Network Mapper, or Nmap, is an open source security tool and is widely regarded as the best port scanner available. It is mainly used for network security auditing and for penetration testing. Nmap shows the exposed ports/services on a target system and can also report other information, such as the operating system version.
Another function of Nmap is network discovery, hence the name "Network Mapper". There are a large number of options that can be used with the nmap command. In this tutorial, we will discuss some important nmap commands that will help us identify exposed and potentially vulnerable services in the network, which can then be addressed. Note that several scan types (SYN scans, UDP scans, OS detection) need raw socket access, so run those with sudo or as root where noted.
(Recommended Read: NETSTAT Command: Learn to use netstat with examples)
NMAP command
Installation
Usually the nmap command is installed by default on most Linux machines, but if that's not the case then we can install it with the default package manager (as root or with sudo). For example,
RHEL/CentOS
$ yum install nmap
Ubuntu/Mint/Debian
$ apt-get install nmap
Fedora
$ dnf install nmap
Scanning an IP/Multiple IPs
To scan a single system on our network, open terminal & execute the following command,
$ nmap 192.168.1.100
For multiple IPs, we can either mention all the IPs,
$ nmap 192.168.1.100 192.168.1.200
Or we can also mention a range,
$ nmap 192.168.1.100-110
For scanning a full subnet,
$ nmap 192.168.1.0/24
Or we can also read the targets from a file, one IP, hostname, range or subnet per line, with option 'iL',
$ nmap -iL ips.txt
where 'ips.txt' is the file containing all the targets. Similarly, we can also scan a system by its hostname (nmap resolves it with DNS first),
$ nmap mail.linuxtechlab.com
Port scanning
By default nmap scans the 1000 most commonly used ports for each protocol. For scanning a single port of a machine, we can mention the port number along with option 'p',
$ nmap -p 22 192.168.1.100
Or for scanning a range of ports, use
$ nmap -p 100-1000 192.168.1.100
For scanning all 65535 ports (1 to 65535), run the following command,
$ nmap -p- 192.168.1.100
For scanning only the 100 most common ports, use option 'F' with the nmap command,
$ nmap -F 192.168.1.100
This scan is also known as a fast scan. Note that a full '-p-' scan is considerably slower than the default and far noisier on the network, so use it when you need to find services hiding on unusual ports.
Ping a device (Host discovery)
To check which hosts are up without port scanning them, use option 'sn' (ping scan; older tutorials and nmap versions write it as 'sP', which nmap still accepts as an alias),
$ nmap -sn 192.168.1.0/24
This is also known as host discovery. On a local subnet, run as root, nmap uses ARP requests for this, so it finds hosts that block ICMP ping; across a router it falls back to ICMP echo and a couple of TCP probes, which a firewall can drop.
TCP port scan
To perform a TCP connect scan, which completes the full three-way handshake on each probed port, use option 'sT' with the nmap command,
$ nmap -sT 192.168.1.100
This is what nmap does by default when run as an unprivileged user; as root the default is the stealthier SYN scan ('sS'), which never completes the handshake. Either way only the default 1000 ports are scanned unless 'p' is given.
UDP port scan
To scan UDP ports (DNS, SNMP, NTP and similar services are easy to miss with a TCP-only scan), use option 'sU' with the nmap command; this needs root and is slow because closed UDP ports are only detected through rate-limited ICMP replies,
$ nmap -sU 192.168.1.100
OS & service scan
To find out the operating system of a system, we can use the 'O' option (needs root, since it relies on raw packet fingerprinting),
$ nmap -O 192.168.1.100
To check the operating system, the versions of all the services running on the system, run the default NSE scripts and record a traceroute, use option 'A' with the nmap command; it is the most informative scan here but also the noisiest,
$ nmap -A 192.168.1.100
Show all host interfaces & routes
To get all the interfaces on host system & all the routes of the system, use the option ‘iflist’,
$ nmap --iflist
Scan a firewall protected system
To scan a system whose firewall drops nmap's ping probes (so nmap would otherwise report it as down and skip it), use option 'Pn', which skips host discovery and treats the target as online; older tutorials spell it 'PN', which nmap still accepts,
$ nmap -Pn 192.168.1.100
Redirecting output to a file
To save the output in the same form it appears on the terminal, use option 'oN' along with the filename,
$ nmap -oN output.txt 192.168.1.100
To save the output as XML, which is the format to use when the results are to be parsed by other tools, use option 'oX',
$ nmap -oX output.xml 192.168.1.100
(Option 'oA' with a base name writes the normal, XML and grepable formats at once.) We can also use the shell redirect symbol to capture the terminal output in a file,
$ nmap 192.168.1.100 > output.txt
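The XML output is the one worth automating around: once a service and OS scan is saved with 'oX', the open ports, detected product versions and OS guess can be pulled out programmatically instead of read off the screen. The following is an added example for this tutorial, not code from the nmap project; it runs nmap with '-oX -' (XML to stdout) and reduces the result to the exposed services per live host. The scan() helper and the SAMPLE_XML data are assumptions of the example: the sample is constructed in the layout nmap writes (nmaprun/host/ports/port/service/os), not a real scan, and scan() needs nmap in PATH and root for '-O'.

```python
"""Run nmap with XML output on stdout and reduce it to the open services
and best OS guess per live host. Added example for this tutorial; it is
not code from the nmap project. Only the layout of nmap's XML output
(nmaprun/host/ports/port/service/os) is relied on."""
import shutil
import subprocess
import xml.etree.ElementTree as ET


def parse_nmap_xml(xml_text):
    """Map each host that is up to its hostnames, best OS match and open ports."""
    root = ET.fromstring(xml_text)
    results = {}
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # hosts that failed host discovery carry no port data
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            addr_el = host.find("address[@addrtype='ipv6']")
        if addr_el is None:
            continue
        hostnames = [h.get("name") for h in host.findall("hostnames/hostname")]

        # -O / -A may list several osmatch candidates; keep the most accurate one
        best_os, best_acc = None, -1
        for match in host.findall("os/osmatch"):
            acc = int(match.get("accuracy", "0"))
            if acc > best_acc:
                best_os, best_acc = match.get("name"), acc

        ports = []
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed and filtered ports are not exposed services
            svc = port.find("service")
            product = ""
            if svc is not None:
                # product/version are only filled in when -sV (or -A) was used
                product = " ".join(
                    x for x in (svc.get("product"), svc.get("version")) if x)
            ports.append({
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "service": svc.get("name") if svc is not None else None,
                "product": product,
            })
        ports.sort(key=lambda p: (p["proto"], p["port"]))
        results[addr_el.get("addr")] = {
            "hostnames": hostnames, "os": best_os, "ports": ports}
    return results


def scan(targets, extra_args=("-sV",)):
    """Run nmap with '-oX -' (XML to stdout) and parse it. Needs nmap in PATH;
    add '-O' (root required) to extra_args for an OS guess."""
    nmap = shutil.which("nmap")
    if nmap is None:
        raise RuntimeError("nmap is not installed or not in PATH")
    cmd = [nmap, *extra_args, "-oX", "-", *targets]
    proc = subprocess.run(cmd, capture_output=True, text=True, check=True)
    return parse_nmap_xml(proc.stdout)


# Constructed sample in the layout nmap writes for -sV -O -oX; not a real scan.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE nmaprun>
<nmaprun scanner="nmap" args="nmap -sV -O -oX - 192.168.1.100 192.168.1.200" version="7.94" xmloutputversion="1.05">
<host><status state="down" reason="no-response"/>
<address addr="192.168.1.200" addrtype="ipv4"/></host>
<host><status state="up" reason="arp-response"/>
<address addr="192.168.1.100" addrtype="ipv4"/>
<hostnames><hostname name="mail.linuxtechlab.com" type="PTR"/></hostnames>
<ports><extraports state="closed" count="997"/>
<port protocol="tcp" portid="25"><state state="open" reason="syn-ack"/>
<service name="smtp" product="Postfix smtpd" method="probed" conf="10"/></port>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
<service name="ssh" product="OpenSSH" version="8.9p1 Ubuntu 3" method="probed" conf="10"/></port>
<port protocol="tcp" portid="23"><state state="filtered" reason="no-response"/>
<service name="telnet" method="table" conf="3"/></port>
</ports>
<os><osmatch name="Linux 2.6.32" accuracy="90"/>
<osmatch name="Linux 4.15 - 5.8" accuracy="97"/></os>
</host>
<runstats><hosts up="1" down="1" total="2"/></runstats>
</nmaprun>
"""

if __name__ == "__main__":
    # Replace SAMPLE_XML with scan(["192.168.1.100"], ("-sV", "-O")) for a live run.
    for addr, info in parse_nmap_xml(SAMPLE_XML).items():
        print(addr, info["hostnames"], "OS:", info["os"])
        for p in info["ports"]:
            print(f"  {p['port']}/{p['proto']} {p['service']} {p['product']}")
```

Only ports in state "open" are kept; "filtered" means a firewall swallowed the probe and "closed" means the host answered with a reset, neither of which is a service to worry about. The parser is fed nmap's own output here, so the standard library XML module is adequate; if the XML comes from an untrusted source, parse it with a hardened library such as defusedxml instead.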
These are only some of the functionalities of nmap; we have only touched the surface. The nmap command is very extensible (its scripting engine alone is a big topic) and too large to cover in a single tutorial. We will add another tutorial with advanced nmap command usage.
If you have not found the nmap functionality that you require, you can refer to the built-in help for the nmap command.
$ nmap --help
With this we end our tutorial, please feel free to send in any questions or queries using the comment box below.
Here is an online version I built
https://www.nmmapper.com/st/networkmapper/nmap/online-port-scanning/
Great guide man, helped me a lot