Target Specification

nmap a single IP
nmap specific IPs
nmap a range
nmap scanme.nmap.orgScan a domain
nmap using CIDR notation
-iLnmap -iL targets.txtScan targets from a file
-iRnmap -iR 100Scan 100 random hosts
–excludenmap –exclude listed hosts

Scan Techniques

-sSnmap -sSTCP SYN port scan (Default)
-sTnmap -sTTCP connect port scan
(Default without root privilege)
-sUnmap -sUUDP port scan
-sAnmap -sATCP ACK port scan
-sWnmap -sWTCP Window port scan
-sMnmap -sMTCP Maimon port scan

Host Discovery

-sLnmap -sLNo Scan. List targets only
-snnmap -snDisable port scanning. Host discovery only.
-Pnnmap -PnDisable host discovery. Port scan only.
-PSnmap -PS22-25,80TCP SYN discovery on port x.Port 80 by default
-PAnmap -PA22-25,80TCP ACK discovery on port x.Port 80 by default
-PUnmap -PU53UDP discovery on port x.Port 40125 by default
-PRnmap -PRARP discovery on local network
-nnmap -nNever do DNS resolution

Port Specification

-pnmap -p 21Port scan for port x
-pnmap -p 21-100Port range
-pnmap -p U:53,T:21-25,80Port scan multiple TCP and UDP ports
-p-nmap -p-Port scan all ports
-pnmap -p http,httpsPort scan from service name
-Fnmap -FFast port scan (100 ports)
–top-portsnmap –top-ports 2000Port scan the top x ports
-p-65535nmap -p-65535Leaving off initial port in range
makes the scan start at port 1
-p0-nmap -p0-Leaving off end port in rangemakes the scan go through to port 65535

Service and Version Detection

-sVnmap -sVAttempts to determine the version of the service running on port
-sV –version-intensitynmap -sV –version-intensity 8Intensity level 0 to 9. Higher number increases possibility of correctness
-sV –version-lightnmap -sV –version-lightEnable light mode. Lower possibility of correctness. Faster
-sV –version-allnmap -sV –version-allEnable intensity level 9. Higher possibility of correctness. Slower
-Anmap -AEnables OS detection, version detection, script scanning, and traceroute

OS Detection

-Onmap -ORemote OS detection using TCP/IP
stack fingerprinting
-O –osscan-limitnmap -O –osscan-limitIf at least one open and one closed
TCP port are not found it will not try
OS detection against host
-O –osscan-guessnmap -O –osscan-guessMakes Nmap guess more aggressively
-O –max-os-triesnmap -O –max-os-tries 1Set the maximum number x of OS
detection tries against a target
-Anmap -AEnables OS detection, version detection, script scanning, and traceroute

Timing and Performance

-T0nmap -T0Paranoid (0) Intrusion Detection
System evasion
-T1nmap -T1Sneaky (1) Intrusion Detection System
-T2nmap -T2Polite (2) slows down the scan to use
less bandwidth and use less target
machine resources
-T3nmap -T3Normal (3) which is default speed
-T4nmap -T4Aggressive (4) speeds scans; assumes
you are on a reasonably fast and
reliable network
-T5nmap -T5Insane (5) speeds scan; assumes you
are on an extraordinarily fast network
SwitchExample inputDescription
–host-timeout <time>1s; 4m; 2hGive up on target after this long
–min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time>1s; 4m; 2hSpecifies probe round trip time
–min-hostgroup/max-hostgroup <size<size>50; 1024Parallel host scan group
–min-parallelism/max-parallelism <numprobes>10; 1Probe parallelization
–scan-delay/–max-scan-delay <time>20ms; 2s; 4m; 5hAdjust delay between probes
–max-retries <tries>3Specify the maximum number
of port scan probe retransmissions
–min-rate <number>100Send packets no slower than <numberr> per second
–max-rate <number>100Send packets no faster than <number> per second

