20 Awesome Nmap Command Examples in Linux

Nmap (Network Mapper) is a free and open-source network discovery and reconnaissance tool used to find hosts and collect detailed information about them. Written in C, C++, Python and Lua (Lua powers the Nmap Scripting Engine) and first released in September 1997, nmap has become an integral tool for security and digital forensics professionals, who rely on it to map target hosts and surface potential weaknesses. It can reveal which hosts on a network are up, which ports are open, what services and versions are listening and what operating system a host is likely running, and it offers a range of scan types, from noisy to comparatively quiet.

In this guide, we highlight some of the handy Nmap commands that you can use to retrieve as much information as you can from host systems.

How to install nmap

Before we look at the various ways the nmap command can be used, let’s check how to install it. The quickest distribution-independent route is a snap package. Snaps are prebuilt packages that bundle their own libraries and dependencies, and they are available on all major Linux distributions through the Snap Store. Before installing Nmap from a snap, you need the snapd daemon installed and running; it is what downloads and installs snap packages.

To install Nmap using snaps, run the command below.

$ sudo snap install nmap

Alternatively, you can choose to go with installing Nmap using package managers unique to each family of Linux distribution.

For Ubuntu & Debian

For Ubuntu/Debian/Mint based distributions use the APT package manager as shown.

$ sudo apt -y install nmap

For CentOS 8 / RHEL 8 / Fedora 22 and later versions

For CentOS 8 / RHEL 8 and Fedora 22 and later, use the dnf package manager.

$ sudo dnf -y install nmap

For CentOS 7 & RHEL 7

For CentOS 7 / RHEL 7 and earlier versions use the yum package manager.

$ sudo yum -y install nmap

For Arch Linux / Manjaro

For Arch-based systems, use the pacman package manager as shown.

$ sudo pacman -S nmap

Having looked at the installation of nmap, let’s now proceed to 20 awesome nmap command examples in Linux.

1) Nmap command for scanning a single host

In its basic form, nmap scans a single host without any options. When run as root this is a SYN scan of the 1000 most commonly used TCP ports; as an unprivileged user nmap falls back to a TCP connect scan of the same ports. The syntax is as shown:

$ nmap target-ip

For example;

$ nmap 192.168.2.102

Alternatively, instead of an IP address, you can specify a hostname, which nmap resolves for you:

$ nmap scanme.nmap.org

2) Scan multiple hosts

Scanning several hosts in one command is convenient on larger networks: you can scan a handful of hosts or an entire subnet in a single run while you work on something else. There are different ways of specifying the targets.

Firstly, you can list several IP addresses or hostnames separated by spaces:

$ nmap 192.168.2.1 192.168.2.103

Rather than typing each address in full, you can give a comma-separated list of values for an octet; the command below scans 192.168.2.1, 192.168.2.102 and 192.168.2.103.

$ nmap 192.168.2.1,102,103

You can also specify a range within an octet using a hyphen. For example, the command below scans hosts 192.168.2.1 through 192.168.2.100.

$ nmap 192.168.2.1-100

3) Scan a subnet with nmap

Additionally, you can use a wildcard or CIDR notation to scan an entire subnet. Quote the wildcard form so that your shell does not try to expand the asterisk as a filename glob:

$ nmap '192.168.2.*'
OR
$ nmap 192.168.2.0/24

To skip port scanning and only find the live hosts in a subnet, use the -sn option (older guides use -sP, which current versions of nmap still accept as an alias for -sn):

$ nmap -sn '192.168.2.*'

4) Get more information with the verbose option

To see more detail while a scan runs, use the -v option (or -vv for even more). Verbose mode reports the phases of the scan as they happen and prints open ports as soon as they are found, rather than only in the final summary.

$ nmap -v 192.168.2.1

5) Exclude hosts from a Nmap scan

When scanning a range of hosts, you may need to leave some out, for example fragile devices or systems you are not authorised to scan. Use the --exclude option. In the example below the host 192.168.2.20 is skipped.

$ nmap 192.168.2.0/24 --exclude 192.168.2.20

--exclude also accepts a comma-separated list of hosts or ranges. To exclude many hosts, put them in a file (one target specification per line) and pass it with --excludefile:

$ nmap '192.168.2.*' --excludefile exclude.txt

The command above scans the subnet except for the hosts listed in exclude.txt.

6) Perform a fast scan

As the name suggests, the -F flag gives a much faster scan: instead of the default 1000 most common ports, nmap scans only the 100 most common ones.

$ nmap -F 173.82.202.201

The trade-off is that this scan can miss services listening on ports outside that top 100.

7) Scan active hosts in a network

This is a ping scan (host discovery only). With -sn, nmap skips port scanning and just reports which hosts answer its discovery probes: ARP requests on a directly connected Ethernet segment, and otherwise a mix of ICMP echo, ICMP timestamp, TCP SYN to port 443 and TCP ACK to port 80 when run as root, or plain TCP connects to ports 80 and 443 when unprivileged. To scan for active hosts, pass -sn followed by the network. For example:

$ nmap -sn 192.168.2.0/24

8) Scan hosts contained in a file

If you have a segmented network, especially one with VLANs, you probably have hosts spread across different subnets. An easy way to scan them is to list their addresses in a text file and pass the file with the -iL option (note the hyphen). Each entry may use any target notation nmap accepts on the command line: single addresses, hostnames, CIDR blocks or octet ranges.

$ nmap -iL hosts.txt

Here’s a sample of the host file

$ cat hosts.txt
192.168.2.100
192.168.2.102
192.168.20.5-50
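Putting examples 5, 7 and 8 together, here is an added example (not from the original article) of a small POSIX shell script that ping-sweeps the targets in hosts.txt, skips everything in exclude.txt and prints only the addresses nmap reports as up. It relies on nmap’s grepable output (-oG -), which writes one line per host to stdout, so the result can be piped straight into awk. The filter function is exercised against a constructed sample of that output, so you can see what it produces without touching a network; the file names hosts.txt and exclude.txt and the sample addresses are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original article: ping sweep driven by a
# hosts file and an exclude file, reduced to a plain list of live addresses.
# Assumes nmap is on PATH only for sweep_live(); live_hosts() needs only awk.

# Extract live addresses from nmap grepable (-oG) output read on stdin.
# -oG emits one "Host: <ip> (<name>)<TAB>Status: Up" line per responding host,
# so the address is always the second whitespace-separated field.
live_hosts() {
    awk '/^Host:/ && /Status: Up/ { print $2 }'
}

# Run the sweep: -sn skips port scanning, -n skips reverse DNS, -iL reads the
# targets, --excludefile removes hosts that must not be touched, and -oG -
# sends grepable output to stdout for live_hosts() to filter.
sweep_live() {
    hosts_file=$1
    exclude_file=$2
    nmap -sn -n -iL "$hosts_file" --excludefile "$exclude_file" -oG - | live_hosts
}

# Constructed sample of what such a sweep prints (made up for this example;
# the addresses are not real results).
sample_sweep() {
    printf '%s\n' '# Nmap 7.94 scan initiated as: nmap -sn -n -iL hosts.txt --excludefile exclude.txt -oG -'
    printf 'Host: 192.168.2.1 ()\tStatus: Up\n'
    printf 'Host: 192.168.2.102 ()\tStatus: Up\n'
    printf 'Host: 192.168.20.7 ()\tStatus: Up\n'
    printf '%s\n' '# Nmap done -- 54 IP addresses (3 hosts up) scanned in 2.51 seconds'
}

# Demo: filter the sample. To sweep for real, run: sweep_live hosts.txt exclude.txt
sample_sweep | live_hosts
```

The -n flag matters on a large sweep: without it nmap issues a reverse DNS lookup for every live host, which is slow and tells the resolver exactly what you are scanning.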

9) Perform a scan to detect a firewall

Firewall detection is useful during vulnerability assessments and penetration tests: it tells you whether a stateful firewall sits between you and the target and which ports it filters. To probe for one, use the -sA flag, which runs an ACK scan (it sends raw packets, so it needs root):

$ sudo nmap -sA 192.168.2.1

An ACK scan never determines whether a port is open. It sends bare ACK packets; a port that answers with a RST is reported as unfiltered (the packet got through, whether the port is open or closed), while no reply or an ICMP unreachable error means filtered. Combine it with a SYN scan of the same ports if you also need to tell open from closed. Use the -n flag to skip reverse DNS resolution of the target.

10) Perform OS detection with nmap

Nmap can also make an educated guess about the operating system of the target system (service version detection is covered separately below). For OS detection pass the -O option. We’re going to scan a cloud VPS running Linux and see what nmap gives us.

NOTE: OS detection sends raw packets, so as a regular user you need to run it with sudo.

$ sudo nmap -O 173.82.202.201

Nmap does its best to identify the OS and version from TCP/IP stack fingerprints, but the result is a guess, not a fact. It works best when the target has at least one open and one closed TCP port; if nmap cannot find both, it warns that the fingerprint may be unreliable.

11) Perform port scanning

One of the most basic tasks with nmap is scanning ports on a host. You can cut to the chase and name the port to scan with the -p flag followed by the port number:

$ nmap -p 80 173.82.202.201

Additionally, you can scan multiple ports by separating them with commas:

$ nmap -p 80,443 192.168.2.1

You can also define a range of ports with a hyphen (and -p- on its own scans all 65535 ports):

$ nmap -p 80-443 192.168.2.1

12) Scan for TCP/UDP ports

You can restrict a scan to TCP or UDP. The -sT option runs a TCP connect scan, which completes the full three-way handshake through the operating system’s connect() call. It needs no special privileges, which is why it is the default for unprivileged users, but every probe becomes a real connection that reaches the application and may be logged there.

$ nmap -sT 173.82.202.201

For a particular TCP port, such as port 80, run:

$ nmap -p T:80 173.82.202.201

For UDP ports, use the -sU option. UDP scanning needs root, and it is slow: open UDP ports usually do not answer at all, so nmap has to wait for ICMP port-unreachable messages (which many hosts rate-limit) to tell open|filtered from closed.

$ sudo nmap -sU 173.82.202.201

For a particular UDP port, such as port 69, the U: prefix alone is not enough; nmap only scans UDP ports when -sU is given:

$ sudo nmap -sU -p U:69 173.82.202.201

To scan both protocols in one run, combine -sU with a TCP scan type, for example -sU -sS -p U:69,T:80.

13) Discover service versions

When looking for possible vulnerabilities, knowing which services are running, at which versions and on which ports is crucial. It tells you which services an attacker could leverage to compromise the system, and it is the information you need to decide whether to update a service or remove it altogether. Note that -sV does not report vulnerabilities itself; you still have to match the reported versions against advisories.

To gather services and port information use the -sV flag.

$ nmap -sV 173.82.202.201

14) Perform a stealth scan

The -sS option runs a TCP SYN scan, often called a stealth or half-open scan. Nmap sends a SYN, reads the SYN/ACK (open) or RST (closed) that comes back, and then tears the attempt down with a RST instead of completing the handshake. Because no connection is ever established, the application listening on the port never sees it and will not log it. It is not anonymous, though: the packets still carry your source address, and any IDS watching the wire will flag a burst of SYNs to many ports. -sS needs raw sockets, so it requires root, and it is already the default scan type when nmap runs as root.

$ sudo nmap -sS 173.82.202.201

15) Determine supported IP protocols

You can find out which IP protocols a target responds to (ICMP, TCP, UDP and so on, identified by IP protocol number) using the -sO flag, which also requires root.

$ sudo nmap -sO 173.82.202.201

16) Perform an aggressive scan

The -A option turns on several features at once: OS detection (-O), version detection (-sV), the default NSE script scan (-sC) and traceroute (--traceroute). It gives a very detailed picture of the target, but it is also the noisiest option in this list, and because OS detection and traceroute send raw packets it should be run as root.

$ sudo nmap -A 173.82.202.201

17) Save nmap output to a file

By default, nmap prints scan results to the terminal. If you need to keep them for later analysis, you can simply redirect the output:

$ nmap 173.82.202.201 > scanme.txt

To verify that the results were saved, use the cat command:

$ cat scanme.txt

The better option is nmap’s own output formats. -oN writes the normal (human-readable) output to a file:

$ nmap -oN scanme.txt scanme.nmap.org

-oG writes grepable output (one line per host, easy to process with grep and awk), -oX writes XML for tools that parse it, and -oA followed by a basename writes all three formats at once.
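As an added example (not from the original article), the script below shows why grepable output is worth saving alongside the normal text. It reads a scan saved with nmap -sV -oG scan.gnmap and prints one line per open port with the detected service and version, plus a helper that lists every host running a given service, which is the kind of question example 13 raises. The file name scan.gnmap, the sample hosts and the version strings are constructed for the demonstration and are not real results; the sample also includes a UDP port in the open|filtered state to show that the filter leaves it out.

```shell
#!/bin/sh
# Added example, not from the original article: turn saved grepable output
# (nmap -sV -oG scan.gnmap <targets>) into a per-host list of open ports and
# versions. The sample below is constructed; the file name scan.gnmap is assumed.

# Print "ip port/proto service version" for every open port in -oG input on stdin.
# A grepable Host line is tab-separated; its "Ports:" field is a comma-separated
# list of port/state/proto/owner/service/rpc/version/ entries. nmap writes any "/"
# inside a version string as "|", so splitting each entry on "/" is safe.
open_ports() {
    awk -F'\t' '
        /^Host:/ {
            ip = $1; sub(/^Host: /, "", ip); sub(/ .*/, "", ip)
            for (i = 2; i <= NF; i++) {
                if (index($i, "Ports: ") != 1) continue
                n = split(substr($i, 8), entry, ", ")
                for (j = 1; j <= n; j++) {
                    split(entry[j], f, "/")
                    if (f[2] != "open") continue
                    ver = (f[7] == "") ? "-" : f[7]
                    printf "%s %s/%s %s %s\n", ip, f[1], f[3], f[5], ver
                }
            }
        }'
}

# List the hosts running a given service name (as reported in the service field).
hosts_running() {
    open_ports | awk -v svc="$1" '$3 == svc { print $1 }' | sort -u
}

# Constructed sample of an -sV -oG file (fake hosts and versions for this demo).
sample_gnmap() {
    printf '%s\n' '# Nmap 7.94 scan initiated as: nmap -sV -oG scan.gnmap 192.168.2.0/24'
    printf 'Host: 192.168.2.1 (router.lan)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1 Ubuntu 3ubuntu0.4/, 80/open/tcp//http//nginx 1.18.0/, 443/closed/tcp//https///\tIgnored State: filtered (997)\n'
    printf 'Host: 192.168.2.102 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.4/, 3306/open/tcp//mysql//MySQL 5.5.5-10.6.12-MariaDB/\tIgnored State: closed (998)\n'
    printf 'Host: 192.168.2.103 ()\tPorts: 161/open|filtered/udp//snmp///\tIgnored State: closed (999)\n'
    printf '%s\n' '# Nmap done -- 256 IP addresses (3 hosts up) scanned in 40.12 seconds'
}

# Demo on the sample. With a real file: open_ports < scan.gnmap
sample_gnmap | open_ports
sample_gnmap | hosts_running ssh
```

Only ports whose state is exactly open are listed; closed and open|filtered entries are skipped, so a UDP result that nmap could not confirm never shows up as a service you would then chase.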

18) Print out the host interfaces and routes

Sometimes you need to see your own machine’s interfaces and routing table, for example to check which interface nmap will send its probes from. This is easily done with the --iflist option.

$ nmap --iflist

19) Get help with nmap

To explore the many additional nmap options, use the -h flag, which prints a summary of the command-line options; the full reference is in the man page (man nmap).

$ nmap -h

20) Check nmap version

To check the version of nmap you are using, run the command below (note the capital V; lower-case -v is the verbose option from example 4):

$ nmap -V

Those are just 20 of the basic Nmap commands you can use to enumerate hosts. There are plenty more nmap options for refining what you learn about a target, but the examples listed here are a good place to start. We hope this guide has been helpful in acquainting you with the nmap tool and its common command examples.
