Nmap Advanced Reference
Network exploration tool and security / port scanner.
Quick Reference: Most Useful Flags
| Flag | Category | Description |
|---|---|---|
| -sS | Scan Type | TCP SYN scan (stealthy; the default when run as a privileged user) |
| -p- | Port Spec | Scan all 65,535 ports |
| -A | Detection | Enable OS detection, version detection, script scanning, and traceroute |
| -Pn | Discovery | Treat all hosts as online (skip ping/host discovery) |
| -T4 | Timing | Aggressive timing (faster scans on fast, reliable networks) |
| -v | Misc | Increase verbosity level (use -vv for more) |
| -oA | Output | Output in all three major formats (normal, XML, grepable) at once |
Target Specification
Nmap ("Network Mapper") is an open source tool for network exploration and security auditing. You can pass hostnames, IP addresses, or networks.
Scan a single host or CIDR network
CIDR-style addressing is supported. You can append /numbits to an IP address or hostname.
nmap [target]
Scan an IP range
Nmap supports octet range addressing.
nmap 192.168.1.1-50
Input from a list of hosts
Reads target specifications from an input file.
nmap -iL targets.txt
Choose random targets
For Internet-wide surveys and other research, you may want to choose targets at random. The argument 0 can be specified for a never-ending scan.
nmap -iR 0
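To see how many addresses a target specification really covers before launching a scan, here is an added example (not code from the Nmap project) that expands CIDR and octet-range targets the way the Nmap manual describes them; it assumes, as the manual states, that a CIDR target includes its network and broadcast addresses, and it leaves hostnames unexpanded since Nmap resolves those at scan time.

```python
import ipaddress
from itertools import product
from typing import Iterator, List

def _expand_octet(field: str) -> List[int]:
    """Expand one octet field: '1', '1-50', '3-5,7', '-' (0-255) or '*' (0-255)."""
    if field == "*":
        return list(range(256))
    values: List[int] = []
    for part in field.split(","):
        lo, dash, hi = part.partition("-")
        start = int(lo) if lo else 0                        # missing start defaults to 0
        end = int(hi) if hi else (255 if dash else start)   # missing end defaults to 255
        if not 0 <= start <= end <= 255:
            raise ValueError(f"bad octet range: {part!r}")
        values.extend(range(start, end + 1))
    return values

def expand_targets(spec: str) -> Iterator[str]:
    """Yield every IPv4 address an Nmap target spec covers (CIDR or octet ranges).
    Anything else, such as a hostname, is yielded unchanged for DNS to resolve."""
    if "/" in spec:
        base, bits = spec.rsplit("/", 1)
        for addr in expand_targets(base):      # /numbits applies to each expanded address
            try:
                net = ipaddress.ip_network(f"{addr}/{bits}", strict=False)
            except ValueError:
                yield spec                     # hostname/numbits: leave for DNS resolution
                return
            yield from (str(ip) for ip in net) # network and broadcast included, as Nmap does
        return
    octets = spec.split(".")
    if len(octets) != 4 or not all(o and set(o) <= set("0123456789-,*") for o in octets):
        yield spec
        return
    for combo in product(*(_expand_octet(o) for o in octets)):
        yield ".".join(map(str, combo))

def count_targets(spec: str) -> int:
    """Number of addresses a spec expands to; useful for sizing a scan and its logs."""
    return sum(1 for _ in expand_targets(spec))

if __name__ == "__main__":
    # Constructed sample specs; gateway.example is a placeholder hostname.
    for t in ("192.168.1.1-50", "10.0.0.0/24", "192.168.0-255.1-254", "gateway.example"):
        print(f"{t:24} -> {count_targets(t)} target(s)")
```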
Host Discovery
Host discovery is sometimes called ping scan.
Skip host discovery (Treat all hosts as online)
This option skips the host discovery stage altogether. Nmap continues to perform the requested functions as if each target IP is active.
nmap -Pn [target]
Ping Scan (Disable port scan)
This option tells Nmap not to do a port scan after host discovery. It allows light reconnaissance of a target network without attracting much attention.
nmap -sn [target]
TCP SYN Ping
This option sends an empty TCP packet with the SYN flag set to the specified ports.
nmap -PS80,443 [target]
Port Specification
By default, Nmap scans the most common 1,000 ports for each protocol.
Scan specific ports
Individual port numbers are OK, as are ranges separated by a hyphen.
nmap -p [port] [target]
Scan all 65,535 ports
You can specify -p- to scan ports from 1 through 65535.
nmap -p- [target]
Scan specific protocols (TCP/UDP)
You can specify a particular protocol by preceding the port numbers with T: for TCP, U: for UDP, S: for SCTP, or P: for IP Protocol.
nmap -sS -sU -p U:53,161,T:21-25,80 [target]
Fast Mode (Scan fewer ports)
Specifies that you wish to scan fewer ports than the default. With -F, this is reduced to 100.
nmap -F [target]
Scan Top Ports
Scans the highest-ratio ports found in the nmap-services file.
nmap --top-ports 1000 [target]
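The protocol-prefix and range rules above are easy to misread (for example, 80 in U:53,161,T:21-25,80 is a TCP port because it follows T:). This added example, not code from the Nmap project, expands a -p argument into one port set per protocol following the rules in the Nmap manual; service names and wildcards such as http* are assumed out of scope.

```python
from typing import Dict, List, Set, Tuple

PROTO_PREFIX = {"T": "tcp", "U": "udp", "S": "sctp", "P": "ip"}
MAX_PORT = 65535

def parse_port_spec(spec: str, scanned: Tuple[str, ...] = ("tcp",)) -> Dict[str, Set[int]]:
    """Expand an Nmap -p argument into one port set per protocol.

    Rules from the Nmap manual: a T:/U:/S:/P: prefix switches the protocol for
    the entries that follow it; entries before any prefix apply to every protocol
    in `scanned` (the scan types given on the command line, e.g. -sS -sU); a bare
    '-' means 1-65535 and open-ended ranges default to 1 or 65535. Port 0 is
    included only when written explicitly. Service names and wildcards are not handled.
    """
    ports: Dict[str, Set[int]] = {p: set() for p in scanned}
    current: List[str] = list(scanned)           # protocols the next entries apply to
    for raw in spec.split(","):
        entry = raw.strip()
        if len(entry) >= 2 and entry[1] == ":" and entry[0].upper() in PROTO_PREFIX:
            proto = PROTO_PREFIX[entry[0].upper()]
            ports.setdefault(proto, set())       # prefix for a protocol not in `scanned`
            current = [proto]
            entry = entry[2:]
        if not entry:
            raise ValueError(f"empty port entry in {spec!r}")
        lo, dash, hi = entry.partition("-")      # '22', '21-25', '-100', '1000-', '-'
        start = int(lo) if lo else 1
        end = int(hi) if hi else (MAX_PORT if dash else start)
        if not 0 <= start <= end <= MAX_PORT:
            raise ValueError(f"port range out of bounds: {entry!r}")
        for proto in current:
            ports[proto].update(range(start, end + 1))
    return ports

def port_count(ports: Dict[str, Set[int]]) -> int:
    """Total probes per host implied by a spec; a quick estimate of scan size."""
    return sum(len(s) for s in ports.values())

if __name__ == "__main__":
    # The spec from the -sS -sU example in this section.
    for proto, nums in parse_port_spec("U:53,161,T:21-25,80", ("tcp", "udp")).items():
        print(proto, sorted(nums))
```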
Scan Techniques
TCP SYN Scan (Stealth)
SYN scan is the default and most popular scan option for good reasons. It is relatively unobtrusive and stealthy since it never completes TCP connections.
sudo nmap -sS [target]
TCP Connect Scan
TCP connect scan is the default TCP scan type when SYN scan is not an option (e.g., for unprivileged users).
nmap -sT [target]
UDP Scan
UDP scan is activated with the -sU option. It can be combined with a TCP scan type such as SYN scan (-sS) to check both protocols during the same run.
sudo nmap -sU [target]
TCP ACK Scan (Firewall Mapping)
ACK scan is used to map out firewall rulesets, determining whether they are stateful or not and which ports are filtered.
sudo nmap -sA [target]
Service and OS Detection
Service Version Detection
Version detection interrogates open ports to determine more about what is actually running on them.
nmap -sV [target]
OS Detection
Nmap sends a series of TCP and UDP packets to the remote host and examines practically every bit in the responses.
sudo nmap -O [target]
Aggressive Scan
This option enables additional advanced and aggressive options. Presently this enables OS detection (-O), version scanning (-sV), script scanning (-sC) and traceroute (--traceroute).
sudo nmap -A [target]
Timing and Performance
Timing Templates
Nmap offers a simpler alternative to its fine-grained timing controls: six timing templates (0-5), selected with -T. Normal mode is the default (-T3). Aggressive mode (-T4) speeds scans up by making the assumption that you are on a reasonably fast and reliable network.
nmap -T4 [target]
Control scan rates directly
When the --min-rate option is given, Nmap will do its best to send packets as fast as or faster than the given rate (in packets per second).
nmap --min-rate 300 [target]
Limit Retries and Timeouts
--max-retries caps the number of port scan probe retransmissions. You can even specify --max-retries 0 to prevent any retransmissions, and --host-timeout gives up on a host after the given time.
nmap --max-retries 0 --host-timeout 1m [target]
Firewall / IDS Evasion
Cloak with Decoys
Causes a decoy scan to be performed, which makes it appear to the remote host that the host(s) you specify as decoys are scanning the target network too.
nmap -D RND:10,ME [target]
Fragment Packets
The -f option causes the requested scan to use tiny fragmented IP packets to make it harder for packet filters or IDSs to detect what you are doing.
sudo nmap -f [target]
Spoof Source Port
Nmap offers the -g and --source-port options to exploit misconfigured firewalls trusting specific ports (like 53 or 20).
nmap --source-port 53 [target]
Append Random Data
This option tells Nmap to append the given number of random bytes to most of the packets it sends.
nmap --data-length 25 [target]
Output Options
Nmap makes output available in five different formats.
Normal Output
Requests that normal output be directed to the given filename.
nmap -oN output.nmap [target]
XML Output
XML offers a stable format that is easily parsed by software.
nmap -oX output.xml [target]
Grepable Output
Grepable output is a simple format that lists each host on one line and can be trivially searched and parsed with standard Unix tools.
nmap -oG output.gnmap [target]
Output to All Formats
As a convenience, you may specify -oA to store scan results in normal, XML, and grepable formats at once.
nmap -oA logs/scan_results [target]
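As an added example (not code from the Nmap project) of the "trivially parsed" claim for grepable output, the following parses -oG lines into per-host port records and reduces them to the open ports; the .gnmap input is a constructed sample, and the parser relies on the documented Ports field layout of port/state/protocol/owner/service/rpcinfo/version/ with one tab between fields.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample of -oG output (not a real scan). Each Ports entry holds
# port/state/protocol/owner/service/rpcinfo/version/; Nmap writes any '/' inside
# a version string as '|', so the slash count per entry is fixed at seven.
SAMPLE_GNMAP = "\n".join([
    "# Nmap scan initiated (constructed sample) as: nmap -sS -sV -oG scan.gnmap 192.168.1.0/24",
    "Host: 192.168.1.10 (gateway.lan)\tStatus: Up",
    "Host: 192.168.1.10 (gateway.lan)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, "
    "53/open/tcp//domain//dnsmasq 2.86/, 80/filtered/tcp//http///\tIgnored State: closed (997)",
    "Host: 192.168.1.20 ()\tPorts: 445/open/tcp//microsoft-ds//Samba smbd 4/, "
    "3389/closed/tcp//ms-wbt-server///\tIgnored State: filtered (998)",
    "# Nmap done -- 256 IP addresses (2 hosts up) scanned",
])

@dataclass(frozen=True)
class Port:
    number: int
    state: str
    proto: str
    service: str
    version: str

HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)\t(.*)$")
PORT_RE = re.compile(r"(\d+)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/")

def parse_gnmap(text: str) -> Dict[str, List[Port]]:
    """Map each host IP to the ports reported for it in grepable output."""
    hosts: Dict[str, List[Port]] = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue                        # '#' comment lines and blanks
        ip, _name, rest = m.groups()
        hosts.setdefault(ip, [])            # a Status-only line still registers the host
        for field in rest.split("\t"):      # Status:, Ports:, Ignored State:, ...
            key, _, value = field.partition(": ")
            if key == "Ports":
                for num, state, proto, _owner, service, _rpc, version in PORT_RE.findall(value):
                    hosts[ip].append(Port(int(num), state, proto, service, version))
    return hosts

def open_ports(hosts: Dict[str, List[Port]]) -> Dict[str, List[str]]:
    """Reduce to 'port/proto' strings for ports in the open state, one list per host."""
    return {ip: [f"{p.number}/{p.proto}" for p in ports if p.state == "open"]
            for ip, ports in hosts.items()}

if __name__ == "__main__":
    for ip, opened in open_ports(parse_gnmap(SAMPLE_GNMAP)).items():
        print(ip, ", ".join(opened) or "(no open ports)")
```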
Professional & Advanced Examples
Fast SIP TCP/UDP Scan (No Retries, Strict Timeout)
Optimized for speed when checking specific VoIP ports across a wide network.
nmap -sS -sU -p 5060,5061 --max-retries 0 --host-timeout 1m [target]
Locate Random Web Servers for Browsing
Use this option at your own risk! Scans random Internet IPs indefinitely for port 80.
nmap -Pn -sS -p 80 -iR 0 --open
Scan Top 100 Ports via Proxy
Asks Nmap to establish TCP connections with the final target through a supplied chain of one or more HTTP or SOCKS4 proxies.
nmap -sT --top-ports 100 --proxies socks4://127.0.0.1:9050 [target]
Evade IDS with Fragmented Decoy Scan
Combines fragmentation and 5 random decoy IPs to obfuscate the origin and signature of the scan.
sudo nmap -sS -f -D RND:5,ME -Pn [target]