Nmap

Nmap (Network Mapper) is an open source and very versatile tool for Linux system and network administrators. It is used for exploring networks, performing security scans and network audits, and finding open ports on remote machines. It discovers live hosts, operating systems, packet filters and open ports on remote hosts. Nmap was named “Security Product of the Year” by Linux Journal, Info World, LinuxQuestions.Org, and Codetalker Digest.
Nmap is...
Flexible
Supports advanced techniques for mapping out networks filled with IP filters, firewalls, routers, and other obstacles. This includes many port scanning mechanisms (both TCP and UDP), OS detection, version detection and ping sweeps.
Powerful
Nmap has been used to scan huge networks of literally hundreds of thousands of machines.
Portable
Most operating systems are supported, including Linux, Microsoft Windows, FreeBSD, Solaris, Mac OS X, HP-UX, NetBSD and more.
Easy
Nmap offers a rich set of advanced features for power users, but you can start out as simply as "nmap -v -A targethost" (for example: nmap -v -A www.computaholics.in). Both traditional command line and graphical (GUI) versions are available to suit your preference. Binaries are available for those who do not wish to compile Nmap from source. For help, just type "nmap -h".
Free
The primary goals of the Nmap Project are to help make the Internet a little more secure and to provide administrators/auditors/hackers with an advanced tool for exploring their networks. Nmap is available for free download, and also comes with full source code that you may modify and redistribute under the terms of the license.
Well Documented
Significant effort has been put into comprehensive and up-to-date man pages, whitepapers and tutorials.
Supported
While Nmap comes with no warranty, it is well supported by a vibrant community of developers and users.

Download Nmap
Official download page: https://nmap.org/download.html
Nmap 7 is now available! See the release notes or go straight to the download page.
Nmap 6.49BETA2 is now available! See the release notes or go straight to the download page.
Nmap 6.49BETA1 is now available! See the release notes or go straight to the download page.

Nmap installation guide
How to install Nmap on Ubuntu/Debian systems:
$ sudo apt-get install nmap
Run Nmap by typing nmap. For help, type:
$ nmap -h

To install Nmap on yum-based systems (CentOS/RHEL):
$ sudo yum install nmap -y
To install from a downloaded .rpm package:
$ sudo rpm -ivh nmap{version_of_package}.rpm
To install from a downloaded .deb package:
$ sudo dpkg -i nmap{version_of_package}.deb
Install Zenmap, the GUI version of Nmap, on Ubuntu/Linux:
$ sudo apt-get install zenmap
Install Umit, the graphical network scanner, on Ubuntu/Linux:
$ sudo apt-get install umit
Install NmapSI4 on Ubuntu/Linux:
$ sudo apt-get install nmapsi4

Nmap Commands/Nmap Examples
1. Scan a System with Hostname and IP Address
Scan using Hostname
nmap host-name-here
$ nmap server1.computaholics.in
[[email protected] ~]# nmap server1.computaholics.in

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2016-03-03 15:42 EST
Interesting ports on server2.computaholics.in (172.16.6.152):
Not shown: 1674 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind
957/tcp  open  unknown
3306/tcp open  mysql
8888/tcp open  sun-answerbook
Nmap finished: 1 IP address (1 host up) scanned in 0.415 seconds
You have new mail in /var/spool/mail/root
Scan using IP Address
nmap IP-address-here
$ nmap 172.16.6.152
[[email protected] ~]# nmap 172.16.6.152

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2016-03-03 11:04 EST
Interesting ports on server1.computaholics.in (172.16.6.152):
Not shown: 1674 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind
958/tcp  open  unknown
3306/tcp open  mysql
8888/tcp open  sun-answerbook
Nmap finished: 1 IP address (1 host up) scanned in 0.465 seconds
You have new mail in /var/spool/mail/root
2. Scan a Whole Subnet
Scan a whole subnet or IP range with Nmap by using the * wildcard in place of an octet.
$ nmap 172.16.6.*
[[email protected] ~]# nmap 172.16.6.*

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2016-03-03 16:11 EST
Interesting ports on server1.computaholics.in (172.16.6.152):
Not shown: 1677 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
111/tcp open  rpcbind
851/tcp open  unknown

Interesting ports on server2.computaholics.in (172.16.6.152):
Not shown: 1674 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind
957/tcp  open  unknown
3306/tcp open  mysql
8888/tcp open  sun-answerbook
Nmap finished: 256 IP addresses (2 hosts up) scanned in 5.550 seconds
You have new mail in /var/spool/mail/root
3. Scan Multiple Servers Using the Last Octet of the IP Address
Perform scans on multiple IP addresses by specifying only the last octet of each. For example, here I am scanning 172.16.6.152, 172.16.6.153 and 172.16.6.154, written as 172.16.6.152,153,154.
$ nmap 172.16.6.152,153,154
[[email protected] ~]# nmap 172.16.6.152,153,154

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2016-03-03 16:09 EST
Interesting ports on server2.computaholics.in (172.16.6.152):
Not shown: 1674 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind
957/tcp  open  unknown
3306/tcp open  mysql
8888/tcp open  sun-answerbook

Nmap finished: 3 IP addresses (1 host up) scanned in 0.552 seconds
You have new mail in /var/spool/mail/root
$ nmap 172.16.6.152,172.16.6.153,172.16.6.154
[[email protected] ~]# nmap 172.16.6.152,172.16.6.153,172.16.6.154

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2016-03-03 16:09 EST
Interesting ports on server2.computaholics.in (172.16.6.152):
Not shown: 1674 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind
957/tcp  open  unknown
3306/tcp open  mysql
8888/tcp open  sun-answerbook
MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)

Nmap finished: 3 IP addresses (1 host up) scanned in 0.552 seconds
You have new mail in /var/spool/mail/root
4. Scan an IP Address Range
You can specify an IP range while scanning with Nmap, for example 172.16.6.152-160.
$ nmap 172.16.6.152-160
[[email protected] ~]# nmap 172.16.6.152-160

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2016-03-03 16:09 EST
Interesting ports on server2.computaholics.in (172.16.6.152):
Not shown: 1674 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind
957/tcp  open  unknown
3306/tcp open  mysql
8888/tcp open  sun-answerbook
MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)

Nmap finished: 10 IP addresses (1 host up) scanned in 0.542 seconds
5. Scan a Network Excluding Remote Hosts
You can exclude some hosts while performing a full network scan, or when scanning with wildcards, by using the --exclude option.
$ nmap 172.16.6.* --exclude 172.16.6.100
[[email protected] ~]# nmap 172.16.6.* --exclude 172.16.6.100
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2016-03-03 16:16 EST
Interesting ports on server2.computaholics.in (172.16.6.101):
Not shown: 1674 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind
957/tcp  open  unknown
3306/tcp open  mysql
8888/tcp open  sun-answerbook
MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)
Nmap finished: 255 IP addresses (1 host up) scanned in 5.313 seconds
You have new mail in /var/spool/mail/root
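The target forms used in sections 2 to 5 (a * wildcard in an octet, a comma-separated octet list, an inclusive a-b range and --exclude) all expand to plain lists of addresses, and an inclusive range such as 152-160 expands to nine addresses. The following Python is an added example, not code from this page or from the Nmap project, that performs that expansion so you can predict a scan's scope before running it, and, on the defending side, check a proposed scope against the ranges you are authorised to scan. The function names (expand_target, scan_scope, outside_authorised) are assumptions of this example; Nmap also accepts CIDR notation, which is handled here through the standard ipaddress module.

```python
"""Expand Nmap-style target specifications into individual IPv4 addresses.

Added example; not code from the page or from the Nmap project. Function
names are assumptions of this example.
"""
import ipaddress
import itertools
from typing import Iterable, List


def _expand_octet(spec: str) -> List[int]:
    """Expand one octet field: '5', '*', '152-160', '152,153,154' or a mix."""
    if spec == "*":
        return list(range(256))
    values: List[int] = []
    for part in spec.split(","):
        if "-" in part:
            lo, hi = part.split("-", 1)
            lo_i, hi_i = int(lo), int(hi)
            if not 0 <= lo_i <= hi_i <= 255:
                raise ValueError(f"bad octet range {part!r}")
            values.extend(range(lo_i, hi_i + 1))  # ranges are inclusive
        else:
            v = int(part)
            if not 0 <= v <= 255:
                raise ValueError(f"bad octet {part!r}")
            values.append(v)
    return values


def expand_target(spec: str) -> List[str]:
    """Expand one target spec: dotted form with */ranges/lists, or CIDR."""
    if "/" in spec:
        # CIDR form: every address in the network
        return [str(a) for a in ipaddress.ip_network(spec, strict=False)]
    octets = spec.split(".")
    if len(octets) != 4:
        raise ValueError(f"not an IPv4 spec: {spec!r}")
    fields = [_expand_octet(o) for o in octets]
    # Cartesian product of the per-octet value lists, most significant first
    return [".".join(map(str, combo)) for combo in itertools.product(*fields)]


def scan_scope(targets: Iterable[str], exclude: Iterable[str] = ()) -> List[str]:
    """All addresses covered by the target specs minus any excluded specs."""
    excluded = set()
    for e in exclude:
        excluded.update(expand_target(e))
    seen = set()
    scope: List[str] = []
    for t in targets:
        for addr in expand_target(t):
            if addr in excluded or addr in seen:
                continue
            seen.add(addr)
            scope.append(addr)
    return scope


def outside_authorised(scope: Iterable[str], authorised: Iterable[str]) -> List[str]:
    """Addresses in the scope that fall outside the authorised CIDR blocks."""
    nets = [ipaddress.ip_network(a, strict=False) for a in authorised]
    return [a for a in scope
            if not any(ipaddress.ip_address(a) in n for n in nets)]


if __name__ == "__main__":
    # Constructed scope check: the page's /24 minus one host, against an
    # authorised block that covers only the top half of that /24.
    scope = scan_scope(["172.16.6.*"], exclude=["172.16.6.100"])
    print(len(scope), "addresses in scope")
    print(len(outside_authorised(scope, ["172.16.6.128/25"])), "outside authorised range")
```

Run it stand-alone to see the counts for the page's examples; the exclusion of one address from a * wildcard leaves 255 addresses, matching the "255 IP addresses" summary line above.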
6. Scan OS Information and Traceroute
With Nmap you can detect which OS and version is running on the remote host. To enable OS and version detection, script scanning and traceroute together, use the -A option.
$ nmap -A 172.16.6.152
[[email protected] ~]# nmap -A 172.16.6.152
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2016-03-03 16:25 EST
Interesting ports on server2.computaholics.in (172.16.6.152):
Not shown: 1674 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 4.3 (protocol 2.0)
80/tcp   open  http    Apache httpd 2.2.3 ((CentOS))
111/tcp  open  rpcbind  2 (rpc #100000)
957/tcp  open  status   1 (rpc #100024)
3306/tcp open  mysql   MySQL (unauthorized)
8888/tcp open  http    lighttpd 1.4.32
MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)
No exact OS matches for host (If you know what OS is running on it, see http://www.insecure.org/cgi-bin/nmap-submit.cgi).
TCP/IP fingerprint:
SInfo(V=4.11%P=i686-redhat-linux-gnu%D=11/11%Tm=52814B66%O=22%C=1%M=080027)
TSeq(Class=TR%IPID=Z%TS=1000HZ)
T1(Resp=Y%DF=Y%W=16A0%ACK=S++%Flags=AS%Ops=MNNTNW)
T2(Resp=N)
T3(Resp=Y%DF=Y%W=16A0%ACK=S++%Flags=AS%Ops=MNNTNW)
T4(Resp=Y%DF=Y%W=0%ACK=O%Flags=R%Ops=)
T5(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=Y%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
PU(Resp=Y%DF=N%TOS=C0%IPLEN=164%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)

Uptime 0.169 days (since Mon Nov 11 12:22:15 2013)

Nmap finished: 1 IP address (1 host up) scanned in 22.271 seconds
You have new mail in /var/spool/mail/root
7. Enable OS Detection with Nmap
The -O option enables OS detection; --osscan-guess also helps to discover the OS when Nmap finds no exact fingerprint match.
$ nmap -O server2.computaholics.in
[[email protected] ~]# nmap -O server2.computaholics.in

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2016-03-03 17:40 EST
Interesting ports on server2.computaholics.in (172.16.6.152):
Not shown: 1674 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind
957/tcp  open  unknown
3306/tcp open  mysql
8888/tcp open  sun-answerbook
No exact OS matches for host (If you know what OS is running on it, see http://www.insecure.org/cgi-bin/nmap-submit.cgi).
TCP/IP fingerprint:
SInfo(V=4.11%P=i686-redhat-linux-gnu%D=11/11%Tm=52815CF4%O=22%C=1%M=080027)
TSeq(Class=TR%IPID=Z%TS=1000HZ)
T1(Resp=Y%DF=Y%W=16A0%ACK=S++%Flags=AS%Ops=MNNTNW)
T2(Resp=N)
T3(Resp=Y%DF=Y%W=16A0%ACK=S++%Flags=AS%Ops=MNNTNW)
T4(Resp=Y%DF=Y%W=0%ACK=O%Flags=R%Ops=)
T5(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=Y%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
PU(Resp=Y%DF=N%TOS=C0%IPLEN=164%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)

Uptime 0.221 days (since Mon Nov 11 12:22:16 2013)

Nmap finished: 1 IP address (1 host up) scanned in 11.064 seconds
You have new mail in /var/spool/mail/root
8. Scan a Host to Detect a Firewall
An ACK scan (-sA) never reports ports as open; it only classifies them as filtered or unfiltered, which reveals whether a firewall is filtering traffic to the host.
$ nmap -sA 172.16.6.152
[[email protected] ~]# nmap -sA 172.16.6.152
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2016-03-03 16:27 EST
All 1680 scanned ports on server2.computaholics.in (172.16.6.152) are UNfiltered
Nmap finished: 1 IP address (1 host up) scanned in 0.382 seconds
You have new mail in /var/spool/mail/root
9. Scan a Host to Check Whether It Is Protected by a Firewall
The -PN option (spelled -Pn in current releases) skips host discovery and treats the target as up, so the port scan still runs when ping probes are blocked by a firewall.
$ nmap -PN 172.16.6.152
[[email protected] ~]# nmap -PN 172.16.6.152
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2016-03-03 16:30 EST
Interesting ports on server2.computaholics.in (172.16.6.152):
Not shown: 1674 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind
957/tcp  open  unknown
3306/tcp open  mysql
8888/tcp open  sun-answerbook
Nmap finished: 1 IP address (1 host up) scanned in 0.399 seconds
10. Find Live Hosts in a Network
A ping scan (-sP, spelled -sn in current releases) only reports which hosts respond, without scanning their ports.
$ nmap -sP 172.16.6.*
[[email protected] ~]# nmap -sP 172.16.6.*
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2016-03-03 11:01 EST
Host server1.computaholics.in (172.16.6.152) appears to be up.
Host server2.computaholics.in (172.16.6.153) appears to be up.
MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)
Nmap finished: 256 IP addresses (2 hosts up) scanned in 5.109 seconds
11. Perform a Fast Scan
The -F option scans fewer ports than the default, so the scan finishes faster.
$ nmap -F 172.16.6.152
[[email protected] ~]# nmap -F 172.16.6.152
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2016-03-03 16:47 EST
Interesting ports on server2.computaholics.in (192.168.0.101):
Not shown: 1234 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind
3306/tcp open  mysql
8888/tcp open  sun-answerbook
Nmap finished: 1 IP address (1 host up) scanned in 0.322 seconds
12. Find Nmap version
nmap -V
[[email protected] ~]# nmap -V

Nmap version 4.11 ( http://www.insecure.org/nmap/ )
You have new mail in /var/spool/mail/root
13. Scan Ports Consecutively
By default Nmap randomizes the port order; -r scans the ports sequentially instead.
$ nmap -r 172.16.6.152
[[email protected] ~]# nmap -r 172.16.6.152
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2016-03-03 16:52 EST
Interesting ports on server2.computaholics.in (172.16.6.152):
Not shown: 1674 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind
957/tcp  open  unknown
3306/tcp open  mysql
8888/tcp open  sun-answerbook
Nmap finished: 1 IP address (1 host up) scanned in 0.363 seconds
14. Print Host Interfaces and Routes
$ nmap --iflist
[[email protected] ~]# nmap --iflist

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2016-03-03 17:07 EST
************************INTERFACES************************
DEV  (SHORT) IP/MASK          TYPE     UP MAC
lo   (lo)    127.0.0.1/8      loopback up
eth0 (eth0)  172.16.6.152/24 ethernet up 08:00:27:11:C7:89

**************************ROUTES**************************
DST/MASK      DEV  GATEWAY
172.16.6.152/0 eth0
169.254.0.0/0 eth0
15. Scan a Specific Port
$ nmap -p 80 server2.computaholics.in
[[email protected] ~]# nmap -p 80 server2.computaholics.in

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2016-03-03 17:12 EST
Interesting ports on server2.computaholics.in (172.16.6.152):
PORT   STATE SERVICE
80/tcp open  http
Nmap finished: 1 IP address (1 host up) sca
16. Scan TCP Ports
The T: prefix restricts the port list to TCP.
$ nmap -p T:8888,80 server2.computaholics.in
[[email protected] ~]# nmap -p T:8888,80 server2.computaholics.in

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2016-03-03 17:15 EST
Interesting ports on server2.computaholics.in (172.16.6.152):
PORT     STATE SERVICE
80/tcp   open  http
8888/tcp open  sun-answerbook
Nmap finished: 1 IP address (1 host up) scanned in 0.157 seconds
17. Scan a UDP Port
-sU (UDP scan): UDP scan is activated with the -sU option. It can be combined with a TCP scan type such as SYN scan (-sS) to check both protocols during the same run. UDP scan works by sending a UDP packet to every targeted port. For some common ports such as 53 and 161, a protocol-specific payload is sent to increase the response rate, but for most ports the packet is empty unless the --data, --data-string, or --data-length options are specified.
The port must be given with -p; a bare "53" on the command line would be treated as another target rather than a port.
$ nmap -sU -p 53 server2.computaholics.in
[[email protected] ~]# nmap -sU -p 53 server2.computaholics.in

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2016-03-03 17:15 EST
Interesting ports on server2.computaholics.in (172.16.6.152):
PORT     STATE SERVICE
53/udp   open  http
8888/udp open  sun-answerbook
Nmap finished: 1 IP address (1 host up) scanned in 0.157 seconds
18. Scan Multiple Ports
$ nmap -p 80,443 172.16.6.152
[[email protected] ~]# nmap -p 80,443 172.16.6.152

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2016-03-03 10:56 EST
Interesting ports on server2.computaholics.in (172.16.6.152):
PORT    STATE  SERVICE
80/tcp  open   http
443/tcp closed https
Nmap finished: 1 IP address (1 host up) scanned in 0.190 seconds
19. Scan a Range of Ports
$ nmap -p 80-160 172.16.6.152
[[email protected] ~]# nmap -p 80-160 172.16.6.152
20. Find Host Service Version Numbers
Version detection (-sV) can be used to help differentiate the truly open ports from the filtered ones.
$ nmap -sV 172.16.6.152
[[email protected] ~]# nmap -sV 172.16.6.152

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2016-03-03 17:48 EST
Interesting ports on server2.computaholics.in (172.16.6.152):
Not shown: 1674 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 4.3 (protocol 2.0)
80/tcp   open  http    Apache httpd 2.2.3 ((CentOS))
111/tcp  open  rpcbind  2 (rpc #100000)
957/tcp  open  status   1 (rpc #100024)
3306/tcp open  mysql   MySQL (unauthorized)
8888/tcp open  http    lighttpd 1.4.32
Nmap finished: 1 IP address (1 host up) scanned in 12.624 seconds
21. Scan Remote Hosts Using TCP ACK Ping (-PA) and TCP SYN Ping (-PS)
-PS and -PA are host discovery probes: Nmap sends a TCP SYN or ACK packet to decide whether the host is up before running the port scan proper.
$ nmap -PS 172.16.6.152
[[email protected] ~]# nmap -PS 172.16.6.152
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2016-03-03 17:51 EST
Interesting ports on server2.computaholics.in (172.16.6.152):
Not shown: 1674 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind
957/tcp  open  unknown
3306/tcp open  mysql
8888/tcp open  sun-answerbook
Nmap finished: 1 IP address (1 host up) scanned in 0.360 seconds
You have new mail in /var/spool/mail/root
22. Scan a Remote Host for Specific Ports with TCP ACK Ping
$ nmap -PA -p 22,80 172.16.6.152
[[email protected] ~]# nmap -PA -p 22,80 172.16.6.152

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2016-03-03 18:02 EST
Interesting ports on server2.computaholics.in (172.16.6.152):
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
Nmap finished: 1 IP address (1 host up) scanned in 0.166 seconds
You have new mail in /var/spool/mail/root
23. Scan a Remote Host for Specific Ports with TCP SYN Ping
$ nmap -PS -p 22,80 172.16.6.152
[[email protected] ~]# nmap -PS -p 22,80 172.16.6.152

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2016-03-03 18:08 EST
Interesting ports on server2.computaholics.in (172.16.6.152):
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
Nmap finished: 1 IP address (1 host up) scanned in 0.165 seconds
You have new mail in /var/spool/mail/root
24. Perform a Stealthy Scan
-sS (TCP SYN scan): SYN scan is the default and most popular scan option for good reasons. It can be performed quickly, scanning thousands of ports per second on a fast network not hampered by restrictive firewalls. It is also relatively unobtrusive and stealthy since it never completes TCP connections. SYN scan works against any compliant TCP stack rather than depending on idiosyncrasies of specific platforms as Nmap's FIN/NULL/Xmas, Maimon and idle scans do. It also allows clear, reliable differentiation between the open, closed, and filtered states.
$ nmap -sS 172.16.6.152

[[email protected] ~]# nmap -sS 172.16.6.152
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2016-03-03 18:10 EST
Interesting ports on server2.computaholics.in (172.16.6.152):
Not shown: 1674 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind
957/tcp  open  unknown
3306/tcp open  mysql
8888/tcp open  sun-answerbook
Nmap finished: 1 IP address (1 host up) scanned in 0.383 seconds
You have new mail in /var/spool/mail/root
25. Perform a TCP Connect Scan
-sT (TCP connect scan): TCP connect scan is the default TCP scan type when SYN scan is not an option. This is the case when a user does not have raw packet privileges. Instead of writing raw packets as most other scan types do, Nmap asks the underlying operating system to establish a connection with the target machine and port by issuing the connect system call. This is the same high-level system call that web browsers, P2P clients, and most other network-enabled applications use to establish a connection. It is part of a programming interface known as the Berkeley Sockets API. Rather than read raw packet responses off the wire, Nmap uses this API to obtain status information on each connection attempt.
$ nmap -sT 172.16.6.152
[[email protected] ~]# nmap -sT 172.16.6.152
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2016-03-03 18:12 EST
Interesting ports on server2.computaholics.in (172.16.6.152):
Not shown: 1674 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind
957/tcp  open  unknown
3306/tcp open  mysql
8888/tcp open  sun-answerbook
Nmap finished: 1 IP address (1 host up) scanned in 0.406 seconds
You have new mail in /var/spool/mail/root
26. Perform a TCP NULL Scan to Fool a Firewall
Null scan (-sN): does not set any TCP flag bits (the flag header is 0). Closed ports answer with a RST, while open or filtered ports stay silent, which is why the result reports open|filtered rather than open.
$ nmap -sN 172.16.6.152
[[email protected] ~]# nmap -sN 172.16.6.152

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2016-03-03 19:01 EST
Interesting ports on server2.computaholics.in (172.16.6.152):
Not shown: 1674 closed ports
PORT     STATE         SERVICE
22/tcp   open|filtered ssh
80/tcp   open|filtered http
111/tcp  open|filtered rpcbind
957/tcp  open|filtered unknown
3306/tcp open|filtered mysql
8888/tcp open|filtered sun-answerbook
Nmap finished: 1 IP address (1 host up) scanned in 1.584 seconds
You have new mail in /var/spool/mail/root
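Every example above prints the same normal-output layout: an "Interesting ports on host (ip):" header, a PORT/STATE/SERVICE table with an optional VERSION column (sections 6 and 20), an optional MAC Address line, and states such as open|filtered from the NULL scan in section 26. The Python below is an added example, not code from this page or from the Nmap project, that parses that layout (and the newer "Nmap scan report for ..." header) into structured records and then compares the open ports against a per-host baseline, which is how a defender turns a scan of their own network into a list of unexpected exposures. The sample output embedded in it is constructed for this example, and all function names are assumptions.

```python
"""Parse Nmap normal output and flag open ports missing from a baseline.

Added example; not code from this page or from the Nmap project. Function
names and the sample output are constructed for this example.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample in the Nmap 4.x layout used on this page: one host with
# a VERSION column and a MAC line, one host from a NULL scan (open|filtered).
SAMPLE_OUTPUT = """\
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2016-03-03 16:25 EST
Interesting ports on server2.example.test (172.16.6.152):
Not shown: 1674 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 4.3 (protocol 2.0)
80/tcp   open  http    Apache httpd 2.2.3 ((CentOS))
443/tcp  closed https
3306/tcp open  mysql   MySQL (unauthorized)
MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)

Interesting ports on 172.16.6.153:
Not shown: 1674 closed ports
PORT     STATE         SERVICE
22/tcp   open|filtered ssh
8888/tcp open|filtered sun-answerbook

Nmap finished: 2 IP addresses (2 hosts up) scanned in 22.271 seconds
"""

# Old ("Interesting ports on") and new ("Nmap scan report for") host headers;
# the IP in parentheses is absent when no reverse name was found.
HOST_RE = re.compile(
    r"^(?:Interesting ports on|Nmap scan report for) (?P<name>\S+?)"
    r"(?: \((?P<ip>[\d.]+)\))?:?$")
PORT_RE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)"
    r"(?:\s+(?P<version>.*\S))?\s*$")
MAC_RE = re.compile(r"^MAC Address: (?P<mac>[0-9A-Fa-f:]{17})(?: \((?P<vendor>.*)\))?$")


@dataclass
class Port:
    number: int
    proto: str
    state: str
    service: str
    version: Optional[str] = None

    @property
    def key(self) -> str:
        return f"{self.number}/{self.proto}"


@dataclass
class Host:
    name: str
    ip: str
    ports: List[Port] = field(default_factory=list)
    mac: Optional[str] = None


def parse_nmap_output(text: str) -> List[Host]:
    """Turn Nmap normal output into a list of hosts with their port rows."""
    hosts: List[Host] = []
    current: Optional[Host] = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        m = HOST_RE.match(line)
        if m:
            # Fall back to the name field when Nmap printed a bare address.
            current = Host(name=m["name"], ip=m["ip"] or m["name"])
            hosts.append(current)
            continue
        if current is None:
            continue  # banner lines before the first host
        m = PORT_RE.match(line)
        if m:
            current.ports.append(Port(int(m["port"]), m["proto"], m["state"],
                                      m["service"], m["version"]))
            continue
        m = MAC_RE.match(line)
        if m:
            current.mac = m["mac"]
    return hosts


def unexpected_exposures(hosts: List[Host],
                         baseline: Dict[str, Set[str]]) -> List[Tuple[str, str, str]]:
    """(ip, port/proto, service) for open ports not allowed by the baseline."""
    findings: List[Tuple[str, str, str]] = []
    for h in hosts:
        allowed = baseline.get(h.ip, set())  # unknown host: nothing is allowed
        for p in h.ports:
            # open|filtered (NULL and UDP scans) cannot be told from open
            # without further probing, so it is treated as a potential exposure.
            if p.state.startswith("open") and p.key not in allowed:
                findings.append((h.ip, p.key, p.service))
    return findings


if __name__ == "__main__":
    baseline = {"172.16.6.152": {"22/tcp", "80/tcp"}, "172.16.6.153": {"22/tcp"}}
    for ip, key, svc in unexpected_exposures(parse_nmap_output(SAMPLE_OUTPUT), baseline):
        print(f"{ip}: {key} ({svc}) is open but not in the baseline")
```

In practice the baseline is the set of ports each host is meant to expose, and the scan output comes from a scheduled run of your own network; any finding is either a new service to add to the baseline deliberately or something to investigate. Closed ports are ignored, and a host missing from the baseline has all of its open ports reported.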