How to Install nmap Security Scanner on Windows XP

Installing nmap security scanner on Windows XP is fairly easy. The easiest way is to download and run the nmap stable release executable file currently located here. You can verify the latest release by visiting nmap’s download page here.

Once the nmap.exe file is downloaded just double click it and choose a location to unpack the files. The easiest place would be something like c:\nmap or if you have cygwin installed you might want to do c:\cygwin\nmap. Make sure to note the location as you will need to add this to your path so you can execute it without having to be in the nmap directory.

To add the new directory to your PATH just follow the couple steps below.

Install Nmap, Network Mapper, On Windows XP:

  1. Open My Computer Properties: Right click on “My Computer” and select properties.
  2. Edit Environment Variables: Click the Advanced tab after the “My Computer” properties has been opened in step 1. At the bottom of the Advanced tab click the “Environment Variables” button which will open a new window.
  3. Edit Path:In the second window titled “System variables” highlight the 6th option from the top titled “Path”. Once Path is highlighted click the Edit button which will open the Path configuration where you will see numerous entries separated by semi colons. You need to add the new path for nmap such as “c:\nmap”. Below is what the second line of the Path configurations will look like.

    Windows XP User PATH Environment Variable With Nmap Path Added:


    1. C:\\Perl\\site\\bin;C:\\Perl\\bin;%SystemRoot%\\system32;%SystemRoot%;%SystemRoot%\\System32\\Wbem;C:\\Program Files\\Wave Systems Corp\\Dell Preboot Manager\\Access Client\\v5\\;C:\\Program Files\\Microsoft SQL Server\\80\\Tools\\Binn\\;C:\\Program Files\\Common Files\\Adobe\\AGL;C:\\Program Files\\USB Display Adapter\\;C:\\Program Files\\Common Files\\Roxio Shared\\DLLShared\\;C:\\Program Files\\Common Files\\Roxio Shared\\DLLShared\\;C:\\Program Files\\Common Files\\Roxio Shared\\9.0\\DLLShared\\;C:\\Program Files\\TortoiseSVN\\bin;C:\\bin;C:\\ruby\\bin;C:\\Program Files\\PostgreSQL\\8.3\\bin;C:\\Program Files\\Vim\\vim72;C:\\cygwin\\bin;C:\\narfonix\\aws\\ec2-api-tools-1.3-24159\\bin;C:\\Program Files\\GNU\\GnuPG\\pub;C:\\Program Files\\QuickTime\\QTSystem\\;C:\\nmap

    You can see where “C:\nmap” has been added to the end.

  4. Save Environment Variable Options: Click the OK button at the bottom of the “Edit System Variable” window followed by OK at the bottom of Environment Variables. Last click OK at the bottom of “System Properties”.
  5. Test nmap On Windows XP: If you have any command prompt windows open go ahead and close them. Once you reopen them your new “Path” should be operational. You can start by running a command like the below against your router which we will assume has an IP of “”.

    Example Running Nmap On Windows XP:


    1. C:\\>nmap
    2. Starting Nmap 4.76 ( ) at 2009-01-05 20:23 Eastern Standard Time
    4. Interesting ports on
    5. Not shown: 996 closed ports
    7. 22/tcp open ssh
    8. 53/tcp open domain
    9. 80/tcp open http
    10. 443/tcp open https
    11. MAC Address: 00:18:39:AA:22:51 (Cisco-Linksys)
    13. Nmap done: 1 IP address (1 host up) scanned in 1.05 seconds
    15. C:\\>

    Above you will see there are four open ports which include SSH, DOMAIN, HTTP, and HTTPS on this Linksys wrt600n wireless router.

  6. Now nmap is installed and can be a very useful security and network troubleshooting tool. If you want to learn more about the available switches from the CLI just type nmap without anything else from the command prompt which will spit out the below.

    List Of Nmap Switches/Options Available On Windows XP:


