NMAP commands with examples to scan all ports EASILY

Nmap commands examples to scan all ports
Nmap commands examples to scan all ports

NMAP commands with examples Introduction

In this tutorial we will discuss about NMAP commands with examples, NMAP has multiple options to use with. It is used to scan all ports in a computer, discover services and hosts on a computer in a network. Earlier NMAP tool was available only in Linux, but now this utility can be found in Windows, HP-UX, and other Linux distribution. We will also discuss about do's and dont's of NMAP commands and how some people miss-using it.
Through out this tutorial we will see many real life NMAP examples.
Also check out  the Wiki on NMAP.


1.How does NMAP work2.What is NMAP and what is it used for
3.What is the purpose of a port scan4.What NMAP command shouldn't be used for
5.What does Nmap filtered mean6.NMAP download
7.NMAP install8.NMAP scan all ports
9.NMAP scan single port10.NMAP show only open ports
11.Show filtered and unfiltered ports12.NMAP Port scan from file
13.Exclude host from file14.NMAP exclude file option
15.NMAP Subnet scan16.Scan TCP ports
17.Scan specific TCP port18.Scan UDP ports
19.Scan specific UDP port20.SCTP INIT scan
21.NMAP command for TCP Window scan22.NMAP scan flags
23.NMAP examples of Service detection with version24.Operating System detection
25.NMAP port scan with reason26.NMAP top ports scan
27.Skip ports scan with (-sn)28.Port scan with no ping (-Pn)
29.Which IP Protocol supported by Host30.NMAP scan all ports using TCP SYN
31.NMAP fastest scan of ports32.NMAP decoy scan
33.NMAP idle scan (Zombie scan)34.NMAP output options (o)
35.NMAP version36.Man NMAP

How does NMAP work ?

NMAP sends special packets to the destination computer and records and examine the received response from the target computer.

What is Nmap and what is it used for?

NMAP stands for Network Mapper. It is primarily used for security scanning of a computer and network. With this application one can scan all ports and discover open ports, services, hosts on the network and also detect Operating system used by the remote computer.

What is the purpose of a port scan?

The purpose of the port scan is to identify open ports of a computer in the network. Port scanning is both used by the Network administrator and a Hacker. Administrator uses port scanning to identify open ports so that the network security shouldn't be compromised.
On the other hands Hackers use it for the purpose of finding vulnerability to attack and harm the network.
Nmap commands is also used for auditing security and firewall in a network, and network mapping as well.

What NMAP commands shouldn't be used for?

Some people use NMAP commands for UN-ethical hacking to gain unauthorized access to a network. NMAP shouldn't be used for such things, rather it should be used for Network and System Administration purposes, as unauthorized scanning of ports is completely illegal in many jurisdictions.

What does Nmap filtered mean?

There are four states of any port in the network. Open, closed, filtered and unfiltered.
Filtered mean that there is a firewall which is blocking the network, thus Nmap cannot identify if the port is closed or open.

NMAP download

To download and install nmap from binary rpm packages for your Linux system use the following commands.

# rpm -vhU https://nmap.org/dist/nmap-7.40-1.x86_64.rpm        [For 64 bit OS]
# rpm -vhU https://nmap.org/dist/nmap-7.40-1.i686.rpm          [For 32 bit OS]

Or you can download the latest NMAP version available from here.

NMAP install

To install Nmap from YUM repository or on RHEL based system do the following.

# yum install nmap

To install NMAP on Debian based system, use 'apt' tool.

# apt-get install nmap

Nmap scan all ports

To scan all ports of any IP, server host name or any website type the following.

# nmap           [IP scan]
# nmap system host name       [Your server host name]
# nmap www.example.com        [Website scan]

To see the host name of any server, use the below command

# hostname

NMAP scan single port

Instead of scanning all the ports of an IP, you can scan a single port or range of ports.

To scan a single port do the following.

# nmap -p 995
Starting Nmap 6.40 ( http://nmap.org ) at 2016-12-29 02:09 IST
Nmap scan report for
Host is up (0.00017s latency).
995/tcp open  pop3s
Nmap done: 1 IP address (1 host up) scanned in 0.13 seconds

To scan range of ports, use the below command. In the given example we will scan port in a range from 1 to 200

# nmap -p 1-200
Starting Nmap 6.40 ( http://nmap.org ) at 2016-12-29 02:14 IST
Nmap scan report for
Host is up (0.000021s latency).
Not shown: 195 closed ports
22/tcp  open  ssh
80/tcp  open  http
110/tcp open  pop3
111/tcp open  rpcbind
143/tcp open  imap

NMAP show only open ports

The below nmap command with option '--open' is used to display only open ports of any IP.

# nmap --open
Nmap scan report for
Host is up (0.00076s latency).
Not shown: 998 filtered ports
25/tcp  open   smtp
80/tcp  open   http

Show filtered and unfiltered ports

As explained above that filtered ports are ports which are blocked by Firewall. The below command is useful to verify weather ports are filtered or unfiltered. It is also called TCP ACK scan as it arrange in detail firewall rulesets.

