Using nmap from the Command Line

The command line syntax for nmap is similar to any other command line-based utility. Each option is specified one after another on the same line, separated by a space and in no particular order. Nmap uses Unix-style command line syntax by preceding option abbreviations with a single hyphen (-) and non-abbreviated options with two hyphens (--).


The nmap command

nmap -v -p 80 --randomize_hosts 192.168.0.*
will run nmap with the verbose option (-v), scan only port 80 (-p 80), and randomize the order of the selected hosts (--randomize_hosts) across the range of 192.168.0.0 through 192.168.0.255. Notice that the abbreviated -v and -p options use only one hyphen and the non-abbreviated --randomize_hosts option uses two hyphens.


Nmap Target Specifications
Nmap provides many methods of specifying a scan target. The target specification can be placed anywhere on the command line.

A single IP address or hostname can be specified on the command line without any wildcards or lists. For example, the command nmap 192.168.1.5 will perform an nmap scan of the 192.168.1.5 address.

A group of hosts can be specified in "slash notation," sometimes referred to as a Classless Inter-Domain Routing (CIDR, pronounced "cider") block notation. The term slash notation refers to the forward-slash that is placed between the IP network address and the number of subnet mask bits. A host specification of 192.168.1.5/24 references a subnet mask of 24 bits, which would scan everything between 192.168.1.0 and 192.168.1.255.

Hyphens, commas, and asterisks can also be used to create a list of hosts. The nmap host specification of 192.168.1-2.* would scan everything between 192.168.1.0 and 192.168.2.255. This could also be specified as 192.168.1,2.0-255, or as 192.168.1-2.1,2-5,6-255. Watch those commas and periods!

The nmap man page adds another twist to the target specification: wildcards can be used in the network portion of the address as well as the host portion. For example, *.*.1.5 would scan all devices between 1.0.1.5 and 255.255.1.5 (that's a total of 65,535 possible devices!).
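The two sections above describe how nmap reads its command line (single-hyphen abbreviations, double-hyphen long options, targets anywhere on the line) and how a target specification expands into individual addresses. The following Python script is an added example, not part of the original text and not nmap's own code; it reproduces those expansion rules (slash notation via the standard ipaddress module, hyphen ranges, comma lists and * wildcards) and splits a command line like the one shown earlier into options and targets. The option table it uses (-p taking an argument, -v and --randomize_hosts taking none) is an assumption that covers only the options used on this page, not nmap's full option set. Previewing the expanded target list before running a scan is the check a practitioner wants here: it confirms that the spelling covers exactly the addresses the scan is authorized for.

```python
import ipaddress
import itertools
import random

# Assumption: only the options that appear on this page are modelled. Single-hyphen
# abbreviations that take an argument are listed here; -v and --randomize_hosts take none.
OPTIONS_WITH_ARG = {"-p"}
OCTET_CHARS = set("0123456789,-*")


def split_command(argv):
    """Split nmap-style arguments (program name excluded) into options and targets.

    Options may appear in any order and targets anywhere on the line, as the text
    describes. Returns ([(option, argument_or_None), ...], [target_spec, ...]).
    """
    options, targets = [], []
    tokens = iter(argv)
    for tok in tokens:
        if not tok.startswith("-"):
            targets.append(tok)
        elif tok.startswith("--"):
            options.append((tok, None))          # long option, e.g. --randomize_hosts
        elif tok[:2] in OPTIONS_WITH_ARG:
            arg = tok[2:] or next(tokens, None)  # accepts both "-p80" and "-p 80"
            if arg is None:
                raise ValueError(f"option {tok} requires an argument")
            options.append((tok[:2], arg))
        else:
            options.append((tok, None))          # flag abbreviation, e.g. -v
    return options, targets


def expand_octet(spec):
    """Expand one octet field: '5', '*', '1-2', or a comma list such as '1,2-5,6-255'."""
    if spec == "*":
        return list(range(256))
    values = set()
    for part in spec.split(","):
        if "-" in part:
            lo, hi = part.split("-", 1)
            lo, hi = (int(lo) if lo else 0), (int(hi) if hi else 255)
        else:
            lo = hi = int(part)
        if not 0 <= lo <= hi <= 255:
            raise ValueError(f"octet range out of bounds: {part!r}")
        values.update(range(lo, hi + 1))
    return sorted(values)


def expand_target(spec):
    """Expand a single target specification into IPv4Address objects.

    Slash (CIDR) notation is handled by the standard ipaddress module; host bits in
    the address are ignored, so 192.168.1.5/24 yields 192.168.1.0 .. 192.168.1.255.
    Anything that is not a dotted quad of octet fields is returned unchanged as a
    hostname, leaving name resolution to the scanner.
    """
    if "/" in spec:
        return list(ipaddress.ip_network(spec, strict=False))
    fields = spec.split(".")
    if len(fields) != 4 or not all(f and set(f) <= OCTET_CHARS for f in fields):
        return [spec]
    return [
        ipaddress.IPv4Address(".".join(map(str, combo)))
        for combo in itertools.product(*(expand_octet(f) for f in fields))
    ]


def plan_scan(argv, seed=None):
    """Parse an nmap-style command line and return the fully expanded scan plan."""
    options, specs = split_command(argv)
    names = {name for name, _ in options}
    targets = [addr for spec in specs for addr in expand_target(spec)]
    if "--randomize_hosts" in names:
        random.Random(seed).shuffle(targets)  # seeded only so the plan is reproducible
    return {
        "verbose": "-v" in names,
        "ports": [arg for name, arg in options if name == "-p"],
        "targets": targets,
    }


if __name__ == "__main__":
    plan = plan_scan(["-v", "-p", "80", "--randomize_hosts", "192.168.0.*"], seed=1)
    print(f"verbose={plan['verbose']} ports={plan['ports']} targets={len(plan['targets'])}")
    for spec in ("192.168.1-2.*", "192.168.1,2.0-255", "192.168.1-2.1,2-5,6-255"):
        print(f"{spec:28} -> {len(expand_target(spec))} addresses")
```

Running the script shows why an expansion preview is worth the few seconds it costs: 192.168.1-2.* and 192.168.1,2.0-255 both expand to the same 512 addresses, but 192.168.1-2.1,2-5,6-255 expands to 510, because its spelled-out ranges begin at 1 and so omit the .0 address of each of the two subnets. That is exactly the kind of comma-and-period slip the text warns about, and it is much cheaper to catch in a list than in a scan log.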


Privileged Access
To have access to all possible options, nmap should always be run by a privileged user. A system's privileged users can create custom Ethernet packets that bypass the checks that are normally done by the operating system. With these custom "raw" packets, nmap can manufacture packet header combinations that induce unique responses from the remote stations. These responses then provide nmap with much more information than would normally be available to a non-privileged user.

On a Unix-based system, privileged access means that nmap should run as root, and on Windows-based systems nmap should have Administrator rights. Lack of privileged access doesn't mean that nmap won't work, but certain scanning methods and program options will not be available. In the cases where an option isn't available because of the current permissions, nmap will provide this message:
You requested a scan type which requires r00t privileges, and you do not have them.

QUITTING!
Where applicable, the operational details between a privileged and non-privileged user have been detailed in the scan type descriptions of this document.