nmap Command Recipes

Network mapper is the powerful yet simple tool which can be used to scan surroundings. In simple terms command nmap can be used to scan connected devices in the network.

Why Learn about Nmap ?

For beginners Nmap command can be used to trouble shoot the network. Otherwise if you are planning to become the security expert, ethical hacker or penetration tester having knowledge about how to use Namp command is must and should. It would be the great tool in your arsenal

Features of Tool Nmap

Features and usage of Nmap is

  • Scan Hosts
  • Scan Open Ports
  • Unveil Vulnerabilities
  • Gather Information

Scan the ports on the remote server(machine) specific IP

sudo nmap <ip address>

To scan single IP and host

sudo nmap

Scan the IP range by specifying the last octet

sudo nmap 

Above command scans the IP address of range to

Scan the specific port on selected target

sudo nmap -p 80 

Above command scans the specified port 80 on target

Port Scanning

Namp command can be used to scan specific ports, or range of ports on desired host

nmap -p <port number> <ip>

Scan the port 80 on the host

nmap -p 80

For example scan the range of port from 20 to 2024

nmap -p 20-2024

Nmap ping Scan

Nmap ping scan is used to identify hosts in any given or targeted network. It is the quite strait forward and easiest way to identify hosts in the network. downside of the ping scan which is based on ICMP protocol is that some networks or targeted hosts sometimes block the IP based or ICMP based ping packets.

nmap -sp 

Scan Multiple Hosts

Simple way to scan multiple hosts, where each host separated by space. Following command without any options will list all open ports on mentioned hosts

nmap  google.com

Output would look like as follows having list of open ports on targeted hosts

Starting Nmap 6.40 ( http://nmap.org ) at 2022-08-31 06:57 UTC
Nmap scan report for googe.com (
Host is up (0.0076s latency).
Not shown: 995 filtered ports
22/tcp   open   ssh
80/tcp   open   http
443/tcp  open   https
5000/tcp closed upnp
8000/tcp closed http-alt

Nmap scan report for dns.google (
Host is up (0.0011s latency).
Not shown: 998 filtered ports
53/tcp  open  domain
443/tcp open  https

Nmap done: 2 IP addresses (2 hosts up) scanned in 7.09 seconds

Scan the consecutive IP Addresses


Above command would scan IP addresses, such as,, and

Scan Significan Ports

Scan the most significant or popular ports using the command line option –top-ports

nmap --top-ports 25

Above command scans the top 25 ports on the host

Scan Port Range

Scan range of ports on selected host

nmap -p 2024-4048

Also, it is possible to scan specific port(s)

nmap -p 80,8080,800,443

Scan IP Range

Nmap command can be used to scan range of IP address to check what ports are open.

Scan range of IP addresses by providing the block using CIDR notation


According the above command, given that the CIDR IP range encodes Netmask and IP range to which makes up of total 1024 IP address that namp scans.

Another way is to specify the range using hyphen (-) for the last octet of IP address


Above command scan the IP addresses from to inclusive

If you want to scan the All Ip addresses in single octet, us the wildcard as follows

nmap 192.168.4.* 

You wanted to scan all addresses in the given range but wanted to exclude few hosts. In such a case you use the command line option –exclude

nmap -p 192.168.4.*.  --exclude 

Scan Using TCP/UDP

One of the super power of nmap is that making use of TCP and UDP to scan. This is helpful to gain more insights as compared to traditional ICMP based scans

Typical scan using TCP

nmap -sT

Typical scan using UDP

nmap -sU

Host Discovery

If you are looking to identify number of hosts that are up in the network instead of scanning of ports on each host. Use the command line option -sn

nmap -sn 

Above command lists all hosts that are up along with MAC address

We can also perform the List scan (-sL) in which nmap does not send any packets instead it lists all IP addresses in the range and reports total number of IP addresses at the end. But, it still does the reverse DNS resolution. This command will be helpful to perform the sanity check and run preliminary scan on the targeted network without sending packets such that we can be sure that we are targeting right network or company only.

nmap -sL 192.168.40/22
Perform a Ping Only Scannmap -sP [target]nmap -sP
Don’t Pingnmap -PN [target]nmap -PN
TCP SYN Pingnmap -PS [target]nmap -PS
TCP ACK Pingnmap -PA [target]nmap -PA
UDP Pingnmap -PU [target]nmap -PU
SCTP INIT Pingnmap -PY [target]nmap -PY
ICMP Echo Pingnmap -PE [target]nmap -PE
ICMP Timestamp Pingnmap -PP [target]nmap -PP
CMP Address Mask Pingnmap -PM [target]nmap -PM
IP Protocol Pingnmap -PO [target]nmap -PO

Disable Name Resolution

Sometimes name resolution amount to tremendous time, to speed up the process you can disable the DNS name resolution using the option -n command line parameter

nmap -p 53 -n 

Dump scan results to file

To save the results to text file instead of standard output

nmap -oN output.txt  example.com 

It is also possible to export results in XML format

nmap -oX output.xml getkt.com

Scanning for Malware

Capabilities of Nmap never ends, it is most potent tool capable of detecting the malware and backdoors by scanning common services like SMPT, SMB, IRC, Ldentd and Vsftpd. It can perform the proliferate scan by linking to updated VirusTota and Google Safe browsing DBs

nmap -sV --script=http-malware-host

perform the scan by linking to Google Malware database to check signatures

nmap -p80 --script http-google-malware example.com

OS & Service Detection

Following command enables you to detect OS and Services on remote host

nmap -A -T4 

Attacks Using Nmap

To launch simple DoS attack using slowloris vulnerability using NSE known as “Nmap Scripting Engine” .

nmap -max-parallelism 800 -Pn --script http-slowloris --script-args http-slowloris.runforever=true

Strait forward simple FTP brute force attack

nmap --script ftp-brute -p 21

Brute force attack on MySQL

nmap -p 3036 --script ms-sql-brute --script-args userdb=customuser.txt,passdb=passwds.txt

Brute force attack on wordpress

nmap -sV --script http-wordpress-brute --script-args 'userdb=users.txt,passdb=passwds.txt,http-wordpress-brute.hostname=domain.com, http-wordpress-brute.threads=3,brute.firstonly=true'
Default image
Naveen T aka neotam. Programming language agnostic, Software architect, Python expert, Networking & DevOps engineer & consultant with 7+ years of experience in creating serious web applications, real time event-driven non blocking applications and database driven applications ranging from small scale to enterprise grade. website
Leave a Reply