How to Use Nmap: Commands and Tutorial Guide (2023)

Nmap is a network mapper that has emerged as one of the most popular, free network discovery tools on the market. Nmap is now one of the core tools used by network administrators to map their networks. The program can be used to find live hosts on a network, perform port scanning, ping sweeps, OS detection, and version detection.

A number of recent cyberattacks have re-focused attention on the type of network auditing that Nmap provides. Analysts have pointed out that the recent Capital One hack, for instance, could have been detected sooner if system administrators had been monitoring connected devices. In this guide, we’ll look at what Nmap is, what it can do, and explain how to use the most common commands.

Download the full Netcat cheatsheet

Ideally, Nmap should be used as part of an integrated Data Security Platform. Once Nmap has been used to map a network, a platform such as Varonis’ Datadvantage can then be used to implement advanced access control.

  • How To Use Nmap
  • Nmap Tutorial and Examples
  • Nmap Commands
  • Nmap FAQ

What is Nmap?

How to Use Nmap: Commands and Tutorial Guide (1)

At its core, Nmap is a network scanning tool that uses IP packets to identify all the devices connected to a network and to provide information on the services and operating systems they are running.

The program is most commonly used via a command-line interface (though GUI front-ends are also available) and is available for many different operating systems such as Linux, Free BSD, and Gentoo. Its popularity has also been bolstered by an active and enthusiastic user support community.

Nmap was developed for enterprise-scale networks and can scan through thousands of connected devices. However, in recent years Nmap is being increasingly used by smaller companies. The rise of the IoT, in particular, now means that the networks used by these companies have become more complex and therefore harder to secure.

This means that Nmap is now used in many website monitoring tools to audit the traffic between web servers and IoT devices. The recent emergence of IoT botnets, like Mirai, has also stimulated interest in Nmap, not least because of its ability to interrogate devices connected via the UPnP protocol and to highlight any devices that may be malicious.

What Does Nmap Do?

How to Use Nmap: Commands and Tutorial Guide (2)

At a practical level, Nmap is used to provide detailed, real-time information on your networks, and on the devices connected to them.

The primary uses of Nmap can be broken into three core processes. First, the program gives you detailed information on every IP active on your networks, and each IP can then be scanned. This allows administrators to check whether an IP is being used by a legitimate service, or by an external attacker.

Secondly, Nmap provides information on your network as a whole. It can be used to provide a list of live hosts and open ports, as well as identifying the OS of every connected device. This makes it a valuable tool in ongoing system monitoring, as well as a critical part of pentesting. Nmap can be used alongside the Metasploit framework, for instance, to probe and then repair network vulnerabilities.

Thirdly, Nmap has also become a valuable tool for users looking to protect personal and business websites. Using Nmap to scan your own web server, particularly if you are hosting your website from home, is essentially simulating the process that a hacker would use to attack your site. “Attacking” your own site in this way is a powerful way of identifying security vulnerabilities.

How To Use Nmap

How to Use Nmap: Commands and Tutorial Guide (3)

Nmap is straightforward to use, and most of the tools it provides are familiar to system admins from other programs. The advantage of Nmap is that it brings a wide range of these tools into one program, rather than forcing you to skip between separate and discrete network monitoring tools.

In order to use Nmap, you need to be familiar with command-line interfaces. Most advanced users are able to write scripts to automate common tasks, but this is not necessary for basic network monitoring.

How To Install Nmap

The process for installing Nmap is easy but varies according to your operating system. The Windows, Mac, and Linux versions of the program can be downloaded here.

  • For Windows, Nmap comes with a custom installer (namp<version>setup.exe). Download and run this installer, and it automatically configures Nmap on your system.
  • On Mac, Nmap also comes with a dedicated installer. Run the Nmap-<version>mpkg file to start this installer. On some recent versions of macOS, you might see a warning that Nmap is an “unidentified developer”, but you can ignore this warning.
  • Linux users can either compile Nmap from source or use their chosen package manager. To use apt, for instance, you can run Nmap –version to check if Nmap is installed, and sudo apt-get install Nmap to install it.

