Terminal GuideNmap: Network Scanner & Security Auditing Tool Guide
Nmap (Network Mapper) is the industry-standard open-source tool for network discovery and security auditing. Learn how to use Nmap for port scanning, service detection, OS fingerprinting, and scripted vulnerability checks.
Dai Aoki
CEO at init, Inc. / CTO at US & JP startups / Creator of WebTerm
Quick Reference
Host Discovery
nmap -sn 192.168.1.0/24Ping sweep (no port scan)nmap -Pn targetSkip host discoverynmap -PS22,80 targetTCP SYN discoveryPort Scanning
nmap targetTop 1000 ports (default)nmap -p 1-65535 targetAll portsnmap -sS targetTCP SYN scan (stealth)Service Detection
nmap -sV targetVersion detectionnmap -O targetOS detectionnmap -A targetAggressive (OS + version + scripts)NSE Scripts
nmap --script=default targetDefault scriptsnmap --script=vuln targetVulnerability scriptsnmap --script=safe targetSafe scripts onlyOutput
-oN file.txtNormal output-oX file.xmlXML output-oA basenameAll formats at onceDownloadable Image Preview
Overview
Nmap (Network Mapper) is a free and open-source utility created by Gordon Lyon (Fyodor) for network discovery and security auditing. Since its initial release in 1997, it has become the de facto standard for network reconnaissance in both offensive and defensive security. System administrators use Nmap to inventory their networks, manage service upgrade schedules, and monitor host or service uptime. Security professionals rely on it to identify open ports, running services, operating systems, and potential vulnerabilities across target infrastructure.
Nmap works by sending specially crafted packets to target hosts and analyzing the responses. It supports dozens of scan techniques including TCP SYN scans, UDP scans, SCTP INIT scans, and more. Its extensible scripting engine (NSE) allows users to write and share scripts that automate a wide variety of networking tasks, from advanced version detection to vulnerability exploitation.
Key capabilities of Nmap include:
- Host Discovery -- Identify which hosts are available on a network
- Port Scanning -- Enumerate open ports on target hosts
- Service/Version Detection -- Determine what applications and versions are running
- OS Detection -- Fingerprint the operating system of remote hosts
- Scriptable Interaction -- Automate tasks with the Nmap Scripting Engine (NSE)
- Flexible Output -- Export results in normal, XML, grepable, and script kiddie formats
Installation
Nmap is available on all major platforms. Here is how to install it on different operating systems.
# Debian / Ubuntu
sudo apt update && sudo apt install nmap
# Fedora / RHEL / CentOS
sudo dnf install nmap
# Arch Linux
sudo pacman -S nmap
# macOS (Homebrew)
brew install nmap
# macOS (MacPorts)
sudo port install nmap
# Windows -- download the installer from https://nmap.org/download.html
# Or use winget:
winget install Insecure.Nmap
# Verify installation
nmap --versionnmap.org.Basic Usage
At its simplest, Nmap takes a target specification and scans it for open ports and services. The target can be a hostname, an IP address, a CIDR range, or a combination of these.
# Scan a single host (top 1000 ports by default)
nmap 192.168.1.1
# Scan a hostname
nmap scanme.nmap.org
# Scan multiple hosts
nmap 192.168.1.1 192.168.1.2 192.168.1.3
# Scan a range of IPs
nmap 192.168.1.1-254
# Scan an entire subnet
nmap 192.168.1.0/24
# Scan from a file of targets
nmap -iL targets.txt
# Exclude specific hosts
nmap 192.168.1.0/24 --exclude 192.168.1.1,192.168.1.254Host Discovery
Before port scanning, Nmap determines which hosts are online. By default, it sends an ICMP echo request, a TCP SYN to port 443, a TCP ACK to port 80, and an ICMP timestamp request. You can customize this behavior with various discovery options.
