How to nmap in kali linux
Content on WhatAnswers is provided "as is" for informational purposes. While we strive for accuracy, we make no guarantees. Content is AI-assisted and should not be used as professional advice.
Last updated: April 4, 2026
Key Facts
- Nmap was first released in 1997 by Gordon Lyon (Fyodor).
- It supports over 570 firewall/IDS evasion techniques.
- Nmap can detect over 2,000 different port states, far beyond the basic open, closed, and filtered.
- Over 1 million downloads have been recorded.
- Nmap Scripting Engine (NSE) allows users to write and share scripts for automating a wide variety of networking tasks.
What is Nmap?
Nmap, short for Network Mapper, is a free and open-source utility for network exploration and security auditing. It is widely used by network administrators for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. Security professionals use Nmap to perform penetration testing and vulnerability scanning. Its versatility and power have made it a standard tool in the cybersecurity and network administration fields.
Why is Nmap Popular in Kali Linux?
Kali Linux is a Debian-derived Linux distribution specifically designed for digital forensics and penetration testing. It comes pre-installed with a vast array of security tools, and Nmap is one of the most fundamental and frequently used among them. The ease of access within Kali Linux makes it a preferred environment for learning and practicing Nmap techniques.
Basic Nmap Usage
The most basic Nmap scan involves specifying the target. The target can be an IP address, a hostname, or even a range of IP addresses.
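The target notations this section introduces (a single address, a comma-separated list, an octet range such as 192.168.1.1-10, a CIDR block such as 192.168.1.0/24) are easiest to trust once you can see the exact address list they cover, so a scope can be checked against an authorization before any packet is sent. The POSIX shell script below is an added example written for this page, not code from the Nmap project or the original article. It expands those notations the way Nmap does, including a range in any octet and the network and broadcast addresses of a CIDR block (Nmap scans those by default). Hostnames are echoed unchanged because no DNS lookup is performed; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the page): expand Nmap-style target expressions into
# the explicit IPv4 addresses they cover. Handles single addresses,
# comma-separated lists, per-octet ranges (192.168.1.1-10, 10.1-2.3.4-5)
# and CIDR blocks (192.168.1.0/24). Hostnames are passed through unchanged.

# expand_octet: print every value an octet expression covers ("7", "1-10", "*").
expand_octet() {
    case "$1" in
        '*')  lo=0;       hi=255 ;;
        *-*)  lo=${1%-*}; hi=${1#*-} ;;
        *)    lo=$1;      hi=$1 ;;
    esac
    i=$lo
    while [ "$i" -le "$hi" ]; do
        echo "$i"
        i=$((i + 1))
    done
}

# expand_range_spec: expand a dotted address whose octets may be ranges,
# e.g. 192.168.1-2.1-3 -> 6 addresses (Nmap allows a range in any octet).
expand_range_spec() {
    o1=${1%%.*}; rest=${1#*.}
    o2=${rest%%.*}; rest=${rest#*.}
    o3=${rest%%.*}; o4=${rest#*.}
    for a in $(expand_octet "$o1"); do
        for b in $(expand_octet "$o2"); do
            for c in $(expand_octet "$o3"); do
                for d in $(expand_octet "$o4"); do
                    echo "$a.$b.$c.$d"
                done
            done
        done
    done
}

# expand_cidr: expand a.b.c.d/bits to every address in the block, including
# the network and broadcast addresses, which Nmap also scans by default.
expand_cidr() {
    ip=${1%/*}; bits=${1#*/}
    savedifs=$IFS; IFS=.; set -- $ip; IFS=$savedifs
    n=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    size=$(( 1 << (32 - bits) ))
    start=$(( n & ~(size - 1) ))    # clear host bits to get the network address
    end=$(( start + size - 1 ))     # broadcast address
    i=$start
    while [ "$i" -le "$end" ]; do
        echo "$(( (i >> 24) & 255 )).$(( (i >> 16) & 255 )).$(( (i >> 8) & 255 )).$(( i & 255 ))"
        i=$((i + 1))
    done
}

# expand_targets: accept one or more Nmap target arguments (each possibly a
# comma-separated list) and print one address per line.
expand_targets() {
    for arg in "$@"; do
        oldifs=$IFS; IFS=,
        for t in $arg; do
            IFS=$oldifs
            case "$t" in
                */*)          expand_cidr "$t" ;;
                *[!0-9.*-]*)  echo "$t" ;;        # hostname: no expansion done here
                *)            expand_range_spec "$t" ;;
            esac
        done
        IFS=$oldifs
    done
}

# Usage: expand_targets 192.168.1.1-10 192.168.1.0/24 example.com | sort -u
```

Piping the result through `sort -u` and diffing it against the authorized address list is the practical check; anything outside that list should be removed from the target expression (or excluded) before the scan is run.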
nmap 192.168.1.1
nmap example.com
To scan multiple hosts, you can use a comma-separated list or a range:
nmap 192.168.1.1,192.168.1.5
nmap 192.168.1.1-10
You can also specify a subnet using CIDR notation:
nmap 192.168.1.0/24
Common Nmap Scan Types
Nmap offers various scan types, each with different purposes and levels of stealth:
- TCP SYN Scan (-sS): This is the default scan type when Nmap runs with raw-socket privileges (root) and the most popular one. It's often called a "half-open" scan because it doesn't complete the TCP connection. It sends a SYN packet and waits for a SYN/ACK (port open) or RST (port closed) response. It's fast and relatively stealthy.
- TCP Connect Scan (-sT): This scan completes the full TCP connection. It's less stealthy than a SYN scan but is used when the user lacks raw socket privileges (e.g., not running as root).
- UDP Scan (-sU): Used to scan for open UDP ports. UDP scanning is slower than TCP scanning because UDP is a connectionless protocol, and responses are not guaranteed.
- Ping Scan (-sn): This scan determines which hosts are online without performing port scans. It's useful for quickly discovering live hosts on a network.
- Version Detection (-sV): Attempts to determine the service and version number running on open ports.
- OS Detection (-O): Attempts to determine the operating system of the target.
- Aggressive Scan (-A): Enables OS detection, version detection, script scanning, and traceroute. It's a comprehensive but noisy scan.
Using Nmap Scripting Engine (NSE)
The Nmap Scripting Engine (NSE) allows users to write and share scripts to automate a wide variety of networking tasks, including advanced vulnerability detection, backdoor detection, and more. NSE scripts are written in the Lua programming language.
To run scripts, use the -sC option (runs the default script set) or select scripts or script categories with --script:
nmap -sC 192.168.1.1
nmap --script vuln 192.168.1.1
Advanced Nmap Options
Nmap has a vast number of options for fine-tuning scans:
- Timing (-T0 to -T5): Controls the speed of the scan. -T0 is very slow and stealthy, while -T5 is very fast but more prone to detection and errors. -T4 is a common balance.
- Port Specification (-p): Allows you to specify which ports to scan. You can list individual ports, ranges, or use shortcuts like -p- for all 65535 ports.
- Output formats (-oN, -oX, -oG, -oA): Save scan results in various formats: Normal (-oN), XML (-oX), Grepable (-oG), or All formats (-oA).
- Verbosity (-v, -vv): Increases the amount of information Nmap displays during a scan.
Example of a Comprehensive Scan
A common advanced scan might look like this:
sudo nmap -sV -sC -O -p- -T4 -oA scan_results 192.168.1.1
This command performs:
- sudo: Required for some scan types like SYN scan and OS detection.
- -sV: Version detection.
- -sC: Default script scanning.
- -O: OS detection.
- -p-: Scan all 65535 TCP ports.
- -T4: Aggressive timing template.
- -oA scan_results: Save output in all formats (normal, XML, grepable) with the base filename 'scan_results'.
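The -oA option above leaves a scan_results.gnmap file in the grepable format that the output-formats list mentions, and that format is what makes a large scan easy to post-process: one line per host, tab-separated fields, and each port entry written as port/state/protocol/owner/service/rpcinfo/version/. The script below is an added example written for this page, not code from the Nmap project or the original article. It embeds a constructed .gnmap sample (not captured from any real scan; the hosts, services and version strings are made up) and extracts the ports in a given state, which is the usual first step whether you are inventorying your own network or reviewing what an authorized scan found. The function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the page): pull ports out of Nmap's grepable output
# (-oG, or the .gnmap file written by -oA). The sample below is constructed
# for this example, not captured from a real scan.

# sample_gnmap: emit a constructed -oG file. Fields are tab-separated and each
# port entry reads port/state/proto/owner/service/rpcinfo/version/.
sample_gnmap() {
    printf '%s\n' '# Nmap 7.94 scan initiated Sat Apr  4 10:00:00 2026 as: nmap -sV -oA scan_results 192.168.1.0/24'
    printf '%s\t%s\n' 'Host: 192.168.1.1 ()' 'Status: Up'
    printf '%s\t%s\t%s\n' 'Host: 192.168.1.1 ()' \
        'Ports: 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/open/tcp//http//nginx 1.18.0/, 443/closed/tcp//https///' \
        'Ignored State: filtered (997)'
    printf '%s\t%s\n' 'Host: 192.168.1.5 ()' 'Status: Up'
    printf '%s\t%s\t%s\n' 'Host: 192.168.1.5 ()' \
        'Ports: 3306/open/tcp//mysql//MySQL 8.0.36/, 445/filtered/tcp//microsoft-ds///' \
        'Ignored State: closed (998)'
    printf '%s\n' '# Nmap done at Sat Apr  4 10:01:12 2026 -- 256 IP addresses (2 hosts up) scanned in 72.10 seconds'
}

# ports_in_state STATE: read -oG output on stdin and print
# "host port/proto service version" for every port in STATE (default: open).
ports_in_state() {
    awk -F'\t' -v want="${1:-open}" '
        /^Host:/ {
            host = $1
            sub(/^Host: /, "", host); sub(/ .*$/, "", host)   # keep only the address
            for (i = 2; i <= NF; i++) {
                if ($i !~ /^Ports: /) continue
                ports = $i; sub(/^Ports: /, "", ports)
                n = split(ports, entry, /, /)
                for (j = 1; j <= n; j++) {
                    split(entry[j], f, "/")
                    # f[1]=port f[2]=state f[3]=proto f[5]=service f[7]=version
                    if (f[2] == want)
                        print host, f[1] "/" f[3], f[5], (f[7] == "" ? "-" : f[7])
                }
            }
        }'
}

# hosts_up: count the hosts Nmap reported as up.
hosts_up() {
    grep -c 'Status: Up'
}

# Typical use after the scan above:
#   ports_in_state open < scan_results.gnmap
#   ports_in_state filtered < scan_results.gnmap
```

Run against a real scan_results.gnmap, the open-port listing is what you compare with the expected service inventory for those hosts; any open port or version string that is not on the inventory is the finding to follow up. Note that -oG is marked deprecated in the Nmap documentation in favour of XML (-oX), so the same parsing is better done from the .xml file with an XML-aware tool when the output has to be kept long-term.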
Ethical Considerations
It is crucial to understand that using Nmap on networks or systems without explicit permission is illegal and unethical. Always ensure you have proper authorization before conducting any network scans. Nmap is a powerful tool that should be used responsibly.