# nmap -sA
Nmap scan report for
Host is up (0.00073s latency).
Not shown: 998 filtered ports
25/tcp    unfiltered  smtp
80/tcp    unfiltered  http

Nmap Port scan from file

Create a file called 'ipscan.txt' and insert into it IP's you want to scan. Now, use the file to scan IP as given below.

# nmap -iL ipscan.txt 

Exclude host from file

While doing a port scan of number of IP's from a file, you can exclude host you don't want to scan. Look at the below example.
Here we are excluding from the list.

# cat ipscan.txt
# nmap --exclude -iL ipscan.txt

NMAP exclude file option

Take for an example you have to exlude number of IP's for port scan from the list. In that case doing a manual exclude would be a bother.
With 'excludefile' option you can exclude number of IP's at a time from the file. Here, we have created a file called 'ipnotscan.txt' where we have specified IP's to be excluded while scanning.

# nmap --excludefile ipnotscan.txt -iL ipscan.txt

Nmap Subnet scan

To scan subnet mask, use the Nmap command as given below.

# nmap

Scan TCP ports

Scan ports which are using TCP to connect. The below nmap command will scan for all TCP ports

# nmap -sT
22/tcp   open  ssh
80/tcp   open  http
110/tcp  open  pop3

Scan specific TCP port

You can opt to scan just one specific TCP port rather than all TCP ports. Use the command as given to scan port 25 (smtp)

# nmap -s T 25
Nmap scan report for
Host is up (0.00061s latency).
Not shown: 998 filtered ports
25/tcp  open    smtp
80/tcp  open    http

Scan UDP ports

Scan ports which are using UDP to connect.

# nmap -sU
111/udp  open          rpcbind
5353/udp open|filtered zeroconf

Scan specific UDP port

To scan specific UDP ports do the following. In the below example we will scan port 111 (rpcbind)

# nmap -s U 111
Nmap scan report for
Host is up (0.00066s latency).
All 1000 scanned ports on are open|filtered
Nmap done: 1 IP address (1 host up) scanned in 4.19 seconds


SCTP INIT scan is the combination of TCP and UDP SCAN with newly added features like multi streaming and multi homing. It's main advantage is that even in a firewall restricted network it is capable of doing fastest scan of thousand ports in a few second. The option 'Y' is used with NMAP commands for SCTP INIT scan. See the given example.

Multi streaming = It is technique to send multiple data at the same time where each data or stream has its own unique job.

Multi homing = A single system configured with multiple interfaces and IP addresses.

# nmap -sY
Nmap scan report for
Host is up (0.000020s latency).
All 778 scanned ports on are filtered
Nmap done: 1 IP address (1 host up) scanned in 1 second

NMAP commands for TCP Window scan

TCP Window scan is similar to ACK scan. However, it can identify open TCP ports.It determines the status of port by the RST response from the port of system. If the system returns positive TCP Windows size, then the packet is sent by an open port. But if the value is negative then it is sent from the closed ports.

# nmap -v -sW
Initiating Ping Scan at 13:23
Scanning [4 ports]
Completed Ping Scan at 13:23, 0.01s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 13:23
Completed Parallel DNS resolution of 1 host. at 13:23, 0.09s elapsed
Initiating Window Scan at 13:23
Scanning [1000 ports]
Completed Window Scan at 13:23, 14.04s elapsed (1000 total ports)
Nmap scan report for
Host is up (0.013s latency).
Not shown: 997 filtered ports
25/tcp  closed   smtp
80/tcp  closed   http
443/tcp closed  https

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 14.25 seconds
Raw packets sent: 3008 (120.312KB) | Rcvd: 15 (604B)

NMAP scan flags

With NMAP scan flags you will be able to make your own custom TCP scan. You can choose any random TCP flags for host scanning. The option is '--scanflags'. You can either use numerical or symbolic argument with --scanflags. The list of scanflag arguments that can be used with NMAP commands are as follows.

ACK: Acknowledge
CWR: Congestion Window Reduced
CE: Congestion Experienced
ECN: Echo
ECE (ECN-Echo)
ECT: ECN-Capable Transport
FIN: Finish/End
NS: (Nonce Sum)
PSH: Push
RST: Reset
SYN: Synchronize
URG: Urgent

You can use the above arguments in any way you like. For example

# nmap sA --scanflags URGACK


# nmap sF --scanflags ECTECEFIN

Nmap examples of Service detection with version

The following nmap commands is used for service detection.

# nmap -sV
Starting Nmap 6.40 ( http://nmap.org ) at 2016-12-29 03:05 IST
Nmap scan report for
Host is up (0.000024s latency).
Not shown: 992 closed ports
22/tcp   open  ssh      OpenSSH 6.6.1 (protocol 2.0)
80/tcp   open  http     Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)
110/tcp  open  pop3     Dovecot pop3d

Operating System detection

Look at the following Nmap example to detect what OS Your remote system is using.

# nmap -A

NMAP port scan with reason

With Nmap commands you can also find out the reason for the state of any port, do the following with '--reason' option.

