title: Nmap
Example | Description |
---|---|
nmap 192.168.1.1 | Scan a single IP |
nmap 192.168.1.1 192.168.2.1 | Scan specific IPs |
nmap 192.168.1.1-254 | Scan a range |
nmap scanme.nmap.org | Scan a domain |
nmap 192.168.1.0/24 | Scan using CIDR notation |
nmap -iL targets.txt | Scan targets from a file |
nmap -iR 100 | Scan 100 random hosts |
nmap --exclude 192.168.1.1 | Exclude listed hosts |

Example | Description |
---|---|
nmap 192.168.1.1 -sS | TCP SYN port scan (default) |
nmap 192.168.1.1 -sT | TCP connect port scan |
nmap 192.168.1.1 -sU | UDP port scan |
nmap 192.168.1.1 -sA | TCP ACK port scan |
nmap 192.168.1.1 -sW | TCP Window port scan |
nmap 192.168.1.1 -sM | TCP Maimon port scan |

Example | Description |
---|---|
nmap 192.168.1.1-3 -sL | No scan. List targets only. |
nmap 192.168.1.1/24 -sn | Disable port scanning. Host discovery only. |
nmap 192.168.1.1-5 -Pn | Disable host discovery. Port scan only. |
nmap 192.168.1.1-5 -PS22-25,80 | TCP SYN discovery on ports 22-25, 80. (Port 80 by default) |
nmap 192.168.1.1-5 -PA22-25,80 | TCP ACK discovery on ports 22-25, 80. (Port 80 by default) |
nmap 192.168.1.1-5 -PU53 | UDP discovery on port 53. (Port 40125 by default) |
nmap 192.168.1.1-1/24 -PR | ARP discovery on local network |
nmap 192.168.1.1 -n | Never do DNS resolution |

Example | Description |
---|---|
nmap 192.168.1.1 -p 21 | Port scan for port 21 |
nmap 192.168.1.1 -p 21-100 | Port scan for range 21-100 |
nmap 192.168.1.1 -p U:53,T:21-25,80 | Port scan multiple TCP and UDP ports |
nmap 192.168.1.1 -p- | Port scan all ports |
nmap 192.168.1.1 -p http,https | Port scan from service name |
nmap 192.168.1.1 -F | Fast port scan (100 ports) |
nmap 192.168.1.1 --top-ports 2000 | Port scan the top 2000 ports |
nmap 192.168.1.1 -p-65535 | Leaving off the initial port in a range makes the scan start at port 1. |
nmap 192.168.1.1 -p0- | Leaving off the end port in a range makes the scan go through to port 65535. |

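The rows above describe the -p syntax by example. The following parser is an added illustration (it is not part of this cheat sheet or of Nmap's own code) that turns a -p argument into the set of TCP and UDP ports it would scan, including the edge cases the last two rows describe: an omitted start means port 1, an omitted end means port 65535, and the bare `-p-` shorthand covers 1-65535 while `-p0-` also includes port 0. The service-name table and the `is_valid_spec` helper are assumptions of this example; real Nmap resolves names through its nmap-services file.

```python
"""Parse Nmap-style -p port specifications (added example, not Nmap code)."""
import re
from typing import Dict, Set

MAX_PORT = 65535

# Constructed subset of service-name lookups; real Nmap resolves names
# against its nmap-services file, which this offline example does not read.
SERVICE_NAMES = {"ftp": 21, "ssh": 22, "domain": 53, "http": 80, "https": 443}


def _check_port(p: int) -> int:
    if not 0 <= p <= MAX_PORT:
        raise ValueError(f"port out of range: {p}")
    return p


def _expand_item(item: str) -> Set[int]:
    """Expand one comma-separated element: '21', '21-100', '-', '-65535', '0-', 'http'."""
    if item == "-":
        # The -p- shorthand: ports 1-65535. Port 0 is only scanned when it is
        # named explicitly, e.g. -p0-.
        return set(range(1, MAX_PORT + 1))
    if item.isdigit():
        return {_check_port(int(item))}
    m = re.fullmatch(r"(\d*)-(\d*)", item)
    if m:
        start_s, end_s = m.groups()
        start = _check_port(int(start_s)) if start_s else 1      # omitted start -> 1
        end = _check_port(int(end_s)) if end_s else MAX_PORT     # omitted end -> 65535
        if start > end:
            raise ValueError(f"reversed range: {item!r}")
        return set(range(start, end + 1))
    if item in SERVICE_NAMES:
        return {SERVICE_NAMES[item]}
    raise ValueError(f"unrecognised port element: {item!r}")


def parse_port_spec(spec: str) -> Dict[str, Set[int]]:
    """Return {'tcp': {...}, 'udp': {...}} for an Nmap -p argument.

    A T: or U: prefix applies to every element that follows it until the next
    prefix. Simplification (assumption of this example): elements before any
    prefix are treated as TCP; real Nmap applies them to each protocol the
    chosen scan types cover.
    """
    ports: Dict[str, Set[int]] = {"tcp": set(), "udp": set()}
    proto = "tcp"
    for element in spec.split(","):
        element = element.strip()
        if ":" in element:
            prefix, element = element.split(":", 1)
            try:
                proto = {"T": "tcp", "U": "udp"}[prefix.upper()]
            except KeyError:
                raise ValueError(f"unknown protocol prefix: {prefix!r}") from None
        ports[proto] |= _expand_item(element)
    return ports


def is_valid_spec(spec: str) -> bool:
    """True when the whole spec parses; handy for validating a -p value before it reaches nmap."""
    try:
        parse_port_spec(spec)
        return True
    except ValueError:
        return False


def summarize(spec: str) -> str:
    """One-line count of what a -p argument would scan."""
    p = parse_port_spec(spec)
    return f"{spec!r}: {len(p['tcp'])} TCP, {len(p['udp'])} UDP"


if __name__ == "__main__":
    for s in ["21", "21-100", "U:53,T:21-25,80", "-", "http,https", "-65535", "0-"]:
        print(summarize(s))
```

Running the block prints one summary line per sample spec; `is_valid_spec` rejects out-of-range ports, reversed ranges, unknown names and unknown protocol prefixes, which is the check a wrapper script should make before building an nmap command line from user input.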
Example | Description |
---|---|
nmap 192.168.1.1 -sV | Attempts to determine the version of the service running on each port. |
nmap 192.168.1.1 -sV --version-intensity 8 | Intensity level 0-9. A higher number increases the possibility of correctness. |
nmap 192.168.1.1 -sV --version-light | Enable light mode. Lower possibility of correctness. Faster. |
nmap 192.168.1.1 -sV --version-all | Enable intensity level 9. Higher possibility of correctness. Slower. |
nmap 192.168.1.1 -A | Enables OS detection, version detection, script scanning, and traceroute. |

Example | Description |
---|---|
nmap 192.168.1.1 -O | Remote OS detection using TCP/IP stack fingerprinting |
nmap 192.168.1.1 -O --osscan-limit | Skip OS detection against hosts that do not have at least one open and one closed TCP port. |
nmap 192.168.1.1 -O --osscan-guess | Makes Nmap guess more aggressively. |
nmap 192.168.1.1 -O --max-os-tries 1 | Set the maximum number of OS detection tries |
nmap 192.168.1.1 -A | Enables OS detection, version detection, script scanning, and traceroute. |

Example | Description |
---|---|
nmap 192.168.1.1 -T0 | Paranoid (0) IDS evasion |
nmap 192.168.1.1 -T1 | Sneaky (1) IDS evasion |
nmap 192.168.1.1 -T2 | Polite (2) slows down the scan to use less bandwidth and fewer target machine resources. |
nmap 192.168.1.1 -T3 | Normal (3), the default speed |
nmap 192.168.1.1 -T4 | Aggressive (4) speeds up scans. Assumes you are on a reasonably fast and reliable network. |
nmap 192.168.1.1 -T5 | Insane (5) speeds up scans. Assumes you are on an extraordinarily fast network. |

Example | Description |
---|---|
--host-timeout 1s; --host-timeout 4m; --host-timeout 2h; | Give up on target after this long. |
--min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout 4m; | Specifies probe round trip time. |
--min-hostgroup/max-hostgroup 50 | Parallel host scan group sizes |
--min-parallelism/max-parallelism 10 | Probe parallelization |
--max-retries 3 | Specify the max number of port scan probe retransmissions. |
--min-rate 100 | Send packets no slower than 100 per second |
--max-rate 100 | Send packets no faster than 100 per second |

Example | Description |
---|---|
nmap 192.168.1.1 -sC | Scan with default NSE scripts. Useful and safe. |
nmap 192.168.1.1 --script default | Scan with default NSE scripts. |
nmap 192.168.1.1 --script=banner | Scan with a single script. Example: banner. |
nmap 192.168.1.1 --script=http* | Scan with a wildcard. Example: http. |
nmap 192.168.1.1 --script=http,banner | Scan with two scripts. http and banner. |
nmap 192.168.1.1 --script "not intrusive" | Scan default, but remove intrusive scripts |
nmap --script snmp-sysdescr --script-args snmpcommunity=admin 192.168.1.1 | NSE script with arguments |

Example | Description |
---|---|
nmap -Pn --script=http-sitemap-generator scanme.nmap.org | http site map generator |
nmap -n -Pn -p 80 --open -sV -vvv --script banner,http-title -iR 1000 | Fast search for random web servers |
nmap -Pn --script=dns-brute domain.com | Brute forces DNS hostnames guessing subdomains |
nmap -n -Pn -vv -O -sV --script smb-enum*,smb-ls,smb-mbenum,smb-os-discovery,smb-s*,smb-vuln*,smbv2* -vv 192.168.1.1 | Safe SMB scripts to run |
nmap --script whois* domain.com | Whois query |
nmap -p80 --script http-unsafe-output-escaping scanme.nmap.org | Detect cross site scripting vulnerabilities |
nmap -p80 --script http-sql-injection scanme.nmap.org | Check for SQL injections |

Example | Description |
---|---|
nmap 192.168.1.1 -f | Requested scan (including ping scans) uses tiny fragmented IP packets. Harder for packet filters. |
nmap 192.168.1.1 --mtu 32 | Set your own offset size |
nmap -D 192.168.1.101,192.168.1.102,192.168.1.103 | Send scans from spoofed IPs |
nmap -D decoy-ip1,decoy-ip2,your-own-ip | Same as above |
nmap -S www.microsoft.com www.facebook.com | Scan Facebook from Microsoft (-e eth0 -Pn may be required) |
nmap -g 53 192.168.1.1 | Use given source port number |
nmap --proxies http://192.168.1.1:8080,http://192.168.1.2:8080 192.168.1.1 | Relay connections through HTTP/SOCKS4 proxies |
nmap --data-length 200 192.168.1.1 | Appends random data to sent packets |

Example | Description |
---|---|
nmap 192.168.1.1 -oN normal.file | Normal output to the file normal.file |
nmap 192.168.1.1 -oX xml.file | XML output to the file xml.file |
nmap 192.168.1.1 -oG grep.file | Grepable output to the file grep.file |
nmap 192.168.1.1 -oA results | Output in the three major formats at once |
nmap 192.168.1.1 -oG - | Grepable output to screen. -oN, -oX also usable |
nmap 192.168.1.1 -oN file.txt --append-output | Append a scan to a previous scan file |
nmap 192.168.1.1 -v | Increase the verbosity level (use -vv or more) |
nmap 192.168.1.1 -d | Increase debugging level (use -dd or more) |
nmap 192.168.1.1 --reason | Display the reason a port is in a particular state, same output as -vv |
nmap 192.168.1.1 --open | Only show open (or possibly open) ports |
nmap 192.168.1.1 -T4 --packet-trace | Show all packets sent and received |
nmap --iflist | Shows the host interfaces and routes |
nmap --resume results.file | Resume a scan from results.file |

Example | Description |
---|---|
nmap -p80 -sV -oG - --open 192.168.1.1/24 \| grep open | Scan for web servers and grep to show which IPs are running web servers |
nmap -iR 10 -n -oX out.xml \| grep "Nmap" \| cut -d " " -f5 > live-hosts.txt | Generate a list of the IPs of live hosts |
nmap -iR 10 -n -oX out2.xml \| grep "Nmap" \| cut -d " " -f5 >> live-hosts.txt | Append IPs to the list of live hosts |
ndiff scan.xml scan2.xml | Compare the output of two scan results |
xsltproc nmap.xml -o nmap.html | Convert nmap xml files to html files |
grep "open" results.nmap \| sed -r 's/ +/ /g' \| sort \| uniq -c \| sort -rn \| less | Reverse sorted list of how often ports turn up |

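The grep pipelines above work on the normal and grepable formats, which are not guaranteed to stay stable between Nmap releases; the XML written by -oX is the format meant for programs. The script below is an added example (not part of this cheat sheet, of Nmap or of Ndiff) that answers the same three questions from -oX output: which hosts have a given port open (the `--open ... | grep open` row), how often each port turns up (the `sort | uniq -c | sort -rn` row), and what changed between two scans (the `ndiff` row). The two sample scans are constructed inline so the script runs offline; a port counts as open when its state is `open` or `open|filtered`, matching what `--open` shows.

```python
"""Work with nmap -oX output in Python (added example, not part of Nmap or Ndiff)."""
from collections import Counter
from typing import Dict, List, Set, Tuple
# ElementTree is fine for scan files you produced yourself; parse XML that
# comes from untrusted sources with defusedxml instead.
import xml.etree.ElementTree as ET

Port = Tuple[str, int]        # (protocol, port number), e.g. ("tcp", 80)
Scan = Dict[str, Set[Port]]   # host address -> ports that are open

# Constructed sample of nmap -oX output, trimmed to the elements used here.
SCAN_1 = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -oX - 192.168.1.0/24">
 <host><status state="up"/><address addr="192.168.1.10" addrtype="ipv4"/><ports>
  <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh"/></port>
  <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http"/></port>
 </ports></host>
 <host><status state="up"/><address addr="192.168.1.20" addrtype="ipv4"/><ports>
  <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http"/></port>
  <port protocol="tcp" portid="443"><state state="closed" reason="reset"/></port>
  <port protocol="udp" portid="53"><state state="open|filtered" reason="no-response"/></port>
 </ports></host>
 <host><status state="down"/><address addr="192.168.1.30" addrtype="ipv4"/></host>
</nmaprun>"""

# Constructed later scan of the same network: .10 now exposes 3389, .20 no
# longer answers on 80, and .30 has come up with FTP open.
SCAN_2 = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -oX - 192.168.1.0/24">
 <host><status state="up"/><address addr="192.168.1.10" addrtype="ipv4"/><ports>
  <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/></port>
  <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/></port>
  <port protocol="tcp" portid="3389"><state state="open" reason="syn-ack"/></port>
 </ports></host>
 <host><status state="up"/><address addr="192.168.1.20" addrtype="ipv4"/><ports>
  <port protocol="tcp" portid="80"><state state="closed" reason="reset"/></port>
  <port protocol="udp" portid="53"><state state="open|filtered" reason="no-response"/></port>
 </ports></host>
 <host><status state="up"/><address addr="192.168.1.30" addrtype="ipv4"/><ports>
  <port protocol="tcp" portid="21"><state state="open" reason="syn-ack"/></port>
 </ports></host>
</nmaprun>"""


def parse_nmap_xml(text: str) -> Scan:
    """Return {addr: {(proto, port), ...}} for every host whose status is up."""
    scan: Scan = {}
    for host in ET.fromstring(text).iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue                      # down hosts carry no port data
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        open_ports: Set[Port] = set()
        for port in host.iter("port"):
            state = port.find("state")
            # "open" and "open|filtered" are what nmap --open reports.
            if state is not None and state.get("state", "").startswith("open"):
                open_ports.add((port.get("protocol"), int(port.get("portid"))))
        scan[addr_el.get("addr")] = open_ports
    return scan


def hosts_with_port(scan: Scan, port: int, proto: str = "tcp") -> List[str]:
    """Structured equivalent of: nmap -p80 -oG - --open ... | grep open"""
    return sorted(h for h, ports in scan.items() if (proto, port) in ports)


def port_frequency(scan: Scan) -> List[Tuple[str, int]]:
    """Structured equivalent of: grep open ... | sort | uniq -c | sort -rn"""
    counts = Counter(f"{p}/{proto}" for ports in scan.values() for proto, p in ports)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def diff_scans(old: Scan, new: Scan) -> Dict[str, Dict[str, object]]:
    """Ndiff-style summary: per host that differs, which ports opened and which closed."""
    changes: Dict[str, Dict[str, object]] = {}
    for host in sorted(set(old) | set(new)):
        before, after = old.get(host, set()), new.get(host, set())
        kind = "new host" if host not in old else "host gone" if host not in new else "changed"
        if before != after or kind != "changed":
            changes[host] = {"kind": kind, "opened": after - before, "closed": before - after}
    return changes


if __name__ == "__main__":
    s1, s2 = parse_nmap_xml(SCAN_1), parse_nmap_xml(SCAN_2)
    print("web servers:", hosts_with_port(s1, 80))
    print("port frequency:", port_frequency(s1))
    for host, c in diff_scans(s1, s2).items():
        print(f"{host}: {c['kind']}, opened={sorted(c['opened'])}, closed={sorted(c['closed'])}")
```

For real use, read the file produced by -oX (or the .xml member of -oA) into `parse_nmap_xml` instead of the constructed strings; the same functions then give a baseline-versus-current comparison that is easier to feed into an inventory or alerting job than the text pipelines.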
Example | Description |
---|---|
nmap -iR 10 -PS22-25,80,113,1050,35000 -v -sn | Discovery only on the listed ports, no port scan |
nmap 192.168.1.1-1/24 -PR -sn -vv | ARP discovery only on local network, no port scan |
nmap -iR 10 -sn --traceroute | Traceroute to random targets, no port scan |
nmap 192.168.1.1-50 -sL --dns-server 192.168.1.1 | Query the internal DNS for hosts, list targets only |
nmap 192.168.1.1 --packet-trace | Show the details of the packets that are sent and received during a scan and capture the traffic. |