Installation
If you are on a Linux machine that does not have Nmap installed by default, you can install it with
sudo apt-get install nmap
Nmap also runs on Linux, Microsoft Windows, Solaris, HP-UX and BSD variants (including Mac OS X), AmigaOS and SGI IRIX. To download Nmap for any of these, go to the Nmap download page (http://nmap.org/download.html).
Usage
The basic syntax of an Nmap scan is
nmap [Scan type(s)] [options] {target specifications}
The target field can be a hostname, an IP address, a network, or a file containing all the targets (using the -iL option).
If no port is specified in the scan, Nmap will scan only the well-known ports (1-1023).
Here is a list of the various options that can be used with Nmap.
TARGET SPECIFICATION:
-iL Input from list of hosts/networks
-iR Choose random targets
--exclude <host1[,host2][,host3],...> Exclude hosts/networks
--excludefile <exclude_file> Exclude list from file
HOST DISCOVERY:
-sL List Scan - list targets to scan
-sP Ping Scan - go no further than determining if host is online
-P0 Treat all hosts as online -- skip host discovery
-PS/PA/PU [portlist] TCP SYN/ACK or UDP discovery to given ports
-PE/PP/PM ICMP echo, timestamp, and netmask request discovery probes
-n/-R Never do DNS resolution/Always resolve [default: sometimes]
--dns-servers <serv1[,serv2],...> Specify custom DNS servers
--system-dns Use OS's DNS resolver
SCAN TECHNIQUES:
-sS/sT/sA/sW/sM : TCP SYN/Connect()/ACK/Window/Maimon scans
-sN/sF/sX : TCP Null, FIN, and Xmas scans
--scanflags <flags> : Customize TCP scan flags
-sI <zombie host[:probeport]> : Idle scan
-sO : IP protocol scan
-b <ftp relay host> : FTP bounce scan
PORT SPECIFICATION AND SCAN ORDER:
-p <port ranges> : Only scan specified ports
Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080
-F Fast - Scan only the ports listed in the nmap-services file
-r Scan ports consecutively - don't randomize
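The -p syntax shown above (single ports, ranges, and T:/U: protocol prefixes that apply to every item that follows) is easy to get wrong when a scan is scripted, so it helps to validate a specification before it reaches the scanner. The parser below is an added example written for this page, not Nmap's own code; it implements the rules the list above shows plus the "-p-" shorthand for all ports, and as a simplification treats unprefixed items as TCP (Nmap applies them to every protocol being scanned).

```python
"""Parse and validate an Nmap -p port specification.

Implemented rules (a reimplementation for illustration, not Nmap's parser):
- items are comma separated; each is a single port or a low-high range
- a "T:" or "U:" prefix switches the protocol for that item and all following
- a lone "-" (as in -p-) means every port, 1-65535
- items with no prefix are treated as TCP here (a simplification)
- every port must lie in 1-65535 and ranges must be ascending
"""
from typing import Dict, Set

PROTOCOL_PREFIXES = {"T": "tcp", "U": "udp"}
MAX_PORT = 65535


def parse_port_spec(spec: str) -> Dict[str, Set[int]]:
    """Return {"tcp": {...}, "udp": {...}} for a -p argument, or raise ValueError."""
    ports: Dict[str, Set[int]] = {"tcp": set(), "udp": set()}
    proto = "tcp"
    for item in spec.split(","):
        item = item.strip()
        if not item:
            raise ValueError("empty item in port specification")
        # A protocol prefix is sticky: it applies until another prefix appears.
        if len(item) > 1 and item[1] == ":" and item[0].upper() in PROTOCOL_PREFIXES:
            proto = PROTOCOL_PREFIXES[item[0].upper()]
            item = item[2:]
        if item == "-":                      # -p- : all ports
            low, high = 1, MAX_PORT
        elif "-" in item:                    # low-high range
            low_s, high_s = item.split("-", 1)
            if not (low_s.isdigit() and high_s.isdigit()):
                raise ValueError(f"malformed range: {item!r}")
            low, high = int(low_s), int(high_s)
        elif item.isdigit():                 # single port
            low = high = int(item)
        else:
            raise ValueError(f"malformed port item: {item!r}")
        if not (1 <= low <= high <= MAX_PORT):
            raise ValueError(f"port range out of bounds or descending: {item!r}")
        ports[proto].update(range(low, high + 1))
    return ports


def port_count(spec: str) -> int:
    """Total number of (protocol, port) pairs a specification expands to."""
    parsed = parse_port_spec(spec)
    return sum(len(s) for s in parsed.values())


if __name__ == "__main__":
    # The example specification from the cheat sheet above.
    print(parse_port_spec("U:53,111,137,T:21-25,80,139,8080"))
```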