(Nmap logo)

Nmap info (from Wikipedia)

Original author(s): Gordon Lyon (Fyodor)
Initial release: September 1997
Stable release: 7.93 (1 September 2022)
Repository: https://github.com/nmap/nmap.git
Written in: C, C++, Python, Lua
Operating system: Cross-platform
Available in: English
Type: Network security
License: NPSL, or modified GPLv2, or proprietary
Website: https://nmap.org
Command example: nmap -h

What Is Nmap

Nmap (“Network Mapper”) is an open source tool for network exploration and security auditing. It was designed to rapidly scan large networks, although it works fine against single hosts. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. While Nmap is commonly used for security audits, many systems and network administrators find it useful for routine tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime.

Reference: https://nmap.org/book/man.html#man-description

Where Nmap Is Used

Nmap is cross-platform software: it runs on Windows, Linux and the other Unix-like systems, macOS, Android and other operating systems. The same command-line options work on all of them, although the raw-packet scan types need root or administrator privileges wherever they are run.

How Nmap Works

Nmap works by probing a network for hosts and for the services those hosts offer. It sends crafted packets to the targets, reads the responses that come back (or notes that nothing came back), and uses that information to build a map of the network. The map includes which hosts are up, which ports on each host are open, closed or filtered, what service and version is listening on each open port, how the hosts are reached (hop path), what does and does not make it through a firewall and, when scripts are enabled, security issues the scripts can identify.

How is all of that accomplished? The core scan engine builds raw IP packets itself (which is why most scan types need root or administrator privileges) and interprets replies, timeouts and ICMP errors. On top of it, the Nmap Scripting Engine (NSE) runs Lua scripts against the discovered hosts and services; scripts exist for more advanced service and version detection, vulnerability detection, backdoor detection, brute-force authentication and, in some cases, exploitation. Nmap is an extremely powerful tool, but a good deal of networking background is needed to use it correctly and to interpret its results.

Internet security companies can use Nmap to scan a system and understand what weaknesses exist that a hacker could potentially exploit. As the program is open-source and free, it is one of the more common tools used for scanning networks for open ports and other weaknesses. At Holm Security, we use this technology in a very effective way, as we provide an excellent web-based security service, which ensures that the clients’ ports remain securely closed to those not granted permission.

Reference: https://www.holmsecurity.com/blog/what-is-nmap

What Nmap Is Used For

Nmap itself is not an attack tool; it is an information-gathering (reconnaissance) tool. The gathering is active: Nmap sends probes to the target rather than only observing traffic, so every scan produces packets that the target's firewall or intrusion detection system can log. It is used to collect scan data from servers, client computers and other devices on a network, and from internet-facing hosts such as web servers. Only scan systems you own or have written permission to test; scanme.nmap.org is provided by the Nmap project for practice.

Nmap Features

Nmap provides a number of features for probing computer networks, including host discovery and service and operating system detection. These features are extensible by scripts that provide more advanced service detection, vulnerability detection, and other features.

Reference: https://en.wikipedia.org/wiki/Nmap

Nmap Tool General Features

Feature            Description
Host Discovery     Finds which hosts on a network are up.
Service Detection  Reports the services and applications (name and, with -sV, version) listening on the discovered hosts.
OS Detection       Reports the operating system of the target system: OS family and version, and often the device type.
Device Detection   Lists the devices on the same network with information about each (IP address, MAC address and vendor, hostname).

Using Nmap

Nmap is driven by command-line options. The program is run with these options, which can be combined in many ways.

For example, to get service/version information and an operating system guess for a target, use -sV and -O together. In a terminal:

$ nmap [target IP or domain name] -sV -O

-O, like the raw-packet scan types it relies on, needs root or administrator privileges; on Linux or macOS run it with sudo.

1. Ping Scanning

A ping scan (host discovery only) reports which hosts in a range are up, without port-scanning them. Despite the name it is not limited to ICMP echo: as a privileged user Nmap sends an ICMP echo request, a TCP SYN to port 443, a TCP ACK to port 80 and an ICMP timestamp request, and on a local Ethernet segment it uses ARP requests instead.

You can use the following command to execute a ping scan (-sn; older versions spelled this option -sP):

nmap -sn 192.168.1.0/24

2. Port Scanning

There are many ways to scan for ports. The main differences between the scan types are which protocol they cover (TCP, UDP or SCTP) and, for TCP, whether Nmap completes a real connection (-sT, the connect scan, which works without privileges) or sends raw packets and interprets the replies itself (-sS and the other raw scans, which need root or administrator privileges).

For instance, the TCP connect scan (-sT) opens a full connection to every probed port, while the UDP scan (-sU) sends UDP datagrams to ports such as DNS (53), SNMP (161) and DHCP (67) and judges each port by the reply, or the ICMP error, that comes back.

Let's review the different port scanning types below.

Using the -p parameter to scan a single port (the 192.168.0.0/16 addresses used in this section are private, example addresses):

nmap -p 973 192.168.0.1

Restricting a port list to one protocol with a prefix (T: for TCP, U: for UDP, S: for SCTP). The prefix applies to every port that follows it until the next prefix, and the list must contain no spaces, or the shell splits it into separate arguments:

nmap -p T:7777,973 192.168.0.1

Using a hyphen to give a range of ports (-p- alone means every port, 1-65535):

nmap -p 76-973 192.168.0.1

Using --top-ports to scan the n ports most often found open, ranked by the frequency data in Nmap's nmap-services file:

nmap --top-ports 10 scanme.nmap.org
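The -p grammar above, and its fuller form in the usage text at the end of this page (for example -p U:53,111,137,T:21-25,80,139,8080,S:9), is easy to get wrong, so here is a small parser for it. This is an added example in Python, not code from the original page or from the Nmap project; the names parse_port_spec and probe_count are chosen here, and the prefix handling follows Nmap's documented rule that a T:, U: or S: prefix applies to everything after it until the next prefix.

```python
# Added example (not Nmap's own code): parse an Nmap -p port specification
# into per-protocol port sets.  Grammar, from the Nmap usage text:
#   -p22   -p1-65535   -p-   -p U:53,111,137,T:21-25,80,139,8080,S:9
# A T:/U:/S: prefix applies to every element after it until the next prefix;
# elements before any prefix apply to all three protocols.

PROTOCOL_PREFIXES = {"T": "tcp", "U": "udp", "S": "sctp"}


def parse_port_spec(spec):
    """Return {"tcp": set, "udp": set, "sctp": set} for an Nmap port spec.

    Spaces are stripped here for convenience only.  On a real command line
    'nmap -p T:7777, 973 host' fails, because the shell splits the argument
    at the space and Nmap then treats '973' as a target name.
    """
    ports = {"tcp": set(), "udp": set(), "sctp": set()}
    current = None  # no prefix seen yet: elements apply to every protocol
    for element in spec.replace(" ", "").split(","):
        if len(element) > 1 and element[1] == ":":
            prefix = element[0].upper()
            if prefix not in PROTOCOL_PREFIXES:
                raise ValueError("unknown protocol prefix %r" % element[:2])
            current = PROTOCOL_PREFIXES[prefix]
            element = element[2:]
        if not element:
            raise ValueError("empty element in port specification %r" % spec)
        if "-" in element:
            low, high = element.split("-", 1)
            lo = int(low) if low else 1        # '-N' means 1-N,
            hi = int(high) if high else 65535  # 'N-' means N-65535, '-' alone is 1-65535
        else:
            lo = hi = int(element)
        if not 0 <= lo <= hi <= 65535:
            raise ValueError("port range out of bounds: %r" % element)
        for proto in ([current] if current else list(ports)):
            ports[proto].update(range(lo, hi + 1))
    return ports


def probe_count(ports):
    """Ports probed per host if every protocol in the spec is scanned.

    Nmap only sends the UDP and SCTP entries when -sU / -sY are also given,
    so this is an upper bound for a plain -sS or -sT scan.
    """
    return sum(len(s) for s in ports.values())


if __name__ == "__main__":
    for spec in ("973", "T:7777,973", "76-973",
                 "U:53,111,137,T:21-25,80,139,8080,S:9"):
        parsed = parse_port_spec(spec)
        print("%-42s tcp=%d udp=%d sctp=%d" % (
            spec, len(parsed["tcp"]), len(parsed["udp"]), len(parsed["sctp"])))
```

Note how "T:7777,973" puts both ports under TCP: the prefix carries over the comma, which is what the page's example intends once the stray space is removed.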

3. Host Scanning

Host scanning gives you information on a specific host or a range of IP addresses: whether each host is up, its round-trip latency, its MAC address and vendor (shown only when the target is on the same Ethernet segment, where Nmap discovers hosts with ARP), and its reverse DNS name. This lets you quickly spot, and investigate, hosts on your network that should not be there.

You can use the following commands to execute a host scan (the 192.168.0.0/16 addresses are private, example addresses):

Listing several targets separated by spaces; Nmap scans them in parallel groups:

nmap 192.168.1.1 192.168.0.2 192.168.0.3

Using the asterisk (*) as a wildcard for a whole octet (the same as 0-255):

nmap 192.168.1.*

Using commas to list several values for one octet instead of typing each full address:

nmap 192.168.0.1,2,3,4

Using a hyphen to give a range for an octet (ranges and lists work in any octet, for example 10.0.0-255.1-254):

nmap 192.168.0.0-255

Note: To scan a hostname, simply put the hostname in place of the IP address. CIDR notation (192.168.0.0/24) is also accepted.
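All of the target notations above expand to a plain list of addresses before Nmap sends a single probe, and knowing that count before a scan (a /16 ping scan is 65,536 hosts) avoids surprises. The following is an added example in Python, not code from the page or from Nmap: expand_target and MAX_ADDRESSES are names chosen here, the 65,536-address cap is an assumption made for safety, and hostnames are passed through unresolved so that the code runs offline. It also covers CIDR blocks and ranges in any octet, as in the usage text's 10.0.0-255.1-254.

```python
# Added example (not Nmap's own code): expand the IPv4 target notations used
# on this page into the list of addresses Nmap would scan.  Handles CIDR
# (192.168.1.0/24), per-octet ranges and lists (10.0.0-255.1-254,
# 192.168.0.1,2,3,4), the '*' wildcard (192.168.1.*) and plain addresses.
# Hostnames are returned unchanged; Nmap would resolve them first.
import ipaddress
import itertools
import re

MAX_ADDRESSES = 1 << 16  # assumption: refuse to expand more than a /16 at once
_OCTET_SPEC = re.compile(r"^[0-9*,\-]+$")


def _expand_octet(part):
    """'5', '3-5', '3-5,7', '-5', '250-' or '*' -> sorted values 0-255."""
    if part == "*":
        return list(range(256))
    values = set()
    for piece in part.split(","):
        if "-" in piece:
            low, high = piece.split("-", 1)
            lo = int(low) if low else 0       # '-5' means 0-5
            hi = int(high) if high else 255   # '250-' means 250-255
        else:
            lo = hi = int(piece)
        if not 0 <= lo <= hi <= 255:
            raise ValueError("bad octet range %r" % piece)
        values.update(range(lo, hi + 1))
    return sorted(values)


def expand_target(spec):
    """Return the list of targets (address strings) for one Nmap target spec."""
    spec = spec.strip()
    if "/" in spec:
        base = spec.partition("/")[0]
        try:
            ipaddress.ip_address(base)
        except ValueError:
            return [spec]  # e.g. microsoft.com/24: the name must be resolved first
        net = ipaddress.ip_network(spec, strict=False)
        if net.num_addresses > MAX_ADDRESSES:
            raise ValueError("refusing to expand %d addresses" % net.num_addresses)
        # Nmap scans the network and broadcast addresses of a CIDR block as well.
        return [str(addr) for addr in net]
    octets = spec.split(".")
    if len(octets) == 4 and all(_OCTET_SPEC.match(o) for o in octets):
        expanded = [_expand_octet(o) for o in octets]
        total = 1
        for values in expanded:
            total *= len(values)
        if total > MAX_ADDRESSES:
            raise ValueError("refusing to expand %d addresses" % total)
        return [".".join(str(v) for v in combo)
                for combo in itertools.product(*expanded)]
    return [spec]  # a hostname: left for the resolver


if __name__ == "__main__":
    for spec in ("192.168.0.1,2,3,4", "192.168.1.*", "192.168.0.0-255",
                 "192.168.1.0/24", "10.0.0-255.1-254", "scanme.nmap.org"):
        targets = expand_target(spec)
        print("%-20s -> %6d target(s), first %s" % (spec, len(targets), targets[0]))
```

The list this produces is exactly what you would write to a file for -iL, and the count is the number to multiply by the ports per host from the -p spec to estimate how many probes a scan will send.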

4. OS Scanning

Nmap can also perform operating system detection, script scanning, version detection and traceroute (-A turns on all four). OS detection is one of the most powerful features of the tool.

OS detection (-O) sends a series of TCP, UDP and ICMP probes to the target, including probes to one open and one closed TCP port and to a closed UDP port, and examines low-level details of the replies: TCP options and their order, initial sequence number behaviour, window sizes, IP ID generation and similar. The resulting fingerprint is compared against the nmap-os-db database of more than 2,600 known fingerprints, and Nmap reports the matching operating system (and version) or a list of close guesses.

You can use the following command to execute an OS scan (root or administrator privileges are required; add -sV to get service versions as well):

nmap -O scanme.nmap.org

Disclaimer: OS detection is not always accurate, and it works best when the target has at least one open and one closed TCP port. Still, it does a fairly good job of getting a pen tester closer to their target.

5. Stealth Scanning

A stealth scan (SYN scan, also called a half-open scan) sends a SYN packet to each port and classifies the port from the reply. A SYN/ACK means the port is open; Nmap then sends a RST instead of the ACK that would complete the connection. A RST means the port is closed. No reply after retransmissions, or an ICMP unreachable error, means the port is filtered.

Because the three-way handshake is never completed, no connection is ever established, so the listening application never sees the probe and does not log it. The scan is not invisible, however: firewalls and intrusion detection systems inspect the SYN packets themselves and routinely flag SYN scans. This scan type needs root or administrator privileges because Nmap builds the raw packets itself, and it is the default scan type whenever those privileges are available.

Use the following command to run a stealth scan:

nmap -sS scanme.nmap.org
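The decision Nmap makes for each reply, written out as code. This is an added example in Python, not code from the page or from the Nmap project: the reply dicts are constructed test data rather than captured packets, and classify_reply and scan_summary are names chosen here. It also covers the UDP scan (-sU) from the port-scanning section, whose "open|filtered" verdict is the usual source of confusion. The state and reason strings are the ones nmap --reason prints.

```python
# Added example (not Nmap's own code): turn the reply to a single probe into
# a port state the way the SYN scan (-sS) and UDP scan (-sU) do.  Rules and
# reason strings follow the Nmap reference guide / the --reason output.
# Replies are small dicts (constructed test data), not real packets.

TH_SYN, TH_RST, TH_ACK = 0x02, 0x04, 0x10

# ICMP type 3 (destination unreachable) codes Nmap acts on, with its reason
# wording.  All of them mean "filtered", except that for a UDP scan code 3
# (port unreachable) is the one definite "closed" signal.
ICMP_UNREACH_REASON = {
    1: "host-unreach",
    2: "proto-unreach",
    3: "port-unreach",
    9: "net-prohibited",
    10: "host-prohibited",
    13: "admin-prohibited",
}


def classify_reply(scan, reply):
    """Return (state, reason) for one probe of a 'syn' or 'udp' scan.

    reply is None (nothing came back, even after Nmap's retransmissions) or:
      {"proto": "tcp", "flags": <TCP flag bits>}
      {"proto": "udp"}                        # some UDP payload came back
      {"proto": "icmp", "type": 3, "code": n}
    """
    if scan not in ("syn", "udp"):
        raise ValueError("unsupported scan type %r" % scan)
    if reply is None:
        # A SYN scan calls silence "filtered".  UDP cannot tell an open service
        # that ignores the probe from a dropped packet, hence "open|filtered".
        return ("filtered" if scan == "syn" else "open|filtered", "no-response")

    proto = reply["proto"]
    if proto == "icmp":
        if reply.get("type") != 3 or reply.get("code") not in ICMP_UNREACH_REASON:
            return ("unknown", "unexpected-icmp")
        reason = ICMP_UNREACH_REASON[reply["code"]]
        if scan == "udp" and reply["code"] == 3:
            return ("closed", reason)  # port unreachable: nothing is listening
        return ("filtered", reason)

    if scan == "syn" and proto == "tcp":
        flags = reply["flags"]
        if flags & TH_SYN and flags & TH_ACK:
            # Open.  Nmap now answers with RST, so the handshake never completes.
            return ("open", "syn-ack")
        if flags & TH_RST:
            return ("closed", "reset")
        return ("unknown", "unexpected-flags")

    if scan == "udp" and proto == "udp":
        return ("open", "udp-response")
    return ("unknown", "unexpected-protocol")


def scan_summary(scan, replies):
    """Classify {port: reply} and count how many ports landed in each state."""
    states = {port: classify_reply(scan, reply) for port, reply in replies.items()}
    counts = {}
    for state, _reason in states.values():
        counts[state] = counts.get(state, 0) + 1
    return {"ports": states, "counts": counts}


if __name__ == "__main__":
    # Constructed replies for a SYN scan of four ports on one host.
    syn_replies = {
        22: {"proto": "tcp", "flags": TH_SYN | TH_ACK},
        23: {"proto": "tcp", "flags": TH_RST | TH_ACK},
        25: None,
        135: {"proto": "icmp", "type": 3, "code": 13},
    }
    for port, (state, reason) in sorted(scan_summary("syn", syn_replies)["ports"].items()):
        print("%5d/tcp %-9s %s" % (port, state, reason))
```

The same reasoning explains why a UDP scan against a firewalled host reports almost everything as open|filtered: the only way Nmap gets a definite answer is a UDP reply (open) or an ICMP port-unreachable (closed), and a firewall that silently drops both leaves it with no evidence either way.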

6. Scan the Most Popular Ports

As the name suggests, this command scans the n ports most often found open on the internet, ranked by the frequency data in Nmap's nmap-services file (a scan without --top-ports or -p uses the top 1,000). It is a quick first pass for a home server or a small network.

You can use the following to execute this Nmap command:

nmap --top-ports n 192.168.1.106

Replace the ‘n’ in the above command for the number of ports you want to scan. Nmap will quickly scan that many ports.

7. Output to a File

Add an output option to your command to write the results to a file as well as to the terminal:

  • Normal, human-readable output to a text file: -oN output.txt
  • XML output, the format to use when another program will process the results: -oX output.xml
  • Grepable output, one line per host: -oG output.gnmap
  • All three at once, using the given basename with the extensions .nmap, .xml and .gnmap: -oA scan
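XML is the format to parse, and the thing most people want from a parsed scan is a list of open ports per host and a diff against an earlier scan. The following is an added example in Python, not code from the page or from the Nmap project: it reads -oX output with the standard library only, and SAMPLE_XML is a hand-written fragment in the nmaprun format, constructed here with private addresses to stand in for a real output.xml. The function names parse_nmap_xml, open_port_keys and newly_opened are chosen here.

```python
# Added example (not part of the page or of Nmap): read the XML written by
# -oX, list each live host's open ports, and diff two scans so that ports
# which opened since a baseline stand out.  SAMPLE_XML is constructed test
# data in the nmaprun format, standing in for a real output.xml.
import xml.etree.ElementTree as ET

SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<nmaprun scanner="nmap" args="nmap -sV -oX output.xml 192.168.1.0/24" version="7.93">
<host><status state="up" reason="arp-response"/>
<address addr="192.168.1.10" addrtype="ipv4"/>
<address addr="00:11:22:33:44:55" addrtype="mac" vendor="Example"/>
<hostnames><hostname name="web.lan" type="PTR"/></hostnames>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh" product="OpenSSH" version="8.9p1"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http" product="nginx"/></port>
<port protocol="tcp" portid="443"><state state="closed" reason="reset"/></port>
</ports></host>
<host><status state="up" reason="echo-reply"/>
<address addr="192.168.1.20" addrtype="ipv4"/>
<ports>
<port protocol="udp" portid="161"><state state="open|filtered" reason="no-response"/><service name="snmp"/></port>
</ports></host>
<host><status state="down" reason="no-response"/>
<address addr="192.168.1.30" addrtype="ipv4"/></host>
<runstats><hosts up="2" down="1" total="3"/></runstats>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return [{"ip", "mac", "hostname", "open_ports"}] for every host that is up."""
    root = ET.fromstring(xml_text)
    hosts = []
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # down hosts carry no port data
        ip = mac = None
        for addr in host.findall("address"):
            if addr.get("addrtype") in ("ipv4", "ipv6"):
                ip = addr.get("addr")
            elif addr.get("addrtype") == "mac":
                mac = addr.get("addr")  # only present for hosts on the local segment
        name = host.find("hostnames/hostname")
        open_ports = []
        for port in host.findall("ports/port"):
            state = port.find("state").get("state")
            if not state.startswith("open"):  # keeps "open" and "open|filtered"
                continue
            svc = port.find("service")  # absent when -sV found nothing or was not run
            open_ports.append({
                "proto": port.get("protocol"),
                "port": int(port.get("portid")),
                "state": state,
                "service": svc.get("name") if svc is not None else None,
                "product": svc.get("product") if svc is not None else None,
                "version": svc.get("version") if svc is not None else None,
            })
        hosts.append({"ip": ip, "mac": mac,
                      "hostname": name.get("name") if name is not None else None,
                      "open_ports": open_ports})
    return hosts


def open_port_keys(hosts):
    """Flatten parsed hosts into a set of (ip, proto, port) for open ports."""
    return {(h["ip"], p["proto"], p["port"]) for h in hosts for p in h["open_ports"]}


def newly_opened(baseline_hosts, current_hosts):
    """Ports open in the current scan that were not open in the baseline."""
    return open_port_keys(current_hosts) - open_port_keys(baseline_hosts)


if __name__ == "__main__":
    for h in parse_nmap_xml(SAMPLE_XML):
        print(h["ip"], h["hostname"] or "-", h["mac"] or "-")
        for p in h["open_ports"]:
            print("   %5d/%s %-13s %s %s" % (p["port"], p["proto"], p["state"],
                                             p["service"] or "?", p["version"] or ""))
```

Running the parser over a scheduled scan and diffing against a stored baseline is the "monitoring host or service uptime" and "network inventory" use mentioned in the description at the top of the page; a port appearing in newly_opened is the event worth alerting on.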

8. Disable DNS Name Resolution

You can speed up a scan with the -n option, which disables reverse DNS resolution of the addresses Nmap finds. We recommend it when scanning a large network: reverse lookups for thousands of addresses are slow, and each one is a query that the DNS server's administrator can see.

Let us show how this works with an example.

Suppose you want to turn off DNS resolution for a host-discovery (ping) scan. To do this, add -n:

Here is how you can run the command:

nmap -sn -n 192.168.1.0/24

Reference: https://www.upguard.com/blog/how-to-use-nmap

nmap --help Command For General Arguments

nmap --help (or nmap -h) prints the summary of options below; the man page at https://nmap.org/book/man.html documents each option in detail.

Nmap 7.92SVN ( https://nmap.org )
Usage: nmap [Scan Type(s)] [Options] {target specification}
TARGET SPECIFICATION:
  Can pass hostnames, IP addresses, networks, etc.
  Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
  -iL <inputfilename>: Input from list of hosts/networks
  -iR <num hosts>: Choose random targets
  --exclude <host1[,host2][,host3],...>: Exclude hosts/networks
  --excludefile <exclude_file>: Exclude list from file
HOST DISCOVERY:
  -sL: List Scan - simply list targets to scan
  -sn: Ping Scan - disable port scan
  -Pn: Treat all hosts as online -- skip host discovery
  -PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports
  -PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
  -PO[protocol list]: IP Protocol Ping
  -n/-R: Never do DNS resolution/Always resolve [default: sometimes]
  --dns-servers <serv1[,serv2],...>: Specify custom DNS servers
  --system-dns: Use OS's DNS resolver
  --traceroute: Trace hop path to each host
SCAN TECHNIQUES:
  -sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
  -sU: UDP Scan
  -sN/sF/sX: TCP Null, FIN, and Xmas scans
  --scanflags <flags>: Customize TCP scan flags
  -sI <zombie host[:probeport]>: Idle scan
  -sY/sZ: SCTP INIT/COOKIE-ECHO scans
  -sO: IP protocol scan
  -b <FTP relay host>: FTP bounce scan
PORT SPECIFICATION AND SCAN ORDER:
  -p <port ranges>: Only scan specified ports
    Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080,S:9
  --exclude-ports <port ranges>: Exclude the specified ports from scanning
  -F: Fast mode - Scan fewer ports than the default scan
  -r: Scan ports consecutively - don't randomize
  --top-ports <number>: Scan <number> most common ports
  --port-ratio <ratio>: Scan ports more common than <ratio>
SERVICE/VERSION DETECTION:
  -sV: Probe open ports to determine service/version info
  --version-intensity <level>: Set from 0 (light) to 9 (try all probes)
  --version-light: Limit to most likely probes (intensity 2)
  --version-all: Try every single probe (intensity 9)
  --version-trace: Show detailed version scan activity (for debugging)
SCRIPT SCAN:
  -sC: equivalent to --script=default
  --script=<Lua scripts>: <Lua scripts> is a comma separated list of
           directories, script-files or script-categories
  --script-args=<n1=v1,[n2=v2,...]>: provide arguments to scripts
  --script-args-file=filename: provide NSE script args in a file
  --script-trace: Show all data sent and received
  --script-updatedb: Update the script database.
  --script-help=<Lua scripts>: Show help about scripts.
           <Lua scripts> is a comma-separated list of script-files or
           script-categories.
OS DETECTION:
  -O: Enable OS detection
  --osscan-limit: Limit OS detection to promising targets
  --osscan-guess: Guess OS more aggressively
TIMING AND PERFORMANCE:
  Options which take <time> are in seconds, or append 'ms' (milliseconds),
  's' (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).
  -T<0-5>: Set timing template (higher is faster)
  --min-hostgroup/max-hostgroup <size>: Parallel host scan group sizes
  --min-parallelism/max-parallelism <numprobes>: Probe parallelization
  --min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time>: Specifies
      probe round trip time.
  --max-retries <tries>: Caps number of port scan probe retransmissions.
  --host-timeout <time>: Give up on target after this long
  --scan-delay/--max-scan-delay <time>: Adjust delay between probes
  --min-rate <number>: Send packets no slower than <number> per second
  --max-rate <number>: Send packets no faster than <number> per second
FIREWALL/IDS EVASION AND SPOOFING:
  -f; --mtu <val>: fragment packets (optionally w/given MTU)
  -D <decoy1,decoy2[,ME],...>: Cloak a scan with decoys
  -S <IP_Address>: Spoof source address
  -e <iface>: Use specified interface
  -g/--source-port <portnum>: Use given port number
  --proxies <url1,[url2],...>: Relay connections through HTTP/SOCKS4 proxies
  --data <hex string>: Append a custom payload to sent packets
  --data-string <string>: Append a custom ASCII string to sent packets
  --data-length <num>: Append random data to sent packets
  --ip-options <options>: Send packets with specified ip options
  --ttl <val>: Set IP time-to-live field
  --spoof-mac <mac address/prefix/vendor name>: Spoof your MAC address
  --badsum: Send packets with a bogus TCP/UDP/SCTP checksum
OUTPUT:
  -oN/-oX/-oS/-oG <file>: Output scan in normal, XML, s|<rIpt kIddi3,
     and Grepable format, respectively, to the given filename.
  -oA <basename>: Output in the three major formats at once
  -v: Increase verbosity level (use -vv or more for greater effect)
  -d: Increase debugging level (use -dd or more for greater effect)
  --reason: Display the reason a port is in a particular state
  --open: Only show open (or possibly open) ports
  --packet-trace: Show all packets sent and received
  --iflist: Print host interfaces and routes (for debugging)
  --append-output: Append to rather than clobber specified output files
  --resume <filename>: Resume an aborted scan
  --noninteractive: Disable runtime interactions via keyboard
  --stylesheet <path/URL>: XSL stylesheet to transform XML output to HTML
  --webxml: Reference stylesheet from Nmap.Org for more portable XML
  --no-stylesheet: Prevent associating of XSL stylesheet w/XML output
MISC:
  -6: Enable IPv6 scanning
  -A: Enable OS detection, version detection, script scanning, and traceroute
  --datadir <dirname>: Specify custom Nmap data file location
  --send-eth/--send-ip: Send using raw ethernet frames or IP packets
  --privileged: Assume that the user is fully privileged
  --unprivileged: Assume the user lacks raw socket privileges
  -V: Print version number
  -h: Print this help summary page.
EXAMPLES:
  nmap -v -A scanme.nmap.org
  nmap -v -sn 192.168.0.0/16 10.0.0.0/8
  nmap -v -iR 10000 -Pn -p 80
SEE THE MAN PAGE (https://nmap.org/book/man.html) FOR MORE OPTIONS AND EXAMPLES

Reference: https://svn.nmap.org/nmap/docs/nmap.usage.txt