Nmap Tutorial and Examples

Once you’ve installed Nmap, the best way of learning how to use it is to perform some basic network scans.

How To Run a Ping Scan

One of the most basic functions of Nmap is to identify active hosts on your network. Nmap does this by using a ping scan. This identifies all of the IP addresses that are currently online without sending any packets to these hosts.

To run a ping scan, run the following command:

# nmap -sp

This command then returns a list of hosts on your network and the total number of assigned IP addresses. If you spot any hosts or IP addresses on this list that you cannot account for, you can then run further commands (see below) to investigate them further.

How To Run A Host Scan

A more powerful way to scan your networks is to use Nmap to perform a host scan. Unlike a ping scan, a host scan actively sends ARP request packets to all the hosts connected to your network. Each host then responds to this packet with another ARP packet containing its status and MAC address.

To run a host scan, use the following command:

# nmap -sp <target IP range>

This returns information on every host, their latency, their MAC address, and also any description associated with this address. This can be a powerful way of spotting suspicious hosts connected to your network.

If you see anything unusual in this list, you can then run a DNS query on a specific host, by using:

# namp -sL <IP address>

This returns a list of names associated with the scanned IP. This description provides information on what the IP is actually for.

How To Use Nmap in Kali Linux

Using Nmap in Kali Linux can be done in an identical way to running the program on any other flavor of Linux.

That said, there are advantages to using Kali when running Nmap scans. Most modern distros of Kali now come with a fully-features Nmap suite, which includes an advanced GUI and results viewer (Zenmap), a flexible data transfer, redirection, and debugging tool (Ncat), a utility for comparing scan results (Ndiff), and a packet generation and response analysis tool (Nping).

Nmap Commands

How to Use Nmap: Commands and Tutorial Guide (4)

Most of the common functions of Nmap can be executed using a single command, and the program also uses a number of ‘shortcut’ commands that can be used to automate common tasks.

Here is a quick run-down:

1. Ping Scanning

As mentioned above, a ping scan returns information on every active IP on your network. You can execute a ping scan using this command:

# nmap -sp

2. Port Scanning

There are several ways to execute port scanning using Nmap. The most commonly used are these:

# sS TCP SYN scan# sT TCP connect scan# sU UDP scans# sY SCTP INIT scan# sN TCP NULL

The major differences between these types of scans are whether they cover TCP or UDP ports and whether they execute a TCP connection. Here are the basic differences:

  • The most basic of these scans is the sS TCP SYN scan, and this gives most users all the information they need. It scans thousands of ports per second, and because it doesn’t complete a TCP connection it does not arouse suspicion.
  • The main alternative to this type of scan is the TCP Connect scan, which actively queries each host, and requests a response. This type of scan takes longer than a SYN scan, but can return more reliable information.
  • The UDP scan works in a similar way to the TCP connect scan but uses UDP packets to scan DNS, SNMP, and DHCP ports. These are the ports most frequently targeted by hackers, and so this type of scan is a useful tool for checking for vulnerabilities.
  • The SCTP INIT scan covers a different set of services: SS7 and SIGTRAN. This type of scan can also be used to avoid suspicion when scanning an external network because it doesn’t complete the full SCTP process.
  • The TOP NULL scan is also a very crafty scanning technique. It uses a loophole in the TCP system that can reveal the status of ports without directly querying them, which means that you can see their status even where they are protected by a firewall.

3. Host Scanning

Host scanning returns more detailed information on a particular host or a range of IP addresses. As mentioned above, you can perform a host scan using the following command:

# nmap -sp <target IP range>

4. OS Scanning

OS scanning is one of the most powerful features of Nmap. When using this type of scan, Nmap sends TCP and UDP packets to a particular port, and then analyze its response. It compares this response to a database of 2600 operating systems, and return information on the OS (and version) of a host.

