How to Install nmap Security Scanner on Windows XP

Installing the nmap security scanner on Windows XP is fairly easy. The easiest way is to download and run the stable release executable from nmap’s download page, where you can also verify which release is the latest.

Once the nmap.exe file is downloaded, double click it and choose a location to unpack the files. The easiest place would be something like c:\nmap, or, if you have Cygwin installed, c:\cygwin\nmap. Make a note of the location, because you will need to add it to your PATH so that you can run nmap without having to be in the nmap directory.

To add the new directory to your PATH, follow the steps below.

Install Nmap, Network Mapper, On Windows XP:

  1. Open My Computer Properties: Right click on “My Computer” and select Properties.
  2. Edit Environment Variables: Once the “My Computer” properties window from step 1 is open, click the Advanced tab. At the bottom of the Advanced tab click the “Environment Variables” button, which will open a new window.
  3. Edit Path: In the second window titled “System variables” highlight the 6th option from the top titled “Path”. Once Path is highlighted, click the Edit button, which will open the Path configuration where you will see numerous entries separated by semicolons. You need to add the new path for nmap, such as “c:\nmap”, to the end of the list. Below is what the second line of the Path configuration will look like.

    Windows XP User PATH Environment Variable With Nmap Path Added:

    C:\Perl\site\bin;C:\Perl\bin;%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\Wave Systems Corp\Dell Preboot Manager\Access Client\v5\;C:\Program Files\Microsoft SQL Server\80\Tools\Binn\;C:\Program Files\Common Files\Adobe\AGL;C:\Program Files\USB Display Adapter\;C:\Program Files\Common Files\Roxio Shared\DLLShared\;C:\Program Files\Common Files\Roxio Shared\DLLShared\;C:\Program Files\Common Files\Roxio Shared\9.0\DLLShared\;C:\Program Files\TortoiseSVN\bin;C:\bin;C:\ruby\bin;C:\Program Files\PostgreSQL\8.3\bin;C:\Program Files\Vim\vim72;C:\cygwin\bin;C:\narfonix\aws\ec2-api-tools-1.3-24159\bin;C:\Program Files\GNU\GnuPG\pub;C:\Program Files\QuickTime\QTSystem\;C:\nmap

    You can see where “C:\nmap” has been added to the end.

  4. Save Environment Variable Options: Click the OK button at the bottom of the “Edit System Variable” window, followed by OK at the bottom of Environment Variables. Finally, click OK at the bottom of “System Properties”.
  5. Test nmap On Windows XP: If you have any command prompt windows open go ahead and close them. Once you reopen them your new “Path” should be operational. You can start by running a command like the below against your router which we will assume has an IP of “”.

    Example Running Nmap On Windows XP:

    Starting Nmap 4.76 ( ) at 2009-01-05 20:23 Eastern Standard Time
    Interesting ports on
    Not shown: 996 closed ports
    22/tcp open ssh
    53/tcp open domain
    80/tcp open http
    443/tcp open https
    MAC Address: 00:18:39:AA:22:51 (Cisco-Linksys)
    Nmap done: 1 IP address (1 host up) scanned in 1.05 seconds

    The output above shows four open ports, SSH, DOMAIN, HTTP, and HTTPS, on this Linksys WRT600N wireless router.

  6. Now nmap is installed and can be a very useful security and network troubleshooting tool. If you want to learn more about the switches available from the CLI, type nmap with no arguments at the command prompt, which will print the usage summary below.

    List Of Nmap Switches/Options Available On Windows XP:

    Nmap 4.76 ( )
    Usage: nmap [Scan Type(s)] [Options] {target specification}
    Can pass hostnames, IP addresses, networks, etc.
    Ex:,,; 10.0.0-255.1-254
    -iL : Input from list of hosts/networks
    -iR : Choose random targets
    --exclude : Exclude hosts/networks
    --excludefile : Exclude list from file
    -sL: List Scan - simply list targets to scan
    -sP: Ping Scan - go no further than determining if host is online
    -PN: Treat all hosts as online -- skip host discovery
    -PS/PA/PU [portlist]: TCP SYN/ACK or UDP discovery to given ports
    -PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
    -PO [protocol list]: IP Protocol Ping
    -n/-R: Never do DNS resolution/Always resolve [default: sometimes]
    --dns-servers : Specify custom DNS servers
    --system-dns: Use OS's DNS resolver
    -sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
    -sU: UDP Scan
    -sN/sF/sX: TCP Null, FIN, and Xmas scans
    --scanflags : Customize TCP scan flags
    -sI : Idle scan
    -sO: IP protocol scan
    -b : FTP bounce scan
    --traceroute: Trace hop path to each host
    --reason: Display the reason a port is in a particular state
    : Only scan specified ports
    Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080
    -F: Fast mode - Scan fewer ports than the default scan
    -r: Scan ports consecutively - don't randomize
    --top-ports : Scan most common ports
    --port-ratio : Scan ports more common than
    -sV: Probe open ports to determine service/version info
    --version-intensity : Set from 0 (light) to 9 (try all probes)
    --version-light: Limit to most likely probes (intensity 2)
    --version-all: Try every single probe (intensity 9)
    --version-trace: Show detailed version scan activity (for debugging)
    -sC: equivalent to --script=default
    --script=: is a comma separated list of directories, script-files or script-categories
    --script-args=: provide arguments to scripts
    --script-trace: Show all data sent and received
    --script-updatedb: Update the script database.
    -O: Enable OS detection
    --osscan-limit: Limit OS detection to promising targets
    --osscan-guess: Guess OS more aggressively
    Options which take are in milliseconds, unless you append 's'
    (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).
    -T[0-5]: Set timing template (higher is faster)
    --min-hostgroup/max-hostgroup : Parallel host scan group sizes
    --min-parallelism/max-parallelism : Probe parallelization
    --min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout : Specifies
    probe round trip time.
    : Caps number of port scan probe retransmissions.
    --host-timeout : Give up on target after this long
    --scan-delay/--max-scan-delay : Adjust delay between probes
    --min-rate : Send packets no slower than per second
    --max-rate : Send packets no faster than per second
    -f; --mtu : fragment packets (optionally w/given MTU)
    -D : Cloak a scan with decoys
    -S : Spoof source address
    -e : Use specified interface
    : Use given port number
    --data-length : Append random data to sent packets
    --ip-options : Send packets with specified ip options
    --ttl : Set IP time-to-live field
    --spoof-mac : Spoof your MAC address
    --badsum: Send packets with a bogus TCP/UDP checksum
    -oN/-oX/-oS/-oG : Output scan in normal, XML, s| and Grepable format, respectively, to the given filename.
    -oA : Output in the three major formats at once
    -v: Increase verbosity level (use twice or more for greater effect)
    -d[level]: Set or increase debugging level (Up to 9 is meaningful)
    --open: Only show open (or possibly open) ports
    --packet-trace: Show all packets sent and received
    --iflist: Print host interfaces and routes (for debugging)
    --log-errors: Log errors/warnings to the normal-format output file
    --append-output: Append to rather than clobber specified output files
    --resume : Resume an aborted scan
    : XSL stylesheet to transform XML output to HTML
    --webxml: Reference stylesheet from Nmap.Org for more portable XML
    --no-stylesheet: Prevent associating of XSL stylesheet w/XML output
    -6: Enable IPv6 scanning
    -A: Enables OS detection and Version detection, Script scanning and Traceroute
    --datadir : Specify custom Nmap data file location
    --send-eth/--send-ip: Send using raw ethernet frames or IP packets
    --privileged: Assume that the user is fully privileged
    --unprivileged: Assume the user lacks raw socket privileges
    -V: Print version number
    -h: Print this help summary page.
    nmap -v -A
    nmap -v -sP
    nmap -v -iR 10000 -PN -p 80

Once you are familiar with nmap you will find yourself using it all the time. Nmap is a very useful security tool that can be used to troubleshoot all sorts of technical issues no matter the operating system you are using.
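
The scan result from step 5 can also be checked automatically. The following Python script is an added example, not part of the original article: it parses Nmap's normal output and reports open ports that are not on an expected list. The `ALLOWED` policy and the function names are assumptions made for illustration, and the parser also accepts the "Nmap scan report for" header used by newer Nmap releases.

```python
import re

# Scan output copied from step 5 of the article. The target address is
# already missing on the page, so the parsed host field comes back empty.
SAMPLE = """\
Starting Nmap 4.76 ( ) at 2009-01-05 20:23 Eastern Standard Time
Interesting ports on
Not shown: 996 closed ports
22/tcp open ssh
53/tcp open domain
80/tcp open http
443/tcp open https
MAC Address: 00:18:39:AA:22:51 (Cisco-Linksys)
Nmap done: 1 IP address (1 host up) scanned in 1.05 seconds
"""

# Hypothetical policy for this router (an assumption, not from the article).
ALLOWED = {(53, "tcp"), (80, "tcp"), (443, "tcp")}

HOST_RE = re.compile(r"^(?:Interesting ports on|Nmap scan report for)\s*(.*?):?\s*$")
PORT_RE = re.compile(r"^(\d{1,5})/(tcp|udp)\s+(\S+)\s+(\S+)")
MAC_RE = re.compile(r"^MAC Address:\s+([0-9A-Fa-f:]{17})(?:\s+\((.*)\))?")

def parse_scan(text):
    """Return one dict per host block found in Nmap normal output."""
    hosts, current = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        m = HOST_RE.match(line)
        if m:  # a new host block starts here
            current = {"host": m.group(1), "mac": None, "vendor": None, "ports": []}
            hosts.append(current)
            continue
        if current is None:
            continue  # banner lines before the first host block
        m = PORT_RE.match(line)
        if m:
            current["ports"].append({"port": int(m.group(1)), "proto": m.group(2),
                                     "state": m.group(3), "service": m.group(4)})
            continue
        m = MAC_RE.match(line)
        if m:
            current["mac"], current["vendor"] = m.group(1), m.group(2)
    return hosts

def unexpected_open(host, allowed):
    """List (port, proto, service) for open ports missing from the allow list."""
    return sorted((p["port"], p["proto"], p["service"]) for p in host["ports"]
                  if p["state"] == "open" and (p["port"], p["proto"]) not in allowed)

if __name__ == "__main__":
    for h in parse_scan(SAMPLE):
        print(h["host"] or "(no address)", h["mac"], unexpected_open(h, ALLOWED))
```

Normal output is meant for reading; for scheduled checks, the `-oX` XML output listed in the help text above is the format intended for programs to parse.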