# Ping sweep -- discover live hosts without port scanning
nmap -sn 192.168.1.0/24
# TCP SYN discovery on specific ports
nmap -PS22,80,443 192.168.1.0/24
# TCP ACK discovery
nmap -PA80,443 192.168.1.0/24
# UDP discovery
nmap -PU53,161 192.168.1.0/24
# ICMP echo discovery only
nmap -PE 192.168.1.0/24
# ARP discovery (local network only, very fast)
nmap -PR 192.168.1.0/24
# Skip host discovery -- treat all hosts as online
nmap -Pn 192.168.1.0/24
# Combine multiple discovery techniques
nmap -PS22,80 -PA443 -PE 192.168.1.0/24-PR) is the fastest and most reliable method because ARP requests cannot be blocked by host-based firewalls. Nmap uses ARP discovery automatically when scanning local network addresses.Port Scanning Techniques
Nmap offers several scan types, each with different trade-offs in terms of speed, stealth, and accuracy. The choice depends on your goals and the network environment.
# TCP SYN scan (default, requires root) -- half-open, fast, stealthy
sudo nmap -sS 192.168.1.1
# TCP Connect scan (no root required) -- completes full TCP handshake
nmap -sT 192.168.1.1
# UDP scan -- slower but essential for services like DNS, SNMP, DHCP
sudo nmap -sU 192.168.1.1
# Combined TCP SYN + UDP scan
sudo nmap -sS -sU 192.168.1.1
# TCP ACK scan -- detect firewall rulesets (filtered vs unfiltered)
sudo nmap -sA 192.168.1.1
# TCP FIN scan -- may bypass stateless firewalls
sudo nmap -sF 192.168.1.1
# Xmas scan -- sets FIN, PSH, URG flags
sudo nmap -sX 192.168.1.1
# NULL scan -- sends packets with no flags set
sudo nmap -sN 192.168.1.1
# SCTP INIT scan
sudo nmap -sY 192.168.1.1
# Scan specific ports
nmap -p 22,80,443 192.168.1.1
# Scan a port range
nmap -p 1-1024 192.168.1.1
# Scan all 65535 ports
nmap -p- 192.168.1.1
# Scan top N ports by frequency
nmap --top-ports 100 192.168.1.1
# Fast scan -- top 100 ports
nmap -F 192.168.1.1Port States
| State | Meaning |
|---|---|
| open | An application is actively accepting connections on this port |
| closed | The port is accessible but no application is listening |
| filtered | Nmap cannot determine if the port is open (firewall is blocking probes) |
| unfiltered | The port is accessible but Nmap cannot determine open/closed (ACK scan only) |
| open|filtered | Nmap cannot determine if the port is open or filtered |
| closed|filtered | Nmap cannot determine if the port is closed or filtered |
Service and Version Detection
Knowing that a port is open is only the first step. Nmap can probe open ports to determine what service is running and its version. This is critical for identifying vulnerable software.
# Enable version detection
nmap -sV 192.168.1.1
# Set version detection intensity (0-9, default 7)
nmap -sV --version-intensity 5 192.168.1.1
# Light version detection (intensity 2)
nmap -sV --version-light 192.168.1.1
# Try all probes (intensity 9)
nmap -sV --version-all 192.168.1.1
# Version detection + default scripts + OS detection + traceroute
nmap -A 192.168.1.1
# Combine with specific port range
nmap -sV -p 80,443,8080,8443 192.168.1.1Example output from version detection:
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.52 ((Ubuntu))
443/tcp open ssl/http nginx 1.18.0 (Ubuntu)
3306/tcp open mysql MySQL 8.0.35-0ubuntu0.22.04.1Advanced Usage
Nmap Scripting Engine (NSE)
The Nmap Scripting Engine is one of Nmap's most powerful features. It allows users to write scripts in Lua to automate a wide variety of tasks. Nmap ships with over 600 scripts organized into categories such as auth, broadcast,default, discovery,exploit, safe, and vuln.
