Six Ways to Level Up Your nmap Game


What is nmap?

nmap is a network exploration tool and security / port scanner.

If you’ve heard of it, and you’re like me, you’ve most likely used it like this:


ie, you’ve pointed it at an IP address and observed the output:

Starting Nmap 7.60 ( ) at 2018-11-24 18:36 GMT
Nmap scan report for localhost (
Host is up (0.00033s latency).
Not shown: 991 closed ports
22/tcp    open  ssh
53/tcp    open  domain
80/tcp    open  http
443/tcp   open  https
631/tcp   open  ipp
5432/tcp  open  postgresql
8080/tcp  open  http-proxy
9002/tcp  open  dynamid
50000/tcp open  ibm-db2

Nmap done: 1 IP address (1 host up) scanned in 0.14 seconds

which tells you the open ports on a host.

I used nmap like this for years, but only recently grokked the manual to see what else it could do. Here’s a quick look and some of the more useful things I found out.

1) Scan a Network

As its description implies, nmap can scan a range of IP addresses. You can do this in a couple of ways.

If you want to use a CIDR range, you can scan like this:


which will scan the whole range. The address may be different depending on the network you are on.

Or, if you’re less comfortable with CIDR, you can use a glob like this:

nmap 192.168.1.*

I use this to work out which machines are active on my home network:

nmap -sn

where the -sn flag skips the default port scan.

2) Scan All Ports

One gotcha about nmap is that it doesn’t scan all ports by default. Instead it ‘scans the 1,000 most common ports for each protocol’. Quite often you might want to find _any_ open ports on the hosts. You can achieve this with:

nmap -p- localhost

where the -p flag indicates the ports to scan and the - means ‘all of them’.

Beware that this (and many other nmap activities, but especially this) can trigger all sorts of network security tripwires, so be sure that it’s OK to run this on the network, and don’t be surprised if you get booted from the network either. I get round this in the example above by running it locally.

You can also specify the specific service you want to find by its name in /etc/services. One I use commonly is:

nmap -p domain

which tells me all the DNS servers on the network.

3) Get service versions

You can use the -sV flag to get more information on service versions. This command tells me that I’m running a couple of dnsmasq servers on my local network, and their versions.

$ nmap -sV -p domain | grep -E '(scan report for|open)'
Nmap scan report for Ians-MBP.home (
Nmap scan report for cage.home (
53/tcp open domain dnsmasq 2.79
Nmap scan report for Ians-Air-2.home (
Nmap scan report for basquiat.home (
Nmap scan report for Google-Home-Mini.home (
Nmap scan report for dali.home (
53/tcp open domain dnsmasq 2.79
Nmap scan report for Google-Home-Mini.home (
Nmap scan report for api.home (

nmap does this by having a database of versions and their behaviours, and under the hood runs various commands to interrogate and match to these versions.

This can be useful to figure out whether you have any services that appear vulnerable to attackers if they were to scan your network and may need upgrading.

4) Use -A for more data

There are further options to tune the version scan. For example, --version-all takes more time and does more probing to ensure a version match. Using this in addition to the -A flag, which also enables other detection techniques to be used as well:

$ nmap -A -p 443 --version-all

Starting Nmap 7.60 ( ) at 2018-11-25 11:55 GMT
Nmap scan report for basquiat.home (
Host is up (0.00054s latency).

443/tcp open ssl/http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
| ssl-cert: Subject:
| Subject Alternative Name:
| Not valid before: 2018-09-28T01:01:51
|_Not valid after: 2018-12-27T01:01:51
|_ssl-date: TLS randomness does not represent time

Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 12.78 seconds

The amount of detail can be surprisingly rich and useful.

5) Find out what nmap is up to

nmap isn’t very chatty and can take a long time to return a result, so like many other command line tools, it offers a verbosity (-v) and debug (-d) flags that can tell you more about what’s going on:

nmap -vv -dd -sn

Adding an extra v or d will make nmap more chatty if needed:

Ping Scan Timing: About 31.25% done; ETC: 12:32 (0:01:08 remaining) 
ultrascan_host_probe_update called for machine state HOST_DOWN -> HOST_DOWN (trynum 1 time: 2002984) 
ultrascan_host_probe_update called for machine state HOST_DOWN -> HOST_DOWN (trynum 1 time: 2002937) 
ultrascan_host_probe_update called for machine state HOST_DOWN -> HOST_DOWN (trynum 1 time: 2002893)

6) Script your own scans with NSE

nmap uses the ‘Netmap Scripting Engine’ to run these probing scripts and generate the output. It uses the Lua programming language to achieve this.

On my machine these scripts are located in /usr/share/nmap/scripts. You can call them like this:

nmap --script=http-sitemap-generator

There are all sorts of cool-looking scripts in there that may be useful to you, relating to everything from apache server status to xserver access.

More information is available here.

If you like this, you might like one of my books:

Learn Bash the Hard Way

Learn Git the Hard Way

Learn Terraform the Hard Way


If you liked this post, you might also like these:

Ten Things I Wish I’d Known About bash

Centralise Your Bash History

How (and Why) I Run My Own DNS Servers

My Favourite Secret Weapon – strace

A Complete Chef Infrastructure on Your Laptop


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s