How to Use Nmap in Termux — Complete Network Scanning Guide for Beginners (2026)
How to Use Nmap in Termux — Network Scanning for Beginners (2026 Guide)
- Introduction — Why Nmap in Termux?
- What Is Nmap and How Does It Work?
- Installing Nmap in Termux (Step-by-Step)
- Basic Nmap Commands Every Beginner Must Know
- Advanced Nmap Scanning Techniques
- Practical Use Cases — Real-World Network Scanning
- Common Errors and Fixes
- Pro Tips for Using Nmap Like a Pro
- Nmap Scan Type Comparison Table
- Frequently Asked Questions
- Conclusion
// 00 — Introduction: Why Learn Nmap in Termux?
If you've ever wondered what devices are connected to your network, which ports are open on your own server, or how cybersecurity professionals map out a target environment before a penetration test — the answer to all of those questions is Nmap. Learning how to use Nmap in Termux is one of the most valuable skills you can pick up as an aspiring cybersecurity enthusiast, a networking student, or even a curious Android user who wants to understand how the internet actually works under the hood.
Nmap, short for Network Mapper, is a free, open-source tool that has been around since 1997. It is used by system administrators, security researchers, and ethical hackers worldwide to discover hosts on a network, enumerate open ports, detect running services and their versions, and even fingerprint the operating system of remote machines. Despite being a command-line tool, it is incredibly powerful and surprisingly beginner-friendly once you understand a handful of core commands.
What makes this tutorial different is that we're running Nmap entirely inside Termux — the incredible Linux terminal emulator that runs natively on Android without requiring root access. This means that with nothing more than your Android smartphone and a Wi-Fi connection, you can start learning professional-grade network scanning right now, for free, from the palm of your hand.
In this complete beginner's guide, you'll learn everything from installing Nmap in Termux, understanding how network scanning actually works, running your first scans, and progressing to intermediate techniques like service version detection and OS fingerprinting. By the time you finish this guide, you'll have a working knowledge of Nmap that you can use for studying for certifications like CompTIA Security+, CEH, or OSCP, or simply for understanding your own home network better.
Whether you're a complete beginner or someone who has dabbled with Termux before, this guide is structured to take you from zero to confident. Let's get into it.
// 01 — What Is Nmap and How Does It Work?
Before we dive into commands, it's worth spending a few minutes understanding what Nmap is doing behind the scenes. This conceptual foundation will make every command you run make much more sense — and it will help you interpret scan results intelligently rather than just copying and pasting commands blindly.
The Basics of Network Scanning
Every device connected to a network — your phone, laptop, router, smart TV, or server — has an IP address. This address is how devices identify and communicate with each other. Each device also has up to 65,535 ports, which are logical endpoints for specific types of network communication. For example, web servers typically listen on port 80 (HTTP) or port 443 (HTTPS), SSH servers listen on port 22, and FTP servers on port 21.
When Nmap scans a target, it sends carefully crafted network packets to the target's IP address and ports, then analyzes the responses it gets back. Based on those responses — or the lack of them — Nmap can determine:
- Whether a host is online (host discovery)
- Which ports are open, closed, or filtered by a firewall
- What services are running on those open ports
- The version numbers of those services
- The likely operating system of the target machine
Port States in Nmap
One of the most important concepts to understand when learning Nmap is port states. Nmap classifies ports into six states:
| Port State | What It Means |
|---|---|
| Open | An application is actively accepting connections on this port |
| Closed | The port is accessible but no application is listening |
| Filtered | A firewall or filter is blocking Nmap's probes — state is unknown |
| Unfiltered | Port is accessible but Nmap can't determine if it's open or closed |
| Open|Filtered | Nmap can't tell if port is open or filtered |
| Closed|Filtered | Nmap can't tell if port is closed or filtered |
How Nmap Sends Packets
Nmap uses several different techniques to probe a target. The most common is the TCP SYN scan (also called a "half-open" scan), which sends a SYN packet — the first step of the TCP three-way handshake — and waits to see if the target responds with a SYN-ACK (port open) or RST (port closed). This type of scan is fast, stealthy, and doesn't complete the full TCP connection, which is why it's the default scan type when Nmap is run with root/admin privileges.
On Termux without root, Nmap falls back to a TCP Connect scan, which completes the full TCP handshake. It's slightly slower and less stealthy, but completely functional for learning and network auditing purposes — and it requires no root access whatsoever.
