nmap Command

nmap (Network Mapper) is an extremely powerful open-source tool for network exploration and security auditing. It can discover hosts, services, operating systems, and potential vulnerabilities on a network. Note: Running nmap scans on networks you do not own is illegal in many countries. Always have permission.

Host Discovery (Ping Scans)

Discover Hosts in a Subnet

nmap -sn 192.168.1.0/24

This is a "ping scan". It discovers which hosts are online in the specified subnet without performing a port scan. It's a fast way to see what's active on your local network.

Port Scanning Techniques

Default TCP Scan

nmap scanme.nmap.org

Performs a default scan, which includes a ping scan and a TCP scan of the 1000 most common ports.

Scan Specific Ports

nmap -p 22,80,443 192.168.1.1

The -p flag allows you to specify which ports to scan. You can use commas for individual ports and hyphens for ranges (e.g., -p 1-1024).

Fast Scan (Fewer Ports)

nmap -F 192.168.1.1

The -F flag scans the 100 most common ports, which is much faster than the default 1000.

TCP SYN Scan (Stealth Scan)

sudo nmap -sS 192.168.1.1

This is the default scan type when run with root privileges. It's often called a "stealth scan" because it never completes a full TCP connection, making it less likely to be logged. It's fast and efficient.

Service and OS Detection

Detect Service Versions

nmap -sV scanme.nmap.org

The -sV flag probes open ports to determine the exact service and version running on them (e.g., Apache httpd 2.4.52).

Detect Operating System

sudo nmap -O scanme.nmap.org

The -O flag enables OS detection, which attempts to identify the operating system of the target host based on its network fingerprint.

Aggressive Scan (All-in-one)

sudo nmap -A scanme.nmap.org

The -A flag enables an "aggressive" scan, which is a shortcut for enabling OS detection (-O), version detection (-sV), script scanning (-sC), and traceroute (--traceroute). It provides a wealth of information.