Nmap Commands with Examples

Nmap (Network Mapper) is a free and open-source security tool used for network scanning. Its main features include scanning for open ports, service discovery, and security and vulnerability auditing.

Nmap is most commonly used from the command line and is available for many operating systems, such as Ubuntu, CentOS, Red Hat, FreeBSD, and Mint.

In this tutorial, we are going to look at some of the most frequently used Nmap commands, with examples.

Install NMAP

By default, nmap is not installed on most Linux distributions such as Debian, Ubuntu, Red Hat, CentOS and Fedora, but it is available in the yum and apt repositories for an easy install.

The following commands install nmap on Linux:

CentOS and Redhat based systems

$ sudo yum install nmap

On Ubuntu and Debian based systems

$ sudo apt-get install nmap

1. Scan Specific Host

To scan a specific host (this assumes you already have the host's IP address or hostname) and reveal basic information, use the command:

$ nmap IP-address

For example,

$ nmap

The command above is quick and generates output within a short time.

You can also scan using the hostname instead of the IP address. For example:

$ nmap ubuntu-server
[Screenshot: nmap scan by hostname]

To scan a range of IPs, use the syntax:

$ nmap

The command will scan all hosts from IP to

[Screenshot: scanning a range of IP addresses]

2. Perform a thorough scan on a system

You can reveal all the information about a host system using the -A (aggressive scan) flag, as shown below. This reveals the underlying OS, open ports, running services and their versions, and so on.

$ nmap -A
[Screenshot: nmap aggressive scan output]

From the output, you can see that the command performs OS and service detection, giving you detailed information such as the type of service, its version, and the port it is running on. The command usually takes a while to run, but it is thorough and gives you everything you need about the particular host system.

3. Scanning a particular port

To scan a specific port and check whether it is open, use the -p flag with the syntax below:

$ nmap -p port_number IP-address

For example, to scan port 80 on a host system, run:

$ nmap -p 80
[Screenshot: nmap check of a single port]

To scan a range of ports, for example between 80-433, use a hyphenated range; to scan a specific set of ports, use a comma-separated list:

$ nmap  -p 25-443
$ nmap -p 80,443
[Screenshot: nmap scan of a range of ports]
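Nmap refuses malformed port specifications (a port above 65535, a backwards range such as 443-25), and a wrapper script that builds the command line should catch these before the scan starts. The following POSIX sh functions are an added example, not part of the original tutorial: they validate the three forms shown above (a single port, a hyphenated range, a comma-separated list) and print the nmap command that would be run without executing it. The target 192.168.43.10 and the bad inputs 443-25 and 70000 are constructed; protocol prefixes such as T: and U: are not handled.

```shell
# Added example (not from the original tutorial): validate a "-p" port
# specification before handing it to nmap. Handles single ports, ranges and
# comma-separated lists; rejects ports outside 1-65535 and backwards ranges.

# valid_port PORT -> exit status 0 when PORT is an integer in 1..65535
valid_port() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;   # empty or contains a non-digit
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# valid_port_spec SPEC -> exit status 0 when every comma-separated item of
# SPEC is a valid port or a valid low-high range
valid_port_spec() {
    spec=$1
    [ -n "$spec" ] || return 1
    old_ifs=$IFS
    IFS=,
    set -- $spec          # split SPEC on commas into the positional parameters
    IFS=$old_ifs
    [ $# -gt 0 ] || return 1
    for item; do
        case $item in
            *-*) lo=${item%%-*}; hi=${item#*-} ;;   # "25-443"
            *)   lo=$item;        hi=$item ;;       # "80"
        esac
        valid_port "$lo" && valid_port "$hi" && [ "$lo" -le "$hi" ] || return 1
    done
    return 0
}

# scan_cmd TARGET SPEC -> prints the nmap command line that would be run,
# or fails silently when SPEC is malformed (dry run only; nmap is never invoked)
scan_cmd() {
    valid_port_spec "$2" || return 1
    printf 'nmap -p %s %s\n' "$2" "$1"
}

# Demonstration with the port specs from the tutorial plus two constructed
# bad inputs (a backwards range and an out-of-range port).
for spec in 80 25-443 80,443 443-25 70000; do
    scan_cmd 192.168.43.10 "$spec" || echo "rejected: $spec"
done
```

The split on commas uses `set --` rather than an array so the script runs under plain /bin/sh; an empty field (from "80,,443") or a missing bound ("80-") fails the valid_port check and is rejected along with the rest of the specification.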

4. Find Host service name and its version

To check basic information about the services running on a host, use the -sV flag as shown:

$ nmap -sV

5. Scanning an entire network subnet

To scan devices in a network subnet, use CIDR notation as shown:

$ nmap
[Screenshot: scanning a subnet with nmap]

6. Exclude specific host on Scan

As you perform a full network scan, you can choose to exclude a specific host using the --exclude flag. In the example below, we exclude our Kali Linux machine from the scan.

$ nmap 192.168.43.* --exclude

[Screenshot: nmap scan with an excluded host]

7. Display host interfaces and routes

To display the interfaces and routes on a particular host, use the --iflist flag as shown:

$ nmap --iflist

[Screenshot: host interfaces and routes]

8. Scan Remote Host using TCP ACK and TCP Syn

At times, firewalls block ICMP requests, which interferes with host discovery and therefore with the scan results. In that case, use the TCP SYN ping (-PS) and TCP ACK ping (-PA) host discovery probes to achieve the desired results.

$ nmap -PS
[Screenshot: nmap -PS scan output]
$ nmap -PA
[Screenshot: nmap -PA scan output]

9. Scan to detect firewall settings

You can use the Nmap ACK scan (-sA) to check whether a firewall is in front of the host: rather than reporting open ports, it reports each port as filtered or unfiltered, as shown:

$ nmap -sA
[Screenshot: ACK scan output with the firewall disabled and enabled]

In the first instance, the firewall is disabled and therefore not running (ports are reported as unfiltered). In the second instance, the firewall has been enabled, ports are reported as filtered, and the chances of discovering open ports will be minimal.

10. Scanning TCP or UDP ports

To scan TCP ports that are open on the host, use the -sT (TCP connect scan) flag as shown:

$ nmap -sT


To scan UDP ports, use the -sU flag:

$ nmap -sU

11. Save scan results in a file

You can save the results of your scan in a text file by adding the -oN flag and specifying the output file, as shown below:

$ nmap -oN scan.txt

The file is created in your current working directory. To view it, simply use the cat command as shown:

$ cat results.txt
[Screenshot: output of the cat command]

You can also use the redirection symbol (>) to send the output to a file, for example:

$ nmap > output.txt

[Screenshot: redirected nmap output]
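Once a report is saved with -oN, the next step is usually to pull the interesting lines out of it: which hosts have open ports, and which hosts answered every probe as filtered (the firewall case from section 9). The script below is an added example, not part of the original tutorial. SCAN_REPORT is a constructed sample in nmap's normal (-oN) output format for a subnet scan with three hosts up; in practice you would pass the contents of your own file, for example `open_ports "$(cat scan.txt)"`. The hosts and ports in the sample are made up.

```shell
# Added example (not from the original tutorial): summarise a saved -oN
# report. SCAN_REPORT is a constructed sample, not real scan output.
SCAN_REPORT='# Nmap 7.80 scan initiated Mon Jan  1 10:00:00 2024 as: nmap -oN scan.txt 192.168.43.0/24
Nmap scan report for 192.168.43.10
Host is up (0.00050s latency).
Not shown: 996 closed ports
PORT    STATE  SERVICE
22/tcp  open   ssh
80/tcp  open   http
443/tcp open   https
631/tcp closed ipp
Nmap scan report for 192.168.43.20
Host is up (0.0012s latency).
All 1000 scanned ports on 192.168.43.20 are filtered
Nmap scan report for 192.168.43.30
Host is up (0.00080s latency).
Not shown: 999 closed ports
PORT     STATE SERVICE
3306/tcp open  mysql
# Nmap done at Mon Jan  1 10:00:20 2024 -- 256 IP addresses (3 hosts up) scanned in 20.00 seconds'

# open_ports REPORT_TEXT
# Prints "host port/proto,port/proto,..." for every host with at least one
# port in the "open" state, in the order the hosts appear in the report.
open_ports() {
    printf '%s\n' "$1" | awk '
        /^Nmap scan report for / { host = $5; next }   # start of a new host block
        $2 == "open" {                                 # a port line: "22/tcp open ssh"
            if (host in ports) ports[host] = ports[host] "," $1
            else { order[++n] = host; ports[host] = $1 }
        }
        END { for (i = 1; i <= n; i++) print order[i], ports[order[i]] }'
}

# filtered_hosts REPORT_TEXT
# Prints hosts for which every scanned port was reported as filtered, i.e.
# a firewall dropped the probes. The wording of this summary line differs
# slightly between Nmap versions; this matches the 7.8x form used above.
filtered_hosts() {
    printf '%s\n' "$1" | awk '/^All [0-9]+ scanned ports on .* are filtered/ { print $6 }'
}

echo "hosts with open ports:"
open_ports "$SCAN_REPORT"
echo "hosts fully filtered by a firewall:"
filtered_hosts "$SCAN_REPORT"
```

The parser keys everything off the "Nmap scan report for" line that starts each host block, so it works on a single-host report and a subnet report alike; a host that shows only closed ports (or a hostname in place of an address) simply does not appear in the open-ports list.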

12. Scan with a set of Nmap scripts

Nmap comes with numerous powerful scripts for vulnerability scanning that point out weaknesses in a system. To find the location of the NSE scripts, run:

$ locate '*.nse'
[Screenshot: location of the NSE scripts]

You can load an Nmap script using the --script option as shown:

$ nmap -sV --script=mysql-info.nse

To scan with the default set of scripts, use the -sC flag:

$ nmap -sC
[Screenshot: nmap command with scripts]

If you are looking for automation, the Nmap Scripting Engine (NSE) is the answer. To get help with Nmap commands, simply run $ nmap -h. That's all we had for this topic. We hope you are now comfortable using the nmap command to scan your network and discover more details about your host systems.
