20 Awesome Nmap Command Examples

In this tutorial you'll find 20 basic examples of Nmap command usage.

You'll see how to use Nmap from the Linux command line to find active hosts on a network and to scan them for open ports.

You'll learn how to determine a remote operating system using TCP/IP stack fingerprinting and how to discover what version of software is running on a remote host.

I'll also show how to use Nmap for stealthy scanning, how to detect firewalls and how to spoof your MAC address.

1. Scan a Single Host or an IP Address

Scan a Single IP Address :

$ nmap

Scan a Host Name :

$ nmap server.shellhacks.com

Increase Verbosity Level :

$ nmap -v server.shellhacks.com
$ nmap -vv server.shellhacks.com

2. Scan Multiple IP Addresses

Scan Multiple IP Addresses :

$ nmap
$ nmap ,2,3

Scan a Subnet :

$ nmap
$ nmap 192.168.1.*

Scan a Range of IP Addresses ( - :

$ nmap

3. Scan Network for Active Computers

Scan for Active Hosts on a network (host discovery only, no port scan) :

$ nmap -sn

Read more : Finding Active Computers in Local Network

4. Scan a List of Hosts From Input File

Scan hosts/networks from the Input File :

$ nmap -iL input.txt

Format of the input file :

# Entries can be in any of the formats accepted by Nmap on the command line
# (IP address, hostname, CIDR, IPv6, or octet ranges). Each entry must be separated
# by one or more spaces, tabs, or newlines.

$ cat input.txt

5. Exclude IP/Hosts/Networks From Nmap Scan

Exclude Targets from Nmap scan :

$ nmap --exclude
$ nmap --exclude
$ nmap --exclude,2,3

Exclude List of hosts from a file :

$ nmap --excludefile exclude.txt

Format of the exclude file is the same as format of the input file shown above.

6. Scan For Specific Ports

Scan for a Single Port :

$ nmap -p 80

Scan for Several Ports :

$ nmap -p 80,443

Scan for a Port Range :

$ nmap -p 80-1000

Scan for All Ports :

$ nmap -p "*"

Scan for the N most common ports (ranked by how often they are open, according to nmap-services) :

$ nmap --top-ports 5
$ nmap --top-ports 10

7. Determine Supported IP Protocols

Determine which IP Protocols (TCP, UDP, ICMP, etc.) are supported by the target host (sends raw IP packets, so it needs root) :

$ nmap -sO

8. Scan For TCP/UDP Ports

Scan TCP Ports with a TCP connect scan :

$ nmap -sT

* -sT completes the full three-way handshake and is the default when Nmap is run without root privileges. Like every scan type it covers the default 1000 most common ports unless a port list is given, so it is not a scan of all TCP ports.

Scan for Particular TCP Ports :

$ nmap -p T:80

Scan UDP Ports :

$ nmap -sU

* UDP scanning needs root and is slow : an open UDP port usually sends no reply, so Nmap can only report it as open|filtered unless the service answers the probe.

Scan for Particular UDP Ports :

$ nmap -p U:53

Combine TCP and UDP ports in one specification (a T: or U: prefix applies to every following entry until the next prefix) :

$ nmap -p U:53,79,113,T:21-25,80,443,8080
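The sticky prefix rule is the part people get wrong (a U: early in the list silently turns later TCP ports into UDP probes), so here is an added example, not from the original article, that expands an nmap -p specification the way Nmap reads it and counts the probes per protocol. It also handles the open-ended range forms Nmap accepts (-p -100, -p 1024- and -p- for 1 through 65535); service names from nmap-services are not handled. Only the functions and the sample specification are assumed here; the parsing rules are Nmap's own.

```shell
# Expand an nmap -p port specification into one "<proto> <port>" line per port,
# the way nmap itself reads it: a T: or U: prefix stays in effect for every
# following entry until another prefix appears, a missing range bound means
# 1 or 65535, and entries with no prefix at all default to TCP.
# Port *names* from nmap-services (e.g. -p ftp,http*) are deliberately not handled.
expand_ports() {
    spec=$1
    proto=tcp                         # nmap's default when no prefix is given
    printf '%s\n' "$spec" | tr ',' '\n' | while IFS= read -r entry; do
        case $entry in
            T:*) proto=tcp; entry=${entry#T:} ;;
            U:*) proto=udp; entry=${entry#U:} ;;
        esac
        case $entry in
            '') ;;                    # skip empty entries
            *-*)
                lo=${entry%-*}; hi=${entry#*-}
                [ -n "$lo" ] || lo=1        # "-p -100" means 1-100
                [ -n "$hi" ] || hi=65535    # "-p 1024-" and "-p-" run to the top port
                i=$lo
                while [ "$i" -le "$hi" ]; do
                    printf '%s %s\n' "$proto" "$i"
                    i=$((i + 1))
                done ;;
            *) printf '%s %s\n' "$proto" "$entry" ;;
        esac
    done
}

# Count how many probes a specification implies, per protocol: worth knowing
# before launching a UDP scan, which is far slower per port than a TCP SYN scan.
count_ports() {
    expand_ports "$1" | awk '{ n[$1]++ } END { printf "tcp=%d udp=%d\n", n["tcp"], n["udp"] }'
}

# Walk the combined specification from the article.
expand_ports 'U:53,79,113,T:21-25,80,443,8080'
count_ports  'U:53,79,113,T:21-25,80,443,8080'    # tcp=8 udp=3
```

Run it before a real scan with `count_ports "$SPEC"`; if the udp count is large, expect the scan to take a long time and consider trimming the UDP list to the ports you actually need.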

9. Perform a Fast Scan

Enable Fast Mode :

$ nmap -F

* Scan fewer ports than the default scan : the 100 most common ports instead of 1000.

10. Display the Reason a Port is in a Particular State

Display the Reason why Nmap thinks that a port is in a particular state :

$ nmap --reason

11. Show Only Open Ports

Show Only Open Ports (or open|filtered, i.e. possibly open) :

$ nmap --open

12. OS Detection

Turn on OS Detection :

$ nmap -O

* Determine the remote operating system using TCP/IP stack fingerprinting. Needs root (raw packets) and works best when the target has at least one open and one closed TCP port.

13. Service Version Detection

Turn on Version Detection :

$ nmap -sV

* Discover what version of software is running on a remote host.

14. Firewall Detection

Find out if a host is protected by any Packet Filters or Firewall (TCP ACK scan) :

$ nmap -sA

* An ACK scan never tells you whether a port is open : it classifies ports as unfiltered (a RST comes back) or filtered (no answer, or an ICMP unreachable error), which maps the firewall's rules rather than the services behind them.

15. MAC Address Spoofing

Spoof your MAC Address :

$ nmap --spoof-mac 00:11:22:33:44:55

Spoof your MAC Address with a Random MAC :

$ nmap --spoof-mac 0

* --spoof-mac also accepts a vendor name or an OUI prefix. It only rewrites the Ethernet header, so it is only meaningful against hosts on the local segment, and it needs a raw-packet scan (run as root).

16. Scan a Firewall For Security Vulnerabilities

These three scans send TCP packets that are not valid connection attempts. A stack that follows RFC 793 answers with a RST for a closed port and stays silent for an open one, so Nmap reports ports as closed or open|filtered ; a stateless packet filter that only blocks SYNs lets the probes through. Windows and some other stacks reply with a RST on every port, so against them every port looks closed.

TCP Null Scan :

$ nmap -sN

* Don't set any bits (TCP flag header is 0).

TCP Fin Scan :

$ nmap -sF

* Set just the TCP FIN bit.

TCP Xmas Scan :

$ nmap -sX

* Set the FIN, PSH and URG flags (lighting the packet up like a Christmas tree).

17. Stealthy Scan

TCP SYN Scan :

$ nmap -sS

* Well known as half-open scanning, because it never completes the TCP connection : Nmap sends a SYN, reads the SYN/ACK or RST that comes back, and tears the half-open connection down with a RST. It needs raw-socket privileges and is the default scan type when Nmap is run as root.

Read more : Anonymous Port Scanning : Nmap + Tor + ProxyChains

18. Disable Host Discovery (No Ping)

Don't ping host before scanning (skip host discovery and treat every target as online ; useful when ICMP probes are blocked) :

$ nmap -Pn

19. Disable DNS Resolution

Never do reverse DNS resolution on the active IP addresses it finds (faster, and avoids sending DNS queries) :

$ nmap -n

20. Save Output of Nmap Scan to a File

Save output of Nmap scan to a TEXT File :

$ nmap > output.txt
$ nmap -oN output.txt

* -oN writes the same "normal" output you see on screen, and unlike a shell redirect it still lets you watch the scan on the terminal.

Save output of Nmap scan to an XML File (the format to use when another tool will process the results) :

$ nmap -oX output.xml
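XML output is the one to keep when the results feed another tool, so here is an added example, not part of the original article, that pulls every port with state "open" out of -oX output as one line per port. The XML below is a constructed sample in the layout nmap writes (one <host> block per target, one <port> element per line), not a real scan; the function and host addresses are assumptions. Because it matches on the literal state "open", ports that a UDP or Null/FIN/Xmas scan reports as open|filtered are excluded, which is usually what you want for a first triage list.

```shell
# Constructed sample of nmap -oX output (not a real scan); the element layout
# matches what nmap writes: one <host> block per target, one <port> per line.
sample_xml() {
    cat <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<nmaprun scanner="nmap" args="nmap -sV -oX output.xml 192.168.1.10,20" version="7.94" xmloutputversion="1.05">
<host><status state="up" reason="syn-ack" reason_ttl="0"/>
<address addr="192.168.1.10" addrtype="ipv4"/>
<address addr="00:11:22:33:44:55" addrtype="mac"/>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack" reason_ttl="64"/><service name="ssh" product="OpenSSH" version="8.9p1" method="probed" conf="10"/></port>
<port protocol="tcp" portid="23"><state state="filtered" reason="no-response" reason_ttl="0"/><service name="telnet" method="table" conf="3"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack" reason_ttl="64"/><service name="http" product="nginx" version="1.18.0" method="probed" conf="10"/></port>
</ports>
</host>
<host><status state="up" reason="echo-reply" reason_ttl="0"/>
<address addr="192.168.1.20" addrtype="ipv4"/>
<ports>
<port protocol="udp" portid="53"><state state="open" reason="udp-response" reason_ttl="64"/><service name="domain" method="table" conf="3"/></port>
<port protocol="tcp" portid="443"><state state="closed" reason="reset" reason_ttl="64"/><service name="https" method="table" conf="3"/></port>
</ports>
</host>
</nmaprun>
EOF
}

# Print "host proto/port service [product] [version]" for every port whose
# state is exactly "open". Reads -oX output on stdin. This deliberately relies
# on nmap's one-<port>-per-line layout; for anything beyond quick triage use a
# real XML parser (xmllint --xpath, python's xml.etree) instead of regexes.
open_ports() {
    awk '
        /<address / && /addrtype="ipv4"/ {
            match($0, /addr="[^"]*"/); host = substr($0, RSTART + 6, RLENGTH - 7)
        }
        /<port / && /state="open"/ {
            match($0, /protocol="[^"]*"/); proto = substr($0, RSTART + 10, RLENGTH - 11)
            match($0, /portid="[^"]*"/);   port  = substr($0, RSTART + 8,  RLENGTH - 9)
            line = host " " proto "/" port
            # the leading space keeps a hostname="..." attribute from matching as name=
            if (match($0, / name="[^"]*"/))    line = line " " substr($0, RSTART + 7,  RLENGTH - 8)
            if (match($0, / product="[^"]*"/)) line = line " " substr($0, RSTART + 10, RLENGTH - 11)
            if (match($0, / version="[^"]*"/)) line = line " " substr($0, RSTART + 10, RLENGTH - 11)
            print line
        }'
}

# Against a real scan: nmap -sV -oX output.xml <targets>; open_ports < output.xml
sample_xml | open_ports
```

If you want all three formats from one run, -oA basename writes basename.nmap, basename.xml and basename.gnmap together, and the XML file is the one this function reads.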