10 BASIC NMAP COMMANDS AND HOW TO USE THEM

By Leonard Cucos •  Updated: 04/28/21 •  8 min read

In this practical Nmap guide, we will learn how to use some of the basic Nmap commands to scan for vulnerabilities in a network. If you are new to Nmap, this is the place to start!

In this guide, I am using Kali Linux 2021, but you can install and run Nmap with success on virtually any operating system out there.

If you don’t have Nmap installed on your machine yet, here is a step-by-step guide on installing Nmap on Windows, macOS, Linux, and FreeBSD.

Without further ado, let’s get our hands dirty.

To see all the parameters and options supported by Nmap, open a terminal and type: 

nmap 

Alternatively, you can type the following command:

nmap --help

The Nmap command output will generate a long list of parameters (switches) that Nmap supports, classified as Target Specification, Host Discovery, Scan Techniques, Port Specification and Scan Order, Service/Version Detection, Script Scan, OS Detection, Timing and Performance, Firewall/IDS Evasion and Spoofing, Output, and so on.

Nmap commands man page. Source: nudesystems.com
Figure 1.1: NMAP commands – output [truncated].

NMAP Single Target Scan

You can scan a target with Nmap without specifying any command-line option. The target can be either an IP address or a hostname. If you choose a hostname, Nmap will automatically try to resolve it to its IP address.

Syntax for NMAP single target scan:

nmap <target IP or hostname>
Nmap commands - single target scan. Source: nudesystems.com
Figure 1.2: Example of a single target scan

The Nmap command output shows the status of the ports scanned, as seen in Table 1.1 below:

PORT                   STATE                        SERVICE
Port number/protocol   Status of the scanned port   Service used on the port
Table 1.1: NMAP commands – output fields

TIP: By default, Nmap scans the 1000 most commonly used TCP ports on a machine.

As you can see in Figure 1.2 above, the Nmap single target scan of IP 172.16.121.128 detected five open ports out of the 1000 ports scanned. Even with a simple Nmap scan, we can find plenty of relevant information about this target machine:

  1. A total of 995 ports are in a closed state.
  2. The five open ports run Windows-specific services [msrpc, netbios-ssn, microsoft-ds, wsdapi, Elite].

Before we continue, there are six possible Nmap port states, as shown in Table 1.2 below:

Port state          Description
OPEN                A port that responds actively to an incoming connection.
CLOSED              A port that responds actively to a probe, but there is no service running on the respective port.
FILTERED            A port that is actively protected by a firewall, which prevents Nmap from determining the port status [open or closed].
UNFILTERED          A port that can be scanned, but Nmap cannot precisely determine if the port is open or closed.
OPEN | FILTERED     A port that Nmap sees as open but cannot precisely determine the actual state of the port.
CLOSED | FILTERED   A port that Nmap sees as closed but cannot precisely determine the actual state of the port.
Table 1.2: NMAP commands – port states
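As an added example (not from the article), the shell script below reads the PORT/STATE/SERVICE lines described in Table 1.1, counts ports per state using the states from Table 1.2, and flags open ports that were not open in an earlier run of the same host, which is how a defender turns a one-off scan into a drift check. Both scan outputs are constructed to mirror the single-target scan above; the port numbers are the usual nmap-services assignments for those service names and are assumed here.

```shell
#!/bin/sh
# Parse the PORT/STATE/SERVICE lines of Nmap's normal output, tally ports by
# state, and flag open ports that were not open in an earlier (baseline) run.
set -eu
# Constructed sample mirroring the article's single-target scan (five open ports,
# 995 closed); port numbers are the usual nmap-services assignments.
BASELINE='Nmap scan report for 172.16.121.128
Not shown: 995 closed ports
PORT      STATE SERVICE
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
5357/tcp  open  wsdapi
31337/tcp open  Elite'

# Constructed later run of the same host: wsdapi is now filtered, 3389 is new.
CURRENT='Nmap scan report for 172.16.121.128
Not shown: 994 closed ports
PORT      STATE    SERVICE
135/tcp   open     msrpc
139/tcp   open     netbios-ssn
445/tcp   open     microsoft-ds
3389/tcp  open     ms-wbt-server
5357/tcp  filtered wsdapi
31337/tcp open     Elite'

# ports_in_state OUTPUT STATE: print "port/proto" for each listed port whose
# STATE column equals STATE (open, closed, filtered, open|filtered, ...).
ports_in_state() {
    printf '%s\n' "$1" \
        | awk -v st="$2" '$1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == st { print $1 }'
}

# count_state OUTPUT STATE: number of explicitly listed ports in STATE
# (ports folded into the "Not shown:" summary line are not counted).
count_state() {
    ports_in_state "$1" "$2" | wc -l | tr -d ' '
}

# new_open_ports BASELINE CURRENT: open ports in CURRENT that were not open before.
new_open_ports() {
    tmp="$(mktemp)"
    ports_in_state "$1" open | sort > "$tmp"
    ports_in_state "$2" open | sort | comm -13 "$tmp" -
    rm -f "$tmp"
}

echo "Open in baseline: $(count_state "$BASELINE" open), filtered now: $(count_state "$CURRENT" filtered)"
echo "Newly open since baseline:"
new_open_ports "$BASELINE" "$CURRENT"
```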

Multiple Targets Scan With NMAP

Nmap can scan multiple hosts with one command by stringing together a group of target IPs or hostnames. If you choose to scan multiple IPs and hostnames in one go, separate them with a space, as shown in Figure 1.3 below.

Syntax for NMAP multiple target scan:

nmap <Target1 Target2 Target3 etc.>
Nmap commands - multiple target scan M1. Source: nudesystems.com
Figure 1.3: NMAP commands – multiple target scan [Method 1]

TIP: For target IPs in the same subnet, the host parts of the addresses can be listed separated by commas (,), as shown in Figure 1.4 below.

Nmap commands - multiple target scan M2. Source: nudesystems.com
Figure 1.4: NMAP commands – multiple target scan [Method 2]

IP Range Scan With NMAP

Nmap can scan a range of IPs in the same subnet, where the two ends of the IP range are separated by a dash (-), as seen in Figure 1.5.

Syntax for NMAP IP range scan:

nmap <IP range>
Nmap commands - single target scan M3. Source: nudesystems.com
Figure 1.5: NMAP commands – multiple target scan [Method 3]

In the above example, Nmap was instructed to scan the IP range from 172.16.121.125 to 172.16.121.135 within the /24 subnet.

If you intend to scan multiple networks/subnets, you can use the wildcard character (*), which represents all valid values of an octet [0 to 255], to perform the scan in one go. For example, to scan all the hosts in the class C networks 192.168.1-10, we would use the command:

nmap 192.168.1-10.*

As a result, Nmap will scan all the hosts from 192.168.1.* to 192.168.10.* – a total of 2540 [254×10] IP addresses. Be aware that the larger the range, the more time Nmap will require to perform the scan.

Scan An Entire Subnet With NMAP [CIDR] 

Nmap can also scan an entire CIDR [Classless Inter-Domain Routing] subnet using CIDR notation. In the example in Figure 1.6, we are scanning all the 254 hosts in the 172.16.121.1/24 subnet in one go. 

The syntax for NMAP scan using CIDR notation:

nmap <Network/CIDR>
Nmap commands - CIDR target scan. Source: nudesystems.com
Figure 1.6: NMAP commands – scan using CIDR notation 

TIP: CIDR notation comprises a network address and a subnet mask length (prefix length) separated by a slash (/). E.g., 172.16.121.1/24

Scan A List Of Targets With NMAP

If you plan to scan a large number of IPs or hostnames, instead of listing each IP/hostname on the Nmap command line, you can create a text file containing all the targets you want to scan and use the file as input for Nmap. 

Here is a text file [ips_scan.txt] example I created containing a few IPs I want to scan using this method in my lab:

Nmap commands - scan input file. Source: nudesystems.com
Figure 1.7: NMAP commands – scan using an input file

The syntax for NMAP scan using an input file:

nmap -iL <filename.txt>

TIP: The -iL switch instructs NMAP to read the targets to scan from the given file [Figure 1.8].

Nmap commands - scan input file IPs. Source: nudesystems.com
Figure 1.8: Example of NMAP scan using an input file [ips_scan.txt]

Random Target Scan With NMAP

Nmap supports the feature of randomly scanning a given number of targets using the -iR switch. Due to the sensitive nature of this scan, I will not be showing the output for this scan [see Figure 1.9]. 

Please use the Nmap random target scan with caution, or you may get in trouble with your company, internet provider, or worse.

The syntax for NMAP random target scan:

nmap -iR <number of targets to scan>
Nmap commands - target scan -iR. Source: nudesystems.com
Figure 1.9: Example of NMAP target scan [4 targets].

Exclude Targets From NMAP Scan

This method does what it says – it excludes a target or a list of targets from a scan using the --exclude command-line option. This can be helpful when scanning an extensive range of IPs.

Syntax for NMAP target(s) exclusion:

nmap <targets> --exclude <target(s)>

As seen in Figure 1.10, the --exclude option accepts single hosts, whole networks (using CIDR notation), or specific ranges.

Nmap commands - scan with exclude option. Source: nudesystems.com
Figure 1.10: Example of NMAP --exclude option.

Using A Text File To Exclude Targets From Nmap Scan

As we saw before, we can use an input text file containing the list of IPs we want to scan with Nmap. In the same way, we can use a text file consisting of specific IPs or a range of IPs we wish to exclude from our scan. The targets listed in Figure 1.11 are excluded from the scan.

NMAP Syntax to exclude a list of targets using an input text file:

nmap <targets> --excludefile <filename.txt>
Nmap commands - scan with exclude option and input file IPs. Source: nudesystems.com
Figure 1.11: Example of a text file containing the IPs to exclude from a NMAP scan.
Nmap commands - scan with exclude option input file IPs. Source: nudesystems.com
Figure 1.12: Example of NMAP --excludefile scan using an input file [ips_exclude.txt]
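Before launching a scan over a large target list, it helps to see exactly which hosts the -iL, --exclude and --excludefile inputs from the last three sections expand to. The script below is an added example, not from the article: it writes two constructed lab files in the notation used above and runs Nmap's list scan (-sL together with -n), which only enumerates the targets and sends nothing to the hosts, to print and count what a real scan would touch.

```shell
#!/bin/sh
# Dry-run a target specification with Nmap's list scan (-sL). It only
# enumerates the targets; with -n there are no DNS lookups either, so no
# packets reach the hosts. Useful to verify -iL / --excludefile before scanning.
set -eu

WORKDIR="$(mktemp -d)"

# Constructed lab input files using the article's notation: a dash range,
# comma-separated host octets, and a dash range inside the exclude file.
cat > "$WORKDIR/ips_scan.txt" <<'EOF'
172.16.121.125-135
172.16.121.200,201
EOF

cat > "$WORKDIR/ips_exclude.txt" <<'EOF'
172.16.121.130
172.16.121.133-134
EOF

# list_targets SCANFILE EXCLUDEFILE: print each IP Nmap would actually scan.
# With -n every target appears in the output as "Nmap scan report for <ip>".
list_targets() {
    nmap -n -sL -iL "$1" --excludefile "$2" \
        | awk '/^Nmap scan report for / { print $NF }'
}

# count_targets SCANFILE EXCLUDEFILE: number of hosts left after exclusions.
count_targets() {
    list_targets "$1" "$2" | wc -l | tr -d ' '
}

if command -v nmap >/dev/null 2>&1; then
    echo "Hosts Nmap would scan:"
    list_targets "$WORKDIR/ips_scan.txt" "$WORKDIR/ips_exclude.txt"
    # 13 listed hosts (11 in the range + 2 comma-separated) minus 3 excluded = 10
    echo "Total: $(count_targets "$WORKDIR/ips_scan.txt" "$WORKDIR/ips_exclude.txt")"
else
    echo "nmap is not installed; nothing to dry-run" >&2
fi
```

The same dry run works for any target form on this page (single hosts, comma lists, dash ranges, wildcards, CIDR) by putting that form into ips_scan.txt.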

Performing NMAP Aggressive Scan

The Nmap aggressive scan picks several of the most frequently used Nmap options and provides a quick substitute for typing a long string of command-line arguments. The -A parameter is shorthand for several specialized options (such as -O, --traceroute, -sC, etc.). I will cover all these options in detail in a future post.

The syntax for Nmap aggressive scan is the following:

nmap -A <target>
Nmap commands - aggressive scan. Source: nudesystems.com
Figure 1.13: Example of NMAP commands – aggressive scan

As you can see in Figure 1.13, the Nmap aggressive scan provides way more details about a target host than the other scan examples provided so far in this guide. 

For instance, we can see the target host is a Windows machine. We can extract its hostname, MAC address, list of open ports, etc., and suspect this machine might have its firewall disabled.

NMAP Target Scan For IPv6

IPv6 target scanning is supported in Nmap, except for scanning multiple targets using CIDR notation or IP ranges, as these are not supported/needed for IPv6 addressing.

Syntax for Nmap IPv6 scan:

nmap -6 <target IPv6 address>

TIP: For a -6 scan to work, both host and target systems must support the IPv6 protocol.

Nmap commands - IPv6 scan. Source: nudesystems.com
Figure 1.14: Example of NMAP IPv6 scan.


Take some more time to read and practice the above basic Nmap commands.

Found this NMAP tutorial useful? Consider sharing it with your friends and colleagues.

Feeling ready? Go ahead and learn the NMAP Host Discovery Flags And How To Use Them.

Leonard Cucos

Leonard Cucos is an engineer with over 20 years of IT/Telco experience managing large UNIX/Linux-based server infrastructures, IP and Optics core networks, Information Security [red/blue], Data Science, and FinTech.