To run an OS scan, use the following command:

# nmap -O <target IP>

5. Scan The Most Popular Ports

If you are running Nmap on a home server, this command is very useful. It automatically scans a number of the most ‘popular’ ports for a host. You can run this command using:

nmap --top-ports 20

Replace the “20” with the number of ports to scan, and Nmap quickly scans that many ports. It returns a concise output that details the status of the most common ports, and this lets you quickly see whether you have any unnecessarily open ports.

6. Output to a File

If you want to output the results of your Nmap scans to a file, you can add an extension to your commands to do that. Simply add:

-oN output.txt

To your command to output the results to a text file, or:

-oX output.xml

To output to an XML.

7. Disable DNS Name Resolution

Finally, you can speed up your Nmap scans by using the -n parameter to disable reverse DNS resolution. This can be extremely useful if you want to scan a large network. For example, to turn off DNS resolution for the basic ping scan mentioned above, add -n:

# nmap -sp -n

Nmap FAQ

The commands above cover most of the basic functionality of Nmap. You might still have some questions though, so let’s run through the most common ones.

Q: What Are Some Nmap Alternatives?

There are some alternatives to Nmap, but most of them are focused on providing specific, niche functionality that the average system administrator does not need frequently. MASSCAN, for instance, is much faster than Nmap but provides less detail. Umit, by contrast, allows you to run several scans at once.

In reality, however, Nmap provides all the functionality and speed that the average user requires, especially when used alongside other similarly popular tools like NetCat (which can be used to manage and control network traffic) and ZenMap (which provides a GUI for Nmap)

Q: How Does Nmap Work?

Nmap builds on previous network auditing tools to provide quick, detailed scans of network traffic. It works by using IP packets to identify the hosts and IPs active on a network and then analyze these packets to provide information on each host and IP, as well as the operating systems they are running.

Q: Is Nmap Legal?

Yes. If used properly, Nmap helps protect your network from hackers, because it allows you to quickly spot any security vulnerabilities in your systems.

Whether port scanning on external servers is legal is another issue. The legislation in this area is complex and varies by territory. Using Nmap to scan external ports can lead to you being banned by your ISP, so make sure you research the legal implications of using the program before you start using it more widely.

The Bottom Line

Taking the time to learn Nmap can dramatically increase the security of your networks because the program offers a quick, efficient way of auditing your systems. Even the basic features offered by the program – such as the ability to perform port scanning – quickly reveal any suspicious devices that are active on your network.

Using Nmap to perform frequent network audits can help you avoid becoming easy prey for hackers, whilst also improving your knowledge of your own network. In addition, Nmap provides functionality that complements more fully-featured data security platforms such as that offered by Varonis, and when used alongside these tools can dramatically improve your cybersecurity.


How do I run a Nmap command? ›

To get started, download and install Nmap from the website and then launch a command prompt. Typing nmap [hostname] or nmap [ip_address] will initiate a default scan. A default scan uses 1000 common TCP ports and has Host Discovery enabled. Host Discovery performs a check to see if the host is online.

How do I scan an IP address with Nmap? ›

To use nmap to scan the devices on your network, you need to know the subnet you are connected to.
Using the IP scanning-tool NMAP
  1. On Linux, type hostname -I into a terminal window.
  2. On macOS, go to System Preferences then Network and select your active network connection to view the IP address.

What does the command Nmap 192.168 1.1 O does? ›

OS Detection
-O --max-os-triesnmap -O --max-os-tries 1Set the maximum number x of OS detection tries against a target
-Anmap -AEnables OS detection, version detection, script scanning, and traceroute
3 more rows
Aug 27, 2021

How do I read a script in Nmap? ›

You can view a description of a script with the --script-help option. Additionally, you can pass arguments to some scripts via the --script-args and --script-args-file options, the later is used to provide a filename rather than a command-line arg.

Can you Nmap yourself? ›

Developer, port scan thyself

Regularly port scan yourself; it's the only way to be certain that your databases aren't listening to the outside world. Run Nmap against your servers, and make sure that only the ports you expect are open. To make it easier, here's a script to do it for you.

