Search form


nmap is a security scanner capable of mapping topology, discovering hosts, determining OS and device profiles, examining individual services, and exposing vulnerabilities across networks. It's licensed under the GPL and binaries are available for most platforms. A graphical frontend called Zenmap is available in most Linux repos.

More specifically, nmap sends ICMP Echo (type 0), ICMP Timestamp Request (type 13), TCP SYN, and TCP ACK packets to specified individual systems or network address ranges. As nmap discovers active or listening devices, nmap examines their open ports, places them into one of six categories -- open, closed, filtered, unfiltered, open/filtered, and closed/filtered -- and attempts to identify the services or software running on them. All default behavior can be modified using nmap's command-line switches. See the official nmap documentation and IP protocol RFC sourcebook for further discussion. nmap is a useful pen-testing tool as it includes a scripting engine and is capable of sending intentionally malformed or fragmented packets, performing decoy scans, and falsifying source ports, IP and MAC addresses for IDS and firewall evasion.

Some Common nmap Options

Usage is nmap options hostname-or-IP-range

-AEnable OS detection, version detection, script scanning, and traceroute
--exclude-ports port rangeDon't scan the listed port range, e.g., --exclude-ports 0-255
-FFast mode, scans the 100 busiest ports for each protocol listed in the nmap-services file; default is 1,000
-OEnable OS detection
-oN/X/S/G/A filenameSpecify output format to save results: -oN=normal, -oX=XML, -oS=script kiddie (for the l33+ h4X0r), -oG=grep-able, -oA=all
-PnDon't perform host discovery/ping scan, and assume all hosts are online; default is host discovery enabled with ICMP Echo/Timestamp Request/TCP SYN/TCP ACK packets
-p port-rangeSpecify a port range, e.g., -p 1-65535 to scan all TCP ports
-snDisable port scan, only perform host discovery/ping scan
-sS or -sATCP SYN or TCP ACK scan (SYN is default)
-sUUDP scan
-sVProbe open ports to determine service/version details
-T0-5Set timing template; higher is more aggressive; default is 3 ("normal"); 4 recommended in most cases
--traceroutePerform a post-scan route trace to host using the scan results to determine which port/protocol are most likely to reach the target (if you just want to see a multi-hop traceroute as on Unix-like OSes, use -sn -Pn --traceroute)
-vIncrease verbosity of results, use -vv for greater verbosity
--version-intensity 0-9/light/all/traceService/version detection intensity from light to all (0-9)/limit to most likely (intensity 2)/all (9)/show detailed version scan activity

Some nmap Examples

Verbose aggressive scan of a single host with traceroute, OS and service detection:

$ nmap -T4 -A -v

Same as above, but also scan UDP ports:

$ nmap -sS -sU -T4 -A -v

Scan some common TCP ports:

$ nmap -p 22,25,80,143,443,587,993,995 -T4 -A -v

Skip host discovery:

$ nmap -p 22,25,80,143,443,587,993,995 -T4 -A -v -Pn

Perform normal host discovery plus traceroute:

$ nmap -sn --traceroute

Find and enumerate potential web servers among the 256 possible IP addresses in the given network (IPv4 CIDR notation), then attempt to identify the specific application running on ports 80/443:

$ nmap -sV -p 80,443

Same as above, but skip host discovery/ping scan, and save the results in XML and grep-able formats:

$ nmap -sV -Pn -p 80,443 -oX /home/me/webservers.xml -oG /home/me/webservers.gnmap