
How to Use the Nmap Command for Network Scanning: A Guide

What is Nmap?

At its core, Nmap is a network scanning tool that uses IP packets to identify all network devices and provide information about the services and operating systems they use.

Nmap is mostly used through a command line interface (although GUI front-ends are also available) and runs on many operating systems, such as Linux, FreeBSD and Gentoo. Its reputation has also been strengthened by an active and enthusiastic user community.

The rise of IoT in particular means that corporate networks have become more complex and therefore harder to protect.

This means that Nmap is now used in many website monitoring tools to test traffic between web servers and IoT devices. The recent emergence of IoT botnets such as Mirai has also renewed interest in Nmap because of its ability to detect devices that speak the UPnP protocol and highlight any potentially malicious devices.

How to use Nmap

Nmap is straightforward to use, and many of the tools it provides are familiar to system administrators from other applications. The advantage of Nmap is that it brings many of these tools together in one program, rather than forcing you to switch between several different network monitoring tools.

To use Nmap, you need to familiarize yourself with its command line interface. Most advanced users write scripts to perform routine tasks automatically, but this is not required for basic network monitoring.

How To Install Nmap

The process of installing Nmap is simple but varies depending on your operating system. Windows, Mac and Linux versions of the program can be downloaded from the Nmap website.

Install on Linux (Debian/Ubuntu) and Termux:

apt install nmap -y

Nmap Command List

1. Normal Scanning

Scanning a system by hostname and by IP address. First, scan using the hostname:


Now let’s scan using the IP address:


The nmap command lets you scan a system in various ways. Here we scan using a hostname such as “” and an IP address such as ““, to find all open ports, services and MAC addresses on the system.



2. Advanced option scan

Use the “-v” (verbose) option to show the progress of the scan live:

nmap -v


3. Multiple Ip Address Scan

The list of Nmap commands also includes an IP address scanner. If you want to scan a single IP address, follow the examples shown above, but if you want to scan multiple IP addresses, follow the steps below.



We can scan multiple hosts by listing their IP addresses or hostnames, separated by spaces, on the nmap command line. This syntax helps when scanning several unrelated addresses; consecutive IP addresses have their own range syntax (see below).



4. Display open ports

Finding open ports (destination ports that respond to TCP/UDP/SCTP requests) is often the first step in protecting, or attacking, any network. If you only want to see the ports you can actually connect to, this command comes in handy.

Command: nmap --open <IP address/domain name>

nmap --open

In the example above, we use the “--open” parameter with the IP address, so the Nmap command shows us only ports in the open state.



5. Nmap All Port Scan Command

If you want to scan a single port or a whole range of ports on a remote or local server, you need the Nmap port scan command. Here is the command for all ports:

nmap -p 1-65535

In this example you have scanned all 65535 ports on the local host. You can change the range according to your needs, and the number of scanned ports changes accordingly. Scanning all ports is slower than the default 1000-port scan, so use it when completeness matters more than speed.


6. Most Popular Ports Scanning

Goal: Scan a fixed number of the most popular ports.

To use this command, add the “--top-ports” option with a numeric value. Nmap ranks ports by how frequently they are found open, and this option scans only the most common ones; you choose how many of them to include. This gives faster results than a full port scan.

Command: nmap --top-ports <numeric value> <IP address/domain>

nmap --top-ports 20

In our example, we used the “--top-ports” option to specify that we only want to scan the top 20 ports of the target IP address.



7. Ping Scan Using Nmap

The list of Nmap commands is extensive. Many more examples could be given, but if you want to ping scan with Nmap, do the following:

This command sends an Internet Control Message Protocol (ICMP) echo request to every IP address on the network. The main disadvantage of this type of scan is that some remote hosts block ICMP ping packets. A common example: Windows Firewall with Advanced Security blocks ICMP echo request packets by default. This command returns host details and is less aggressive than the other scans.

nmap -sP

(-sP is the legacy spelling; current Nmap versions accept it as an alias for -sn, the no-port-scan host discovery option.)

This is probably one of the most used and popular Nmap commands to help detect hosts on any network.



8. Scanning IP Range

The Nmap scan command can scan an entire range of IP addresses. CIDR notation lets you specify the whole range in one expression. Example:

nmap 192.168.0.0/24

Besides CIDR notation, Nmap also accepts explicit address ranges, so you can scan consecutive addresses or only a selection of addresses within a range.



9. Scanning the entire subnet

We can scan an entire subnet or IP range with nmap by using “*” as a wildcard for an octet. It scans the whole subnet and reports the live hosts it finds.

nmap 192.168.71.*
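Before launching a range scan it is worth knowing exactly which addresses a target expression covers, both to keep the scan inside the agreed scope and to catch malformed expressions (such as a CIDR prefix with a missing octet). The following Python example is added here and is not part of the original post or of Nmap itself; it reimplements Nmap's target-expression syntax (single address, CIDR, and per-octet wildcards, ranges and lists) as a scope check. The function and variable names, and the sample scope list, are this example's own.

```python
import ipaddress
from itertools import product


def _expand_octet(spec: str) -> list[int]:
    """Expand one octet of an Nmap-style target: '5', '*', '1-50', '-' or '1,5,9-12'."""
    values: set[int] = set()
    for part in spec.split(","):
        if part == "*":
            values.update(range(256))
        elif "-" in part:
            lo, hi = part.split("-", 1)
            lo_i = int(lo) if lo else 0        # '-50' means 0-50
            hi_i = int(hi) if hi else 255      # '200-' means 200-255
            if not 0 <= lo_i <= hi_i <= 255:
                raise ValueError(f"bad octet range: {part}")
            values.update(range(lo_i, hi_i + 1))
        else:
            n = int(part)
            if not 0 <= n <= 255:
                raise ValueError(f"bad octet: {part}")
            values.add(n)
    return sorted(values)


def expand_target(spec: str) -> list[str]:
    """Return every IPv4 address covered by one Nmap target expression.

    Supports a plain address, CIDR notation (192.168.0.0/24) and Nmap's
    octet syntax (192.168.71.*, 10.0.0.1-50, 10.0.0-1.1,5).
    Raises ValueError for malformed input such as '192.168.0/24'.
    """
    if "/" in spec:
        net = ipaddress.ip_network(spec, strict=False)
        # Nmap scans the network and broadcast addresses too, so keep them.
        return [str(addr) for addr in net]
    octets = spec.split(".")
    if len(octets) != 4:
        raise ValueError(f"not an IPv4 target: {spec}")
    expanded = [_expand_octet(o) for o in octets]
    return [".".join(str(n) for n in combo) for combo in product(*expanded)]


def is_valid_target(spec: str) -> bool:
    """True if Nmap-style target expression parses, False otherwise."""
    try:
        expand_target(spec)
        return True
    except ValueError:
        return False


def scope_report(targets: list[str], allowed: list[str]) -> dict:
    """Expand all targets and list any address outside the allowed CIDR blocks."""
    allowed_nets = [ipaddress.ip_network(a, strict=False) for a in allowed]
    addrs: list[str] = []
    for target in targets:
        addrs.extend(expand_target(target))
    out_of_scope = [
        a for a in addrs
        if not any(ipaddress.ip_address(a) in net for net in allowed_nets)
    ]
    return {"total": len(addrs), "out_of_scope": out_of_scope}


if __name__ == "__main__":
    # Constructed sample: the scan list covers more than the authorised block.
    report = scope_report(["10.0.0.1-5", "192.168.71.*"], ["10.0.0.0/30", "192.168.71.0/24"])
    print(f"{report['total']} addresses, {len(report['out_of_scope'])} out of scope:",
          report["out_of_scope"])
```

Run the check against your target list and the authorised ranges before starting the scan; an empty `out_of_scope` list means the expression stays within the agreed boundary.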


10. Service Version Detection

Nmap has a database of more than 2000 services and their usual ports, for example SSH (port 22) and HTTP (port 80). If you want to know which versions are running, use the Nmap version detection option (-sV) when doing network inventories. Knowing the exact version number is very helpful when checking your servers for known exploits.

nmap -sV

In the example above, we perform a version check using the “-sV” option, which returns a list of services together with their versions.



11. Scanning IP and Scan Host from a File

If we have a long list of addresses to scan, we can read them from a file directly on the command line, and Nmap will scan each address it finds there. The file may contain IP addresses and hostnames, one per entry. To use this Nmap command, first create the file (here input.txt) with your targets, then run:

nmap -iL input.txt



12. Get OS Information

Nmap is an ideal choice for remote OS detection. The -A flag tells Nmap to find and display OS information about the hosts you are testing.

nmap -A
nmap -A -v

You can add the -v flag for more information in your results. It is a good way for beginners to get started with Nmap commands. The same flags can be combined with -iL to get the OS information of the hosts listed in a file.



13. Information about the Host

Here -A enables OS detection (-O), version detection (-sV), script scanning (-sC) and traceroute, and so provides a lot of important information about the host.

nmap -A <Domain Name>


14. Operating System Scan

This shows what Nmap can infer about the operating system when the domain or IP address is up. Note that it does not read the real operating system off the computer; it is a fingerprint-based guess made from the host's network responses, so treat the result as an estimate.

nmap -O <Domain Name>



15. Saving the result to a file

Using Nmap commands has become a key part of everyday system work. If you want to save the results, do it like this:

nmap -oN output.txt

This command saves the normal (human-readable) output to a file so you can review it later instead of reading it off the screen.



16. Nmap UDP Scan

Description: Nmap scans the target computer by sending a UDP packet to each target port. This command requires root/admin privileges.

Although most popular services on the Internet run over TCP, some services such as DNS [port 53], DHCP [ports 67/68] and SNMP [ports 161/162] still use UDP.

A common mistake is to forget to harden UDP ports on your system or network, leaving them exposed to UDP exploits, which are quite common. The UDP scan (-sU) can be used in tandem with the SYN scan (-sS) to check both protocols in the same scan, as seen in Figure 1.7.

nmap -sU


17. Nmap TCP Scan

One of the best things about Nmap is its command for checking open ports, and the second best is its ability to work with both TCP and UDP without any hiccups. Some services are limited to TCP only, but there is real benefit in scanning UDP-based services too. Here is an example of the TCP side.

The output you get when you scan using a standard TCP connect scan:

nmap -sT



18. Nmap TCP SYN Scan

The Nmap TCP SYN scan sends a SYN packet to the 1000 most used ports on the target computer and waits for a response.

Because the TCP SYN scan does not complete a full connection to the target, the applications listening on the target do not see (and therefore do not log) a connection attempt; this is why the method is often called stealthy. Keep in mind, however, that stealth is not guaranteed, as modern firewalls and intrusion detection systems can detect half-open scans.

The output of the -sS command is shown in Figure 1.1.

sudo nmap -sS
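The remark above that firewalls can detect a SYN scan is easy to demonstrate from the defender's side: a SYN scan produces one SYN, with no completed handshake, to many different ports from the same source in a short time. The Python example below is added here and is not from the original post or from Nmap; it parses constructed iptables-style LOG lines (the field names SRC=, DST=, PROTO=, DPT= and the bare flag tokens follow the kernel LOG target's layout, but the lines themselves are made up for this example) and flags any source that sends SYN-only packets to at least `threshold` distinct ports within `window_s` seconds. Function names and thresholds are this example's own choices.

```python
import re
from collections import defaultdict
from datetime import datetime

# Syslog-style prefix used by the constructed sample lines ("Jun  1 10:00:01").
_TS_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) ")
_KV_RE = re.compile(r"\b(\w+)=(\S*)")


def parse_line(line: str):
    """Return {'time','src','dst','dport','syn_only'} for a TCP LOG line, else None."""
    m = _TS_RE.match(line)
    if not m:
        return None
    fields = dict(_KV_RE.findall(line))
    if fields.get("PROTO") != "TCP":
        return None                     # ignore UDP/ICMP lines
    tokens = set(line.split())          # TCP flags appear as bare tokens, e.g. "SYN"
    return {
        "time": datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"),
        "src": fields["SRC"],
        "dst": fields["DST"],
        "dport": int(fields["DPT"]),
        "syn_only": "SYN" in tokens and "ACK" not in tokens,
    }


def detect_port_scans(lines, threshold: int = 10, window_s: int = 5):
    """Alert on sources that SYN to >= threshold distinct ports within window_s seconds."""
    events = defaultdict(list)          # src -> [(time, dst, dport), ...]
    for line in lines:
        ev = parse_line(line)
        if ev and ev["syn_only"]:
            events[ev["src"]].append((ev["time"], ev["dst"], ev["dport"]))

    alerts = []
    for src, evs in events.items():
        evs.sort()
        for i, (t0, _, _) in enumerate(evs):
            window = [e for e in evs[i:] if (e[0] - t0).total_seconds() <= window_s]
            ports = {dport for _, _, dport in window}
            if len(ports) >= threshold:
                alerts.append({"src": src, "distinct_ports": len(ports),
                               "first_seen": t0.strftime("%H:%M:%S")})
                break                   # one alert per source is enough
    return alerts


def _line(ts: str, src: str, dst: str, dport: int, flags: str) -> str:
    """Build one constructed iptables LOG-style line for the sample below."""
    return (f"{ts} gw kernel: [UFW BLOCK] IN=eth0 OUT= SRC={src} DST={dst} LEN=44 TOS=0x00 "
            f"PREC=0x00 TTL=52 ID=1234 PROTO=TCP SPT=51234 DPT={dport} WINDOW=1024 "
            f"RES=0x00 {flags} URGP=0")


# Constructed sample log: one source probing 12 ports in 3 seconds (scan-like),
# one ordinary client opening two services, plus a UDP line that must be ignored.
_SCAN_PORTS = [21, 22, 23, 25, 53, 80, 110, 135, 139, 143, 443, 445]
SAMPLE_LOG = [
    _line(f"Jun  1 10:00:0{1 + i // 4}", "203.0.113.9", "192.0.2.10", p, "SYN")
    for i, p in enumerate(_SCAN_PORTS)
] + [
    _line("Jun  1 10:00:01", "198.51.100.7", "192.0.2.10", 22, "SYN"),
    _line("Jun  1 10:00:02", "198.51.100.7", "192.0.2.10", 443, "SYN"),
    _line("Jun  1 10:00:02", "198.51.100.7", "192.0.2.10", 22, "ACK"),
    "Jun  1 10:00:03 gw kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 "
    "LEN=60 PROTO=UDP SPT=40000 DPT=53 LEN=40",
]

if __name__ == "__main__":
    for alert in detect_port_scans(SAMPLE_LOG):
        print(f"possible port scan from {alert['src']}: "
              f"{alert['distinct_ports']} ports since {alert['first_seen']}")
```

The threshold and window are tuning knobs: a slow scan (Nmap's -T0/-T1 timing) spreads probes over minutes and needs a longer window, while a busy web server legitimately receives many SYNs to a single port, which this logic correctly ignores because it counts distinct ports, not packets.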



19. Nmap TCP ACK Scan

Firewall information scan: used to learn how the host's firewall is configured.

Knowing the firewall rules is helpful during penetration testing and vulnerability scanning. To gather this information we use the “-sA” option, which sends ACK packets and uses the replies to tell which ports are filtered by a firewall and which are unfiltered.

sudo nmap -sA

sudo nmap -v -sA




20. Using Nmap to Detect CVE

Many system administrators are not aware of this feature that Nmap offers: CVE detection. It is one of its best features and one that people rarely use. Nmap ships with predefined scripts that perform this check, and you can use those scripts or write your own in the Lua programming language to add functionality that helps with CVE detection. Below is the command you need:

nmap -Pn --script vuln


21. How to Run a DoS Test with Nmap

One thing Nmap will never be short on is features. From Nmap command cheat sheets to Nmap Termux commands, there are several cross-platform features available. In addition to all the other commands, Nmap has the ability to run denial-of-service (DoS) scripts, which can be used for stress testing your own network.

The command you need for this is:

nmap --max-parallelism 800 -Pn --script http-slowloris --script-args http-slowloris.runforever=true



22. Detection of remote host malware infection

Nmap commands in Kali Linux, Nmap commands in Termux, and Nmap commands for vulnerability scanning are all essential for system administrators, but detecting malware on a remote host is even more important.

You can simply use the Google Malware Checker (the http-malware-host script) with the command:

nmap -sV --script=http-malware-host



23. No Ping Scan | Firewall Bypass

The no-ping option, entered as -Pn, makes Nmap skip host discovery. By default, Nmap only port-scans hosts that it has found to be up during host discovery. With this option, Nmap performs the requested scan against every specified target IP as if each were up. Use it when it is important to check every possible host, including those that do not respond to host discovery probes.

nmap -Pn



24. Consult Nmap Documentation

As Nmap has grown so much over time, it is very difficult to remember all of its options. Fortunately, the Nmap documentation provides excellent information to help users get started.

The command below lists all the available Nmap options. You can consult the manual page for more details.

nmap --help



Target Specification :

Option | Example | Description
 | nmap | Scan a single IP
 | nmap | Scan specific IPs
 | nmap | Scan a range
 | nmap scanme.nmap.org | Scan a domain
 | nmap | Scan using CIDR notation
-iL | nmap -iL target.txt | Scan targets from a file
-iR | nmap -iR 50 | Scan 50 random hosts
--exclude | nmap --exclude | Exclude the listed hosts



Nmap Scan Techniques :

Option | Example | Description
-sS | nmap -sS | TCP SYN port scan (default)
-sT | nmap -sT | TCP connect port scan (default without root privileges)
-sU | nmap -sU | UDP port scan
-sA | nmap -sA | TCP ACK port scan
-sW | nmap -sW | TCP Window port scan
-sM | nmap -sM | TCP Maimon port scan


Host Discovery :

Option | Example | Description
-sL | nmap -sL | No scan. List targets only
-sn | nmap -sn | Disable port scanning. Host discovery only
-Pn | nmap -Pn | Disable host discovery. Port scan only
-PS | nmap -PS22-25,80 | TCP SYN discovery on port x. Port 80 by default
-PA | nmap -PA22-25,80 | TCP ACK discovery on port x. Port 80 by default
-PU | nmap -PU53 | UDP discovery on port x. Port 40125 by default
-PR | nmap -PR | ARP discovery on the local network
-n | nmap -n | Never do DNS resolution


Port Specification :

Option | Example | Description
-p | nmap -p 21 | Port scan for port x
-p | nmap -p 21-100 | Port range
-p | nmap -p U:53,T:21-25,80 | Port scan multiple TCP and UDP ports
-p- | nmap -p- | Port scan all ports
-p | nmap -p http,https | Port scan from service name
-F | nmap -F | Fast port scan (100 ports)
--top-ports | nmap --top-ports 2000 | Port scan the top x ports
-p-65535 | nmap -p-65535 | Leaving off the initial port in the range makes the scan start at port 1
-p0- | nmap -p0- | Leaving off the end port in the range makes the scan go through to port 65535


Output :

Option | Example | Description
-oN | nmap -oN normal.file | Normal output to the file normal.file
-oX | nmap -oX xml.file | XML output to the file xml.file
-oG | nmap -oG grep.file | Grepable output to the file grep.file
-oA | nmap -oA results | Output in the three major formats at once
-oG - | nmap -oG - | Grepable output to the screen. -oN -, -oX - also usable
-v | nmap -v | Increase the verbosity level (use -vv or more for greater effect)
-d | nmap -d | Increase debugging level (use -dd or more for greater effect)
--reason | nmap --reason | Display the reason a port is in a particular state, the same output as -vv
--open | nmap --open | Only show open (or possibly open) ports
--packet-trace | nmap -T4 --packet-trace | Show all packets sent and received
--iflist | nmap --iflist | Show the host interfaces and routes
--resume | nmap --resume results.file | Resume a scan
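Saving results (section 15 and the Output table above) is most useful when the saved file is then compared against what the network is supposed to look like. The Python example below is added here and is not part of the original post or of Nmap; it reads Nmap's XML output (-oX) with the standard library, collects the open ports and detected service versions per live host, and diffs them against a baseline of expected listeners so that new or vanished services stand out. The XML sample is constructed for this example but uses Nmap's real element and attribute names (nmaprun, host, status, address, ports, port, state, service); the baseline, host addresses and function names are this example's own.

```python
import xml.etree.ElementTree as ET

# Constructed sample of Nmap XML output, shaped like the -oX format.
SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 192.168.1.10 192.168.1.20" version="7.94">
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="192.168.1.10" addrtype="ipv4"/>
    <address addr="00:11:22:33:44:55" addrtype="mac"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh" product="OpenSSH" version="8.9p1"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http" product="nginx" version="1.18.0"/></port>
      <port protocol="tcp" portid="8080"><state state="open" reason="syn-ack"/><service name="http-proxy"/></port>
      <port protocol="tcp" portid="25"><state state="closed" reason="reset"/><service name="smtp"/></port>
    </ports>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="192.168.1.20" addrtype="ipv4"/>
  </host>
</nmaprun>
"""

# Constructed baseline: the listeners each host is expected to have.
BASELINE = {
    "192.168.1.10": {("tcp", 22), ("tcp", 80)},
    "192.168.1.20": {("tcp", 443)},
}


def parse_nmap_xml(xml_text: str) -> dict:
    """Return {host_ip: {(protocol, port): service description}} for open ports on live hosts."""
    root = ET.fromstring(xml_text)
    result = {}
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue                            # down hosts have no port data
        addr = None
        for a in host.findall("address"):
            if a.get("addrtype") in ("ipv4", "ipv6"):
                addr = a.get("addr")            # skip the MAC address entry
                break
        if addr is None:
            continue
        ports = {}
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue                        # closed/filtered ports are not listeners
            svc = port.find("service")
            desc = ""
            if svc is not None:
                parts = (svc.get("name"), svc.get("product"), svc.get("version"))
                desc = " ".join(p for p in parts if p)
            ports[(port.get("protocol"), int(port.get("portid")))] = desc
        result[addr] = ports
    return result


def diff_against_baseline(scan: dict, baseline: dict):
    """Return (unexpected, missing): listeners not in the baseline, and baseline listeners not seen."""
    unexpected, missing = {}, {}
    for host, ports in scan.items():
        allowed = baseline.get(host, set())
        extra = {pp: desc for pp, desc in ports.items() if pp not in allowed}
        if extra:
            unexpected[host] = extra
        gone = allowed - set(ports)
        if gone:
            missing[host] = gone
    for host in baseline.keys() - scan.keys():
        missing[host] = set(baseline[host])     # host down or absent: all its listeners are missing
    return unexpected, missing


if __name__ == "__main__":
    scan = parse_nmap_xml(SAMPLE_XML)
    unexpected, missing = diff_against_baseline(scan, BASELINE)
    for host, ports in unexpected.items():
        for (proto, port), desc in sorted(ports.items()):
            print(f"NEW listener on {host}: {port}/{proto} {desc}")
    for host, ports in missing.items():
        for proto, port in sorted(ports):
            print(f"MISSING listener on {host}: {port}/{proto}")
```

In practice you would run `nmap -sV -oX scan.xml <targets>` on a schedule, feed the file to `parse_nmap_xml`, and treat every entry in `unexpected` as a change to investigate (an unplanned service, or a host that was not supposed to be reachable) and every entry in `missing` as a possible outage.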


Conclusion :

There are various ways to extend what Nmap can do for you. These commands and examples should help you understand and explore this monitoring tool. Read through the whole post and note the commands that are useful for your own systems. Some sets of commands are specific to a platform or user interface, but many are common and can be used across all of them.

So you’ve decided to pursue a career in cyber security? Visit our website for Cyber Security and find the best opportunity to launch a successful career in Cyber Security.


Hello, I'm SUMAN from India. I’m currently working on cyber security, ethical hacking, penetration testing and bug bounty. I’m also learning more about web design and Android ROMs.