Master Nmap: Your Step-by-Step Command Guide

By jinia


Nmap (Network Mapper) is one of the most powerful and widely used network scanning tools in cybersecurity. It helps administrators and ethical hackers discover hosts, services, open ports, vulnerabilities, and much more within a network.

In this ultimate guide, we will cover every Nmap command in detail, explaining each option and how it works. Whether you're a beginner or an advanced user, this guide will help you master Nmap.

Table of Contents

  1. What is Nmap?
  2. Installing Nmap
  3. Basic Nmap Scans
  4. Port Scanning Techniques
  5. Host Discovery
  6. Service and Version Detection
  7. OS Detection
  8. Firewall & IDS Evasion
  9. Nmap Scripting Engine (NSE)
  10. Output Formats
  11. Advanced Nmap Commands
  12. Conclusion

What is Nmap?

Nmap is an open-source network scanning tool used for:

  • Network Discovery (Finding live hosts)
  • Port Scanning (Checking open/closed ports)
  • Service Detection (Identifying running services)
  • OS Fingerprinting (Detecting operating systems)
  • Vulnerability Scanning (Using NSE scripts)

It is used by security professionals, penetration testers, and network administrators for security auditing and network exploration.

Installing Nmap

Nmap is available for Windows, Linux, and macOS.

Installation on Linux (Debian/Ubuntu)

sudo apt update && sudo apt install nmap -y

Installation on macOS (Homebrew)

brew install nmap

Installation on Windows

Download the installer from the official Nmap website (nmap.org).

Basic Nmap Scans

1. Scan a Single Target

nmap target.com
  • This scans the most common 1000 ports on target.com.

2. Scan Multiple Targets

nmap 192.168.1.1 192.168.1.2
  • Scans two IPs.

3. Scan a Range of IPs

nmap 192.168.1.1-100
  • Scans from 192.168.1.1 to 192.168.1.100.

4. Scan a Subnet

nmap 192.168.1.0/24
  • Scans all 254 hosts in the 192.168.1.0 subnet.

5. Scan from a List of Targets

nmap -iL targets.txt
  • Reads IPs/hostnames from a file (targets.txt).

Port Scanning Techniques

6. Scan Specific Ports

nmap -p 80,443,22 target.com
  • Only scans ports 80 (HTTP), 443 (HTTPS), and 22 (SSH).

7. Scan All Ports (1-65535)

nmap -p- target.com
  • Checks all 65,535 ports (very slow).

8. Fast Scan (Top 100 Ports)

nmap -F target.com
  • Scans top 100 ports instead of 1000.

9. TCP SYN Scan (Stealth Scan)

nmap -sS target.com
  • Default scan type when Nmap runs with raw-socket privileges (e.g., as root); it sends a SYN but never completes the TCP handshake, so the connection is less likely to be logged by the application (stealthy).

10. TCP Connect Scan

nmap -sT target.com
  • Completes full TCP connection (more detectable).

11. UDP Scan

nmap -sU target.com
  • Scans UDP ports (slower than TCP).

12. Scan Most Common Ports with Service Detection

nmap -sV target.com
  • Detects service versions on open ports.

Host Discovery

13. Ping Scan (No Port Scan)

nmap -sn 192.168.1.0/24
  • Only checks which hosts are online (no port scan).

14. Disable DNS Resolution (Faster Scan)

nmap -n target.com
  • Skips DNS resolution for faster scanning.

15. Force DNS Resolution

nmap -R target.com
  • Always performs reverse DNS lookup.

Service and Version Detection

16. Detect Service Versions

nmap -sV target.com
  • Shows software versions (e.g., Apache 2.4.7).

17. Aggressive Scan

nmap -A target.com
  • Enables OS detection, version detection, script scanning, and traceroute.

OS Detection

18. Detect Remote OS

nmap -O target.com
  • Attempts to guess the operating system.

19. Enable OS & Version Detection

nmap -A target.com
  • Combines -sV, -O, and script scanning.

Firewall & IDS Evasion

20. Fragmented Packets (Evade Firewalls)

nmap -f target.com
  • Splits packets into smaller fragments to evade detection.

21. Use Decoy IPs (Hide Your IP)

nmap -D RND:10 target.com
  • Scans with 10 random decoy IPs to hide your real IP.

22. Slow Scan (Avoid Detection)

nmap -T1 target.com
  • Very slow scan to avoid triggering alarms.
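The flip side of the evasion options above is what they look like to a defender. The following script, an added example that is not part of the original post, counts the distinct destination ports each source touched in iptables-style kernel log lines and reports every source over a threshold; a decoy scan (-D RND:10) therefore shows up as several sources sweeping the same ports together rather than as one. The log lines, addresses and the LOG path are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original post): defender-side check that flags likely
# port scans in iptables-style kernel log lines by counting the distinct destination
# ports each source touched. A decoy scan (-D RND:10) appears as many sources
# sweeping the same ports at once, so every source over the threshold is reported.
# The log lines below are constructed for this example.
LOG=${TMPDIR:-/tmp}/fw-sample.log

# make_log FILE : write the constructed log sample.
make_log() {
    cat > "$1" <<'EOF'
Jan  1 10:00:01 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.168.1.10 PROTO=TCP SPT=40001 DPT=22 SYN
Jan  1 10:00:01 fw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.168.1.10 PROTO=TCP SPT=40001 DPT=22 SYN
Jan  1 10:00:01 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.168.1.10 PROTO=TCP SPT=40002 DPT=80 SYN
Jan  1 10:00:01 fw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.168.1.10 PROTO=TCP SPT=40002 DPT=80 SYN
Jan  1 10:00:02 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.168.1.10 PROTO=TCP SPT=40003 DPT=443 SYN
Jan  1 10:00:02 fw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.168.1.10 PROTO=TCP SPT=40003 DPT=443 SYN
Jan  1 10:00:02 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.168.1.10 PROTO=TCP SPT=40004 DPT=3389 SYN
Jan  1 10:00:02 fw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.168.1.10 PROTO=TCP SPT=40004 DPT=3389 SYN
Jan  1 10:00:03 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.168.1.10 PROTO=TCP SPT=40005 DPT=8080 SYN
Jan  1 10:00:03 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.168.1.10 PROTO=TCP SPT=51000 DPT=443 SYN
Jan  1 10:00:04 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.168.1.10 PROTO=TCP SPT=51001 DPT=443 SYN
Jan  1 10:00:05 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.168.1.10 PROTO=TCP SPT=51002 DPT=443 SYN
EOF
}

# scan_suspects LOGFILE THRESHOLD : print "source distinct_ports" for every source
# that touched at least THRESHOLD distinct destination ports, sorted by source.
scan_suspects() {
    awk -v thr="$2" '
        {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            # count each (source, port) pair once, however many SYNs were sent
            if (src != "" && dpt != "" && !seen[src, dpt]++) ports[src]++
        }
        END { for (s in ports) if (ports[s] >= thr) print s, ports[s] }' "$1" | sort
}

make_log "$LOG"
scan_suspects "$LOG" 4
```

Counting over the whole log rather than a short time window is what still catches a -T1 scan spread over hours; the repeated-port source (198.51.100.7) stays below the threshold, as ordinary clients do.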

Nmap Scripting Engine (NSE)

Nmap allows custom scripts for advanced scanning.

23. Run a Specific NSE Script

nmap --script=http-title target.com
  • Extracts the website title.

24. Run Multiple Scripts

nmap --script=http-title,http-headers target.com
  • Runs two scripts at once.

25. Run All Scripts in a Category

nmap --script=vuln target.com
  • Runs all vulnerability detection scripts.

Output Formats

26. Save Results to a Text File

nmap -oN scan.txt target.com
  • Normal output format.

27. Save Results in XML Format

nmap -oX scan.xml target.com
  • XML format for parsing.

28. Save Results in All Formats

nmap -oA scan target.com
  • Saves in normal, XML, and grepable formats.
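The grepable file (scan.gnmap from -oA, or the file -oG writes) is the one you parse in shell. The script below, an added example that is not part of the original post, writes a constructed .gnmap sample and then lists the hosts that are up and every open port per host; the sample addresses, versions and the SAMPLE path are made up for the example.

```shell
#!/bin/sh
# Added example (not from the original post): parse the grepable output that
# "nmap -oG scan.gnmap ..." (or the .gnmap file from -oA) writes, listing hosts
# that are up and every open port per host. The sample file is constructed here
# from a made-up 192.168.1.0/24 scan; it is not real scan output.
SAMPLE=${TMPDIR:-/tmp}/sample.gnmap

# make_sample FILE : write the constructed .gnmap file (fields are tab-separated).
make_sample() {
    {
        printf '%s\n' '# Nmap 7.94 scan initiated as: nmap -sV -oG scan.gnmap 192.168.1.0/24'
        printf 'Host: 192.168.1.10 ()\tStatus: Up\n'
        printf 'Host: 192.168.1.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 80/open/tcp//http//Apache httpd 2.4.7/, 443/closed/tcp//https///\tIgnored State: filtered (997)\n'
        printf 'Host: 192.168.1.20 ()\tStatus: Up\n'
        printf 'Host: 192.168.1.20 ()\tPorts: 53/open/udp//domain///, 3389/filtered/tcp//ms-wbt-server///\tIgnored State: closed (998)\n'
        printf '%s\n' '# Nmap done -- 256 IP addresses (2 hosts up) scanned in 5.00 seconds'
    } > "$1"
}

# hosts_up FILE : print the address of every host Nmap reported as up.
hosts_up() {
    awk -F'\t' '/^Host:/ && $2 == "Status: Up" { split($1, h, " "); print h[2] }' "$1"
}

# open_ports FILE : print "host port/proto service" for each open port.
# Each entry in the Ports: field is port/state/proto/owner/service/rpc/version/ .
open_ports() {
    awk -F'\t' '
        /^Host:/ && $2 ~ /^Ports:/ {
            split($1, h, " "); host = h[2]
            sub(/^Ports: /, "", $2)
            n = split($2, entries, ", ")
            for (i = 1; i <= n; i++) {
                split(entries[i], f, "/")
                if (f[2] == "open") print host, f[1] "/" f[3], f[5]
            }
        }' "$1"
}

make_sample "$SAMPLE"
echo "Hosts up:";   hosts_up "$SAMPLE"
echo "Open ports:"; open_ports "$SAMPLE"
```

Closed and filtered entries (443 and 3389 in the sample) are skipped, which is usually what a follow-up -sV or NSE run wants as its target list.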

Advanced Nmap Commands

29. Scan IPv6 Targets

nmap -6 target.com
  • Scans IPv6 addresses.

30. Traceroute to Target

nmap --traceroute target.com
  • Shows network path to the target.

31. Scan with Custom Timing

nmap -T4 target.com
  • Aggressive timing (T0=slowest, T5=fastest).

32. Scan Using a Specific Source Port

nmap -g 53 target.com
  • Uses port 53 (DNS) as source port.

Conclusion

Nmap is an essential tool for network scanning, security auditing, and penetration testing. This guide covered all major Nmap commands, from basic scans to advanced evasion techniques.

Next Steps:

  • ✅ Practice scanning your own network (with permission).
  • ✅ Learn Nmap Scripting Engine (NSE) for deeper analysis.
  • ✅ Combine Nmap with tools like Metasploit for penetration testing.

If you found this guide helpful, share it with others learning cybersecurity! 🚀

Final Words

Nmap is powerful but should be used ethically. Unauthorized scanning can be illegal. Always get proper authorization before scanning networks.

🔹 Happy Scanning! 🔹