How to Install Nmap on Debian 13, 12 and 11

Finding which hosts answer, which ports are open, and which services are exposed is much easier once Nmap is available from the terminal. Debian’s default APT package is the lowest-maintenance install path, while the manual source-build method gives you the latest upstream release when you accept separate update and cleanup ownership.

Debian 13 (Trixie), Debian 12 (Bookworm), and Debian 11 (Bullseye) all provide Nmap from the default main repository. The source workflow currently resolves Nmap 7.99 from upstream. On Debian 11, that upstream release needs the documented OpenSSL-disabled configure branch; use the Debian package instead when you need Debian 11’s packaged SSL and SSH2-enabled build.

Install Nmap on Debian

Choose an Nmap Install Method

Pick one install path and keep its update and removal commands with it. Mixing APT and source builds can leave /usr/local/bin/nmap ahead of Debian’s packaged /usr/bin/nmap in your shell path.

Method	Version Source	Update Owner	Best For
APT package	Debian repository	apt upgrade	Most systems, stable maintenance, Debian security updates
Manual source build	Latest upstream Nmap tarball	update-nmap helper or repeated source build	Users who need the newest upstream Nmap release and can maintain /usr/local installs

Install Nmap with APT

Refresh APT before installing Nmap so Debian uses current package metadata from the enabled repositories:

sudo apt update

Install the packaged Nmap build from Debian’s default repository:

sudo apt install nmap

The nmap package installs the scanner, the nping packet-generation tool, and the shared nmap-common data package. On packaged installs, the NSE scripts live under /usr/share/nmap/scripts/ and are owned by nmap-common. Debian keeps ncat and ndiff as separate suggested packages, so install them only when you need those companion tools.

sudo apt install ncat ndiff

Installing ncat can also provide the nc alternative on Debian systems, while ndiff pulls in Python XML/HTML parsing dependencies used by the comparison tool. The zenmap graphical frontend has a default repository candidate on Debian 13, but not on default Debian 12 or Debian 11 sources, so verify apt-cache policy zenmap before treating it as an available GUI package.

Confirm that the shell can find Nmap and that the installed binary runs:

command -v nmap
nmap --version

The Debian package records for Nmap differ by release because each release freezes and maintains its own package set:

Debian Release	Repository Package	Runtime Version
Debian 13 (Trixie)	7.95+dfsg-3	Nmap version 7.95
Debian 12 (Bookworm)	7.93+dfsg1-1	Nmap version 7.93
Debian 11 (Bullseye)	7.91+dfsg1+really7.80+dfsg1-2	Nmap version 7.80

If you need to inspect the package candidate on your own system, use APT’s policy view:

apt-cache policy nmap nmap-common ncat ndiff

Build Latest Nmap from Source

Use the official Nmap source archive when you deliberately need an upstream release newer than Debian provides. This method installs under /usr/local, checks the upstream SHA256 digest, and stores the configured source tree under /usr/local/src/nmap-current so removal can use Nmap’s own uninstall target.

Install the compiler and development headers needed for the source build:

sudo apt update
sudo apt install build-essential bzip2 ca-certificates curl libpcap-dev libpcre2-dev libssl-dev libssh2-1-dev pkg-config zlib1g-dev

The source commands use curl for HTTPS downloads and sha256sum for the upstream digest check.

Create a source workspace, resolve the latest stable archive from the upstream download page, and download both the tarball and its published digest file:

mkdir -p ~/nmap-source
cd ~/nmap-source

NMAP_ARCHIVE=$(curl -fsSL https://nmap.org/download.html | grep -Eo 'nmap-[0-9]+\.[0-9]+\.tar\.bz2' | sort -V | tail -n 1)
NMAP_VER=${NMAP_ARCHIVE#nmap-}
NMAP_VER=${NMAP_VER%.tar.bz2}
printf 'Latest Nmap source: %s\n' "$NMAP_VER"

curl -fLO "https://nmap.org/dist/$NMAP_ARCHIVE"
curl -fLo "$NMAP_ARCHIVE.digest.txt" "https://nmap.org/dist/sigs/$NMAP_ARCHIVE.digest.txt"

