Beginner’s Guide to Using nmap

nmap is a network scanning tool which can be used for a whole variety of network discovery tasks including port scanning, service enumeration and OS fingerprinting.

To install nmap on Ubuntu or Raspbian use:

sudo apt-get install nmap

For Linux versions that use yum, like Fedora, run this as root:

yum install nmap

The simplest invocation is just to supply a hostname or IP address of a machine that you want to scan. nmap will then scan the machine to see which ports are open. For example:


All TCP/IP connections use a port number to uniquely identify each network service. For example, web browser connections are made on port 80; emails are sent on port 25 and downloaded on port 110; secure shell connections are made on port 22; and so on. When nmap does a port scan, it shows which ports are open and able to receive connections. In turn, this indicates which services are running on the remote machine.

From a security point of view, the fewer services that are running on a host, the more secure it is. This is because there are fewer “holes” that an attacker can use to try and access the machine. It is also a useful way to perform a preliminary check to see if a service is running (and accepting connections). A quick scan of my Ubuntu server looks like this:


To discover which software is providing the server behind each of the open ports use the -sV option:

nmap -sV

Here are the results from a Raspberry Pi:


nmap has correctly discovered that the OpenSSH server is being used to provide an SSH service on the Pi. The tool also notes that the Pi is running Linux!
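To act on the earlier point that fewer running services mean fewer holes, the following added example (not part of the original article) parses a version scan of your own hosts and reports any open port that is not on a list of services you expect. It assumes the scan was saved in nmap's grepable format (-sV -oG); the sample output, the addresses and the ALLOWED list are constructed for illustration.

```python
import re

# Constructed sample of `nmap -sV -oG -` output (documentation addresses, not real hosts).
SAMPLE_OG = """\
# Nmap scan (constructed sample) as: nmap -sV -oG - 192.0.2.10-11
Host: 192.0.2.10 ()\tStatus: Up
Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 6.0p1 Debian 4 (protocol 2.0)/, 80/open/tcp//http//Apache httpd 2.2.22/, 3306/filtered/tcp//mysql///\tIgnored State: closed (997)
Host: 192.0.2.11 ()\tStatus: Up
Host: 192.0.2.11 ()\tPorts: 22/open/tcp//ssh//OpenSSH 6.0p1 Debian 4 (protocol 2.0)/, 23/open/tcp//telnet//Linux telnetd/\tIgnored State: closed (998)
"""

# Hypothetical allowlist: the (port, protocol) pairs each host is supposed to expose.
ALLOWED = {
    "192.0.2.10": {(22, "tcp"), (80, "tcp")},
    "192.0.2.11": {(22, "tcp")},
}

def parse_grepable(text):
    """Return {host: [(port, proto, service, version), ...]} for open ports only."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # skip the '#' header and footer lines
        fields = line.split("\t")
        host = fields[0].split()[1]
        for field in fields[1:]:
            if not field.startswith("Ports: "):
                continue  # 'Status:' and 'Ignored State:' fields carry no port list
            # Entries look like port/state/proto/owner/service/rpcinfo/version/
            for entry in re.split(r", (?=\d+/)", field[len("Ports: "):]):
                parts = entry.split("/")
                if len(parts) < 7 or parts[1] != "open":
                    continue
                hosts.setdefault(host, []).append((int(parts[0]), parts[2], parts[4], parts[6]))
    return hosts

def unexpected_services(hosts, allowed):
    """List (host, port, proto, service, version) for open ports missing from the allowlist."""
    findings = []
    for host, ports in sorted(hosts.items()):
        permitted = allowed.get(host, set())  # a host with no entry has nothing permitted
        for port, proto, service, version in ports:
            if (port, proto) not in permitted:
                findings.append((host, port, proto, service, version))
    return findings

if __name__ == "__main__":
    for host, port, proto, service, version in unexpected_services(parse_grepable(SAMPLE_OG), ALLOWED):
        print(f"{host}: unexpected {port}/{proto} {service} ({version or 'version unknown'})")
```

Run against the constructed sample, it reports the telnet service on the second host, which is open but not on that host's list.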

nmap is able to perform advanced operating system detection using the -O option. For operating system detection, nmap needs to be run with root privileges. For Ubuntu and Raspbian:

sudo nmap -O

Here is the output from a scan performed against a Windows XP machine:


If you want to scan more than one host at a time, nmap allows you to specify multiple addresses or use address ranges. To scan more than one host just add extra addresses to the parameter list (with each one separated by a SPACE). For example to scan for open ports on, and, use:


To specify an address range use the dash symbol. For example to scan the first five hosts on your network you could use:


The output would look something like this:


The first host found is the router supplied by my Internet Service Provider (on address and the second one is my Raspberry Pi (on

Although nmap is simple to use, it offers a range of advanced features. The next part in this series will touch on some of the more advanced uses, but in closing here is a short list of other commands you might find useful:

To check if a specific port is open use -p followed by the port number or the port name, for example:

nmap -p ssh

It can be combined with the -sV flag to determine the version of the software attached to that port:

nmap -p ssh -sV

To discover which hosts are alive on your network use the -sn flag. This will just ping the hosts specified in the address range. For example:

nmap -sn

As a closing word of warning, don’t run scans against hosts that you don’t control or have permission to scan. Excessive scanning can be interpreted as an attack or could disrupt services unnecessarily.