# Run default scripts (same as -sC)
nmap --script=default 192.168.1.1
nmap -sC 192.168.1.1
# Run a specific script
nmap --script=http-title 192.168.1.1
# Run multiple scripts
nmap --script=http-title,http-headers 192.168.1.1
# Run all scripts in a category
nmap --script=vuln 192.168.1.1
# Run scripts matching a pattern
nmap --script="http-*" 192.168.1.1
# Combine categories with boolean expressions
nmap --script="default and safe" 192.168.1.1
nmap --script="default or vuln" 192.168.1.1
nmap --script="not intrusive" 192.168.1.1
# Pass arguments to scripts
nmap --script=http-brute --script-args='userdb=users.txt,passdb=passwords.txt' 192.168.1.1
# Useful reconnaissance scripts
nmap --script=banner 192.168.1.1
nmap --script=dns-brute example.com
nmap --script=whois-domain example.com
# SSL/TLS analysis
nmap --script=ssl-enum-ciphers -p 443 192.168.1.1
nmap --script=ssl-cert -p 443 192.168.1.1
nmap --script=ssl-heartbleed -p 443 192.168.1.1
# SMB enumeration
nmap --script=smb-enum-shares,smb-enum-users -p 445 192.168.1.1
# List all available scripts
ls /usr/share/nmap/scripts/
# Get help for a specific script
nmap --script-help=http-titleNSE Script Categories
| Category | Description |
|---|---|
| auth | Scripts related to authentication credentials |
| broadcast | Scripts that discover hosts via broadcast messages |
| brute | Scripts that perform brute-force credential attacks |
| default | Scripts that run with -sC (safe + useful) |
| discovery | Scripts that actively discover more about the network |
| dos | Scripts that may cause denial of service |
| exploit | Scripts that actively exploit vulnerabilities |
| external | Scripts that send data to external services |
| fuzzer | Scripts that send unexpected data to find bugs |
| intrusive | Scripts that may crash targets or use significant resources |
| malware | Scripts that check for malware infections |
| safe | Scripts that are considered safe to run without risk |
| version | Extension of the version detection feature |
| vuln | Scripts that check for specific vulnerabilities |
exploit,dos, or intrusive categories. These scripts can crash services or cause unintended effects on target systems. Always test in a controlled environment first.OS Detection
Nmap can fingerprint the operating system of a remote host by analyzing subtle differences in TCP/IP stack implementation. OS detection requires at least one open and one closed port on the target.
# Enable OS detection (requires root)
sudo nmap -O 192.168.1.1
# OS detection with version detection
sudo nmap -O -sV 192.168.1.1
# Limit OS detection to promising targets
sudo nmap -O --osscan-limit 192.168.1.0/24
# Increase aggressiveness for OS guessing
sudo nmap -O --osscan-guess 192.168.1.1
# Maximum detection -- OS + version + scripts + traceroute
sudo nmap -A 192.168.1.1Example OS detection output:
OS details: Linux 5.4 - 5.15 (95%), Linux 5.0 - 5.5 (93%)
Network Distance: 1 hop
OS CPE: cpe:/o:linux:linux_kernel:5.4 cpe:/o:linux:linux_kernel:5.15Timing and Performance
Nmap provides six timing templates (T0 through T5) that trade off speed versus stealth and accuracy. You can also fine-tune individual timing parameters for maximum control.
# Timing templates (T0=paranoid, T1=sneaky, T2=polite, T3=normal, T4=aggressive, T5=insane)
nmap -T0 192.168.1.1 # Paranoid -- IDS evasion, very slow
nmap -T1 192.168.1.1 # Sneaky -- IDS evasion, slow
nmap -T2 192.168.1.1 # Polite -- reduces bandwidth usage
nmap -T3 192.168.1.1 # Normal -- default timing
nmap -T4 192.168.1.1 # Aggressive -- fast, assumes reliable network
nmap -T5 192.168.1.1 # Insane -- fastest, may miss results
# Fine-tune specific timing parameters
nmap --min-rate 1000 192.168.1.0/24 # Send at least 1000 packets/sec
nmap --max-rate 500 192.168.1.0/24 # Limit to 500 packets/sec
nmap --max-retries 2 192.168.1.0/24 # Limit probe retransmissions
nmap --host-timeout 30m 192.168.1.0/24 # Give up on slow hosts
nmap --min-hostgroup 64 192.168.1.0/24 # Scan hosts in parallel groups
nmap --max-hostgroup 256 192.168.1.0/24 # Limit parallel host groups
# Practical fast scan for large networks
nmap -T4 --min-rate 1000 -p- 192.168.1.0/24Timing Templates
| Template | Use Case |
|---|---|
| -T0 (Paranoid) | Maximum IDS evasion; serialized scans with 5-minute waits between probes |
| -T1 (Sneaky) | IDS evasion; 15-second waits between probes |
| -T2 (Polite) | Reduced bandwidth usage; 0.4-second waits between probes |
| -T3 (Normal) | Default timing template; balanced speed and accuracy |
| -T4 (Aggressive) | Faster scans on reliable networks; recommended for most pen tests |
| -T5 (Insane) | Maximum speed; may sacrifice accuracy; use on fast LANs only |
Output Formats
Nmap supports several output formats that are useful for reporting, parsing, and integration with other tools.
