How to use Nmap: Full tutorial

How to use Nmap full tutorial

In this article I am going to show you how to use Nmap with a full tutorial. Many new users install Nmap but they don't know much about how to use Nmap. Before getting started we must know what is Nmap and what is Nmap Used for. So without wasting time let's get started.

1. What is Nmap?

Nmap stands for Network Mapper. Basically, Nmap is an open-source network exploration and security tool. It was designed to quickly scan large networks, although it does a great job with single targets.

Nmap uses raw IP packets in original ways to determine which hosts are available on the network, which services (application name and version) they offer, which operating systems (and OS versions) they use, what types of packet filters/firewalls are used, and dozens of other characteristics.

Nmap is available For Windows, Linux, Mac OS X, Free BSD, Sun Solaris, Amiga, HP-UX, and Other Platforms.

2. What is Nmap used for?

Nmap is typically used for security checks, Finding Vulnerabilities in the system, many network and system administrators find it useful for common tasks, such as monitoring network structure, managing service startup schedules, and accounting for the host or service uptime.

Nmap was originally written by Gordon Lyon.

3. Nmap Basic Commands

In this section, I am going to show you some basic Nmap Commands and what is the use of these Nmap commands.


3.1 Scanning a simple host or IP address

Scan a simple IP Address


Scan Host by name

nmap <target website>

scan the IP  in verbose mode (more information)

nmap -v

With the help of the above commands, you will able to perform a basic scan on a specific network. In Nmap -v stands for verbose mode. If you enable this mode by typing -v then Nmap will give you more information on the terminal screen about the scan.

3.2 Scan multiple IP addresses or subnet


The above command will scan multiple IP addresses that are mentioned above. You can replace these IP addresses and put your own IP address of the system.


The above command will work similarly to the previously mentioned command.

scan a range of IP addresses


The above Nmap command will scan the range of specified IP address starting from to

scan a range of IP addresses using a wildcard

nmap 192.168.10.*

The above command will scan all 256 IP addresses starting from to

Scan the Entire Subnet


The above command will scan the entire subnet.

3.3 Host, IP Address Exclusion

nmap --exclude

nmap --exclude,

The above command will exclude the unnecessary host or IP address from the scan. You can exclude any host/IP by using --exclude command.

3.4 Determine OS and software version

nmap -A

nmap -v -A

The above command will Enable OS detection, version detection, script scanning, and traceroute. By using -A command you can easily determine the Operating system and software version of the system.

Don't get confused with -v. The use of -v is to print more detail about the scan on the Terminal window.

3.5 Find out if the host/network is protected by a firewall

nmap -sA

nmap -sA <Target Website>

The above command will help you to find out the network is protected by a firewall or not. This command is very important you must use this command first to detect the firewall in order to avoid any ban on your IP address.

3.6 Scanning Host with Firewall Protection

nmap -Pn

nmap -Pn <Target Web>

The above command will scan a particular host with firewall protection.

3.7 Scanning IPv6 Host/IP

nmap -6 2402:3a80:891:dd8d:df95:d2fc:ff6d:4760

nmap -6 <Target Web>

nmap -v -A -6 2402:3a80:891:dd8d:df95:d2fc:ff6d:4760

The above command will scan IPv6 of the target system. -6 is used to scan IPv6 of the target system.

3.8 Perform the quick scan with Nmap

nmap -F -v

The above command will perform the quick scan. -F is used to perform a quick scan. Nmap scans fewer ports than the default in a quick scan.

My recommendation is don't use this command until you are confident about the specific port is the default. Because Nmap will scan only Important ports in this can and all the remaining ports will be ignored.

3.9 Scan a specific port using nmap

nmap -p <port> <hostname> 

Scan port 8080

nmap -p 8080

The above nmap command will scan port 8080 on host

Scan TCP Port 8080

nmap -p T:8080

The above nmap command will scan TCP port 8080 on host

Scan UDP Port 50

nmap -p U:50

The above nmap command will scan UDP port 50 on host

Scan multiple Ports

nmap -p 8080,443,80,3059

The above nmap command will scan ports 8080,443,80,3059 on host

Scan port range

nmap -p 50-400

The above command will tell the Nmap to scan port range 50 to 400 on host

Combination of all option

nmap -p U:50,53,130,T:20-40,80,5309,8080

nmap -p U:50,53,130,T:20-40,80,5309,8080 <Target Web>

The above command will tell Nmap to scan UDP port 50,53,130 and TCP port range from 20 to 40 including ports 80,5309,8080 on host

Scan all ports

nmap -p "1-"

The above command will tell Nmap to scan all ports on host

Show only open ports

nmap --open

nmap --open <Target Web>

The above command will show only ports that are open on the host.

Scan ports with the highest ratings (the most common), the rating is indicated by an integer greater than 1

nmap --top-ports 5

nmap --top-ports 10

The above command will scan the only top and necessary port.

The fastest way to scan all host/IP for open ports.

nmap -T5

3.10 Find out remote operating system using Nmap

nmap -O

nmap -O --osscan-guess

nmap -v -O --osscan-guess

The above command will tell Nmap to find out which operating system is running on host Don't be confused with the above 3 commands. The work of all three commands is the same.

3.11 Find out service version of remote service

nmap -sV

The above Nmap command will find which service version is running on the host.

