30 nmap command examples in Linux [Cheat Sheet]



Reviewer: Deepak Prasad

Introduction to nmap command

Nmap (Network Mapper) is an open-source command-line tool in Linux for network exploration and security auditing. It uses raw IP packets to determine which hosts are available on the network, what services and operating systems they are running, which ports are open, and what packet filters/firewalls are in use. Network and system administrators can use this tool to scan networks and monitor host and service uptime.

 

How to install nmap

You can install nmap tool from the default package management repositories in any Linux distribution.

To install nmap on CentOS, Fedora and RHEL

$ sudo yum install nmap

To install nmap on Ubuntu and Debian

$ sudo apt-get install nmap

 

Different examples to use nmap command

Most of the nmap commands can be executed without root privileges. In this article, you will learn to use the nmap command to scan the networks from the following examples:

1. nmap command to scan a system using hostname

nmap command allows you to scan a system using the hostname. It displays all open ports, services, and MAC addresses on the system.

$ nmap hostname

Sample Output:

nmap command to scan a system using hostname

 

2. nmap command to scan using IP address

An IP address is a unique address for identifying the devices on the internet or local network. You can scan a system by using an IP address with nmap command.

$ nmap IP_address

Sample Output:

nmap command to scan using IP address

 

3. Scan multiple hosts using nmap command

Scanning multiple hosts with nmap command is pretty easy. You have to separate the hostnames or IP addresses with a space. You can also scan hostnames and IP addresses together.

$ nmap host1 host2 host3

Sample Output:

nmap command to scan multiple hosts

 

4. nmap command to scan a range of IP address

nmap command allows you to scan a specific range of IP addresses. For example, if you have to scan IP addresses from 104.143.9.110 - 104.143.9.120, you can use:

$ nmap 104.143.9.110-120

Sample Output:

nmap command to scan a specific range of ip address

 

5. Scan a whole subnet using nmap command

nmap command allows scanning a whole subnet by using * in IP address.

$ nmap 104.143.9.*

Sample Output:

nmap command to scan whole subnet

It displays the scan report for all hosts that are live or up.

nmap command to scan whole subnets

 

6. nmap command to get detailed information about the remote machine

You can use -v option to get more detailed information about the remote machines. It increases verbosity, so nmap prints more information about the scan in progress.

$ nmap -v host

Sample Output:

nmap command to get more detailed information about the remote machines

7. nmap command to exclude some hosts

--exclude option is used to exclude a specific address when performing a scan of multiple IP addresses.

$ nmap IP_range --exclude IP_address

Sample Output:

nmap command to exclude hosts

As we can see in the output, it only scanned 20 IP addresses instead of 21. You can also exclude multiple IP addresses.

 

8. nmap command to scan hosts from a file

You can scan all listed hosts in a file using nmap command. It is useful when you have a large number of hosts stored in a file.

$ nmap -iL filename

Sample Output:

nmap command to scan hosts from a file

 

9. Scan aggressively using the nmap command

-A option performs an aggressive scan to get more information such as OS detection, version detection, script scanning, and traceroute. You will need root permission to execute this command.

$ sudo nmap -A host

Sample Output:

nmap command to scan aggressively

 

10. nmap command to perform OS detection

You can also get OS information using -O or --osscan-guess option.

$ sudo nmap -O host

OR

$ sudo nmap -O --osscan-guess host

Sample Output:

nmap command to detect os

 

11. nmap command to scan for version detection

-sV option enables version detection and checks for services versions running on the remote hosts.

$ nmap -sV host

Sample Output:

nmap command to detect version

 

12. nmap command to do a fast scan

-F option allows you to do a fast scan on the system. It scans fewer ports than the default scan.

$ nmap -F host

Sample Output:

nmap command to do fast scan

 

13. nmap command to find live hosts in the network

-sP option skips port scanning and checks for live hosts in the network.

$ nmap -sP IP_range

Sample Output:

nmap command to find live hosts

 

14. nmap command to scan and detect firewall

-sA option is used to find out if any firewall or packet filters are used by the hosts.

$ sudo nmap -sA host

Sample Output:

nmap command to detect a firewall

 

15. nmap command to check if the host is protected by a firewall

You can use -PN option to check if the host is protected by firewall or packet filters.

$ sudo nmap -PN host

Sample Output:

nmap command to check if the host is protected by a firewall

 

16. nmap command to scan without randomizing

By default, Nmap randomizes the scanned port order. -r option allows scanning sequentially (sorted from lowest to highest).

$ nmap -r host

Sample Output:

nmap command to scan without randomizing

 

17. Scan a specific port using nmap command

You can specify a port using -p option to scan with nmap command.

$ nmap -p NUM host

Sample Output:

nmap command to scan specific port

You can also scan for multiple ports using -p option.

nmap command to scan for multiple ports

 

18. nmap command to scan a UDP port

You can scan a UDP port by using -sU option together with -p. It prints the scan report for UDP port only.

$ sudo nmap -sU -p NUM host

Sample Output:

nmap command to scan udp port

 

19. Scan a specific range of ports using nmap command

You can specify a range of ports with -p option to scan using nmap command. It scans for all the available ports between the specified range.

$ nmap -p numX-numY host

Sample Output:

nmap command to scan a range of ports

 

20. nmap command to show host and port state reasons

--reason option shows the reason why each host is up or down and why each port is in its reported state.

$ nmap --reason host

Sample Output:

nmap command to show host and port state reasons

 

21. Show only open ports using nmap command

--open option filters the list of ports and shows only open ports in the output.

$ nmap --open host

Sample Output:

nmap command to show open ports only
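
A defender's use of --open, as an added example that is not part of the original article: the function below compares the open-port lines in nmap's output with an allowlist of expected services and prints anything unexpected. The scan text and allowlist are constructed samples, and the names unexpected_ports, SAMPLE_SCAN, ALLOWLIST, hosts.txt and allowlist.txt are assumptions made for this example.

```shell
#!/bin/sh
# Added example: flag open ports that are not on an allowlist.
# SAMPLE_SCAN is constructed text in nmap's normal output format, not a real scan.
SAMPLE_SCAN='Nmap scan report for web01.example.internal (192.0.2.10)
Host is up (0.0010s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
443/tcp  open  https
3306/tcp open  mysql

Nmap scan report for 192.0.2.11
Host is up (0.0012s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
23/tcp open  telnet'

# Constructed allowlist: one "address port/protocol" pair per line.
ALLOWLIST='192.0.2.10 22/tcp
192.0.2.10 443/tcp
192.0.2.11 22/tcp'

# unexpected_ports ALLOWLIST_TEXT < scan_output
# Prints "address port/protocol service" for every open port not allowlisted.
unexpected_ports() {
    ALLOW="$1" awk '
        BEGIN {
            n = split(ENVIRON["ALLOW"], rows, "\n")
            for (i = 1; i <= n; i++)
                if (split(rows[i], f, " ") == 2) ok[f[1] " " f[2]] = 1
        }
        /^Nmap scan report for / {
            host = $NF                  # "(address)" after a name, or a bare address
            gsub(/[()]/, "", host)
            next
        }
        $1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" {
            key = host " " $1
            if (!(key in ok)) print host, $1, $3
        }
    '
}

# Stand-alone run on the sample. With a real scan, pipe nmap output in instead
# (hosts.txt and allowlist.txt are hypothetical file names):
#   nmap --open -iL hosts.txt | unexpected_ports "$(cat allowlist.txt)"
printf '%s\n' "$SAMPLE_SCAN" | unexpected_ports "$ALLOWLIST"
```
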

 

22. nmap command to list interfaces and routes

--iflist option prints the interface list and system routes as detected by nmap. It is useful to debug routing problems and device mischaracterization.

$ nmap --iflist

Sample Output:

nmap command to print interfaces and routes

 

23. nmap command to enable IPv6 scanning

-6 option enables IPv6 scanning with nmap command. You must specify IPv6 address in order to perform IPv6 scanning. Otherwise, it will fail to resolve the address.

$ nmap -6 IPv6_address

Sample Output:

nmap command to enable ipv6 scanning

 

24. nmap command to treat all hosts as online

-Pn option treats all hosts as online even if they are not.

$ nmap -Pn host

Sample Output:

nmap command to treat all hosts as online

 

25. Prints all the packets sent and received with nmap command

--packet-trace option shows all the packets sent and received on the network.

$ nmap --packet-trace host

Sample Output:

nmap command to show all packets sent and received

 

26. nmap command to enable host timeout

--host-timeout allows you to specify a scanning time in seconds. nmap command stops scanning the target after that time.

$ nmap --host-timeout TIME host

Sample Output:

nmap command to give up on target after host timeout

 

27. List the targets only using nmap command

When you only need to list the targets that would be scanned, without scanning them, you can use -sL option.

$ nmap -sL IP_range

Sample Output:

nmap command to list the targets to scan

 

28. Trace hop path to each host with nmap command

--traceroute option allows you to trace hop path to each host.

$ sudo nmap --traceroute host

Sample Output:

nmap command to trace hop path to each host

 

29. nmap command to scan random targets

You can specify the maximum number of IP addresses you wish to scan using -iR option. It scans the specified number of random IP addresses. The number 0 is used to set the unlimited number of IP addresses.

$ nmap -iR NUM 

Sample Output:

nmap command to scan random ip address

 

30. nmap command to disable port scanning

-sn option does not perform a port scan after host discovery. It only prints out the list of hosts that responded to the scan.  It is also called a "ping scan".

$ nmap -sn IP_range

Sample Output:

nmap command to disable port scan

 

Conclusion

These are the most used nmap command examples in Linux. It is a powerful tool that is also used by hackers. You can use this tool to get detailed information on the network, find the number of ports available on the network, detect OS and services and get the list of live hosts.

 


Further Reading

man page for nmap command

 

Rohan Timalsina
