nmap: Useful Command Examples


If you have not worked on security issues you probably need to submit to nmap, otherwise you do not need presentations. For those who do not know him yet, say that nmap is a very practical open source tool. It is used to track ports, services and other information on a remote machine. It was originally written by Gordon Lyon, although today a large community participates in its development.

Thanks to her you can test the security of various computer systems, discovering services or computers connected to a network to try to get information about them and see some possible vulnerabilities or entry points. To make this possible, this tool written in various programming languages ​​will send a series of defined network packets to other computers on the network and analyze their responses ...

The number of options you have is very large. Therefore it can also offer a large number of functions. You can even use the various parameters that you can pass to the command to adapt to different types of latency and congestion, evade certain barriers, and perform various types of scans which we will now analyze.

Practical nmap examples

Nmap it is a very complex tool, and its use is not explained from the beginning, but I am going to show some very interesting real practical examples. To do this, I am going to create several categories and in each one of them explain some application cases. In addition, I also do not explain how this tool is installed, which is not usually installed by effect in most GNU / Linux distributions, only in those intended for security such as Kali Linux, Parrot OS Security, etc.

Be patient, sometimes it can show data very quickly, in other cases it could take a while to show it. So do not despair, even if it seems that the tool is not doing anything, it will be analyzing. You can have a coffee while or do something to distract yourself ... But in the end, it will pay off.

Also, I recommend that you use virtual machines or your own home devices to avoid problems. Practice with that and you will not be tempted to get into bigger problems ... From LxA we are not responsible for what you use it for.

If you're not too fond of working with the command line, you have the option of using Zenmap, an official GUI for this project, to make things a bit easier ...

Ping sweep

Some examples to perform a ping sweep with nmap, that is, a method to establish the range of IPs that are assigned to the hosts. In other words, for discover devices online within a network or range. To do this, you just have to run the following command (both are equivalent):

nmap -sP

nmap -sn

But if what you want is to discover all the hosts of a class C network, you can modify the previous command and execute it in this other way:

nmap -sP 192.168.0.* 

El * is a wildcard character, that is, it represents any value. But you can also filter or tune a bit more by using host names (eg: server1.example.com), specific IP addresses, ranges (eg:, a subnet (eg: .

Define ports on the scanner

To define ports with nmap, you can use the -p flag followed by the specific port number that you want to analyze or also a list of ports separated by commas to do it over several:

nmap -p 80, 21 192.168.0.* 

You can also specify ranges, as it happened with the IPs, for this, you can use the script to define the beginning and end of the scan:

nmap -p 21-80 linuxadictos.com

And you can use ranges of IPs and ports at the same time, even various sections of ranges, the truth is that the combinations are quite large. Use your imagination, but here is another example of it:

nmap -p 21-23,1000-2000 

The previous command would search only between ports 21 and 23, 100 to 2000 and skip the rest of the ports. With somewhat similar IPs, from 1 to

ARP scanner

A scanner with the ARP protocol it can be done quite easily. You can do it normal or without ARP as I show in these two examples respectively:

nmap -sP -PR 192.168.*.*
nmap -sn --disable-arp-ping 192.168.0.*

Again I repeat, with this kind of fast and reliable polling For ARP, you can also play with port ranges, IP ranges, domain names, etc. You can combine them as you please ...

FIN scanner

It's a more aggressive probing. You already know that there are three fundamental types of scanning, the NULL (-sN), FIN (-sF) and Xmas (-sX). The first does not set any bit, the TCP header flag is 0. In the second case, which is the one we are interested in for this example, the FIN bit is used. In the latter case, the FIN, PSH and URG flags are used.

A Pair of examples with END are:

nmap -sF -T4 
nmap -sF -T2

By the way, -T is to specify Timing templates. The names are paranoid or 0, sneaky or 1, polite or 2, normal or 3, aggressive or 4 and insane or 5. You can specify the one you need at all times, for example -T4 is recommended for a local network. That can be depending on whether you want to evade certain defense mechanisms, depending on the bandwidth, etc.

NULL scanner

The following scanner type: NULL. Examples of how this type of probing would be done:

nmap -v -sN -p 8080 server1.ejemplo.com
nmap -sN -T5

As you see in those examples, you can also use the templates that I mentioned before ... I don't want to be repeated, but you already know that you can combine the options and parameters as you want, with enough flexibility.

Remember that both NULL, XMAS and FIN cannot distinguish between open and filtered ports in many settings. To help nmap distinguish them, you can use the -sV option:

nmap -sN -T2 -sV -p 80,21,23

Xmas scanner

The "Christmas" poll

nmap -sX -T2 -v2 -p 80

In this case I have introduced another new variable, and it is -v, which specify the level of detail what do you want. In this case it is 2, instead of the normal verbose mode that would be with -v. It can be applied to the above commands too if you need.

More examples with nmap

Apart from the above, you can also use others from the huge number of options that nmap has. For example, if you want discover the type of operating system In a poll, you can use the -O option:

nmap -sV -O -v 

On the other hand, you have to know that nmap can use a number of scripts very practical that can further extend your capabilities and find, for example, vulnerabilities. To update the nmap script base use:

nmap --script-updatedb 

For, use these scripts, you can do the following:

nmap -f -sS -sV --script auth

Note that I have used auth, but you can use more options:

  • auth: run all your scripts available for authentication
  • default: run the scripts basic default tool
  • discovery: retrieves information from target or victim
  • external: script to use external resources
  • intrusive: uses scripts that are considered intrusive to the victim or target
  • malware: check for open connections due to malicious code or backdoors (back doors)
  • safe: run scripts that are not intrusive
  • vuln: discover the most known vulnerabilities
  • there: executes absolutely all scripts with NSE extension available

You can also use specific scripts to discover a specific vulnerability. For example the SMB ms08-067:

nmap -p 445 --script smb-vuln-ms08-067 192.168.4.*

The amount of tools available as you can see are very numerous. Another option, and with this I am done, would be to check if it is vulnerable to an attack by brute force against SSH protocol:

nmap --script ssh-brute.nse

Learn More

For, more information, you can use the man command in your distro and also this other online manual. There you will find everything you need to know about this complex tool.

man nmap

However, I hope these examples help you, you already know that you can leave your comments...

The content of the article adheres to our principles of editorial ethics. To report an error click here!.

4 comments, leave yours

Leave a Comment

Your email address will not be published.



  1. Responsible for the data: AB Internet Networks 2008 SL
  2. Purpose of the data: Control SPAM, comment management.
  3. Legitimation: Your consent
  4. Communication of the data: The data will not be communicated to third parties except by legal obligation.
  5. Data storage: Database hosted by Occentus Networks (EU)
  6. Rights: At any time you can limit, recover and delete your information.

  1.   Ivan said

    Excellent post, I congratulate you ...

    You should consider making one for IPv6 as nmap sample information is scarce.

  2.   LEO said

    Good afternoon.

  3.   Alfred said

    I have only recently started researching NMAP, I already had the opportunity to take a few
    security courses and they address NMAP but your explanation was clearer than in the
    Excellent information, thanks.

  4.   A3RCR3A said

    Good post: D
    Greetings from Chile

bool (true)