Nmap is a free Open source tool for network/system administrators and security professionals which can be used to discover, monitor, and troubleshoot TCP/IP systems and networks.

Basic IP details:


IPv4 details:

ifconfig |grep inet

Public Ip Details:

curl ipecho.net/plain ; echo

Basic Nmap Usage:


sudo nmap -A [IP/Domain] | nmap -A

sudo nmap -T2 [IP/Domain] | nmap -A example.com

sudo nmap -T4 [IP/Domain] | nmap -A example.com

Scanning Multiple Ip Addresses

nmap [target1 target2 etc] | nmap

Scanning Range of Addresses

nmap [Range of addresses] | nmap

Scanning Entire Subnets

nmap [Network/CIDR] | nmap

The above example instructs Nmap to scan the entire network using CIDR notation. CIDR notation consists of the network address and subnet mask (in binary bits) separated by a slash.

nmap scan

Scanning a list of addresses in a text file

nmap -iL FileOfAddresses.txt

Exclude Ip’s from Scan

nmap [targets] --exclude [target(s)] | nmap --exclude | nmap --exclude
nmap [targets] --excludefile [list.txt] | nmap --excludefile list.txt

Running a Traceroute

traceroute [IP/Domain]

nmap scan

Command Line Arguments

-T/0-5 Numbers range from 0-5 where 5 is the fastest and 0 is the slowest.
5 Being the fastest, while 0 being nmap leaving no page unturned

-A This options makes Nmap make an effort in identifying the target OS, services and the versions.
It also does traceroute and applies NSE scripts to detect additional information. This is a quite noisy scan as it applies many different scans. The NSE scripts applied is the default setting of scripts.

The -A option is equivalent to applying the following options to your scan: -sC -sV -O –traceroute

-v Increased verbosity. This will give your extra information in the data outputted by Nmap.

-sS Perform a TCP SYN connect scan. Nmap will send a TCP SYN packet just like any normal application would do. If the port is open the application must reply with SYN/ACK, however to prevent half-open connections Nmap will send a RST to tear down the connection again.

-sP option will perform an ARP ping and return the MAC addresses of the discovered system. This executes, Nmap with root privileges for additional ping functionality

Scanning Ipv6 Address

nmap -6 [target] | nmap -6 2001:0db8:85a3:0000:0000:8a2e:0370:7334

Don’t Ping

By default, before Nmap attempts to scan a system for open ports it will first ping the target to see if it is online. This is useful when scanning hosts that are protected by a firewall that blocks ping probes.

nmap -PN [target] | nmap -PN

Ping Scan

nmap -sP [target] | nmap -sP

This option is useful when you want to perform a quick search of the target network to see which hosts are online without actually scanning the target(s) for open ports. Execute Nmap with root privileges for additional ping functionality. When doing this, the -sP option will perform an ARP ping and return the MAC addresses of the discovered system(s).


The TCP SYN ping sends a SYN packet to the target system and listens for a response. This alternative discovery method is useful for systems that are configured to block standard ICMP pings.

nmap -PS[port1,port1,etc] [target] | nmap -PS divyendra.com

The default port for -PS is 80, but others can be specified using the following syntax: nmap -PS22,25,80,443 etc.


nmap -PA[port1,port1,etc] [target] | nmap -PA

The -PA performs a TCP ACK ping on the specified target. attempts to discover hosts by responding to TCP connections that are nonexistent in an attempt to solicit a response from the target. Like other ping options, it is useful in situations where standard ICMP pings are blocked.

UDP Ping

nmap -PU[port1,port1,etc] [target] | nmap -PU

The -PU option performs a UDP ping on the target system. While most firewalled systems will block this type of connection, some poorly configured systems may allow it if they are only configured to filter TCP connections.


nmap -PY[port1,port1,etc] [target] | nmap -PY

The -PY parameter instructs Nmap to perform an SCTP INIT ping. It attempts to locate hosts using the Stream Control Transmission Protocol (SCTP). SCTP is typically used on systems for IP based telephony.

ICMP Echo Ping

The -PE option sends a standard ICMP ping to the target to see if it replies. This type of discovery works best on local networks where ICMP packets can be transmitted with few restrictions. Many internet hosts, however, are configured not respond to ICMP packets for security reasons.

ICMP Timestamp Ping

While most firewalled systems are configured to block ICMP echo requests, some improperly configured systems may still reply to ICMP timestamp requests. This makes -PP useful for attempting to solicit responses from firewalled targets.

ICMP Address Mask Ping

Similar to the -PP option, -PM attempts to ping the specified host using alternative ICMP registers. This type of ping can occasionally sneak past a firewall that is configured to block standard echo requests.

IP Protocol Ping

An IP protocol ping sends packets with the specified protocol to the target. If no protocols are specified the default protocols 1 (ICMP), 2 (IGMP), and 4 (IP-in-IP) are used. To ping using a custom set of protocols, use the following syntax: nmap -PO1,2,4,etc.

nmap -PO[protocol1,protocol2,etc] [target]

ARP Ping

The -PR option instructs Nmap to perform an ARP (Address Resolution Protocol) ping on the specified target. The -PR option is automatically implied when scanning the local network. This type of discovery is much faster than the other ping methods. It also has the added benefit of being more accurate because LAN hosts can’t block ARP requests (even if they are behind a firewall).


The information displayed is similar to the traceroute or tracepath commands found on Unix and Linux systems – with the added bonus of Nmap’s tracing being functionally superior to these commands.

nmap --traceroute [target]

Force Reverse DNS Resolution

By default, Nmap will only do reverse DNS for hosts that appear to be online. The -R option is useful when performing reconnaissance on a block of IP addresses as Nmap will try to resolve the reverse DNS information of every IP address. The reverse DNS information can reveal interesting information about the target IP address (even if it is offline or blocking Nmap’s probes). Use -n to disable reverse DNS resolution or nmap -n [target]. Reverse DNS dramatically can significantly slow an Nmap scan. Using the -n option greatly reduces scanning times – especially when scanning a large number of hosts.

nmap -R [target]

Alternative DNS Lookup Method

The –system-dns option instructs Nmap to use the host system’s DNS resolver instead of its own internal method.

nmap --system-dns [target]

Manually Specify DNS Server(s)

The –dns-servers option is used to manually specify DNS servers to be queried when scanning. Nmap’s default behavior will use the DNS servers configured on your local system for name resolution. The –dns-servers option allows you to specify one or more alternative servers for Nmap to query. This can be useful for systems that do not have DNS configured or if you want to prevent your scan lookups from appearing in your locally configured DNS server’s log file.

Creating a Host List

The -sL option will display a list and performs a reverse DNS lookup of the specified IP addresses.

nmap -sL [target]

The above scan shows the results of the DNS names for the specified systems. This scan is useful for identifying the IP addresses and DNS names for the specified targets without sending any packets to them. Many DNS names can reveal interesting information about an IP address including what it used for or where it is located.