# Normal output to file
nmap -oN scan_results.txt 192.168.1.1
# XML output (for parsing and tool integration)
nmap -oX scan_results.xml 192.168.1.1
# Grepable output (easy to parse with grep/awk)
nmap -oG scan_results.gnmap 192.168.1.1
# Script kiddie output (for entertainment only)
nmap -oS scan_results.skid 192.168.1.1
# Save in all formats simultaneously
nmap -oA scan_results 192.168.1.1
# Increase verbosity during scan
nmap -v 192.168.1.1
nmap -vv 192.168.1.1 # Even more verbose
# Increase debugging output
nmap -d 192.168.1.1
nmap -d2 192.168.1.1 # Level 2 debugging
# Show open ports as they are found (useful for long scans)
nmap --open -v 192.168.1.1
# Resume an interrupted scan
nmap --resume scan_results.gnmap-oA to save output in all formats at once. The XML output is particularly useful for importing results into tools like Metasploit, or parsing with scripts using libraries like python-nmap.Practical Examples
Web Server Security Audit
A comprehensive security audit of a web server typically combines port scanning, version detection, and targeted NSE scripts to identify misconfigurations and vulnerabilities.
# Step 1: Quick scan of common web ports
nmap -sV -p 80,443,8080,8443 webserver.example.com
# Step 2: Enumerate HTTP services with NSE
nmap -sV --script=http-title,http-headers,http-methods,http-server-header \
-p 80,443 webserver.example.com
# Step 3: Check for common web vulnerabilities
nmap --script=http-vuln-cve2017-5638,http-sql-injection,http-csrf \
-p 80,443 webserver.example.com
# Step 4: Analyze SSL/TLS configuration
nmap --script=ssl-enum-ciphers,ssl-cert,ssl-known-key \
-p 443 webserver.example.com
# Step 5: Check for HTTP security headers
nmap --script=http-security-headers -p 80,443 webserver.example.com
# Full web audit in one command
nmap -sV -sC --script="http-* and safe" -p 80,443,8080,8443 \
-oA web_audit webserver.example.comNetwork Inventory and Asset Discovery
System administrators often need to maintain an up-to-date inventory of hosts and services on their network. Nmap makes this straightforward.
# Step 1: Discover all live hosts on the network
nmap -sn 10.0.0.0/24 -oG live_hosts.gnmap
# Step 2: Extract live host IPs
grep "Status: Up" live_hosts.gnmap | awk '{print $2}' > live_ips.txt
# Step 3: Scan all live hosts for services
nmap -sV -iL live_ips.txt -oA network_inventory
# Full network inventory with OS and service detection
sudo nmap -sS -sV -O --top-ports 1000 10.0.0.0/24 -oA full_inventory
# Quick device type identification
sudo nmap -sn -O 192.168.1.0/24
# Find all web servers on the network
nmap -sV -p 80,443,8080,8443 192.168.1.0/24 --open
# Find all SSH servers
nmap -sV -p 22 192.168.1.0/24 --open
# Find all database servers
nmap -sV -p 3306,5432,1433,27017,6379 192.168.1.0/24 --openFirewall and IDS Evasion
During penetration tests, you may need to evade firewalls or intrusion detection systems (IDS) to get accurate results. Nmap offers several techniques for this purpose.