Why Nmap in Termux Is Powerful
Running Nmap in Termux gives you a portable, always-available network scanning tool. Your Android device is essentially a pocket-sized Linux computer, and Termux gives you full access to its networking capabilities. This is particularly useful for network administrators who need to quickly audit a network while on-site, students practicing for certifications, or hobbyists who want to understand their home network without needing a full laptop setup.
Nmap is also extensively documented, with an entire book written about it (the Nmap Network Scanning book by Gordon "Fyodor" Lyon, Nmap's creator). The official documentation at nmap.org is comprehensive and beginner-friendly. But this guide will give you everything you need to get started right here, right now.
// 02 — Installing Nmap in Termux (Step-by-Step)
Installing Nmap in Termux is refreshingly simple. Termux uses the pkg package manager (which wraps apt), and Nmap is available directly in the official Termux repository. No third-party sources, no complicated setup — just a couple of commands and you're ready to scan.
Prerequisites
Before installing anything, make sure your Termux setup is ready. Here's what you need:
- Android device running Android 7.0 or higher
- Termux installed (preferably from F-Droid, not the outdated Play Store version)
- Active internet connection (mobile data or Wi-Fi)
- At least 50MB of free storage
Step 1 — Update Termux Packages
Always start by updating your package lists and upgrading existing packages. This ensures you get the latest version of Nmap and prevents dependency conflicts.
Update and Upgrade Termux
Open Termux and run the following commands one at a time:
pkg update && pkg upgrade -yThis command first updates the package index (fetching the latest list of available packages) and then upgrades all currently installed packages. The -y flag automatically confirms all prompts. This process may take a few minutes depending on your internet speed.
Step 2 — Install Nmap
Install Nmap via pkg
Once the update is complete, install Nmap with a single command:
pkg install nmap -yTermux will download and install Nmap along with any required dependencies. You'll see a progress bar and status messages. When it's done, you'll be returned to the command prompt.
Step 3 — Verify the Installation
Confirm Nmap is Installed
Run this command to check the installed Nmap version:
nmap --versionYou should see output similar to this:
Nmap version 7.95 ( https://nmap.org )
Platform: aarch64-unknown-linux-android
Compiled with: liblua-5.4.6 openssl-3.x libssh2-1.x libz-1.x libpcre2-10.x nmap-libdnet-1.12 ipv6
Compiled without: liblinear
Available nsock providers: epoll poll select
Available output types: interactive grepable xml json
Available script categories: auth broadcast brute default discovery dos exploit external fuzzer intrusive malware safe version vulnStep 4 — Find Your Own IP Address
Before scanning anything, it's useful to know your own device's IP address so you can identify yourself in scan results and understand your network's range.
ifconfigIf ifconfig isn't available, install it with:
pkg install net-tools -y
ifconfigLook for the wlan0 interface and note your IP address — it will typically look like 192.168.1.x on a home Wi-Fi network. This tells you your network subnet, which you'll use for scanning.
// 03 — Basic Nmap Commands Every Beginner Must Know
Now that Nmap is installed, let's walk through the fundamental commands that form the foundation of all network scanning. Every command is explained in plain English so you understand not just what to type, but why you're typing it. This is the core of learning how to use Nmap in Termux effectively.
Scanning a Single Host
The most basic Nmap scan targets a single IP address or hostname. This performs a default scan of the 1,000 most common ports:
nmap 192.168.1.1Replace 192.168.1.1 with your router's IP address (usually the gateway). The output will look something like this:
Starting Nmap 7.95 ( https://nmap.org ) at 2026-03-24 10:30 UTC
Nmap scan report for 192.168.1.1
Host is up (0.0032s latency).
Not shown: 995 filtered tcp ports (no-response)
PORT STATE SERVICE
22/tcp open ssh
53/tcp open domain
80/tcp open http
443/tcp open https
8080/tcp open http-proxy
Nmap done: 1 IP address (1 host up) scanned in 4.23 secondsThis output tells you the router is online, and that ports 22 (SSH), 53 (DNS), 80 (HTTP), 443 (HTTPS), and 8080 (HTTP proxy) are open. This is typical for a home router with an admin web interface.
Scanning a Domain Name
You can also scan a hostname or domain instead of an IP address. A great target for practice is your own localhost:
nmap localhostOr scanme.nmap.org — a server specifically set up by the Nmap developers for people to practice scanning legally:
nmap scanme.nmap.orgScanning a Range of IP Addresses
To scan multiple hosts at once, you can provide a range of IP addresses. This is called a subnet scan and is one of the most common ways to use Nmap in Termux for home network auditing:
# Scan a range using a dash
nmap 192.168.1.1-50
# Scan an entire subnet using CIDR notation
nmap 192.168.1.0/24The /24 notation means Nmap will scan all 256 addresses from 192.168.1.0 to 192.168.1.255. This will discover every device currently connected to your home network.