Extract the SHA256 value from the upstream digest file and verify the downloaded archive before compiling it:

NMAP_SHA256=$(awk '
/SHA256 =/ {
  sub(/^.*SHA256 = /, "")
  gsub(/[[:space:]]/, "")
  hash = $0
  getline
  gsub(/[[:space:]]/, "")
  hash = hash $0
  print tolower(hash)
  exit
}
' "$NMAP_ARCHIVE.digest.txt")

printf '%s  %s\n' "$NMAP_SHA256" "$NMAP_ARCHIVE" | sha256sum -c -

A successful check prints the archive name followed by OK:

nmap-7.99.tar.bz2: OK

Extract, configure, compile, and install the verified source. The Debian 11 branch disables OpenSSL for this upstream release because the Nmap 7.99 source does not compile cleanly against Debian 11’s OpenSSL headers; Debian 12 and Debian 13 keep OpenSSL enabled.

tar -xjf "$NMAP_ARCHIVE"
cd "nmap-$NMAP_VER"

CONFIGURE_FLAGS=(--with-localdirs)
. /etc/os-release
if [ "${ID:-}" = "debian" ] && [ "${VERSION_ID%%.*}" = "11" ]; then
  CONFIGURE_FLAGS+=(--without-openssl)
fi

./configure "${CONFIGURE_FLAGS[@]}"
make -j"$(nproc)"
sudo make install

Register the configured source tree as the source-build owner for future removal. These paths belong to this manual method, not to Debian packages.

sudo install -d -m 0755 /usr/local/src
sudo rm -rf "/usr/local/src/nmap-$NMAP_VER"
sudo cp -a "$PWD" "/usr/local/src/nmap-$NMAP_VER"
sudo ln -sfn "/usr/local/src/nmap-$NMAP_VER" /usr/local/src/nmap-current

Verify the source-built commands from /usr/local/bin:

/usr/local/bin/nmap --version
/usr/local/bin/ncat --version
/usr/local/bin/nping --version

The upstream source build installs Nmap, Ncat, and Nping in this workflow. It does not install ndiff or Zenmap with the documented configure path, so use Debian’s ndiff package when you need the comparison tool.

Create an update helper for source-built Nmap. It repeats the release lookup, digest verification, build, install, and managed source-tree registration steps.

cat <<'EOF' | sudo tee /usr/local/bin/update-nmap > /dev/null
#!/usr/bin/env bash
set -euo pipefail

if [ "${EUID:-$(id -u)}" -ne 0 ]; then
  printf '%s\n' 'Run this script with sudo: sudo update-nmap'
  exit 1
fi

for cmd in awk curl grep install ln make mktemp mv nproc rm sha256sum sort tar; do
  if ! command -v "$cmd" >/dev/null 2>&1; then
    printf 'Missing required command: %s\n' "$cmd" >&2
    exit 1
  fi
done

CONFIGURE_FLAGS=(--with-localdirs)
if [ -r /etc/os-release ]; then
  . /etc/os-release
  if [ "${ID:-}" = debian ] && [ "${VERSION_ID%%.*}" = 11 ]; then
    CONFIGURE_FLAGS+=(--without-openssl)
  fi
fi

NMAP_ARCHIVE=$(curl -fsSL https://nmap.org/download.html | grep -Eo 'nmap-[0-9]+\.[0-9]+\.tar\.bz2' | sort -V | tail -n 1)
if [ -z "$NMAP_ARCHIVE" ]; then
  printf '%s\n' 'Could not determine the latest Nmap source archive.' >&2
  exit 1
fi

NMAP_VER=${NMAP_ARCHIVE#nmap-}
NMAP_VER=${NMAP_VER%.tar.bz2}
CURRENT_VER=$({ /usr/local/bin/nmap --version 2>/dev/null || true; } | awk '/^Nmap version / {print $3; exit}')
CURRENT_VER=${CURRENT_VER:-0}

printf 'Current source-built Nmap: %s\n' "$CURRENT_VER"
printf 'Latest upstream Nmap:     %s\n' "$NMAP_VER"

if [ "$CURRENT_VER" = "$NMAP_VER" ]; then
  printf '%s\n' 'Nmap is already up to date.'
  exit 0
fi

