Some of this tool’s best features are that it’s open-source, free, multi-platform and receives constant updates each year. It also has a big plus: it’s one of the most complete host and network and port scanners available. It includes a large set of options to enhance your scanning and mapping tasks, and brings with it an incredible community and comprehensive documentation to help you understand this tool from the very start. Nmap can be used to:
- Create a complete computer network map.
- Find remote IP addresses of any hosts.
- Get the OS system and software details.
- Detect open ports on local and remote systems.
- Audit server security standards.
- Find vulnerabilities on remote and local hosts.
It was mentioned in the Top 20 OSINT Tools article we published, and today we’ll explore a little bit more about this essential security tool with some practical terminal-based Nmap commands.
What is Nmap?
As we’ve said before, Nmap is a network scanner utility used for port mapping, host discovery and vulnerability scanning. Most of its functions are based on using IP packet analysis to detect and identify remote hosts, operating systems and services.
Nmap is used by large companies as well as smaller-sized organizations for port auditing, host monitoring, penetration testing and similar tasks.
Even with Nmap constantly being updated with new features since decades, its core function remains as a port scanner, helping users gather data by sending packets to local or remote ports. This is done by waiting for packet responses to determine if ports are closed, open or filtered.
The most popular method of using Nmap is via the terminal (command-line console), by performing a Nmap full scan command, but we’ll take a look into more examples below.
How To Use Nmap
Nmap is pretty easy to use if you’re familiar with command-line interfaces. As it’s already installed on most Linux/Unix-based distributions, you just have to execute the ‘nmap’ command from any terminal, and that’s it. It will display several options for you. Advanced users will also be able to use Nmap along with other system scripts and automated tasks in order to maximize the powers of this tool.
Nmap port scan command
One of the most basic Nmap commands for a scan is the nmap port scan command:
nmap -p 80 X.X.X.X
That’s how you use Nmap.
How To Install Nmap on Linux, Windows and Mac
What happens if your operating system doesn’t include Nmap? No worries, let’s see how to install it. While the installation process can differ a bit depending on the OS you are using, in most cases (MacOS and Windows) our recommendation is to get the latest release from the Nmap website’s download page.
Installing Nmap on Linux
Open the terminal and run the following commands to get Nmap installed:
- CentOS/Fedora: sudo dnf install nmap
- Ubuntu/Debian: sudo apt-get install nmap
That’s it. Nmap is now installed on Linux.
Installing Nmap on Windows
Once you download the installer, execute it and install it. The automated installer should take care of configuring Nmap for you in mere seconds.
Installing Nmap on MacOS
Mac users also have a full automated installer. Just run Nmap-
Nmap Command Examples - Full Tutorial
Let’s get to know a few useful command-line based best Nmap scans that can be performed.
1. Basic Nmap Scan against IP or host
Now, if you want to scan a hostname, simply replace the IP for the host, as you see below:
This kind of scans, such as the Nmap scan host are perfect for your first steps when starting with Nmap.
2. Nmap Ping Scan
nmap -sp 192.168.5.0/24
The most famous type of scan is the Nmap ping scan (so-called because it’s often used to perform Nmap ping sweeps), and it’s the easiest way to detect hosts on any network.
The drawback of this ICMP-only type of scan is that remote hosts often block IP-based ping packets, so if you’re unable to get solid results, we recommend switching to ARP-based requests for your scan.
3. Scan specific ports or scan entire port ranges on a local or remote server
nmap -p 1-65535 localhost
In this example, we scanned all 65535 ports for our localhost computer.
Nmap is able to scan all possible ports, but you can also scan specific ports, which will report faster results. See below:
nmap -p 80,443 220.127.116.11
4. Scan multiple IP addresses
Let’s try to scan multiple IP addresses. For this you need to use this syntax:
nmap 18.104.22.168 22.214.171.124
You can also scan consecutive IP addresses:
nmap -p 126.96.36.199,2,3,4
This will scan
5. Scan IP ranges
You can also use Nmap to scan entire CIDR IP ranges, for example:
nmap -p 188.8.131.52/28
This will scan 14 consecutive IP ranges, from
An alternative is to simply use this kind of range:
You can even use wildcards to scan the entire C class IP range, for example:
This will scan 256 IP addresses from
If you ever need to exclude certain IPs from the IP range scan, you can use the “–exclude” option, as you see below:
nmap -p 8.8.8.* --exclude 184.108.40.206
6. Scan the most popular ports
Using “–top-ports” parameter along with a specific number lets you scan the top X most common ports for that host, as we can see:
nmap --top-ports 20 192.168.1.106
Replace “20” with the desired number. Output example:
[root@securitytrails:~]nmap --top-ports 20 localhost Starting Nmap 6.40 ( http://nmap.org ) at 2018-10-01 10:02 EDT Nmap scan report for localhost (127.0.0.1) Host is up (0.000016s latency). Other addresses for localhost (not scanned): 127.0.0.1 PORT STATE SERVICE 21/tcp closed ftp 22/tcp closed ssh 23/tcp closed telnet 25/tcp closed smtp 53/tcp closed domain 80/tcp filtered http 110/tcp closed pop3 111/tcp closed rpcbind 135/tcp closed msrpc 139/tcp closed netbios-ssn 143/tcp closed imap 443/tcp filtered https 445/tcp closed microsoft-ds 993/tcp closed imaps 995/tcp closed pop3s 1723/tcp closed pptp 3306/tcp closed mysql 3389/tcp closed ms-wbt-server 5900/tcp closed vnc 8080/tcp closed http-proxy
7. Scan hosts and IP addresses reading from a text file
In this case, Nmap is also useful to read files that contain hosts and IPs inside.