3.12 Show all sent and received packets

nmap --packet-trace

nmap --packet-trace <Target Web>

3.13 Scan host using TCP ACK (PA) and TCP Syn (PS) ping

nmap -PS

nmap -PS 8080,21,443

nmap -PA

nmap -PA 8080,21,200-400

If the firewall blocks standard ICMP pings, try the following host discovery methods that I mentioned in the above commands.

3.14 Scan host using IP protocol ping

nmap -PO

The above command will scan the host using IP protocol ping.

3.15 Scan host using UDP ping

nmap -PU

The above Nmap command will help you to scan the host using UDP ping. The benefit of scanning with UDP ping is that it can bypass firewalls and filters that reflect only TCP.

3.16 Discover the Most Used TCP Ports Using TCP SYN Scan

The default scans faster and less noticeable.

nmap -sS

You can say that the above scan is a default scan and it is less noticeable by the firewalls.

Check the most popular TCP ports using TCP connection scan

nmap -sT

This command checks the most popular TCP port using TCP connection. If a firewall is present on the host then it can block your IP because it is noticeable and slow.

Check for the most common TCP ports using TCP ACK scan

nmap -sA

The command scan the most common TCP ports using a TCP ACK scan.

Check for the most common TCP ports using Window Scan

nmap -sW

The above command scan the most common TCP ports using a windows scan.

Check for the most common TCP ports using TCP Maimon scanning

nmap -sM

The above command scans the most common TCP port using the Maimon scanning method.

3.17 Host Scan UDP Services (UDP Scan)

The most popular services on the Internet use the TCP protocol. DNS, SNMP, and DHCP are the three most popular UDP services. Use the following syntax to define UDP services:

nmap -sU

nmap -sU <Target Web>

The above command will help you to scan UDP ports.

3.18 IP Protocol Scan

This type of scan allows you to determine which IP protocols (TCP, ICMP, IGMP, etc.) are supported on the target machine:

nmap -sO

3.19 Firewall scan for security issues

The following scan types use a thin loophole in TCP and are good for testing the security of common attacks:

Scan TCP Null to fool a firewall into generating a response

Does not set any bits (TCP header flag 0)

nmap -sN

TCP Fin Scan to check the firewall

nmap -sF

Xmas TCP Scanning for Firewall Verification

nmap -sX

The above command Sets FIN, PSH, and URG flags decorating packages like a Christmas tree.

3.20 Scanning a firewall with packet fragments

The -f option causes the requested scan (including ping scan) to use fragments of IP packets. The idea of ​​splitting the TCP header into several packets is to make it harder for filters, intrusion detection systems, and other troubles to figure out what you are doing.

nmap -f

nmap -f <Target Web>

nmap -f 15 <Target Web>

Set your own offset size with the --mtu option

nmap --mtu 32

3.21 Masking Scans using Dummy hosts

Scanning using dummy hosts; in this case, the scan target considers that the dummy hosts that you specify also scan it. Although the target IDS can report that 5-10 port scans were performed from each IP address, the system will not be able to find out which of these IP addresses the scan was actually done and which were only harmless traps:

nmap -n -D <ip1>,<ip2>,<your IP>,<IP3>,<IP4> host


nmap -n -D,,,,

3.22 Firewall scan with MAC address spoofing

MAC address spoofing

nmap --spoof-mac MAC-ADDRESS-HERE

Add other options

nmap -v -sT -Pn --spoof-mac MAC-ADDRESS-HERE

Use random MAC address

The number 0 means nmap will choose a completely arbitrary MAC address

nmap -v -sT -Pn --spoof-mac 0

3.23 Save output to a text file

nmap > output.txt

nmap -oN /path/to/filename

nmap -oN output.txt

3.24 Nmap NSE Scripts

If you use Nmap, it is highly likely that NSE scripts worked for you even if you did not explicitly run them. NSE scripts are used, for example, when you use Nmap to determine the version of a remote service or OS.

If you want to load any particular script from Nmap then --script command is used.

For example:

nmap --script "http-*"

The above command will load all scripts whose name starts with http-, such as http-auth and http-open-proxy. The argument to --script had to be in quotes to protect the wildcard from the shell.

Hence the Usage of basic Nmap Script is completed. Now time to answer some Frequently asked questions.

4. Is Nmap illegal?

If you have written permission of the system owner to use Nmap for finding open ports and vulnerabilities in the system. Then the usage of Nmap is Legal. Or If you want to test your own network to secure your network then the usage of Nmap is legal.

If you are using Nmap to find vulnerabilities in the system without the written permission of network administrator then the usage of Nmap is illegal.

Nmap can be legal or illegal depending on the situation that I mentioned above.

4.1 Some frequently asked questions on Google:

Q1. How do I run a Nmap Scan?

Answer: Please read the above article. We have mentioned Most of the Nmap command, and how to use those Commands to run different types of scans.

Q.2 Why is port scanning dangerous?

Answer: A port scan help an attacker to find the open ports. Once the attacker finds an open port running listening service then an attacker can scan it for vulnerabilities. 

Q.3 What is difference between Nmap and Wireshark?

Answer: Nmap allows you to scan Host/IP for open port and to discover services and OS on the system. While Wireshark is used to capture and analyze network packets.

5. Conclusion

Nmap is not that much difficult to use that you are thinking. You must give your time to learn Nmap because Nmap offer efficient and quick way to audit your system.

Nmap is used by most Cyber Security experts and Researches. If you are interested in Cyber Security and Ethical Hacking then Learning Nmap is a must.

You Might Also Like:

Post a Comment

Previous Post Next Post