How to use NMAP? First of all you have to get Nmap from the official website here. In this guide we will cover the Windows version of NMAP. At the time of this writing the newest version of NMAP is 6.47, thus we will download and install the Latest release self-installer: nmap-6.47-setup.exe
. After the installation is completed we are ready to use nmap. We can either use nmap in CLI mode or we can simply use the GUI. In this guide we will use the GUI (just run
Nmap - Zenmap GUI).
NMAP is probably the most known tool for port scanning and network testing. It is so powerful that can be used as well for good and by hackers as a starting point for malicious activities.
Find open ports on devices in a network
NMAP Parameters
Nmap has a lot of commands, but in this example we will list the commands that we use in this guide. Usually it will be more than enought for most people.
Here is the meaning of the parameters that we use in our examples:
- -T4 -T <0-5>: This is how aggressive the scan should be performed. -T0 is very slow. -T5 is very fast. We use -T4, which is the most common value used. It can alert IDS systems, but it's very fast. -T0 for example is very slow, because it scans one port at time and for big networks it will take forever;
- -sS this is a TCP SYN scan. This kind of scan is capable of scanning even thousands of ports per second. This kind of scan "asks" the devices to start a TCP connection, but it doesn't acknowledge it, so no TCP connection is done. For this reason it is considered to be stealthy.
- -sU is a UPD scan.
- -sSU is combination of UDP and TCP port scanning.
- T: specifies that this port should be checked as TCP. In case of UDP the parameter is U:
- -iL Specifies the input file that contains the list of hosts/networks. Nmap requires to have the path of the .txt file with the IP addresses or ranges
- -oN Specifies the output file that will contain the information that npmap will write while scanning the network. This is the "normal" output.
- -oX Saves the output data in XML format
- -oA Saves the output data in XML, Normal and Grepable format
- --append-output With this option on, nmap will create an output .txt file if there is such a file yet or, if there is already a file with the provided name, it will add the new collected information below. Without this option nmap overwrites the output file.
- –open If you want to avoid nmap listing devices that do not have any port open this option is what you are looking for. It will list only the devices that have at least one port open or "maybe open"
- -n Will give you only the IP address, without hostname. It will make the scan significanly faster.
Input file - input IP or ranges
These are the nmap supported input formats that you can put on the -iL input file:
- IP addresses - One per line (ie. 192.168.1.1, 192.168.1.2, etc)
- Hostnames - One per line (ie. hostnamepc1, hostnamerouter2, etc)
- CIDR - One per line (ie. 192.168.1.0/24, 192.168.0.0/16, etc)
- IPv6 - One per line (ie. fd62:207f:13cd:185f:xxxx:xxxx:xxxx:xxxx, etc)
- Octet ranges - One per line (ie. 192.168.3-5,7.1)
Find devices that have SNMP on
If you are searching devices that have SNMP on and configured on the 161 port we need to bear in mind that usually SNMP works in UDP, however it happens to configure SNMP to accept TCP connections (usually for authorisation purposes), thus we have 3 possible basic commands that will help us find SNMP devices
Find SNMP devices on TCP
nmap -T4 -sS -p T:161 -iL c:\input.txt -oN c:\output.txt --append-output –open
Find SNMP devices on UDP
nmap -T4 -sU -p 161 -iL c:\input.txt -oN c:\output.txt --append-output –open
Find SNMP devices on UDP and TCP in one command
nmap -T4 -sSU -p 161 -iL c:\input.txt -oN c:\output.txt --append-output -open
Scan a list of ports
This example shows how we can write the command in order to scan the TCP ports 21,22,23,24,25,80,139,161. We can list all of them one by one, or we can write port ranges as in the example below
Scan a TCP port range
nmap -T4 -sS -p T:21-25,80,139,161 -iL c:\src_netlist.txt -oN c:\pingNports_out.txt --append-output –open
Scan a TCP port range and one UPD port
nmap -T4 -sSU -p T:21-25,80,139,161,U:161 -iL c:\src_netlist.txt -oN c:\pingNports_out.txt --append-output –open
Export in XML format
The Normal output of nmap that we get thanks to -oN can be hard to edit later. Especially if you scan a big network and you need to put the output data in Excel and use data filters.
For this reason it is a good idea to Export in Excel or in all the nmap supported output formats. In case a format is not good, you can take the data from the other output file that better suits your needs.
Export in XML format
In order to save the export file in a standard XML format you should use -oX instead than -oN. For example:
nmap -T4 -sU -p 161 -iL c:\input.txt -oX c:\output.xml --append-output –open
Export in XML, Normal and Grepable format
The following example shows how to save the data in 3 formats. This command not only saves the data in XML, but it will save it in Normal and Grepable format (very useful for filtering with Grep or even with Notepad++)
nmap -T4 -sU -p 161 -iL c:\input.txt -oA c:\output.xml --append-output –open
How to open the nmap XML exports in Microsoft Excel
Using XLS stylesheet
When trying to open with Excel the XML that NMAP generated you may see this window:

Excel is asking if you want to open it in a standard way, you whether you want to open it using the nmap standard stylesheet (something that works like a CSS stylesheet)
If you decide to open it using the "Open the file with the following stylesheet applied" you may get an error message such as:

This error happens more often in x64 operating systems such as Windows 7. In order to correct this error you need to open the XML file and change the path to the nmap.xls stylesheet. For example usually you have to replace:
<?xml-stylesheet href="file:///C:/Program Files/Nmap/nmap.xsl" type="text/xsl"?>
with
<?xml-stylesheet href="file:\\\C:\Program Files (x86)\Nmap\nmap.xsl" type="text/xsl"?>
When you manage to open the XML with the nmap stylesheet you will see a well formatted XML file that is more similar to a Web Page with hyperlinks. However you may still get an error like:

In order to fix this error you have to open the .xml file with a text editor and delete the whole line that starts with <!DOCTYPE, and then save it and try again.
Using standard Excel XML handling
Open the .xml with excel and when prompted, select "Open the file without applying a stylesheet"

and the choose "as an XML table"
and the file will open in a nice excel table with headers and the possibility to use the filters straight away.
How to open the Normal txt report in Excel
If you well edit the .txt file that Nmap generates, you will be able to open it in Excel and every device will be on its own row, and the results will be in separate columns. Follow the steps:
- Open the normal nmap txt output with Notepad++
- In the replace window, select Extended Search mode
- In the same window search \n\r and replace it with \r\n
- Then search \r\n and replace it with \t
- Then search \r and repleace it with nothing... just leave it empty
- Then search Nmap scan report for and repleace it with nothing... just leave it empty
- Delete the first and last line
- Import in in excel
If you have questions or comments feel free to contact me or leave a comment below
Leave a comment