How to Use the nmap Command

Published on

8 min read

Check Open Ports in Linux

Nmap is a powerful network scanning tool for security audits and penetration testing. It is one of the essential tools used by network administrators to troubleshooting network connectivity issues and port scanning .

Nmap can also detect the Mac address, OS type , service version, and much more.

This article explains the basics of how to use the nmap command to perform various network tasks.

Installing Nmap

Nmap is a multi-platform program that can be installed on all major operating systems. It was initially released as a Linux-only tool, and later it was ported to other systems such as BSD, Windows, and macOS.

If you prefer a GUI over the command line, Nmap also has a graphical user interface called Zenmap .

The official binary packages are available for download from the Nmap download page .

The installation procedure is straightforward and varies according to your operating system.

Installing Nmap on Ubuntu and Debian

Nmap is available from the default Ubuntu and Debian repositories. To install it, run:

sudo apt updatesudo apt install nmap

Installing Nmap on CentOS and Fedora

On CentOS and other Red Hat derivatives run:

sudo dnf install nmap

Installing Nmap on macOS

macOS users can install Nmap by downloading the “.dmg” installation package from the Nmap site or via Homebrew:

brew install nmap

Installing Nmap on Windows

The Windows version of Nmap has some limitations, and it is generally a little slower than the UNIX version.

The easiest option to install Nmap on Windows is to download and run the self-installation exe file.

You can run Nmap on Windows either from the command line or by launching the Zenmap program. For more information about how to use Nmap on Windows, check the post-install usage instructions .

Using Nmap

Nmap is typically used to audit network security, network mapping, identify open ports, and search for online devices.

The simplified syntax of the nmap command is as follows:

nmap [Options] [Target...]

The most basic example of using Nmap is to scan a single target as a standard user without specifying any options:

nmap scanme.nmap.org

When invoked as a non-root user that does not have raw packet privileges, nmap runs TCP connect scan. The (-sT) is turned on by default in unprivileged mode.

The output will look something like this, including basic information about the scan and a list of open and filtered TCP ports.

Starting Nmap 7.91 ( https://nmap.org ) at 2020-12-16 20:19 CET
Nmap scan report for cast.lan (192.168.10.121)
Host is up (0.048s latency).
Not shown: 981 closed ports
PORT     STATE    SERVICE
21/tcp   open     ftp
22/tcp   open     ssh
25/tcp   open     smtp
53/tcp   open     domain
80/tcp   open     http
110/tcp  open     pop3
143/tcp  open     imap
443/tcp  open     https
587/tcp  open     submission
993/tcp  open     imaps
995/tcp  open     pop3s
1025/tcp open     NFS-or-IIS
1080/tcp open     socks
8080/tcp open     http-proxy
8081/tcp open     blackice-icecap

Nmap done: 1 IP address (1 host up) scanned in 1.78 seconds

The most popular scan option is the TCP SYN scan (-sS) that is faster than the connect option and works against all compliant TCP stacks.

-sS is turned on by default when nmap is invoked as a user with administrative privileges:

sudo nmap 192.168.10.121

For more detailed output, use the increase the verbosity with -v or -vv:

sudo nmap -vv 192.168.10.121

To perform a UDP scan, invoke the command with the (-sU) option as a root user:

sudo nmap -sU 192.168.10.121

For a complete list of port scanning methods, visit the Nmap documentation page .

Nmap also supports IPv6 addresses. To specify an IPv6 host use the -6 option:

sudo nmap -6 fd12:3456:789a:1::1

Specifying Target Hosts

Nmap treats all arguments that are not options as target hosts.

Arguments are considered options if they begin with a single or double dash (-, --).

The simplest option is to pass one or more target addresses or domain names:

nmap 192.168.10.121 host.to.scan

You can use the CIDR notation to specify a network range:

nmap 192.168.10.0/24

To specify an octet range use the dash character. For example, to scan 192.168.10.1, 192.168.11.1, and 192.168.12.1:

nmap 192.168.10-12.1

Another character you can use to specify the targets is the comma. The following command targets the same hosts as the one above:

nmap 192.168.10,11,12.1

You can combine all forms:

nmap 10.8-10.10,11,12.0/28  192.168.1-2.100,101

To make sure you specified the correct hosts before scanning, use the list scan option (-sL), which only lists the targets without running a scan:

nmap -sL 10.8-10.10,11,12.0/28  192.168.1-2.100,101

If you want to exclude targets that are included in the range you specified, use the --exclude option:

nmap 10.8-10.10,11,12.0/28 --exclude 10.10.12.12

Specifying and Scanning Ports

By default, Nmap performs a quick scan for the 1000 most popular ports. These ports are not the first 1000 consecutive ports, but the 1000 most commonly used ports ranging from 1 to 65389.

