30 nmap command examples in Linux [Cheat Sheet] | GoLinuxCloud (2024)

Table of Contents

Introduction to nmap command
How to install nmap
Different examples to use nmap command
1. nmap command to scan a system using hostname
2. nmap command to scan using IP address
3. Scan multiple hosts using nmap command
4. nmap command to scan a range of IP address
5. Scan a whole subnet using nmap command
6. nmap command to get detailed information about the remote machine
7. nmap command to exclude some hosts
8. nmap command to scan hosts from a file
9. Scan aggressively using the nmap command
10. nmap command to perform OS detection
11. nmap command to scan for version detection
12. nmap command to do a fast scan
13. nmap command to find live hosts in the network
14. nmap command to scan and detect firewall
15. nmap command to check if the host is protected by a firewall
16. nmap command to scan without randomizing
17. Scan a specific port using nmap command
18. nmap command to scan a UDP port
19. Scan a specific range of ports using nmap command
20. nmap command to show host and port state reasons
21. Show only open ports using nmap command
22. nmap command to list interfaces and routes
23. nmap command to enable IPv6 scanning
24. nmap command to treat all hosts as online
25. Prints all the packets sent and received with nmap command
26. nmap command to enable host timeout
27. List the targets only using nmap command
28. Trace hop path to each host with nmap command
29. nmap command to scan random targets
30. nmap command to disable port scanning
Conclusion
What's Next
Further Reading

Introduction to nmap command

Nmap (Network Mapper) is an open-source command-line tool in Linux for network exploration and security auditing. It uses raw IP packets to determine which hosts are available on the network, which services and operating systems they run, which packet filters/firewalls are in use, and which ports are open. Network and system administrators can use this tool to scan networks and monitor host and service uptime.

How to install nmap

You can install nmap tool from the default package management repositories in any Linux distribution.

To install nmap on CentOS, Fedora and RHEL

$ sudo yum install nmap

To install nmap on Ubuntu and Debian

$ sudo apt-get install nmap

Different examples to use nmap command

Most of the nmap commands can be executed without root privileges. In this article, you will learn to use the nmap command to scan the networks from the following examples:

1. nmap command to scan a system using hostname

nmap command allows you to scan a system using the hostname. It displays all open ports, services, and MAC addresses on the system.

$ nmap hostname


2. nmap command to scan using IP address

An IP address is a unique address for identifying the devices on the internet or local network. You can scan a system by using an IP address with nmap command.

$ nmap IP_address


3. Scan multiple hosts using nmap command

Scanning multiple hosts with nmap command is pretty easy. You have to separate the hostnames or IP addresses with a space. You can also scan hostnames and IP addresses together.

$ nmap host1 host2 host3


4. nmap command to scan a range of IP address

nmap command allows you to scan a specific range of IP addresses. For example, if you have to scan IP addresses from 104.143.9.110 - 104.143.9.120, you can use:

$ nmap 104.143.9.110-120


5. Scan a whole subnet using nmap command

nmap command allows scanning a whole subnet by using * in IP address.

$ nmap 104.143.9.*


It displays the scan report for all hosts that are live or up.


6. nmap command to get detailed information about the remote machine

You can use the -v option to get more detailed information about the remote machines. It increases verbosity, so nmap prints more detail about the scan while it runs.

$ nmap -v host


7. nmap command to exclude some hosts

--exclude option is used to exclude a specific address when performing a scan of multiple IP addresses.

$ nmap IP_range --exclude IP_address


As we can see in the output, it only scanned 20 IP addresses instead of 21. You can also exclude multiple IP addresses.

8. nmap command to scan hosts from a file

You can scan all listed hosts in a file using nmap command. It is useful when you have a large number of hosts stored in a file.

$ nmap -iL filename

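The range, wildcard and --exclude notations from examples 4, 5 and 7 can be expanded into an explicit list and reviewed before it is handed to -iL (example 8). The script below is an added example, not part of the original article; the function names are hypothetical, the addresses are constructed samples from the 192.0.2.0/24 documentation range, and only numeric IPv4 octet forms are handled.

```shell
#!/bin/sh
# Added example, not from the original article. Expands numeric IPv4 targets
# written per octet as N, N-M, -M, N- or * (no comma lists, no hostnames) so
# the scope can be reviewed before it is passed to `nmap -iL`.

expand_octet() (                  # hypothetical helper: one octet spec
    case $1 in
        '*') lo=0 hi=255 ;;
        *-*) lo=${1%%-*} hi=${1#*-}; lo=${lo:-0} hi=${hi:-255} ;;
        *)   lo=$1 hi=$1 ;;
    esac
    case "$lo$hi" in ''|*[!0-9]*) return 1 ;; esac
    [ "$lo" -le "$hi" ] && [ "$hi" -le 255 ] || return 1
    seq "$lo" "$hi"
)

expand_target() (                 # hypothetical helper: one a.b.c.d spec
    set -f; IFS=.                 # split on dots; never glob the '*'
    set -- $1
    unset IFS
    [ $# -eq 4 ] || return 1
    A=$(expand_octet "$1") && B=$(expand_octet "$2") &&
    C=$(expand_octet "$3") && D=$(expand_octet "$4") || return 1
    for a in $A; do for b in $B; do for c in $C; do for d in $D; do
        echo "$a.$b.$c.$d"
    done; done; done; done
)

# build_scope EXCLUDES TARGET...  (EXCLUDES is comma-separated, as for --exclude)
build_scope() (
    excludes=$1; shift
    [ $# -ge 1 ] || return 1
    all=$(for t in "$@"; do expand_target "$t" || exit 1; done) || return 1
    drop=$(set -f; IFS=,
           for e in $excludes; do expand_target "$e" || exit 1; done) || return 1
    printf '%s\n' "$all" | sort -u -t. -k1,1n -k2,2n -k3,3n -k4,4n |
        grep -vxF -e "$drop" || :
)

# Constructed sample: 21 addresses with one excluded.
echo "in scope: $(build_scope 192.0.2.105 192.0.2.100-120 | wc -l) addresses"
```

Redirect the output of build_scope into a file, review it, and pass that file to nmap -iL.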

9. Scan aggressively using the nmap command

-A option performs an aggressive scan to get more information such as OS detection, version detection, script scanning, and traceroute. You will need root permission to execute this command.

$ sudo nmap -A host


10. nmap command to perform OS detection

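You can also get OS information using the -O option. Adding the --osscan-guess option makes nmap guess more aggressively when it cannot find an exact OS match; it has no effect without -O.

$ sudo nmap -O host

OR

$ sudo nmap -O --osscan-guess host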


11. nmap command to scan for version detection

-sV option enables version detection and checks for services versions running on the remote hosts.

$ nmap -sV host


12. nmap command to do a fast scan

-F option allows you to do a fast scan on the system. It scans fewer ports than the default scan.

$ nmap -F host


13. nmap command to find live hosts in the network

-sP option skips port scanning and checks for live hosts in the network.

$ nmap -sP IP_range


14. nmap command to scan and detect firewall

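-sA option performs a TCP ACK scan, which is used to find out if any firewall or packet filters are used by the hosts. It reports each port as filtered or unfiltered rather than open or closed.

$ sudo nmap -sA host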


15. nmap command to check if the host is protected by a firewall

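You can use the -PN option (an older spelling of -Pn) when the host may be protected by a firewall or packet filters. It skips host discovery, so the ports are scanned even if the firewall blocks ping probes.

$ sudo nmap -PN host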


16. nmap command to scan without randomizing

By default, Nmap randomizes the scanned port order. -r option allows scanning sequentially (sorted from lowest to highest).

$ nmap -r host


17. Scan a specific port using nmap command

You can specify a port using -p option to scan with nmap command.

$ nmap -p NUM host


You can also scan for multiple ports using -p option.


18. nmap command to scan a UDP port

-sU option performs a UDP scan. Use it together with the -p option to specify a UDP port; nmap then prints the scan report for that UDP port only.

$ sudo nmap -sU -p NUM host


19. Scan a specific range of ports using nmap command

You can specify a range of ports with -p option to scan using nmap command. It scans for all the available ports between the specified range.

$ nmap -p numX-numY host


20. nmap command to show host and port state reasons

--reason option shows the reason each port is set to its state and the reason each host is up or down.

$ nmap --reason host


21. Show only open ports using nmap command

--open option filters the list of ports and shows only open ports in the output.

$ nmap --open host


22. nmap command to list interfaces and routes

--iflist option prints the interface list and system routes as detected by nmap. It is useful to debug routing problems and device mischaracterization.

$ nmap --iflist


23. nmap command to enable IPv6 scanning

-6 option enables IPv6 scanning with nmap command. You must specify IPv6 address in order to perform IPv6 scanning. Otherwise, it will fail to resolve the address.

$ nmap -6 IPv6_address


24. nmap command to treat all hosts as online

-Pn option treats all hosts as online, even if they are not, and skips host discovery.

$ nmap -Pn host


25. Prints all the packets sent and received with nmap command

--packet-trace option shows all the packets sent and received by nmap.

$ nmap --packet-trace host


26. nmap command to enable host timeout

--host-timeout allows you to specify a maximum scanning time for each target in seconds. nmap command stops scanning the target after that time.

$ nmap --host-timeout TIME host


27. List the targets only using nmap command

When you only need to list the targets that would be scanned, you can use the -sL option. It lists each target without sending any packets to it.

$ nmap -sL IP_range


28. Trace hop path to each host with nmap command

--traceroute option allows you to trace hop path to each host.

$ sudo nmap --traceroute host


29. nmap command to scan random targets

You can specify the maximum number of IP addresses you wish to scan using -iR option. It scans the specified number of random IP addresses. The number 0 is used to set the unlimited number of IP addresses.

$ nmap -iR NUM 


30. nmap command to disable port scanning

-sn option does not perform a port scan after host discovery. It only prints out the list of hosts that responded to the scan. It is also called a "ping scan".

$ nmap -sn IP_range


Conclusion

These are the most used nmap command examples in Linux. It is a powerful tool that is also used by hackers. You can use this tool to get detailed information on the network, find the number of ports available on the network, detect OS and services and get the list of live hosts.

What's Next

6 simple methods to check if ipv6 is enabled in Linux

Further Reading

man page for nmap command


Author: Msgr. Benton Quitzon