How do I do a quick Nmap scan? ›

If you need to perform a scan quickly, you can use the -F flag. The -F flag will list ports on the nmap-services files. Because the -F "Fast Scan" flag does not scan as many ports, it isn't as thorough.

What is Nmap beginner? ›

Nmap is short for Network Mapper. It is an open-source Linux command-line tool that is used to scan IP addresses and ports in a network and to detect installed applications. Nmap allows network admins to find which devices are running on their network, discover open ports and services, and detect vulnerabilities.

Why do hackers use Nmap? ›

The answer is Yes because Nmap can be used to gain access to uncontrolled ports on the network that may lead to providing access to the system. The hackers run the commands to get into the targeted system and can exploit the vulnerabilities of that system.

How do I scan all IP addresses on my network? ›

On Windows, type the command “ipconfig” and press Return. Get more information by typing the command “arp -a.” You should now see a basic list of the IP addresses for devices connected to your network.

How do I scan for local IP? ›

However, there are a few ways to scan local networks for IP addresses.
How to Find All IP Addresses on a Network
  1. Open the command prompt.
  2. Enter the command “ipconfig” for Mac or “ifconfig” on Linux. ...
  3. Next, input the command “arp -a”. ...
  4. Optional: Input the command “ping -t”.
Jan 4, 2023

What is the most popular Nmap command? ›

3. Ping Scan Using Nmap. This is probably one of the most used and popular Nmap commands to help host detection on any network.

What is the most powerful Nmap scan? ›

OS Scanning

OS scanning is one of the most powerful features of Nmap. When using this type of scan, Nmap sends TCP and UDP packets to a particular port, and then analyze its response. It compares this response to a database of 2600 operating systems, and return information on the OS (and version) of a host.

What is the most common Nmap scan? ›

Nmap Ping Scan

The most famous type of scan is the Nmap ping scan (so-called because it's often used to perform Nmap ping sweeps), and it's the easiest way to detect hosts on any network.

What is nmap Scripting Language? ›

The Nmap scripting language is an embedded Lua interpreter which is extended with libraries for interfacing with Nmap. The Nmap API is in the Lua namespace nmap . This means that all calls to resources provided by Nmap have an nmap prefix. nmap. new_socket() , for example, returns a new socket wrapper object.

What are the default nmap scripts? ›

Nmap contains scripts for brute forcing dozens of protocols, including http-brute , oracle-brute , snmp-brute , etc. These scripts are the default set and are run when using the -sC or -A options rather than listing scripts with --script .

Is it illegal to scan a Nmap? ›

Not at all.. just scanning for ports or identifying the services running or finding vulnerabilities is not illegal at all,but yes if you further exploit these vulnerabilities to gain access to systems ,servers etc.. then it is definitely illegal.

Can you Nmap any IP address? ›

You can append / <numbits> to an IPv4 address or hostname and Nmap will scan every IP address for which the first <numbits> are the same as for the reference IP or hostname given. For example, 192.168. 10.0/24 would scan the 256 hosts between 192.168. 10.0 (binary: 11000000 10101000 00001010 00000000 ) and 192.168.

Is it illegal to scan ports? ›

In the U.S., no federal law exists to ban port scanning. At the state and local level, no clear guidelines exist.

How many TCP ports are there? ›

Ports and Protocols. Between the protocols User Datagram Protocol (UDP) and Transmission Control Protocol (TCP), there are 65,535 ports available for communication between devices.

How can I check a specific port? ›

Press the Windows key + R, then type "cmd.exe" and click OK. Enter "telnet + IP address or hostname + port number" (e.g., telnet 1723 or telnet 10.17. xxx. xxx 5000) to run the telnet command in Command Prompt and test the TCP port status.

How do I know what ports to scan? ›

Normally, port scans trigger huge amounts of requests to different ports or IP Addresses within a short period of time. Such port scans can be easily detected by simple mechanisms like counting the number of requested ports for each Source IP Address.

