1. Home
  2. Network Admin

How to use Nmap from the command line on Linux

Nmap is a powerful network scanning tool for Linux, BSD, and other operating systems. It has dozens of excellent features, such as scanning IP addresses for open ports, mapping active devices on a network, identifying services running on scan targets, and so much more.

In this guide, we’ll go over how to use this powerful network administration tool on Linux, and cover how to make use of some of it’s most useful features, including host scanning, network mapping, and much more!

Note: Nmap is a command-line tool. If you need a good network mapping tool but aren’t a fan of the terminal, check out Zenmap. It’s a GUI front-end for Nmap that has the same features but packed into a slick interface.

Scan a single host

One of Nmap’s most basic features is its ability to scan a target (AKA host) for open ports, system information, etc. To start a scan, launch a terminal window on Linux by pressing Ctrl + Alt + T or Ctrl + Shift + T. From there, elevate the terminal to Root with su or sudo -s.

su -

Or

sudo -s

After gaining Root access in the terminal, it’s possible to do a basic scan by running nmap along with the target IP address, hostname, or website.

Note: for Nmap to scan remote website domain names, you may need to add http:// in front of the address.

nmap target-local-or-remote-ip-address

Need to figure out the operating system your target is running? Use the O option.

nmap -O target-local-or-remote-ip-address

Running the scan with the O command reveals OS information about the target Nmap scans, but for some, this isn’t enough information. Luckily, the V command-line switch can display even more information (open ports, etc.)

nmap -O -v target-local-or-remote-ip-address

For even more info, feel free to use the V switch twice.

nmap -O -vv target-local-or-remote-ip-address

Scan multiple hosts

With Nmap, it is possible to scan multiple hosts at a time. To do it, write out the command you’d be using for a single target but add on other addresses at the end of the command. For example, to check what two separate targets operating systems are, you’d do:

nmap -O target-local-or-remote-ip-address-1 target-local-or-remote-ip-address-2

To find more information about the two hosts scanned above, use the V switch.

nmap -O -v target-local-or-remote-ip-address-1 target-local-or-remote-ip-address-2

or

nmap -O -vv target-local-or-remote-ip-address-1 target-local-or-remote-ip-address-2

Nmap doesn’t have a limit to how many individual hostnames or IP addresses you add to the end of the command, so feel free to add as many as you need!

Scan IP-range

Scanning individual hosts by listing them one after another is one way to go about things. Still, if you have a whole lot of computers or network devices to look at, it’s smarter to do an IP-range scan with Nmap.

To do a scan of an IP-range, run Nmap against an IP, use the sn switch. For example, to scan a local network running on the 192.168.1 range, try the following example.

Note: be sure to replace the X and Y in the command below to the maximum IP number to scan to. Such as 0-50, 1-100, etc.

nmap -sS 192.168.1.X-Y

Want to have more information in your IP range scan, consider adding in the O and VV command-line switches.

nmap -sS -O -vv 192.168.1.X-Y

If your network operates on 10.196.1.1, try:

nmap -sS 10.196.1.X-Y

Or

nmap -sS -O -vv 10.196.1.X-Y

Don’t use 10.196.1.1 or 192.168.1.0? Figure out the range of IPs you’d like to scan and use the following example below.

Note: Nmap can scan any range of IP addresses. For best results, consult your local network’s router IP and start from there.

nmap -sS x.x.x.x-yy

Or

nmap -sS -O -vv x.x.x.x-yy 

Scan Subnet

Using the Nmap tool to look through a range of IP addresses is effective. An alternative to scanning a range is to scan all devices in a Subnet. To do this, enter the base IP of your router (or whatever you use to deliver a network connection to every computer on the network) and use the /24 notation.

For example, to scan every IP address on a router running from the base IP address of 192.168.1.1, you’d do:

nmap -sS 192.168.1.1/24

For more information with this scan, add in O and VV.

nmap -sS -O -vv 192.168.1.1/24

Or, for a router device with the base IP address of 10.196 .1.1, try this command instead.

nmap -sS 10.196.1.1/24

Or, for more info, do:

nmap -sS -O -vv 10.196.1.1/24

The 192.168.1.1 and 10.196.1.1 examples should work for most. However, those aren’t the only starting IP addresses that exist. If you need to scan devices on a Subnet and don’t use these base IPs, try the following example:

nmap -sS x.x.x.x/24

Or

nmap -sS -O -vv x.x.x.x/24

More Nmap information

In this guide, we just scratched the surface of what the Nmap can do on Linux. If you’re interested in learning even more about it, run nmap with the –help switch. It’ll print out every option and command available.

nmap --help

Leave a comment