# Fragment packets (split into 8-byte fragments)
sudo nmap -f 192.168.1.1
# Use specific MTU for fragmentation
sudo nmap --mtu 24 192.168.1.1
# Use decoy IP addresses to mask your source
sudo nmap -D RND:10 192.168.1.1
sudo nmap -D 10.0.0.1,10.0.0.2,ME,10.0.0.3 192.168.1.1
# Spoof source IP address (requires specific network setup)
sudo nmap -S 10.0.0.100 -e eth0 192.168.1.1
# Use a specific source port (firewalls sometimes allow port 53 or 80)
sudo nmap --source-port 53 192.168.1.1
sudo nmap -g 80 192.168.1.1
# Append random data to packets
sudo nmap --data-length 25 192.168.1.1
# Randomize target scan order
nmap --randomize-hosts 192.168.1.0/24
# Use slow timing to avoid IDS detection
nmap -T1 --max-rate 10 192.168.1.1
# Idle scan (zombie scan) -- very stealthy
sudo nmap -sI zombie_host:80 192.168.1.1
# MAC address spoofing
sudo nmap --spoof-mac 0 192.168.1.1 # Random MAC
sudo nmap --spoof-mac Apple 192.168.1.1 # Apple vendor prefix
sudo nmap --spoof-mac 00:11:22:33:44:55 192.168.1.1 # Specific MAC-sI) requires finding a suitable zombie host with predictable IP ID sequences.Vulnerability Assessment
Nmap's vulnerability scripts can identify known security issues across common services. While not a replacement for dedicated vulnerability scanners, NSE provides fast initial assessment.
# Run all vulnerability detection scripts
nmap --script=vuln 192.168.1.1
# Check for specific CVEs
nmap --script=smb-vuln-ms17-010 -p 445 192.168.1.1 # EternalBlue
nmap --script=ssl-heartbleed -p 443 192.168.1.1 # Heartbleed
nmap --script=http-shellshock -p 80 192.168.1.1 # Shellshock
# SMB vulnerability scan
nmap --script="smb-vuln-*" -p 445 192.168.1.1
# Brute force common services (use with caution)
nmap --script=ftp-brute -p 21 192.168.1.1
nmap --script=ssh-brute -p 22 192.168.1.1
nmap --script=mysql-brute -p 3306 192.168.1.1
# Check for anonymous FTP access
nmap --script=ftp-anon -p 21 192.168.1.1
# Check for default SNMP community strings
nmap --script=snmp-brute -sU -p 161 192.168.1.1
# DNS zone transfer check
nmap --script=dns-zone-transfer -p 53 ns1.example.com
# Comprehensive vulnerability assessment
sudo nmap -sS -sV -O --script=vuln -p- -T4 \
-oA vuln_assessment 192.168.1.1Options Reference
The following table summarizes the most commonly used Nmap options organized by function.
Target Specification
| Option | Description |
|---|---|
| host/CIDR | Scan target host or network (e.g., 192.168.1.0/24) |
| -iL <file> | Read targets from a file |
| -iR <num> | Scan random hosts |
| --exclude <hosts> | Exclude hosts from scan |
| --excludefile <file> | Exclude hosts listed in file |
Scan Techniques
| Option | Description |
|---|---|
| -sS | TCP SYN scan (stealth, default with root) |
| -sT | TCP Connect scan (default without root) |
| -sU | UDP scan |
| -sA | TCP ACK scan (detect firewalls) |
| -sF / -sX / -sN | FIN / Xmas / NULL scans |
| -sI <zombie> | Idle scan (very stealthy) |
| -sY | SCTP INIT scan |
| -sn | Ping scan (host discovery only) |
Port Specification
| Option | Description |
|---|---|
| -p <ports> | Specify ports (e.g., -p 22,80,443 or -p 1-1024) |
| -p- | Scan all 65535 ports |
| -F | Fast scan (top 100 ports) |
| --top-ports <n> | Scan top N most common ports |
| -r | Scan ports sequentially (do not randomize) |
Detection & Enumeration
| Option | Description |
|---|---|
| -sV | Service/version detection |
| -O | OS detection |
| -A | Aggressive mode (OS + version + scripts + traceroute) |
| -sC | Run default NSE scripts (same as --script=default) |
| --script=<name> | Run specific NSE scripts or categories |
| --script-args=<args> | Pass arguments to NSE scripts |
| --traceroute | Trace the network path to hosts |
Output Options
| Option | Description |
|---|---|
| -oN <file> | Normal output to file |
| -oX <file> | XML output |
| -oG <file> | Grepable output |
| -oA <basename> | Output in all formats |
| -v / -vv | Increase verbosity |
| -d / -d2 | Increase debugging level |
| --open | Show only open ports |
| --resume <file> | Resume an aborted scan |
Tips & Best Practices
- Always get authorization first -- Scanning without permission is illegal in most jurisdictions. Obtain written authorization and clearly define the scope before any scan.
