Nmap Command in Linux: 30+ Nmap Command Examples and Cheat Sheet

Learn the Nmap command in Linux with 30+ practical examples and a quick cheat sheet. This guide explains how to perform host discovery, port scanning, service detection, OS detection, firewall detection, and network auditing using Nmap commands in Linux and Kali Linux.


Reviewed by Deepak Prasad


Nmap (Network Mapper) is a powerful open-source command-line tool used for network discovery and security auditing in Linux. It helps administrators identify active hosts, open ports, running services, operating systems, and potential vulnerabilities on a network.

In this guide, we will explore the most useful Nmap commands in Linux with practical examples and a quick cheat sheet to help you perform host discovery, port scanning, and network analysis efficiently.


Nmap Command Quick Cheat Sheet

The following Nmap cheat sheet provides a quick reference for the most commonly used Nmap commands and options in Linux. These commands help perform host discovery, port scanning, service detection, operating system identification, and security auditing.

Nmap basic command reference table

| Task | Command |
|------|---------|
| Scan a host | nmap 192.168.1.1 |
| Scan hostname | nmap example.com |
| Scan multiple hosts | nmap 192.168.1.1 192.168.1.2 |
| Scan subnet | nmap 192.168.1.0/24 |
| Scan IP range | nmap 192.168.1.1-50 |
| Scan hosts from file | nmap -iL targets.txt |
| Random target scanning | nmap -iR 10 |
| List targets without scanning | nmap -sL 192.168.1.0/24 |

Host discovery commands

| Task | Command |
|------|---------|
| Discover live hosts | nmap -sn 192.168.1.0/24 |
| Ping sweep network | nmap -sn 10.0.0.0/24 |
| Skip host discovery | nmap -Pn target |
| Use ICMP echo requests | nmap -PE target |
| Use TCP SYN ping | nmap -PS target |
| Use UDP ping | nmap -PU target |

Port scanning commands

| Task | Command |
|------|---------|
| Scan default 1000 ports | nmap target |
| Scan specific port | nmap -p 80 target |
| Scan multiple ports | nmap -p 22,80,443 target |
| Scan port range | nmap -p 1-1000 target |
| Scan all ports | nmap -p- target |
| Scan UDP ports | sudo nmap -sU target |
| Scan TCP ports | nmap -sT target |

Common scan types

| Scan Type | Command |
|-----------|---------|
| TCP SYN scan | sudo nmap -sS target |
| TCP connect scan | nmap -sT target |
| UDP scan | sudo nmap -sU target |
| Ping scan | nmap -sn target |
| Idle scan | sudo nmap -sI zombie target |

Service and OS detection

| Task | Command |
|------|---------|
| Detect service versions | nmap -sV target |
| Detect operating system | sudo nmap -O target |
| Aggressive scan | sudo nmap -A target |
| OS guess mode | sudo nmap -O --osscan-guess target |
| Enable traceroute | sudo nmap --traceroute target |

Firewall and security scanning

| Task | Command |
|------|---------|
| Detect firewall | sudo nmap -sA target |
| ACK scan | sudo nmap -sA target |
| FIN scan | sudo nmap -sF target |
| Null scan | sudo nmap -sN target |
| Xmas scan | sudo nmap -sX target |
| Fragment packets | sudo nmap -f target |
| Use decoy addresses | sudo nmap -D RND:10 target |

Performance and timing options

| Task | Command |
|------|---------|
| Fast scan | nmap -F target |
| Timing template (aggressive) | nmap -T4 target |
| Timing template (paranoid) | nmap -T0 target |
| Limit scan rate | nmap --max-rate 100 target |
| Limit retries | nmap --max-retries 2 target |

Output and reporting commands

| Task | Command |
|------|---------|
| Verbose output | nmap -v target |
| Very verbose | nmap -vv target |
| Save output to file | nmap -oN scan.txt target |
| Save output in XML | nmap -oX scan.xml target |
| Save output in all formats | nmap -oA scan target |
| Show open ports only | nmap --open target |

Nmap scripting engine (NSE)

| Task | Command |
|------|---------|
| Run default scripts | nmap -sC target |
| Run vulnerability scripts | nmap --script vuln target |
| Run safe scripts | nmap --script safe target |
| Run all scripts | nmap --script all target |
| Run specific script | nmap --script http-title target |

Advanced network analysis

| Task | Command |
|------|---------|
| Show packet trace | nmap --packet-trace target |
| Debug scan process | nmap -d target |
| Show network interfaces | nmap --iflist |
| Enable IPv6 scanning | nmap -6 target |
| Set host timeout | nmap --host-timeout 30s target |

Example practical scans

| Scenario | Command |
|----------|---------|
| Quick network scan | nmap 192.168.1.0/24 |
| Detect services and OS | sudo nmap -A target |
| Scan web server ports | nmap -p 80,443 target |
| Full port scan | nmap -p- target |
| Vulnerability scan | nmap --script vuln target |

Understanding Nmap Command in Linux

Nmap (Network Mapper) is a powerful open-source network scanning tool used for network discovery and security auditing. It allows administrators to identify active hosts, detect open ports, determine running services, and analyze network security configurations.

System administrators, security professionals, and penetration testers widely use Nmap to monitor network activity and detect vulnerabilities.

What is Nmap and how it works

Nmap works by sending specially crafted packets to target systems and analyzing their responses. Based on the responses received, Nmap can determine various details about the target system.

Nmap can identify:

  • Active hosts on the network
  • Open or closed ports
  • Running services
  • Operating systems
  • Firewall configurations

By analyzing this information, administrators can understand the security posture of their network.

Nmap architecture and scanning techniques

Nmap uses several scanning techniques to collect network information. These techniques rely on different types of packet probes and response analysis.

Common scanning techniques include:

  • TCP SYN scanning – stealth scanning technique
  • TCP connect scanning – full TCP connection scanning
  • UDP scanning – scanning UDP services
  • Ping scanning – identifying active hosts

These techniques allow Nmap to gather detailed network information while adapting to different network conditions.

Difference between Nmap scan types

Different scan types are used depending on the objective of the scan.

| Scan Type | Description |
|-----------|-------------|
| Host discovery | Identifies active hosts on the network |
| Port scanning | Detects open ports on hosts |
| Service detection | Identifies services running on ports |
| OS detection | Determines operating system of target |
| Firewall detection | Identifies packet filtering mechanisms |

Each scan type provides specific insights that help administrators analyze network security.


Installing Nmap in Linux

Most Linux distributions include Nmap in their default package repositories. This allows administrators to install the tool quickly using the system package manager.

Install Nmap on Ubuntu and Debian

On Debian-based systems such as Ubuntu, you can install Nmap using the apt package manager.

bash
sudo apt update
sudo apt install nmap

Install Nmap on RHEL, CentOS and Rocky Linux

On Red Hat based systems, you can install Nmap using the dnf or yum package manager.

bash
sudo dnf install nmap

OR

bash
sudo yum install nmap

Install Nmap on Kali Linux

Kali Linux is widely used for penetration testing and security auditing. Nmap is usually preinstalled in Kali Linux.

If it is not installed, you can install it using:

bash
sudo apt install nmap

Verify Nmap installation in Linux

After installing Nmap, verify that it is installed correctly by running:

bash
nmap --version

Example output:

text
Nmap version 7.94
https://nmap.org

You can also view the help page to see available options.

bash
nmap --help

This confirms that Nmap is installed and ready to use for network scanning.


Discover Hosts in a Network

Scan a single host using Nmap

To scan a single host, provide the IP address or hostname to the nmap command. Nmap will check the host and report open ports and services.

bash
nmap 192.168.1.10

This command scans the most common 1000 TCP ports on the target host.

Scan multiple hosts with Nmap

You can scan multiple hosts in a single command by listing them separated by spaces.

bash
nmap 192.168.1.10 192.168.1.11 192.168.1.12

This is useful when you want to scan a few specific systems in a network.

Scan a subnet using Nmap

To scan an entire subnet, use CIDR notation.

bash
nmap 192.168.1.0/24

This command scans all 256 IP addresses in the subnet.

Discover live hosts in a network

Sometimes you only want to identify which hosts are active without scanning ports. Use the ping scan option.

bash
nmap -sn 192.168.1.0/24

This command performs host discovery and reports which systems are online.

Perform ping sweep using Nmap

A ping sweep checks which hosts are alive in a network range.

bash
nmap -sn 10.0.0.1-100

This command identifies all active systems between IP address 10.0.0.1 and 10.0.0.100.

Perform Basic Port Scanning

Scan default 1000 ports using Nmap

By default, Nmap scans the most commonly used 1000 ports on the target system.

bash
nmap 192.168.1.10

This provides a quick overview of open services on the system.

Scan a specific port on a host

You can scan a specific port using the -p option.

bash
nmap -p 80 192.168.1.10

This command checks whether port 80 is open on the target system.

Scan multiple ports using Nmap

Multiple ports can be scanned by separating them with commas.

bash
nmap -p 22,80,443 192.168.1.10

This command scans SSH, HTTP, and HTTPS ports.

Scan a range of ports

A port range can be scanned using the dash symbol.

bash
nmap -p 20-100 192.168.1.10

This command scans ports between 20 and 100.

Scan all ports in a host

To scan all available TCP ports (1–65535), use the following command.

bash
nmap -p- 192.168.1.10

This performs a complete port scan of the system.

Identify Services and Versions

Detect running services on a host

To identify services running on open ports, use service detection.

bash
nmap -sV 192.168.1.10

This command probes open ports to determine which services are running.

Detect service versions using Nmap

Service version detection helps identify the software version of running services.

bash
nmap -sV example.com

Identify open services on remote servers

You can combine port scanning and service detection.

bash
nmap -p 80,443 -sV example.com

This command identifies web services running on the server.

Detect application versions running on ports

To gather more information about services and applications, run an aggressive scan.

bash
sudo nmap -A 192.168.1.10

This command performs OS detection, service detection, script scanning, and traceroute.

Detect Operating System and Network Information

Detect operating system using Nmap

Operating system detection can be performed using the -O option.

bash
sudo nmap -O 192.168.1.10

Nmap compares response signatures to identify the most likely operating system.

Perform aggressive scan using Nmap

Aggressive scanning enables several detection techniques simultaneously.

bash
sudo nmap -A 192.168.1.10

This command performs OS detection, service detection, script scanning, and traceroute.

Identify device type on network

Nmap can sometimes identify device types such as routers, printers, or servers.

bash
sudo nmap -A 192.168.1.10

This helps understand the role of systems within the network.

Perform traceroute using Nmap

Traceroute reveals the network path between your system and the target host.

bash
sudo nmap --traceroute 192.168.1.10

This can help diagnose routing issues.

Advanced Scanning Techniques

Nmap supports several advanced scanning techniques that help bypass firewalls and gather deeper network insights.

TCP SYN scan using Nmap

The SYN scan is one of the most commonly used scanning techniques.

bash
sudo nmap -sS 192.168.1.10

It is often referred to as a stealth scan because it does not complete the TCP handshake, although firewalls and intrusion detection systems can still see and log the SYN probes.

TCP connect scan

TCP connect scan performs a full TCP handshake and is used when SYN scanning is not permitted.

bash
nmap -sT 192.168.1.10

This scan works without root privileges.

UDP scan using Nmap

UDP scanning identifies services running on UDP ports.

bash
sudo nmap -sU 192.168.1.10

This scan can detect services such as DNS, DHCP, and SNMP.

Stealth scan techniques

Stealth scans attempt to avoid detection by firewalls or intrusion detection systems.

bash
sudo nmap -sF 192.168.1.10

Other stealth scans include NULL scan (-sN) and Xmas scan (-sX).

Scan using custom port lists

You can specify custom port lists for targeted scans.

bash
nmap -p 21,22,80,443 192.168.1.10

This command scans common FTP, SSH, HTTP, and HTTPS ports.


Bypass Firewall and Security Filters

Detect firewall using Nmap

You can use an ACK scan to determine whether a firewall is filtering packets.

bash
sudo nmap -sA 192.168.1.10

This scan does not determine open ports. It reports each port as filtered or unfiltered, which helps identify whether a firewall is present and filtering traffic.

Scan hosts behind firewall

If a firewall blocks ICMP ping requests, Nmap may mark the host as down. You can skip host discovery to force Nmap to scan the target.

bash
nmap -Pn 192.168.1.10

This option treats the host as online and performs the scan even if ping responses are blocked.

Fragment packets to bypass firewall

Some firewalls analyze packet sizes to detect scanning activities. Fragmenting packets can sometimes bypass basic packet filtering rules.

bash
sudo nmap -f 192.168.1.10

This option breaks the scan packets into smaller fragments, making them harder for some firewalls to analyze.

Scan using decoy addresses

Decoy scanning hides the real source of the scan by using multiple spoofed IP addresses.

bash
sudo nmap -D RND:10 192.168.1.10

This command uses 10 random decoy IP addresses to disguise the real scanning source.

Scan Networks Faster

Large network scans can take a long time. Nmap includes several performance options to speed up scans or control scanning behavior.

Perform fast scan using Nmap

The fast scan option checks fewer ports than the default scan.

bash
nmap -F 192.168.1.10

This significantly reduces scan time by scanning only the most common ports.

Limit scan rate for stealth scanning

You can control the packet sending rate to avoid overwhelming the network or triggering security systems.

bash
nmap --max-rate 100 192.168.1.10

This command limits the scan to 100 packets per second.

Scan hosts using parallel scanning

Nmap automatically scans multiple hosts in parallel to improve performance.

bash
nmap 192.168.1.1-50

This command scans multiple hosts simultaneously, reducing the total scanning time.

Control scan timing templates

Nmap provides predefined timing templates to control scan speed.

bash
nmap -T4 192.168.1.10

Common timing options include:

| Timing Template | Description |
|-----------------|-------------|
| -T0 | Paranoid scan (very slow) |
| -T2 | Polite scan |
| -T3 | Normal scan |
| -T4 | Aggressive scan |
| -T5 | Very aggressive scan |

Use Nmap with Input Files

When scanning large networks, it is often easier to store target hosts in a file and scan them automatically.

Scan hosts from a file

You can scan hosts listed in a text file using the -iL option.

bash
nmap -iL targets.txt

Each line in the file should contain a hostname or IP address.

Example file:

text
192.168.1.10
192.168.1.11
192.168.1.12

Scan IP ranges from file input

The input file can also contain IP ranges or subnet definitions.

Example:

text
192.168.1.0/24
10.0.0.1-50

Then run the scan:

bash
nmap -iL network_targets.txt

Automate large scale scanning

Using input files allows administrators to automate network scanning tasks.

bash
nmap -iL targets.txt -oN scan_results.txt

This command scans all targets in the file and saves the results for later analysis.
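
Before handing a targets file to an automated scan, it is worth checking every entry against the ranges you are authorized to scan. The following is an added example, not part of the original guide: the function names, the authorized ranges, and the sample file contents are assumptions constructed for illustration. It understands the three entry styles shown above (single IP, CIDR, and octet ranges such as 10.0.0.1-50) and sets hostnames aside for manual review because they cannot be resolved offline.

```python
import ipaddress
import itertools

# Constructed sample data: ranges you are permitted to scan, and a targets file.
AUTHORIZED = ["192.168.1.0/24", "10.0.0.0/26"]
SAMPLE_TARGETS = """\
# constructed sample in the targets.txt format shown above
192.168.1.10
192.168.1.0/24
10.0.0.1-50
172.16.5.1-20
example.com
"""

def _octet_values(spec):
    """Expand one octet such as '10', '1-50' or '1,3-5' into a list of ints."""
    values = []
    for part in spec.split(","):
        lo, dash, hi = part.partition("-")
        lo = int(lo)                      # ValueError for non-numeric text
        hi = int(hi) if dash else lo
        if not 0 <= lo <= hi <= 255:
            raise ValueError(f"bad octet range: {part}")
        values.extend(range(lo, hi + 1))
    return values

def entry_networks(entry):
    """Translate one entry into ip_network objects; None means hostname or unparsed."""
    try:
        # Single address or CIDR; strict=False accepts host bits, e.g. 192.168.1.10/24.
        return [ipaddress.ip_network(entry, strict=False)]
    except ValueError:
        pass
    octets = entry.split(".")
    if len(octets) != 4:
        return None
    try:
        choices = [_octet_values(o) for o in octets]
    except ValueError:
        return None
    return [ipaddress.ip_network(".".join(map(str, combo)))
            for combo in itertools.product(*choices)]

def check_scope(lines, authorized):
    """Sort targets-file entries into in_scope, out_of_scope and review buckets."""
    allowed = [ipaddress.ip_network(n) for n in authorized]
    report = {"in_scope": [], "out_of_scope": [], "review": []}
    for raw in lines:
        # Text after '#' is skipped as a comment; a line may hold several entries.
        for entry in raw.split("#", 1)[0].split():
            nets = entry_networks(entry)
            if nets is None:
                report["review"].append(entry)
            elif all(any(n.version == a.version and n.subnet_of(a) for a in allowed)
                     for n in nets):
                report["in_scope"].append(entry)
            else:
                # Any address outside the authorized ranges rejects the whole entry.
                report["out_of_scope"].append(entry)
    return report

if __name__ == "__main__":
    for bucket, entries in check_scope(SAMPLE_TARGETS.splitlines(), AUTHORIZED).items():
        print(f"{bucket}: {entries}")
```

Run the scan only when the out_of_scope and review lists are empty or have been cleared by whoever authorized the work.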


Filter and Format Nmap Output

Show only open ports in Nmap

To display only open ports in the scan results, use the --open option.

bash
nmap --open 192.168.1.10

This helps focus on active services rather than closed ports.

Display scan reasons in Nmap output

You can display the reason why a port is considered open or closed.

bash
nmap --reason 192.168.1.10

This provides additional diagnostic information in the output.

Save scan results to file

To save the scan results in a normal text file format, use:

bash
nmap -oN scan.txt 192.168.1.10

This allows you to review results later or share them with others.

Export Nmap output in XML format

XML output is useful when integrating Nmap results with other tools or scripts.

bash
nmap -oX scan.xml 192.168.1.10

Convert Nmap results for reporting

You can save scan results in multiple formats simultaneously using the -oA option.

bash
nmap -oA scan_report 192.168.1.10

This command generates:

  • Normal output (.nmap)
  • XML output (.xml)
  • Grepable output (.gnmap)

Troubleshoot Network with Nmap

Detect unreachable hosts

If a system is not responding to requests, you can perform host discovery to determine whether the system is online.

bash
nmap -sn 192.168.1.0/24

This command scans the subnet and reports which hosts are active. If a host does not appear in the results, it may be offline or blocked by a firewall.

Identify blocked ports

Blocked ports can prevent services from functioning properly. You can scan a host to identify open, closed, or filtered ports.

bash
nmap -p 1-1000 192.168.1.10

The scan results will show whether ports are open, closed, or filtered, helping determine if a firewall or security rule is blocking access.

Debug network routing issues

Routing problems can cause connectivity failures between systems. Nmap can help detect such issues using packet tracing.

bash
nmap --packet-trace 192.168.1.10

This command shows all packets sent and received during the scan, which helps administrators diagnose network routing problems.

Trace network paths to hosts

You can trace the network path between your system and the target host.

bash
sudo nmap --traceroute 192.168.1.10

Traceroute reveals the intermediate routers and network hops involved in reaching the destination.


Perform Security Audits with Nmap

Identify vulnerable services

You can use the Nmap scripting engine to check for vulnerabilities.

bash
nmap --script vuln 192.168.1.10

This command runs vulnerability detection scripts to identify common security weaknesses.

Scan for exposed ports

Scanning for open ports helps identify services accessible from the network.

bash
nmap -p- 192.168.1.10

This command scans all 65535 TCP ports on the target host.

Discover unauthorized hosts

Administrators can periodically scan networks to detect unauthorized or unknown devices.

bash
nmap -sn 192.168.1.0/24

This command lists all active devices in the subnet, helping detect unauthorized systems.
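
To turn the periodic scan into an audit, compare the live hosts against an inventory of approved devices. The following is an added example, not part of the original guide: it assumes the scan was run as `nmap -sn -oG - 192.168.1.0/24` so the results arrive in grepable form, and the sample output, the inventory, and the function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample of grepable output from a ping scan.
SAMPLE_GNMAP = (
    "# Nmap 7.94 scan initiated as: nmap -sn -oG - 192.168.1.0/24\n"
    "Host: 192.168.1.1 (router.lan)\tStatus: Up\n"
    "Host: 192.168.1.10 ()\tStatus: Up\n"
    "Host: 192.168.1.12 ()\tStatus: Down\n"
    "Host: 192.168.1.23 ()\tStatus: Up\n"
    "Host: 192.168.1.9 (unknown-laptop.lan)\tStatus: Up\n"
    "# Nmap done -- 256 IP addresses (4 hosts up) scanned\n"
)

# Constructed inventory of approved devices: IP address -> description.
APPROVED = {
    "192.168.1.1": "gateway",
    "192.168.1.10": "file server",
    "192.168.1.12": "printer",
}

# Only hosts reported as Up count as live; the name in parentheses may be empty.
HOST_LINE = re.compile(r"^Host: (\S+) \((.*?)\)\s+Status: Up", re.MULTILINE)

def live_hosts(gnmap_text):
    """Map each live IP address to the hostname Nmap resolved for it."""
    return dict(HOST_LINE.findall(gnmap_text))

def audit_hosts(gnmap_text, approved):
    """Report live hosts missing from the inventory and approved hosts not seen."""
    live = live_hosts(gnmap_text)
    by_address = ipaddress.ip_address   # numeric sort, so .9 comes before .23
    unknown = sorted(set(live) - set(approved), key=by_address)
    missing = sorted(set(approved) - set(live), key=by_address)
    return {
        "unknown": [(ip, live[ip]) for ip in unknown],
        # A missing host may be powered off or may simply be filtering ping probes.
        "missing": [(ip, approved[ip]) for ip in missing],
    }

if __name__ == "__main__":
    result = audit_hosts(SAMPLE_GNMAP, APPROVED)
    for ip, name in result["unknown"]:
        print(f"UNKNOWN  {ip} {name or '(no reverse DNS)'}")
    for ip, role in result["missing"]:
        print(f"MISSING  {ip} {role}")
```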

Monitor network services

You can monitor services running on servers by performing periodic scans.

bash
nmap -sV 192.168.1.10

This command detects services and versions running on open ports, helping identify outdated or vulnerable applications.


Nmap vs Other Network Scanning Tools

Nmap vs Netcat

Netcat is a lightweight networking utility used for debugging and testing network connections. While Netcat can check open ports, it lacks advanced scanning capabilities available in Nmap.

| Feature | Nmap | Netcat |
|---------|------|--------|
| Port scanning | Yes | Limited |
| OS detection | Yes | No |
| Service detection | Yes | No |
| Security auditing | Yes | No |

Nmap vs Masscan

Masscan is designed for extremely fast internet-scale scanning. However, it does not provide detailed service detection like Nmap.

| Feature | Nmap | Masscan |
|---------|------|---------|
| Scan speed | Moderate | Extremely fast |
| Service detection | Yes | No |
| OS detection | Yes | No |
| Large-scale scanning | Limited | Excellent |

Nmap vs Nessus

Nessus is a vulnerability scanning tool designed for automated security assessments. Nmap focuses on network discovery and scanning rather than full vulnerability analysis.

| Feature | Nmap | Nessus |
|---------|------|--------|
| Network discovery | Yes | Yes |
| Port scanning | Yes | Yes |
| Vulnerability scanning | Limited | Advanced |
| Security reporting | Basic | Detailed |

When to use each tool

Different tools serve different purposes depending on the network analysis requirements.

  • Nmap – best for network discovery and port scanning
  • Netcat – useful for quick network debugging
  • Masscan – ideal for extremely fast scanning of large networks
  • Nessus – used for advanced vulnerability scanning and security auditing

Frequently Asked Questions

1. What is Nmap in Linux?

Nmap (Network Mapper) is an open source command line tool used for network discovery and security auditing. It helps identify hosts, open ports, running services, operating systems, and firewall configurations on a network.

2. What is the Nmap command used for?

The Nmap command is used to scan networks, discover live hosts, detect open ports, identify running services, and perform security auditing on systems connected to a network.

3. How do you scan a host using Nmap?

You can scan a host using the command nmap followed by the IP address or hostname, for example nmap 192.168.1.10. This command identifies open ports and services running on the target host.

4. Is Nmap available on Linux and Kali Linux?

Yes, Nmap is available on most Linux distributions including Ubuntu, Debian, CentOS, Rocky Linux, and Kali Linux. It can be installed using the default package manager.

5. Can Nmap detect operating systems?

Yes, Nmap can perform operating system detection using the -O option, which analyzes network responses to identify the operating system running on the target host.

Summary

The Nmap command is one of the most powerful tools in Linux for network discovery, port scanning, and security auditing. It allows administrators and security professionals to identify active hosts, detect open ports, determine running services, and even identify the operating system used by remote systems.

In this guide, we explored multiple Nmap command examples and scenarios, including host discovery, port scanning, service detection, firewall bypass techniques, and network troubleshooting. We also covered advanced scanning techniques, performance tuning, and output formatting options that help analyze scan results efficiently.

Using these Nmap commands and cheat sheet references, you can perform effective network analysis, troubleshoot connectivity issues, and strengthen network security by identifying exposed services and potential vulnerabilities.


Official Documentation

For more detailed information about Nmap commands and advanced scanning techniques, refer to the official documentation.

Rohan Timalsina is a technical writer and Linux enthusiast who writes practical guides on Linux commands and system administration. He focuses on simplifying complex topics through clear explanations.