Let’s suppose you create a list.txt file that contains these lines inside:
192.168.1.106 cloudflare.com microsoft.com securitytrails.com
The “-iL” parameter lets you read from that file, and scan all those hosts for you:
nmap -iL list.txt
8. Save your Nmap scan results to a file
On the other hand, in the following example we will not be reading from a file, but exporting/saving our results into a text file:
nmap -oN output.txt securitytrails.com
Nmap has the ability to export files into XML format as well, see the next example:
nmap -oX output.xml securitytrails.com
9. Disabling DNS name resolution
If you need to speed up your scans a little bit, you can always choose to disable reverse DNS resolution for all your scans. Just add the “-n” parameter.
[root@securitytrails:~]nmap -p 80 -n 220.127.116.11 Starting Nmap 7.60 ( https://nmap.org ) at 2018-10-01 09:15 -03 Nmap scan report for 18.104.22.168 Host is up (0.014s latency). PORT STATE SERVICE 80/tcp filtered http
See the difference with a normal DNS-resolution enabled scan:
[root@securitytrails:~]nmap -p 80 22.214.171.124 Starting Nmap 7.60 ( https://nmap.org ) at 2018-10-01 09:15 -03 Nmap scan report for google-public-dns-a.google.com (126.96.36.199) Host is up (0.014s latency). PORT STATE SERVICE 80/tcp filtered http
10. Scan + OS and service detection with fast execution
Using the “-A” parameter enables you to perform OS and service detection, and at the same time we are combining this with “-T4” for faster execution. See the example below:
nmap -A -T4 cloudflare.com
This is the output we got for this test:
11. Detect service/daemon versions
This can be done by using -sV parameters
nmap -sV localhost
As you can see here:
[root@securitytrails:~]nmap -sV localhost Starting Nmap 7.60 ( https://nmap.org ) at 2018-10-01 09:28 -03 Nmap scan report for localhost (127.0.0.1) Host is up (0.000020s latency). Other addresses for localhost (not scanned): ::1 Not shown: 997 closed ports PORT STATE SERVICE VERSION 111/tcp open rpcbind 2-4 (RPC #100000) 631/tcp open ipp CUPS 2.2 902/tcp open ssl/vmware-auth VMware Authentication Daemon 1.10 (Uses VNC, SOAP) Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 7.96 seconds
12. Scan using TCP or UDP protocols
One of the things we love most about Nmap is the fact that it works for both TCP and UDP protocols. And while most services run on TCP, you can also get a great advantage by scanning UDP-based services. Let’s see some examples.
Standard TCP scanning output:
[root@securitytrails:~]nmap -sT 192.168.1.1 Starting Nmap 7.60 ( https://nmap.org ) at 2018-10-01 09:33 -03 Nmap scan report for 192.168.1.1 Host is up (0.58s latency). Not shown: 995 closed ports PORT STATE SERVICE 80/tcp open http 1900/tcp open upnp 20005/tcp open btx 49152/tcp open unknown 49153/tcp open unknown Nmap done: 1 IP address (1 host up) scanned in 1.43 seconds
UDP scanning results using “-sU” parameter:
[root@securitytrails:~]nmap -sU localhost Starting Nmap 7.60 ( https://nmap.org ) at 2018-10-01 09:37 -03 Nmap scan report for localhost (127.0.0.1) Host is up (0.000021s latency). Other addresses for localhost (not scanned): ::1 Not shown: 997 closed ports PORT STATE SERVICE 68/udp open|filtered dhcpc 111/udp open rpcbind 5353/udp open|filtered zeroconf
13. CVE detection using Nmap
One of Nmap’s greatest features that not all the network and systems administrators know about is something called “Nmap Scripting Engine” (known as NSE). This scripting engine allows users to use a pre-defined set of scripts, or write their own using Lua programming language.
