How to nmap
Last updated: April 4, 2026
Key Facts
- Nmap was first released in 1997 by Gordon Lyon (Fyodor).
- It supports over 50 different scan types, including TCP SYN, TCP connect, UDP, and FIN scans.
- Nmap can detect over 1000 common protocols and services, and can identify versions of many applications.
- It's available for Linux, Windows, and macOS.
- Nmap scripts (NSE) extend its functionality for tasks like vulnerability detection and advanced discovery.
What is Nmap?
Nmap, short for Network Mapper, is a free and open-source utility for network exploration and security auditing. It's a versatile tool used by network administrators, security professionals, and even hobbyists to discover hosts and services on a computer network, thus creating a "map" of the network. Nmap is designed to be incredibly fast and easy to use, yet powerful enough to tackle complex network tasks. Its primary functions include discovering active hosts on a network, identifying open ports on those hosts, and determining the operating system and service versions running on them.
Why Use Nmap?
There are numerous reasons why someone might use Nmap:
- Network Inventory: System administrators can use Nmap to maintain an accurate inventory of devices and services on their network.
- Security Auditing: Security professionals use Nmap to identify potential vulnerabilities by discovering open ports and services that could be exploited. It helps in assessing the security posture of a network.
- Troubleshooting: Network issues can often be diagnosed by understanding which ports are open and what services are running.
- Service Version Detection: Nmap can often determine the specific software and version number of services running on open ports, which is crucial for patch management and vulnerability assessment.
- Operating System Detection: It can also attempt to identify the operating system of the target host.
How to Use Nmap: Basic Commands
Nmap is primarily a command-line tool. The basic syntax is:
nmap [Scan Type(s)] [Options] {Target Specification}
Let's break down some common use cases:
Scanning a Single Host
To scan a single IP address or hostname:
nmap 192.168.1.1
or
nmap example.com
This will perform a default scan, which usually includes a TCP SYN scan (if run with root/administrator privileges) or a TCP connect scan (if run as a normal user), checking the 1000 most common ports.
Scanning a Range of IPs
You can scan a range of IP addresses:
nmap 192.168.1.1-20
This will scan hosts from 192.168.1.1 to 192.168.1.20.
Scanning a Subnet
To scan an entire subnet (e.g., a class C network):
nmap 192.168.1.0/24
Scanning Specific Ports
By default, Nmap scans the 1000 most common ports. You can specify which ports to scan:
nmap -p 80 192.168.1.1
To scan a range of ports:
nmap -p 1-100 192.168.1.1
To scan all 65535 ports (this can take a long time):
nmap -p- 192.168.1.1
Scan Types
Nmap offers various scan types, each with different stealthiness and effectiveness:
- TCP SYN Scan (`-sS`): The default and most popular scan type for privileged users. It's fast and relatively stealthy because it never completes the TCP three-way handshake.
- TCP Connect Scan (`-sT`): The default for unprivileged users. It completes the TCP connection, making it less stealthy but often more reliable.
- UDP Scan (`-sU`): Used to scan UDP ports. UDP scans are slower than TCP scans.
- FIN Scan (`-sF`), Xmas Scan (`-sX`), Null Scan (`-sN`): These are stealthier scans that rely on specific TCP flag combinations to infer port states. They are less reliable against some operating systems.
Service and Version Detection (`-sV`)
To attempt to determine the service and version running on open ports:
nmap -sV 192.168.1.1
Operating System Detection (`-O`)
To attempt to detect the operating system of the target:
nmap -O 192.168.1.1
Note: OS detection requires root/administrator privileges.
Aggressive Scan (`-A`)
An aggressive scan enables OS detection, version detection, script scanning, and traceroute:
nmap -A 192.168.1.1
Output Formats
Nmap can output results in various formats:
- Normal Output (`-oN`): Standard human-readable format.
- Grepable Output (`-oG`): Useful for parsing with tools like grep.
- XML Output (`-oX`): Structured format suitable for programmatic processing.
- All Formats (`-oA`): Outputs in normal, grepable, and XML formats.
Example:
nmap -oN output.txt 192.168.1.1
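The XML format is the one to use when results feed another tool. The following is an added example, not from the original page or the Nmap project: it parses constructed sample `-oX` output into per-host port records and flags open ports running services that a hypothetical inventory policy forbids. The addresses, products and versions in the sample are invented.

```python
import xml.etree.ElementTree as ET

# Constructed sample of what `nmap -sV -oX scan.xml 192.168.1.1-20` writes (values invented).
SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 192.168.1.1-20" version="7.94">
  <host><status state="up" reason="syn-ack"/>
    <address addr="192.168.1.1" addrtype="ipv4"/><ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="9.6p1"/></port>
      <port protocol="tcp" portid="443"><state state="open" reason="syn-ack"/>
        <service name="http" product="nginx" version="1.24.0" tunnel="ssl"/></port>
    </ports></host>
  <host><status state="up" reason="echo-reply"/>
    <address addr="192.168.1.7" addrtype="ipv4"/><ports>
      <port protocol="tcp" portid="23"><state state="open" reason="syn-ack"/>
        <service name="telnet"/></port>
      <port protocol="tcp" portid="445"><state state="filtered" reason="no-response"/>
        <service name="microsoft-ds"/></port>
    </ports></host>
  <host><status state="down" reason="no-response"/>
    <address addr="192.168.1.9" addrtype="ipv4"/></host>
</nmaprun>"""

# Hypothetical policy: cleartext login/file-transfer services that must not be exposed.
DISALLOWED = {"telnet", "ftp"}


def parse_nmap_xml(xml_text):
    """Map each host that is up to [(port, proto, state, service, product, version), ...]."""
    hosts = {}
    for host in ET.fromstring(xml_text).findall("host"):
        status = host.find("status")
        addr = host.find("address[@addrtype='ipv4']")
        if status is None or status.get("state") != "up" or addr is None:
            continue  # down hosts carry no <ports> element
        records = []
        for port in host.findall("ports/port"):
            svc = port.find("service")
            a = svc.attrib if svc is not None else {}  # -sV may not identify every port
            records.append((int(port.get("portid")), port.get("protocol"),
                            port.find("state").get("state"),
                            a.get("name", ""), a.get("product", ""), a.get("version", "")))
        hosts[addr.get("addr")] = records
    return hosts


def disallowed_services(hosts, disallowed=DISALLOWED):
    """Return (ip, port, service) for every open port running a disallowed service."""
    return [(ip, port, svc) for ip, recs in hosts.items()
            for port, _, state, svc, _, _ in recs if state == "open" and svc in disallowed]
```

Filtered ports are reported but not counted as exposures, and hosts Nmap marked down are skipped because they carry no port data.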
Nmap Scripting Engine (NSE)
NSE allows users to write and share scripts to automate a variety of networking tasks, from advanced vulnerability detection to network discovery. Scripts are categorized and can be run using the `-sC` (default scripts) or `--script` option.
Example:
nmap --script vuln 192.168.1.1
Ethical and Legal Considerations
It is crucial to understand that using Nmap on networks or systems without explicit permission is illegal and unethical. Unauthorized scanning can be construed as a reconnaissance phase of a cyberattack. Always ensure you have proper authorization before scanning any network that you do not own or manage.
Installation
Nmap is available for Linux, Windows, and macOS. Installation methods vary:
- Linux: Usually available through package managers (e.g., `sudo apt install nmap` on Debian/Ubuntu, `sudo yum install nmap` on Fedora/CentOS).
- Windows/macOS: Download installers from the official Nmap website (nmap.org).
By mastering Nmap, you gain a powerful tool for understanding and securing your network environment, but always remember to use it responsibly and legally.