Introduction
In the world of system administration and computer security, knowing the devices and services exposed on a network is essential. Nmap (Network Mapper) is an open‑source tool that allows you to perform port scans and host discovery quickly and efficiently. In this article you will learn from installation to the most advanced scans, with practical examples you can apply in your Linux environment.
What is nmap
Nmap is a port scanner that uses custom IP packets to determine which hosts are available on a network, what services those hosts offer, what operating systems they are running, and what kind of filters or firewalls may be present. Its flexibility stems from the wide variety of scanning techniques (TCP connect, SYN stealth, UDP, etc.) and the NSE script engine that extends its capabilities.
Installation on Linux
Most distributions include nmap in their repositories. On Debian/Ubuntu you can install it with:
sudo apt update
sudo apt install nmap
On Fedora or CentOS use:
sudo dnf install nmap
To verify the installation, run nmap --version and you should see the version number and release date.
Basic port scan
The simplest command is to scan a specific host:
nmap 192.168.1.10
This performs a SYN stealth scan (-sS) by default if you have root privileges, or a full connect scan (-sT) if you do not. The output lists each port found, its state (open, closed, or filtered), and the service name nmap associates with that port number.
You can specify a port range:
nmap -p 1-1000 192.168.1.10
Or scan all ports:
nmap -p- 192.168.1.10
Service and version detection
To obtain more information about what service is behind each open port, use the -sV option:
nmap -sV 192.168.1.10
Nmap will send specific probes and compare the responses with its service fingerprint database, returning the software version (for example, Apache 2.4.41, OpenSSH 7.9).
If you also want an aggressive OS detection, combine -O with --osscan-guess:
nmap -O --osscan-guess 192.168.1.10
Host discovery on a network
When you need to know which devices are active on a subnet, nmap offers host discovery via ARP, ICMP, or TCP ping. A quick network scan looks like this:
nmap -sn 192.168.1.0/24
The -sn flag tells nmap to perform only host discovery, without scanning ports. This is useful for inventorying devices before a deeper analysis.
Advanced scanning with NSE scripts
The Nmap Scripting Engine (NSE) allows you to run automated tasks such as vulnerability detection, service information extraction, or even lightweight exploitation. Some useful scripts are:
- http-title: retrieves the title of a web page.
- ssl-cert: displays information about the SSL/TLS certificate.
- vuln: the script category that checks for known vulnerabilities according to the CVE database.
To run one or several scripts, use the --script flag:
nmap --script http-title,ssl-cert 192.168.1.10
You can also load every script in a category by giving the category name instead of individual script names:
nmap --script vuln 192.168.1.10
Best practices and precautions
Although nmap is a powerful tool, its use must be responsible and ethical:
- Always obtain explicit permission before scanning networks that do not belong to you.
- Prefer less intrusive scans (such as -sS) when working in production environments.
- Save the results to a file for auditing; the -oA option generates three formats (normal, greppable, and XML):
nmap -oA resultado 192.168.1.0/24
- Keep nmap updated to benefit from the latest signatures and scripts.
Conclusion
Nmap has become an essential component of any system administrator’s or security professional’s toolkit. From a simple port scan to complex security audits with NSE scripts, its flexibility and power make it indispensable. With the examples and recommendations presented here, you will be ready to explore and protect your Linux networks in an informed and secure manner.