- Start with host discovery -- Use
-snfirst to identify live hosts before running detailed port scans. This saves time and reduces noise. - Use
-T4for pen tests -- The aggressive timing template is usually the best balance of speed and reliability on modern networks. Reserve-T5for local networks only. - Save all output formats -- Always use
-oAto save results in all formats. The XML output integrates well with Metasploit, while the grepable format is ideal for shell scripting. - Combine
-sVand-sC-- Service version detection paired with default scripts gives you the most useful information in a single scan pass. - Scan UDP too -- Many administrators forget about UDP services. Use
-sUto check for DNS (53), SNMP (161/162), DHCP (67/68), and NTP (123). - Use
--opento filter results -- When scanning large networks, add--opento only display open ports and reduce output noise. - Run as root when possible -- Root privileges enable SYN scans, OS detection, and other raw-packet features that are more efficient and accurate than unprivileged scans.
- Be mindful of network impact -- Aggressive scans on production networks can cause performance issues. Use
--max-rateto throttle packet rates on sensitive environments. - Keep Nmap and scripts updated -- New NSE scripts and detection signatures are regularly added. Update frequently with
nmap --script-updatedbafter adding new scripts. - Use the Nmap database for quick searches -- Refer to the
nmap-servicesfile for port/service mappings and thenmap-os-dbfor OS fingerprint data. - Automate with scripts -- Combine Nmap with bash scripts or tools like
python-nmapfor repeatable scanning workflows and automated reporting.
Related Tools
Nmap works well alongside other security tools as part of a comprehensive penetration testing workflow. Here are some tools that complement Nmap for different stages of security assessments.
- Wireshark / tshark -- Capture and analyze network traffic to understand packet-level behavior during and after Nmap scans. Useful for verifying scan results and investigating anomalies.
- Metasploit Framework -- Import Nmap XML output directly into Metasploit for exploitation. Use
db_import scan.xmlin msfconsole to populate the target database. - Nikto -- After identifying web servers with Nmap, use Nikto for deeper web server vulnerability scanning and misconfiguration detection.
- sqlmap -- When Nmap discovers web applications with potential SQL injection points, use sqlmap for automated SQL injection testing.
- Masscan -- For extremely large-scale scanning (entire Internet ranges), Masscan provides much faster scanning than Nmap, though with less detailed results. Use Masscan for initial discovery and Nmap for detailed follow-up.
- Zenmap -- The official Nmap GUI that provides network topology visualization, scan comparison, and a more accessible interface for those who prefer graphical tools.
Summary
Nmap is an essential tool for anyone working in network security or system administration. Its combination of powerful scanning capabilities, extensible scripting, and flexible output options makes it indispensable for network reconnaissance and security auditing. Here are the key takeaways:
- Use
nmap -snfor host discovery and network mapping - Use
nmap -sS -sV -sCfor comprehensive service enumeration - Use
nmap --script=vulnfor vulnerability assessment - Use
nmap -Ofor operating system fingerprinting - Always save output with
-oAfor reporting and tool integration - Adjust timing with
-T4for fast scans or-T1for stealth - Explore the 600+ NSE scripts for automated security checks
- Always scan ethically and with proper authorization
Official Documentation
For authoritative information, refer to the official documentation:
Related Articles
Wireshark & tshark: Network Protocol Analyzer Guide
Master Wireshark and tshark for network traffic analysis. Learn capture filters, display filters, protocol dissection, and CLI-based packet analysis.
Nikto: Web Server Vulnerability Scanner Guide
Complete guide to Nikto web server scanner. Learn vulnerability scanning, SSL testing, authentication bypass detection, and automated security assessments.
Metasploit Framework: Penetration Testing Guide
Complete guide to the Metasploit Framework for penetration testing. Learn msfconsole, exploit modules, payloads, and post-exploitation techniques.
sqlmap: SQL Injection Testing Tool Guide
Complete guide to sqlmap for automated SQL injection detection and exploitation. Learn database enumeration, data extraction, and advanced tamper techniques.