How do I run a scan? ›

Finally, here's how to do a virus scan on your Android:
  1. Go to the Google Play Store.
  2. Click on Menu.
  3. Click on Play Protect.
  4. Click on Settings.
  5. Turn Scan Apps With Play Protect on.
Jan 24, 2023

What is Nmap and how do you use it? ›

Nmap allows you to scan your network and discover not only everything connected to it, but also a wide variety of information about what's connected, what services each host is operating, and so on. It allows a large number of scanning techniques, such as UDP, TCP connect (), TCP SYN (half-open), and FTP.

How do I write Nmap results to a file? ›

Saving and Loading Scan Results
  1. To save an individual scan to a file, choose “Save Scan” from the “Scan” menu (or use the keyboard shortcut ctrl+S). ...
  2. You can save every scan in an inventory with “Save All Scans to Directory” under the “Scan” menu (ctrl+alt+S).

What should I know before learning Nmap? ›

Getting started with Nmap
  • Windows or Linux? ...
  • Step 1: Operating System Installation. ...
  • Step 2: Ubuntu Installation. ...
  • Step 3: Nmap Installation from source. ...
  • Nmap command example. ...
  • Zenmap for those who like to click. ...
  • The 3 way TCP handshake. ...
  • Filtered ports or when the Firewall drops a packet.

What are the three main functions of Nmap? ›

Port scanning – Enumerating the open ports on target hosts. Version detection – Interrogating network services on remote devices to determine application name and version number. Ping Scan – Check host by sending ping requests.

Is Nmap a good tool for hackers? ›

One of the reasons why Nmap is featured in so many movies is because of its ability to uncover unknown information about computer networks, meaning that it makes for a great tool for hackers.

Can you go to jail by using Nmap? ›

When used properly, Nmap helps protect your network from invaders. But when used improperly, Nmap can (in rare cases) get you sued, fired, expelled, jailed, or banned by your ISP.

How do hackers scan ports? ›

During a port scan, hackers send a message to each port, one at a time. The response they receive from each port determines whether it's being used and reveals potential weaknesses. Security techs can routinely conduct port scanning for network inventory and to expose possible security vulnerabilities.

What are some of the problems with using Nmap? ›

NMAP Considerations

- Scanned devices (the target) may respond in unexpected ways (eg. medical devices, network gear). - Can be blocked by Antivirus software on both the system performing the scan and the system being scanned. This can affect the depth and accuracy of the data provided by NMAP.

Can IP be tracked exact location? ›

IP addresses do reveal your geolocation, but not your precise location like a home address does. IP addresses will also never reveal your name, phone number, or other precise personal information.

Can I trace an exact location of IP address? ›

Your IP address doesn't contain the information necessary to reveal your exact physical location to anyone who may attempt to trace your IP address and find you. In some circumstances, a person may be able to locate the city or general area you're in.

Can you track an IP to an exact address? ›

Through a useful internet tool called IP Geolocation Lookup, you can track an IP address close to someone's exact location. You can get pretty close, depending on a variety of factors, to finding the physical location of someone's IP address.

How can I see all devices connected to my network? ›

View devices connected to your network and review data usage
  1. Open the Google Home app .
  2. Tap Wi-Fi .
  3. At the top, tap Devices.
  4. Tap a specific device and a tab to find additional details. Speed: Real time usage is how much data your device is currently using.

How do I find a device by IP address? ›

How do I find a device by IP address? In Windows, go to All Programs -> Accessories. Then right-click on Command Prompt. Choose Run As Administrator and type in nslookup %ipaddress% putting an IP address instead of %ipaddress%.

How do I scan all IP addresses in a network with Nmap? ›

You can append / <numbits> to an IP address or hostname and Nmap will scan every IP address for which the first <numbits> are the same as for the reference IP or hostname given. For example, 192.168. 10.0/24 would scan the 256 hosts between 192.168. 10.0 (binary: 11000000 10101000 00001010 00000000 ) and 192.168.

Is Nmap a sniffer? ›

As a network analyzer or packet sniffer, Nmap is extremely versatile. For example, it allows the user to scan any IP active on their network.

