Nmap (Network Mapper,) is a free and opensource security tool used for network scanning. Some of the main features of Nmap are scan for open ports, service discovery and security, and vulnerability auditing.
Nmap is most commonly used via a command-line interface and is available for many different operating systems such as Ubuntu, CentOS, Redhat, Free BSD, and Mint.
In this tutorial, we are going to look at the some of the most frequently used Nmap command with some examples.
Be default, nmap is not installed on most Linux distributions like Debian, Ubuntu, Hat, CentOS and Fedora. But its available on yum and apt repo for an easy install.
The following commands install nmap on Linux:
CentOS and Redhat based systems
$ sudo yum install nmap
On Ubuntu and Debian based systems
$ sudo apt-get install nmap
1. Scan Specific Host
To scan a specific host (this assumes that you already have the host's IP or hostname) and reveal basic information, use the command:
$ nmap IP-address
$ nmap 220.127.116.11
The command above is quick and generates output within a short time
You can also scan using the hostname instead of the IP address for example
$ nmap ubuntu-server
To scan a range of IPs, use the syntax
$ nmap 18.104.22.168-103
The command will scan all hosts from
IP 192.168.43.1 to 192.168.43.103
2. Perform a thorough scan on a system
You can reveal all the information about a host system using the
-A flag as shown below. This will reveal all the information pertaining to the host system such as the underlying OS, open ports, services running and their versions, etc.
$ nmap -A 22.214.171.124
From the output, you can see that the command performs os and service detection, giving you detailed information such as the type of service and its version, and the port it is running on. The command usually takes a while to run but it is thorough and gives you all you need about the particular host system.
3. Scanning a particular port
To scan a specific port and check if it is open use the -p flag in the syntax below:
$ nmap -p port_number IP-address
For example, to scan port 80 on a host system run:
$ nmap -p 80 192.168.43.103
To scan a range of ports, for example between 80-433 use the syntax:
$ nmap -p 25-443 192.168.43.13 or $ nmap -p 80,443 192.168.43.13
4. Find Host service name and its version
To check basic information about the services running on a host, then use the
-sV flag as shown:
$ nmap -sV 192.168.43.103
5. Scanning an entire network subnet
To scan devices in a network subnet, use the CIDR notation as shown
$ nmap 192.168.43.0/24
6. Exclude specific host on Scan
As you perform a full network scan, you can choose to exclude a specific host using the
--exclude flag . In the example below, we shall exclude our Kali Linux machine from being scanned.
$ nmap 192.168.43.* --exclude 192.168.43.8
7. Display host interfaces and routes
To display interfaces and routes on a particular host use the
--iflist flag as shown.
$ nmap 192.168.43.103 --iflist
8. Scan Remote Host using TCP ACK and TCP Syn
At times, firewalls can block ICMP requests interfering with the scan results. In that case, we use the TCP syn (PS) and TCP ACK (PA) to achieve the desired results.
$ nmap -PS 192.168.43.103
$ nmap -PA 192.168.43.103
9. Scan to detect firewall settings
You can use the Nmap tool to perform a scan to show whether the firewall is open or not as shown
$ nmap -sA 192.168.43.223
In the first instance, the firewall is disabled and therefore not running. (Ports are unfiltered). In the second instance, the firewall has been enabled and chances of discovering open ports will be minimal.
10. Scanning TCP or UDP ports
To scan TCP ports that are open on the host, use the
-sT flag as shown:
$ nmap -sT 192.168.43.103
To scan UDP ports, use the
$ nmap -sU 192.168.43.103
11. Save scan results in a file
After you have completed your scan, you can save the results in a text file using the -oN flag and specifying the output file as shown below:
$ nmap -oN scan.txt 192.168.43.103
The file will be created in your current working directory. To view the view simply use the cat command as shown:
$ cat results.txt
Also, you can use the redirection symbol (>) greater than symbol to redirect the output to a different file for example,
$ nmap 192.168.43.103 > output.txt
12. Scan with a set of Nmap scripts
Nmap comes packed with numerous and powerful scripts that are used for vulnerability scanning and thereby pointing out weaknesses in a system. To get the location of NSE scripts simply run the command:
$ locate *nse
You can load an Nmap script using the
--script option as shown.
$ nmap -sV --script=mysql-info.nse 192.168.43.103
To scan with the most default scripts use the syntax
$ nmap -sC 192.168.43.103
If you are looking for automation then NSE is the answer (NMAP Scripting Engine)
If you are looking for automation then NSE is the answer (NMAP Scripting Engine). To get help with commands on Nmap simply run
$ nmap -h. And that's all we had for this topic. We do hope that you are comfortable using nmap command to scan your network and discover more details about your host systems.