Ping Scan — Just Check Who's Online
Sometimes you just want to know which hosts are alive on the network without scanning any ports. The ping scan (-sn) does exactly that:
nmap -sn 192.168.1.0/24This is much faster than a full port scan and is perfect for quickly mapping out every device on your local network. You might be surprised how many devices are connected — smart TVs, game consoles, IoT devices, and more.
Scanning Specific Ports
By default, Nmap scans only the 1,000 most common ports. You can specify exactly which ports to scan using the -p flag:
# Scan a single port
nmap -p 80 192.168.1.1
# Scan multiple specific ports
nmap -p 22,80,443,8080 192.168.1.1
# Scan a range of ports
nmap -p 1-1000 192.168.1.1
# Scan ALL 65535 ports
nmap -p- 192.168.1.1The -p- flag (p dash) tells Nmap to scan all 65,535 ports. This is thorough but can take several minutes depending on the target and network conditions.
Verbose Output
Adding the -v flag enables verbose mode, which shows you results in real time as Nmap discovers them rather than waiting until the scan is complete:
nmap -v 192.168.1.1Use -vv for even more detail. This is particularly helpful when running long scans so you can see progress.
// 04 — Advanced Nmap Scanning Techniques
Once you're comfortable with the basics, it's time to level up. These intermediate-to-advanced techniques are what make Nmap so powerful for network reconnaissance and security assessment. Learning these techniques is essential for anyone studying ethical hacking or preparing for certifications like CEH or OSCP.
Service Version Detection (-sV)
Knowing a port is open is useful, but knowing what version of a service is running is even more valuable. The -sV flag enables service version detection:
nmap -sV 192.168.1.1Example output with version detection:
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.52 ((Ubuntu))
443/tcp open ssl/http Apache httpd 2.4.52 ((Ubuntu))Now you can see not just that SSH is running, but that it's specifically OpenSSH 8.9p1 on Ubuntu. This information is critical in a real penetration test — knowing exact version numbers lets you check whether those services have known vulnerabilities.
OS Detection (-O)
Nmap can attempt to fingerprint the operating system of a target based on subtle differences in how different OS implementations respond to network packets:
nmap -O 192.168.1.1Aggressive Scan (-A)
The -A flag enables "aggressive" mode, which combines OS detection, version detection, script scanning, and traceroute all in one command. It's the most information-rich single scan you can run:
nmap -A 192.168.1.1This scan takes longer but gives you the most complete picture of a target. It's ideal for learning because it shows you everything Nmap can discover in one go.
Nmap Scripting Engine (NSE)
One of Nmap's most powerful features is its Scripting Engine (NSE). NSE scripts are small programs written in Lua that extend Nmap's capabilities. There are hundreds of pre-built scripts for tasks like detecting vulnerabilities, enumerating services, brute-forcing credentials, and more.
# Run default scripts
nmap -sC 192.168.1.1
# Run a specific script
nmap --script http-title 192.168.1.1
# Run scripts in a category
nmap --script vuln 192.168.1.1
# Combine -sV and -sC (very common combination)
nmap -sV -sC 192.168.1.1The -sC flag runs the default set of safe NSE scripts. The combination of -sV -sC is probably the most commonly used Nmap invocation in professional penetration testing.
Controlling Scan Speed (-T)
Nmap has timing templates from T0 to T5 that control how fast the scan runs. Slower scans are stealthier; faster scans are more likely to be detected by intrusion detection systems:
# T0 = Paranoid (very slow, very stealthy)
nmap -T0 192.168.1.1
# T3 = Default (normal speed)
nmap -T3 192.168.1.1
# T4 = Aggressive (fast, recommended for practice)
nmap -T4 192.168.1.1
# T5 = Insane (very fast, may miss results)
nmap -T5 192.168.1.1For learning and practicing on your own home network, -T4 is the sweet spot — fast enough to not bore you, reliable enough to give accurate results.
Saving Scan Results to a File
When you're auditing a network, you'll want to save your results for later analysis. Nmap supports several output formats:
# Save as normal text output
nmap -oN scan_results.txt 192.168.1.0/24
# Save as XML (useful for importing into other tools)
nmap -oX scan_results.xml 192.168.1.0/24
# Save as grepable format (great for parsing with grep/awk)
nmap -oG scan_results.gnmap 192.168.1.0/24
# Save in all formats at once
nmap -oA scan_results 192.168.1.0/24The -oA flag saves results in all three major formats simultaneously (normal, XML, and grepable) using the base filename you provide. This is a professional habit worth building early.
