An nmap primer: scanning ports, fingerprinting hosts, and staying legal

If you just want a quick look at what’s listening on a Linux machine, the one-liner is:

nmap -sS -O 127.0.0.1

That’s an nmap SYN scan with OS detection against your own loopback interface. If you’ve never used nmap before, that command is a fine first step — but the tool can do a lot more than that, and a little context helps.


What nmap actually is, and how to use it without being scary.

Nmap (“Network Mapper”) is the de facto open-source port scanner and network-discovery tool. It’s been around since 1997, ships in every major Linux distro’s package manager, and is the same thing security teams, sysadmins, and CTF players reach for when they need to know what’s running on a host.

At its simplest, you give nmap a target and it tells you which TCP/UDP ports are open, what services are likely behind them, and (with a bit of coaxing) what OS is on the other end.

The flags in the original command

  • -sS — “SYN scan” (also called “half-open” or “stealth” scan). Nmap sends a TCP SYN, treats a SYN/ACK reply as “open” and a RST as “closed” (no reply at all is reported as “filtered”), then answers the SYN/ACK with a RST instead of finishing the handshake. Because the handshake never completes, the service on the other end never gets an accept() and writes nothing to its own logs; that is the whole of the “stealth”, and it does nothing against a firewall or IDS that watches packets. It is also faster than a full connect scan. Requires root (or CAP_NET_RAW) because it crafts raw packets.
  • -O — OS fingerprinting. Nmap sends a series of TCP, UDP and ICMP probes and compares details of the replies (TCP options, initial window size, IP ID behaviour and so on) against its fingerprint database to guess the operating system. Also requires root, for the same reason.

If you don’t have root, drop -sS and -O and use the default TCP connect scan, which works as a regular user:

nmap 127.0.0.1

A handful of nmap recipes worth knowing

Scan a whole subnet. Useful for figuring out what’s on your home network:

nmap -sn 192.168.1.0/24

-sn is “ping scan” — discover hosts without scanning ports. Quick way to map out who’s alive on a LAN.

Scan specific ports. By default nmap scans the 1000 most common ports. Sometimes you want a specific range or a full sweep:

nmap -p 22,80,443 example.com         # specific ports
nmap -p 1-65535 example.com           # all 65k ports
nmap -p- example.com                  # shorthand for the same
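To make the connect scan and the -p syntax concrete, here is a small Python scanner. It is an added example for this post, not code from nmap: it expands an nmap-style port spec, completes a real three-way handshake per port the way the default non-root scan does, and runs against constructed loopback listeners that record every accepted connection, which is exactly the log entry a -sS scan would never leave. The listeners, the scanned ports and the timeouts are all assumptions chosen so the script runs offline.

```python
"""TCP connect scan in plain Python, the technique behind nmap's default
non-root scan. Added example for this post; it is not nmap's code. It
starts constructed listeners on loopback so it runs offline, and accepts
port specs in the same shape as nmap's -p ("22,80,443", "1-1024", "-")."""
import socket
import threading
import time


def parse_port_spec(spec: str) -> list[int]:
    """Expand an nmap-style port spec into a sorted list of ports.

    Supports single ports, "lo-hi" ranges and the bare "-" meaning 1-65535.
    """
    if spec.strip() == "-":
        return list(range(1, 65536))
    ports: set[int] = set()
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = part.split("-", 1)
            ports.update(range(int(lo or 1), int(hi or 65535) + 1))
        else:
            ports.add(int(part))
    bad = [p for p in ports if not 1 <= p <= 65535]
    if bad:
        raise ValueError(f"port out of range: {bad}")
    return sorted(ports)


def connect_scan(host: str, ports: list[int], timeout: float = 0.5) -> dict[int, str]:
    """Complete the three-way handshake on each port, like nmap without root.

    Returns port -> "open" (handshake completed), "closed" (RST, surfaced as
    ConnectionRefusedError) or "filtered" (no answer or an ICMP unreachable).
    """
    results: dict[int, str] = {}
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            try:
                s.connect((host, port))
                results[port] = "open"
            except ConnectionRefusedError:
                results[port] = "closed"
            except OSError:  # timeout, EHOSTUNREACH, ENETUNREACH, ...
                results[port] = "filtered"
    return results


class Listener:
    """Constructed target service that records every completed handshake.

    This is the log a real daemon would keep: a connect scan shows up here,
    a SYN scan (-sS) never does, because accept() only returns once the
    handshake has completed.
    """

    def __init__(self) -> None:
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind(("127.0.0.1", 0))  # port 0: the kernel picks a free one
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]
        self.seen: list[tuple[str, int]] = []
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self) -> None:
        while True:
            try:
                conn, peer = self.sock.accept()
            except OSError:  # socket shut down, end the thread
                return
            self.seen.append(peer)
            conn.close()

    def close(self) -> None:
        try:
            self.sock.shutdown(socket.SHUT_RDWR)  # wakes the blocked accept()
        except OSError:
            pass
        self.sock.close()


def demo() -> dict:
    """Scan two constructed open ports and one known-closed port on loopback."""
    targets = [Listener(), Listener()]
    # Reserve a port and release it again, so we know it is currently closed.
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()

    spec = ",".join(str(p) for p in (targets[0].port, targets[1].port, closed_port))
    results = connect_scan("127.0.0.1", parse_port_spec(spec))

    # Give the listener threads a moment to accept() the handshakes we completed.
    deadline = time.monotonic() + 2.0
    while time.monotonic() < deadline and any(not t.seen for t in targets):
        time.sleep(0.01)
    report = {
        "open": sorted(p for p, s in results.items() if s == "open"),
        "closed": sorted(p for p, s in results.items() if s == "closed"),
        "handshakes_logged": sum(len(t.seen) for t in targets),
    }
    for t in targets:
        t.close()
    return report


if __name__ == "__main__":
    print(demo())
```

The report always shows two handshakes logged by the targets: that is the difference between this scan and -sS in one number. Scanning sequentially with a 0.5 s timeout is fine on loopback; against a filtered host nmap parallelises and adapts the timeout, which is why it is the tool and this is the illustration.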

Service and version detection. Beyond just “port 80 is open,” find out it’s nginx 1.18.0:

nmap -sV example.com

The kitchen-sink scan. A common starting point in CTFs and engagements:

nmap -sC -sV -O -p- 10.10.10.5

-sC runs the default NSE (Nmap Scripting Engine) script set, which probes for common misconfigurations and grabs banners; -sV does service-version detection; -O guesses the OS; -p- covers all ports. This takes a while but gives you the most information per invocation.

Save output for later. When the scan takes 20 minutes, you don’t want to scroll back through your terminal:

nmap -sC -sV -oA myscan example.com

-oA myscan writes three files: myscan.nmap (human-readable), myscan.gnmap (grep-friendly), and myscan.xml (for tools that consume nmap output programmatically).
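The .xml file is the one worth keeping, because it is the one you can diff. Below is an added example (not the nmap project's code) that parses the XML nmap writes and reports ports that are open in a new scan but were not in the saved baseline. The two documents in it are constructed samples in the shape nmap 7.x emits, trimmed to the elements the parser reads; the host addresses, services and version strings are invented.

```python
"""Parse nmap's -oX / -oA XML output and diff two scans.

Added example for this post, not the nmap project's code. The two XML
documents below are constructed samples in the shape nmap 7.x emits,
trimmed to the elements this parser reads; run it on a real myscan.xml
with parse_nmap_xml(open("myscan.xml").read())."""
import xml.etree.ElementTree as ET

BASELINE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oA myscan 10.10.10.5" version="7.94">
<host><status state="up" reason="syn-ack"/>
<address addr="10.10.10.5" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
  <service name="ssh" product="OpenSSH" version="8.9p1" method="probed" conf="10"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
  <service name="http" product="nginx" version="1.18.0" method="probed" conf="10"/></port>
<port protocol="tcp" portid="443"><state state="closed" reason="reset"/>
  <service name="https" method="table" conf="3"/></port>
</ports></host>
<host><status state="down" reason="no-response"/>
<address addr="10.10.10.6" addrtype="ipv4"/></host>
</nmaprun>
"""

# Constructed "later" scan: same host, but someone started a proxy on 8080.
LATER_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oA myscan2 10.10.10.5" version="7.94">
<host><status state="up" reason="syn-ack"/>
<address addr="10.10.10.5" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
  <service name="ssh" product="OpenSSH" version="8.9p1" method="probed" conf="10"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
  <service name="http" product="nginx" version="1.18.0" method="probed" conf="10"/></port>
<port protocol="tcp" portid="8080"><state state="open" reason="syn-ack"/>
  <service name="http-proxy" method="table" conf="3"/></port>
</ports></host>
</nmaprun>
"""


def parse_nmap_xml(xml_text: str) -> dict[str, list[dict]]:
    """Return {address: [port records]} for every host nmap reported as up.

    nmap output comes from your own tool, so plain ElementTree is acceptable;
    for XML from untrusted hands parse with defusedxml instead.
    """
    root = ET.fromstring(xml_text)
    hosts: dict[str, list[dict]] = {}
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            addr = host.find("address")  # ipv6-only host
        if addr is None:
            continue
        records = []
        for port in host.findall("ports/port"):
            state = port.find("state")
            svc = port.find("service")
            records.append({
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "state": state.get("state") if state is not None else "unknown",
                "service": svc.get("name") if svc is not None else None,
                "product": svc.get("product") if svc is not None else None,
                "version": svc.get("version") if svc is not None else None,
            })
        hosts[addr.get("addr")] = records
    return hosts


def open_ports(hosts: dict[str, list[dict]]) -> dict[str, set[tuple[str, int]]]:
    """Collapse a parse to {address: {(proto, port), ...}} for open ports only."""
    return {
        addr: {(r["proto"], r["port"]) for r in recs if r["state"] == "open"}
        for addr, recs in hosts.items()
    }


def new_open_ports(baseline_xml: str, current_xml: str) -> dict[str, list[int]]:
    """Ports open now that were not open in the saved baseline, per host.

    A host absent from the baseline counts as entirely new exposure.
    """
    before = open_ports(parse_nmap_xml(baseline_xml))
    after = open_ports(parse_nmap_xml(current_xml))
    diff: dict[str, list[int]] = {}
    for addr, now in after.items():
        added = now - before.get(addr, set())
        if added:
            diff[addr] = sorted(port for _, port in added)
    return diff


if __name__ == "__main__":
    for addr, recs in parse_nmap_xml(BASELINE_XML).items():
        for r in recs:
            if r["state"] == "open":
                print(f"{addr}:{r['port']}/{r['proto']} {r['service']} {r['product']} {r['version']}")
    print("newly open:", new_open_ports(BASELINE_XML, LATER_XML))
```

Run the same scan on a schedule, keep the baseline .xml, and feed each new file through new_open_ports: a port that appears between runs is worth a question long before anyone else asks it.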

Local alternatives when you only care about your own machine

If the question is “what’s listening on this machine” — not “what does the network see” — nmap is overkill. Two standard tools that ship with every distro are faster and more precise (lsof may need installing on minimal images):

ss -tulpn         # listening TCP/UDP sockets with PIDs (modern, replaces netstat)
lsof -i -P -n     # everything with an open network file descriptor

The big difference: ss and lsof read the kernel’s socket table and tell you exactly what is bound, including the local address, process name and PID (the PID column needs root for processes that aren’t yours). nmap probes from the network and reports only what a remote peer can reach: a service bound to 127.0.0.1 shows up in ss but is invisible to an nmap scan from another machine, and a service ss shows bound to 0.0.0.0 may still be unreachable from outside because of a host firewall. Both viewpoints are useful; they answer slightly different questions, and comparing them is the quickest way to spot a firewall rule you forgot about or an exposure you didn’t know you had.
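“Reads the kernel’s socket table” is literal: on Linux, ss parses /proc/net/tcp and /proc/net/tcp6 and then walks /proc/*/fd to pin each socket inode to a PID. The following added example (not the iproute2 or lsof source) does the same in Python so the format is visible. The two table excerpts are constructed samples in the exact layout the kernel emits; the inodes, UIDs and ports in them are invented, and live_listeners() reads the real files only when it is run on a Linux box.

```python
"""Read the kernel socket table the way `ss -tln` does.

Added example for this post, not the ss/iproute2 source. The parser works
on the text format of /proc/net/tcp and /proc/net/tcp6; the samples below
are constructed (an sshd on 127.0.0.1:22, something on 0.0.0.0:443, an
HTTP listener on [::]:80, and one established client connection)."""
import glob
import os
import socket
import struct

# Constructed /proc/net/tcp and /proc/net/tcp6 excerpts. Addresses are hex in
# host (little-endian) byte order, ports are big-endian hex, st 0A = LISTEN.
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18232 1 0000000000000000 100 0 0 10 0
   1: 00000000:01BB 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20017 1 0000000000000000 100 0 0 10 0
   2: 0100007F:C35A 0100007F:0016 01 00000000:00000000 00:00000000 00000000  1000        0 31555 1 0000000000000000 20 4 30 10 -1
"""
SAMPLE_TCP6 = """\
  sl  local_address                         remote_address                        st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000000000000000000000000000:0050 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000    33        0 22901 1 0000000000000000 100 0 0 10 0
"""

LISTEN = "0A"  # TCP_LISTEN in the kernel's state enum


def decode_hex_addr(field: str) -> tuple[str, int]:
    """Turn '0100007F:0016' into ('127.0.0.1', 22); v6 fields are 32 hex digits.

    IPv4 is one little-endian 32-bit word; IPv6 is four of them in sequence.
    """
    hex_ip, hex_port = field.split(":")
    if len(hex_ip) == 8:
        ip = socket.inet_ntop(socket.AF_INET, struct.pack("<I", int(hex_ip, 16)))
    else:
        words = [int(hex_ip[i:i + 8], 16) for i in range(0, 32, 8)]
        ip = socket.inet_ntop(socket.AF_INET6, struct.pack("<IIII", *words))
    return ip, int(hex_port, 16)


def listening_sockets(table_text: str, proto: str = "tcp") -> list[dict]:
    """Parse one /proc/net/{tcp,tcp6} table and keep only LISTEN entries."""
    out = []
    for line in table_text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 10 or fields[3] != LISTEN:
            continue
        addr, port = decode_hex_addr(fields[1])
        out.append({"proto": proto, "addr": addr, "port": port,
                    "uid": int(fields[7]), "inode": int(fields[9])})
    return out


def inode_to_pid() -> dict[int, int]:
    """Map socket inodes to PIDs by walking /proc/*/fd, as `ss -p` does.

    Needs root to see other users' processes; links you cannot read are skipped,
    which is exactly why ss shows a blank process column without sudo.
    """
    owners: dict[int, int] = {}
    for fd in glob.glob("/proc/[0-9]*/fd/*"):
        try:
            target = os.readlink(fd)
        except OSError:
            continue
        if target.startswith("socket:["):
            owners[int(target[8:-1])] = int(fd.split("/")[2])
    return owners


def live_listeners() -> list[dict]:
    """Every TCP listener on this Linux host, with the PID where readable.

    Returns an empty list on systems without /proc/net/tcp.
    """
    found = []
    for path, proto in (("/proc/net/tcp", "tcp"), ("/proc/net/tcp6", "tcp6")):
        try:
            with open(path) as fh:
                found.extend(listening_sockets(fh.read(), proto))
        except OSError:  # not Linux, or /proc not mounted
            pass
    owners = inode_to_pid()
    for entry in found:
        entry["pid"] = owners.get(entry["inode"])
    return found


if __name__ == "__main__":
    print("constructed sample:")
    for s in listening_sockets(SAMPLE_TCP) + listening_sockets(SAMPLE_TCP6, "tcp6"):
        print(" ", s)
    print("this host:")
    for s in live_listeners():
        print(" ", s)
```

Note what the sample exposes: the established connection from 127.0.0.1:50010 to port 22 is in the same table as the listeners and is filtered out only by its state column, and the 0.0.0.0:443 listener is bound to every interface, which is the kind of entry you then confirm from the outside with nmap.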

One important caveat — only scan what you’re allowed to scan

Port scanning machines you don’t own or have explicit permission to test ranges from a gray area to a crime, depending on jurisdiction. The Computer Fraud and Abuse Act in the US, the Computer Misuse Act in the UK, and similar laws elsewhere are written broadly around unauthorized access, and where the line sits for a “harmless” scan varies by country and by court; don’t count on the scan itself being treated as innocent.

Safe targets for learning nmap:

  • 127.0.0.1 and your own machine’s IPs.
  • Your own home network (your router and the devices on it).
  • scanme.nmap.org — a host the nmap project explicitly puts up for people to practice scans against. Be polite to it: a few scans a day, not a stress test.
  • CTF platforms (Hack The Box, TryHackMe) — purpose-built target environments where scanning is the expected behavior.
  • Customer or employer infrastructure only when you have written authorization for a security assessment.

For everything else, assume “don’t scan it” is the right answer. The technical capability is the easy part; the social/legal part is what separates a security professional from someone explaining themselves to a lawyer.

This entry was posted in Linux, Operating System. Bookmark the permalink.
