Nmap is a port scanner included in many distributions of Linux and other UNIX like systems. It can be used to scan machines in a network in a variety of different ways.

Command Line Options

Nmap Usage

Nmap is run from the command line, so you run it just like all other command line programs. For the most part, nmap will run without needing root access, but for certain scans, you will have to be root. This is because nmap sometimes needs to create raw packets.

Things To Try

Try scanning scanme.nmap.org with the different flags listed above from netsec-playground.cs.northwestern.edu. You can use sudo from netsec-playground. Look through the output and see how the scan results differ. A typical nmap command line looks like this:

$ sudo nmap -A -sS -P0 -p 1-65535 scanme.nmap.org

Nmap allows you to easily scan an entire subnet. Before running this command, discuss with your partner which IP addresses it will scan. Be careful when scanning subnets, though. If you specify something like by accident, you'll actually be scanning half of the internet.

$ sudo nmap -A -sS -P0

You can run the following scan without root privilege. Why?

$ nmap -sT -p 1-65535 scanme.nmap.org

Read the man page:

$ man nmap


Try scanning the vulnerable VM with nmap used for the Nessus lab at There is a service located in the port range 1400-1600, use ncat and nmap to exploit it (maybe with the help of some searching online). Note that you will have to scan from hamsa since the VM is firewalled and therefore you cannot use scans that require root access.