Network Mapper, or nmap, is a powerful tool for exploring a network environment. It discovers hosts and can usually report their open ports and services, service versions, operating system, hostnames, IP addresses and (for hosts on the local segment) MAC addresses, and it can recognise network devices such as switches, routers and network printers. The nmap utility has a great many options. It also has a GUI front end called Zenmap.
The nmap utility may be used initially to audit and document the network; keep the output of that baseline scan, because in troubleshooting such documentation is essential. It can also be used directly in the troubleshooting process to confirm whether expected components are in place, or to detect changes to the network environment by comparing a fresh scan against the baseline.
Syntax
The syntax of the nmap command is:
# nmap [options] {target}
If running the nmap command produces the error:
nmap: command not found
install the nmap package for your distribution:
| OS Distribution | Command |
|---|---|
| OS X | brew install nmap |
| Debian | apt-get install nmap |
| Ubuntu | apt-get install nmap |
| Alpine | apk add nmap |
| Arch Linux | pacman -S nmap |
| Kali Linux | apt-get install nmap |
| CentOS | yum install nmap |
| Fedora | dnf install nmap |
| Raspbian | apt-get install nmap |
The Linux package managers above need root privileges (run them via sudo); brew is run as a normal user.
nmap Command Examples
1. Check if an IP address is up, and guess the remote host’s operating system (OS detection sends raw packets, so it needs root privileges):
# nmap -O ip_or_hostname
2. Determine whether the specified hosts are up (ping scan, no port scan) and resolve their names via reverse DNS:
# nmap -sn ip_or_hostname optional_another_address
3. Aggressive scan: enables OS detection, version detection, the default NSE scripts and traceroute in one option (noisy, and needs root for the OS detection and traceroute parts):
# nmap -A address_or_addresses
4. Scan a specific list of ports (use ‘-p-’ for all ports from 1 to 65535):
# nmap -p port1,port2,...,portN address_or_addresses
5. Perform service and version detection (‘-sV’) of the top 1000 ports and run the default NSE scripts (‘-sC’), writing normal-format output (‘-oN’) to the file top-1000-ports.txt:
# nmap -sC -sV -oN top-1000-ports.txt address_or_addresses
6. Scan target(s) carefully, running only NSE scripts that are in both the ‘default’ and ‘safe’ categories (this leaves out the default scripts that are considered intrusive):
# nmap --script "default and safe" address_or_addresses
7. Scan a web server running on the standard ports 80 and 443 using all available ‘http-*’ NSE scripts (the wildcard matches intrusive scripts too, so only do this against targets you are authorised to test):
# nmap --script "http-*" address_or_addresses -p 80,443
8. Perform a stealthy, very slow scan (‘-T0’, which can take hours for a large port range) to try to avoid detection by IDS/IPS, and mix in decoy (‘-D’) source IP addresses so the real scanner is one address among many. Decoys need raw packets (root) and are only used for host discovery, port scanning and OS detection; they do not work with version detection (‘-sV’) or TCP connect scans, where the real address is exposed:
# nmap -T0 -D decoy1_ipaddress,decoy2_ipaddress,...,decoyN_ipaddress address_or_addresses