Here are some Nmap usage examples, from the simple and
routine to a little more complex and esoteric. Some actual
IP addresses and domain names are used to make things
more concrete. In their place you should substitute
your own network. While I don't think
port scanning other networks is or should be illegal, some network
administrators don't appreciate unsolicited scanning of their networks and may
complain. Getting permission first is the best approach.
For testing purposes, you have permission to scan the host
This permission only includes
scanning via Nmap and not testing exploits or denial of service
attacks. To conserve bandwidth, please do not initiate more than
a dozen scans against that host per day. If this free scanning
target service is abused, it will be taken down and Nmap will
Failed to resolve given hostname/IP:
scanme.nmap.org. These permissions also apply to
the hosts scanme2.nmap.org,
scanme3.nmap.org, and so on, though those hosts
do not currently exist.
nmap -v scanme.nmap.org
This option scans all reserved TCP ports on the machine
scanme.nmap.org . The
option enables verbose mode.
nmap -sS -O scanme.nmap.org/24
Launches a stealth SYN scan against each machine that is
up out of the 256 IPs on the class C sized network where
Scanme resides. It also tries to determine what
operating system is running on each host that is up and
running. This requires root privileges because of the SYN scan
and OS detection.
nmap -sV -p 22,53,110,143,4564
Launches host enumeration and a TCP scan at the first half
of each of the 255 possible eight-bit subnets in the 198.116 class B
address space. This tests whether the systems run SSH, DNS, POP3,
or IMAP on their standard ports, or anything on port 4564. For any
of these ports found open, version detection is used to determine
what application is running.
nmap -v -iR 100000 -Pn -p 80
Asks Nmap to choose 100,000 hosts at random and scan them
for web servers (port 80). Host enumeration is disabled with
-Pn since first sending a couple probes to
determine whether a host is up is wasteful when you are only
probing one port on each target host anyway.
nmap -Pn -p80 -oX logs/pb-port80scan.xml -oG
This scans 4096 IPs for any web servers (without pinging
them) and saves the output in grepable and XML formats.