
Nmap Installation on Linux: A Comprehensive Guide with Real-World Examples

Dear reader, welcome to my in-depth guide on installing and using Nmap on Linux. As an experienced network analyst, I’m excited to share my knowledge to help you master this incredible security tool. By the end of this guide, you’ll have Nmap up and running and be well on your way to discovering and protecting your network. So let’s get started!

What is Nmap?

For those new to network security, Nmap (short for "Network Mapper") is an open source tool used to scan networks and gather information about the live hosts, services, and vulnerabilities.

Nmap has been around for over 20 years and has become the de facto standard for network discovery and security auditing. Over those two decades, Nmap has been downloaded over 30 million times and is included in many cybersecurity distros such as Kali Linux.

According to Nmap’s own data, the tool is used regularly by over two-thirds of the Fortune 50 and US federal government agencies. So you can rest assured that by installing Nmap, you’re using an industry-proven and trusted security tool.

Now that you know what Nmap is in a nutshell, let’s look at some of its incredible capabilities:

  • Host discovery – Find live hosts on a network, even if they are stealthy and don’t respond to ping.

  • Port scanning – Scan TCP and UDP ports to determine which are open and what services/applications are listening.

  • Version detection – Interrogate open ports to identify service versions to detect vulnerabilities.

  • OS fingerprinting – Determine the operating system running on remote hosts based on how they respond to probes.

  • Network mapping – Discover large networks including devices and topology.

  • Scriptable – Extend capabilities through Nmap Scripting Engine (NSE) scripts.

As you can see, Nmap gives you incredible visibility and power when it comes to understanding networks and securing them. Next, we’ll cover the process of installing it on Linux.

Installing Nmap on Linux

One of the great things about Nmap is that it runs on all major operating systems. Here we’ll focus specifically on installing on Linux since it offers the most flexibility and power for Nmap scanning.

Most Linux distributions include Nmap in their package repositories. That means installation is as simple as using the system package manager. However, some older distros may not have the latest Nmap version, or it may not be available at all. In those cases, you can always compile from source.

In this section we’ll cover installation methods for the most common distros:

  • Debian/Ubuntu
  • Red Hat/CentOS
  • Arch Linux
  • Compiling from source

But first, let’s quickly cover the prerequisites:

Prerequisites

Nmap relies on raw packet access to the network for most scan types, which requires root privileges on Linux, and installing packages requires root as well. So you’ll need to run both the installation commands and later scans with sudo or as root.

Also, make sure you have an updated package index before installing. On Debian/Ubuntu:

sudo apt update

And on RHEL/CentOS:

sudo yum update

Okay, with that out of the way, let’s get Nmap installed!

Installing on Debian/Ubuntu

On Debian, Ubuntu, and all derivatives, you can use the apt package manager:

sudo apt install nmap

Once installed, verify you have the latest stable version:

nmap -V
# Nmap version 7.80 ( https://nmap.org )

If your distro is behind, you can optionally add the official Nmap repository to always stay current.

For example:

sudo apt install software-properties-common
sudo add-apt-repository ppa:nmap/stable
sudo apt update && sudo apt install nmap

This will give you the bleeding edge Nmap versions. But for most purposes the stable repo version is recommended.

Installing on RHEL/CentOS

On RedHat, CentOS, and other RHEL-based distros, use Yum:

sudo yum install nmap

Verify with:

nmap -V
# Nmap version 7.70 ( https://nmap.org )

RHEL systems tend to have older package versions. If you want the latest Nmap, configure the official repo:

sudo yum install wget
wget https://nmap.org/dist/nmap-7.80-1.x86_64.rpm
sudo rpm -ivh nmap-7.80-1.x86_64.rpm

Installing on Arch Linux

For Arch Linux and Manjaro, Nmap is available in the Community repository:

sudo pacman -S nmap

Validate you have the latest version installed:

nmap -V
# Nmap version 7.80 ( https://nmap.org )

Arch moves fast so this will ensure you have the most up-to-date Nmap from upstream.

Compiling from Source

If for some reason a packaged Nmap version isn’t available for your distro, compiling it yourself is straightforward.

First install the prerequisite libraries:

sudo apt install build-essential libpcap-dev libpcre3-dev libssl-dev liblua5.3-dev

Or on RHEL/CentOS:

sudo yum install gcc make libpcap-devel pcre-devel openssl-devel lua-devel

Now grab the latest source tarball from nmap.org:

wget https://nmap.org/dist/nmap-7.80.tar.bz2

Extract the files:

tar xf nmap-7.80.tar.bz2

Change into the extracted directory and configure:

cd nmap-7.80
./configure

Finally, compile and install:

make
sudo make install

This will compile Nmap from source and install the nmap executable in /usr/local/bin/.
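The installation steps above can be scripted. The following is an added example (not the article's own code, and not an Nmap project script): nmap_install_cmd reads /etc/os-release (or a file passed as its first argument, so it can be tried against constructed samples) and prints the package-manager command for Debian/Ubuntu, RHEL/CentOS or Arch, falling back to the source build; nmap_version_at_least checks an "nmap -V" banner against a minimum version. The os-release field names (ID, ID_LIKE) are the standard ones; the 7.80 tarball name is the one used in this guide.

```shell
#!/bin/sh
# Added example, not part of the original article. Picks the Nmap install
# command for this distro from /etc/os-release (or the file given as $1)
# and checks an "nmap -V" banner against a minimum version.

nmap_install_cmd() {
    osrel="${1:-/etc/os-release}"
    [ -r "$osrel" ] || { echo "cannot read $osrel" >&2; return 2; }
    # ID names the distro itself; ID_LIKE lists the families it derives from
    id=$(sed -n 's/^ID=//p' "$osrel" | tr -d '"')
    like=$(sed -n 's/^ID_LIKE=//p' "$osrel" | tr -d '"')
    case " $id $like " in
        *" debian "*|*" ubuntu "*)
            echo "sudo apt update && sudo apt install nmap" ;;
        *" rhel "*|*" centos "*|*" fedora "*)
            echo "sudo yum install nmap" ;;
        *" arch "*|*" manjaro "*)
            echo "sudo pacman -S nmap" ;;
        *)  # no known package manager: build the source tarball as shown above
            echo "wget https://nmap.org/dist/nmap-7.80.tar.bz2 && tar xf nmap-7.80.tar.bz2 && cd nmap-7.80 && ./configure && make && sudo make install" ;;
    esac
}

# Usage: nmap_version_at_least "$(nmap -V | head -n1)" 7.80
# Returns 0 if the banner's major.minor is >= the minimum, 1 if it is older,
# 2 if the banner could not be parsed (e.g. nmap is not installed).
nmap_version_at_least() {
    have=$(printf '%s\n' "$1" | sed -n 's/^Nmap version \([0-9]*\)\.\([0-9]*\).*/\1 \2/p')
    [ -n "$have" ] || return 2
    # positional params become: have_major have_minor want_major want_minor
    set -- ${have} "${2%%.*}" "${2#*.}"
    [ "$1" -gt "$3" ] && return 0
    [ "$1" -eq "$3" ] && [ "$2" -ge "$4" ]
}

# Run with --plan to print the install command for this machine and,
# if nmap is already present, whether it is at least 7.80.
if [ "${1:-}" = "--plan" ]; then
    nmap_install_cmd
    if command -v nmap >/dev/null 2>&1; then
        nmap_version_at_least "$(nmap -V | head -n1)" 7.80 && echo "nmap is 7.80 or newer"
    fi
fi
```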

And there you have it! Nmap is now installed on your Linux system. Next we’ll go over some real-world examples to start leveraging the powerful network scanning capabilities it offers.

Nmap Usage and Examples

Now for the fun stuff! In this section I’ll demonstrate practical examples of using Nmap to scan networks.

We’ll cover:

  • Scanning your own server/network
  • Scanning from an external vantage point
  • Going stealthy
  • Determining services/versions
  • Detecting OS and vulnerabilities
  • Useful options and switches

I encourage you to follow along with these examples to get hands-on experience with Nmap. Just be sure you have permission to scan networks and hosts or use the designated practice targets like scanme.nmap.org.

Okay, ready? Let’s start mapping some networks!

Scanning Your Own Servers & Network

When getting started with Nmap, it’s best to practice on your own infrastructure to get familiar with it.

Start by scanning a single server to see what ports are open:

sudo nmap 192.168.1.100

This will scan the 1000 most common TCP ports on the host 192.168.1.100. The output will show you which ports are open, closed, or filtered.

Next, expand to scan your whole subnet for live hosts. The -sn option disables the port scan, since here we only want host discovery:

sudo nmap -sn 192.168.1.0/24

Now you have a list of all the live devices on your network!

You can build on these simple scans to run more advanced functions like service detection, OS fingerprinting, vulnerability scanning, and more. We’ll cover examples of those next.
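Scanning your own servers is most useful when the result is compared against what you expect to be open. The following is an added example (not from the article or the Nmap project) that parses Nmap's grepable output (-oG, an output option the article does not cover) and reports every open port that is missing from an allowlist. The allowlist format ("host port/proto" per line) and the sample scan lines are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the original article: baseline check over
# Nmap grepable output. Typical use after a scan of your own subnet:
#   sudo nmap -oG scan.gnmap 192.168.1.0/24 && check_baseline scan.gnmap allow.txt

# Print "host port/proto service" for every open port in a -oG file.
open_ports() {
    # Fields are tab-separated; the "Ports:" field lists entries of the form
    # port/state/proto/owner/service/rpcinfo/version separated by ", ".
    awk -F'\t' '/^Host: / {
        host = $1; sub(/^Host: /, "", host); sub(/ .*/, "", host)
        for (i = 2; i <= NF; i++) if ($i ~ /^Ports: /) {
            n = split(substr($i, 8), p, /, */)
            for (j = 1; j <= n; j++) {
                split(p[j], f, "/")
                if (f[2] == "open") printf "%s %s/%s %s\n", host, f[1], f[3], f[5]
            }
        }
    }' "$1"
}

# Print open ports absent from the allowlist ("host port/proto" per line).
unexpected_ports() {
    open_ports "$1" | while read -r host port svc; do
        grep -qxF "$host $port" "$2" || printf '%s %s %s\n' "$host" "$port" "$svc"
    done
}

# Exit 0 when every open port is on the allowlist, 1 (with a report) otherwise.
check_baseline() {
    extra=$(unexpected_ports "$1" "$2")
    [ -z "$extra" ] && return 0
    printf 'UNEXPECTED open port(s):\n%s\n' "$extra" >&2
    return 1
}

# Constructed sample data (not a real scan) so the example runs offline.
write_samples() {
    printf 'Host: 192.168.1.100 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.2/, 80/open/tcp//http//Apache httpd 2.4.7/, 3306/open/tcp//mysql///, 443/closed/tcp//https///\tIgnored State: closed (996)\n' > "$1/scan.gnmap"
    printf 'Host: 192.168.1.101 ()\tPorts: 22/open/tcp//ssh///\tIgnored State: filtered (999)\n' >> "$1/scan.gnmap"
    printf '192.168.1.100 22/tcp\n192.168.1.100 80/tcp\n192.168.1.101 22/tcp\n' > "$1/allow.txt"
}

# Run with --demo: the unlisted MySQL port on 192.168.1.100 is reported.
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d); write_samples "$d"
    check_baseline "$d/scan.gnmap" "$d/allow.txt"
fi
```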

External Scans

In addition to scanning your internal network, you can use Nmap remotely to get an external perspective.

Run an external scan against your public IP address (here the practice target scanme.nmap.org stands in for it):

sudo nmap -T4 scanme.nmap.org

This will scan from the outside-in to determine what ports are visible to the public internet. The -T4 sets a faster timing profile.

You can also scan other public servers like Google:

sudo nmap -T4 google.com

Use these types of external scans to audit the attack surface of your servers as visible from the internet.

Stealth Scans

One of Nmap’s most useful features is the ability to perform "stealth" scans that are less likely to be detected by the target.

For example, a TCP SYN scan:

sudo nmap -sS 192.168.1.100

This never completes the full three-way handshake, making it less conspicuous.

Or a UDP scan:

sudo nmap -sU -T4 192.168.1.100

Many firewalls and IDS systems won’t notice a UDP scan since there is no real connection.

Use stealth scans any time you want to minimize detection and avoid tipping off the target.

Service and Version Detection

Finding open ports is useful, but even more valuable is determining what services and application versions are actually running on those ports.

The -sV option enables version scanning:

sudo nmap -sV 192.168.1.100

This will probe each open port to figure out whether it’s HTTP, MySQL, SSH, SMB etc. It will also attempt to grab the exact version number like Apache 2.4.7.

You can feed this service and version info into vulnerability scanners to find weak spots and exploits.

OS Fingerprinting

Along with services and versions, Nmap can also detect the operating system on each live host.

OS fingerprinting is activated with the -O flag:

sudo nmap -O 192.168.1.100

Nmap maintains an extensive OS fingerprint database to make highly educated guesses about each host’s OS.

Why does OS matter? Because vulnerabilities and exploits are often specific to certain operating systems and versions.

Vulnerability Scanning

Speaking of vulnerabilities, you can leverage Nmap for basic vulnerability detection using the Nmap Scripting Engine.

Some useful vulnerability scanning scripts:

  • http-vuln-cve2010-2861 – Checks for an HTTP MD5 exploit
  • smb-vuln-ms06-025 – Detects Windows SMB vulnerabilities
  • vulners – Checks for any associated CVEs in open services

For example:

sudo nmap --script vulners 192.168.1.100

This will scan the target host for all vulnerabilities associated with the discovered services and their versions.

While it‘s no substitute for a dedicated vulnerability scanner like Nessus, Nmap definitely lets you spot basic security holes.

Useful Options and Switches

We’ve only scratched the surface of what’s possible with Nmap. Here is a quick reference of some useful options and switches:

  • -p- – Scan all TCP ports instead of just top 1000
  • -p U:<ports> – Scan the listed UDP ports (together with -sU)
  • -T4 – Faster scan, scale of 0 to 5
  • -A – Enables OS, version, script scanning
  • -oN file.txt – Save normal output to file
  • --open – Show only open (or possibly open) ports
  • -n – Never do reverse DNS resolution
  • -v – Increase verbosity level (use -vv or more)
  • --reason – Show reason for port state (open|closed|filtered)
  • -Pn – Treat all hosts as online – skip host discovery

Check out the full list of options in the Nmap man pages.

Optimizing Nmap Performance

As you can see, Nmap is hugely powerful. But with great power comes some complexity. Here are some tips to optimize your scans and get the most out of Nmap:

  • Update Nmap – Use the newest version for speed and accuracy improvements

  • Run as root – Nmap requires raw packet access for most scan types

  • Ping sweep first – Discover live hosts then scan, don’t scan entire subnets

  • Use hostgroups – Break large scans into smaller batches

  • Scan from different locations – Leverage closer scan vantage points to go faster

  • Adjust timing – Use -T3 or higher timing template for faster scans

  • Disable reverse DNS – Add -n to avoid slow DNS lookups

  • Save output – Don’t print to screen for large scan jobs

  • Stay legal – Only scan your own networks or with explicit permission

Following these best practices will help your Nmap scanning be more efficient, stealthy, and complete.

Closing Thoughts

Well there you have it! We’ve walked through installing Nmap on Linux systems, real-world usage examples, and optimization tips. You should now have a solid foundation to start leveraging Nmap’s incredible power to discover and map your networks.

Nmap represents an invaluable tool for any cybersecurity professional, network admin, or IT specialist. Take some time to scan your own infrastructure and get comfortable with the different scan types and options.

Remember to always scan responsibly and never target any network or host without permission!

I hope this guide has demystified the world’s best open source port scanner. Go forth and Nmap to your heart’s content! Let me know if you have any other questions.

Happy scanning!


Written by Alexis Kestler

A female web designer and programmer, now a 36-year IT professional with over 15 years of experience living in NorCal. I enjoy keeping my feet wet in the world of technology through reading, working, and researching topics that pique my interest.