  • Nmap, short for “Network Mapper”, is one of the best open-source utilities available for network discovery and security auditing.

    Nmap sends packets and analyzes the responses it gets to discover hosts and services on a computer network. It is one of the most widely used port scanners available today, helping you find open ports and detect security risks on a network.

    Port scanning is the first step for an attacker to get information about the target network and identify a potential way to launch an attack. An attacker will learn which services are running on open ports along with their versions, which helps in determining vulnerabilities for the corresponding version.

    It is popularly known as the System Administrator’s Swiss Army Knife owing to its ability to serve multiple purposes – probing computer networks, host discovery, port scanning, vulnerability detection, OS detection, version detection, etc. It is a cross-platform utility.

    If you do not like working in the command-line interface, it is also available in a GUI – Zenmap, the official Nmap Security Scanner GUI.

    Installation

    We will demonstrate the installation of Nmap on two commonly used Linux distributions – CentOS and Ubuntu. It is available as a package in the repositories of most Linux distributions.

    Installing Nmap On CentOS 6/7.x

    • To install the Nmap package on CentOS, run the command:
    sudo yum install nmap
    $sudo yum install nmap
    Loaded plugins: fastestmirror, security
    Setting up Install Process
    Loading mirror speeds from cached hostfile
     * base: mirror.vcu.edu
     * centos-sclo-rh: mirror.cc.columbia.edu
     * centos-sclo-sclo: mirror.rackspace.com
     * epel: reflector.westga.edu
     * extras: centos5.zswap.net
     * updates: mirror.jaleco.com
    Resolving Dependencies
    --> Running transaction check
    ---> Package nmap.x86_64 2:5.51-6.el6 will be installed
    --> Finished Dependency Resolution
    
    Dependencies Resolved
    
    ======================================================================================================================================================================================================================================================
     Package                                                  Arch                                                       Version                                                           Repository                                                Size
    ======================================================================================================================================================================================================================================================
    Installing:
     nmap                                                     x86_64                                                     2:5.51-6.el6                                                      base                                                     2.8 M
    
    Transaction Summary
    ======================================================================================================================================================================================================================================================
    Install       1 Package(s)
    
    Total download size: 2.8 M
    Installed size: 9.7 M
    Is this ok [y/N]:
    • The system will prompt to confirm and complete the installation. Type y and press Enter
    Is this ok [y/N]: y
    Downloading Packages:
    nmap-5.51-6.el6.x86_64.rpm                                                                                                                                                                                                     | 2.8 MB     00:00     
    Running rpm_check_debug
    Running Transaction Test
    Transaction Test Succeeded
    Running Transaction
      Installing : 2:nmap-5.51-6.el6.x86_64                                                                                                                                                                                                           1/1 
      Verifying  : 2:nmap-5.51-6.el6.x86_64                                                                                                                                                                                                           1/1 
    
    Installed:
      nmap.x86_64 2:5.51-6.el6                                                                                                                                                                                                                            
    
    Complete!
    $
    • To check that it was installed successfully and see which version was installed, execute the command below.
    $nmap -version
    
    Nmap version 5.51 ( http://nmap.org )

    Installing Nmap on CentOS 8.x

    • We will use DNF to install.
    $sudo dnf install nmap -y
    Last metadata expiration check: 0:58:54 ago on Fri 18 Sep 2020 07:04:54 PM UTC.
    Dependencies resolved.
    ======================================================================================================================================================================================================================================================
     Package                                                    Architecture                                            Version                                                          Repository                                                  Size
    ======================================================================================================================================================================================================================================================
    Installing:
     nmap                                                       x86_64                                                  2:7.70-5.el8                                                     AppStream                                                  5.8 M
    Installing dependencies:
     nmap-ncat                                                  x86_64                                                  2:7.70-5.el8                                                     AppStream                                                  237 k
    
    Transaction Summary
    ======================================================================================================================================================================================================================================================
    Install  2 Packages
    
    Total download size: 6.1 M
    Installed size: 25 M
    Downloading Packages:
    (1/2): nmap-ncat-7.70-5.el8.x86_64.rpm                                                                                                                                                                                669 kB/s | 237 kB     00:00    
    (2/2): nmap-7.70-5.el8.x86_64.rpm                                                                                                                                                                                     9.2 MB/s | 5.8 MB     00:00    
    ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    Total                                                                                                                                                                                                                 8.0 MB/s | 6.1 MB     00:00     
    Running transaction check
    Transaction check succeeded.
    Running transaction test
    Transaction test succeeded.
    Running transaction
      Preparing        :                                                                                                                                                                                                                              1/1 
      Installing       : nmap-ncat-2:7.70-5.el8.x86_64                                                                                                                                                                                                1/2 
      Running scriptlet: nmap-ncat-2:7.70-5.el8.x86_64                                                                                                                                                                                                1/2 
      Installing       : nmap-2:7.70-5.el8.x86_64                                                                                                                                                                                                     2/2 
      Running scriptlet: nmap-2:7.70-5.el8.x86_64                                                                                                                                                                                                     2/2 
      Verifying        : nmap-2:7.70-5.el8.x86_64                                                                                                                                                                                                     1/2 
      Verifying        : nmap-ncat-2:7.70-5.el8.x86_64                                                                                                                                                                                                2/2 
    
    Installed:
      nmap-2:7.70-5.el8.x86_64                                                                                                nmap-ncat-2:7.70-5.el8.x86_64                                                                                               
    
    Complete!
    $

    With -y option, DNF/YUM will install the specified package without asking for confirmation.

    DNF (Dandified Yum) is the new package manager in RHEL/CentOS 8 which can be used to install packages. It is the next-generation version of YUM (Yellowdog Updater Modified) and is intended to replace YUM in RPM-based systems.

    • Then verify the installation:
    $nmap -version
    Nmap version 7.70 ( https://nmap.org )
    Platform: x86_64-redhat-linux-gnu
    Compiled with: liblua-5.3.3 openssl-1.1.1 libpcre-8.42 libpcap-1.9.0-PRE-GIT nmap-libdnet-1.12 ipv6
    Compiled without: libssh2 libz
    Available nsock engines: epoll poll select

    Ubuntu

    • Run the below command to make sure all packages are up-to-date on the Ubuntu server.
    sudo apt-get update
    • Execute the below command to install
    $sudo apt-get install nmap -y
    Reading package lists... Done
    Building dependency tree       
    Reading state information... Done
    The following package was automatically installed and is no longer required:
      libnuma1
    Use 'sudo apt autoremove' to remove it.
    The following additional packages will be installed:
      libblas3 liblinear4 liblua5.3-0 lua-lpeg nmap-common
    Suggested packages:
      liblinear-tools liblinear-dev ncat ndiff zenmap
    The following NEW packages will be installed:
      libblas3 liblinear4 liblua5.3-0 lua-lpeg nmap nmap-common
    0 upgraded, 6 newly installed, 0 to remove and 30 not upgraded.
    Need to get 5669 kB of archives.
    After this operation, 26.8 MB of additional disk space will be used.
    Get:1 http://us-west1.gce.archive.ubuntu.com/ubuntu focal/main amd64 libblas3 amd64 3.9.0-1build1 [142 kB]
    Get:2 http://us-west1.gce.archive.ubuntu.com/ubuntu focal/universe amd64 liblinear4 amd64 2.3.0+dfsg-3build1 [41.7 kB]
    Get:3 http://us-west1.gce.archive.ubuntu.com/ubuntu focal/main amd64 liblua5.3-0 amd64 5.3.3-1.1ubuntu2 [116 kB]
    Get:4 http://us-west1.gce.archive.ubuntu.com/ubuntu focal/universe amd64 lua-lpeg amd64 1.0.2-1 [31.4 kB]
    Get:5 http://us-west1.gce.archive.ubuntu.com/ubuntu focal/universe amd64 nmap-common all 7.80+dfsg1-2build1 [3676 kB]
    Get:6 http://us-west1.gce.archive.ubuntu.com/ubuntu focal/universe amd64 nmap amd64 7.80+dfsg1-2build1 [1662 kB]
    Fetched 5669 kB in 1s (7683 kB/s)
    Selecting previously unselected package libblas3:amd64.
    (Reading database ... 62831 files and directories currently installed.)
    Preparing to unpack .../0-libblas3_3.9.0-1build1_amd64.deb ...
    Unpacking libblas3:amd64 (3.9.0-1build1) ...
    Selecting previously unselected package liblinear4:amd64.
    Preparing to unpack .../1-liblinear4_2.3.0+dfsg-3build1_amd64.deb ...
    Unpacking liblinear4:amd64 (2.3.0+dfsg-3build1) ...
    Selecting previously unselected package liblua5.3-0:amd64.
    Preparing to unpack .../2-liblua5.3-0_5.3.3-1.1ubuntu2_amd64.deb ...
    Unpacking liblua5.3-0:amd64 (5.3.3-1.1ubuntu2) ...
    Selecting previously unselected package lua-lpeg:amd64.
    Preparing to unpack .../3-lua-lpeg_1.0.2-1_amd64.deb ...
    Unpacking lua-lpeg:amd64 (1.0.2-1) ...
    Selecting previously unselected package nmap-common.
    Preparing to unpack .../4-nmap-common_7.80+dfsg1-2build1_all.deb ...
    Unpacking nmap-common (7.80+dfsg1-2build1) ...
    Selecting previously unselected package nmap.
    Preparing to unpack .../5-nmap_7.80+dfsg1-2build1_amd64.deb ...
    Unpacking nmap (7.80+dfsg1-2build1) ...
    Setting up lua-lpeg:amd64 (1.0.2-1) ...
    Setting up libblas3:amd64 (3.9.0-1build1) ...
    update-alternatives: using /usr/lib/x86_64-linux-gnu/blas/libblas.so.3 to provide /usr/lib/x86_64-linux-gnu/libblas.so.3 (libblas.so.3-x86_64-linux-gnu) in auto mode
    Setting up nmap-common (7.80+dfsg1-2build1) ...
    Setting up liblua5.3-0:amd64 (5.3.3-1.1ubuntu2) ...
    Setting up liblinear4:amd64 (2.3.0+dfsg-3build1) ...
    Setting up nmap (7.80+dfsg1-2build1) ...
    Processing triggers for man-db (2.9.1-1) ...
    Processing triggers for libc-bin (2.31-0ubuntu9) ...
    • And, run the -version to ensure it is installed.
    $nmap -version
    Nmap version 7.80 ( https://nmap.org )
    Platform: x86_64-pc-linux-gnu
    Compiled with: liblua-5.3.3 openssl-1.1.1d nmap-libssh2-1.8.2 libz-1.2.11 libpcre-8.39 libpcap-1.9.1 nmap-libdnet-1.12 ipv6
    Compiled without:
    Available nsock engines: epoll poll select

    Real-time Nmap Usage Example

    We will see a few examples illustrating the usage of the Nmap command.

    Scan for open ports

    Syntax for nmap

    nmap [Scan Type(s)] [Options] {target specification}

    Target specification could be a hostname, IP address, domain name, network, subnet, etc.

    Scan a domain

    nmap scanme.nmap.org
    $nmap scanme.nmap.org
    Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-18 20:14 UTC
    Nmap scan report for scanme.nmap.org (45.33.32.156)
    Host is up (0.025s latency).
    Other addresses for scanme.nmap.org (not scanned): 2600:3c01::f03c:91ff:fe18:bb2f
    Not shown: 995 closed ports
    PORT      STATE    SERVICE
    22/tcp    open     ssh
    25/tcp    filtered smtp
    80/tcp    open     http
    9929/tcp  open     nping-echo
    31337/tcp open     Elite
    
    Nmap done: 1 IP address (1 host up) scanned in 1.73 seconds

    With no flags, Nmap will, by default –

    • Scan the top 1000 most commonly used ports (the list of these ports can be modified in the nmap-services file).
    • Attempt a TCP SYN connection to ports when run as a privileged user.
    • Send ICMP echo requests to target hosts to confirm whether they are alive.
    • Perform a reverse DNS lookup to get the hostname.

    The output above shows four open ports, one filtered port, and 995 closed ports. A port is reported as filtered when Nmap cannot determine whether it is open or closed, which may be due to a firewall.

    In the example shown above, we scan scanme.nmap.org, which has authorized itself to be scanned.

    nmap -F scanme.nmap.org

    You could also use the fast scan option -F to scan only the top 100 most commonly used ports of each protocol it is asked to scan.

    Scan IP address

    nmap 192.168.0.7
    $nmap 192.168.0.7
    Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-18 20:12 UTC
    Nmap scan report for server-1.geekflare.com (192.168.0.7)
    Host is up (0.034s latency).
    Not shown: 999 closed ports
    PORT   STATE SERVICE
    22/tcp open  ssh
    
    Nmap done: 1 IP address (1 host up) scanned in 0.62 seconds

    Scan a subnet

    nmap 192.168.0.0/24
    $nmap 192.168.0.0/24
    Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-18 20:15 UTC
    Nmap scan report for server-1.geekflare.com (192.168.0.7)
    Host is up (0.044s latency).
    Not shown: 999 closed ports
    PORT   STATE SERVICE
    22/tcp open  ssh
    
    Nmap scan report for server-2.geekflare.com (192.168.0.8)
    Host is up (0.046s latency).
    Not shown: 999 closed ports
    PORT   STATE SERVICE
    22/tcp open  ssh
    
    Nmap scan report for server-3.geekflare.com (192.168.0.9)
    Host is up (0.043s latency).
    Not shown: 999 closed ports
    PORT   STATE SERVICE
    22/tcp open  ssh
    
    Nmap scan report for server-4.geekflare.com (192.168.0.10)
    Host is up (0.044s latency).
    Not shown: 999 closed ports
    PORT   STATE SERVICE
    22/tcp open  ssh
    
    Nmap done: 256 IP addresses (4 hosts up) scanned in 4.67 seconds

    Scanning multiple hosts

    Scanning multiple hosts is easy!

    • Add hostnames or IP addresses you want to scan one after another in a row
    nmap 192.168.0.1 192.168.0.3 192.168.0.4
    • Use commas

    The command above could also be written as shown below, which avoids repeating the IP address prefix.

    nmap 192.168.0.1,3,4
    • Use hyphens (-) to specify the IP address range as shown below
    nmap 192.168.0.1-20

    The above command will scan the first twenty hosts of the sub-network.

    • Use wild cards to scan entire subnet –
    nmap 192.168.0.*

    The above command will scan for all 256 IP addresses in the subnet.

    • Read Hosts from a file

    You could specify all the hosts required to be scanned in a file and use the command below –

    nmap -iL /tmp/hostfile

    Example of host file –

    cat /tmp/hostfile
    
    192.168.0.1,2,4
    
    scanme.nmap.org
    
    10.0.0-255.1-254
    • Exclude hosts from search

    You could exclude a few hosts from a group search if you want.

    nmap 192.168.0.* --exclude 192.168.0.2
    
    nmap 192.168.0.1-40 --exclude 192.168.0.5,6,7

    You could also exclude hosts from your search using the --excludefile flag

    nmap 192.168.0.* --excludefile /tmp/hosts.txt
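
To check what a target specification covers before any packet is sent, the notations above can be expanded offline and compared with the range you are authorized to scan. This is an added example, not part of the original article or of Nmap; it handles IPv4 only, exclusions are passed as a list of specs, the function names are hypothetical, and 192.168.0.0/24 is assumed as the authorized range.

```python
import ipaddress
from itertools import product

# Lines of the example host file shown above (/tmp/hostfile).
HOSTFILE_LINES = ["192.168.0.1,2,4", "", "scanme.nmap.org", "", "10.0.0-255.1-254"]


def octet_values(spec):
    """Expand one octet of a target: '7', '1-20', '1,3,4', '*' or a mix like '1-3,9'."""
    values = set()
    for part in spec.split(","):
        if part == "*":
            low, high = 0, 255
        elif "-" in part:
            low, high = (int(n) for n in part.split("-", 1))
        else:
            low = high = int(part)
        if not 0 <= low <= high <= 255:
            raise ValueError("octet out of range: %r" % part)
        values.update(range(low, high + 1))
    return sorted(values)


def expand_target(spec):
    """Return the set of IPv4 addresses covered by one numeric target spec."""
    if "/" in spec:
        # Iterating a network yields every address in the block, which
        # matches the "256 IP addresses" Nmap reports for a /24.
        return {str(ip) for ip in ipaddress.ip_network(spec, strict=False)}
    octets = spec.split(".")
    if len(octets) != 4:
        raise ValueError("not an IPv4 target: %r" % spec)
    return {".".join(str(n) for n in combo)
            for combo in product(*(octet_values(o) for o in octets))}


def scan_scope(targets, excludes=()):
    """Return (sorted addresses, hostnames) for a target list minus exclusions."""
    addresses, hostnames = set(), []
    for target in (t.strip() for t in targets):
        if not target:
            continue  # blank lines in a host file
        if any(c.isalpha() for c in target):
            hostnames.append(target)  # needs DNS to resolve; review by hand
        else:
            addresses |= expand_target(target)
    for spec in excludes:
        addresses -= expand_target(spec)
    return sorted(addresses, key=ipaddress.ip_address), hostnames


def outside_range(addresses, authorized_cidr):
    """Addresses that fall outside the network you are authorized to scan."""
    network = ipaddress.ip_network(authorized_cidr)
    return [a for a in addresses if ipaddress.ip_address(a) not in network]


if __name__ == "__main__":
    scope, names = scan_scope(HOSTFILE_LINES)
    stray = outside_range(scope, "192.168.0.0/24")  # assumed authorized range
    print("%d addresses, %d outside 192.168.0.0/24, hostnames: %s"
          % (len(scope), len(stray), names))
```

Run against the example host file, the single line 10.0.0-255.1-254 accounts for 65,024 of the 65,027 addresses, all of them outside the assumed 192.168.0.0/24 range.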

    Nmap Port Selection

    To scan specific ports on a system, instead of the default top 1000 commonly used ports, you could use -p parameter. 

    nmap -p 22,80,443 192.168.0.2-50
    $nmap -p 22,80,443 192.168.0.2-50
    Starting Nmap 7.70 ( https://nmap.org ) at 2020-09-18 20:18 UTC
    Nmap scan report for server-1.geekflare.com (192.168.0.7)
    Host is up (0.00018s latency).
    
    PORT    STATE  SERVICE
    22/tcp  open   ssh
    80/tcp  closed http
    443/tcp closed https
    
    Nmap scan report for server-2.geekflare.com (192.168.0.8)
    Host is up (0.00094s latency).
    
    PORT    STATE  SERVICE
    22/tcp  open   ssh
    80/tcp  closed http
    443/tcp closed https
    
    Nmap scan report for server-3.geekflare.com (192.168.0.9)
    Host is up (0.00092s latency).
    
    PORT    STATE  SERVICE
    22/tcp  open   ssh
    80/tcp  closed http
    443/tcp closed https
    
    Nmap scan report for server-4.geekflare.com (192.168.0.10)
    Host is up (0.00089s latency).
    
    PORT    STATE  SERVICE
    22/tcp  open   ssh
    80/tcp  closed http
    443/tcp closed https
    
    Nmap done: 49 IP addresses (4 hosts up) scanned in 1.65 seconds

    The above command will scan only for ports 22, 80, and 443 on the IP addresses mentioned.

    nmap -p 1-500 192.168.0.2

    The above command will scan for ports 1 to 500 on the host mentioned.

    nmap -p- 192.168.0.2

    Using -p- will scan all 65535 ports.

    Redirecting output to a file

    By default, Nmap prints the output on the terminal, but when scanning a large network, it is better to save the results in a file for better analysis. You can save the results of its scans in different file formats.

    Normal output format [-oN]

    Normal mode will give you the output as you see it on your screen.

    nmap -oN /tmp/scanResult.txt 192.168.0.0/24

    XML output format [-oX]

    We could export the results in XML format. It is one of the most used file formats as most programming languages have libraries for XML parsing.

    nmap -oX /tmp/scanResult.xml 192.168.0.0/24
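
Because the XML report is structured, a short script can turn it into an inventory of open ports and compare it with what each host is expected to expose. This is an added example, not from the original article; the XML is a constructed sample in Nmap's -oX layout, and the baseline and function names are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the layout Nmap writes with -oX, trimmed to the
# elements used below. Addresses reuse the 192.168.0.0/24 range from above.
SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -oX /tmp/scanResult.xml 192.168.0.0/24">
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="192.168.0.7" addrtype="ipv4"/>
    <address addr="00:00:5E:00:53:07" addrtype="mac"/>
    <ports>
      <extraports state="closed" count="999"/>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" method="table" conf="3"/>
      </port>
    </ports>
  </host>
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="192.168.0.8" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" method="table" conf="3"/>
      </port>
      <port protocol="tcp" portid="25">
        <state state="filtered" reason="no-response"/>
        <service name="smtp" method="table" conf="3"/>
      </port>
      <port protocol="tcp" portid="3306">
        <state state="open" reason="syn-ack"/>
      </port>
    </ports>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="192.168.0.11" addrtype="ipv4"/>
  </host>
</nmaprun>"""

# Hypothetical baseline: SSH is the only service each host should expose.
BASELINE = {"192.168.0.7": {(22, "tcp")}, "192.168.0.8": {(22, "tcp")}}


def open_ports(xml_text):
    """Map each host that is up to its sorted list of (port, protocol, service)."""
    inventory = {}
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        # A host can carry several <address> elements (IP plus MAC); key on the IP.
        ip = next((a.get("addr") for a in host.findall("address")
                   if a.get("addrtype") in ("ipv4", "ipv6")), None)
        if ip is None:
            continue
        ports = []
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # keep only ports Nmap marked open
            service = port.find("service")
            name = service.get("name", "unknown") if service is not None else "unknown"
            ports.append((int(port.get("portid")), port.get("protocol"), name))
        inventory[ip] = sorted(ports)
    return inventory


def unexpected_ports(inventory, baseline):
    """Return (ip, port, protocol, service) for open ports the baseline does not list."""
    findings = []
    for ip, ports in sorted(inventory.items()):
        allowed = baseline.get(ip, set())
        for number, proto, name in ports:
            if (number, proto) not in allowed:
                findings.append((ip, number, proto, name))
    return findings


if __name__ == "__main__":
    for finding in unexpected_ports(open_ports(SAMPLE_XML), BASELINE):
        print("unexpected open port: %s %d/%s (%s)" % finding)
```

For a real report, read the file with `ET.parse("/tmp/scanResult.xml").getroot()` instead of parsing the embedded string.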

    Grepable Output format [-oG]

    We get the output in a format that is very easily used with the grep command. The output could later be fed to command-line utilities like – awk, grep, sed to perform additional operations as required.

    nmap -oG /tmp/scanResult.txt 192.168.0.0/24

    Script kiddie output [-oS]

    It writes the output in “leet” speak, replacing letters with visually similar numbers and symbols. This output format is not useful for any particular case and was included only as a joke.

    nmap -oS /tmp/scanResult scanme.nmap.org
    $nmap -oS /tmp/scanResult scanme.nmap.org
    Starting Nmap 7.70 ( https://nmap.org ) at 2020-09-18 20:34 UTC
    Nmap scan report for scanme.nmap.org (45.33.32.156)
    Host is up (0.053s latency).
    Other addresses for scanme.nmap.org (not scanned): 2600:3c01::f03c:91ff:fe18:bb2f
    Not shown: 995 closed ports
    PORT      STATE    SERVICE
    22/tcp    open     ssh
    25/tcp    filtered smtp
    80/tcp    open     http
    9929/tcp  open     nping-echo
    31337/tcp open     Elite
    
    Nmap done: 1 IP address (1 host up) scanned in 2.12 seconds
    $
    $cat /tmp/scanResult
    $tart|Ng Nmap 7.70 ( httpz://NmAp.oRg ) aT 2020-09-18 20:34 UTc
    Nmap $can rEp0rt f0r Scanm3.nmap.0rg (45.33.32.156)
    H0st iS up (0.053s lat3ncy).
    Other addreSSes for $canm3.nmap.0Rg (n0t scanN3D): 2600:3c01::f03c:91ff:fE18:bb2f
    Not sh0wn: 995 clOs3d p0rtS
    P0rT      $TAT3    S3RV|C3
    22/TCp    op3n     Ssh
    25/tcp    f1ltEr3d $mtp
    80/tCp    op3n     http
    9929/tcp  Open     Nping-ech0
    31337/tCP 0pen     3litE
    
    Nmap d0n3: 1 Ip addRe$s (1 hO$t up) $CANN3d In 2.12 s3C0nDz

    Various Nmap scan types

    TCP Connect Scan [-sT]

    This is the basic form of TCP scanning and involves no stealth. It attempts to establish a complete connection with each port in the specified range using the full three-way handshake (SYN -> SYN/ACK -> ACK). A successful connection indicates an open port.

    This is the default scan type Nmap uses when executed by an unprivileged user.

    nmap -sT 192.168.0.1
    $nmap -sT 192.168.0.7
    Starting Nmap 7.70 ( https://nmap.org ) at 2020-09-18 19:52 UTC
    Nmap scan report for server-1.geekflare.com (192.168.0.7)
    Host is up (0.00042s latency).
    Not shown: 999 closed ports
    PORT   STATE SERVICE
    22/tcp open  ssh
    
    Nmap done: 1 IP address (1 host up) scanned in 0.09 seconds

    TCP SYN Scan [-sS]

    Also known as a half-open scan, it is stealthier than a TCP connect scan as it never establishes a complete connection. TCP SYN scan is the default scan type when executed as a privileged user; unprivileged users cannot run this scan because it requires raw socket / raw packet privileges.

    nmap -sS 192.168.0.1
    $sudo nmap -sS 192.168.0.7
    Starting Nmap 7.70 ( https://nmap.org ) at 2020-09-18 19:51 UTC
    Nmap scan report for server-1.geekflare.com (192.168.0.7)
    Host is up (0.00022s latency).
    Not shown: 999 closed ports
    PORT   STATE SERVICE
    22/tcp open  ssh
    
    Nmap done: 1 IP address (1 host up) scanned in 1.50 seconds
    $nmap -sS 192.168.0.1
    You requested a scan type which requires root privileges.
    QUITTING!

    As we could see in the example above, a SYN scan could not be executed by a non-privileged user.

    UDP scan [-sU]

    If no flag is specified, by default, Nmap scans for TCP ports. To scan for UDP ports, we have to use the -sU flag, as shown below.

    $sudo nmap -sU 192.168.0.8
    Starting Nmap 7.70 ( https://nmap.org ) at 2020-09-18 19:44 UTC
    Nmap scan report for server-2.geekflare.com (192.168.0.8)
    Host is up (0.00036s latency).
    Not shown: 999 closed ports
    PORT     STATE         SERVICE
    5355/udp open|filtered llmnr
    
    Nmap done: 1 IP address (1 host up) scanned in 999.27 seconds

    Ping Scan [-sn]

    This is highly useful when you only need to know whether the host is alive or not and do not need information about open ports on the hosts.

    This is often referred to as ‘Ping sweep’. In previously released versions of Nmap, -sn was known as -sP.

    nmap -sn 192.168.1.0/24
    $nmap -sn 192.168.1.0/24
    Starting Nmap 7.70 ( https://nmap.org ) at 2020-09-18 19:39 UTC
    Nmap scan report for server-7.geekflare.com (192.168.1.2)
    Host is up (0.033s latency).
    Nmap scan report for server-10.geekflare.com (192.168.1.3)
    Host is up (0.035s latency).
    Nmap scan report for server-13.geekflare.com (192.168.1.4)
    Host is up (0.10s latency).
    Nmap done: 256 IP addresses (3 hosts up) scanned in 9.85 seconds

    In the above example, we could see, in the specified target subnet, out of 256 IP addresses scanned, only three hosts are up.

    nmap -sn -n -v 192.168.0.0/24 -oG - | grep -iv down

    -sn –> Ping scan.

    -n –> Skip DNS resolution to speed up the scan.

    -v –> Increase verbosity to get more information about the scan.

    -oG –> Provide the output in grepable format.

    - –> The hyphen after -oG sends the grepable output to standard output, which is then piped to grep.

    -iv –> grep options: match case-insensitively (-i) and invert the match (-v), dropping the lines that contain the word ‘down’.

    $nmap -sn -n -v 192.168.0.0/24 -oG - | grep -iv down
    # Nmap 7.70 scan initiated Fri Sep 18 19:40:17 2020 as: nmap -sn -n -v -oG - 192.168.0.0/24
    # Ports scanned: TCP(0;) UDP(0;) SCTP(0;) PROTOCOLS(0;)
    Host: 192.168.0.7 ()    Status: Up
    Host: 192.168.0.8 ()    Status: Up
    Host: 192.168.0.9 ()    Status: Up
    Host: 192.168.0.10 ()   Status: Up
    # Nmap done at Fri Sep 18 19:40:20 2020 -- 256 IP addresses (4 hosts up) scanned in 2.91 seconds

    We could see only four hosts are alive out of 256 IP addresses scanned in the subnet.

    OS and Service Version Detection

    OS Scanning

    In addition to port scanning and host discovery, Nmap could also provide information about the underlying operating system. Nmap has one of the largest operating system fingerprint databases and can identify operating systems by analyzing their response to TCP/IP probes.

    It could be enabled with the -O flag. Below is the command –

    nmap -O localhost
    $sudo nmap -O localhost
    Starting Nmap 7.70 ( https://nmap.org ) at 2020-09-18 19:32 UTC
    Nmap scan report for localhost (127.0.0.1)
    Host is up (0.000012s latency).
    Other addresses for localhost (not scanned): ::1
    Not shown: 999 closed ports
    PORT   STATE SERVICE
    22/tcp open  ssh
    Device type: general purpose
    Running: Linux 3.X
    OS CPE: cpe:/o:linux:linux_kernel:3
    OS details: Linux 3.7 - 3.10
    Network Distance: 0 hops
    
    OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 3.89 seconds

    Version Scanning

    Nmap can also identify the services running on open ports along with their version information. This helps you find services running vulnerable versions so that they can be updated to mitigate the risk.

    It could be enabled with the -sV flag.

    nmap -sV localhost
    $sudo nmap -sV localhost
    Starting Nmap 7.70 ( https://nmap.org ) at 2020-09-18 19:35 UTC
    Nmap scan report for localhost (127.0.0.1)
    Host is up (0.000010s latency).
    Other addresses for localhost (not scanned): ::1
    Not shown: 999 closed ports
    PORT   STATE SERVICE VERSION
    22/tcp open  ssh     OpenSSH 8.0 (protocol 2.0)
    
    Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 1.96 seconds

    Aggressive Scan

    Nmap also offers an aggressive, advanced scan mode that enables OS detection (-O), script scanning (-sC), version scanning (-sV), and traceroute (--traceroute).

    We could pass the -A argument to perform an aggressive scan.

    $sudo nmap -A scanme.nmap.org
    Starting Nmap 7.70 ( https://nmap.org ) at 2020-09-18 20:26 UTC
    Nmap scan report for scanme.nmap.org (45.33.32.156)
    Host is up (0.051s latency).
    Other addresses for scanme.nmap.org (not scanned): 2600:3c01::f03c:91ff:fe18:bb2f
    Not shown: 995 closed ports
    PORT      STATE    SERVICE    VERSION
    22/tcp    open     ssh        OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)
    | ssh-hostkey: 
    |   1024 ac:00:a0:1a:82:ff:cc:55:99:dc:67:2b:34:97:6b:75 (DSA)
    |   2048 20:3d:2d:44:62:2a:b0:5a:9d:b5:b3:05:14:c2:a6:b2 (RSA)
    |   256 96:02:bb:5e:57:54:1c:4e:45:2f:56:4c:4a:24:b2:57 (ECDSA)
    |_  256 33:fa:91:0f:e0:e1:7b:1f:6d:05:a2:b0:f1:54:41:56 (ED25519)
    25/tcp    filtered smtp
    80/tcp    open     http       Apache httpd 2.4.7 ((Ubuntu))
    |_http-server-header: Apache/2.4.7 (Ubuntu)
    |_http-title: Go ahead and ScanMe!
    9929/tcp  open     nping-echo Nping echo
    31337/tcp open     tcpwrapped
    Aggressive OS guesses: Linux 2.6.32 (94%), Linux 3.2 - 4.9 (94%), Linux 2.6.32 - 3.10 (94%), Linux 3.4 - 3.10 (93%), Linux 3.1 (92%), Linux 3.2 (92%), Linux 3.3 (92%), Synology DiskStation Manager 5.2-5644 (92%), Netgear RAIDiator 4.2.28 (92%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (92%)
    No exact OS matches for host (test conditions non-ideal).
    Network Distance: 7 hops
    Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
    
    TRACEROUTE (using port 143/tcp)
    HOP RTT      ADDRESS
    1   48.15 ms 72.14.239.197
    2   52.74 ms 209.85.253.9
    3   49.54 ms 142.250.234.59
    4   49.99 ms 108.170.242.251
    5   50.70 ms 213.52.131.176
    6   50.85 ms 173.230.159.71
    7   53.40 ms scanme.nmap.org (45.33.32.156)
    
    OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 259.05 seconds
    $$sudo nmap -A scanme.nmap.org
    Starting Nmap 7.70 ( https://nmap.org ) at 2020-09-18 20:33 UTC
    Stats: 0:00:00 elapsed; 0 hosts completed (0 up), 0 undergoing Script Pre-Scan
    NSE Timing: About 0.00% done

    Legal issues with port scanning

    It is always advisable to get written authorization/permission from the owner of the target network before initiating any scan.

    For example – http://scanme.nmap.org/ has authorized itself to be scanned. You could read the details on the official website.

    What’s next?

    Check out how to install Nmap on Windows.