Would you tell Nmap to scan all ports? ›

The Nmap command you will need to scan all ports is “nmap –p– 192.168. 0.1,” which scans ports 0 through 65,535. If you want to scan a single port, the command to enter is “nmap -p 22 192.168. 1.1.” For scanning a range of ports, you would need to insert the following command in the Nmap window: “nmap -p 1-100 192.168.

Which tool is better than Nmap? ›

An angry IP scanner is the best alternative for Nmap for the port scan tool. It is mainly used for the fast scanning speed of port and IP address scanners as it has a multi-thread process that separates each scan.

How long should an Nmap scan take? ›

By default, Nmap scans the most common 1,000 ports. On a fast network of responsive machines, this may take a fraction of a second per host. But Nmap must slow down dramatically when it encounters rate limiting or firewalls that drop probe packets without responding. UDP scans can be agonizingly slow for these reasons.

Which is better Nmap or Wireshark? ›

Wireshark is mostly generic scanning and hence returns details of every request that is made in the network. Nmap allows applications to learn about the other computers that are available on the network. Wireshark allows an application to learn what is being sent or receive on one's computer.

How many port scan Nmap scan? ›

By default, Nmap scans the most common 1,000 ports for each protocol.

What does F mean in Nmap? ›

By default, Nmap scans the 1,000 most popular ports of each protocol it is asked to scan. Alternatively, you can specify the -F (fast) option to scan only the 100 most common ports in each protocol or --top-ports to specify an arbitrary number of ports to scan.

What does T4 mean in Nmap? ›

The -T4 is for the speed template, these templates are what tells nmap how quickly to perform the scan. The speed template ranges from 0 for slow and stealthy to 5 for fast and obvious.

Which Nmap scan is aggressive? ›

Nmap has a special flag to activate aggressive detection, namely -A . Aggressive mode enables OS detection ( -O ), version detection ( -sV ), script scanning ( -sC ), and traceroute ( --traceroute ).

Is it legal to scan with Nmap? ›

Network probing or port scanning tools are only permitted when used in conjunction with a residential home network, or if explicitly authorized by the destination host and/or network. Unauthorized port scanning, for any reason, is strictly prohibited.

Is Nmap easy to use? ›

Nmap is straightforward to use, and most of the tools it provides are familiar to system admins from other programs. The advantage of Nmap is that it brings a wide range of these tools into one program, rather than forcing you to skip between separate and discrete network monitoring tools.

What do hackers use Nmap? ›

Nmap is used to discover free networks around you. Network administrators find Nmap very useful as they always need to map their networks. Hackers also started using Nmap for auditing networks and other purposes.

How do I scan for open ports? ›

To view the TCP/UDP open port state of a remote host, type “portqry.exe –n [hostname/IP]” where [hostname/IP] is replaced with the hostname or IP address of the remote host.

What Nmap Cannot do? ›

Nmap cannot determine whether the port is open because packet filtering prevents its probes from reaching the port. The filtering could be from a dedicated firewall device, router rules, or host-based firewall software. These ports frustrate attackers because they provide so little information.

Is it OK to Nmap Google? ›

Scanning a remote host without permission is illegal, because an uncontrolled scan can trigger remote server daemons (like knockd), IDS events and even cause a Denial of Service.


Top Articles
Latest Posts
Article information

Author: Reed Wilderman

Last Updated: 25/08/2023

Views: 5489

Rating: 4.1 / 5 (52 voted)

Reviews: 83% of readers found this page helpful

Author information

Name: Reed Wilderman

Birthday: 1992-06-14

Address: 998 Estell Village, Lake Oscarberg, SD 48713-6877

Phone: +21813267449721

Job: Technology Engineer

Hobby: Swimming, Do it yourself, Beekeeping, Lapidary, Cosplaying, Hiking, Graffiti

Introduction: My name is Reed Wilderman, I am a faithful, bright, lucky, adventurous, lively, rich, vast person who loves writing and wants to share my knowledge and understanding with you.