To scan for all ports from 1 through 65535, use the -p- option:

nmap -p- 192.168.10.121

Each port can be in one of the following states:

  • open - The program running on the port responds to request.
  • closed - No program runs on the port, and the host reply to requests.
  • filtered - The host doesn’t reply to the request.

Ports and port ranges are specified with the -p option.

For example, to scan only port 443, you would use the following command:

nmap -p 443 192.168.10.121

To specify more than one port, separate the target ports with a comma:

nmap -p 80,443 192.168.10.121

Port ranges can be specified with the dash symbol. For example, to scan all UDP ports ranging from 1 to 1024, you would run:

sudo nmap -sU -p 1-1024 192.168.10.121

All combined:

nmap -p 1-1024,8080,9000 192.168.10.121

Ports can also be specified using the port name. For example, to scan for port 22, ssh, you can use:

nmap -p ssh 192.168.10.121

Ping Scanning

To perform a ping scanning or host discovery, invoke the nmap command with the -sn option:

sudo nmap -sn 192.168.10.0/24

The -sn option tells Nmap only to discover online hosts and not to do a port scan. This is useful when you want to quickly determine which of the specified host are up and running.

Disabling DNS Name Resolution

Nmap’s default behavior is to perform reverse-DNS resolution for each discovered host, which increases the scan time.

When scanning large networks, it is a good idea to disable reverse-DNS resolution and speed up the scans. To do that, invoke the command with the -n option:

sudo nmap -n 192.168.10.0/16

OS, Service and Version Detection

Nmap can detect the remote host operating system using TCP/IP stack fingerprinting. To run OS detection, invoke the command with the -O option:

sudo nmap -O scanme.nmap.org

If Nmap can detect the host OS, it will print something like below:

...
Device type: general purpose
Running: Linux 5.X
OS CPE: cpe:/o:linux:linux_kernel:5
OS details: Linux 5.0 - 5.4
Network Distance: 18 hops

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 26.47 seconds

Typically, system services listen on standard ports that are well known and reserved for them. For example, if port 22 that corresponds to the SSH service is open, you’ll assume that an SSH server runs on the host. However, you cannot be absolutely sure because people can run services on whatever ports they want.

With service and version detection, Nmap will show you what program listens on the port and the program version.

To scan for service and version, use the -sV option:

sudo nmap -sV scanme.nmap.org
...
PORT      STATE    SERVICE      VERSION
19/tcp    filtered chargen
22/tcp    open     ssh          OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)
80/tcp    open     http         Apache httpd 2.4.7 ((Ubuntu))
135/tcp   filtered msrpc
139/tcp   filtered netbios-ssn
445/tcp   filtered microsoft-ds
9929/tcp  open     nping-echo   Nping echo
31337/tcp open     tcpwrapped
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
...

You can also scan for OS, Versions, and run traceroute in one command using the -A option:

sudo nmap -A 192.168.10.121

Nmap Output

By default, Nmap prints the information to standard output (stdout).

If you scan a large network or need the information for later usage, you can save the output to a file.

Nmap provides several output types. To save the output in normal format, use the -oN option followed by the file name:

sudo nmap -sU -p 1-1024 192.168.10.121 -oN output.txt

The most popular option is to save the output in XML format. To do so, use the -oX option:

sudo nmap -sU -p 1-1024 192.168.10.121 -oX output.xml

Another useful format is the grepable output, which can be parsed with the standard Unix tools like grep , awk and cut . The grepable output is specified with the -oG option:

sudo nmap -sU -p 1-1024 192.168.10.121 -oG output

Nmap Scripting Engine

One of the most powerful features of Nmap is its scripting engine. Nmap ships with hundreds of scripts , and you can also write your own scripts in the Lua language.

You can use scripts to detect malware and backdoors, perform brute-force attacks, and more.

For example, to check if a given host is compromised you can use:

nmap -sV --script http-malware-host scanme.nmap.org

Conclusion

Nmap is an open-source tool that is used primarily by network administrators to discover host and scan ports.

Please note that in some countries, it is not legal to scan networks without authorization.

If you have any questions or remarks, please leave a comment below.