How to use NMAP

Nmap (Network Mapper) is a free and open-source network scanner used for analysis, security audits, and network exploration. You use it to discover hosts and services on a computer network by sending packets and analyzing the responses, all in an easy-to-use manner. Let us take a look at how to use Nmap.

The Nmap port scanner can primarily determine:

  • Available hosts on the network
  • The operating system running on the hosts
  • Name and version of applications running on the hosts
  • Type of firewalls being used on the hosts
  • And much more

How to install Nmap

Linux Installation

Run the following command to install it on Debian-based Linux distributions like Ubuntu, Linux Mint, and Kali Linux:

apt-get install nmap

Use the following command on Fedora-based distributions like CentOS and Red Hat Enterprise Linux (RHEL):

yum install nmap

You can also use Snap if you prefer using the following command:

sudo snap install nmap
You may get the following error when using Nmap installed with Snap: "Couldn't open a raw socket. Error: Permission denied (13)". If you do, run: "snap connect nmap:network-control".

Mac OS Installation

Run the following command to install it on Mac with Homebrew:

brew install nmap

Windows Installation

Download the installer from the Nmap website and run the downloaded .exe file to install it.

Nmap accepts a large number of options, and the type and amount of information you get back depends on which options you use.

How to Get Help With Nmap

You can list all the options Nmap accepts by running the following command:


Nmap will then print a list of the various command options:

Nmap 7.80 ( )
Usage: nmap [Scan Type(s)] [Options] {target specification}
  Can pass hostnames, IP addresses, networks, etc.
  Ex:,,; 10.0.0-255.1-254
  -iL <inputfilename>: Input from list of hosts/networks
  -iR <num hosts>: Choose random targets
  --exclude <host1[,host2][,host3],...>: Exclude hosts/networks
  --excludefile <exclude_file>: Exclude list from file
  -sL: List Scan - simply list targets to scan
  -sn: Ping Scan - disable port scan
  -Pn: Treat all hosts as online -- skip host discovery
  -PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports
  -PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
  -PO[protocol list]: IP Protocol Ping
  -n/-R: Never do DNS resolution/Always resolve [default: sometimes]
  --dns-servers <serv1[,serv2],...>: Specify custom DNS servers
  --system-dns: Use OS's DNS resolver
  --traceroute: Trace hop path to each host
  -sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
  -sU: UDP Scan
  -sN/sF/sX: TCP Null, FIN, and Xmas scans
  --scanflags <flags>: Customize TCP scan flags
  -sI <zombie host[:probeport]>: Idle scan
  -sO: IP protocol scan
  -b <FTP relay host>: FTP bounce scan
  -p <port ranges>: Only scan specified ports
    Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080,S:9
  --exclude-ports <port ranges>: Exclude the specified ports from scanning
  -F: Fast mode - Scan fewer ports than the default scan
  -r: Scan ports consecutively - don't randomize
  --top-ports <number>: Scan <number> most common ports
  --port-ratio <ratio>: Scan ports more common than <ratio>
  -sV: Probe open ports to determine service/version info
  --version-intensity <level>: Set from 0 (light) to 9 (try all probes)
  --version-light: Limit to most likely probes (intensity 2)
  --version-all: Try every single probe (intensity 9)
  --version-trace: Show detailed version scan activity (for debugging)
  -sC: equivalent to --script=default
  --script=<Lua scripts>: <Lua scripts> is a comma separated list of
           directories, script-files or script-categories
  --script-args=<n1=v1,[n2=v2,...]>: provide arguments to scripts
  --script-args-file=filename: provide NSE script args in a file
  --script-trace: Show all data sent and received
  --script-updatedb: Update the script database.
  --script-help=<Lua scripts>: Show help about scripts.
           <Lua scripts> is a comma-separated list of script-files or
  -O: Enable OS detection
  --osscan-limit: Limit OS detection to promising targets
  --osscan-guess: Guess OS more aggressively
  Options which take <time> are in seconds, or append 'ms' (milliseconds),
  's' (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).
  -T<0-5>: Set timing template (higher is faster)
  --min-hostgroup/max-hostgroup <size>: Parallel host scan group sizes
  --min-parallelism/max-parallelism <numprobes>: Probe parallelization
  --min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time>: Specifies
      probe round trip time.
  --max-retries <tries>: Caps number of port scan probe retransmissions.
  --host-timeout <time>: Give up on target after this long
  --scan-delay/--max-scan-delay <time>: Adjust delay between probes
  --min-rate <number>: Send packets no slower than <number> per second
  --max-rate <number>: Send packets no faster than <number> per second
  -f; --mtu <val>: fragment packets (optionally w/given MTU)
  -D <decoy1,decoy2[,ME],...>: Cloak a scan with decoys
  -S <IP_Address>: Spoof source address
  -e <iface>: Use specified interface
  -g/--source-port <portnum>: Use given port number
  --proxies <url1,[url2],...>: Relay connections through HTTP/SOCKS4 proxies
  --data <hex string>: Append a custom payload to sent packets
  --data-string <string>: Append a custom ASCII string to sent packets
  --data-length <num>: Append random data to sent packets
  --ip-options <options>: Send packets with specified ip options
  --ttl <val>: Set IP time-to-live field
  --spoof-mac <mac address/prefix/vendor name>: Spoof your MAC address
  --badsum: Send packets with a bogus TCP/UDP/SCTP checksum
  -oN/-oX/-oS/-oG <file>: Output scan in normal, XML, s|<rIpt kIddi3,
     and Grepable format, respectively, to the given filename.
  -oA <basename>: Output in the three major formats at once
  -v: Increase verbosity level (use -vv or more for greater effect)
  -d: Increase debugging level (use -dd or more for greater effect)
  --reason: Display the reason a port is in a particular state
  --open: Only show open (or possibly open) ports
  --packet-trace: Show all packets sent and received
  --iflist: Print host interfaces and routes (for debugging)
  --append-output: Append to rather than clobber specified output files
  --resume <filename>: Resume an aborted scan
  --stylesheet <path/URL>: XSL stylesheet to transform XML output to HTML
  --webxml: Reference stylesheet from Nmap.Org for more portable XML
  --no-stylesheet: Prevent associating of XSL stylesheet w/XML output
  -6: Enable IPv6 scanning
  -A: Enable OS detection, version detection, script scanning, and traceroute
  --datadir <dirname>: Specify custom Nmap data file location
  --send-eth/--send-ip: Send using raw ethernet frames or IP packets
  --privileged: Assume that the user is fully privileged
  --unprivileged: Assume the user lacks raw socket privileges
  -V: Print version number
  -h: Print this help summary page.
  nmap -v -A
  nmap -v -sn
  nmap -v -iR 10000 -Pn -p 80

For the complete documentation, run:

man nmap

Nmap Basics

A simple nmap command with no options can be run like this:




You can specify either an IP address or a domain name as the target. The above command shows all the open ports for that address.

See an example below:

me@server:~$ nmap
Starting Nmap 7.80 ( ) at 2021-01-12 08:09 AEDT
Nmap scan report for (
Host is up (0.17s latency).
Other addresses for (not scanned): 2600:3c01::f03c:91ff:fe18:bb2f
Not shown: 996 closed ports
22/tcp    open  ssh
80/tcp    open  http
9929/tcp  open  nping-echo
31337/tcp open  Elite

Nmap done: 1 IP address (1 host up) scanned in 20.01 seconds


Most of the time, when you run an Nmap command, the output contains a table with three columns: PORT, STATE, and SERVICE.

The PORT column shows the port number and the name of the protocol, e.g. TCP, UDP, or any other.

The STATE column shows the port's state: open, closed, filtered, unfiltered, open|filtered, or closed|filtered.

The SERVICE column shows the name of the service Nmap associates with that port. The service name could be SSH, HTTP, HTTPS, or any other service running on the target.
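The following script is an added example, not code from the original article: it reads a report in Nmap's normal output format and extracts the PORT/STATE/SERVICE rows, then lists only the ports whose state is exactly "open". SAMPLE is a constructed report modelled on the one above, with a closed port and an open|filtered port added so that the state filter has something to exclude; the function names (port_table, open_ports, open_count) are this example's own.

```shell
#!/bin/sh
# Added example (not from the original article): parse an Nmap normal-output
# report into its PORT/STATE/SERVICE rows and list the confirmed-open ports.
# SAMPLE is a constructed report; the function names are this example's own.
SAMPLE='Starting Nmap 7.80 at 2021-01-12 08:09 AEDT
Nmap scan report for example-host
Host is up (0.17s latency).
Not shown: 995 closed ports
PORT      STATE         SERVICE
22/tcp    open          ssh
53/udp    open|filtered domain
80/tcp    open          http
1119/tcp  closed        bnetgame
31337/tcp open          Elite

Nmap done: 1 IP address (1 host up) scanned in 20.01 seconds'

# Print "port/proto state service" for every table row, skipping the banner
# and summary lines (a table row always starts with <number>/<protocol>).
port_table() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+\/(tcp|udp|sctp)$/ { print $1, $2, $3 }'
}

# Print, on one line, the port numbers whose state is exactly "open".
# open|filtered means Nmap could not tell, so it is deliberately left out.
open_ports() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^[0-9]+\/(tcp|udp|sctp)$/ && $2 == "open" {
            split($1, p, "/"); out = out sep p[1]; sep = " "
        }
        END { print out }'
}

# Number of confirmed-open ports: a quick "is anything unexpected exposed?" check.
open_count() {
    open_ports "$1" | wc -w | tr -d ' '
}

port_table "$SAMPLE"
open_ports "$SAMPLE"
open_count "$SAMPLE"
```

To use it on a real scan, capture the report with -oN and pass the file contents in, e.g. open_ports "$(cat scan.txt)". Treating open|filtered separately matters when comparing a scan against an expected baseline: those ports need a follow-up probe rather than being counted as exposed.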

Scanning a Range of IP Addresses or Hosts

You can also scan multiple IP Addresses by specifying a range:


This command returns information about all 15 IP addresses in the specified range.

You can also specify multiple IP Addresses like this:


Separate the IP addresses with a space.

Detecting all the Hosts Connected to a Network

The following command shows all the possible hosts for this network. It also shows those hosts that are up along with their hostnames.

nmap -sL

The number 24 is the CIDR prefix length, which specifies the subnet.

The following command shows only those hosts that are up, along with their IP addresses and hostnames.

nmap -sn

The -sn option specifies a ping scan and disables the port scan, so the PORT, STATE, SERVICE table is not shown.

You can also run the same command using wildcards as:

nmap -sn 192.168.43.*

When scanning a network, you can also specify an IP Address that you do not want to scan:

nmap 192.168.43.* --exclude

With --exclude, the specified IP address is left out of the scan.

Detecting the Operating System

The following command guesses the operating system running on the target host:

nmap -O

The -O option enables operating system detection.

We can also add the --osscan-guess option to guess the operating system more aggressively:

nmap --osscan-guess

Running nmap with the -A option enables OS detection, version detection, script scanning, and traceroute in one go:

nmap -A

You can also run the above command with the -T4 timing template for faster execution.

nmap -A -T4

Getting Traceroute for a Host

You can find the traceroute (route from your computer to the specified destination) by the following command:

sudo nmap --traceroute

The --traceroute option needs raw socket privileges, so the command only works with sudo.

Scanning Fewer Ports for Quick Scan

As mentioned earlier, you can use the -T4 option for faster execution. You can also scan fewer ports for a quick scan using the -F option.

nmap -F -T4

Here -F stands for "fast scan": it scans fewer ports than the default scan.

Scanning any Specific Ports

Instead of scanning all the ports of a host, you can also scan any specific ports.

For example, run the following command to scan port 80:

nmap -p80

Here -p specifies the port(s) to scan.

Instead of scanning only one port, you can also scan multiple ports:

nmap -p80,8080
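The -p syntax accepts more than a plain comma-separated list: ranges (-p1-65535) and protocol prefixes (-p U:53,111,137,T:21-25,80,139,8080,S:9), as the help summary earlier on this page shows. The script below is an added example, not code from the original article or from the Nmap project: it expands such a specification into one "protocol port" line per port so you can see exactly what a scan argument covers, and rejects items outside 1-65535. The function names (expand_ports, count_ports) are this example's own.

```shell
#!/bin/sh
# Added example (not from the original article): expand an Nmap-style -p port
# specification into one "proto port" line per port. Default protocol is tcp;
# a "T:", "U:" or "S:" prefix switches to tcp, udp or sctp for the items that
# follow it, as in Nmap's own syntax. Function names are this example's own.
expand_ports() {
    printf '%s\n' "$1" | tr ',' '\n' | awk '
        BEGIN { proto = "tcp"; bad = 0 }
        # Protocol prefix: remember it and strip it from the current item.
        /^[TUS]:/ {
            c = substr($0, 1, 1)
            if (c == "T") proto = "tcp"; else if (c == "U") proto = "udp"; else proto = "sctp"
            $0 = substr($0, 3)
        }
        # Empty item (e.g. trailing comma): nothing to emit.
        /^$/ { next }
        # Range low-high: emit every port in it after checking the bounds.
        /^[0-9]+-[0-9]+$/ {
            split($0, r, "-"); lo = r[1] + 0; hi = r[2] + 0
            if (lo < 1 || hi > 65535 || lo > hi) { print "bad range: " $0 > "/dev/stderr"; bad = 1; next }
            for (p = lo; p <= hi; p++) print proto, p
            next
        }
        # Single port.
        /^[0-9]+$/ {
            if ($0 + 0 < 1 || $0 + 0 > 65535) { print "bad port: " $0 > "/dev/stderr"; bad = 1; next }
            print proto, $0 + 0
            next
        }
        { print "bad item: " $0 > "/dev/stderr"; bad = 1 }
        END { exit bad }'
}

# Number of ports a specification covers (useful for judging how long a scan will take).
count_ports() {
    expand_ports "$1" | wc -l | tr -d ' '
}

expand_ports "U:53,111,137,T:21-25,80,139,8080,S:9"
count_ports "U:53,111,137,T:21-25,80,139,8080,S:9"
```

A non-zero exit status signals a malformed item, so the function can guard a wrapper script before it hands the argument to nmap.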

You can further explore this tool by running the following command:

man nmap

Find Open Ports

Return all open ports, the port state and service name for

root@server:/# nmap
Starting Nmap 7.80 ( ) at 2020-03-08 19:14 CST
Nmap scan report for (
Host is up (0.17s latency).
Other addresses for (not scanned): 2606:2800:220:1:248:1893:25c8:1946
Not shown: 996 filtered ports
80/tcp   open   http
443/tcp  open   https
1119/tcp closed bnetgame
1935/tcp closed rtmp

Nmap done: 1 IP address (1 host up) scanned in 11.01 seconds

Adding -v or -vv increases the verbosity level and also reports why each port was given its state:

root@odis:/# nmap -vv
Starting Nmap 7.80 ( ) at 2020-03-08 19:14 CST
Warning: Hostname resolves to 2 IPs. Using
Initiating Ping Scan at 10:19
Scanning ( [4 ports]
Completed Ping Scan at 10:19, 0.24s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 10:19
Completed Parallel DNS resolution of 1 host. at 10:19, 0.03s elapsed
Initiating SYN Stealth Scan at 10:19
Scanning ( [1000 ports]
Discovered open port 80/tcp on
Discovered open port 443/tcp on
Completed SYN Stealth Scan at 10:19, 10.27s elapsed (1000 total ports)
Nmap scan report for (
Host is up, received echo-reply ttl 57 (0.16s latency).
Other addresses for (not scanned): 2606:2800:220:1:248:1893:25c8:1946
Scanned at 2021-03-08 10:19:15 AEDT for 10s
Not shown: 996 filtered ports
Reason: 996 no-responses
80/tcp   open   http     syn-ack ttl 57
443/tcp  open   https    syn-ack ttl 57
1119/tcp closed bnetgame reset ttl 57
1935/tcp closed rtmp     reset ttl 57


You should now be able to install and know how to use Nmap. Let us know your favorite Nmap commands!
