Target specification

| Example | Description |
|---|---|
| nmap 192.168.1.1 | Scan a single IP |
| nmap 192.168.1.1 192.168.2.1 | Scan specific IPs |
| nmap 192.168.1.1-254 | Scan a range |
| nmap scanme.nmap.org | Scan a domain |
| nmap 192.168.1.0/24 | Scan using CIDR notation |
| nmap -iL targets.txt | Scan targets from a file |
| nmap -iR 100 | Scan 100 random hosts |
| nmap --exclude 192.168.1.1 | Exclude listed hosts |
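The target forms in the table above (single address, per-octet ranges, CIDR, hostnames, exclusions) share one grammar. The following is an added example, not part of the original cheat sheet or of nmap itself: a small Python expander that turns these specs into the concrete addresses a scan would touch, which is useful for validating scope before a scan or for building an inventory to compare results against. It assumes IPv4 only, does not resolve hostnames (it passes them through unchanged), and, like nmap, applies a CIDR mask to the address as given, so `192.168.1.1/24` covers all 256 addresses of the /24.

```python
import ipaddress
from itertools import product
from typing import Iterable, Iterator, List


def _octet_values(part: str) -> List[int]:
    """Expand one dotted-quad component: "5", "1-254", "1,5,9" or "-" (all of 0-255)."""
    values: List[int] = []
    for piece in part.split(","):
        if piece == "-":
            lo, hi = 0, 255
        elif "-" in piece:
            a, b = piece.split("-", 1)
            lo = int(a) if a else 0      # "-254" means 0-254
            hi = int(b) if b else 255    # "1-" means 1-255
        else:
            lo = hi = int(piece)
        if not (0 <= lo <= hi <= 255):
            raise ValueError(f"octet range out of bounds: {piece!r}")
        values.extend(range(lo, hi + 1))
    return values


def _looks_like_octet_spec(spec: str) -> bool:
    parts = spec.split(".")
    return len(parts) == 4 and all(
        p and (p == "-" or p.replace("-", "").replace(",", "").isdigit()) for p in parts
    )


def expand_target(spec: str) -> Iterator[str]:
    """Yield every IPv4 address an nmap-style target spec covers.

    Hostnames are yielded unchanged: nmap would resolve them, this helper does not.
    """
    if "/" in spec:
        base, _, bits = spec.partition("/")
        # strict=False masks the host bits, matching nmap's handling of 192.168.1.1/24
        for addr in ipaddress.ip_network(f"{base}/{bits}", strict=False):
            yield str(addr)
        return
    if not _looks_like_octet_spec(spec):
        yield spec
        return
    for combo in product(*(_octet_values(p) for p in spec.split("."))):
        yield ".".join(str(o) for o in combo)


def expand_targets(specs: Iterable[str], exclude: Iterable[str] = ()) -> List[str]:
    """Expand several specs in order, dropping duplicates and anything in the exclude list (cf. --exclude)."""
    excluded = set()
    for e in exclude:
        excluded.update(expand_target(e))
    out: List[str] = []
    seen = set()
    for spec in specs:
        for addr in expand_target(spec):
            if addr in excluded or addr in seen:
                continue
            seen.add(addr)
            out.append(addr)
    return out


if __name__ == "__main__":
    # Constructed scope: a /24 minus the gateway, plus one extra range
    scope = expand_targets(["192.168.1.0/24", "192.168.2.1-10"], exclude=["192.168.1.1"])
    print(len(scope), "addresses in scope; first:", scope[0], "last:", scope[-1])
```

Counting the result before scanning is a cheap sanity check: a typo such as `192.168.1.1-254/24` or an extra octet range can silently turn a handful of hosts into tens of thousands.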
Nmap scan techniques

| Example | Description |
|---|---|
| nmap 192.168.1.1 -sS | TCP SYN port scan (default) |
| nmap 192.168.1.1 -sT | TCP connect port scan |
| nmap 192.168.1.1 -sU | UDP port scan |
| nmap 192.168.1.1 -sA | TCP ACK port scan |
| nmap 192.168.1.1 -sW | TCP Window port scan |
| nmap 192.168.1.1 -sM | TCP Maimon port scan |
Host discovery

| Example | Description |
|---|---|
| nmap 192.168.1.1-3 -sL | No scan. List targets only. |
| nmap 192.168.1.1/24 -sn | Disable port scanning. Host discovery only. |
| nmap 192.168.1.1-5 -Pn | Disable host discovery. Port scan only. |
| nmap 192.168.1.1-5 -PS22-25,80 | TCP SYN discovery on ports 22-25, 80 (port 80 by default) |
| nmap 192.168.1.1-5 -PA22-25,80 | TCP ACK discovery on ports 22-25, 80 (port 80 by default) |
| nmap 192.168.1.1-5 -PU53 | UDP discovery on port 53 (port 40125 by default) |
| nmap 192.168.1.1-1/24 -PR | ARP discovery on local network |
| nmap 192.168.1.1 -n | Never do DNS resolution |
Port specification

| Example | Description |
|---|---|
| nmap 192.168.1.1 -p 21 | Port scan for port 21 |
| nmap 192.168.1.1 -p 21-100 | Port scan for range 21-100 |
| nmap 192.168.1.1 -p U:53,T:21-25,80 | Port scan multiple TCP and UDP ports |
| nmap 192.168.1.1 -p- | Port scan all ports |
| nmap 192.168.1.1 -p http,https | Port scan from service name |
| nmap 192.168.1.1 -F | Fast port scan (100 ports) |
| nmap 192.168.1.1 --top-ports 2000 | Port scan the top 2000 ports |
| nmap 192.168.1.1 -p-65535 | Leaving off the initial port in the range makes the scan start at port 1 |
| nmap 192.168.1.1 -p0- | Leaving off the end port in the range makes the scan go through to port 65535 |
Service and version detection

| Example | Description |
|---|---|
| nmap 192.168.1.1 -sV | Attempts to determine the version of the service running on each port. |
| nmap 192.168.1.1 -sV --version-intensity 8 | Intensity level 0-9. A higher number increases the likelihood of a correct match. |
| nmap 192.168.1.1 -sV --version-light | Enable light mode (intensity 2). Lower likelihood of a correct match. Faster. |
| nmap 192.168.1.1 -sV --version-all | Enable intensity level 9. Higher likelihood of a correct match. Slower. |
| nmap 192.168.1.1 -A | Enable OS detection, version detection, script scanning, and traceroute. |
OS detection

| Example | Description |
|---|---|
| nmap 192.168.1.1 -O | Remote OS detection using TCP/IP stack fingerprinting |
| nmap 192.168.1.1 -O --osscan-limit | Skip OS detection against hosts that do not have at least one open and one closed TCP port. |
| nmap 192.168.1.1 -O --osscan-guess | Makes nmap guess more aggressively. |
| nmap 192.168.1.1 -O --max-os-tries 1 | Set the maximum number of OS detection tries |
| nmap 192.168.1.1 -A | Enables OS detection, version detection, script scanning, and traceroute. |
Timing and performance

| Example | Description |
|---|---|
| nmap 192.168.1.1 -T0 | Paranoid (0) IDS evasion |
| nmap 192.168.1.1 -T1 | Sneaky (1) IDS evasion |
| nmap 192.168.1.1 -T2 | Polite (2) slows down the scan to use less bandwidth and fewer target-machine resources. |
| nmap 192.168.1.1 -T3 | Normal (3), which is the default speed. |
| nmap 192.168.1.1 -T4 | Aggressive (4) speed scan. Assumes you are on a reasonably fast and reliable network. |
| nmap 192.168.1.1 -T5 | Insane (5) speed scan. Assumes you are on an extraordinarily fast network. |
Timing and performance switches

| Example | Description |
|---|---|
| --host-timeout 1s; --host-timeout 4m | Give up on a target after this long. |
| --min-rtt-timeout/--max-rtt-timeout/--initial-rtt-timeout 4m | Specifies probe round-trip time. |
| --min-hostgroup/--max-hostgroup 50 | Parallel host scan group sizes |
| --min-parallelism/--max-parallelism 10 | Probe parallelization |
| --max-retries 3 | Specify the maximum number of port scan probe retransmissions. |
| --min-rate 100 | Send packets no slower than 100 per second |
| --max-rate 100 | Send packets no faster than 100 per second |
NSE scripts

| Example | Description |
|---|---|
| nmap 192.168.1.1 -sC | Scan with default NSE scripts. Useful and safe. |
| nmap 192.168.1.1 --script default | Scan with default NSE scripts. |
| nmap 192.168.1.1 --script=banner | Scan with a single script. Example: banner. |
| nmap 192.168.1.1 --script=http* | Scan with a wildcard. Example: http. |
| nmap 192.168.1.1 --script=http,banner | Scan with two scripts. Example: http and banner. |
| nmap 192.168.1.1 --script "not intrusive" | Scan default, but remove intrusive scripts. |
| nmap --script snmp-sysdescr --script-args snmpcommunity=admin 192.168.1.1 | NSE script with arguments |
Useful NSE script examples

| Example | Description |
|---|---|
| nmap -Pn --script=http-sitemap-generator scanme.nmap.org | HTTP site map generator |
| nmap -n -Pn -p 80 --open -sV -vvv --script banner,http-title -iR 1000 | Fast search for random web servers |
| nmap -Pn --script=dns-brute domain.com | Brute-forces DNS hostnames, guessing subdomains |
| nmap -n -Pn -vv -O -sV --script smb-enum*,smb-ls,smb-mbenum,smb-os-discovery,smb-s*,smb-vuln*,smbv2* -vv 192.168.1.1 | Safe SMB scripts to run |
| nmap --script whois* domain.com | Whois query |
| nmap -p80 --script http-unsafe-output-escaping scanme.nmap.org | Detect cross-site scripting vulnerabilities |
| nmap -p80 --script http-sql-injection scanme.nmap.org | Check for SQL injections |
Firewall/IDS evasion and spoofing

| Example | Description |
|---|---|
| nmap 192.168.1.1 -f | Requested scan (including ping scans) uses tiny fragmented IP packets. Harder for packet filters. |
| nmap 192.168.1.1 --mtu 32 | Set your own offset size |
| nmap -D 192.168.1.101,192.168.1.102,192.168.1.103 | Send scans from spoofed IPs |
| nmap -D decoy-ip1,decoy-ip2,your-own-ip | Same as above |
| nmap -S www.microsoft.com www.facebook.com | Scan Facebook from Microsoft (-e eth0 -Pn may be required) |
| nmap -g 53 192.168.1.1 | Use given source port number |
| nmap --proxies http://192.168.1.1:8080,http://192.168.1.2:8080 192.168.1.1 | Relay connections through HTTP/SOCKS4 proxies |
| nmap --data-length 200 192.168.1.1 | Appends random data to sent packets |
Output

| Example | Description |
|---|---|
| nmap 192.168.1.1 -oN normal.file | Normal output to the file normal.file |
| nmap 192.168.1.1 -oX xml.file | XML output to the file xml.file |
| nmap 192.168.1.1 -oG grep.file | Grepable output to the file grep.file |
| nmap 192.168.1.1 -oA results | Output in the three major formats at once |
| nmap 192.168.1.1 -oG - | Grepable output to screen. -oN, -oX also usable. |
| nmap 192.168.1.1 -oN file.txt --append-output | Append a scan to a previous scan file |
| nmap 192.168.1.1 -v | Increase verbosity level (use -vv or more) |
| nmap 192.168.1.1 -d | Increase debugging level (use -dd or more) |
| nmap 192.168.1.1 --reason | Display the reason a port is in a particular state, same output as -vv |
| nmap 192.168.1.1 --open | Only show open (or possibly open) ports |
| nmap 192.168.1.1 -T4 --packet-trace | Show all packets sent and received |
| nmap --iflist | Shows the host interfaces and routes |
| nmap --resume results.file | Resume a scan from results.file |
Helpful nmap output examples

| Example | Description |
|---|---|
| nmap -p80 -sV -oG - --open 192.168.1.1/24 \| grep open | Scan the /24 for web servers and show only the hosts with port 80 open |
| nmap -iR 10 -n -oX out.xml \| grep "Nmap" | Scan 10 random hosts to XML and grep the "Nmap" summary lines |
| nmap -iR 10 -n -oX out2.xml \| grep "Nmap" | Same as above, written to a second XML file |
| ndiff scan.xml scan2.xml | Compare the output of two scan results |
| xsltproc nmap.xml -o nmap.html | Convert nmap XML files to HTML files |
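Grepping `-oG` output works for one-off checks, but the `-oX` format is what you want when scan results feed a process: an asset inventory, a baseline of expected services, or an alert when something opens that should not be open. The following is an added example, not part of the original cheat sheet or of nmap: a Python parser for the XML that `-oX` writes, a simple `ndiff`-style comparison between two scans, and a check of a scan against an allowlist of expected services. The two XML documents are constructed here to look like trimmed `nmap -sV -oX` output; the addresses, products and the baseline are made up for the demonstration.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Set, Tuple

PortMap = Dict[str, Dict[str, str]]   # "tcp/22" -> {"service": "ssh", "product": "OpenSSH 8.9p1"}
ScanMap = Dict[str, PortMap]          # "192.168.1.10" -> PortMap

# Constructed sample: what a trimmed `nmap -sV -oX` file looks like (not a real scan)
SCAN_BEFORE = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX before.xml 192.168.1.0/24">
 <host><status state="up" reason="arp-response"/><address addr="192.168.1.10" addrtype="ipv4"/><ports>
  <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh" product="OpenSSH" version="8.9p1"/></port>
  <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http" product="nginx"/></port>
  <port protocol="tcp" portid="443"><state state="closed" reason="reset"/></port>
 </ports></host>
 <host><status state="up" reason="arp-response"/><address addr="192.168.1.20" addrtype="ipv4"/><ports>
  <port protocol="tcp" portid="3389"><state state="open" reason="syn-ack"/><service name="ms-wbt-server"/></port>
 </ports></host>
</nmaprun>"""

SCAN_AFTER = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX after.xml 192.168.1.0/24">
 <host><status state="up" reason="arp-response"/><address addr="192.168.1.10" addrtype="ipv4"/><ports>
  <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh" product="OpenSSH" version="8.9p1"/></port>
  <port protocol="tcp" portid="80"><state state="closed" reason="reset"/></port>
  <port protocol="tcp" portid="8080"><state state="open" reason="syn-ack"/><service name="http-proxy"/></port>
 </ports></host>
 <host><status state="down" reason="no-response"/><address addr="192.168.1.20" addrtype="ipv4"/></host>
 <host><status state="up" reason="arp-response"/><address addr="192.168.1.30" addrtype="ipv4"/><ports>
  <port protocol="tcp" portid="445"><state state="open" reason="syn-ack"/><service name="microsoft-ds"/></port>
 </ports></host>
</nmaprun>"""


def parse_open_ports(xml_text: str) -> ScanMap:
    """Return the open ports (plus whatever -sV learned) of every host reported as up."""
    result: ScanMap = {}
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        addr_el = host.find("address[@addrtype='ipv4']")
        if status is None or status.get("state") != "up" or addr_el is None:
            continue  # down hosts carry no port data worth keeping
        ports: PortMap = {}
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            product = " ".join(p for p in (svc.get("product"), svc.get("version")) if p) if svc is not None else ""
            ports[f"{port.get('protocol')}/{port.get('portid')}"] = {
                "service": svc.get("name", "") if svc is not None else "",
                "product": product,
            }
        result[addr_el.get("addr")] = ports
    return result


def diff_scans(old: ScanMap, new: ScanMap) -> Dict[str, list]:
    """ndiff-style comparison: hosts that appeared or vanished, ports that opened or closed."""
    report: Dict[str, list] = {"new_hosts": [], "gone_hosts": [], "opened": [], "closed": []}
    for addr in sorted(set(old) | set(new)):
        before: Set[str] = set(old.get(addr, {}))
        after: Set[str] = set(new.get(addr, {}))
        if addr not in old:
            report["new_hosts"].append(addr)
        elif addr not in new:
            report["gone_hosts"].append(addr)
        report["opened"].extend((addr, p) for p in sorted(after - before))
        report["closed"].extend((addr, p) for p in sorted(before - after))
    return report


def unexpected_services(scan: ScanMap, baseline: Dict[str, Set[str]]) -> List[Tuple[str, str]]:
    """Open ports that the baseline of expected services does not list for that host."""
    return sorted((addr, p) for addr, ports in scan.items() for p in ports if p not in baseline.get(addr, set()))


if __name__ == "__main__":
    before, after = parse_open_ports(SCAN_BEFORE), parse_open_ports(SCAN_AFTER)
    print(diff_scans(before, after))
    # Constructed baseline: only ssh on .10 is expected; everything else is worth a look
    print(unexpected_services(after, {"192.168.1.10": {"tcp/22"}}))
```

Run this on two `-oX` files from the same target list taken a day apart and the `opened` and `new_hosts` lists are the change events a detection pipeline would raise; the allowlist check is the steady-state version of the same question and does not need a previous scan at all.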
Other useful nmap commands

| Example | Description |
|---|---|
| nmap -iR 10 -PS22-25,80,113,1050,35000 -v -sn | Host discovery only on the listed ports, no port scan |
| nmap 192.168.1.1-1/24 -PR -sn -vv | ARP discovery only on local network, no port scan |
| nmap -iR 10 -sn --traceroute | Traceroute to random targets, no port scan |
| nmap 192.168.1.1-50 -sL --dns-servers 192.168.1.1 | Query the internal DNS for hosts, list targets only |
| nmap 192.168.1.1 --packet-trace | Show the details of the packets that are sent and received during a scan and capture the traffic |