If you have ever used Linux as the operating system for your computer, you know that it offers zillions of Nmap commands and command lines to choose from. Each one is specialized and preferred for a particular task. Here we will be talking about one of those Nmap commands in Linux or network mapper. What is Nmap and how to use Nmap you ask, it is an open-source Linux command line used for network exploration and security editing.

  1. What is Nmap used for?
  2. What are Nmap commands and various types of Nmap basic commands
  3. How do I run a Nmap scan?

1) What is Nmap used for?

To keep a check on the real-time information of the network 

To check the number of ports, open in the network 

To scan ports, operating system, and host 

To avail, detailed information of all the IPs activated on your network 

To obtain the list of live hosts 

Now that we know what Nmap is used for, let us look at the Nmap command list: 

2) What are Nmap commands and various types of Nmap basic commands?

1. Scan IP ranges

You use Nmap to search the whole set of CIDR IPs, such as:

            Nmap -p

2. Scan the most popular ports 

Using the “–top-ports” parameter along with a specific number lets you scan the top X most common ports for that host, as we can see:

Nmap –top-ports 20

3. Scan for open ports 

By IP address as well as by domain name, Nmap will show open services and ports.

Nmap -F

4. Scan multiple hosts 

Instead of scanning a single host at once, Nmap can scan several locations at once. This is beneficial for more comprehensive network infrastructures. There are many options to search for multiple locations at once, based on how many locations you need to investigate.


5. Exclude a host from the search

You may want to pick a whole community (such as a whole subnet) when avoiding a single host while scanning a network.

nmap 192.168.0.* –exclude

With the the-exclude flag, you may exclude those hosts from your quest.

nmap 192.168.0.* –excludefile /file.txt

By using the exclude flag and connecting to a particular file, you can also exclude a list of hosts from your search. The best way to remove numerous hosts from your quest is to do this.

6. Scan to find firewall settings

          During penetration testing and vulnerability scans, identifying firewall settings can be helpful. To detect firewall settings across the specified hosts, several functions can be used, but the -sA flag is the most common.

           nmap -sA

Using the sA flag will let you know if a firewall on the host is working. To obtain the data, it uses an ACK scan.

7. Scan to find out operating system information

Nmap can also include operating system detection, script scanning, traceroute, and version detection, in addition to general information. It is important to remember that Nmap will do its best to distinguish things like versions and operating systems, but it may not always be absolutely precise.

Nmap -A

You can discover the operating system details of the mapped hosts by entering the -A flag on your Nmap button. In conjunction with other Nmap commands, the -A flag may be used.

8. Scan to find information about service versions

At times, from open ports, you can need to detect service and version information. This is helpful for troubleshooting, vulnerability testing, or finding services that need to be changed.

nmap -sV

9. Scan from a file

If you have a long list of IP addresses and you need to scan through them, you can simply import the file that has these addresses through a command line. 

Nmap -iL /file.txt 

This will give a for IP addresses present in the file. Along with scanning, you can also use other commands and flags. This is useful when the hosts need references.

nmap -sP

10. Scan using TCP or UDP protocols

The fact that it functions on both TCP and UDP protocols is one of the things we love most about Nmap. And although most services run on TCP, the scanning of UDP-based services can also give you a great advantage. Let’s find out any cases.

Standard TCP scanning output:

[root@securitytrails:~]nmap -sT

Starting Nmap 7.60 ( ) at 2018-10-01 09:33 -03

Nmap scan report for

Host is up (0.58s latency).

Not shown: 995 closed ports


80/tcp open http

1900/tcp open upnp

20005/tcp open btx

49152/tcp open unknown

49153/tcp open unknown

Nmap done: 1 IP address (1 host up) scanned in 1.43 seconds

UDP scanning results using “-sU” parameter:

[root@securitytrails:~]nmap -sU localhost

Starting Nmap 7.60 ( ) at 2018-10-01 09:37 -03

Nmap scan report for localhost (

Host is up (0.000021s latency).

Other addresses for localhost (not scanned): ::1

Not shown: 997 closed ports


68/udp open|filtered dhcpc

111/udp open rpcbind

5353/udp open|filtered zeroconf

11. Launch DOS with nmap

We found that the host was vulnerable to Slowloris attack in our previous example (#12), and now we will try to exploit that weakness by launching a DOS attack in a loop forever:

nmap -max-parallelism 800 -Pn –script http-slowloris –script-args http-slowloris.runforever=true

12. Detect malware infections on remote hosts 

It is possible to perform a typical malware scan by using:

nmap -sV –script=http-malware-host

13. Get help

You may use a tag to get context-based information if you have any questions about Nmap or any of the given commands. 

nmap -h

The -h tag will display a support screen for Nmap commands, including information about the open flags. 

14. Scan to find active servers 

If you want to find out the number and identity of active servers on the network, this command can be used. The tag ‘-sP’ helps in locating machines, ensuring that machines respond or that unexpected machines are detected across the network

nmap -sP

15. Save Nmap scan results to a file 

Save/export our data to a text file:

Nmap -oN output.txt

3) How do I run a Nmap scan?

After understanding the variety of commands, you can run with the Nmap tool, let us take some time to understand how do we run Nmap scan on our network 

  1. Install Nmap from to get started 
  2. Launch command prompt 
  3. Type in nmap [hostname] or nmap [ip_address] to start a default scan 


You will easily discover information about ports, paths, and firewalls with the proper Nmap commands. For a system administrator, Nmap has many configurations and flags to explore. In addition to being able to run in a veiled fashion, initiate decoys, and search for possible vulnerabilities actively and rapidly.

So, have you made up your mind to make a career in Cyber Security? Visit our Master Certificate in Cyber Security (Red Team) for further help. It is the first program in offensive technologies in India and allows learners to practice in a real-time simulated ecosystem, that will give them an edge in this competitive world.



Are you ready to build your own career?