
Nmap sends packets and analyzes the responses it gets to discover hosts and services on a computer network.

In the example shown above, we scan scanme.nmap.org, a host that has been explicitly authorized to be scanned.

Scanning multiple hosts is easy!

The above command will scan all 256 IP addresses in the subnet.

The above command will scan only ports 22, 80, and 443 on the IP addresses mentioned.

The above command will scan ports 1 to 500 on the host mentioned.

Using -p- will scan all 65535 ports.

You also have the option to save the results of a scan in different file formats.

Normal mode will give you the output as you see it on your screen.

We could export the results in XML format.

It is one of the most widely used output formats, as most programming languages have libraries for XML parsing.

This gives the output in a format that is easy to process with the grep command.

It uses leet speak, replacing letters with visually similar numbers.

This output format is not useful for any particular case and was included only as a joke.

Various Nmap scan types

This is the basic form of TCP scanning and involves no stealth.

A successful connection indicates an open port.

This is the default scan type Nmap uses when executed by an unprivileged user.

As we can see in the example above, a SYN scan cannot be executed by a non-privileged user.

If no flag is specified, by default, Nmap scans for TCP ports.

To scan UDP ports, we have to use the -sU flag, as shown below.

This is often referred to as a ping sweep.

In previously released versions of Nmap, -sn was known as -sP.

-sn: Ping scan.
-n: Skip DNS resolution to speed up the scan.
-v: Verbose output, giving more information about the scan.
-oG: Provide the output in grepable format.
-: The hyphen sends the grepable output to standard output, which is then piped to grep.
-iv: grep options that ignore case and invert the match, dropping the lines containing the word down.

We can see that only four hosts are alive out of the 256 IP addresses scanned in the subnet.
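The grepable format described above can be processed with more than grep. As an added example that is not part of the original article, the following Python parser reads -oG output (here a constructed sample, not a real capture) and recovers the same "alive hosts" result as the grep -v down pipeline, plus the open ports and version strings from a port scan line:

```python
"""Parse Nmap grepable (-oG) output: alive hosts and open ports."""
import re

# Constructed sample of -oG output (documentation addresses, not a real scan).
# With -v, hosts that are Down are also listed, which is why grep -v down is needed.
SAMPLE_GREPABLE = """\
# Nmap 7.93 scan initiated Mon Jan  1 10:00:00 2024 as: nmap -sn -n -v -oG - 192.0.2.0/24
Host: 192.0.2.1 ()\tStatus: Up
Host: 192.0.2.2 ()\tStatus: Down
Host: 192.0.2.10 ()\tStatus: Up
Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/open/tcp//http//nginx 1.18.0/, 443/closed/tcp//https///\tIgnored State: filtered (997)
Host: 192.0.2.11 ()\tStatus: Down
# Nmap done at Mon Jan  1 10:00:05 2024 -- 256 IP addresses (2 hosts up) scanned in 5.00 seconds
"""

# "Host: <ip> (<hostname>)" followed by tab-separated "Key: value" fields
HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\t(.*)$")


def _parse_ports(value):
    """Split a Ports field: entries are comma-separated, fields are slash-separated.
    Field order: port/state/protocol/owner/service/rpc info/version/."""
    ports = []
    for item in value.split(", "):
        parts = item.split("/")
        if len(parts) < 7:
            continue  # malformed entry, skip rather than guess
        ports.append({"port": int(parts[0]), "state": parts[1], "proto": parts[2],
                      "service": parts[4], "version": parts[6]})
    return ports


def parse_grepable(text):
    """Return {ip: {"hostname": str, "status": str|None, "ports": [dict, ...]}}."""
    hosts = {}
    for line in text.splitlines():
        if line.startswith("#"):  # header/footer comment lines carry no host data
            continue
        m = HOST_RE.match(line)
        if not m:
            continue
        ip, hostname, rest = m.groups()
        entry = hosts.setdefault(ip, {"hostname": hostname, "status": None, "ports": []})
        for field in rest.split("\t"):
            key, _, value = field.partition(": ")
            if key == "Status":
                entry["status"] = value
            elif key == "Ports":
                entry["ports"].extend(_parse_ports(value))
    return hosts


def alive_hosts(hosts):
    """Same result as the grep -iv down pipeline: hosts whose Status is Up."""
    return sorted(ip for ip, h in hosts.items() if h["status"] == "Up")


def open_ports(hosts, ip):
    return [p["port"] for p in hosts[ip]["ports"] if p["state"] == "open"]
```

Feed it the output of nmap -oG - on the standard input for a real scan; the sample here is embedded only so the script runs offline.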

OS detection can be enabled with the -O flag.

Below is the command:

Nmap can also detect the services running on open ports, along with their version information.

This helps identify services running vulnerable versions, which can then be updated to mitigate the risk.

We can pass the -A argument to perform an aggressive scan.

For example, http://scanme.nmap.org/ has been explicitly authorized to be scanned.

You can read about it in detail on the official website.

Check out how to install Nmap on Windows.