
Mastering Nmap: Tutorial for Windows, Linux, macOS

By Suresh S

In the world of networking and cybersecurity, information is power. Whether you are a system administrator monitoring a local office network, a DevOps engineer auditing cloud configurations, or a penetration tester seeking vulnerabilities, you need a reliable way to map networks and identify active services.

This is where Nmap (Network Mapper) comes in. Nmap is the industry-standard, open-source tool for network discovery and security auditing.

In this ultimate Nmap tutorial, we will explain how Nmap works, guide you through installing it on Windows, Linux, and macOS, and provide over 15 practical command examples that you can start using today.


What is Nmap and How Does It Work?

Nmap was first released in 1997 and has since grown into one of the most powerful network scanning tools available. At its core, Nmap works by sending specially crafted raw IP packets to target hosts. It then analyzes the responses (or lack thereof) to determine:

  • Active Hosts: Whether a device is powered on and connected to the network.
  • Open Ports: Which network ports are accepting incoming connections.
  • Running Services: The name and version of the applications listening on those ports (e.g., Apache HTTP, OpenSSH, MySQL).
  • Operating System: The OS and kernel version running on the target device.
  • Firewall Settings: Whether network filters or firewalls are blocking ports.

Understanding Port States

When Nmap scans a target, it classifies ports into one of six states:

  1. Open: An application is actively accepting connections on this port.
  2. Closed: The port is accessible (it receives and responds to packets), but no application is listening on it.
  3. Filtered: Nmap cannot determine if the port is open or closed because a firewall or network filter is blocking the probe.
  4. Unfiltered: The port is accessible, but Nmap cannot determine if it is open or closed (usually seen in ACK scans).
  5. Open|Filtered: Nmap is unable to distinguish between an open port and a filtered port (often occurs with UDP scans).
  6. Closed|Filtered: Nmap is unable to distinguish between a closed port and a filtered port.
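To make these rules concrete, here is a small added model (not Nmap's own code) of how the replies to a SYN, ACK or UDP probe are turned into the states above. The reply vocabulary ("SYN-ACK", "RST", "UDP", "ICMP3/<code>", None for silence) and the flat list of retries are simplifications assumed for the example; real Nmap also weighs timing, rate limiting and many protocol details.

```python
from typing import Optional, Sequence

# ICMP type 3 (destination unreachable) codes that tell Nmap a filter refused
# the probe: net/host/proto unreachable, net/host admin-prohibited, and
# communication administratively prohibited.
FILTERED_ICMP_CODES = {1, 2, 3, 9, 10, 13}

def classify(scan: str, responses: Sequence[Optional[str]]) -> str:
    """Map the replies to one port probe (first send plus retries) to a state.

    scan: "syn" (-sS), "ack" (-sA) or "udp" (-sU).
    responses: one entry per attempt: "SYN-ACK", "RST", "UDP" (any UDP reply),
    "ICMP3/<code>" (destination unreachable) or None when nothing came back.
    (Assumed vocabulary for this example, not Nmap's internal representation.)
    """
    for reply in responses:
        if reply is None:
            continue                  # silence: Nmap retransmits and waits again
        if reply.startswith("ICMP3/"):
            code = int(reply.split("/", 1)[1])
            if scan == "udp" and code == 3:
                return "closed"       # port unreachable: nothing listens there
            if code in FILTERED_ICMP_CODES:
                return "filtered"     # a router or firewall rejected the probe
            continue                  # other ICMP codes are not conclusive
        if scan == "syn":
            if reply == "SYN-ACK":
                return "open"         # a service accepted the half-open handshake
            if reply == "RST":
                return "closed"       # reachable, but nobody is listening
        elif scan == "ack" and reply == "RST":
            return "unfiltered"       # reachable; an ACK scan cannot tell open from closed
        elif scan == "udp" and reply == "UDP":
            return "open"             # the service answered the probe itself
    # Every attempt went unanswered or drew only inconclusive replies.
    if scan == "udp":
        return "open|filtered"        # open UDP services often stay silent
    return "filtered"                 # closed|filtered only arises in idle scans (-sI)
```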

How to Install Nmap

Nmap is cross-platform and runs natively on Linux, macOS, and Windows. Here is how to install it on each operating system.

1. Install Nmap on Linux

Most Linux distributions include Nmap in their official package repositories. Open your terminal and run the command matching your distribution:

Debian / Ubuntu / Linux Mint

sudo apt update
sudo apt install nmap -y

Red Hat / CentOS / Fedora

sudo dnf install nmap -y
# On older systems:
# sudo yum install nmap -y

Arch Linux / Manjaro

sudo pacman -S nmap --noconfirm

To verify the installation, run:

nmap --version

2. Install Nmap on macOS

The easiest way to install Nmap on macOS is using Homebrew, the popular command-line package manager.

  1. Open your Terminal.
  2. Run the following command:
    brew install nmap

Alternatively, you can download the official .dmg installer from the Nmap Download Page, open it, and follow the setup wizard.

3. Install Nmap on Windows

On Windows, Nmap includes both the command-line utility and Zenmap (a graphical user interface for Nmap).

  1. Go to the Nmap Download Page.
  2. Download the latest stable Windows installer (e.g., nmap-<version>-setup.exe).
  3. Run the installer. During the setup wizard, ensure that Npcap is checked (Npcap is a driver that allows Nmap to capture and transmit raw network packets on Windows).
  4. Once installed, open Command Prompt (CMD) or PowerShell and verify the installation:
    nmap --version

Basic Nmap Command Syntax

The general syntax for Nmap is simple:

nmap [Scan Type(s)] [Options] [Target]

  • Target can be an IP address (192.168.1.1), a domain name (example.com), a subnet (192.168.1.0/24), or a range of IP addresses (192.168.1.1-50).

15+ Practical Nmap Scanning Examples

Ethical & Legal Warning: Only scan target networks and devices that you own or have explicit, written authorization to scan. Port scanning without permission can be viewed as malicious activity or a cyberattack by ISPs and network security systems.

For testing purposes, Nmap provides an authorized target domain: scanme.nmap.org.

1. Scan a Single Host or Domain

The simplest Nmap scan will resolve the host name, ping it to check if it’s online, and scan the 1,000 most common TCP ports.

nmap scanme.nmap.org
# Or using an IP address:
nmap 192.168.1.10

2. Scan Multiple Targets

You can scan multiple separate targets by separating them with spaces.

nmap 192.168.1.10 192.168.1.20 scanme.nmap.org

3. Scan a Range of IP Addresses

Use a hyphen to scan a consecutive block of IP addresses.

nmap 192.168.1.1-15

4. Scan a Whole Subnet (CIDR Notation)

If you want to map all devices connected to a local subnet, use the CIDR notation. This scans all 256 possible IP addresses in the subnet.

nmap 192.168.1.0/24

5. Scan Specific Ports or Port Ranges

By default, Nmap scans the 1,000 most common ports. To scan specific ports, use the -p option.

# Scan only port 80 and 443 (HTTP/HTTPS)
nmap -p 80,443 192.168.1.10

# Scan a range of ports (e.g., 1 to 100)
nmap -p 1-100 192.168.1.10

# Scan all 65,535 TCP ports
nmap -p- 192.168.1.10

6. Perform a Fast Port Scan (-F)

If you are short on time, the -F flag instructs Nmap to scan only the top 100 most common ports. This makes the scan up to 10 times faster.

nmap -F 192.168.1.10

7. Ping Scan / Host Discovery (-sn)

If you only want to know which devices on a network are online (without scanning their ports), use the -sn option (previously -sP). This is also called a ping sweep.

nmap -sn 192.168.1.0/24

8. Stealthy TCP SYN Scan (-sS)

This is the default scan for privileged users. It is also known as a half-open scan because Nmap sends a SYN packet and waits for a SYN-ACK. If a SYN-ACK arrives, the port is marked open and Nmap immediately tears the connection down with an RST packet rather than completing the three-way handshake. Note: This requires administrator or root (sudo) privileges.

sudo nmap -sS 192.168.1.10

9. TCP Connect Scan (-sT)

If you do not have root or administrator privileges, Nmap will default to a TCP Connect Scan. It asks the host operating system to establish a full connection by completing the three-way handshake. This scan is easily logged by the target firewall or application.

nmap -sT 192.168.1.10

10. UDP Port Scan (-sU)

Many services use UDP instead of TCP (e.g., DNS, DHCP, SNMP). To scan for active UDP ports, use the -sU flag. UDP scans are typically much slower than TCP scans.

sudo nmap -sU 192.168.1.10

11. Detect Service Version (-sV)

If you want to know what software and version are running on open ports, use the -sV option. This helps security teams determine whether any services are outdated and affected by known vulnerabilities.

nmap -sV 192.168.1.10

12. Operating System (OS) Detection (-O)

Nmap can analyze the packet replies to fingerprint the target operating system. It compares the response characteristics to its database of thousands of operating systems.

sudo nmap -O 192.168.1.10

13. Perform an Aggressive Scan (-A)

The aggressive scan flag (-A) combines several useful features into one command. It enables:

  • Operating system detection (-O)
  • Service version detection (-sV)
  • Script scanning (-sC)
  • Traceroute

sudo nmap -A 192.168.1.10

14. Scan Targets from a Text File (-iL)

If you need to scan a large number of hosts that are not in a sequential range, you can write them down in a text file (one host or subnet per line) and pass it to Nmap using the -iL option.

Create a file called targets.txt:

192.168.1.5
192.168.1.22
192.168.1.50-60

Run the scan:

nmap -iL targets.txt

15. Save Nmap Scan Output to a File

You should always save your scan results for documentation and future reference. Nmap allows you to output to different file formats:

# Save in normal text format (readable by humans)
nmap -oN scan_results.txt 192.168.1.10

# Save in XML format (perfect for importing into other tools)
nmap -oX scan_results.xml 192.168.1.10

# Save in greppable format (ideal for command-line tools like grep/awk)
nmap -oG scan_results.gnmap 192.168.1.10

# Save in all three formats simultaneously
nmap -oA my_scan 192.168.1.10
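The XML format is the one to parse when you keep a baseline of your own hosts. The following added example (not from the Nmap project) reads two constructed -oX results for the same host and reports which ports became open, or stopped being open, since the baseline scan. The sample XML is trimmed to the elements the parser reads; the host, ports and versions in it are made up.

```python
import xml.etree.ElementTree as ET

# Constructed sample of Nmap's -oX output (not a real scan), trimmed to the
# elements the parser below reads: host/address, port/state and port/service.
BASELINE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX baseline.xml 192.168.1.10">
<host><status state="up"/><address addr="192.168.1.10" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open"/>
<service name="ssh" product="OpenSSH" version="8.9p1"/></port>
<port protocol="tcp" portid="80"><state state="open"/>
<service name="http" product="Apache httpd" version="2.4.52"/></port>
</ports></host></nmaprun>"""

# A later scan of the same host: port 80 is now filtered and 3306 has appeared.
CURRENT_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX current.xml 192.168.1.10">
<host><status state="up"/><address addr="192.168.1.10" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open"/>
<service name="ssh" product="OpenSSH" version="8.9p1"/></port>
<port protocol="tcp" portid="80"><state state="filtered"/></port>
<port protocol="tcp" portid="3306"><state state="open"/>
<service name="mysql" product="MySQL" version="8.0.36"/></port>
</ports></host></nmaprun>"""

def open_ports(xml_text: str) -> dict:
    """Map (host, protocol, port) to the service label -sV reported, open ports only."""
    inv = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue  # closed/filtered ports are not part of the inventory
            svc = port.find("service")
            fields = [svc.get(k) for k in ("name", "product", "version")] if svc is not None else []
            key = (addr, port.get("protocol"), int(port.get("portid")))
            inv[key] = " ".join(filter(None, fields)) or "unknown"
    return inv

def diff_scans(baseline_xml: str, current_xml: str):
    """Return (newly open, no longer open) ports relative to the baseline scan."""
    before, after = open_ports(baseline_xml), open_ports(current_xml)
    added = {k: v for k, v in after.items() if k not in before}
    removed = {k: v for k, v in before.items() if k not in after}
    return added, removed

if __name__ == "__main__":
    for tag, entries in zip(("NEW", "GONE"), diff_scans(BASELINE_XML, CURRENT_XML)):
        for (host, proto, port), label in sorted(entries.items()):
            print(f"{tag:4} {host} {port}/{proto} {label}")
```

Point the two constants at files written with -oX (or the .xml produced by -oA) to compare real scans of hosts you administer.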

16. Run Vulnerability Checks Using NSE (--script)

The Nmap Scripting Engine (NSE) is one of Nmap’s most powerful features. It allows users to write and share scripts to automate tasks like vulnerability checks, brute-forcing, and advanced host discovery.

# Run a scan using a category of scripts (e.g. "vuln" to look for vulnerabilities)
nmap --script vuln 192.168.1.10

# Run the default script set (equivalent to --script default)
nmap -sC 192.168.1.10

Advanced Tip: Bypassing Simple Firewalls

Basic firewalls often block incoming ping probes or SYN requests. Here are a couple of ways to troubleshoot filtered results:

  • Skip Ping Discovery (-Pn): Instructs Nmap to treat all target hosts as online. This is useful when firewalls block ping requests but allow connection attempts.
    nmap -Pn 192.168.1.10
  • Packet Fragmentation (-f): Sends the probes as small IP fragments, so the TCP header is spread across several packets. Simple packet filters and intrusion detection systems (IDS) that inspect fragments individually may not recognize the scan; filters that reassemble fragments before inspection are unaffected. This also needs raw-packet privileges.
    sudo nmap -f 192.168.1.10

Conclusion

Nmap is an indispensable tool in every network administrator and cybersecurity professional’s toolkit. By understanding how to install Nmap on Windows, Linux, and macOS, and learning basic scanning options like ping discovery, port targeting, OS identification, and NSE scripts, you can easily map and audit any network environment.

Once you have identified open HTTP/HTTPS ports, continue your security assessment by checking out our tutorials on the Nikto Web Server Scanner to check for server vulnerabilities, the Hydra Online Brute Force Tool to audit login portal credentials, or the OWASP ZAP Beginner Tutorial for web application vulnerability scanning.

Remember to always obtain permission before scanning targets on the internet or private networks. Stay curious, scan responsibly, and happy learning!
