= Nmap =

'''Nmap''' (Network Mapper) is an open-source utility for network discovery, security auditing, and host fingerprinting. It is one of the most widely used tools in active reconnaissance, offering port scanning, OS detection, service version detection, and a powerful scripting interface (the Nmap Scripting Engine, NSE).

== <span id="options"></span>Common Options ==

== Syntax ==
<syntaxhighlight lang="bash">
nmap [Scan Type(s)] [Options] <target specification>
</syntaxhighlight>

== Scan Type(s) ==
These flags define ''how'' Nmap interacts with the target (e.g., TCP, UDP, stealth, or protocol-level scans):

{| class="wikitable"
! Option !! Description
|-
| [[#ex-sS|<code>-sS</code>]] || TCP SYN scan (stealth mode; never completes the handshake)
|-
| [[#ex-sT|<code>-sT</code>]] || TCP connect scan (full TCP handshake)
|-
| [[#ex-sU|<code>-sU</code>]] || UDP scan
|-
| [[#ex-sN|<code>-sN</code>]] || TCP NULL scan (no flags set)
|-
| [[#ex-sF|<code>-sF</code>]] || TCP FIN scan (bypasses some stateless firewalls)
|-
| [[#ex-sX|<code>-sX</code>]] || Xmas scan (sets FIN, PSH, URG flags)
|-
| [[#ex-sA|<code>-sA</code>]] || ACK scan (used to map firewall rules)
|-
| [[#ex-sW|<code>-sW</code>]] || Window scan (analyzes TCP window size)
|-
| [[#ex-sM|<code>-sM</code>]] || TCP Maimon scan (obscure IDS evasion)
|-
| [[#ex-sL|<code>-sL</code>]] || List scan (lists targets without scanning)
|-
| [[#ex-sn|<code>-sn</code>]] || Ping scan (host discovery only; replaces <code>-sP</code>)
|-
| [[#ex-sY|<code>-sY</code>]] || SCTP INIT scan (SCTP equivalent of TCP SYN)
|-
| [[#ex-sZ|<code>-sZ</code>]] || SCTP COOKIE-ECHO scan
|-
| [[#ex-sO|<code>-sO</code>]] || IP protocol scan (scans for supported IP protocols)
|-
| [[#ex-sI|<code>-sI</code>]] || Idle scan (ultra-stealth scan using a zombie host)
|}

== Options ==
These parameters modify the behavior of the scan (timing, output, verbosity, detection methods, etc.).

=== Detection & Enumeration ===
{| class="wikitable"
! Option !! Description
|-
| [[#ex-sV|<code>-sV</code>]] || Detect service versions
|-
| [[#ex-O|<code>-O</code>]] || Enable OS detection
|-
| [[#ex-A|<code>-A</code>]] || Aggressive scan: OS detection, version detection, script scan, traceroute
|-
| [[#ex-script|<code>--script [NAME]</code>]] || Run specific NSE script(s)
|-
| <code>--version-all</code> || Try every version detection probe (used with <code>-sV</code>)
|-
| <code>--osscan-guess</code> || Guess the OS more aggressively when uncertain
|}

=== Performance & Output ===
{| class="wikitable"
! Option !! Description
|-
| [[#ex-T|<code>-T[0-5]</code>]] || Timing template (T0 = slowest, T5 = fastest)
|-
| [[#ex-d|<code>-d</code>]] || Enable debugging output
|-
| [[#ex-oN|<code>-oN [FILE]</code>]] || Save output in normal format
|-
| [[#ex-oX|<code>-oX [FILE]</code>]] || Save output in XML format
|-
| <code>-v</code> || Increase verbosity (can be stacked: <code>-vv</code>, <code>-vvv</code>)
|-
| <code>--reason</code> || Show the reason each port is in its state (e.g. the response flags)
|-
| <code>--open</code> || Show only open (or possibly open) ports
|}

== Target Specification ==
These options control '''who''' you're scanning and '''how''' targets are discovered or selected.