BUILD_DIR=$(mktemp -d)
trap 'rm -rf "$BUILD_DIR"' EXIT
cd "$BUILD_DIR"

curl -fLO "https://nmap.org/dist/$NMAP_ARCHIVE"
curl -fLo "$NMAP_ARCHIVE.digest.txt" "https://nmap.org/dist/sigs/$NMAP_ARCHIVE.digest.txt"

NMAP_SHA256=$(awk '
/SHA256 =/ {
  sub(/^.*SHA256 = /, "")
  gsub(/[[:space:]]/, "")
  hash = $0
  getline
  gsub(/[[:space:]]/, "")
  hash = hash $0
  print tolower(hash)
  exit
}
' "$NMAP_ARCHIVE.digest.txt")
if [ -z "$NMAP_SHA256" ]; then
  printf '%s\n' 'Could not parse the SHA256 digest.' >&2
  exit 1
fi
printf '%s  %s\n' "$NMAP_SHA256" "$NMAP_ARCHIVE" | sha256sum -c -

tar -xjf "$NMAP_ARCHIVE"
cd "nmap-$NMAP_VER"
./configure "${CONFIGURE_FLAGS[@]}"
make -j"$(nproc)"
make install

cd "$BUILD_DIR"
install -d -m 0755 /usr/local/src
rm -rf "/usr/local/src/nmap-$NMAP_VER"
mv "nmap-$NMAP_VER" "/usr/local/src/nmap-$NMAP_VER"
ln -sfn "/usr/local/src/nmap-$NMAP_VER" /usr/local/src/nmap-current
/usr/local/bin/nmap --version
EOF

sudo chmod 0755 /usr/local/bin/update-nmap
command -v update-nmap

Run the helper after creating it or whenever you want to check for a newer upstream source release:

sudo update-nmap

If the current source-built release is already installed, the helper exits without rebuilding:

Current source-built Nmap: 7.99
Latest upstream Nmap:     7.99
Nmap is already up to date.

Use Nmap on Debian

Scan only systems and networks you own or have explicit permission to test. Nmap can generate traffic that security tools treat as reconnaissance, especially when you run OS detection, SYN scans, UDP scans, or broad port sweeps.

Run a Local Port Check

Start with a local scan that checks a few common TCP ports on the Debian system itself:

nmap -p 22,80,443 127.0.0.1

Output varies with the services running on your system. On Debian 13, a typical result looks like this; Debian 12 and Debian 11 show their packaged Nmap versions instead when installed through APT:

Starting Nmap 7.95 ( https://nmap.org )
Nmap scan report for localhost (127.0.0.1)
Host is up.

PORT    STATE  SERVICE
22/tcp  open   ssh
80/tcp  closed http
443/tcp closed https

Scan a Host or Name You Control

Replace the example address or hostname with a system you are allowed to scan:

nmap 192.168.1.10
nmap server.example.com

For a faster first pass over the most common ports, use -F:

nmap -F 192.168.1.10

Scan Specific Ports

Use -p when you want to check only selected ports or a defined range:

nmap -p 22,80,443 192.168.1.10
nmap -p 1-1000 192.168.1.10
nmap -p- 192.168.1.10

The -p- form scans all 65,535 TCP ports, so expect it to take longer than a focused port list.

Use Privileged Scan Types

SYN scans and OS detection need raw socket access, so run those scan types with sudo:

sudo nmap -sS -p 22 192.168.1.10
sudo nmap -O 192.168.1.10

The first command performs a TCP SYN scan against port 22. The second asks Nmap to fingerprint the target operating system, which can be less reliable when the target has few open and closed ports for comparison.

Read Common Port States

State	Meaning
open	A service is accepting connections or packets on the port.
closed	The host responded, but no service is listening on that port.
filtered	Nmap cannot determine the port state because a firewall or packet filter blocked the probe or reply.