    1. C:\\>nmap
    2. Nmap 4.76 ( )
    3. Usage: nmap [Scan Type(s)] [Options] {target specification}
    5. Can pass hostnames, IP addresses, networks, etc.
    6. Ex:,,; 10.0.0-255.1-254
    7. -iL : Input from list of hosts/networks
    8. -iR : Choose random targets
    9. --exclude : Exclude hosts/networks
    10. --excludefile : Exclude list from file
    12. -sL: List Scan - simply list targets to scan
    13. -sP: Ping Scan - go no further than determining if host is online
    14. -PN: Treat all hosts as online -- skip host discovery
    15. -PS/PA/PU [portlist]: TCP SYN/ACK or UDP discovery to given ports
    16. -PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
    17. -PO [protocol list]: IP Protocol Ping
    18. -n/-R: Never do DNS resolution/Always resolve [default: sometimes]
    19. --dns-servers : Specify custom DNS servers
    20. --system-dns: Use OS's DNS resolver
    22. -sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
    23. -sU: UDP Scan
    24. -sN/sF/sX: TCP Null, FIN, and Xmas scans
    25. --scanflags : Customize TCP scan flags
    26. -sI : Idle scan
    27. -sO: IP protocol scan
    28. -b : FTP bounce scan
    29. --traceroute: Trace hop path to each host
    30. --reason: Display the reason a port is in a particular state
    32. -p
    33. : Only scan specified ports
    34. Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080
    35. -F: Fast mode - Scan fewer ports than the default scan
    36. -r: Scan ports consecutively - don't randomize
    37. --top-ports : Scan most common ports
    38. --port-ratio : Scan ports more common than
    40. -sV: Probe open ports to determine service/version info
    41. --version-intensity : Set from 0 (light) to 9 (try all probes)
    42. --version-light: Limit to most likely probes (intensity 2)
    43. --version-all: Try every single probe (intensity 9)
    44. --version-trace: Show detailed version scan activity (for debugging)
    45. SCRIPT SCAN:
    46. -sC: equivalent to --script=default
    47. --script=: is a comma separated list of directories, script-files or script-categories
    48. --script-args=: provide arguments to scripts
    49. --script-trace: Show all data sent and received
    50. --script-updatedb: Update the script database.
    52. -O: Enable OS detection
    53. --osscan-limit: Limit OS detection to promising targets
    54. --osscan-guess: Guess OS more aggressively
    56. Options which take are in milliseconds, unless you append 's'
    57. (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).
    58. -T[0-5]: Set timing template (higher is faster)
    59. --min-hostgroup/max-hostgroup : Parallel host scan group sizes
    60. --min-parallelism/max-parallelism : Probe parallelization
    61. --min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout : Specifies
    62. probe round trip time.
    63. --max-retries
    64. : Caps number of port scan probe retransmissions.
    65. --host-timeout : Give up on target after this long
    66. --scan-delay/--max-scan-delay : Adjust delay between probes
    67. --min-rate : Send packets no slower than per second
    68. --max-rate : Send packets no faster than per second
    70. -f; --mtu : fragment packets (optionally w/given MTU)
    71. -D : Cloak a scan with decoys
    72. -S : Spoof source address
    73. -e : Use specified interface
    74. -g/--source-port
    75. : Use given port number
    76. --data-length : Append random data to sent packets
    77. --ip-options : Send packets with specified ip options
    78. --ttl : Set IP time-to-live field
    79. --spoof-mac : Spoof your MAC address
    80. --badsum: Send packets with a bogus TCP/UDP checksum
    81. OUTPUT:
    82. -oN/-oX/-oS/-oG : Output scan in normal, XML, s| and Grepable format, respectively, to the given filename.
    83. -oA : Output in the three major formats at once
    84. -v: Increase verbosity level (use twice or more for greater effect)
    85. -d[level]: Set or increase debugging level (Up to 9 is meaningful)
    86. --open: Only show open (or possibly open) ports
    87. --packet-trace: Show all packets sent and received
    88. --iflist: Print host interfaces and routes (for debugging)
    89. --log-errors: Log errors/warnings to the normal-format output file
    90. --append-output: Append to rather than clobber specified output files
    91. --resume : Resume an aborted scan
    92. --stylesheet
    93. : XSL stylesheet to transform XML output to HTML
    94. --webxml: Reference stylesheet from Nmap.Org for more portable XML
    95. --no-stylesheet: Prevent associating of XSL stylesheet w/XML output
    96. MISC:
    97. -6: Enable IPv6 scanning
    98. -A: Enables OS detection and Version detection, Script scanning and Traceroute
    100. --datadir : Specify custom Nmap data file location
    101. --send-eth/--send-ip: Send using raw ethernet frames or IP packets
    102. --privileged: Assume that the user is fully privileged
    103. --unprivileged: Assume the user lacks raw socket privileges
    104. -V: Print version number
    105. -h: Print this help summary page.
    106. EXAMPLES:
    107. nmap -v -A
    108. nmap -v -sP
    109. nmap -v -iR 10000 -PN -p 80
    112. C:\\>

Once you are familiar with nmap you will find yourself using it all the time. Nmap is a very useful security tool that can be used to troubleshoot all sorts of technical issues no matter the operating system you are using.

Nmap Cookbook: The Fat-free Guide to Network Scanning (Paperback)

List Price: $19.95
New From: $49.99 USD In Stock
Used from: $25.00 USD In Stock

Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning (Paperback)

List Price: $49.95 USD
New From: $29.75 USD In Stock
Used from: $27.05 USD In Stock