The nmap Command in Linux is a powerful tool for discovering open ports on local or remote hosts.
It can be installed with any package manager. Unlike netstat, ss and lsof, which inspect the open sockets or files of the local host from the inside, nmap works from the outside: it tries to connect to well-known ports one by one, and when it finds one open it identifies which service is listening on that port.
To check open ports from 1 to 1000:
$ nmap localhost
Starting Nmap 7.70 (https://nmap.org) at 2019-10-23 06:01 -03
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000098s latency).
A short script can compare the ports that are currently open against a previously saved baseline:
The baseline file must first be created so that it can serve as the reference for future comparisons:
$ nmap localhost | grep open > original
The script below runs nmap and compares the result with the “original” file. If there is a difference, an email is sent:
#!/bin/bash
# Scan again and keep only the "open" lines, exactly as when "original" was created
nmap localhost | grep open > current
# diff exits 0 when the files are identical and non-zero when they differ
if ! diff current original > /dev/null; then
    # send the new list of open ports; the address is a placeholder, use your own
    mail -s "nmap: open ports on $(hostname) changed" admin@example.com < current
fi
The “-v” option enables verbose mode; here it is used to scan all reserved TCP ports on the scanme.nmap.org machine with detailed output:
$ nmap -v scanme.nmap.org
Starting Nmap 6.40 (http://nmap.org) at 2021-12-08 22:01 -03
Initiating Ping Scan at 22:01
Scanning scanme.nmap.org (45.33.32.156) [2 ports]
Completed Ping Scan at 22:01, 0.07s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 22:01
Completed Parallel DNS resolution of 1 host. at 22:01, 0.02s elapsed
Initiating Connect Scan at 22:01
Scanning scanme.nmap.org (45.33.32.156) [1000 ports]
Discovered open port 80/tcp on 45.33.32.156
Discovered open port 22/tcp on 45.33.32.156
Discovered open port 9929/tcp on 45.33.32.156
Discovered open port 31337/tcp on 45.33.32.156
Completed Connect Scan at 22:01, 1.07s elapsed (1000 total ports)
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.075s latency).
Not shown: 996 closed ports
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
9929/tcp  open  nping-echo
31337/tcp open  Elite
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 1.26 seconds
The “-sS” option runs a stealth SYN scan against every machine in the /24 network that contains the scanme.nmap.org address.
The “-O” option attempts to determine which operating system each host that is up is running. Both the SYN scan and OS detection require root privileges, because they need raw sockets:
$ sudo nmap -sS -O scanme.nmap.org/24
Starting Nmap 6.40 (http://nmap.org) at 2021-12-08 22:04 -03
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.070s latency).
Not shown: 996 closed ports
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
9929/tcp  open  nping-echo
31337/tcp open  Elite
Device type: general purpose|WAP|webcam|firewall|storage-misc
Running (JUST GUESSING): Linux 2.6.X|3.X|2.4.X (91%), Tandberg embedded (86%), Fortinet Linux 2.6.X (86%), IPFire Linux 2.6.X (85%), Check Point Linux 2.6.X (85%), Axcient embedded (85%)
OS CPE: cpe:/o:linux:linux_kernel:2.6.32 cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:2.4 cpe:/h:tandberg:vcs cpe:/o:fortinet:linux_kernel:2.6 cpe:/o:ipfire:linux_kernel:2.6 cpe:/o:linux:linux_kernel:2.6.18 (...)
Aggressive OS guesses: Linux 2.6.32 - 2.6.35 (91%), Linux 2.6.32 - 2.6.39 (91%), Linux 2.6.32 - 3.0 (90%), Linux 2.6.18 (89%), Linux 3.2 - 3.6 (89%), Linux 2.6.32 (88%), Linux 3.1.9 (88%), Linux 2.6.39 (88%), Linux 2.6.32 - 2.6.33 (88%), Linux 2.6.32 - 2.6.33 (88%), Linux 2.6.32 (88%)
No exact OS matches for host (test conditions not ideal).
Network Distance: 14 hops
(...)
The “-sV” option enables version detection. The command below combines host discovery with a TCP scan of the first half (hosts .1 to .127) of every /24 inside the 198.116.0.0/16 address space. It tests whether the systems run SSH (22), DNS (53), POP3 (110) or IMAP (143) on their standard ports, or anything on port 4564. For any of these ports found open, version detection is used to determine which application is running:
$ nmap -sV -p 22,53,110,143,4564 198.116.0-255.1-127
Starting Nmap 6.40 (http://nmap.org) at 2021-12-08 22:08 -03
Nmap scan report for ip-172-30-0-191.ec2.internal (172.30.0.191)
Host is up (0.00016s latency).
PORT     STATE  SERVICE VERSION
22/tcp   open   ssh     OpenSSH 7.4 (protocol 2.0)
53/tcp   closed domain
110/tcp  closed pop3
143/tcp  closed imap
4564/tcp closed unknown
(...)
In this example nmap chooses 100 hosts at random (-iR 100) and checks whether they run a web server (port 80). Host discovery is disabled with -Pn, so every address is port-scanned without being pinged first:
$ nmap -v -iR 100 -Pn -p 80
Starting Nmap 6.40 (http://nmap.org) at 2021-12-08 22:11 -03
Initiating Parallel DNS resolution of 10 hosts at 22:11
Completed Parallel DNS resolution of 10 hosts at 22:11, 1.20s elapsed
(...)
In this example, nmap checks 4096 addresses for a web server on port 80, without pinging them first, and saves the output in XML format:
$ nmap -Pn -p80 -oX pb-port80scan.xml 216.163.128.20/20
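As an added example (not code from the original post), the following Python script does what the bash comparison script earlier on the page does, but on nmap's XML output rather than on grepped text: it parses a -oX report, keeps only ports whose state is open, and diffs them against a saved baseline so that a newly exposed port on any host can raise an alert. The XML report, the 192.0.2.x addresses and the baseline are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample of nmap -oX output (not a real scan): host .1 exposes ssh
# and http; host .2 now shows 22 filtered and an unexpected 31337/tcp open.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -Pn -p 22,80,31337 -oX scan.xml 192.0.2.0/30">
  <host><status state="up"/><address addr="192.0.2.1" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
      <port protocol="tcp" portid="31337"><state state="closed"/><service name="Elite"/></port>
    </ports>
  </host>
  <host><status state="up"/><address addr="192.0.2.2" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="filtered"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
      <port protocol="tcp" portid="31337"><state state="open"/><service name="Elite"/></port>
    </ports>
  </host>
</nmaprun>
"""

# Baseline recorded from an earlier scan (constructed): only ssh and http expected.
BASELINE = {("192.0.2.1", "tcp", 22): "ssh", ("192.0.2.1", "tcp", 80): "http",
            ("192.0.2.2", "tcp", 22): "ssh", ("192.0.2.2", "tcp", 80): "http"}

def open_ports(xml_text):
    """Return {(ip, proto, port): service} for every port nmap reported as open."""
    result = {}
    for host in ET.fromstring(xml_text).findall("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":  # skip closed/filtered
                continue
            svc = port.find("service")
            name = svc.get("name") if svc is not None else "unknown"
            result[(addr.get("addr"), port.get("protocol"), int(port.get("portid")))] = name
    return result

def diff_baseline(baseline, current):
    """Return (newly open, no longer open); the first dict is what to alert on."""
    new = {k: v for k, v in current.items() if k not in baseline}
    gone = {k: v for k, v in baseline.items() if k not in current}
    return new, gone
```

Calling diff_baseline(BASELINE, open_ports(SAMPLE_XML)) reports 192.0.2.2 31337/tcp as newly open and 192.0.2.2 22/tcp as no longer open (it is filtered now); in practice, read the file written by -oX instead of the embedded sample.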
The “-sA” option (ACK scan) checks whether the host sits behind a firewall that filters packets; it reports ports as filtered or unfiltered rather than open or closed:
$ sudo nmap -sA facebook.com
Starting Nmap 6.40 (http://nmap.org) at 2021-12-08 22:29 -03
Nmap scan report for facebook.com (157.240.229.35)
Host is up (0.00055s latency).
The “-sP” option performs a ping scan (host discovery only, no port scan) on a network; in current nmap versions it is an alias for -sn:
$ nmap -sP 172.30.0.0/24
Starting Nmap 6.40 (http://nmap.org) at 2021-12-08 22:31 -03
Nmap scan report for go.universobh.com.br (172.30.0.30)
Host is up (0.00037s latency).
Nmap scan report for ip-172-30-0-191.ec2.internal (172.30.0.191)
Host is up (0.00035s latency).
This kind of scan is not always effective, because most networks block ICMP echo requests to their hosts, so a host that is up can still appear to be down.
The nmap “--open” option shows only the ports that are open (or possibly open), hiding closed and filtered ones:
$ nmap --open google.pt
Starting Nmap 6.40 (http://nmap.org) at 2021-12-08 22:33 -03
Nmap scan report for google.pt (172.217.15.99)
Host is up (0.015s latency).
The “-T5” option (the fastest timing template) quickly scans for open ports, at the cost of accuracy on slow or lossy links:
$ nmap -T5 facebook.com
Starting Nmap 6.40 (http://nmap.org) at 2021-12-08 22:35 -03
Nmap scan report for facebook.com (157.240.229.35)
Host is up (0.00068s latency).
Be careful when running nmap against hosts hosted on Amazon AWS, Google Cloud or Microsoft Azure: these providers monitor the logs of their edge firewalls for suspicious “PenTest”-style activity against their networks.
Task | Command |
Single IP scan | nmap 192.168.1.1 |
Scan a host by name | nmap www.testhostname.com |
Scan a range of IPs | nmap 192.168.1.1-20 |
Scan a subnet | nmap 192.168.1.0/24 |
Scan targets listed in a text file | nmap -iL list-of-ips.txt |
Scan a single port | nmap -p 22 192.168.1.1 |
Scan a range of ports | nmap -p 1-100 192.168.1.1 |
Scan the 100 most common ports (fast) | nmap -F 192.168.1.1 |
Scan all 65535 ports | nmap -p- 192.168.1.1 |
Scan using TCP connect | nmap -sT 192.168.1.1 |
Scan using TCP SYN (default when run as root) | nmap -sS 192.168.1.1 |
UDP port scan | nmap -sU -p 123,161,162 192.168.1.1 |
Port scan, skipping host discovery | nmap -Pn -F 192.168.1.1 |
Detect OS and services | nmap -A 192.168.1.1 |
Detect services | nmap -sV 192.168.1.1 |
Aggressively detect services | nmap -sV --version-intensity 5 192.168.1.1 |
Detect services from the banner only | nmap -sV --version-intensity 0 192.168.1.1 |
Save to a normal text file | nmap -oN outputfile.txt 192.168.1.1 |
Save in XML | nmap -oX outputfile.xml 192.168.1.1 |
Save in grepable format | nmap -oG outputfile.txt 192.168.1.1 |
Save in all formats | nmap -oA outputfile 192.168. |
Get the titles of the HTML pages | nmap --script=http-title 192.168.1.0/24 |
Get the HTTP headers | nmap --script=http-headers 192.168.1.0/24 |
Enumerate common web application paths | nmap --script=http-enum 192.168.1.0/24 |