First page Back Continue Last page Overview Text


The nmap program supports many options. With it you can effectively scan a network for open ports and do OS finger printing. But nmap can be perceived as an attack on a network. In some cases, a well configured firewall will temporarily disable packets from the “attacking” host. There some experimental options which allow you to do a “zombie” scan which will make the host believe the packets are coming from somwhere else. Obviously, this could definitely be construed as an aggressive attack (WARNING).

To scan a host that does not reply to pings:

# nmap -P0 <hostname>

To scan for hosts for ones which have either smtp or ssh ports open on the 192.168.1 network.

$ nmap -p 22,25 192.168.1.*

To scan for the SNMP port (UDP) on the 192.168.1 network:

# nmap -sU -p 161 192.168.1.*

(Note: RFC 1812 documents a limiting of ICMP error rate which most Unix/Linux hosts have implemented. This will greatly slow down the rate at which you can do UDP scanning. Many non-Unix OS's do not implement the suggestions of RFC 1812 though which makes scanning those hosts extremely quick.)

To do a finger print scan on a host:

# nmap -O localhost
tarting nmap V. 3.00 ( )
Interesting ports on localhost (
(The 1596 ports scanned but not shown below are in state: closed)
Port State Service
22/tcp open ssh
25/tcp open smtp
111/tcp open sunrpc
631/tcp open ipp
6000/tcp open X11
Remote operating system guess: Linux Kernel 2.4.0 - 2.5.20
Uptime 0.123 days (since Thu Mar 20 08:52:45 2003)

Nmap run completed -- 1 IP address (1 host up) scanned in 7 seconds