How to Use Nmap to Scan Subnets for Common Ports

Nmap is one of the most powerful tools for discovering devices and services on a network. Whether you’re assessing security, troubleshooting, or just learning, knowing how to scan an entire subnet for common ports is an essential skill.

This guide will show you step by step how to do it safely and effectively.

What You Need

A Linux, macOS, or Windows machine with Nmap installed

  • Install on Linux:
sudo apt install nmap
  • Install on macOS:
brew install nmap
  • Install on Windows:
Download the installer from https://nmap.org/

Understanding Subnets

A subnet is a block of IP addresses. For example:

192.168.1.0/24 is the block 192.168.1.0 through 192.168.1.255; its usable host addresses run from 192.168.1.1 through 192.168.1.254 (.0 is the network address and .255 the broadcast address).

If you’re unsure what subnet you’re on, you can find your local IP and subnet mask on Linux using:

ip addr show

Look for something like:

inet 192.168.1.25/24

That tells you your subnet is 192.168.1.0/24.
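If you would rather compute the subnet than read it off by eye, the POSIX shell script below is an added example (it is not from this article and not part of Nmap). It turns an "inet A.B.C.D/N" line into the network address you hand to nmap, the usable host range and the host count, and it handles prefixes other than /24. The function names (cidr_network, cidr_host_range, cidr_host_count, subnets_from_ip_addr) and the sample `ip addr show` output are this example's own constructions.

```shell
#!/bin/sh
# Added example (not from the article): derive the subnet to scan from an
# "inet A.B.C.D/N" line such as `ip addr show` prints.
# Function names and the sample interface output are constructed for this example.

# Convert dotted-quad A.B.C.D to a 32-bit unsigned integer.
ip_to_int() {
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Convert a 32-bit unsigned integer back to dotted-quad form.
int_to_ip() {
    n=$1
    echo "$(( (n >> 24) & 255 )).$(( (n >> 16) & 255 )).$(( (n >> 8) & 255 )).$(( n & 255 ))"
}

# Netmask for prefix length N (0..32) as an integer.
prefix_to_mask() {
    echo $(( 0xFFFFFFFF ^ ((1 << (32 - $1)) - 1) ))
}

# cidr_network A.B.C.D/N -> network in CIDR form, e.g. 192.168.1.25/24 -> 192.168.1.0/24
cidr_network() {
    addr=${1%/*}
    prefix=${1#*/}
    mask=$(prefix_to_mask "$prefix")
    net=$(( $(ip_to_int "$addr") & mask ))
    echo "$(int_to_ip "$net")/$prefix"
}

# cidr_host_range A.B.C.D/N -> "first last" usable host addresses.
# /31 and /32 have no network/broadcast addresses, so every address is a host.
cidr_host_range() {
    addr=${1%/*}
    prefix=${1#*/}
    mask=$(prefix_to_mask "$prefix")
    net=$(( $(ip_to_int "$addr") & mask ))
    bcast=$(( net | (0xFFFFFFFF ^ mask) ))
    if [ "$prefix" -ge 31 ]; then
        first=$net; last=$bcast
    else
        first=$(( net + 1 )); last=$(( bcast - 1 ))
    fi
    echo "$(int_to_ip "$first") $(int_to_ip "$last")"
}

# cidr_host_count A.B.C.D/N -> number of usable host addresses.
cidr_host_count() {
    prefix=${1#*/}
    if [ "$prefix" -ge 31 ]; then
        echo $(( 1 << (32 - prefix) ))
    else
        echo $(( (1 << (32 - prefix)) - 2 ))
    fi
}

# Read `ip addr show`-style text on stdin and print one subnet per IPv4 "inet" line
# ("inet6" lines are skipped because $1 is "inet6", not "inet").
subnets_from_ip_addr() {
    awk '$1 == "inet" { print $2 }' | while read -r cidr; do
        cidr_network "$cidr"
    done
}

# Constructed sample of `ip addr show` output (not captured from a real host).
SAMPLE_IP_ADDR='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536
    inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500
    inet 192.168.1.25/24 brd 192.168.1.255 scope global eth0
3: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500
    inet 10.20.37.200/20 brd 10.20.47.255 scope global wlan0'

# Stand-alone run: list each subnet with its usable host range and size.
printf '%s\n' "$SAMPLE_IP_ADDR" | subnets_from_ip_addr | while read -r subnet; do
    echo "$subnet  hosts: $(cidr_host_range "$subnet")  count: $(cidr_host_count "$subnet")"
done
```

Run it as `sh subnet.sh`; for your own machine, replace the sample with `ip addr show | subnets_from_ip_addr`. The loopback /8 shows up too, which is a useful reminder to check the interface name before scanning.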

Common Ports to Scan

Here are some frequently used ports:

  • 22 SSH
  • 23 Telnet
  • 80 HTTP
  • 443 HTTPS
  • 3389 Remote Desktop (RDP)
  • 445 SMB (Windows shares)
  • 53 DNS

Basic Subnet Scan

To scan for the most common ports on all hosts in the subnet, run:

nmap 192.168.1.0/24

This performs a default scan, which probes the ~1,000 most common TCP ports on each host (UDP ports are not included unless you add -sU).

Scan Specific Ports

To narrow it down to just the ports you care about:

nmap -p 22,80,443,3389 192.168.1.0/24

Explanation:

  • -p specifies the ports.
  • The subnet defines the range of IPs.

Example output:

Nmap scan report for 192.168.1.10
PORT     STATE  SERVICE
22/tcp   open   ssh
80/tcp   open   http
443/tcp  closed https
3389/tcp closed ms-wbt-server

Add Service Version Detection

If you’d like to see what software is running on those ports:

nmap -sV -p 22,80,443,3389 192.168.1.0/24

-sV tells Nmap to send service probes, grab banners, and attempt to identify the service and its version on each open port. It is slower and noisier than a plain port scan, since it completes connections and exchanges data with each service.

Save the Results

To save your scan results to a file:

nmap -p 22,80,443,3389 -oN scan_results.txt 192.168.1.0/24

  • -oN saves in a human-readable format.
  • You can also use -oG (grepable) or -oX (XML).

Faster Scanning with Ping Sweep

If your subnet has many inactive hosts, first find live hosts with a ping sweep (-sn means host discovery only, no port scan):

nmap -sn 192.168.1.0/24

Then scan only those hosts:

nmap -iL <(nmap -sn -oG - 192.168.1.0/24 | awk '/Up$/{print $2}') -p 22,80,443,3389

This runs the ping sweep with grepable output on stdout (-oG -), keeps the IP address from each line that ends in Up, and feeds that list to the port scan through -iL. The <( ... ) process substitution needs bash (or zsh); in a plain sh, write the host list to a file first and pass that file to -iL. Either way, this saves time by skipping offline IPs.
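Because the -oG format is line-oriented, the same awk idea used in the one-liner above extends to the saved results of a port scan: you can pull out the live hosts, the open ports per host, and which hosts expose a service you would rather not see on the subnet (Telnet, SMB, RDP). The script below is an added example serving both the "Save the Results" section and the ping-sweep pipeline; it is not from this article or from the Nmap project. The function names are its own, and the -oG text is a constructed sample in the real grepable layout, not a capture from any network.

```shell
#!/bin/sh
# Added example (not from the article): parse Nmap grepable (-oG) output with awk.
# Function names are this example's own; the -oG text below is a constructed
# sample in the real format, not a capture from any network.

# Constructed sample: what `nmap -sn -oG -` (Status lines) and a later
# `nmap -p 22,23,53,80,443,445,3389 -oG -` (Ports lines) would write.
# Fields on a Host line are tab-separated; printf %b turns \t into real tabs.
SAMPLE_OG=$(printf '%b\n' \
  '# Nmap scan initiated (constructed sample)' \
  'Host: 192.168.1.1 ()\tStatus: Up' \
  'Host: 192.168.1.1 ()\tPorts: 22/open/tcp//ssh///, 53/open/tcp//domain///, 443/open/tcp//https///\tIgnored State: closed (4)' \
  'Host: 192.168.1.10 ()\tStatus: Up' \
  'Host: 192.168.1.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/closed/tcp//https///, 3389/closed/tcp//ms-wbt-server///' \
  'Host: 192.168.1.33 (legacy-pc.lan)\tStatus: Up' \
  'Host: 192.168.1.33 (legacy-pc.lan)\tPorts: 23/open/tcp//telnet///, 445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server///' \
  '# Nmap done (constructed sample)')

# live_hosts: read -oG text on stdin, print the IP of every host reported Up.
# Matching the whole "Status: Up" field is safer than /Up$/, which any line
# that happens to end in "Up" would also satisfy.
live_hosts() {
    awk 'BEGIN { FS = "\t" }
         $1 ~ /^Host: / {
             split($1, h, " ")
             for (i = 2; i <= NF; i++) if ($i == "Status: Up") print h[2]
         }'
}

# open_ports: read -oG text on stdin, print "ip port/proto service" for every
# open port. Each Ports entry is port/state/proto/owner/service/rpc/version/.
open_ports() {
    awk 'BEGIN { FS = "\t" }
         $1 ~ /^Host: / {
             split($1, h, " "); ip = h[2]
             for (i = 2; i <= NF; i++) {
                 if ($i ~ /^Ports: /) {
                     sub(/^Ports: /, "", $i)
                     n = split($i, entry, /, */)
                     for (j = 1; j <= n; j++) {
                         split(entry[j], f, "/")
                         if (f[2] == "open") print ip, f[1] "/" f[3], f[5]
                     }
                 }
             }
         }'
}

# hosts_with_port PORT/PROTO: hosts that expose one port, e.g. 23/tcp (Telnet).
hosts_with_port() {
    open_ports | awk -v want="$1" '$2 == want { print $1 }'
}

# exposure_summary: number of hosts exposing each open port, lowest port first.
# A quick way to spot a cleartext or remote-access service that should not be
# reachable across the subnet.
exposure_summary() {
    open_ports | awk '{ seen[$2] = seen[$2] + 1 } END { for (p in seen) print p, seen[p] }' \
        | sort -t/ -k1,1n
}

# Stand-alone run over the constructed sample.
echo "Live hosts:";        printf '%s\n' "$SAMPLE_OG" | live_hosts
echo "Open ports:";        printf '%s\n' "$SAMPLE_OG" | open_ports
echo "Hosts with Telnet:"; printf '%s\n' "$SAMPLE_OG" | hosts_with_port 23/tcp
echo "Exposure summary:";  printf '%s\n' "$SAMPLE_OG" | exposure_summary
```

With a real saved file, `exposure_summary < scan_results.gnmap` gives the per-port count, and `live_hosts < sweep.gnmap > hosts.txt` followed by `nmap -iL hosts.txt -p 22,80,443,3389` is the plain-sh equivalent of the process-substitution one-liner.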

Recap

Here are a few handy Nmap commands for subnet scanning:

1️⃣ Default scan of all common ports:

nmap 192.168.1.0/24

2️⃣ Scan specific ports:

nmap -p 22,80,443,3389 192.168.1.0/24

3️⃣ Detect service versions:

nmap -sV -p 22,80,443,3389 192.168.1.0/24

4️⃣ Save to a file:

nmap -oN results.txt -p 22,80,443,3389 192.168.1.0/24

Happy scanning — and scan responsibly!