Description
Nmap (Network Mapper) is the industry-standard open source utility for network discovery and security auditing. It uses raw IP packets to determine what hosts are available, what services they are running, what operating systems and versions are in use, what type of packet filters/firewalls are in use, and dozens of other characteristics.
Installation
BASH
# Debian/Ubuntu
sudo apt install nmap
# macOS
brew install nmap
# From source
wget https://nmap.org/dist/nmap-7.94.tar.bz2
tar xvf nmap-7.94.tar.bz2
cd nmap-7.94
./configure && make && sudo make install
Basic Usage
BASH
# Quick scan (top 1000 ports)
nmap target.com
# Scan specific ports
nmap -p 80,443,8080 target.com
# Scan all ports
nmap -p- target.com
# Service version detection
nmap -sV target.com
# OS detection (requires root privileges)
sudo nmap -O target.com
Advanced Usage
BASH
# Aggressive scan (OS + version + scripts + traceroute)
nmap -A target.com
# SYN scan (stealth)
sudo nmap -sS target.com
# UDP scan
sudo nmap -sU target.com
# Script scanning
nmap --script vuln target.com
nmap --script http-enum target.com
nmap --script ssl-enum-ciphers -p 443 target.com
# Host discovery across a subnet (ping scan, no port scan)
nmap -sn 192.168.1.0/24
# Save output in all three formats (normal, XML, grepable) as scan-results.*
nmap -oA scan-results target.com
# Timing templates (0-5, 5 is fastest)
nmap -T4 target.com
# Skip host discovery
nmap -Pn target.com
# Fragment packets (evasion)
nmap -f target.com
# Run every NSE script whose name matches a wildcard
nmap --script "http-*" -p 80,443 target.com
Common Workflows
BASH
# Full TCP scan with version detection
nmap -sV -sC -p- -T4 target.com -oA full-scan
# Quick recon scan
nmap -sV --top-ports 100 target.com
# Vulnerability assessment
nmap --script vuln -p 80,443 target.com
# Web server enumeration
nmap -sV -p 80,443,8080,8443 --script http-enum,http-title,http-headers target.com
# Scan from list
nmap -iL targets.txt -sV -oA batch-scan