Top Nmap Commands for System Admins

Nov 04, 2021

Network Mapper (Nmap) is an open-source Linux command-line tool for network exploration and security auditing. With Nmap, server administrators can reveal services and hosts quickly, scan for open ports and search for security issues. The Nmap tool can assess and discover local and remote open ports as well as network information and hosts.

Top Nmap Commands in Linux with Examples

There is no way to set up an Nmap tutorial without outlining its commands. Here's a quick rundown of some common functions of Nmap you can try:

  1. Ping Scanning

A ping scan returns information on every IP active on your network.

You can use the following command to execute a ping scan (the option is -sn; older Nmap releases spell it -sP, with a capital P):

> nmap -sn <target>

Note: Running Nmap against a single host with no other options scans that host for 1000 well-known ports, the ports used by popular services such as SNTP, Apache, and SQL.

Here's how to run this command:

> nmap <host>

  2. Port Scanning

There are many ways to execute a scan for ports. The main differences between the types of port scans are whether they cover UDP or TCP ports and whether they complete a TCP connection.

For example, the TCP Connect scan actively queries every host and requests a response, while the UDP scan uses UDP packets to scan DNS, SNMP, and DHCP ports to do the same job.

Let's assess the different port scanning types below.

Using the -p parameter to run a single-port scan:

> nmap -p 973 <target>

Scanning ports for a particular connection type by specifying the type of port (T: for TCP):

> nmap -p T:7777,973 <target>

Using hyphens to separate a range of ports:

> nmap -p 76-973 <target>

Using the --top-ports flag to specify the top n ports to scan:

> nmap --top-ports 10 <target>

  3. Host Scanning

Host scanning gives IT professionals and network administrators detailed information on a specific host or a wide range of IP addresses, including latency, MAC address, and any description associated with each address.

As a result, this will allow you to quickly identify and eliminate suspicious hosts connected to your network. You can use the following commands to execute a host scan:

Writing all the IP addresses in one row allows the tool to scan all of the hosts simultaneously:

> nmap <ip1> <ip2> <ip3>

Using the asterisk (*) to scan an entire subnet in one go:

> nmap 192.164.1.*

Adding commas to separate the IP address endings instead of typing out each full address:

> nmap 192.164.1.1,2,3,4

Using a hyphen to define a range of IP addresses:

> nmap 192.164.1.1-255

Note: If you want to scan a hostname, replace the IP address with the hostname.
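
Before running a host scan it helps to see exactly which addresses a target expression covers. The Python sketch below is an added example, not part of the original article or of Nmap itself: it expands the wildcard, comma and hyphen notations described above and reports any address outside an authorized range. The function names and the authorized network are assumptions made for illustration.

```python
import ipaddress
import itertools

def expand_octet(spec):
    """Expand one octet spec ('*', '7', '1-255', '1,2,3,4') into sorted ints."""
    values = set()
    for part in spec.split(","):
        if part == "*":
            lo, hi = 0, 255
        elif "-" in part:
            lo_s, hi_s = part.split("-", 1)
            # Nmap lets either end be omitted: the defaults are 0 and 255.
            lo, hi = int(lo_s or 0), int(hi_s or 255)
        else:
            lo = hi = int(part)
        if not 0 <= lo <= hi <= 255:
            raise ValueError(f"bad octet spec: {part!r}")
        values.update(range(lo, hi + 1))
    return sorted(values)

def expand_target(target):
    """Return every IPv4 address an octet-range target covers (no hostnames or CIDR)."""
    octets = target.split(".")
    if len(octets) != 4:
        raise ValueError(f"expected four octets: {target!r}")
    combos = itertools.product(*(expand_octet(o) for o in octets))
    return [".".join(map(str, c)) for c in combos]

def out_of_scope(target, authorized_cidrs):
    """Addresses covered by the target that fall outside every authorized network."""
    nets = [ipaddress.ip_network(c) for c in authorized_cidrs]
    return [ip for ip in expand_target(target)
            if not any(ipaddress.ip_address(ip) in n for n in nets)]

if __name__ == "__main__":
    # The three notations from this section, then a hypothetical scope check.
    for spec in ("192.164.1.*", "192.164.1.1,2,3,4", "192.164.1.1-255"):
        ips = expand_target(spec)
        print(f"{spec:20} -> {len(ips)} addresses, {ips[0]} .. {ips[-1]}")
    print(out_of_scope("192.164.1-2.1,2", ["192.164.1.0/24"]))
```

Note that the hyphen must be an ASCII "-"; a typographic dash pasted from a web page is not parsed as a range.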

  4. OS Scanning

Nmap can also provide script scanning, operating system detection, traceroute and version detection. OS scanning is often described as one of the most powerful features of the tool.

OS scanning involves Nmap sending TCP and UDP packets to a particular port and then evaluating the response. The scan compares the response against a robust database of operating systems and returns information on the host's OS.

You can use the following command to execute an OS scan (-O enables OS detection; -sV, by contrast, probes service versions):

> nmap -O <target>

Disclaimer: OS detection may not always be precise. However, it does a good job of getting a pen tester closer to their target.

  5. Stealth Scanning

Running a stealth scan involves analyzing the response after sending a SYN packet. If a SYN/ACK is received, it indicates the port is open and a TCP connection could be opened.

Keep in mind that a stealth scan never completes the three-way handshake, so the target may have difficulty identifying the scanning system.

Use the following command to run a stealth scan:

> nmap -sS <target>
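
From the defender's side, the unfinished handshake is itself a signal. The Python sketch below is an added example, not part of the original article: it runs over constructed packet summaries and flags clients that send SYNs to several ports without ever sending the final ACK. The record layout, the addresses and the min_ports threshold are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed packet summaries: (client IP, server port, sender, TCP flags).
# sender "c" = client, "s" = server; flags: S=SYN, A=ACK, R=RST.
PACKETS = [
    # 10.0.0.5 probes four ports and never completes a handshake.
    ("10.0.0.5", 22, "c", "S"), ("10.0.0.5", 22, "s", "SA"), ("10.0.0.5", 22, "c", "R"),
    ("10.0.0.5", 23, "c", "S"), ("10.0.0.5", 23, "s", "RA"),
    ("10.0.0.5", 80, "c", "S"), ("10.0.0.5", 80, "s", "SA"), ("10.0.0.5", 80, "c", "R"),
    ("10.0.0.5", 443, "c", "S"), ("10.0.0.5", 443, "s", "RA"),
    # 10.0.0.9 is an ordinary client: SYN, SYN/ACK, ACK.
    ("10.0.0.9", 443, "c", "S"), ("10.0.0.9", 443, "s", "SA"), ("10.0.0.9", 443, "c", "A"),
    # 10.0.0.7 hit one closed port; not enough on its own to flag.
    ("10.0.0.7", 8080, "c", "S"), ("10.0.0.7", 8080, "s", "RA"),
]

def half_open_sources(packets, min_ports=3):
    """Return {client: ports} for clients with >= min_ports SYNs never followed by an ACK."""
    syn_sent = defaultdict(set)    # client -> ports it sent a SYN to
    completed = defaultdict(set)   # client -> ports where it sent the final ACK
    for client, port, sender, flags in packets:
        if sender != "c":
            continue
        if flags == "S":
            syn_sent[client].add(port)
        elif flags == "A" and port in syn_sent[client]:
            completed[client].add(port)
    flagged = {}
    for client, ports in syn_sent.items():
        unfinished = ports - completed[client]
        if len(unfinished) >= min_ports:
            flagged[client] = sorted(unfinished)
    return flagged

if __name__ == "__main__":
    print(half_open_sources(PACKETS))
```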

  6. Scan the Most Popular Ports

As the name suggests, this command auto-scans the most popular ports of a host. This can come in handy for users who run Nmap on a home server.

You can use the following to execute this Nmap command:

> nmap --top-ports n <target>

Replace the ‘n’ in the above command with the number of ports you want to scan. Nmap will quickly scan that many ports.

  7. Output to a File

You can also add an output option to your commands if you want to write your Nmap scan results to a file.

Use the following options:

If you want to output the results to an XML file: -oX output.xml

If you want to output the results to a text file: -oN output.txt

  8. Disable DNS Name Resolution

You can accelerate your Nmap scan by using the -n parameter, which disables reverse DNS resolution. This is highly recommended when scanning a big network.

We’ll explain how this Nmap command works using an example.

Let’s assume you want to turn off DNS resolution for the basic ping scan. In order to do this, you’ll have to add -n.

Here’s how you can run the command:

> nmap -sn -n <target>


As a cybersecurity expert, system administrator and network administrator, learning Nmap can significantly amp up your network security, more so when used alongside other cybersecurity tools.

Nmap gives you an effective and efficient way to perform regular network audits that keep hackers at bay while improving your knowledge of your own network. You can also scan and uncover vital information concerning your host, firewall, OS and ports, which can help network administrators do their job better.

Are you searching for a reliable management tool that can help you solve network and system vulnerability issues? If yes, try Topia. Topia is a vulnerability management tool that helps CISOs as well as IT managers make informed security decisions.



Written by

Kent Weigle