// 05 — Practical Use Cases: Real-World Network Scanning with Nmap
Understanding commands is one thing — knowing when and why to use them in real scenarios is what separates beginners from practitioners. In this section, we walk through several practical, legal use cases for using Nmap in Termux that you can try right now on your own network.
Use Case 1: Auditing Your Home Network
One of the most valuable things you can do with Nmap is audit your own home network. You might be surprised by what you find — devices you forgot were connected, routers with unexpected ports open, or even unauthorized devices.
# Step 1: Discover all devices on your network
nmap -sn 192.168.1.0/24
# Step 2: Full scan of your router
nmap -sV -sC -T4 192.168.1.1
# Step 3: Save results for documentation
nmap -sV -T4 -oA home_audit 192.168.1.0/24This three-step process gives you a complete inventory of your home network. Check the results carefully — any unexpected open ports or unfamiliar devices should be investigated.
Use Case 2: Checking Your Own Android Localhost
If you're running servers in Termux (like a Python HTTP server or SSH server), you can scan your own localhost to verify they're running and accessible:
nmap -sV localhost
# or
nmap -sV 127.0.0.1This will show you exactly which services are currently running on your Android device through Termux — a great way to verify your server setup.
Use Case 3: Practicing on scanme.nmap.org
The Nmap team maintains a legal practice target at scanme.nmap.org. You can run any kind of scan against it without needing permission. This is perfect for practicing advanced techniques:
# Basic scan
nmap scanme.nmap.org
# Version + script scan
nmap -sV -sC scanme.nmap.org
# Aggressive scan with all the bells and whistles
nmap -A -T4 scanme.nmap.org
# Save results for study
nmap -A -T4 -oN scanme_results.txt scanme.nmap.orgUse Case 4: HTTP Service Enumeration
When you find a web server during a scan, NSE scripts can extract even more useful information:
# Get the web page title of a target
nmap --script http-title -p 80 192.168.1.1
# Check for common web server files
nmap --script http-enum -p 80 192.168.1.1
# Get HTTP headers
nmap --script http-headers -p 80 192.168.1.1Use Case 5: Checking for Default SSH Configuration
If you've set up an SSH server in Termux or on another machine, you can use Nmap to verify the configuration and check for default credentials (on your own systems only):
# Get SSH version and host key information
nmap -sV -p 22 --script ssh-hostkey 192.168.1.x
# Check SSH authentication methods
nmap -p 22 --script ssh-auth-methods 192.168.1.x// 06 — Common Nmap Errors in Termux and How to Fix Them
As a beginner, you'll inevitably run into errors. Here are the most common ones you'll encounter when learning how to use Nmap in Termux, along with their solutions.
Error 1: "nmap: command not found"
bash: nmap: command not foundCause: Nmap isn't installed or the installation failed.
Fix: Run pkg install nmap -y again. If that fails, run pkg update && pkg upgrade -y first.
Error 2: "You requested a scan type which requires root privileges"
You requested a scan type which requires root privileges.Cause: You tried to run a SYN scan (-sS) or another scan type that requires raw packet capabilities.
Fix: Use the TCP Connect scan instead: nmap -sT. This works without root and is the default in Termux anyway.
# Instead of:
nmap -sS 192.168.1.1
# Use:
nmap -sT 192.168.1.1Error 3: Scan Takes Too Long or Times Out
Cause: The target is firewalled, offline, or you're scanning too many hosts with too many ports.
Fix: Increase the timing template and reduce the port range:
nmap -T4 --open -p 1-1000 192.168.1.1Error 4: "Failed to resolve" — Host Not Found
Failed to resolve "target.com".
WARNING: No targets were specified, so 0 hosts scanned.Cause: DNS resolution failed, or the hostname is incorrect.
Fix: Check your internet connection, verify the hostname, or use the IP address directly. You can also try setting a custom DNS server:
nmap --dns-servers 8.8.8.8 target.comError 5: All Ports Showing as "filtered"
Cause: A firewall is blocking your scan packets, or the host is configured to drop packets silently.
