Here’s everything you can do with Nmap – Command Examples

Updated on September 2, 2017

Nmap is an open source network mapper that lets you scan a network of hosts and services and perform security assessments and audits. This useful command comes with loads of options and capabilities, but you need some expertise to use it well. In this tutorial, I’ll introduce a few command examples that can help you identify possible vulnerable points in individual hosts or an entire subnet: operating system and service version detection, listing of services, interfaces and routes, MAC identification, and so on.

So, here we go.

Some Linux flavors may not come with nmap installed; install it using yum or apt-get, depending on the distribution you are using.

# yum install nmap


# apt-get install nmap

Let’s start with scanning a single host:

Scanning single IP address (no root)

$ nmap

Sample output:

Host is up (0.00035s latency).
Not shown: 999 closed ports
22/tcp open ssh
Nmap done: 1 IP address (1 host up) scanned in 1.50 seconds

Scanning multiple IP addresses (no root)

$ nmap

Scanning multiple IP addresses using comma as delimiter

$ nmap,5

The above command will scan and IP addresses

Scanning range of IP addresses (no root)

$ nmap

The above command will scan IP address starting from to

Scanning IP address using wild-card (no root)

$ nmap 14.0.0.*

Scanning all IP addresses in a subnet

$ nmap

Scanning a host using domain name

$ nmap

Scanning hosts reading from a text file

$ cat host-list.txt
$ nmap -iL host-list.txt

Scanning a subnet excluding a particular IP address

$ nmap --exclude

Scan a subnet excluding list of IP addresses

$ nmap --exclude,2

Scan a subnet excluding the list of IP addresses from a file

$ cat exclude-ips.txt,2,3,4,5
$ nmap --excludefile exclude-ips.txt

Identify hostnames of all IPs in a subnet (no root)

$ nmap -sL
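The target notations above (comma lists, octet ranges, wildcards, CIDR blocks, -iL host lists and --excludefile) are easy to get wrong, and a scan that silently covers more or fewer hosts than intended is a scoping problem. The following Python script is an added example, not code from this article or from the Nmap project: it expands IPv4 target specifications the way nmap does and applies an exclude list, so you can check what a host-list.txt / exclude-ips.txt pair actually resolves to before running the scan. It assumes dotted-quad IPv4 specs only (hostnames and IPv6 are not handled) and treats '#' as a comment marker in the list files; the sample file contents in the main block are constructed.

```python
"""Expand Nmap-style IPv4 target specs and apply an exclude list.

Added example; not code from the article or from the Nmap project. Handles the
target grammar the article demonstrates (comma lists, octet ranges, '*'
wildcards, CIDR suffixes) plus -iL / --excludefile style files. IPv4 only,
by assumption; hostnames and IPv6 specs are rejected.
"""
import ipaddress
import itertools


def _expand_octet(field: str) -> list[int]:
    """Expand one dotted-quad field: '5', '1,5', '1-3', '*', or a mix such as '1,10-12'."""
    values: list[int] = []
    for part in field.split(","):
        if part == "*":
            values.extend(range(256))
        elif "-" in part:
            lo, hi = part.split("-", 1)
            # nmap lets either end be omitted: '-5' means 0-5 and '250-' means 250-255
            values.extend(range(int(lo) if lo else 0, (int(hi) if hi else 255) + 1))
        else:
            values.append(int(part))
    if any(not 0 <= v <= 255 for v in values):
        raise ValueError(f"octet value out of range in {field!r}")
    return values


def expand_targets(spec: str) -> list[str]:
    """Expand one spec such as '10.0.0.1,5', '10.0.0.1-3', '10.0.0.*' or '10.0.0.0/24'."""
    base, _, prefix = spec.strip().partition("/")
    fields = base.split(".")
    if len(fields) != 4:
        raise ValueError(f"expected a dotted-quad IPv4 spec, got {spec!r}")
    seen: dict[str, None] = {}  # ordered set: keeps first-seen order, drops duplicates
    for combo in itertools.product(*(_expand_octet(f) for f in fields)):
        addr = ".".join(str(v) for v in combo)
        if prefix:
            # nmap scans every address in the block, network and broadcast included
            net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
            for ip in net:
                seen.setdefault(str(ip), None)
        else:
            seen.setdefault(addr, None)
    return list(seen)


def _read_specs(text: str) -> list[str]:
    """Split list-file contents: whitespace-separated specs, '#' starts a comment (assumed)."""
    specs: list[str] = []
    for line in text.splitlines():
        specs.extend(line.split("#", 1)[0].split())
    return specs


def build_scope(host_list: str, exclude_list: str = "") -> list[str]:
    """Addresses a scan would touch given -iL file contents and --excludefile contents."""
    excluded: set[str] = set()
    for spec in _read_specs(exclude_list):
        excluded.update(expand_targets(spec))
    scope: dict[str, None] = {}
    for spec in _read_specs(host_list):
        for addr in expand_targets(spec):
            if addr not in excluded:
                scope.setdefault(addr, None)
    return list(scope)


if __name__ == "__main__":
    # Constructed sample files mirroring the article's host-list.txt / exclude-ips.txt,
    # using the 192.0.2.0/24 documentation range.
    hosts = "192.0.2.0/28   # a /28 of the documentation range\n192.0.2.100,101\n"
    excludes = "192.0.2.1,2,3,4,5\n"
    for addr in build_scope(hosts, excludes):
        print(addr)
```

Run it with python3 to print the resolved scope. nmap's own answer for the same files comes from the list scan shown above, `nmap -sL -iL host-list.txt --excludefile exclude-ips.txt`, and the two lists should agree; if they do not, the specs mean something other than you intended.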

Perform PING sweep

A ping sweep is generally used to find out which hosts are alive on the network, and it is the quick first pass to run when you have a large number of hosts to cover. (-sP is the older spelling of this option; current Nmap releases call it -sn and still accept -sP.)

# nmap -sP

Scan a single port of a particular IP address or host (no root)

$ nmap -p 22

Sample output:

Host is up (0.00066s latency).
22/tcp open  ssh
Nmap done: 1 IP address (1 host up) scanned in 0.47 seconds

Scan a range of ports (no root)

$ nmap -p 15-23

Sample output:

15/tcp closed netstat
16/tcp closed unknown
17/tcp closed qotd
18/tcp closed unknown
19/tcp closed chargen
20/tcp closed ftp-data
21/tcp closed ftp
22/tcp open   ssh
23/tcp closed telnet

Perform a fast scan of ports (100 most common ports) (no root)

$ nmap -F

Scan the top N most common ports (no root)

$ nmap --top-ports 10
$ nmap --top-ports 2

Scan all ports (no root)

$ nmap -p-

The above command will scan all 65535 ports of a given IP address.

Detecting OS and Service information of a remote host (no root)

$ nmap -A

Sample output:

Starting Nmap 7.01 ( ) at 2016-07-11 06:34 UTC
Host is up (0.00029s latency).
Not shown: 999 closed ports
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu1 (Ubuntu Linux; protocol 2.0)

Service detection (no root)

$ nmap -sV

Aggressive service detection (no root)

Nmap uses several methods to detect operating system and service information. Aggressive service detection helps when a service runs on an uncommon port (for example, SSH is expected to listen on port 22, but the remote host might run it on a different port). It is slower than normal service detection, because the normal mode mostly relies on the service banners while higher intensities send more probes. The intensity ranges from 0 to 9; nmap's default is 7, and --version-all is shorthand for 9.

$ nmap -sV --version-intensity 5

Sample output:

Host is up (0.00044s latency).
Not shown: 999 closed ports
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu1 (Ubuntu Linux; protocol 2.0)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at

Detecting Operating System (root)

The service detection example above already reveals operating system information. It is also possible to guess the operating system and its version directly, using the command below.

Note: The OS detection requires root privilege.

$ nmap -O
TCP/IP fingerprinting (for OS scan) requires root privileges.
# nmap -O
# nmap -O --osscan-guess
Starting Nmap 7.01 ( ) at 2016-07-11 08:39 UTC
Host is up (0.00035s latency).
Not shown: 999 closed ports
22/tcp open  ssh
Aggressive OS guesses: Linux 3.1 (93%), Linux 3.2 (93%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (92%), Android 5.0.2 (92%), Android 5.1 (92%), Linux 3.0 (92%), Linux 3.11 (92%), Linux 3.12 (92%), Linux 3.12 - 3.19 (92%), Linux 3.13   (92%)
# nmap -v -O --osscan-guess

Detect if a host is protected by a firewall (root)

When no firewall is in the way, the ACK scan reports all ports as unfiltered, because the host answers every unsolicited ACK with a RST, as shown below:

# nmap -sA
Host is up (0.00042s latency).
All 1000 scanned ports on ( are unfiltered

When a firewall on the remote host drops the probes, nmap reports the ports as filtered:

# nmap -sA
Nmap scan report for (
Host is up (0.00045s latency).
All 1000 scanned ports on ( are filtered

Scanning using NSE scripts

There are about 400+ NSE (Nmap Scripting Engine) scripts that can be used with nmap, and each script comes with good documentation. To list the scripts installed on your machine, run the command below:

# locate nse |grep script

DNS Brute force to identify sub domains of a given domain (no root)

nmap can enumerate the sub-domains of a given domain. Identifying sub-domains of a host can reveal new targets during a security assessment. To do that, use the dns-brute.nse script.

$ nmap -p 80 --script dns-brute.nse

Sample output:

80/tcp open  http
Host script results:
| dns-brute:
|   DNS Brute-force hostnames:
| -
|_ - 2606:2800:220:1:248:1893:25c8:1946

Identifying virtual hosts on a given host (no root)

The given domain name may host multiple websites using the virtual hosts feature of the web server. You can identify those virtual hosts using the hostmap-bfk.nse script.

$ nmap -p 80 --script hostmap-bfk.nse
Host script results:
| hostmap-bfk:
|   hosts:

Identify the geographical location of given host

# nmap --traceroute --script traceroute-geolocation.nse -p 80

Sample output:

Host script results:
| traceroute-geolocation:
|   HOP  RTT     ADDRESS          GEOLOCATION
|   1    0.44                     23,113 China (Guangdong)
|   2    0.88                     - ,-
|   3    1.58                     20,77 India ()
|   4    1.87                     20,77 India ()
|   5    1.61                     - ,-
|   6    11.62                    - ,-
|   7    ...
|   8    13.32                    - ,-
|   9    14.71                    18,72 India (Mah\xC4\x81r\xC4\x81shtra)
|   10   ...
|   11   ...
|   12   ...
|   13   293.92  (                51,0 United Kingdom ()
|   14   293.77  (85.9 5.25.41)   51,0 United Kingdom ()
|   15   168.70  (                51,0 United Kingdom ()
|   16   168.13  (                51,0 United Kingdom ()
|   17   293.97  (                51,0 United Kingdom ()
|   18   275.17  (                38,-97 United States ()
|_  19   295.32                   42,-70 United States (Massachusetts)

For example, to list the HTTP-related scripts:

# locate nse |grep http

From the above output, you can copy the script name and use it with the --script option.

Get HTTP service information (no root)

There are many scripts that gather HTTP service information, such as the title of the web page, the HTTP headers, or known paths of a web application.

$ nmap --script=http-title
Host is up (0.0000070s latency).
Not shown: 998 closed ports
22/tcp open  ssh
80/tcp open  http
|_http-title: Apache2 Ubuntu Default Page: It works

Get HTTP header information (no root)

$ nmap --script=http-headers
22/tcp open  ssh
80/tcp open  http
| http-headers:
|   Date: Mon, 11 Jul 2016 07:08:05 GMT
|   Server: Apache/2.4.18 (Ubuntu)
|   Last-Modified: Mon, 11 Jul 2016 07:04:49 GMT
|   ETag: "2c39-53756c49f4280"
|   Accept-Ranges: bytes
|   Content-Length: 11321
|   Vary: Accept-Encoding
|   Connection: close
|   Content-Type: text/html
|_  (Request type: HEAD)

Identify known paths of HTTP web application (no root)

$ nmap --script=http-enum
80/tcp open  http
| http-enum:
|_  /server-status/: Potentially interesting folder

Detect Heartbleed SSL vulnerability (no root)

You might have heard of the SSL vulnerability Heartbleed. Nmap can be used to check a host for it as shown below:

$ nmap -sV -p 443 --script=ssl-heartbleed

Identify whois of a domain name (no root)

$ nmap -sV --script=whois-domain.nse

Sample output:

Host script results:
| whois-domain:
| Domain name record found at
| % IANA WHOIS server
| % for more information on IANA, visit
| % This query returned 1 object
| domain:       EXAMPLE.COM
| organisation: Internet Assigned Numbers Authority
| created:      1992-01-01
| source:       IANA

TCP Syn and UDP Scan (root)

# nmap -sS -sU -PN

The above command scans the 1000 most common TCP ports and the 1000 most common UDP ports, 2000 in total. The -PN option tells nmap to skip host discovery and assume the host is up; that matters when a firewall on the remote machine drops the ICMP probes, since otherwise nmap would declare the host down and never scan its ports.

TCP connect scan (no root)

$ nmap -sT

The above command asks the operating system to complete a full TCP connection to each of the 1000 most common ports instead of sending raw SYN packets. It needs no root privileges, but it is slower and noisier than a SYN scan, because the completed handshake is visible to (and typically logged by) the service on the other end.

Scan an IPv6 address (no root)

All the example commands above scan IPv4 addresses, but you can scan IPv6 addresses as well. To do that, use the '-6' option followed by an IPv6 address.

$ nmap -6 2001:db8:000:3eff:fe52:77

List host Interfaces and routes (no root)

$ nmap --iflist
Starting Nmap 7.01 ( ) at 2016-07-11 09:53 UTC
DEV  (SHORT) IP/MASK                      TYPE     UP MTU   MAC
lo   (lo)                  loopback up 65536
lo   (lo)    ::1/128                      loopback up 65536
ens3 (ens3)                  ethernet up 1450  FA:16:3E:C0:14:5F
ens3 (ens3)  fe80::f816:3eff:fec0:145f/64 ethernet up 1450  FA:16:3E:C0:14:5F
DST/MASK                      DEV  METRIC GATEWAY
                              ens3 0
                              ens3 0
                              ens3 0
::1/128                       lo   0
fe80::f816:3eff:fec0:145f/128 lo   0
fe80::/64                     ens3 256
ff00::/8                      ens3 256

Save Nmap outputs to a text file

$ nmap -oN nmap_text.txt

Save Nmap output as XML

$ nmap -oX nmap_xml.xml

Save output in a format for grep

$ nmap -oG nmap_grep.txt

Save Nmap output in all formats

$ nmap -oA allformats_file

Nmap with GUI

Download Zenmap, or install it using apt-get/yum:

$ sudo apt-get install zenmap

