In this tutorial you’ll find 20 basic examples of Nmap command usage.
You’ll see how to use Nmap from the Linux command line to find active hosts on a network and scan them for open ports.
You’ll learn how to determine a remote operating system using TCP/IP stack fingerprinting and how to discover what version of software is running on a remote host.
I’ll also show how to use Nmap for stealthy scanning, how to detect firewalls and how to spoof a MAC address.
1. Scan a Single Host or an IP Address
Scan a Single IP Address:
$ nmap 192.168.1.1
Scan a Host Name:
$ nmap server.shellhacks.com
Increase Verbosity Level:
$ nmap -v server.shellhacks.com
$ nmap -vv server.shellhacks.com
2. Scan Multiple IP Addresses
Scan Multiple IP Addresses:
$ nmap 192.168.1.1 192.168.1.2 192.168.1.3
$ nmap 192.168.1.1,2,3
Scan a Subnet:
$ nmap 192.168.1.0/24
$ nmap 192.168.1.*
Scan a Range of IP Addresses (192.168.1.0 – 192.168.1.200):
$ nmap 192.168.1.0-200
3. Scan Network for Active Computers
Scan for Active Hosts on a network (host discovery only, no port scan):
$ nmap -sn 192.168.1.0/24
4. Scan a List of Hosts From Input File
Scan hosts/networks from the Input File:
$ nmap -iL input.txt
Format of the input file:
Entries can be in any of the formats accepted by Nmap on the command line (IP address, hostname, CIDR, IPv6, or octet ranges). Each entry must be separated by one or more spaces, tabs, or newlines.
$ cat input.txt
server.shellhacks.com
192.168.1.0/24
192.168.2.1,2,3
192.168.3.0-200
5. Exclude IP/Hosts/Networks From Nmap Scan
Exclude Targets from Nmap scan:
$ nmap 192.168.1.0/24 --exclude 192.168.1.1
$ nmap 192.168.1.0/24 --exclude 192.168.1.1,192.168.1.5
$ nmap 192.168.1.0/24 --exclude 192.168.1.1,2,3
* The exclude list is comma-separated with no spaces: a second address separated by a space would be parsed as an extra target, not as an exclusion.
Exclude List of hosts from a file:
$ nmap 192.168.1.0/24 --excludefile exclude.txt
Format of the exclude file is the same as format of the input file shown above.
6. Scan For Specific Ports
Scan for a Single Port:
$ nmap -p 80 192.168.1.1
Scan for Several Ports:
$ nmap -p 80,443 192.168.1.1
Scan for a Port Range:
$ nmap -p 80-1000 192.168.1.1
Scan for All Ports:
$ nmap -p- 192.168.1.1
* -p- is shorthand for -p 1-65535; port 0 is only included if you write -p0-.
Scan the N Most Common Ports:
$ nmap --top-ports 5 192.168.1.1
$ nmap --top-ports 10 192.168.1.1
7. Determine Supported IP Protocols
Determine which IP Protocols (TCP, UDP, ICMP, etc.) are supported by target host:
$ nmap -sO 192.168.1.1
8. Scan For TCP/UDP Ports
TCP Connect Scan (the default when you are not root; covers the 1,000 most common TCP ports unless -p says otherwise):
$ nmap -sT 192.168.1.1
Scan for Particular TCP Ports:
$ nmap -p T:80 192.168.1.1
UDP Scan (the 1,000 most common UDP ports by default; add -sS or -sT to scan both protocols in one run):
$ nmap -sU 192.168.1.1
Scan for Particular UDP Ports:
$ nmap -p U:53 192.168.1.1
Combine scanning of different ports:
$ nmap -p U:53,79,113,T:21-25,80,443,8080 192.168.1.1
* A T: or U: prefix applies to every port that follows it until the next prefix, so 79 and 113 above are UDP ports and 443 and 8080 are TCP ports.
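As an added example that is not part of the original tutorial, here is a small POSIX shell helper that parses a -p specification the way the commands above use it, resolves the sticky T:/U: prefixes, and reports how many probes the spec expands to (useful before a slow UDP scan). The function names normalize_ports and count_ports are my own; the one behaviour it assumes rather than takes from Nmap is that ports listed before any prefix are counted as TCP.

```sh
#!/bin/sh
# normalize_ports SPEC
# Parses an Nmap -p port specification and prints one "proto port" or
# "proto lo-hi" line per item with the protocol prefix resolved. Rules:
#   * items are comma-separated; each is "N" or "LO-HI";
#   * a "T:" or "U:" prefix sets the protocol for that item and for every
#     following item until the next prefix (Nmap's sticky-prefix behaviour);
#   * an omitted range end defaults to 1 (low) or 65535 (high), so "-" is
#     every port and "1024-" is 1024-65535;
#   * items before any prefix are reported as "tcp" (an assumption made for
#     this example; Nmap applies unprefixed ports to every scan type requested).
# Returns 1 on an empty or malformed item, or a port outside 0-65535.
normalize_ports() {
    np_spec=$1
    np_proto=tcp
    while [ -n "$np_spec" ]; do
        case $np_spec in                      # take the next comma-separated item
            *,*) np_item=${np_spec%%,*}; np_spec=${np_spec#*,} ;;
            *)   np_item=$np_spec; np_spec= ;;
        esac
        case $np_item in                      # protocol prefix, sticky
            T:*) np_proto=tcp; np_item=${np_item#T:} ;;
            U:*) np_proto=udp; np_item=${np_item#U:} ;;
        esac
        if [ -z "$np_item" ]; then
            echo "empty port item in spec" >&2; return 1
        fi
        case $np_item in                      # split a range, keep single ports
            *-*) np_lo=${np_item%%-*}; np_hi=${np_item#*-} ;;
            *)   np_lo=$np_item; np_hi=$np_item ;;
        esac
        [ -z "$np_lo" ] && np_lo=1            # "-100" means 1-100
        [ -z "$np_hi" ] && np_hi=65535        # "100-" means 100-65535
        case "$np_lo$np_hi" in
            *[!0-9]*) echo "malformed port item: $np_item" >&2; return 1 ;;
        esac
        if [ "$np_lo" -gt 65535 ] || [ "$np_hi" -gt 65535 ] || [ "$np_lo" -gt "$np_hi" ]; then
            echo "port range out of bounds: $np_item" >&2; return 1
        fi
        if [ "$np_lo" = "$np_hi" ]; then
            printf '%s %s\n' "$np_proto" "$np_lo"
        else
            printf '%s %s-%s\n' "$np_proto" "$np_lo" "$np_hi"
        fi
    done
}

# count_ports SPEC
# Number of individual port probes the spec expands to.
count_ports() {
    normalize_ports "$1" > /dev/null || return 1   # validate before counting
    normalize_ports "$1" | while read -r cp_proto cp_range; do
        case $cp_range in
            *-*) cp_lo=${cp_range%-*}; cp_hi=${cp_range#*-}
                 echo $(( cp_hi - cp_lo + 1 )) ;;
            *)   echo 1 ;;
        esac
    done | awk '{ total += $1 } END { print total + 0 }'
}

# demo with the spec used in the command above
normalize_ports 'U:53,79,113,T:21-25,80,443,8080'
echo "probes: $(count_ports 'U:53,79,113,T:21-25,80,443,8080')"
```

Run it against any spec you are about to hand to -p; a non-zero exit means Nmap would reject the spec too, and the probe count is what a UDP scan will have to wait on.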
9. Perform a Fast Scan
Enable Fast Mode:
$ nmap -F 192.168.1.1
* Scans the 100 most common ports instead of the default 1,000.
10. Display the Reason a Port is in a Particular State
Display the Reason why Nmap thinks that a port is in a particular state:
$ nmap --reason 192.168.1.1
11. Show Only Open Ports
Show Only Open Ports (or possibly open):
$ nmap --open 192.168.1.1
12. OS Detection
One of Nmap’s best-known features is remote OS detection using TCP/IP stack fingerprinting.
Nmap sends a series of TCP and UDP packets to the remote host and examines the responses.
After performing dozens of tests, Nmap compares the results to its database and prints out the OS details if there is a match.
Turn on OS Detection:
$ nmap -O 192.168.1.1
* OS detection needs raw packet privileges (run it as root or with sudo).
13. Service Version Detection
Turn on Version Detection:
$ nmap -sV 192.168.1.1
* Probes the open ports to discover what software, and which version of it, is running on the remote host.
14. Firewall Detection
Find out whether a host sits behind a packet filter or stateful firewall (ACK scan):
$ nmap -sA 192.168.1.1
* An ACK scan never reports a port as open. A port that answers with a RST is unfiltered (reachable through the filter); one that gets no reply or an ICMP unreachable error is filtered. That is enough to map the firewall's ruleset and to tell a stateful firewall from a stateless one.
15. MAC Address Spoofing
Spoof your MAC Address:
$ nmap --spoof-mac 00:11:22:33:44:55 192.168.1.1
Spoof your MAC Address with a Random MAC:
$ nmap --spoof-mac 0 192.168.1.1
* --spoof-mac changes the source address of the raw Ethernet frames Nmap sends (it implies --send-eth), so it only matters on the local network segment. You can also pass a vendor name such as Cisco to get a random MAC with that vendor's prefix.
16. Null, FIN and Xmas Scans (Probing Through a Stateless Firewall)
These three scan types exploit a subtle loophole in the TCP RFC to differentiate between open and closed ports.
When scanning systems compliant with this RFC, any packet not containing SYN, RST, or ACK bits will result in a returned RST if the port is closed and no response at all if the port is open.
As long as none of those three bits are included, any combination of the other three (FIN, PSH, and URG) is OK.
* Because no SYN is sent, these probes can pass a stateless packet filter that only drops incoming SYN segments. Nmap reports a port as closed when a RST comes back and as open|filtered when nothing does, since silence can mean either an open port or a dropped probe. Systems that ignore the RFC (Microsoft Windows among them) reply with RST to every probe, so against them every port shows up as closed.
TCP Null Scan:
$ nmap -sN 192.168.1.1
* Don’t set any bits (TCP flag header is 0).
TCP Fin Scan:
$ nmap -sF 192.168.1.1
* Set just the TCP FIN bit.
TCP Xmas Scan:
$ nmap -sX 192.168.1.1
* Set the FIN, PSH and URG flags (lighting the packet up like a Christmas tree).
17. Stealthy Scan
TCP SYN Scan:
$ nmap -sS 192.168.1.1
* Also known as half-open scanning, because Nmap never completes the TCP three-way handshake: it sends a SYN, classifies the port from the SYN/ACK or RST that comes back, and tears the half-open connection down with a RST instead of finishing it. It needs raw-packet privileges (root) and is the default scan type when you have them; without them Nmap falls back to the connect scan (-sT), which is more likely to be logged by the target application.
18. Disable Host Discovery (No Ping)
Skip host discovery and scan the target even if it doesn’t answer ping probes (e.g. when ICMP is blocked):
$ nmap -Pn 192.168.1.1
19. Disable DNS Resolution
Never do reverse DNS Resolution on the active IP addresses it finds:
$ nmap -n 192.168.1.1
20. Save Output of Nmap Scan to a File
Save output of Nmap scan to a TEXT File:
$ nmap 192.168.1.1 > output.txt
$ nmap -oN output.txt 192.168.1.1
* -oN keeps printing the results on the terminal while writing the same normal output to the file; a plain shell redirect only captures what goes to stdout.
Save output of Nmap scan to an XML File:
$ nmap -oX output.xml 192.168.1.1
* XML is the format to use when another tool or script will consume the results. -oA basename writes normal, XML and grepable output in one go (basename.nmap, basename.xml and basename.gnmap).
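Saved normal output is easy to read by eye but awkward to feed into other tooling. As an added example that is not part of the original tutorial, the following shell function (summarize_nmap_normal is my own name, as is write_sample_scan) condenses an -oN file into one line per host listing its confirmed open ports. The sample file it runs on is constructed here to look like -oN output from a -sV scan of 192.168.1.0/24; it is not a real scan result.

```sh
#!/bin/sh
# summarize_nmap_normal FILE
# Reads Nmap normal output (what -oN writes, or what was redirected with >)
# and prints one line per host that has at least one port in state "open":
#   <host> <port>/<proto>:<service>[,<port>/<proto>:<service>...]
# Hosts without open ports are omitted. Only the exact state "open" is kept:
# "open|filtered" (typical of UDP scans), "closed" and "filtered" lines are
# skipped, so the summary lists confirmed open ports only. Extra columns from
# --reason or -sV do not matter because the service name is always column 3.
summarize_nmap_normal() {
    awk '
        # emit the accumulated ports for the current host, then reset
        function flush(   i, line) {
            if (host != "" && n > 0) {
                line = host
                for (i = 1; i <= n; i++)
                    line = line (i == 1 ? " " : ",") ports[i]
                print line
            }
            host = ""; n = 0
        }
        # "Nmap scan report for 192.168.1.1" or
        # "Nmap scan report for name (192.168.1.10)": column 5 is the host
        /^Nmap scan report for / { flush(); host = $5; next }
        # port lines look like "22/tcp  open  ssh  OpenSSH 8.9p1 ..."
        $1 ~ /^[0-9]+\/(tcp|udp|sctp)$/ && $2 == "open" {
            ports[++n] = $1 ":" $3
            next
        }
        END { flush() }
    ' "$1"
}

# write_sample_scan FILE
# Writes a constructed -oN file (hand-made for this example, not a real scan)
# so the parser can be exercised offline: one host with three open ports, one
# whose only other port line is closed, and one with nothing open.
write_sample_scan() {
    cat > "$1" <<'EOF'
# Nmap 7.94 scan initiated Tue Jan  2 10:00:00 2024 as: nmap -sV -oN output.txt 192.168.1.0/24
Nmap scan report for 192.168.1.1
Host is up (0.0012s latency).
Not shown: 997 closed tcp ports (reset)
PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.4 (Ubuntu Linux; protocol 2.0)
80/tcp  open  http    nginx 1.18.0
443/tcp open  https   nginx 1.18.0

Nmap scan report for server.shellhacks.com (192.168.1.10)
Host is up (0.0020s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT     STATE  SERVICE VERSION
25/tcp   open   smtp    Postfix smtpd
3306/tcp closed mysql

Nmap scan report for 192.168.1.20
Host is up (0.0030s latency).
All 1000 scanned ports on 192.168.1.20 are in ignored states.

Nmap done: 256 IP addresses (3 hosts up) scanned in 42.10 seconds
EOF
}

# demo run on the constructed sample
SAMPLE=$(mktemp)
write_sample_scan "$SAMPLE"
summarize_nmap_normal "$SAMPLE"
rm -f "$SAMPLE"
```

On the sample this prints one line for 192.168.1.1 and one for server.shellhacks.com; 192.168.1.20 is dropped because it has nothing open. Point the function at a real -oN file to get the same per-host summary, or pipe its output into sort and uniq to diff two scans of the same network.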