Nmap security monitoring tool

How to scan a network using nmap on Linux


Nmap (Network Mapper) is a security scanning tool used to discover hosts and services on a computer network. It does this by sending specially crafted packets to the target hosts and then analysing the responses. Nmap can identify which ports are open and, in most cases, identify the host operating system. Nmap was designed to scan large networks quickly, although it is often used against selected IP addresses.

Nmap is often used as a security auditing tool, for example to see which services are listening and reachable on a host.

Nmap Features

Host Discovery - Identifies live hosts by analysing responses to ping probes and to probes sent to commonly open ports.

Port Scanner - Scans through a range of ports to determine if they are open or not.

Version Detection - nmap can interrogate listening network services and determine application names and version numbers.

Operating System Detection - nmap can identify known operating systems.

Nmap installation guide

nmap can normally be installed directly from your system's standard repositories. Below are examples of installing nmap on Debian/Ubuntu, CentOS/RHEL and openSUSE Linux distributions. To install nmap, simply follow the instructions that match your operating system.

Install nmap for Ubuntu/Debian based systems

To install nmap on a Debian based system, issue the commands below. The first command refreshes the package index so that the latest available package versions are known to your system. It is followed by the install command. Reply "Y" when asked to install the relevant package and any dependencies.


$ sudo apt-get update
$ sudo apt install nmap

Install nmap for RHEL - CentOS systems

To install nmap on a Red Hat Enterprise Linux system or a Red Hat based system, issue the following "dnf" command.


# dnf install nmap

Install nmap for openSUSE Distributions

To install nmap on an openSUSE system, issue the following "zypper" command.


# zypper install nmap

Nmap command examples

The following section illustrates some of the functionality of the nmap command. In the examples below, the commands are issued from a Linux Mint installation.

Scan a single IP address

In the following example, we are going to run a scan against a single IP address with no additional parameters passed.


john@mint01a:~$ nmap 192.168.0.33
Starting Nmap 7.80 ( https://nmap.org ) at 2021-04-25 13:31 BST
Nmap scan report for mint01a (192.168.0.33)
Host is up (0.000085s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE
22/tcp open  ssh

Nmap done: 1 IP address (1 host up) scanned in 0.11 seconds

In the above example, our target IP address was scanned. With no options given, nmap scans the 1,000 most commonly used TCP ports, which is why the report lists 999 closed ports plus the single open port below.

Port 22: Used for ssh connections.

Scan with OS Detection

nmap can also attempt to identify the operating system of a target. The -A option enables OS detection, version detection, script scanning (NSE) and traceroute, and -v increases verbosity. To attempt to identify the operating system, we can issue the following command against our target server.

nmap -v -A 192.168.0.33


john@mint01a:~$ nmap -v -A 192.168.0.33
Starting Nmap 7.80 ( https://nmap.org ) at 2021-04-25 13:37 BST
NSE: Loaded 151 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 13:37
Completed NSE at 13:37, 0.00s elapsed
Initiating NSE at 13:37
Completed NSE at 13:37, 0.00s elapsed
Initiating NSE at 13:37
Completed NSE at 13:37, 0.00s elapsed
Initiating Ping Scan at 13:37
Scanning 192.168.0.33 [2 ports]
Completed Ping Scan at 13:37, 0.00s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 13:37
Completed Parallel DNS resolution of 1 host. at 13:37, 0.03s elapsed
Initiating Connect Scan at 13:37
Scanning mint01a (192.168.0.33) [1000 ports]
Discovered open port 22/tcp on 192.168.0.33
Completed Connect Scan at 13:37, 0.02s elapsed (1000 total ports)
Initiating Service scan at 13:37
Scanning 1 service on mint01a (192.168.0.33)
Completed Service scan at 13:37, 0.01s elapsed (1 service on 1 host)
NSE: Script scanning 192.168.0.33.
Initiating NSE at 13:37
Completed NSE at 13:37, 0.09s elapsed
Initiating NSE at 13:37
Completed NSE at 13:37, 0.00s elapsed
Initiating NSE at 13:37
Completed NSE at 13:37, 0.00s elapsed
Nmap scan report for mint01a (192.168.0.33)
Host is up (0.000077s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

NSE: Script Post-scanning.
Initiating NSE at 13:37
Completed NSE at 13:37, 0.00s elapsed
Initiating NSE at 13:37
Completed NSE at 13:37, 0.00s elapsed
Initiating NSE at 13:37
Completed NSE at 13:37, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 0.70 seconds

From the above, we can see that the scan identified the system as an Ubuntu based system, which is correct for my Linux Mint system. Note that nmap's TCP/IP OS fingerprinting (-O) requires root privileges, and -A only enables it when nmap is run as root; in the unprivileged run above, the "Ubuntu Linux" identification comes from the OpenSSH version banner reported by version detection, as the "Service Info: OS: Linux" line shows. Run the same command with sudo to obtain a full OS fingerprint.

Test scan a server

If you do not have any servers of your own to scan, nmap offers a test host you can use to try out various functionality.

The following address can be used for testing purposes: scanme.nmap.org.

Below is an example of nmap running against the test address.


john@mint01a:~$ nmap -A -T4 scanme.nmap.org
Starting Nmap 7.80 ( https://nmap.org ) at 2021-04-25 13:42 BST
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.17s latency).
Other addresses for scanme.nmap.org (not scanned): 2600:3c01::f03c:91ff:fe18:bb2f
Not shown: 996 closed ports
PORT      STATE SERVICE    VERSION
22/tcp    open  ssh        OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 ac:00:a0:1a:82:ff:cc:55:99:dc:67:2b:34:97:6b:75 (DSA)
|   2048 20:3d:2d:44:62:2a:b0:5a:9d:b5:b3:05:14:c2:a6:b2 (RSA)
|   256 96:02:bb:5e:57:54:1c:4e:45:2f:56:4c:4a:24:b2:57 (ECDSA)
|_  256 33:fa:91:0f:e0:e1:7b:1f:6d:05:a2:b0:f1:54:41:56 (ED25519)
80/tcp    open  http       Apache httpd 2.4.7 ((Ubuntu))
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Go ahead and ScanMe!
9929/tcp  open  nping-echo Nping echo
31337/tcp open  tcpwrapped
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.97 seconds
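The human-readable reports shown in the three scans above are not a stable format to build monitoring on; nmap's XML output (-oX) is. The following Python example is an addition to this article, not code from the nmap project: it parses an nmap XML report into a per-host port inventory and compares the open ports against an allow-list of what each host is expected to expose, which is the typical way a defender turns a periodic nmap scan into an alert on an unexpected listener. The embedded report is a constructed sample modelled on the scanme.nmap.org results above (it is not real captured output), and the function names, the baseline dictionary and the "nmap -sV -oX -" invocation in run_nmap_xml are this example's own choices.

```python
import subprocess
import xml.etree.ElementTree as ET

# Constructed sample report, modelled on the scanme.nmap.org scan shown above.
# Real nmap XML carries more attributes; only the elements this parser reads
# are reproduced here.
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap" args="nmap -sV -oX - scanme.nmap.org" version="7.80">
  <host>
    <status state="up" reason="syn-ack"/>
    <address addr="45.33.32.156" addrtype="ipv4"/>
    <hostnames><hostname name="scanme.nmap.org" type="user"/></hostnames>
    <ports>
      <extraports state="closed" count="996"/>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="6.6.1p1 Ubuntu 2ubuntu2.13" method="probed" conf="10"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
        <service name="http" product="Apache httpd" version="2.4.7" method="probed" conf="10"/></port>
      <port protocol="tcp" portid="9929"><state state="open" reason="syn-ack"/>
        <service name="nping-echo" product="Nping echo" method="probed" conf="10"/></port>
      <port protocol="tcp" portid="31337"><state state="open" reason="syn-ack"/>
        <service name="tcpwrapped" method="probed" conf="8"/></port>
    </ports>
  </host>
  <runstats><finished elapsed="19.97" exit="success"/><hosts up="1" down="0" total="1"/></runstats>
</nmaprun>
"""


def run_nmap_xml(target, extra_args=()):
    """Run nmap with version detection against `target` and return the XML
    report as text. Requires nmap on PATH; '-oX -' sends the XML to stdout."""
    cmd = ["nmap", "-sV", "-oX", "-", *extra_args, target]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


def parse_nmap_xml(xml_text):
    """Return {address: [port_record, ...]} for every host in the report.

    Each port_record is a dict with proto, port, state, service, product and
    version. Hosts that answered but exposed no ports still appear, with an
    empty list, so a "host vanished" condition is visible to the caller."""
    root = ET.fromstring(xml_text)
    results = {}
    for host in root.findall("host"):
        # Prefer the IPv4 address; fall back to whatever address nmap recorded.
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            addr_el = host.find("address")
        if addr_el is None:
            continue
        records = []
        for port in host.findall("ports/port"):
            state = port.find("state")
            svc = port.find("service")
            records.append({
                "proto": port.get("protocol"),
                "port": int(port.get("portid")),
                "state": state.get("state") if state is not None else "unknown",
                "service": svc.get("name", "") if svc is not None else "",
                "product": svc.get("product", "") if svc is not None else "",
                "version": svc.get("version", "") if svc is not None else "",
            })
        results[addr_el.get("addr")] = records
    return results


def unexpected_open_ports(results, baseline):
    """Compare each host's open ports with `baseline`, a mapping of
    address -> set of (proto, port) pairs that are expected to be open.
    Returns (address, proto, port, service) for every open port the
    baseline does not cover; a host missing from the baseline flags all
    of its open ports."""
    findings = []
    for addr, records in sorted(results.items()):
        allowed = baseline.get(addr, set())
        for rec in records:
            if rec["state"] == "open" and (rec["proto"], rec["port"]) not in allowed:
                findings.append((addr, rec["proto"], rec["port"], rec["service"]))
    return findings


if __name__ == "__main__":
    import sys

    # With a target on the command line, scan it live; otherwise use the sample.
    xml_text = run_nmap_xml(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_NMAP_XML
    inventory = parse_nmap_xml(xml_text)
    # Expected exposure for the sample host: only ssh and http (constructed baseline).
    expected = {"45.33.32.156": {("tcp", 22), ("tcp", 80)}}
    for addr, proto, port, service in unexpected_open_ports(inventory, expected):
        print(f"ALERT {addr} {port}/{proto} ({service or 'unknown'}) open but not in baseline")
```

Run without arguments it reports 9929/tcp and 31337/tcp on the sample host as unexpected; run as "python3 script.py 192.168.0.33" (with nmap installed) it scans the host from the earlier examples instead. Keeping the baseline per host rather than global is deliberate: a port that is legitimate on a web server is still an anomaly on a workstation.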

For further help with the nmap command, issue "man nmap" or "nmap -h".