=== Host Discovery & Targeting ===
{| class="wikitable"
! Option !! Description
|-
| [[#ex-Pn|<code>-Pn</code>]] || Treat all hosts as online (skip host discovery)
|-
| [[#ex-p|<code>-p [PORT]</code>]] || Specify port(s) to scan
|-
| [[#ex-iL|<code>-iL [FILE]</code>]] || Read the list of targets from a file
|-
| <code>-6</code> || Use IPv6 addresses
|-
| <code>-n</code> || Do not resolve hostnames (skip DNS resolution)
|-
| <code>--exclude [HOST]</code> || Exclude specific host(s) from the scan
|-
| <code>--excludefile [FILE]</code> || Exclude hosts listed in a file
|}

== Examples ==

=== <span id="ex-sS"></span>SYN Scan ===
<syntaxhighlight lang="bash">
nmap -sS 192.168.1.1
</syntaxhighlight>
''[[#options|↑ Options]]''

=== <span id="ex-fullscan"></span>Full Insight Scan ===
<syntaxhighlight lang="bash">
# -A: aggressive mode (implies -O, -sV, -sC and traceroute); -T4: faster timing; -p-: all 65535 ports;
# -sC: default scripts; -sV: service versions; -O: OS detection; -Pn: skip host discovery
nmap -A -T4 -p- -sC -sV -O -Pn 192.168.1.10
</syntaxhighlight>
''[[#options|↑ Options]]''

=== <span id="ex-sT"></span>TCP Connect Scan ===
<syntaxhighlight lang="bash">
nmap -sT 192.168.1.1
</syntaxhighlight>
''[[#options|↑ Options]]''

=== <span id="ex-sU"></span>UDP Scan ===
<syntaxhighlight lang="bash">
nmap -sU 192.168.1.1
</syntaxhighlight>
''[[#options|↑ Options]]''

=== <span id="ex-sn"></span>Ping Scan ===
<syntaxhighlight lang="bash">
# -sn replaces the deprecated -sP
nmap -sn 192.168.1.0/24
</syntaxhighlight>
''[[#options|↑ Options]]''

=== <span id="ex-Pn"></span>Skip Host Discovery ===
<syntaxhighlight lang="bash">
nmap -Pn 192.168.1.100
</syntaxhighlight>
''[[#options|↑ Options]]''

=== <span id="ex-p"></span>Scan Specific Ports ===
<syntaxhighlight lang="bash">
nmap -p 22,80 192.168.1.1
</syntaxhighlight>
''[[#options|↑ Options]]''

=== <span id="ex-A"></span>Aggressive Scan ===
<syntaxhighlight lang="bash">
nmap -A 10.0.0.1
</syntaxhighlight>
''[[#options|↑ Options]]''

=== <span id="ex-O"></span>OS Detection Only ===
<syntaxhighlight lang="bash">
nmap -O 10.0.0.1
</syntaxhighlight>
''[[#options|↑ Options]]''

=== <span id="ex-T"></span>Fast Timing Template ===
<syntaxhighlight lang="bash">
nmap -T5 example.com
</syntaxhighlight>
''[[#options|↑ Options]]''

=== <span id="ex-script"></span>Run NSE Script ===
<syntaxhighlight lang="bash">
nmap --script default example.com
</syntaxhighlight>
''[[#options|↑ Options]]''

=== <span id="ex-iL"></span>Scan From File ===
<syntaxhighlight lang="bash">
nmap -iL targets.txt
</syntaxhighlight>
''[[#options|↑ Options]]''

=== <span id="ex-oN"></span>Save Output (Normal) ===
<syntaxhighlight lang="bash">
nmap -oN output.txt 192.168.1.1
</syntaxhighlight>
''[[#options|↑ Options]]''

=== <span id="ex-oX"></span>Save Output (XML) ===
<syntaxhighlight lang="bash">
nmap -oX output.xml 192.168.1.1
</syntaxhighlight>
''[[#options|↑ Options]]''

=== <span id="ex-sL"></span>List Targets Only ===
<syntaxhighlight lang="bash">
nmap -sL 192.168.1.0/30
</syntaxhighlight>
''[[#options|↑ Options]]''

=== <span id="ex-d"></span>Debug Mode ===
<syntaxhighlight lang="bash">
nmap -d 192.168.1.1
</syntaxhighlight>
''[[#options|↑ Options]]''

== See Also ==
* [[Masscan]]
* [[Netcat]]
* [[dnsenum]]
* [[Amass]]
* [[NSE Scripts]]