*ARGS.TECH | BLOG | Working with Network Mapper (Nmap) in Linux: A Practical Guide

Working with Network Mapper (Nmap) in Linux: A Practical Guide

Learn how to audit your network, discover devices, and analyze security using the industry-standard Nmap tool.


Introduction


Nmap (Network Mapper) is the world's most popular open-source network scanner. Originally designed to locate hosts on large networks, it has evolved into a powerful tool for security auditing and vulnerability detection.


Whether you are a System Administrator managing an inventory, or a DevOps engineer checking firewall rules, Nmap is an essential CLI tool. It can determine:

  • What hosts are available on the network.
  • What services (application name and version) those hosts are offering.
  • What operating systems (and OS versions) they are running.
  • What type of packet filters/firewalls are in use.


This guide will walk you through the essential commands to get started.


Step 1: Installation


On Debian-based systems (like Ubuntu, Kali Linux, or Debian itself), Nmap is available in the default repositories.


First, update your package list and install Nmap:

xinit@localhost:~$ sudo apt update && sudo apt install nmap -y


Step 2: Verify installation


After the installation is complete, verify the installed version and look at the built-in help. The first line of the help output is the version banner (the Nmap version followed by https://nmap.org); nmap --version prints only that banner if you just want the number.


Check the version and help output:

xinit@localhost:~$ nmap --help


Step 3: Basic host scanning


The simplest scan targets a single IP address or hostname. By default, Nmap scans the 1,000 most commonly used TCP ports on the target. When run as root it uses a half-open SYN scan (-sS); as an unprivileged user it falls back to a full TCP connect scan (-sT), which completes the three-way handshake and is therefore more likely to be logged by the services it touches.


Scan a specific target (replace with your target IP):

xinit@localhost:~$ nmap 192.168.8.198

What you will see: for each scanned port Nmap reports a state: "open" (a service accepted the probe), "closed" (the host answered, but nothing is listening there), or "filtered" (no answer at all, or an ICMP unreachable, typically because a firewall dropped the probe). Ports that share the most common state are summarised in a single "Not shown:" line rather than listed one by one.


Step 4: Aggressive scan (detailed information)


If you need more than just open ports, use the -A (aggressive) flag. It is shorthand for OS detection (-O), version detection (-sV), the default NSE script set (-sC) and traceroute (--traceroute) in one run. It produces a comprehensive report but is far "noisier": it sends many more probes, and the scripts connect to the services themselves, so expect it to show up in the target's logs and in any IDS. OS detection and traceroute need raw sockets, so run it with sudo; without root Nmap prints a warning and skips those parts.


Run an aggressive scan against a domain or IP:

xinit@localhost:~$ sudo nmap -A example.com

What you will see: service lines such as "Apache httpd 2.4.41" instead of just "http", a best-guess operating system (for example a Linux kernel range or a Windows version), script output for the detected services, and the route to the host.


Step 5: Scanning behind firewalls (no ping)


Before scanning ports, Nmap runs host discovery to check that each target is up. Despite the name "ping scan", this is more than an ICMP echo: as root against remote hosts it sends an ICMP echo request, a TCP SYN to port 443, a TCP ACK to port 80 and an ICMP timestamp request; on the local Ethernet segment it uses ARP; as an unprivileged user it attempts TCP connections to ports 80 and 443. A host that drops all of these is reported as "down" and never gets port-scanned. The -Pn flag skips discovery and treats every target as online, so the port scan always runs.


Scan a target that blocks ping requests:

xinit@localhost:~$ nmap -A -Pn 192.168.8.180

Use case: essential for hosts that drop ICMP and unsolicited TCP, for example Windows servers (Windows Firewall commonly blocks inbound ICMP echo) or anything behind a stateful firewall. The trade-off is time: with -Pn every address in the range is port-scanned, including the ones that are not there, so pair it with a specific host or a small range rather than a whole /24.


Step 6: Scanning an entire subnet


You can scan a whole network range using CIDR notation (e.g., /24) or an octet range such as 192.168.8.1-50. This is useful for inventory management to find every active device on your local network. Nmap runs host discovery first, so only the addresses that respond are port-scanned.


Scan the whole 192.168.8.0/24 range (192.168.8.0 through 192.168.8.255, 256 addresses):

xinit@localhost:~$ nmap 192.168.8.0/24


Step 7: Detecting MAC addresses (network discovery)


If you only want a list of connected devices and their MAC addresses, skip the port scan altogether and run a ping scan (-sn; the older spelling -sP still works but is deprecated). On a local Ethernet segment a privileged ping scan uses ARP requests, which every host has to answer, so it is both fast and reliable. The "MAC Address:" line comes from that ARP reply, which is why the command needs sudo and why MACs are only shown for hosts on the same layer-2 segment. The awk filter below keeps just the IP and MAC.


Note: requires sudo (raw sockets for ARP). Without it Nmap still finds hosts, but reports no MAC addresses.


Perform a discovery scan and format the output:

xinit@localhost:~$ sudo nmap -sn 192.168.8.0/24 | awk '/^Nmap scan report for/{ip=$NF; gsub(/[()]/,"",ip)} /^MAC Address:/{print ip " => " $3}' | sort -t . -k 4,4n

Result: a list mapping IP addresses to MAC addresses, sorted by the last octet. The awk script takes the last field of each "scan report" line (the IP, wrapped in parentheses when reverse DNS gave the host a name) and prints it only when a MAC line follows, so the scanning machine itself, which gets no MAC line, is left out instead of running into the next entry.
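The same filter as a reusable shell function, run here against a constructed sample of ping-scan output so it works offline. This is an added example, not code from the original post: the hosts, names and MAC addresses are made up, and the two cases it exercises are a host with a reverse-DNS name (IP in parentheses) and a host with no MAC line (the scanning machine).

```shell
#!/bin/sh
# Added example (not part of the original post): turn the normal output of
# `sudo nmap -sn <range>` into "IP => MAC" lines.
# Two cases a naive "print field 5" filter gets wrong are handled here:
#   1. hosts with a reverse-DNS name, where the IP is the last field in parentheses;
#   2. hosts with no "MAC Address:" line (the scanning machine itself), which must
#      not be glued onto the next host's entry.

nmap_ip_mac() {
    awk '
        /^Nmap scan report for/ {
            ip = $NF                # "192.168.8.1" or "(192.168.8.1)" after a hostname
            gsub(/[()]/, "", ip)    # strip the parentheses reverse DNS adds
        }
        /^MAC Address:/ {
            print ip " => " $3      # $3 is the MAC; the vendor name follows in parentheses
        }
    ' | sort -t . -k 1,1n -k 2,2n -k 3,3n -k 4,4n   # numeric sort per octet
}

# Constructed sample of what a ping scan of a small LAN prints; the hosts, names
# and MAC addresses are made up (locally administered 02:... addresses).
SAMPLE_SCAN='Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-01 12:00 UTC
Nmap scan report for router.lan (192.168.8.1)
Host is up (0.0021s latency).
MAC Address: 02:00:00:00:00:01 (Unknown)
Nmap scan report for 192.168.8.110
Host is up (0.0040s latency).
MAC Address: 02:00:00:00:00:02 (Unknown)
Nmap scan report for 192.168.8.198
Host is up.
Nmap scan report for 192.168.8.23
Host is up (0.0100s latency).
MAC Address: 02:00:00:00:00:03 (Unknown)
Nmap done: 256 IP addresses (4 hosts up) scanned in 2.50 seconds'

# Stand-alone run on the sample. Against a real network, pipe nmap in instead:
#   sudo nmap -sn 192.168.8.0/24 | nmap_ip_mac
printf '%s\n' "$SAMPLE_SCAN" | nmap_ip_mac
```

On the sample this prints three lines, .1, .23 and .110 in that order (a plain sort would put 110 before 23), and 192.168.8.198 is absent because it has no MAC line.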


Step 8: Operating system detection


Nmap can analyze how a device responds to specially crafted packets (TCP options, window sizes, ICMP quirks and so on) and match the result against its fingerprint database to guess the operating system (OS fingerprinting). This requires root privileges because the probes are built at the raw-socket level. Fingerprinting is most reliable when Nmap finds at least one open and one closed TCP port on the target; against a heavily filtered host the result is often only an approximate guess, which the output marks as such.


Use the -O flag to detect the target OS:

xinit@localhost:~$ sudo nmap -O 192.168.8.110


Step 9: Service version detection


Knowing port 80 is open is useful, but knowing what is running on port 80 is better. The -sV flag sends protocol-specific probes to each open port and matches the responses against Nmap's service database to identify the application and its version. It works without root, since it only needs ordinary TCP connections, so sudo in the command below is harmless but not required.


Detect service versions:

xinit@localhost:~$ sudo nmap -sV 192.168.8.110
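Putting Steps 3 and 9 to work as a perimeter check: the function below reads Nmap's greppable output (-oG, one host per line with tab-separated fields) and reports every open TCP port that is not on an allowlist, exiting non-zero when it found one so it can sit in a cron job or CI step. This is an added example, not code from the original post; the allowlist and the scan sample (hosts, ports and version strings) are constructed so it runs offline.

```shell
#!/bin/sh
# Added example (not part of the original post): use a version scan as a perimeter
# check. check_open_ports reads Nmap's greppable output (-oG) and prints every open
# TCP port that is not on an allowlist; it exits 1 when it found any. Hosts, ports
# and versions in the sample below are constructed, and the allowlist is hypothetical.

# Usage: check_open_ports "22 80 443" < scan.gnmap
# Prints "<ip> <port>/<proto> <service>" per unexpected open port; exit 1 if any.
check_open_ports() {
    awk -F '\t' -v allowed="$1" '
        BEGIN {
            n = split(allowed, a, " ")
            for (i = 1; i <= n; i++) ok[a[i]] = 1
            found = 0
        }
        # Greppable fields are tab-separated: "Host: <ip> (<name>)", "Ports: ...", "Ignored State: ..."
        /^Host:/ && $2 ~ /^Ports: / {
            split($1, h, " "); ip = h[2]
            ports = $2; sub(/^Ports: /, "", ports)
            m = split(ports, entry, ", ")
            for (i = 1; i <= m; i++) {
                # each entry is port/state/proto//service//version/
                split(entry[i], f, "/")
                if (f[2] == "open" && !(f[1] in ok)) {
                    print ip " " f[1] "/" f[3] " " f[5]
                    found = 1
                }
            }
        }
        END { exit found }
    '
}

# Constructed sample in the shape of: sudo nmap -sV -oG - 192.168.8.110 192.168.8.23
TAB=$(printf '\t')
SAMPLE_GNMAP="# Nmap 7.94 scan initiated Mon Jan  1 12:00:00 2024 as: nmap -sV -oG - 192.168.8.110 192.168.8.23
Host: 192.168.8.110 ()${TAB}Status: Up
Host: 192.168.8.110 ()${TAB}Ports: 22/open/tcp//ssh//OpenSSH 8.2p1/, 80/open/tcp//http//Apache httpd 2.4.41/, 3389/filtered/tcp//ms-wbt-server///${TAB}Ignored State: closed (997)
Host: 192.168.8.23 ()${TAB}Status: Up
Host: 192.168.8.23 ()${TAB}Ports: 22/open/tcp//ssh//OpenSSH 8.2p1/, 443/open/tcp//ssl|http//nginx 1.18.0/, 8080/open/tcp//http-proxy//Apache Tomcat 9.0.31/${TAB}Ignored State: closed (997)
# Nmap done at Mon Jan  1 12:01:00 2024 -- 2 IP addresses (2 hosts up) scanned in 60.00 seconds"

# Stand-alone run: only 22, 80 and 443 are expected, so 8080 on .23 is reported.
# With a real scan:
#   sudo nmap -sV -oG scan.gnmap 192.168.8.0/24 && check_open_ports "22 80 443" < scan.gnmap
if printf '%s\n' "$SAMPLE_GNMAP" | check_open_ports "22 80 443"; then
    echo "no unexpected open ports"
fi
```

Only "open" entries count: 3389 on .110 is filtered, which is the firewall doing its job, so it is not reported. Nmap replaces any "/" inside a version string with "|" in greppable output, which is why splitting each entry on "/" is safe.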


Step 10: Nmap best practices (speed & verbosity)


When scanning large networks, the default settings can be slow. Timing templates (-T0 to -T5) adjust probe parallelism, timeouts and inter-probe delays with a single flag:

  • -T0 (paranoid) and -T1 (sneaky): one probe at a time with long waits between them; used to stay under IDS rate thresholds, so a full scan can take hours.
  • -T2 (polite): slows the scan to use less bandwidth and put less load on the target.
  • -T3 (normal): the default.
  • -T4 (aggressive): the usual choice on a fast, reliable LAN or broadband link.
  • -T5 (insane): trades accuracy for speed; on a slow or lossy network it times out probes early and can miss open ports.


You can also increase verbosity with -v or -vv to see what Nmap is doing in real-time.


Run a fast, verbose scan with OS detection:

xinit@localhost:~$ sudo nmap -T4 -vv -A 192.168.8.110


Conclusion


Nmap has hundreds of options, but these commands cover most day-to-day administrative tasks. Whether you are troubleshooting a connection or checking your perimeter, knowing these flags is the first step in network analysis.


Remember: Only scan networks and devices that you own or have explicit permission to audit.
