ nmap -iR NUM
Sample Output:
30. nmap command to disable port scanning
-sn option performs host discovery only and does not port-scan afterwards; it prints the list of hosts that responded to the probes. This is the "ping scan", the modern spelling of -sP. Run as root on a local Ethernet it uses ARP requests; elsewhere it sends an ICMP echo request, a TCP SYN to port 443, a TCP ACK to port 80 and an ICMP timestamp request. As an unprivileged user it falls back to TCP connects to ports 80 and 443.
$ nmap -sn 104.143.9.0/24
Sample Output:
Conclusion
These are the most used nmap command examples in Linux. Nmap is a powerful tool that attackers use for reconnaissance just as administrators use it for inventory, so scan only networks you are authorized to test: a port scan is conspicuous in firewall and IDS logs and may be treated as hostile. With it you can get detailed information on a network, find the open ports on each host, detect operating systems and service versions, and list the live hosts.