For deeper examples, timing templates, scan types, and NSE usage, continue with Nmap command examples.

Update Nmap on Debian

Update APT-Installed Nmap

APT updates the Debian-packaged Nmap build with the rest of the system packages:

sudo apt update
sudo apt upgrade

If you installed ncat or ndiff, the same upgrade process handles those packages too.

Update Source-Built Nmap

Source-built Nmap does not update through APT. Use the helper created earlier to check upstream, verify the digest, rebuild, install, and refresh /usr/local/src/nmap-current:

sudo update-nmap

The helper keeps the Debian 11 OpenSSL-disabled branch in place for Nmap 7.99. Debian 12 and Debian 13 source builds keep OpenSSL enabled when the development headers are installed.

Remove Nmap from Debian

Remove APT-Installed Nmap

Remove the core scanner package with APT:

sudo apt remove nmap

If you also installed the optional companion tools, remove them separately:

sudo apt remove ncat ndiff

Then review and remove dependencies APT no longer needs:

sudo apt autoremove

Remove Source-Built Nmap

Use the managed source tree created by the source method or update helper, then run Nmap’s uninstall target:

NMAP_SOURCE_DIR=$(readlink -f /usr/local/src/nmap-current)
cd "$NMAP_SOURCE_DIR"
sudo make uninstall
sudo rm -f /usr/local/bin/update-nmap /usr/local/src/nmap-current
sudo rm -rf "$NMAP_SOURCE_DIR" ~/nmap-source

Remove source-build dependencies only when you no longer need a compiler or development headers for other software:

sudo apt remove build-essential libpcap-dev libpcre2-dev libssl-dev libssh2-1-dev pkg-config zlib1g-dev
sudo apt autoremove

Confirm which Nmap command remains, if any:

command -v nmap

No output means Nmap is no longer in your shell path. A remaining /usr/bin/nmap path means the Debian package is still installed, while /usr/local/bin/nmap points to another manual install.

Troubleshoot Nmap on Debian

APT Cannot Locate the Nmap Package

Nmap is in Debian’s default main repository. If APT cannot find it, refresh package metadata and confirm the candidate:

sudo apt update
apt-cache policy nmap

If the policy output still shows no candidate, inspect your Debian source configuration before adding third-party repositories. A missing base repository, disabled main component, or broken mirror is more likely than Nmap being unavailable.

Nmap Command Not Found

If the shell reports nmap: command not found, verify the command path and reinstall the Debian package if no path appears:

command -v nmap
sudo apt install nmap

When command -v nmap points to /usr/local/bin/nmap, a source-built copy is taking precedence over Debian’s packaged /usr/bin/nmap.

Source Configure or Build Fails

Reinstall the documented build dependencies first, because missing development headers are the most common source-build failure:

sudo apt install build-essential bzip2 ca-certificates curl libpcap-dev libpcre2-dev libssl-dev libssh2-1-dev pkg-config zlib1g-dev

On Debian 11, Nmap 7.99 can fail in nse_ssl_cert.cc when OpenSSL support is enabled. Use the documented --without-openssl branch for the source build, or use Debian’s packaged Nmap when SSL and SSH2 support matter more than the latest upstream version.

Update Helper Reports a Missing Command

The source update helper depends on the same tools as the manual source build. Install the prerequisite packages again if the helper reports a missing command:

sudo apt install build-essential bzip2 ca-certificates curl pkg-config

Privileged Scan Fails Without Root

Scan types such as -sS, -O, and some UDP probes need raw socket access. Rerun those scans with sudo:

sudo nmap -sS -p 22 127.0.0.1

For unprivileged checks, a TCP connect scan can run without root, although it may be slower and easier for the target service to log:

nmap -sT -p 22 127.0.0.1

Conclusion

Nmap is installed on Debian either through APT for package-managed maintenance or through the manual source-build path for the latest upstream release. Use the UFW on Debian guide when scan results expose firewall gaps, or install Wireshark on Debian when packet capture would help explain the traffic behind a scan result.