1. Scan One Host or IP Address

Scan  Specific IP Address :

$ nmap

Scan server by  Hostname :

$ nmap server.valeurbit.com

Increase the  Level of Detail of  scan results:

$ nmap -v server.valeurbit.com
$ nmap -vv server.valeurbit.com

2. Scanning Multiple IP Addresses

Scan  Multiple IP Addresses :

$ nmap
$ namp,2,3

Scan  Subnet :

$ nmap
$ nmap 192.168.1. *

Scan  IP Address Range  ( –

$ nmap

3. Searching for Active Computers on the Net

Scan the network for  Active Hosts :

$ nmap -sn

4. Scanning the Host List from File

Scanning a list of hosts / networks from a  File :

$ nmap -iL input.txt

File format:

# Entries can be submitted in any of the formats with which it works
# Nmap from the command line (IP addresses, hostnames, CIDR, IPv6, or octet
# ranges). Entries must be separated by one or more spaces, tabs
# or line breaks.

$ cat input.txt

5. Excluding IP / Hosts / Networks from Scanning

Exclude Targets  from Nmap scans:

$ nmap --exclude
$ nmap --exclude
$ nmap --exclude,2,3

Exclude List of  hosts taken from file:

$ nmap --excludefile exclude.txt

The excluded hosts file format is the same as above.

6. Scanning Specific Ports

Scan  One Port :

$ nmap -p 80

Scan  Multiple Ports :

$ nmap -p 80,443

Scan  Port Range :

$ nmap -p 80-1000

Scan  All Ports :

$ nmap -p "*"

Scan some of the most  Common Ports :

$ nmap --top-ports 5
$ nmap --top-ports 10

7. Determine Supported IP Protocols

Determine which  IP Protocols  (TCP, UDP, ICMP, etc.) the scanned host supports:

$ nmap -sO

8. Scanning TCP / UDP Ports

Scan  all TCP Ports :

$ nmap -sT

Scan  specific TCP Ports :

$ nmap -p T: 80

Scan  all UDP Ports :

$ nmap -sU

Scan  specific UDP Ports :

$ nmap -p U: 53

Combining scans of different ports:

$ nmap -p U: 53,79,113, T: 21-25,80,443,8080

9. Fast Scan

Activate  Fast  Scan Mode :

$ nmap -F

*  Scans fewer ports than normal scan.

10. Show Port Status Reason

Show  Reason Nmap thinks the port is in a particular state:

$ nmap --reason

11. Show Only Open Ports

Show  Only Open Ports  (or possibly open):

$ nmap --open

12. Definition of OS

One of the most well-known features of Nmap is remote OS detection based on analysis of the TCP / IP stack.

Nmap sends a series of TCP and UDP packets to the remote host and examines the responses.

After running many tests, Nmap compares the results with its database and, when a match is found, displays information about the OS.

Enable  OS Detection :

$ nmap -O

13. Determining the Version of the Services

Enable  Service Version Detection :

$ nmap -sV

*  Determines the versions of programs running on the remote server.

14. Firewall detection

Find out if the computer is protected by any  Packet Filters  or  Firewall :

$ nmap -sA

15. Spoofing MAC Address

Spoof  MAC Addresses :

$ nmap --spoof-mac 00: 11: 22: 33: 44: 55

Spoof MAC Address with  Random MAC :

$ nmap --spoof-mac 0

16. Scanning the Firewall for Vulnerabilities

These three types of scans exploit an invisible loophole in the  TCP RFC to distinguish between open and closed ports.

When an RFC-compliant system is scanned, any packet that does not have the SYN, RST, or ACK bit set will cause an RST to be sent in response if the port is closed, or no response if the port is open.

Because none of these bits are set, then any combination of the three remaining bits (FIN, PSH and URG) will be correct.

TCP Null  Scan:

$ nmap -sN

*  No bits are set (Flags in TCP header 0).

TCP Fin  Scan:

$ nmap -sF

*  Only the TCP FIN bit is set.

TCP Xmas  scan:

$ nmap -sX

*  FIN, PSH and URG flags are set (the package glows like a Christmas tree).

Hosts using a firewall may not respond to standard ICMP pings.

