Installation

If you are on a Linux machine, which doesn’t have NMAP by default, you could install Nmap using

sudo apt-get install nmap

Nmap also runs on Linux, Microsoft Windows, Solaris, HP-UX and BSD variants (including Mac OS X), AmigaOS and SGI IRIX. If you would like to download Nmap,  you could go over to Nmap download page (http://nmap.org/download.html).

Usage

The basic syntax of aNmap scan is

nmap [Scan type(s)] [options] {target specifications}

The target field could either be a hostname, IP address, networks or even a file containing all the targets (using the –iL options)
If a port is not specified in the scan, Nmap will scan only the well-known ports (1-1023).

Here is a complete list of various options which could be used in Nmap.

TARGET SPECIFICATION:

-iL        Input from list of hosts/networks
-iR       Choose random targets
--exclude <host1[,host2][,host3],...>   Exclude hosts/networks
--excludefile<exclude_file>    Exclude list from file

HOST DISCOVERY:

-sL       List Scan - list targets to scan
-sP       Ping Scan - go no further than determining if host is online
-P0      Treat all hosts as online -- skip host discovery
-PS/PA/PU [portlist]    TCP SYN/ACK or UDP discovery to given ports
-PE/PP/PM     ICMP echo, timestamp, and netmask request discovery probes
-n/-R    Never do DNS resolution/Always resolve [default: sometimes]
--dns-servers <serv1[,serv2],...>        Specify custom DNS servers
--system-dns   Use OS's DNS resolver

SCAN TECHNIQUES:

-sS/sT/sA/sW/sM        : TCP SYN/Connect()/ACK/Window/Maimon scans
-sN/sF/sX        TCP :  Null, FIN, and Xmas scans
--scanflags<flags>      : Customize TCP scan flags
-sI<zombie host[:probeport]> : Idlescan
-sO : IP protocol scan
-b <ftp relay host> : FTP bounce scan

PORT SPECIFICATION AND SCAN ORDER:

-p <port ranges> : Only scan specified ports
Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080
-F         Fast - Scan only the ports listed in the nmap-services file)

-r          Scan ports consecutively - don't randomize