Fix: Try different scan techniques or add the --reason flag to understand why ports are being reported as filtered:
nmap --reason 192.168.1.1// 07 — Pro Tips for Using Nmap Like a Pro
These tips come from years of hands-on network scanning experience. They'll help you scan smarter, interpret results better, and build good habits from the start.
nmap -sV -sC -T4 [target] is the gold standard scan used by professionals. It's thorough, reasonably fast, and gives you version info plus default script results all in one.-oA filename. This saves results in three formats at once and lets you review, compare, and share results later.--open to only show hosts/ports that are confirmed open. This dramatically cleans up output when scanning large networks.nmap --open -T4 192.168.1.0/24nmap --help or man nmap in Termux. The built-in documentation is comprehensive and always accurate for your installed version.// 08 — Nmap Scan Types Comparison Table
Here's a quick reference table comparing the most important Nmap scan types, their use cases, and whether they require root privileges in Termux:
| Scan Type | Flag | Speed | Root Needed? | Best For |
|---|---|---|---|---|
| TCP Connect Scan | -sT |
Medium | ❌ No | Termux default — works without root |
| SYN Scan | -sS |
Fast | ✅ Yes | Stealthy half-open scan (needs root) |
| UDP Scan | -sU |
Slow | ✅ Yes | Detecting UDP services like DNS, SNMP |
| Ping Scan | -sn |
Very Fast | ❌ No | Host discovery only (no port scan) |
| Version Detection | -sV |
Medium-Slow | ❌ No | Identifying service versions |
| Script Scan | -sC |
Medium | ❌ No | Running default NSE scripts |
| OS Detection | -O |
Medium | ✅ Yes | Fingerprinting target OS |
| Aggressive Scan | -A |
Slow | ❌ No (partial) | Maximum information gathering |
// 09 — Frequently Asked Questions
ifconfig or ip addr in Termux. If your IP is something like 192.168.1.50, then your network subnet is 192.168.1.0/24. Run nmap -sn 192.168.1.0/24 for a quick ping scan to see all active devices, or nmap -sV -T4 192.168.1.0/24 for a full scan with service detection.--reason to your Nmap command to see why each port is in its current state. You can also try adjusting the timing with -T4 or using -Pn to skip host discovery and treat the host as online.nmap -sV -sC -T4 scanme.nmap.org. This combines version detection (-sV), default script scanning (-sC), and a fast timing template (-T4) against a legally-sanctioned practice target. It gives you rich output to study and learn from without needing root, without risking legal issues, and without overwhelming you with options.-sC to run default scripts, or --script [script-name] to run specific ones. To see all available scripts, run ls $PREFIX/share/nmap/scripts/ in Termux. There are scripts for vulnerability detection, service enumeration, brute-forcing, and much more.// 10 — Conclusion: Your Journey with Nmap in Termux Starts Now
You've made it to the end of this comprehensive guide on how to use Nmap in Termux. At this point, you have everything you need to start scanning networks legally and ethically from your Android device. Let's recap what you've learned:
- What Nmap is and how network scanning works at a conceptual level
- How to install Nmap in Termux with a single command — no root required
- Core scanning commands including single host, subnet, and port-specific scans
- Advanced techniques like version detection (-sV), script scanning (-sC), and aggressive mode (-A)
- Real-world use cases for auditing your home network and practicing legally
- Common errors and how to fix them
- Pro tips to scan smarter and build professional habits
The key thing to remember is that Nmap is a tool, and like any tool, its value comes from how you use it. Always scan only systems you own or have written permission to test. Use Nmap to learn, to audit your own infrastructure, and to understand how networks work — not to probe systems without authorization.
Network scanning is a foundational skill in cybersecurity. Once you're comfortable with Nmap, you'll find it naturally leads you toward other tools and techniques — Wireshark for packet analysis, Netcat for service interaction, Metasploit for vulnerability assessment (on authorized targets), and more. Each tool builds on the knowledge from the last.
nmap -A -T4 scanme.nmap.org right now and study the output carefully. Every line tells you something important. The more scans you run, the more you'll understand — and the faster you'll progress toward becoming a skilled security practitioner.Enjoyed this guide? Subscribe to HYDRA TERMUX for weekly Termux tutorials, ethical hacking guides, and Android security content — all completely free, no root required. Drop a comment below with the results of your first Nmap scan and any questions you have. Rixon Xavier and the HYDRA TERMUX community are here to help you on your cybersecurity learning journey.
Suggested next reads: How to Install and Use Netcat in Termux | How to Set Up an SSH Server in Termux | Best Termux Tools for Cybersecurity Beginners 2026
Rixon Xavier
Cybersecurity educator and Termux enthusiast. Founder of HYDRA TERMUX — a free educational blog teaching Linux on Android, Termux commands, and ethical cybersecurity concepts. All tutorials are strictly for educational purposes.
