Nmap
Jump to navigation
Jump to search
Nmap[edit | edit source]
Nmap (Network Mapper) is an open‑source utility for network discovery, security auditing, and host fingerprinting. It is one of the most widely used tools in active reconnaissance, offering port scanning, OS detection, service versioning, and a powerful scripting interface (Nmap Scripting Engine – NSE).
Common Options[edit | edit source]
Syntax[edit | edit source]
nmap [Scan Type(s)] [Options] <target specification>Scan Type(s)[edit | edit source]
These flags define *how* Nmap interacts with the target (e.g., TCP, UDP, stealth, protocol-level scans):
| Option | Description |
|---|---|
-sS |
TCP SYN scan (stealth mode) |
-sT |
TCP connect scan (full TCP handshake) |
-sU |
UDP scan |
-sN |
TCP NULL scan (no flags set) |
-sF |
TCP FIN scan (bypasses some firewalls) |
-sX |
Xmas scan (sets FIN, PSH, URG flags) |
-sA |
ACK scan (used to map firewall rules) |
-sW |
Window scan (analyzes TCP window size) |
-sM |
TCP Maimon scan (obscure IDS evasion) |
-sL |
List scan (lists targets without scanning) |
-sn |
Ping scan (host discovery only; replaces -sP)
|
-sY |
SCTP INIT scan (SCTP equivalent of TCP SYN) |
-sZ |
SCTP COOKIE-ECHO scan |
-sO |
IP protocol scan (scans for supported protocols) |
-sI |
Idle scan (ultra-stealth scan using zombie host) |
Options[edit | edit source]
These parameters modify the behavior of the scan (timing, output, verbosity, detection methods, etc.).
Detection & Enumeration[edit | edit source]
| Option | Description |
|---|---|
-sV |
Detect service versions |
-O |
Enable OS detection |
-A |
Aggressive scan: OS detection, version, script scan, traceroute |
--script [NAME] |
Run specific NSE script(s) |
--version-all |
Try every version detection method (used with -sV) |
--osscan-guess |
Guess OS more aggressively when uncertain |
Performance & Output[edit | edit source]
| Option | Description |
|---|---|
-T[0‒5] |
Timing template (T0 = slow, T5 = fast) |
-d |
Enable debugging output |
-oN [FILE] |
Save output in normal format |
-oX [FILE] |
Save output in XML format |
-v |
Increase verbosity (can be stacked: -vv, -vvv) |
--reason |
Show the reason each port is in its state (e.g. response flags) |
--open |
Show only open (or relevant) ports |
Target Specification[edit | edit source]
These options control who you're scanning and how they're discovered or selected.
Host Discovery & Targeting[edit | edit source]
| Option | Description |
|---|---|
-Pn |
Treat all hosts as online (skip ping) |
-p [PORT] |
Specify port(s) to scan |
-iL [FILE] |
Input list of hosts from file |
-6 |
Use IPv6 addresses |
-n |
Do not resolve hostnames (skip DNS resolution) |
--exclude [HOST] |
Exclude specific host(s) from the scan |
--excludefile [FILE] |
Exclude hosts listed in a file |
Examples[edit | edit source]
SYN Scan[edit | edit source]
nmap -sS 192.168.1.1Full Insight Scan[edit | edit source]
nmap -A -T4 -p- -sC -sV -O -Pn 192.168.1.10# -A: enable all scans, -T4: faster timing, -p-: all ports, -sC: default scripts, -sV: service versions, -O: OS detect, -Pn: no ping
↑ Options
TCP Connect Scan[edit | edit source]
nmap -sT 192.168.1.1UDP Scan[edit | edit source]
nmap -sU 192.168.1.1Ping Scan[edit | edit source]
nmap -sP 192.168.1.0/24Skip Host Discovery[edit | edit source]
nmap -Pn 192.168.1.100Scan Specific Ports[edit | edit source]
nmap -p 22,80 192.168.1.1Aggressive Scan[edit | edit source]
nmap -A 10.0.0.1OS Detection Only[edit | edit source]
nmap -O 10.0.0.1Fast Timing Template[edit | edit source]
nmap -T5 example.comRun NSE Script[edit | edit source]
nmap --script default example.comScan From File[edit | edit source]
nmap -iL targets.txtSave Output (Normal)[edit | edit source]
nmap -oN output.txt 192.168.1.1Save Output (XML)[edit | edit source]
nmap -oX output.xml 192.168.1.1List Targets Only[edit | edit source]
nmap -sL 192.168.1.0/30Debug Mode[edit | edit source]
nmap -d 192.168.1.1