Try the following methods to detect connected hosts if the firewall is blocking standard ICMP pings:

# TCP SYN Ping
$ nmap -sn -PS

# TCP ACK Ping
$ nmap -sn -PA

# UDP Ping
$ nmap -sn -PU

# Ping over IP Protocol
$ nmap -sn -PO

# ARP Ping
$ nmap -sn -PR

The last three commands must be run as root.

17. Covert Scan

TCP SYN  scan:

$ nmap -sS

*  Known as scanning with half-open connections, as it does not open full TCP connections.

18. Disable Host Discovery (No Ping)

Do not ping hosts before scanning:

$ nmap -Pn

19. Disable DNS Usage

Never perform reverse DNS resolution for every active IP address found:

$ nmap -n

20. Saving Nmap Scan Results to File

Save Nmap scan result to  Text File :

$ nmap> output.txt
$ nmap -oN output.txt

Save Nmap Scan Result to  XML File :

$ nmap -oX output.xml

Anonymous Port Scanning: Nmap + Tor + ProxyChains

Installing Tor + Nmap + ProxyChains

To perform anonymous port scanning, we need to install the following programs:

torAnonymizing Network for TCP
nmapNetwork Port Scanner
proxychainsRedirects connections through proxy servers


Install the  Tor  client from the standard repositories:

$ sudo apt-get install tor


Install Nmap:

$ sudo apt-get install nmap


Install ProxyChains:

$ sudo apt-get install proxychains

ProxyChains  is already configured to work with Tor by default  .

You can verify this by looking at  /etc/proxychains.conf.

The last lines of the config should look like this:

# add proxy here ...
# meanwile
# defaults set to "tor"
socks4 9050

Anonymous Port Scanning Over Tor

Run the following command to  scan anonymously with Nmap over the  Tor network :

$ proxychains nmap -sT -PN -n -sV -p 80,443,21,22 217.xx.xx.xx
ProxyChains-3.1 (http://proxychains.sf.net)

Starting Nmap 6.00 (http://nmap.org) at 2014-03-24 17:34 EET
| S-chain | - <> -<><>-217.xx.xx.xx:443-<><>-OK
| S-chain | - <> -<><>-217.xx.xx.xx:21-<><>-OK
| S-chain | - <> -<><>-217.xx.xx.xx:80-<><>-OK
| S-chain | - <> -<><>-217.xx.xx.xx:22-<--denied

Nmap scan report for 217.xx.xx.xx
Host is up (0.14s latency).
21 / tcp open ftp Pure-FTPd
22 / tcp closed ssh
80 / tcp open http Apache httpd 2.2.26 ((CentOS))
443 / tcp open ssl / http Apache httpd 2.2.26 ((CentOS))

In the scan logs, we can see a ‘chain’ that goes from the  Tor proxy ( to the host being scanned (217.xx.xx.xx).

Nmap over Tor: Bypassing Node Blocking

We may face a situation where the scan fails due to the fact that the Tor exit nodes are blocked (banned by the host being scanned).

A way out of this situation can be adding an ordinary public proxy server to the ‘chain’  .

This is done by editing  /etc/proxychains.conf and adding a new entry at the end of  [ProxyList]  (also make sure the random_chain option  is  off).

# add proxy here ...
# meanwile
# defaults set to "tor"
socks4 9050
socks4 1080

The new ‘chain’ goes through the  Tor proxy ( to the public proxy server we specified   ( and then to the scanned host (217.xx.xx.xx).

$ proxychains nmap -sT -PN -n -sV -p 21 217.xx.xx.xx
ProxyChains-3.1 (http://proxychains.sf.net)

Starting Nmap 6.00 (http://nmap.org) at 2014-03-25 11:05 EET
| S-chain | - <> -<>-<><>-217.xx.xx.xx:21-<><>-OK
| S-chain | - <> -<>-<><>-217.xx.xx.xx:21-<><>-OK
Nmap scan report for 217.xx.xx.xx
Host is up (1.2s latency).
21 / tcp open ftp Pure-FTPd

In the examples above, I run  nmap  with the following options:

-sTfull TCP scan
-PNskip host discovery
-nnever resolve DNS (to avoid DNS leaks)
-sVdetermine service version
-pwhich ports to scan

Scanning through Tor is very slow. Therefore, in the examples above, I only scanned certain ports.