Nmap (Network Mapper) is a powerful open-source command-line tool used for network discovery and security auditing in Linux. It helps administrators identify active hosts, open ports, running services, operating systems, and potential vulnerabilities on a network.
In this guide, we will explore the most useful Nmap commands in Linux with practical examples and a quick cheat sheet to help you perform host discovery, port scanning, and network analysis efficiently.
Nmap Command Quick Cheat Sheet
The following Nmap cheat sheet provides a quick reference for the most commonly used Nmap commands and options in Linux. These commands help perform host discovery, port scanning, service detection, operating system identification, and security auditing.
Nmap basic command reference table
| Task | Command |
|---|---|
| Scan a host | nmap 192.168.1.1 |
| Scan hostname | nmap example.com |
| Scan multiple hosts | nmap 192.168.1.1 192.168.1.2 |
| Scan subnet | nmap 192.168.1.0/24 |
| Scan IP range | nmap 192.168.1.1-50 |
| Scan hosts from file | nmap -iL targets.txt |
| Random target scanning | nmap -iR 10 |
| List targets without scanning | nmap -sL 192.168.1.0/24 |
Host discovery commands
| Task | Command |
|---|---|
| Discover live hosts | nmap -sn 192.168.1.0/24 |
| Ping sweep network | nmap -sn 10.0.0.0/24 |
| Skip host discovery | nmap -Pn target |
| Use ICMP echo requests | nmap -PE target |
| Use TCP SYN ping | nmap -PS target |
| Use UDP ping | nmap -PU target |
Port scanning commands
| Task | Command |
|---|---|
| Scan default 1000 ports | nmap target |
| Scan specific port | nmap -p 80 target |
| Scan multiple ports | nmap -p 22,80,443 target |
| Scan port range | nmap -p 1-1000 target |
| Scan all ports | nmap -p- target |
| Scan UDP ports | sudo nmap -sU target |
| Scan TCP ports | nmap -sT target |
Common scan types
| Scan Type | Command |
|---|---|
| TCP SYN scan | sudo nmap -sS target |
| TCP connect scan | nmap -sT target |
| UDP scan | sudo nmap -sU target |
| Ping scan | nmap -sn target |
| Idle scan | sudo nmap -sI zombie target |
Service and OS detection
| Task | Command |
|---|---|
| Detect service versions | nmap -sV target |
| Detect operating system | sudo nmap -O target |
| Aggressive scan | sudo nmap -A target |
| OS guess mode | sudo nmap --osscan-guess target |
| Enable traceroute | nmap --traceroute target |
Firewall and security scanning
| Task | Command |
|---|---|
| Detect firewall | sudo nmap -sA target |
| ACK scan | sudo nmap -sA target |
| FIN scan | sudo nmap -sF target |
| Null scan | sudo nmap -sN target |
| Xmas scan | sudo nmap -sX target |
| Fragment packets | sudo nmap -f target |
| Use decoy addresses | sudo nmap -D RND:10 target |
Performance and timing options
| Task | Command |
|---|---|
| Fast scan | nmap -F target |
| Timing template (aggressive) | nmap -T4 target |
| Timing template (paranoid) | nmap -T0 target |
| Limit scan rate | nmap --max-rate 100 target |
| Limit retries | nmap --max-retries 2 target |
Output and reporting commands
| Task | Command |
|---|---|
| Verbose output | nmap -v target |
| Very verbose | nmap -vv target |
| Save output to file | nmap -oN scan.txt target |
| Save output in XML | nmap -oX scan.xml target |
| Save output in all formats | nmap -oA scan target |
| Show open ports only | nmap --open target |
Nmap scripting engine (NSE)
| Task | Command |
|---|---|
| Run default scripts | nmap -sC target |
| Run vulnerability scripts | nmap --script vuln target |
| Run safe scripts | nmap --script safe target |
| Run all scripts | nmap --script all target |
| Run specific script | nmap --script http-title target |
Advanced network analysis
| Task | Command |
|---|---|
| Show packet trace | nmap --packet-trace target |
| Debug scan process | nmap -d target |
| Show network interfaces | nmap --iflist |
| Enable IPv6 scanning | nmap -6 target |
| Set host timeout | nmap --host-timeout 30s target |
Example practical scans
| Scenario | Command |
|---|---|
| Quick network scan | nmap 192.168.1.0/24 |
| Detect services and OS | sudo nmap -A target |
| Scan web server ports | nmap -p 80,443 target |
| Full port scan | nmap -p- target |
| Vulnerability scan | nmap --script vuln target |
Understanding Nmap Command in Linux
Nmap (Network Mapper) is a powerful open-source network scanning tool used for network discovery and security auditing. It allows administrators to identify active hosts, detect open ports, determine running services, and analyze network security configurations.
System administrators, security professionals, and penetration testers widely use Nmap to monitor network activity and detect vulnerabilities.
What is Nmap and how it works
Nmap works by sending specially crafted packets to target systems and analyzing their responses. Based on the responses received, Nmap can determine various details about the target system.
Nmap can identify:
- Active hosts on the network
- Open or closed ports
- Running services
- Operating systems
- Firewall configurations
By analyzing this information, administrators can understand the security posture of their network.
Nmap architecture and scanning techniques
Nmap uses several scanning techniques to collect network information. These techniques rely on different types of packet probes and response analysis.
Common scanning techniques include:
- TCP SYN scanning – stealth scanning technique
- TCP connect scanning – full TCP connection scanning
- UDP scanning – scanning UDP services
- Ping scanning – identifying active hosts
These techniques allow Nmap to gather detailed network information while adapting to different network conditions.
Difference between Nmap scan types
Different scan types are used depending on the objective of the scan.
| Scan Type | Description |
|---|---|
| Host discovery | Identifies active hosts on the network |
| Port scanning | Detects open ports on hosts |
| Service detection | Identifies services running on ports |
| OS detection | Determines operating system of target |
| Firewall detection | Identifies packet filtering mechanisms |
Each scan type provides specific insights that help administrators analyze network security.
Installing Nmap in Linux
Most Linux distributions include Nmap in their default package repositories. This allows administrators to install the tool quickly using the system package manager.
Install Nmap on Ubuntu and Debian
On Debian-based systems such as Ubuntu, you can install Nmap using the apt package manager.
```bash
sudo apt update
sudo apt install nmap
```
Install Nmap on RHEL, CentOS and Rocky Linux
On Red Hat based systems, you can install Nmap using the dnf or yum package manager.
```bash
sudo dnf install nmap
```
OR
```bash
sudo yum install nmap
```
Install Nmap on Kali Linux
Kali Linux is widely used for penetration testing and security auditing. Nmap is usually preinstalled in Kali Linux.
If it is not installed, you can install it using:
```bash
sudo apt install nmap
```
Verify Nmap installation in Linux
After installing Nmap, verify that it is installed correctly by running:
```bash
nmap --version
```
Example output:
```text
Nmap version 7.94
https://nmap.org
```
You can also view the help page to see available options.
```bash
nmap --help
```
This confirms that Nmap is installed and ready to use for network scanning.
Discover Hosts in a Network
Scan a single host using Nmap
To scan a single host, provide the IP address or hostname to the nmap command. Nmap will check the host and report open ports and services.
```bash
nmap 192.168.1.10
```
This command scans the most common 1000 TCP ports on the target host.
Scan multiple hosts with Nmap
You can scan multiple hosts in a single command by listing them separated by spaces.
```bash
nmap 192.168.1.10 192.168.1.11 192.168.1.12
```
This is useful when you want to scan a few specific systems in a network.
Scan a subnet using Nmap
To scan an entire subnet, use CIDR notation.
```bash
nmap 192.168.1.0/24
```
This command scans all 256 IP addresses in the subnet.
Discover live hosts in a network
Sometimes you only want to identify which hosts are active without scanning ports. Use the ping scan option.
```bash
nmap -sn 192.168.1.0/24
```
This command performs host discovery and reports which systems are online.
Perform ping sweep using Nmap
A ping sweep checks which hosts are alive in a network range.
```bash
nmap -sn 10.0.0.1-100
```
This command identifies all active systems between IP address 10.0.0.1 and 10.0.0.100.
Perform Basic Port Scanning
Scan default 1000 ports using Nmap
By default, Nmap scans the most commonly used 1000 ports on the target system.
```bash
nmap 192.168.1.10
```
This provides a quick overview of open services on the system.
Scan a specific port on a host
You can scan a specific port using the -p option.
```bash
nmap -p 80 192.168.1.10
```
This command checks whether port 80 is open on the target system.
Scan multiple ports using Nmap
Multiple ports can be scanned by separating them with commas.
```bash
nmap -p 22,80,443 192.168.1.10
```
This command scans the SSH, HTTP, and HTTPS ports.
Scan a range of ports
A port range can be scanned using the dash symbol.
```bash
nmap -p 20-100 192.168.1.10
```
This command scans ports 20 through 100.
Scan all ports on a host
To scan all available TCP ports (1–65535), use the following command.
```bash
nmap -p- 192.168.1.10
```
This performs a complete TCP port scan of the system.
Identify Services and Versions
Detect running services on a host
To identify services running on open ports, use service detection.
```bash
nmap -sV 192.168.1.10
```
This command probes open ports to determine which services are running.
Detect service versions using Nmap
Service version detection helps identify the software version of running services.
```bash
nmap -sV example.com
```
Identify open services on remote servers
You can combine port scanning and service detection.
```bash
nmap -p 80,443 -sV example.com
```
This command identifies web services running on the server.
Detect application versions running on ports
To gather more information about services and applications, run an aggressive scan.
```bash
sudo nmap -A 192.168.1.10
```
This command performs OS detection, service detection, script scanning, and traceroute.
Detect Operating System and Network Information
Detect operating system using Nmap
Operating system detection can be performed using the -O option.
```bash
sudo nmap -O 192.168.1.10
```
Nmap compares response signatures to identify the most likely operating system.
Perform aggressive scan using Nmap
Aggressive scanning enables several detection techniques simultaneously.
```bash
sudo nmap -A 192.168.1.10
```
This command performs OS detection, service detection, script scanning, and traceroute.
Identify device type on network
Nmap can sometimes identify device types such as routers, printers, or servers.
```bash
sudo nmap -A 192.168.1.10
```
This helps understand the role of systems within the network.
Perform traceroute using Nmap
Traceroute reveals the network path between your system and the target host.
```bash
nmap --traceroute 192.168.1.10
```
This can help diagnose routing issues.
Advanced Scanning Techniques
Nmap supports several advanced scanning techniques that help bypass firewalls and gather deeper network insights.
TCP SYN scan using Nmap
The SYN scan is one of the most commonly used scanning techniques.
```bash
sudo nmap -sS 192.168.1.10
```
It is often referred to as a stealth scan because it does not complete the TCP handshake.
TCP connect scan
TCP connect scan performs a full TCP handshake and is used when SYN scanning is not permitted.
```bash
nmap -sT 192.168.1.10
```
This scan works without root privileges.
UDP scan using Nmap
UDP scanning identifies services running on UDP ports.
```bash
sudo nmap -sU 192.168.1.10
```
This scan can detect services such as DNS, DHCP, and SNMP.
Stealth scan techniques
Stealth scans attempt to avoid detection by firewalls or intrusion detection systems.
```bash
sudo nmap -sF 192.168.1.10
```
Other stealth scans include the NULL scan (-sN) and the Xmas scan (-sX).
Scan using custom port lists
You can specify custom port lists for targeted scans.
```bash
nmap -p 21,22,80,443 192.168.1.10
```
This command scans the common FTP, SSH, HTTP, and HTTPS ports.
Bypass Firewall and Security Filters
Detect firewall using Nmap
You can use an ACK scan to determine whether a firewall is filtering packets.
```bash
sudo nmap -sA 192.168.1.10
```
This scan does not determine open ports but helps identify whether a firewall is present and filtering traffic.
Scan hosts behind firewall
If a firewall blocks ICMP ping requests, Nmap may mark the host as down. You can skip host discovery to force Nmap to scan the target.
```bash
nmap -Pn 192.168.1.10
```
This option treats the host as online and performs the scan even if ping responses are blocked.
Fragment packets to bypass firewall
Some firewalls analyze packet sizes to detect scanning activities. Fragmenting packets can sometimes bypass basic packet filtering rules.
```bash
sudo nmap -f 192.168.1.10
```
This option breaks the scan packets into smaller fragments, making them harder for some firewalls to analyze.
Scan using decoy addresses
Decoy scanning hides the real source of the scan by using multiple spoofed IP addresses.
```bash
sudo nmap -D RND:10 192.168.1.10
```
This command uses 10 random decoy IP addresses to disguise the real scanning source.
Scan Networks Faster
Large network scans can take a long time. Nmap includes several performance options to speed up scans or control scanning behavior.
Perform fast scan using Nmap
The fast scan option checks fewer ports than the default scan.
```bash
nmap -F 192.168.1.10
```
This significantly reduces scan time by scanning only the most common ports.
Limit scan rate for stealth scanning
You can control the packet sending rate to avoid overwhelming the network or triggering security systems.
```bash
nmap --max-rate 100 192.168.1.10
```
This command limits the scan to 100 packets per second.
Scan hosts using parallel scanning
Nmap automatically scans multiple hosts in parallel to improve performance.
```bash
nmap 192.168.1.1-50
```
This command scans multiple hosts simultaneously, reducing the total scanning time.
Control scan timing templates
Nmap provides predefined timing templates to control scan speed.
```bash
nmap -T4 192.168.1.10
```
Common timing options include:
| Timing Template | Description |
|---|---|
| -T0 | Paranoid scan (very slow) |
| -T2 | Polite scan |
| -T3 | Normal scan |
| -T4 | Aggressive scan |
| -T5 | Very aggressive scan |
Use Nmap with Input Files
When scanning large networks, it is often easier to store target hosts in a file and scan them automatically.
Scan hosts from a file
You can scan hosts listed in a text file using the -iL option.
```bash
nmap -iL targets.txt
```
Each line in the file should contain a hostname or IP address.
Example file:
```text
192.168.1.10
192.168.1.11
192.168.1.12
```
Scan IP ranges from file input
The input file can also contain IP ranges or subnet definitions.
Example:
```text
192.168.1.0/24
10.0.0.1-50
```
Then run the scan:
```bash
nmap -iL network_targets.txt
```
Automate large scale scanning
Using input files allows administrators to automate network scanning tasks.
```bash
nmap -iL targets.txt -oN scan_results.txt
```
This command scans all targets in the file and saves the results for later analysis.
Filter and Format Nmap Output
Show only open ports in Nmap
To display only open ports in the scan results, use the --open option.
```bash
nmap --open 192.168.1.10
```
This helps focus on active services rather than closed ports.
Display scan reasons in Nmap output
You can display the reason why a port is considered open or closed.
```bash
nmap --reason 192.168.1.10
```
This provides additional diagnostic information in the output.
Save scan results to file
To save the scan results in a normal text file format, use:
```bash
nmap -oN scan.txt 192.168.1.10
```
This allows you to review results later or share them with others.
Export Nmap output in XML format
XML output is useful when integrating Nmap results with other tools or scripts.
```bash
nmap -oX scan.xml 192.168.1.10
```
Convert Nmap results for reporting
You can save scan results in multiple formats simultaneously using the -oA option.
```bash
nmap -oA scan_report 192.168.1.10
```
This command generates:
- Normal output (scan_report.nmap)
- XML output (scan_report.xml)
- Grepable output (scan_report.gnmap)
Troubleshoot Network with Nmap
Detect unreachable hosts
If a system is not responding to requests, you can perform host discovery to determine whether the system is online.
```bash
nmap -sn 192.168.1.0/24
```
This command scans the subnet and reports which hosts are active. If a host does not appear in the results, it may be offline or blocked by a firewall.
Identify blocked ports
Blocked ports can prevent services from functioning properly. You can scan a host to identify open, closed, or filtered ports.
```bash
nmap -p 1-1000 192.168.1.10
```
The scan results show whether ports are open, closed, or filtered, helping determine whether a firewall or security rule is blocking access.
Debug network routing issues
Routing problems can cause connectivity failures between systems. Nmap can help detect such issues using packet tracing.
```bash
nmap --packet-trace 192.168.1.10
```
This command shows all packets sent and received during the scan, which helps administrators diagnose network routing problems.
Trace network paths to hosts
You can trace the network path between your system and the target host.
```bash
nmap --traceroute 192.168.1.10
```
Traceroute reveals the intermediate routers and network hops involved in reaching the destination.
Perform Security Audits with Nmap
Identify vulnerable services
You can use the Nmap scripting engine to check for vulnerabilities.
```bash
nmap --script vuln 192.168.1.10
```
This command runs vulnerability detection scripts to identify common security weaknesses.
Scan for exposed ports
Scanning for open ports helps identify services accessible from the network.
```bash
nmap -p- 192.168.1.10
```
This command scans all 65535 TCP ports on the target host.
Discover unauthorized hosts
Administrators can periodically scan networks to detect unauthorized or unknown devices.
```bash
nmap -sn 192.168.1.0/24
```
This command lists all active devices in the subnet, helping detect unauthorized systems.
Monitor network services
You can monitor services running on servers by performing periodic scans.
```bash
nmap -sV 192.168.1.10
```
This command detects services and versions running on open ports, helping identify outdated or vulnerable applications.
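Periodic -sn and -sV scans only detect unauthorized hosts or changed services when each run is compared against an asset inventory and against the previous run. The following Python is an added example, not part of the original article: it reads the grepable .gnmap file that -oA writes, flags hosts missing from a KNOWN_HOSTS inventory, and diffs a baseline scan against a current one; both scan texts, the inventory and every address and version in them are constructed for illustration.

```python
from collections import defaultdict

# Constructed .gnmap output of a baseline scan; addresses, hostnames and versions are made up.
BASELINE_GNMAP = """\
# Nmap 7.94 scan initiated Mon Jan  1 09:00:00 2024 as: nmap -sV -oA baseline 192.168.1.0/24
Host: 192.168.1.10 (web01.lab.example)\tStatus: Up
Host: 192.168.1.10 (web01.lab.example)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/open/tcp//http//nginx 1.18.0/\tIgnored State: closed (998)
"""

# Constructed .gnmap output of a later run of the same command.
CURRENT_GNMAP = """\
# Nmap 7.94 scan initiated Mon Jan  8 09:00:00 2024 as: nmap -sV -oA current 192.168.1.0/24
Host: 192.168.1.10 (web01.lab.example)\tStatus: Up
Host: 192.168.1.10 (web01.lab.example)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/open/tcp//http//nginx 1.24.0/, 8080/open/tcp//http-proxy//Jetty 9.4.49/\tIgnored State: closed (997)
Host: 192.168.1.23 ()\tStatus: Up
Host: 192.168.1.23 ()\tPorts: 3389/open/tcp//ms-wbt-server//Microsoft Terminal Services/\tIgnored State: filtered (999)
"""

# Asset inventory (constructed): addresses that are allowed to be on this subnet.
KNOWN_HOSTS = {"192.168.1.10", "192.168.1.11"}


def parse_gnmap(text):
    """Return {host: {(proto, port): (state, service, version)}} for each host reported Up."""
    hosts = defaultdict(dict)
    for line in text.splitlines():
        if not line.startswith("Host: "):
            continue  # "# Nmap ..." comment lines carry no host data
        fields = dict(f.split(": ", 1) for f in line.split("\t"))
        addr = fields["Host"].split(" ", 1)[0]
        if fields.get("Status") == "Up":
            hosts.setdefault(addr, {})  # record the host even when it has no open ports
        # Each Ports entry is port/state/protocol/owner/service/rpc-info/version/
        for entry in filter(None, fields.get("Ports", "").split(", ")):
            port, state, proto, _owner, service, _rpc, version = entry.split("/")[:7]
            hosts[addr][(proto, int(port))] = (state, service, version)
    return dict(hosts)


def unknown_hosts(scan, inventory):
    """Hosts that answered the scan but are missing from the asset inventory."""
    return sorted(set(scan) - set(inventory))


def diff_scans(baseline, current):
    """(host, change, detail) tuples for hosts and open ports that differ between two scans."""
    changes = []
    for host in sorted(set(baseline) | set(current)):
        if host not in current:
            changes.append((host, "host gone", ""))
            continue
        if host not in baseline:
            changes.append((host, "new host", ""))
        old = {k: v for k, v in baseline.get(host, {}).items() if v[0] == "open"}
        new = {k: v for k, v in current[host].items() if v[0] == "open"}
        for key in sorted(set(old) | set(new)):
            label = f"{key[1]}/{key[0]}"
            if key not in old:
                changes.append((host, "new open port", f"{label} {new[key][1]} {new[key][2]}".strip()))
            elif key not in new:
                changes.append((host, "port no longer open", label))
            elif old[key][2] != new[key][2]:
                changes.append((host, "version changed", f"{label} {old[key][2]} -> {new[key][2]}"))
    return changes
```

Running the two scans with `-oA` on a schedule and feeding the `.gnmap` files through `diff_scans` turns the raw output into a short list of new hosts, newly exposed ports and changed versions to review.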
Nmap vs Other Network Scanning Tools
Nmap vs Netcat
Netcat is a lightweight networking utility used for debugging and testing network connections. While Netcat can check open ports, it lacks advanced scanning capabilities available in Nmap.
| Feature | Nmap | Netcat |
|---|---|---|
| Port scanning | Yes | Limited |
| OS detection | Yes | No |
| Service detection | Yes | No |
| Security auditing | Yes | No |
Nmap vs Masscan
Masscan is designed for extremely fast internet-scale scanning. However, it does not provide detailed service detection like Nmap.
| Feature | Nmap | Masscan |
|---|---|---|
| Scan speed | Moderate | Extremely fast |
| Service detection | Yes | No |
| OS detection | Yes | No |
| Large-scale scanning | Limited | Excellent |
Nmap vs Nessus
Nessus is a vulnerability scanning tool designed for automated security assessments. Nmap focuses on network discovery and scanning rather than full vulnerability analysis.
| Feature | Nmap | Nessus |
|---|---|---|
| Network discovery | Yes | Yes |
| Port scanning | Yes | Yes |
| Vulnerability scanning | Limited | Advanced |
| Security reporting | Basic | Detailed |
When to use each tool
Different tools serve different purposes depending on the network analysis requirements.
- Nmap – best for network discovery and port scanning
- Netcat – useful for quick network debugging
- Masscan – ideal for extremely fast scanning of large networks
- Nessus – used for advanced vulnerability scanning and security auditing
Frequently Asked Questions
1. What is Nmap in Linux?
Nmap (Network Mapper) is an open-source command-line tool used for network discovery and security auditing. It helps identify hosts, open ports, running services, operating systems, and firewall configurations on a network.
2. What is the Nmap command used for?
The Nmap command is used to scan networks, discover live hosts, detect open ports, identify running services, and perform security auditing on systems connected to a network.
3. How do you scan a host using Nmap?
You can scan a host using the command nmap followed by the IP address or hostname, for example nmap 192.168.1.10. This command identifies open ports and services running on the target host.
4. Is Nmap available on Linux and Kali Linux?
Yes, Nmap is available on most Linux distributions including Ubuntu, Debian, CentOS, Rocky Linux, and Kali Linux. It can be installed using the default package manager.
5. Can Nmap detect operating systems?
Yes, Nmap can perform operating system detection using the -O option, which analyzes network responses to identify the operating system running on the target host.
Summary
The Nmap command is one of the most powerful tools in Linux for network discovery, port scanning, and security auditing. It allows administrators and security professionals to identify active hosts, detect open ports, determine running services, and even identify the operating system used by remote systems.
In this guide, we explored multiple Nmap command examples and scenarios, including host discovery, port scanning, service detection, firewall bypass techniques, and network troubleshooting. We also covered advanced scanning techniques, performance tuning, and output formatting options that help analyze scan results efficiently.
Using these Nmap commands and cheat sheet references, you can perform effective network analysis, troubleshoot connectivity issues, and strengthen network security by identifying exposed services and potential vulnerabilities.
Official Documentation
For more detailed information about Nmap commands and advanced scanning techniques, refer to the official documentation.

