
Linux nmap command (network scan) [Basic Guide]

The nmap command in Linux is a powerful tool for discovering open ports on local or remote hosts.

It can be installed with any package manager. Unlike netstat, ss and lsof, which list the sockets or files that are open on the local machine, nmap finds open ports by trial and error: it attempts to connect to known ports and, when it finds one open, checks which service is listening on that port.

Using NMAP to Find Open Ports on a Network

To check open ports (nmap's default set of 1000 ports) on the local host:

$ nmap localhost 
Starting Nmap 7.70 (https://nmap.org) at 2019-10-23 06:01 -03
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000098s latency).

A short script can be written to compare the currently open ports with those recorded in a previous file.

The baseline file must first be created so that later runs have something to compare against:

$ nmap localhost | grep open > original

The script below runs nmap and compares the result with the “original” file. If there is a difference, an email is sent:

#!/bin/bash
nmap localhost | grep open > current
# diff exits 0 when the files are identical and non-zero when they differ
diff current original > /dev/null
if [ $? -ne 0 ]; then
    # admin@example.com is a placeholder address; replace it with your own
    mail -s "Open ports changed on $(hostname)" admin@example.com < current
fi
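As an added example (not from the original article), the following script performs the same comparison but reports which ports appeared or disappeared instead of only signalling that something differs. It extracts the open ports from normal nmap output with awk and compares the sorted lists with comm(1); the two nmap outputs embedded in it are constructed samples standing in for a baseline run and a later run against localhost, so it runs without nmap installed.

```shell
#!/bin/sh
# Added example, not code from the original article: compare the open ports
# found by two nmap runs and report exactly what changed. BASELINE_SCAN and
# CURRENT_SCAN are constructed sample outputs, not real scan results.

BASELINE_SCAN='Starting Nmap 7.70 ( https://nmap.org ) at 2019-10-23 06:01 -03
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000098s latency).
Not shown: 998 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
631/tcp open  ipp
Nmap done: 1 IP address (1 host up) scanned in 0.05 seconds'

CURRENT_SCAN='Starting Nmap 7.70 ( https://nmap.org ) at 2019-10-24 06:01 -03
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000098s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
631/tcp  open  ipp
3306/tcp open  mysql
Nmap done: 1 IP address (1 host up) scanned in 0.05 seconds'

# extract_open_ports: read nmap normal output on stdin and print
# "port/proto service" for each line whose STATE column is "open",
# sorted so that the result can be compared with comm(1).
extract_open_ports() {
    awk '$1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" { print $1, $3 }' | sort
}

# compare_ports BASELINE_FILE CURRENT_FILE: print ports that are newly open
# prefixed with "+" and ports that are no longer open prefixed with "-".
# Exit status is 0 when the two sets are identical and 1 when they differ,
# mirroring diff(1).
compare_ports() {
    added=$(comm -13 "$1" "$2")
    removed=$(comm -23 "$1" "$2")
    [ -n "$added" ] && printf '%s\n' "$added" | sed 's/^/+ /'
    [ -n "$removed" ] && printf '%s\n' "$removed" | sed 's/^/- /'
    [ -z "$added" ] && [ -z "$removed" ]
}

# run_check: write both parsed port lists to a scratch directory, compare
# them and print a one-line verdict. Returns compare_ports' exit status.
run_check() {
    dir=$(mktemp -d)
    printf '%s\n' "$BASELINE_SCAN" | extract_open_ports > "$dir/original"
    printf '%s\n' "$CURRENT_SCAN"  | extract_open_ports > "$dir/current"
    if compare_ports "$dir/original" "$dir/current"; then
        echo "no change in open ports"; status=0
    else
        echo "open ports changed (send the alert here)"; status=1
    fi
    rm -rf "$dir"
    return "$status"
}

# A non-zero status here only means a change was found; "|| true" keeps the
# script from aborting when it is run under "set -e".
run_check || true
```

In a real deployment the constructed sample text would be replaced by the output of nmap itself, and the "send the alert here" branch would call mail or a ticketing hook as in the script above.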

Check reserved ports with nmap

This command scans all reserved TCP ports on the scanme.nmap.org machine; the “-v” option enables verbose mode:

$ nmap -v scanme.nmap.org

Starting Nmap 6.40 (http://nmap.org) at 2021-12-08 22:01 -03
Initiating Ping Scan at 22:01
Scanning scanme.nmap.org (45.33.32.156) [2 ports]
Completed Ping Scan at 22:01, 0.07s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 22:01
Completed Parallel DNS resolution of 1 host. at 22:01, 0.02s elapsed
Initiating Connect Scan at 22:01
Scanning scanme.nmap.org (45.33.32.156) [1000 ports]
Discovered open port 80/tcp on 45.33.32.156
Discovered open port 22/tcp on 45.33.32.156
Discovered open port 9929/tcp on 45.33.32.156
Discovered open port 31337/tcp on 45.33.32.156
Completed Connect Scan at 22:01, 1.07s elapsed (1000 total ports)
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.075s latency).
Not shown: 996 closed ports
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
9929/tcp  open  nping-echo
31337/tcp open  Elite

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 1.26 seconds

SYN scan with nmap

The “-sS” option initiates a stealth SYN scan against every machine in the /24 network where the scanme.nmap.org address resides.

The “-O” option will determine which operating system is running on each running host. This requires root privileges due to the SYN scan and operating system detection:

$ sudo nmap -sS -O scanme.nmap.org/24
Starting Nmap 6.40 (http://nmap.org) at 2021-12-08 22:04 -03
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.070s latency).
Not shown: 996 closed ports
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
9929/tcp  open  nping-echo
31337/tcp open  Elite
Device type: general purpose|WAP|Webcam|Firewall|Storage-MISC
Running (JUST GUESSING): Linux 2.6.X|3.X|2.4.X (91%), Tandberg embedded (86%), Fortinet Linux 2.6.X (86%), IPFire Linux 2.6.X (85%), Check Point Linux 2.6.X (85%), Axcient embedded (85%)
OS CPE: cpe:/o:linux:linux_kernel:2.6.32 cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:2.4 cpe:/h:tandberg:vcs cpe:/o:fortinet:linux_kernel:2.6 cpe:/o:ipfire:linux:linux:linux:linux:kernel:2.6 cpe:/o:ipfire:linux:linux:linux:linux:kernel:2.6 cpe:/o:ipfire:linux:linux:linux:32 cpe:/o:linux:linux_kernel:2.6.18
Aggressive OS guesses: Linux 2.6.32 - 2.6.35 (91%), Linux 2.6.32 - 2.6.39 (91%), Linux 2.6.32 - 3.0 (90%), Linux 2.6.18 (89%), Linux 3.2 - 3.6 (89%), Linux 2.6.32 (88%), Linux 3.1.9 (88%), Linux 2.6.39 (88%), Linux 2.6.32 - 2.6.33 (88%), Linux 2.6.32 - 2.6.33 (88%), Linux 2.6.32 (88%) 6.27 (88%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 14 hops
(...) 

Check specific ports with nmap

The “-sV” option enables service version detection. This command performs host enumeration and a TCP scan of the first half (hosts .1 to .127) of every /24 in the 198.116.0.0/16 address space. It tests whether the systems run SSH (22), DNS (53), POP3 (110) or IMAP (143) on their standard ports, or anything on port 4564. For each of these ports found open, version detection is used to determine which application is running:

$ nmap -sV -p 22,53,110,143,4564 198.116.0-255.1-127
Starting Nmap 6.40 (http://nmap.org) at 2021-12-08 22:08 -03
Nmap scan report for ip-172-30-0-191.ec2.internal (172.30.0.191)
Host is up (0.00016s latency).
PORT     STATE  SERVICE VERSION
22/tcp   open   ssh     OpenSSH 7.4 (protocol 2.0)
53/tcp   closed domain
110/tcp  closed pop3
143/tcp  closed imap
4564/tcp closed unknown
(...) 

Scan random hosts with nmap

In this example nmap chooses 100 hosts at random and checks each of them for a web server (port 80). Host discovery (the ping step) is skipped with -Pn:

$ nmap -v -iR 100 -Pn -p 80
Starting Nmap 6.40 (http://nmap.org) at 2021-12-08 22:11 -03
Initiating Parallel DNS resolution of 10 hosts at 22:11
Completed Parallel DNS resolution of 10 hosts at 22:11, 1.20s elapsed
(...) 

Save nmap data in XML

In this example, nmap checks 4096 IPs (the 216.163.128.20/20 block) for a web server on port 80 without pinging them first, and saves the output in XML format:

$ nmap -Pn -p80 -oX pb-port80scan.xml 216.163.128.20/20

Find out if the target uses a firewall

The “-sA” (ACK scan) option checks whether the host sits behind a firewall, such as a Linux packet filter, that filters packets; it reports ports as filtered or unfiltered rather than open or closed:

$ sudo nmap -sA facebook.com 
Starting Nmap 6.40 (http://nmap.org) at 2021-12-08 22:29 -03
Nmap scan report for facebook.com (157.240.229.35)
Host is up (0.00055s latency).

Discover connected hosts with ping scan

The “-sP” option performs a ping scan of a network, listing only the hosts that respond:

$ nmap -sP 172.30.0.0/24 
Starting Nmap 6.40 (http://nmap.org) at 2021-12-08 22:31 -03
Nmap scan report for go.universobh.com.br (172.30.0.30)
Host is up (0.00037s latency).
Nmap scan report for ip-172-30-0-191.ec2.internal (172.30.0.191)
Host is up (0.00035s latency).

This type of scan is not always effective, since most networks block ICMP ping to their hosts.

Scan for open ports only

The nmap “--open” option shows only the ports found open on a host:

$ nmap --open google.pt 
Starting Nmap 6.40 (http://nmap.org) at 2021-12-08 22:33 -03
Nmap scan report for google.pt (172.217.15.99)
Host is up (0.015s latency).

Quick open port testing with nmap

The “-T5” option (the fastest timing template) scans for open ports as quickly as possible, at the cost of accuracy on slow or lossy networks:

$ nmap -T5 facebook.com 
Starting Nmap 6.40 (http://nmap.org) at 2021-12-08 22:35 -03
Nmap scan report for facebook.com (157.240.229.35)
Host is up (0.00068s latency).

Be careful when using nmap

Be careful when running nmap against hosts hosted on Amazon AWS, Google Cloud or Microsoft Azure: these providers monitor the logs of their edge firewalls for suspicious “pentest”-like activity against their networks.

Nmap Quick Guide

Select targets with NMAP

  Single IP scan                          nmap 192.168.1.1
  Scan a hostname                         nmap www.testhostname.com
  Scan a range of IPs                     nmap 192.168.1.1-20
  Scan a subnet                           nmap 192.168.1.0/24
  Scan targets listed in a text file      nmap -iL list-of-ips.txt

Select ports with NMAP

  Scan a single port                      nmap -p 22 192.168.1.1
  Scan a range of ports                   nmap -p 1-100 192.168.1.1
  Scan the 100 most common ports (fast)   nmap -F 192.168.1.1
  Scan all 65535 ports                    nmap -p- 192.168.1.1

Select scan types with NMAP

  Scan using TCP connect                  nmap -sT 192.168.1.1
  Scan using TCP SYN (default as root)    nmap -sS 192.168.1.1
  UDP port scan                           nmap -sU -p 123,161,162 192.168.1.1
  Port scan, skipping host discovery      nmap -Pn -F 192.168.1.1

OS (operating system) detection with NMAP

  Detect OS and services                  nmap -A 192.168.1.1
  Detect services                         nmap -sV 192.168.1.1
  Aggressively detect services            nmap -sV --version-intensity 5 192.168.1.1
  Detect services from the banner only    nmap -sV --version-intensity 0 192.168.1.1

NMAP output formats

  Save normal output to a file            nmap -oN outputfile.txt 192.168.1.1
  Save in XML                             nmap -oX outputfile.xml 192.168.1.1
  Save in grepable format                 nmap -oG outputfile.txt 192.168.1.1
  Save in all formats at once             nmap -oA outputfile 192.168.
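As an added example (not from the original article), the script below shows how the grepable format written by -oG can be processed with awk to list each host's open ports with their detected versions, and to find every host on which a given port is open, which is the usual starting point for an inventory or a "what is exposing SSH" check. The SCAN_OG text is a constructed sample of such a file; its addresses, hostnames and version strings are invented for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the original article: parse nmap grepable
# output (-oG). In that format each host line carries a tab-separated
# "Ports:" field whose entries look like
#   port/state/protocol/owner/service/rpc-info/version/
# SCAN_OG below is a constructed sample, not a real scan.

TAB=$(printf '\t')
SCAN_OG=$(printf '%s\n' \
  '# Nmap 7.70 scan initiated Mon Oct 23 06:01:00 2019 as: nmap -sV -oG out.txt 192.168.1.0/24' \
  "Host: 192.168.1.1 (gw.example.lan)${TAB}Status: Up" \
  "Host: 192.168.1.1 (gw.example.lan)${TAB}Ports: 22/open/tcp//ssh//OpenSSH 7.4/, 53/open/tcp//domain//dnsmasq 2.80/, 443/closed/tcp//https///${TAB}Ignored State: closed (997)" \
  "Host: 192.168.1.20 ()${TAB}Status: Up" \
  "Host: 192.168.1.20 ()${TAB}Ports: 22/open/tcp//ssh//OpenSSH 8.2/, 3306/filtered/tcp//mysql///${TAB}Ignored State: closed (998)" \
  '# Nmap done at Mon Oct 23 06:02:00 2019 -- 256 IP addresses (2 hosts up) scanned in 60.00 seconds')

# open_ports_by_host: read -oG output on stdin and print one line per open
# port in the form "host port/proto service [version]". Closed and filtered
# entries are skipped.
open_ports_by_host() {
    awk '
    /^Host: / && /Ports: / {
        host = $2
        ports = $0
        sub(/.*Ports: /, "", ports)                # keep only the port list
        sub(/[ \t]*Ignored State:.*/, "", ports)   # drop the trailing summary
        n = split(ports, entry, /, */)
        for (i = 1; i <= n; i++) {
            split(entry[i], f, "/")                # port/state/proto/owner/service/rpc/version/
            if (f[2] == "open")
                printf "%s %s/%s %s%s\n", host, f[1], f[3], f[5],
                       (f[7] == "" ? "" : " " f[7])
        }
    }'
}

# hosts_with_open_port PORT/PROTO: read -oG output on stdin and print the
# address of every host where that port is open, e.g. "22/tcp".
hosts_with_open_port() {
    open_ports_by_host | awk -v want="$1" '$2 == want { print $1 }'
}

echo "Open ports per host:"
printf '%s\n' "$SCAN_OG" | open_ports_by_host
echo "Hosts exposing 22/tcp:"
printf '%s\n' "$SCAN_OG" | hosts_with_open_port 22/tcp
```

The same two functions work on a real file with `open_ports_by_host < outputfile.txt`; because the parser splits each entry on "/" rather than on whitespace, version strings containing spaces (as "OpenSSH 7.4" does) are preserved intact.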

HTTP scan with NMAP

  Get the titles of the HTML pages        nmap --script=http-title 192.168.1.0/24
  Get the HTTP headers                    nmap --script=http-headers 192.168.1.0/24
  Enumerate web applications              nmap --script=http-enum 192.168.1.0/24

Uirá Endy Ribeiro

Uirá Endy Ribeiro is a Software Developer and Cloud Computing Architect with a 23-year career. He has master's degrees in computer science and fifteen IT certifications and is the author of 11 books recognized in the IT world market. He is also Director at Universidade Salgado de Oliveira and Director of the Linux Professional Institute - LPI Director's Board.