NSE Scripts

-sCnmap -sCScan with default NSE scripts. Considered useful for discovery and safe
–script defaultnmap –script defaultScan with default NSE scripts. Considered useful for discovery and safe
–scriptnmap –script=bannerScan with a single script. Example banner
–scriptnmap –script=http*Scan with a wildcard. Example http
–scriptnmap –script=http,bannerScan with two scripts. Example http and banner
–scriptnmap –script “not intrusive”Scan default, but remove intrusive scripts
–script-argsnmap –script snmp-sysdescr –script-args snmpcommunity=admin script with arguments

Useful NSE Script Examples

nmap -Pn –script=http-sitemap-generator scanme.nmap.orghttp site map generator
nmap -n -Pn -p 80 –open -sV -vvv –script banner,http-title -iR 1000Fast search for random web servers
nmap -Pn –script=dns-brute domain.comBrute forces DNS hostnames guessing subdomains
nmap -n -Pn -vv -O -sV –script smb-enum*,smb-ls,smb-mbenum,smb-os-discovery,smb-s*,smb-vuln*,smbv2* -vv SMB scripts to run
nmap –script whois* domain.comWhois query
nmap -p80 –script http-unsafe-output-escaping scanme.nmap.orgDetect cross site scripting vulnerabilities
nmap -p80 –script http-sql-injection scanme.nmap.orgCheck for SQL injections

Firewall / IDS Evasion and Spoofing

-fnmap -fRequested scan (including ping scans) use tiny fragmented IP packets. Harder for packet filters
–mtunmap –mtu 32Set your own offset size
-Dnmap -D,,,
Send scans from spoofed IPs
-Dnmap -D decoy-ip1,decoy-ip2,your-own-ip,decoy-ip3,decoy-ip4 remote-host-ipAbove example explained
-Snmap -S www.microsoft.com www.facebook.comScan Facebook from Microsoft (-e eth0 -Pn may be required)
-gnmap -g 53 given source port number
–proxiesnmap –proxies, connections through HTTP/SOCKS4 proxies
–data-lengthnmap –data-length 200 random data to sent packets

Example IDS Evasion command

nmap -f -t 0 -n -Pn –data-length 200 -D,,,


-oNnmap -oN normal.fileNormal output to the file normal.file
-oXnmap -oX xml.fileXML output to the file xml.file
-oGnmap -oG grep.fileGrepable output to the file grep.file
-oAnmap -oA resultsOutput in the three major formats at once
-oG –nmap -oG –Grepable output to screen. -oN -, -oX – also usable
–append-outputnmap -oN file.file –append-outputAppend a scan to a previous scan file
-vnmap -vIncrease the verbosity level (use -vv or more for greater effect)
-dnmap -dIncrease debugging level (use -dd or more for greater effect)
–reasonnmap –reasonDisplay the reason a port is in a particular state, same output as -vv
–opennmap –openOnly show open (or possibly open) ports
–packet-tracenmap -T4 –packet-traceShow all packets sent and received
–iflistnmap –iflistShows the host interfaces and routes
–resumenmap –resume results.fileResume a scan

Helpful Nmap Output examples

nmap -p80 -sV -oG – –open | grep openScan for web servers and grep to show which IPs are running web servers
nmap -iR 10 -n -oX out.xml | grep “Nmap” | cut -d ” ” -f5 > live-hosts.txtGenerate a list of the IPs of live hosts
nmap -iR 10 -n -oX out2.xml | grep “Nmap” | cut -d ” ” -f5 >> live-hosts.txtAppend IP to the list of live hosts
ndiff scanl.xml scan2.xmlCompare output from nmap using the ndif
xsltproc nmap.xml -o nmap.htmlConvert nmap xml files to html files
grep ” open ” results.nmap | sed -r ‘s/ +/ /g’ | sort | uniq -c | sort -rn | lessReverse sorted list of how often ports turn up

Miscellaneous Options

-6nmap -6 2607:f0d0:1002:51::4Enable IPv6 scanning
-hnmap -hnmap help screen

Other Useful Nmap Commands

nmap -iR 10 -PS22-25,80,113,1050,35000 -v -snDiscovery only on ports x, no port scan
nmap -PR -sn -vvArp discovery only on local network, no port scan
nmap -iR 10 -sn -tracerouteTraceroute to random targets, no port scan
nmap -sL –dns-server the Internal DNS for hosts, list targets only