Tutorial Nmap Commands [Complete]

Nmap (Network Mapper) is a free and open-source network scanner, and the most popular one, used for network discovery and security auditing. As an administrator, you can use this network discovery tool to map your network. Nmap is also valuable for users who host their website from home, since they can simulate the process that a hacker would use to attack their site. Once you have installed Nmap, you will need to know some commands to perform basic network scans. This article presents a tutorial on Nmap commands. To purchase your own Linux VPS, visit the available packages of Eldernode and order what you need.

What is Nmap

Nmap is a free and open-source utility for network discovery and security. Network and system administrators also find Nmap useful for tasks such as managing service upgrade schedules, monitoring host or service uptime, and network inventory. Nmap is also flexible, powerful, portable, easy, free, well documented, supported, acclaimed, and popular. To determine the available hosts on the network, Nmap uses raw IP packets in a novel way. It is designed to scan large networks rapidly, and it also works fine against single hosts.

Nmap Features

Nmap offers a number of features for probing computer networks. Here are the most widely used ones. You can get other features and information with the -h switch. Let's review some of them in the list below:

1- Quick scan of all ports

2- Target operating system identification

3- Sending an anonymous packet to filter the firewall

4- Ability to scan a certain range of ports

5- Spoofing feature

6- Ability to save the scan result with different formats

7- Ability to set TTL to filter smart firewalls

8- Ability to send packets for smart scanning

9- Ability to identify services with open port

10- Ability to adjust various scanning techniques

Top Nmap Commands with Examples

Once you have installed Nmap, you need to use Nmap commands to start scanning the host or network to find any possible vulnerable points in the hosts. The IP addresses in the commands are examples, and you can enter your own. Pay attention to uppercase and lowercase letters, because Nmap options are case-sensitive. Also, all commands can be run on Windows and Linux operating systems.

Stay with us to review the best Nmap commands with examples for Linux Network.

Nmap Ping Scan Command

Nmap's most basic function is identifying the active hosts on your network. A ping scan allows Nmap to do this and identifies all of the IP addresses that are online without sending any packets to these hosts. You can use the command below to run a ping scan and see which servers are active:

nmap -sn <target IP range>

Also, it returns a list of hosts on your network and the total number of assigned IP addresses. So, you can run the following command to view the returned information on every active IP on your network:


Nmap Host Scan Commands

The host scan is a more powerful way to scan your networks since it sends ARP request packets to all the hosts connected to your network. Then, each host responds to this packet with another ARP packet containing its status and MAC address.

Use the following command to run a host scan:

nmap -sn <target IP range>

You can use this command as a powerful way to spot suspicious hosts connected to your network. It returns information on every host: its latency, its MAC address, and any description associated with that address.

Note: If you see anything unusual in this list, run a DNS query on the specific host by using:

nmap -sL <IP address>

This command returns a list of names associated with the scanned IP, so you can see what the IP is actually for.

Nmap Port Scanning Commands

You can use Nmap for port scanning. Here are the most commonly used commands:

-sS TCP SYN scan
-sT TCP connect scan
-sU UDP scans

The differences between these types of scans are whether they cover TCP or UDP ports and whether they execute a TCP connection.

Nmap OS Scanning Commands

Another powerful feature of Nmap is OS scanning. With this type of scan, Nmap sends TCP and UDP packets to a particular port and then analyzes the response. By comparing the response to a database of 2600 operating systems, it returns information on the OS (and version) of a host.

You can run an OS scan with the command below:

nmap -O <target IP>

As we mentioned, users who run Nmap on their home server find it very valuable. If you are running Nmap on your home server, use the following command to automatically scan a number of the most "popular" ports for a host. You just need to replace the "20" with the number of ports to scan:

nmap --top-ports 20 YourIPAddress

It returns a concise output that details the status of the most common ports. In this way, you will see if you have any unnecessarily open ports.

Nmap Output Result Commands

To write the results of your Nmap scans to a file, add one of the following options to your command. Add:

-oN output.txt

to your command to output the results to a text file, or:

-oX output.xml

to output to an XML file.

Also, you can save the output to a text file by running the commands below:

nmap <target IP> > output.txt
nmap -oN /path/to/filename <target IP>
nmap -oN output.txt <target IP>
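
An added example (not from the original article): one way to use the `-oX` XML output for the checks described above, flagging hosts whose MAC address is not in an inventory and open ports that are not expected. The sample XML, the `INVENTORY` mapping and the `audit` function are constructed for illustration; Nmap reports MAC addresses only for hosts on the local Ethernet segment when it runs with raw-socket privileges.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of `nmap -oX output.xml ...` output
# (documentation addresses, not taken from a real scan).
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
 <host><status state="up"/>
  <address addr="192.0.2.10" addrtype="ipv4"/><address addr="02:00:00:AA:BB:01" addrtype="mac"/>
  <ports>
   <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
   <port protocol="tcp" portid="23"><state state="open"/><service name="telnet"/></port>
   <port protocol="tcp" portid="80"><state state="closed"/><service name="http"/></port>
  </ports></host>
 <host><status state="up"/>
  <address addr="192.0.2.77" addrtype="ipv4"/><address addr="02:00:00:AA:BB:99" addrtype="mac"/>
  <ports><port protocol="udp" portid="161"><state state="open|filtered"/><service name="snmp"/></port></ports></host>
 <host><status state="down"/><address addr="192.0.2.200" addrtype="ipv4"/></host>
</nmaprun>"""

# Hypothetical inventory: known MAC address -> ports expected to be open.
INVENTORY = {"02:00:00:AA:BB:01": {("tcp", 22), ("tcp", 80)}}

def audit(xml_text, inventory):
    """Return (unknown_hosts, unexpected_ports) found in Nmap XML output."""
    unknown, unexpected = [], []
    for host in ET.fromstring(xml_text).iter("host"):
        if host.find("status").get("state") != "up":
            continue  # skip hosts Nmap reported as down
        addrs = {a.get("addrtype"): a.get("addr") for a in host.iter("address")}
        ip, mac = addrs.get("ipv4") or addrs.get("ipv6"), addrs.get("mac")
        if mac not in inventory:  # also true when no MAC was reported
            unknown.append((ip, mac))
        allowed = inventory.get(mac, set())
        for port in host.iter("port"):
            # "open" and "open|filtered" both deserve a look; "closed" does not
            if not port.find("state").get("state").startswith("open"):
                continue
            key = (port.get("protocol"), int(port.get("portid")))
            if key not in allowed:
                svc = port.find("service")
                unexpected.append((ip, *key, svc.get("name") if svc is not None else "?"))
    return unknown, unexpected

if __name__ == "__main__":
    unknown_hosts, unexpected_ports = audit(SAMPLE_XML, INVENTORY)
    print("unknown hosts:", unknown_hosts)
    print("unexpected open ports:", unexpected_ports)
```
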

How to speed up Nmap Scans

Especially in large network scans, you can speed up Nmap by disabling reverse DNS resolution with the -n parameter. For example, to turn off DNS resolution for the basic ping scan mentioned above, add -n:

nmap -sn -n <target IP range>

To perform a fast scan use the Nmap command below:

nmap -F <target IP>
nmap -6 -F IPv6_Address_Here

In the rest of this article, let's see some other commands to use with Nmap.

_ Quick scan of a system:

nmap -F <target IP>

_ Quick scan with details and version of ports:

nmap -v <target IP>

_ Identify the operating system with a detailed scan:

nmap -v -A <target IP>

_ Full scan with the desired range of port numbers:

nmap -v -p 1-100 <target IP>

In the above command, only ports 1 to 100 are scanned and reported.

_ Scan by sending random packets to block the destination system firewall:

nmap -v -f <target IP>

_ Send packets from a specific port for an anonymous scan:

nmap -v -g 80 <target IP>

In the above command, Nmap sends all the packets through your port 80 and the destination system looks at it as a web request.

To show all packets sent and received, run:

nmap --packet-trace <target IP>
nmap --packet-trace server1.YourDomainAddress

_ Scan a system when the system has blocked the ping:

nmap -v -Pn <target IP>

Nmap uses the ICMP protocol to check the status of the system, and if the user has blocked this protocol, you must use the -Pn switch.

_ An example of a complete command to use Nmap:

nmap -v -A -Pn -f -p 1-65535 -g 80 <target IP>

Your system will send the packets from port 80, and Nmap will also check and display the operating system specifications. Also, Nmap does not care whether the destination system has blocked the ICMP protocol, and it sends the packets randomly.

How to Scan a large number of hosts/networks

To scan a large number of hosts/networks you can use the -iL option. Using this option allows you to read the list of target systems using a text file:

cat > /tmp/test.txt

Then, append names as follows:


The syntax is as follows:

nmap -iL /tmp/test.txt

How to exclude hosts/networks (IPv4)

To exclude hosts/networks (IPv4) from an Nmap scan while scanning a large number of them, use the following commands:

nmap <target IP range> --exclude <host>
nmap <target IP range> --exclude <host1>,<host2>

OR exclude a list read from a file called /tmp/exclude.txt:

nmap -iL /tmp/scanlist.txt --excludefile /tmp/exclude.txt

How to detect firewall setting using Nmap Command

You can use firewall detection during penetration testing and vulnerability scans. Several functions can be used to detect firewall settings across the given hosts, but the -sA flag is the most common:

# nmap command examples for your host
nmap -sA <target IP>
nmap -sA server1.YourDomainAddress

Then, you can scan a host that is protected by a firewall using the commands below. For example, to scan a router/wifi device having as IP:

nmap -Pn <target IP>
nmap -Pn server1.YourDomainAddress

How to view open ports using the Nmap command

To show open or possibly open ports, you can use the Nmap commands below in Linux:

nmap --open <target IP>
nmap --open server1.YourDomainAddress

To scan all your devices/computers for open ports, type:

nmap -T5 <target IP range>
nmap -T5 {sub/net}

How to use Nmap command for Nikto

Recently, Nikto was introduced to you. To scan for web servers and pipe the results into Nikto for scanning, run the following commands:

nmap -p80 -oG - | /path/to/ -h -
nmap -p80,443 -oG - | /path/to/ -h -


In this article, you reviewed the most important Nmap commands. The Nmap command comes with lots of options, and now you know how to use Nmap for offensive and defensive purposes. However, if you are not comfortable with the CLI, you can use the GUI app named Zenmap. It is the official Nmap Security Scanner GUI. If you are interested in learning more, refer to How to scan ports using connect scan and FIN scan on Nmap.

Marilyn Bisson
Content Writer
Eldernode Writer