Using Nmap scripts is crucial in order to automate system and vulnerability scans. For example, if you want to run a full vulnerability test against your target, you can use these parameters:
nmap -Pn --script vuln 192.168.1.105
[root@securitytrails:~]nmap -Pn --script vuln 192.168.1.105 Starting Nmap 7.60 ( https://nmap.org ) at 2018-10-01 09:46 -03 Pre-scan script results: | broadcast-avahi-dos: | Discovered hosts: | 188.8.131.52 | After NULL UDP avahi packet DoS (CVE-2011-1002). |_ Hosts are all up (not vulnerable). Nmap scan report for 192.168.1.105 Host is up (0.00032s latency). Not shown: 995 closed ports PORT STATE SERVICE 80/tcp open http |_http-csrf: Couldn't find any CSRF vulnerabilities. |_http-dombased-xss: Couldn't find any DOM based XSS. | http-slowloris-check: | VULNERABLE: | Slowloris DOS attack | State: LIKELY VULNERABLE | IDs: CVE:CVE-2007-6750 | Slowloris tries to keep many connections to the target web server open and hold | them open as long as possible. It accomplishes this by opening connections to | the target web server and sending a partial request. By doing so, it starves | the http server's resources causing Denial Of Service. | | Disclosure date: 2009-09-17 | References: | http://ha.ckers.org/slowloris/ |_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750 |_http-stored-xss: Couldn't find any stored XSS vulnerabilities. |_http-vuln-cve2014-3704: ERROR: Script execution failed (use -d to debug) 1900/tcp open upnp 20005/tcp open btx 49152/tcp open unknown 49153/tcp open unknown
As you can see, in this vulnerability test we were able to detect one CVE (Slowloris DOS attack).
14. Launching DOS with Nmap
Nmap features never seem to end, and thanks to the NSE, that even allows us to launch DOS attacks against our network testings.
In our previous example (#12) we found the host was vulnerable to Slowloris attack, and now we’ll try to exploit that vulnerability by launching a DOS attack in a forever loop:
nmap 192.168.1.105 -max-parallelism 800 -Pn --script http-slowloris --script-args http-slowloris.runforever=true
15. Launching brute force attacks
NSE is really fascinating – it contains scripts for everything you can imagine. See the next three examples of BFA against WordPress, MSSQL, and FTP server:
WordPress brute force attack:
nmap -sV --script http-wordpress-brute --script-args 'userdb=users.txt,passdb=passwds.txt,http-wordpress-brute.hostname=domain.com, http-wordpress-brute.threads=3,brute.firstonly=true' 192.168.1.105
Brute force attack against MS-SQL:
nmap -p 1433 --script ms-sql-brute --script-args userdb=customuser.txt,passdb=custompass.txt 192.168.1.105
FTP brute force attack:
nmap --script ftp-brute -p 21 192.168.1.105
16. Detecting malware infections on remote hosts
Nmap is able to detect malware and backdoors by running extensive tests on a few popular OS services like on Identd, Proftpd, Vsftpd, IRC, SMB, and SMTP. It also has a module to check for popular malware signs inside remote servers and integrates Google’s Safe Browsing and VirusTotal databases as well.
A common malware scan can be performed by using:
nmap -sV --script=http-malware-host 192.168.1.105
Or using Google’s Malware check:
nmap -p80 --script http-google-malware infectedsite.com
80/tcp open http |_http-google-malware.nse: Host is known for distributing malware.
Nmap is one of the most complete and accurate port scanners used by infosec professionals today. With it, you can perform simple port scan tasks or use its powerful scripting engine to launch DOS attacks, detect malware or brute force testings on remote and local servers.
Today we covered the top fifteen Nmap commands to scan remote hosts, but there’s a lot more to discover if you’re starting to use Nmap in your OSINT strategy.
Nmap has been one of the most popular port and network scanners for decades. Still, new users often have questions about how it works and its legal usage, and even look for other, similar software from time to time.
Is Nmap free?
Yes, Nmap is completely free for you to download and use. It’s also an open source (licensed) project, so you can inspect, modify, and enhance it to match your needs.
Is Nmap Legal?
Nmap is legal; however, that hinges entirely on the purpose the user has for using it. Scanning your own network is totally legal, but scanning third-party networks may get you into legal problems if you aren’t authorized, depending on the country and state in which you live.
There are many nuances to—and opinions about—port scanning legality. To help you avoid legal issues, we recommend reading the official implications detailed on the Nmap website’s legal issues page.
How Does it Work?
Nmap works by sending and receiving network packets, and checking against its fingerprint database and other methods, to quickly detect hosts and IP addresses over a network. It then performs analysis on the data to quickly respond with results on your console. Most Nmap scans will require you to perform them with root-based (admin) access on Linux and Unix. While on Windows, running Nmap with an administrator account is always a good practice.
Is there any other similar software like Nmap?
There are tons of alternatives to Nmap, including Masscan, Rustcan, and others. While some of this similar software offers faster scanning times, almost none of them offers as many options and high-quality results as an Nmap full scan does.
For most users, even the advanced ones, Nmap is enough. If you don’t like terminals, you can always take a look into ZenMap, the GUI-based version of Nmap.
If you also need to map domains, IPs and discover DNS zones, try our SecurityTrails toolkit, or grab a free API account today.