# nmap --reason -p 990
Starting Nmap 6.40 ( http://nmap.org ) at 2016-12-29 13:28 IST
Nmap scan report for 
Host is up, received reset (0.0059s latency).
990/tcp closed ftps    reset

NMAP top ports scan

With the option '--top-ports' you can scan the most common top ports of any host or IP. For example, you can scan top 2 or 3 ports of any IP.

Scanning of top 2 ports

# nmap --top-ports 2
Nmap scan report for
Host is up (0.00075s latency).
23/tcp filtered telnet
80/tcp open http

Scanning of top 3 ports

# nmap --top-ports 3
Nmap scan report for
Host is up (0.00070s latency).
23/tcp filtered telnet
80/tcp open http
443/tcp filtered https

Skip ports scan with (-sn)

The option '-sn' is used to skip port scan when the host is discovered during scanning. In most of the cases discovery of hosts and knowing the available active machines and servers in a network is more important than port discovery. For any System Administrator this command is very useful when they need to count the numbers of machines and servers in the network. As it doesn't scan ports, it won't show you the states of running services.

# nmap -sn
Nmap scan report for
Host is up (0.00056s latency).

Port scan with no ping (-Pn)

The '-Pn' option is also used to disable host discovery. It skips ping during scanning. The '-Pn' flag considers all hosts as online regardless if it can ping host or not. Hence, even if any of the port is filtered during scanning, it shows you up.

# nmap -Pn
Nmap scan report for
Host is up (0.00062s latency).
Not shown: 998 filtered ports
25/tcp open  smtp
80/tcp open  http


Which IP Protocol supported by Host

So, how to determine which IP protocols are supported by host. You can determine by NMAP option 'O'. See the below example of using it.

# nmap -sO
Nmap scan report for
Host is up (0.000030s latency).
Not shown: 249 closed protocols
1         open           icmp
2         open|filtered  igmp
6         open           tcp
17        open           udp
103       open|filtered  pim
136       open|filtered  udplite
255       open|filtered  unknown

NMAP scan all ports using TCP SYN

To scan all ports using TCP SYN, use the below NMAP command
# nmap -sS
What is SYN?

When a TCP connection starts between the client and the server, then there is a exchange of messages between the two.
The client sends SYN message to the server to request for a connection. The server acknowledges it by sending SYN-ACK message back to the client.
The client again responds to the message by sending ACK and this way the client and the server connection is established.
SYN = Synchronize

What is SYN flood?
SYN Flood is used by the attackers where they sends continuous SYN request to the target server for consuming its resources and not responding to the server with a valid ACK message , thus making the server unresponsive to others. this is called DOS (Denial Of Service) attack.

NMAP fastest scan of ports

You can use option 'T5' with NMAP command to do the  fastest scanning of all open ports, servers, computers and other devices. For example.

# nmap -T5 

The above command is very aggressive. There is a speed template range between 0 to 5 where 0 states very slow and 5 states very fast. So, T5 is the fastest and T0 would be very slow. when scanning.

NMAP decoy scan

With option '-D'  you can do the decoy scan of any system or servers in the network.  Its a technique of hiding your IP addresses while scanning any IP or host. Their IDS (Intrusion Detection System) /IPS (Intrusion Prevention System) won't be able to tell which IP was scanning them as their IDS will report scan from various IP addresses.

# nmap -n -D,,

NMAP idle scan (Zombie scan)

Idle scan or zombie scan is a TCP port scan which is used to know the services available in a computer and it is accomplished by sending fake packet to the target system. In the network the packet will appear as if they are sent from some other system (zombie system). The condition is that the zombie machine must be up and running.  The option 'I' is used with NMAP.
See the below nmap example, the first IP is the zombie IP which we want to appear as the zombie host.

# nmap -sI

To avoid ping from your true IP use '-Pn' with NMAP command.

# nmap -Pn -sI
Nmap scan report for
Host is up.
1/tcp     unknown tcpmux
3/tcp     unknown compressnet
4/tcp     unknown unknown
6/tcp     unknown unknown
7/tcp     unknown echo
9/tcp     unknown discard
13/tcp    unknown daytime
17/tcp    unknown qotd
19/tcp    unknown chargen
20/tcp    unknown ftp-data
21/tcp    unknown ftp
22/tcp    unknown ssh
23/tcp    unknown telnet
24/tcp    unknown priv-mail
Nmap done: 1 IP address (1 host up) scanned in 0.17 seconds

NMAP output options (o)

There are number of ways you can save nmap command output. For example you can save the output to a text file or an XML file.

To save output to an XML file use the command as given below.

# nmap -oX outfile.xml

To save output of nmap command in a text file.

# nmap -oN outfile.txt 

Similarly, to save the output in all formats, do the following.

# nmap -oA outfile

NMAP version

To know nmap version you have installed, type the following command.

# nmap --version

Man Nmap

To know more about options you can use with Nmap commands, search the man page.

$ man nmap

Or you can check out this man page link of nmap.

That's it with the tutorial NMAP commands with examples to scan all ports. If you like this article, please share.

Download Our Free eBook now

Linux and UNIX Shell scripting ebook

Be the first to comment

Leave a Reply

Your email address will not be published.