Nmap ("Network Mapper") is an open source tool for network exploration and security scanning. It was designed to rapidly scan large networks.

Install nmap

To install nmap on RHEL based Linux distributions, type the following yum command:


# yum install nmap

==========================================================================================
 Package           Arch                Version                    Repository         Size
==========================================================================================
Installing:
nmap               x86_64              2:6.40-7.el7               sl                3.9 M

Transaction Summary
==========================================================================================
Install  1 Package

Total download size: 3.9 M
Installed size: 16 M
Is this ok [y/d/N]: y

Installed:
  nmap.x86_64 2:6.40-7.el7       


How do I use the nmap command?

To find out the nmap version, run:

# nmap --version
Nmap version 6.40 ( http://nmap.org )
Platform: x86_64-redhat-linux-gnu
Compiled with: nmap-liblua-5.2.2 openssl-1.0.1e libpcre-8.32 libpcap-1.5.3 nmap-libdnet-1.12 ipv6
Compiled without:
Available nsock engines: epoll poll select

To scan an IP address or a host name (FQDN), run:

# nmap localhost

Starting Nmap 6.40 ( http://nmap.org ) at 2016-09-16 23:12 PDT
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000015s latency).
Not shown: 989 closed ports
PORT      STATE SERVICE
22/tcp    open  ssh
25/tcp    open  smtp
111/tcp   open  rpcbind
1094/tcp  open  rootd
2049/tcp  open  nfs
2288/tcp  open  netml
2811/tcp  open  gsiftp
5432/tcp  open  postgresql
8443/tcp  open  https-alt
8649/tcp  open  unknown
11111/tcp open  vce

Nmap done: 1 IP address (1 host up) scanned in 0.10 seconds

Getting more information out of the remote system

The -v option forces verbose output and the -A option enables OS detection, version detection, script scanning and traceroute in a single command:

# nmap -v -A fibrevillage.com

Starting Nmap 6.40 ( http://nmap.org ) at 2016-09-16 23:15 PDT
NSE: Loaded 110 scripts for scanning.
NSE: Script Pre-scanning.
Initiating ARP Ping Scan at 23:15
Scanning fibrevillage.com (192.168.1.134) [1 port]
Completed ARP Ping Scan at 23:15, 0.01s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 23:15
Scanning fibrevillage.com (192.168.1.134) [1000 ports]
Discovered open port 111/tcp on 192.168.1.134
Discovered open port 22/tcp on 192.168.1.134
Discovered open port 1094/tcp on 192.168.1.134
Discovered open port 8649/tcp on 192.168.1.134
Completed SYN Stealth Scan at 23:15, 0.03s elapsed (1000 total ports)
Initiating Service scan at 23:15
Scanning 4 services on fibrevillage.com (192.168.1.134)
Completed Service scan at 23:15, 6.03s elapsed (4 services on 1 host)
Initiating OS detection (try #1) against fibrevillage.com (192.168.1.134)
NSE: Script scanning 192.168.1.134.
Initiating NSE at 23:15
Completed NSE at 23:15, 5.01s elapsed
Nmap scan report for fibrevillage.com (192.168.1.134)
Host is up (0.00015s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 5.3 (protocol 1.99)
|_ssh-hostkey: ERROR: Script execution failed (use -d to debug)
|_sshv1: Server supports SSHv1
111/tcp  open  rpcbind    2-4 (RPC #100000)
| rpcinfo:
|   program version   port/proto  service
|   100000  2,3,4        111/tcp  rpcbind
|   100000  2,3,4        111/udp  rpcbind
|   100024  1          53121/udp  status
|_  100024  1          53703/tcp  status
1094/tcp open  rootd?
8649/tcp open  tcpwrapped
MAC Address: 00:21:5E:55:95:A4 (IBM)
Device type: general purpose
Running: Linux 3.X
OS CPE: cpe:/o:linux:linux_kernel:3
OS details: Linux 3.1 - 3.2
Uptime guess: 17.839 days (since Tue Aug 30 03:07:33 2016)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=261 (Good luck!)
IP ID Sequence Generation: All zeros

TRACEROUTE
HOP RTT     ADDRESS
1   0.15 ms fibrevillage.com (192.168.1.134)

NSE: Script Post-scanning.
Initiating NSE at 23:15
Completed NSE at 23:15, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.46 seconds
           Raw packets sent: 1023 (45.806KB) | Rcvd: 1015 (41.294KB)
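As an added example that is not part of the tutorial, the following Python reads the normal-output port table shown in the two reports above (the plain scan and the -v -A scan) and attaches the NSE script lines to the port they belong to. A defender can run it over a scan of their own host to list open ports that are not in an expected baseline and to flag the SSHv1 finding the sshv1 script reported. The sample report is a constructed excerpt of the -A output above, and the baseline set of allowed ports is an assumption.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample: an excerpt of the "-A" report above, keeping the port
# table and the NSE script lines ("|" / "|_" prefixed) that hang off each port.
SAMPLE_REPORT = """\
Nmap scan report for fibrevillage.com (192.168.1.134)
Host is up (0.00015s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 5.3 (protocol 1.99)
|_ssh-hostkey: ERROR: Script execution failed (use -d to debug)
|_sshv1: Server supports SSHv1
111/tcp  open  rpcbind    2-4 (RPC #100000)
1094/tcp open  rootd?
8649/tcp open  tcpwrapped
MAC Address: 00:21:5E:55:95:A4 (IBM)
"""

# One row of nmap's normal-output port table: "<port>/<proto> <state> <service> [<version>]".
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")

def parse_ports(report: str) -> List[Dict]:
    """Parse the port table; NSE script lines are attached to the preceding port."""
    ports: List[Dict] = []
    for line in report.splitlines():
        m = PORT_LINE.match(line)
        if m:
            ports.append({"port": int(m.group(1)), "proto": m.group(2),
                          "state": m.group(3), "service": m.group(4),
                          "version": m.group(5).strip(), "scripts": []})
        elif line.startswith("|") and ports:
            ports[-1]["scripts"].append(line.lstrip("|_ ").strip())
    return ports

def unexpected_open(ports: List[Dict], baseline: Set[Tuple[int, str]]) -> List[Tuple[int, str]]:
    """Open ports that are not in the (port, proto) baseline the host is meant to expose."""
    return sorted((p["port"], p["proto"]) for p in ports
                  if p["state"] == "open" and (p["port"], p["proto"]) not in baseline)

def weak_ssh(ports: List[Dict]) -> List[int]:
    """Ports whose NSE output reports that the obsolete SSHv1 protocol is still enabled."""
    return [p["port"] for p in ports if any(s.startswith("sshv1:") for s in p["scripts"])]

if __name__ == "__main__":
    # Assumed baseline: only sshd and rpcbind are supposed to listen on this host.
    found = parse_ports(SAMPLE_REPORT)
    print(unexpected_open(found, {(22, "tcp"), (111, "tcp")}), weak_ssh(found))
```

Feed it a saved report (nmap -oN report.txt ...) instead of the constructed sample to compare a real host against its baseline.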

To scan a range of IP addresses

# nmap 192.168.1.1-50

To scan an entire subnet

# nmap 192.168.1.0/24

Ping-only scan

# nmap -sP 192.168.1.1

TCP SYN scan

# nmap -sS 192.168.1.1

UDP scan

# nmap -sU 192.168.1.1

IP protocol scan

# nmap -sO 192.168.1.1

Scan multiple ports at a time

Scan ports 80, 25, 443 and 110

# nmap -p 80,25,443,110 192.168.1.1

Scan the port range 1024-2048

# nmap -p 1024-2048 192.168.1.1

Operating system detection

# nmap -O --osscan-guess 192.168.1.1