The complete guide to the Nmap command

Nmap is one of the most popular free and open-source command-line network scanning utilities. Nmap can be used to discover the hosts on a network and the services they run.

The Nmap tool helps you audit the open ports of local and remote servers and gather details about the network.

It is available on all major operating systems such as Windows, Linux, and macOS. There is another Nmap product known as Zenmap, which is a GUI-based version of Nmap.

Today we guide you through using nmap on all major Linux distributions: checking port status, scanning multiple hosts, and much more.

Using Nmap to scan a server without proper consent is illegal. If you want to scan, first get proper consent from the owner; otherwise, they can take legal action against you.

In this guide, we will run nmap against the local network and against the server that Nmap provides for testing, “scanme.nmap.com”.

Install Nmap on Your Linux System

Before moving on to the command guide you should install nmap on your system; follow the guide on how to install nmap on the various distributions.

Now that you have installed nmap on your Linux system, I’ll share the nmap commands with you.

Nmap Command

1. Scan open ports using the nmap command

If you want to check the open ports of a specific IPv4 or IPv6 address or of a server name, you can run the following commands.

To scan port status for an IPv4 address

Here you need to pass the IP address of the host you want to scan; in the excerpt below I have used a host on my local network.

$ nmap 192.168.1.110
Starting Nmap 7.91 ( https://nmap.org ) at 2020-12-24 10:24 IST
Nmap scan report for server.trendoceans.com (192.168.1.110)
Host is up (0.00016s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 0.14 seconds

When you want to perform the nmap port scan quickly, add the parameter “-F”, which stands for Fast mode; it scans fewer ports than the default scan.

$ nmap -F 192.168.1.110

To scan port status for a server name

When you want to check the port status of a specific server name, replace the IP address with the server name; that’s it.

$ nmap server.trendoceans.com
$ nmap scanme.nmap.com
Starting Nmap 7.91 ( https://nmap.org ) at 2020-12-24 10:42 IST
Nmap scan report for scanme.nmap.com (45.33.32.156)
Host is up (0.24s latency).
Other addresses for scanme.nmap.com (not scanned): 2600:3c01::f03c:91ff:fe18:bb2f
rDNS record for 45.33.32.156: scanme.nmap.org
Not shown: 995 closed ports
PORT      STATE    SERVICE
22/tcp    open     ssh
25/tcp    filtered smtp
80/tcp    open     http
9929/tcp  open     nping-echo
31337/tcp open     Elite

Nmap done: 1 IP address (1 host up) scanned in 49.24 seconds

To get more details about the host

The parameter -v, which stands for verbose, gives more detailed information about the scan of the host.

$ sudo nmap -v 45.33.32.156
Starting Nmap 7.91 ( https://nmap.org ) at 2020-12-24 12:40 IST
Initiating Ping Scan at 12:40
Scanning 45.33.32.156 [4 ports]
Completed Ping Scan at 12:40, 0.28s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 12:40
Completed Parallel DNS resolution of 1 host. at 12:40, 0.00s elapsed
Initiating SYN Stealth Scan at 12:40
Scanning scanme.nmap.org (45.33.32.156) [1000 ports]
Discovered open port 80/tcp on 45.33.32.156
Discovered open port 22/tcp on 45.33.32.156
Discovered open port 31337/tcp on 45.33.32.156
Discovered open port 9929/tcp on 45.33.32.156
Completed SYN Stealth Scan at 12:41, 14.41s elapsed (1000 total ports)
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.24s latency).
Not shown: 995 closed ports
PORT      STATE    SERVICE
22/tcp    open     ssh
25/tcp    filtered smtp
80/tcp    open     http
9929/tcp  open     nping-echo
31337/tcp open     Elite

Read data files from: /usr/local/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 14.87 seconds
           Raw packets sent: 1082 (47.584KB) | Rcvd: 1074 (42.964KB)

2. Scan for a specific port

We can also scan the status of a specific port on a local or remote machine. To check a specific port, use the parameter -p, which stands for port, followed by the port number and then the hostname.

In this example I’ll check the status of port number 25.

$ nmap -p 25 45.33.32.156
Starting Nmap 7.91 ( https://nmap.org ) at 2020-12-24 10:51 IST
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.42s latency).

PORT   STATE    SERVICE
25/tcp filtered smtp

Nmap done: 1 IP address (1 host up) scanned in 4.72 seconds

Scan a specific port range

The nmap utility also lets us scan a specific port range. In this example, I’ll scan ports 1 to 100.

$ nmap -p 1-100 45.33.32.156
Starting Nmap 7.91 ( https://nmap.org ) at 2020-12-24 11:16 IST
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.25s latency).
Not shown: 97 closed ports
PORT   STATE    SERVICE
22/tcp open     ssh
25/tcp filtered smtp
80/tcp open     http

Nmap done: 1 IP address (1 host up) scanned in 5.30 seconds

If you want to scan the ports in sequential order rather than in nmap’s default random order, you can pass the -r parameter to the nmap command.

Scan multiple ports

When you want to scan multiple ports, pass the -p parameter followed by the comma-separated port numbers and then the hostname.

$ nmap -p 80,443 45.33.32.156
Starting Nmap 7.91 ( https://nmap.org ) at 2020-12-24 11:11 IST
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.27s latency).

PORT    STATE  SERVICE
80/tcp  open   http
443/tcp closed https

Nmap done: 1 IP address (1 host up) scanned in 0.63 seconds

3. Scan multiple hosts using Nmap

Nmap lets you scan or audit multiple hosts with a single command. This is useful when you have several hosts to audit on a specific network. There are many ways to scan multiple hosts at once; we list them below.

For example, I will use a set of IP addresses to scan multiple hosts:

$ nmap 45.33.32.156 45.33.32.157 45.33.32.158 45.33.32.159
Starting Nmap 7.91 ( https://nmap.org ) at 2020-12-24 11:33 IST
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.26s latency).
Not shown: 989 closed ports
PORT      STATE    SERVICE
22/tcp    open     ssh
25/tcp    filtered smtp
80/tcp    open     http
255/tcp   filtered unknown
1027/tcp  filtered IIS
5910/tcp  filtered cm
9929/tcp  open     nping-echo
18988/tcp filtered unknown
31337/tcp open     Elite
32777/tcp filtered sometimes-rpc17
49155/tcp filtered unknown

Nmap scan report for thirdmode.com (45.33.32.157)
Host is up (0.27s latency).
Not shown: 995 closed ports
PORT    STATE    SERVICE
22/tcp  open     ssh
25/tcp  filtered smtp
80/tcp  open     http
443/tcp open     https
873/tcp open     rsync

Nmap scan report for li982-158.members.linode.com (45.33.32.158)
Host is up (0.25s latency).
Not shown: 997 filtered ports
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
443/tcp open  https

Nmap scan report for li982-159.members.linode.com (45.33.32.159)
Host is up (0.72s latency).
Not shown: 983 closed ports
PORT      STATE    SERVICE
22/tcp    open     ssh
25/tcp    filtered smtp
80/tcp    open     http
264/tcp   filtered bgmp
311/tcp   filtered asip-webadmin
888/tcp   filtered accessbuilder
1027/tcp  filtered IIS
1839/tcp  filtered netopia-vo1
3905/tcp  filtered mupdate
4444/tcp  filtered krb524
7402/tcp  filtered rtps-dd-mt
7676/tcp  filtered imqbrokerd
8087/tcp  filtered simplifymedia
10025/tcp filtered unknown
10566/tcp filtered unknown
30951/tcp filtered unknown
32784/tcp filtered unknown

Nmap done: 4 IP addresses (4 hosts up) scanned in 378.70 seconds
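As an added example that is not part of the original post, the shell function below reads nmap’s normal output for one or more hosts (the format of the report above) and prints, per host, how many ports are open and filtered and which open ports are not on an allow-list you supply, so a routine audit can flag unexpected exposure. The allow-list and the sample report embedded in the script are constructed for the demo (the sample is trimmed from the multi-host output above).

```shell
#!/bin/sh
# audit_report ALLOWED < nmap-normal-output
#   ALLOWED is a space-separated list of ports expected to be open,
#   e.g. "22/tcp 80/tcp". One summary line is printed per host and the
#   function returns 1 when any host exposes a port outside the list.
audit_report() {
    awk -v allowed="$1" '
    function flush() {
        if (host == "") return
        printf "%s open=%d filtered=%d unexpected=%s\n",
               host, open, filtered, (bad ? bad : "none")
        if (bad) rc = 1
        host = ""; open = 0; filtered = 0; bad = ""
    }
    BEGIN { rc = 0; n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    # "Nmap scan report for scanme.nmap.org (45.33.32.156)" starts a host block
    /^Nmap scan report for / { flush(); host = $5 }
    # Port lines look like "22/tcp    open     ssh"
    $1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" {
        open++
        if (!($1 in ok)) bad = bad (bad ? "," : "") $1
    }
    $1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "filtered" { filtered++ }
    END { flush(); exit rc }'
}

# Constructed sample: two host blocks trimmed from the multi-host scan above.
SAMPLE='Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.26s latency).
Not shown: 989 closed ports
PORT      STATE    SERVICE
22/tcp    open     ssh
25/tcp    filtered smtp
80/tcp    open     http
9929/tcp  open     nping-echo
31337/tcp open     Elite

Nmap scan report for li982-158.members.linode.com (45.33.32.158)
Host is up (0.25s latency).
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
443/tcp open  https

Nmap done: 2 IP addresses (2 hosts up) scanned in 10.00 seconds'

# Demo run: only ssh, http and https are expected, so the extra ports on scanme are flagged.
printf '%s\n' "$SAMPLE" | audit_report "22/tcp 80/tcp 443/tcp" || echo "audit: unexpected open ports found"
```

To audit a live scan instead of the sample, pipe the output of the multi-host nmap command above into audit_report with your own allow-list.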

Scan multiple hosts using a comma

In the above command I typed every IP address in full. If you don’t want to repeat the complete IP address, you just need to provide the ending octets separated by commas.

In this example I’ll add hosts 157 to 160 using commas.

$ nmap 45.33.32.156,157,158,159,160

Scan multiple hosts using the wildcard *

When you want to scan a complete subnet, you just need to provide the wildcard asterisk symbol. This scan will take some time before the result appears on your terminal screen.

$ nmap 45.33.32.*

Scan multiple hosts using a range

As you know, we can check port status using a range with the “-” hyphen. We can scan multiple hosts the same way instead of typing each IP address: you just need to provide the start and the end of the range.

In this example I’ll scan the range from 156 to 160:

$ nmap 45.33.32.156-160

The time to get a result depends on the size of the range you specified in the command.
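To estimate how many hosts a target specification covers before you launch a scan, here is an added shell example (not from the original post) that expands nmap’s IPv4 target syntax the way nmap interprets it: a comma list, a hyphen range or a * wildcard may appear in any octet, not only the last one as in the examples above. CIDR notation and -iL target files are not handled.

```shell
#!/bin/sh
# Expand an nmap-style IPv4 target spec into individual addresses.
# Each octet may be a number (156), a range (156-160), a comma list
# (156,157,160) or "*" (all 256 values); CIDR notation is not handled.

# expand_octet SPEC: print every value the octet spec covers, one per line.
expand_octet() {
    spec=$1
    [ "$spec" = "*" ] && spec="0-255"
    old_ifs=$IFS; IFS=','
    for part in $spec; do
        case $part in
            *-*) lo=${part%-*}; hi=${part#*-}; i=$lo
                 while [ "$i" -le "$hi" ]; do echo "$i"; i=$((i + 1)); done ;;
            *)   echo "$part" ;;
        esac
    done
    IFS=$old_ifs
}

# expand_targets SPEC: print every IPv4 address the spec covers.
expand_targets() {
    set -f                      # keep "*" from globbing file names
    old_ifs=$IFS; IFS='.'
    set -- $1                   # split the spec into its four octets
    IFS=$old_ifs; set +f
    [ $# -eq 4 ] || { echo "expand_targets: expected four octets" >&2; return 1; }
    for a in $(expand_octet "$1"); do
      for b in $(expand_octet "$2"); do
        for c in $(expand_octet "$3"); do
          for d in $(expand_octet "$4"); do echo "$a.$b.$c.$d"; done
        done
      done
    done
}

# target_count SPEC: number of hosts nmap would probe for this spec.
target_count() { expand_targets "$1" | wc -l | tr -d ' '; }

# Demo: pass a spec on the command line, e.g. ./targets.sh 45.33.32.156-160
if [ $# -gt 0 ]; then
    echo "$(target_count "$1") host(s):"; expand_targets "$1"
fi
```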


4. Scan OS information

The -A option of nmap enables OS detection, version detection, script scanning, and traceroute for the host IP.

To find out the operating system details you need to pass the parameter -A with the host details.

In this example I’ll run the following command to detect the operating system:

$ nmap -A 45.33.32.156
Starting Nmap 7.91 ( https://nmap.org ) at 2020-12-24 12:19 IST
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.24s latency).
Not shown: 995 closed ports
PORT      STATE    SERVICE    VERSION
22/tcp    open     ssh        OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 ac:00:a0:1a:82:ff:cc:55:99:dc:67:2b:34:97:6b:75 (DSA)
|   2048 20:3d:2d:44:62:2a:b0:5a:9d:b5:b3:05:14:c2:a6:b2 (RSA)
|   256 96:02:bb:5e:57:54:1c:4e:45:2f:56:4c:4a:24:b2:57 (ECDSA)
|_  256 33:fa:91:0f:e0:e1:7b:1f:6d:05:a2:b0:f1:54:41:56 (ED25519)
25/tcp    filtered smtp
80/tcp    open     http       Apache httpd 2.4.7 ((Ubuntu))
|_http-favicon: Nmap Project
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Go ahead and ScanMe!
9929/tcp  open     nping-echo Nping echo
31337/tcp open     tcpwrapped
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 37.96 seconds

This command shows you more than the operating system, such as the services running on the active ports.

When you only want to enable OS detection, pass the parameter -O; this will find the operating system information.

This option requires sudo privileges to run on your terminal.

$ sudo nmap -O 45.33.32.156

There are other parameters: --osscan-limit limits OS detection to promising hosts, and --osscan-guess guesses the operating system more aggressively.

The information you receive from nmap may not be completely accurate, but it will give you an overview.

If you find that information discovered by nmap is incorrect, you can report it at https://nmap.org/submit/.

5. Scan version info of running services

This command helps you find which version of an application the host is running. To check the version, you need to run the command with the parameter -sV.

$ nmap -sV 45.33.32.156
Starting Nmap 7.91 ( https://nmap.org ) at 2020-12-24 12:54 IST
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.24s latency).
Not shown: 995 closed ports
PORT      STATE    SERVICE    VERSION
22/tcp    open     ssh        OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)
25/tcp    filtered smtp
80/tcp    open     http       Apache httpd 2.4.7 ((Ubuntu))
9929/tcp  open     nping-echo Nping echo
31337/tcp open     tcpwrapped
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 30.94 seconds

You can use several additional parameters with version detection, as follows:

--version-intensity <level>: sets the intensity of version detection, from 0 (light) to 9 (high intensity). It is combined with -sV, for example:

$ nmap -sV --version-intensity 5 45.33.32.156

--version-trace: shows the detailed version-detection activity during the scan.

6. Scan to detect firewall settings

You can easily check the firewall settings of a host server using the nmap utility; this helps ensure you have not left any loopholes.

Checking whether a firewall is enabled uses the ACK scan (-sA), which requires sudo privileges; type the command:

$ sudo nmap -sA 45.33.32.156
Starting Nmap 7.91 ( https://nmap.org ) at 2020-12-24 13:08 IST
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.30s latency).
All 1000 scanned ports on scanme.nmap.org (45.33.32.156) are filtered

Nmap done: 1 IP address (1 host up) scanned in 271.21 seconds

The above output shows that all the ports are filtered, which means a firewall is enabled on the host server.

That’s it for the nmap guide. There are many other commands you can use; if you want me to continue writing on nmap, please let me know in the comments.

This Post Has 2 Comments

  1. Dwight

    great work, can you make more article like this on nmap?
