Nmap (Network Mapper) is a security scanner used to discover hosts and services on a computer network, thus creating a “map” of the network. To accomplish its goal, Nmap sends specially crafted packets to the target host and then analyzes the responses.
The software provides a number of features for probing computer networks, including host discovery and service and operating system detection. These features are extensible by scripts that provide more advanced service detection, vulnerability detection, and other features. Nmap is also capable of adapting to network conditions including latency and congestion during a scan. Nmap is under development and refinement by its user community.
Nmap features include:
Nmap is available for most, if not all, Linux distributions, so to install it, use your distribution’s package manager to search for and install the ‘nmap’ package.
Examples of Nmap commands
Note that running nmap as an unprivileged user will considerably decrease its functionality. For best results, either run it as the root user or use sudo.
Also, to increase the verbosity level, add the -v option to any command, or -vv for even higher verbosity. For example:
nmap -v -sS hostname.com
Simple network scan:
Scan multiple hosts:
nmap 192.168.1.1 10.0.0.1 18.104.22.168
nmap 192.168.1.* --exclude 192.168.1.5
Scan specific or multiple ports:
nmap -p 80 192.168.1.1
nmap -p 80,443 192.168.1.1
nmap -p 80-250 192.168.1.1
Discover remote server OS information (-A also enables version detection, script scanning and traceroute; -O does OS detection only):
nmap -A 192.168.1.1
nmap -O --osscan-guess 192.168.1.1
Scan a remote server when it is protected by a firewall (-Pn skips host discovery and treats the target as up; -PS and -PA use TCP SYN and ACK probes for discovery instead of ICMP):
nmap -Pn 192.168.1.1
nmap -PS 192.168.1.1
nmap -PA 192.168.1.1
Perform a stealthy scan:
nmap -sS 192.168.1.1
Discover available services and their versions on the remote host:
nmap -sV 192.168.1.1
Discover running hosts on a network (ping scan only, no port scan):
nmap -sn 192.168.1.0/24
Scan an IPv6 remote host:
nmap -6 FE80::0202:B3FF:FE1E:8426
Show only open ports:
nmap --open 192.168.1.1
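The --open and -sV flags above are most useful when the results feed an inventory check. As an added example (not from the original page), this shell script parses Nmap's grepable output format (-oG, which `nmap -sV --open -oG - 192.168.1.0/24` writes to stdout) and flags open ports missing from an allowlist; the scan lines, the allowlist and the host/port values are constructed sample data, not a real capture.

```shell
#!/bin/sh
# Added example, not part of the original page: post-process the grepable
# output that "nmap -sV --open -oG -" writes to stdout, listing every open
# port per host and flagging any that is not on an allowlist. The scan text
# below is CONSTRUCTED sample data, not a real capture.

# Print "host port/proto service version" for each open port in -oG text on stdin.
nmap_open_ports() {
    awk -F'\t' '
        /^Host:/ {
            host = $1; sub(/^Host: /, "", host); sub(/ .*/, "", host)
            for (i = 2; i <= NF; i++) {
                if ($i !~ /^Ports: /) continue
                ports = $i; sub(/^Ports: /, "", ports)
                n = split(ports, p, ", ")
                for (j = 1; j <= n; j++) {
                    # -oG port layout: port/state/proto/owner/service/rpc/version/
                    split(p[j], f, "/")
                    if (f[2] == "open")
                        printf "%s %s/%s %s %s\n", host, f[1], f[3], f[5], f[7]
                }
            }
        }'
}

# Print open ports on stdin that are NOT in the allowlist file ($1, one
# "host port/proto" per line); exit 1 if any unexpected port was found.
unexpected_open_ports() {
    nmap_open_ports | awk 'NR == FNR { ok[$0] = 1; next }
        { key = $1 " " $2; if (!(key in ok)) { print; found = 1 } }
        END { exit (found ? 1 : 0) }' "$1" -
}

# Constructed -oG sample: two hosts up, one closed port that must be skipped.
SAMPLE=$(
    printf 'Host: 192.168.1.1 ()\tStatus: Up\n'
    printf 'Host: 192.168.1.1 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, '
    printf '80/open/tcp//http//nginx 1.18.0/, 443/closed/tcp//https///\tIgnored State: filtered (997)\n'
    printf 'Host: 192.168.1.5 ()\tStatus: Up\n'
    printf 'Host: 192.168.1.5 ()\tPorts: 3306/open/tcp//mysql//MySQL 8.0.32/\tIgnored State: closed (999)\n'
)

# Constructed allowlist: only SSH and HTTP on the gateway are expected.
ALLOW=$(mktemp)
printf '192.168.1.1 22/tcp\n192.168.1.1 80/tcp\n' > "$ALLOW"

printf '%s\n' "$SAMPLE" | nmap_open_ports
printf '%s\n' "$SAMPLE" | unexpected_open_ports "$ALLOW" || echo "=> unexpected open ports found"
```

On a real run, replace the SAMPLE pipe with the nmap command from the lead-in; the non-zero exit of unexpected_open_ports makes it usable as a cron or CI check.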
Perform a fast scan (only the 100 most common ports instead of the default 1000):
nmap -F 192.168.1.1
Perform an even faster scan using the aggressive timing templates (bandwidth consuming, and detection by the remote host’s logging or IDS is all but guaranteed):
nmap -T4 192.168.1.1
nmap -T5 192.168.1.1
Firewall / intrusion detection software evasion options
The -f option causes the requested scan (including ping scans) to use tiny fragmented IP packets. The idea is to split up the TCP header over several packets to make it harder for packet filters, intrusion detection systems, and other annoyances to detect what you are doing.
nmap -f 192.168.1.1
The -D option causes a decoy scan to be performed, which makes it appear to the remote host that the host(s) you specify as decoys are scanning the target network too.
nmap -n -D 10.0.0.1,22.214.171.124,126.96.36.199 192.168.1.1
This option spoofs your MAC address (replace NEW.MAC.ADDR with the address to use):
nmap --spoof-mac NEW.MAC.ADDR 192.168.1.1
If you don’t feel comfortable with the command line, you can use Zenmap, the official nmap GUI.