Menu Close

Nmap commands

A list of the key nmap scanning commands.

Single Target Commands

Switch

Example

Description

nmap 192.168.1.1

Scan a single IP

nmap 192.168.1.1 192.168.2.1

Scan specific IPs

nmap 192.168.1.1-254

Scan a range

nmap scanme.nmap.org

Scan a domain

nmap 192.168.1.0/24

Scan using CIDR notation

-iL

nmap -iL targets.txt

Scan targets from a file

-iR

nmap -iR 100

Scan 100 random hosts

–exclude

nmap –exclude 192.168.1.1

Exclude listed hosts

 

 

Host Discovery Commands

Switch

Example

Description

-sL

nmap 192.168.1.1-3 -sL

No Scan. List targets only

-sn

nmap 192.168.1.1/24 -sn

Disable port scanning. Host discovery only.

-Pn

nmap 192.168.1.1-5 -Pn

Disable host discovery. Port scan only.

-PS

nmap 192.168.1.1-5 -PS22-25,80

TCP SYN discovery on port x.

Port 80 by default

-PA

nmap 192.168.1.1-5 -PA22-25,80

TCP ACK discovery on port x.

Port 80 by default

-PU

nmap 192.168.1.1-5 -PU53

UDP discovery on port x.

Port 40125 by default

-PR

nmap 192.168.1.1-1/24 -PR

ARP discovery on local network

-n

nmap 192.168.1.1 -n

Never do DNS resolution

 

Port Specific Commands

Switch

Example

Description

-p

nmap 192.168.1.1 -p 21

Port scan for port x

-p

nmap 192.168.1.1 -p 21-100

Port range

-p

nmap 192.168.1.1 -p U:53,T:21-25,80

Port scan multiple TCP and UDP ports

-p-

nmap 192.168.1.1 -p-

Port scan all ports

-p

nmap 192.168.1.1 -p http,https

Port scan from service name

-F

nmap 192.168.1.1 -F

Fast port scan (100 ports)

–top-ports

nmap 192.168.1.1 –top-ports 2000

Port scan the top x ports

-p-65535

nmap 192.168.1.1 -p-65535

Leaving off initial port in range
makes the scan start at port 1

-p0-

nmap 192.168.1.1 -p0-

Leaving off end port in range

makes the scan go through to port 65535

 

Service/Version Detection Commands

Switch

Example

Description

-sV

nmap 192.168.1.1 -sV

Attempts to determine the version of the service running on port

-sV –version-intensity

nmap 192.168.1.1 -sV –version-intensity 8

Intensity level 0 to 9. Higher number increases possibility of correctness

-sV –version-light

nmap 192.168.1.1 -sV –version-light

Enable light mode. Lower possibility of correctness. Faster

-sV –version-all

nmap 192.168.1.1 -sV –version-all

Enable intensity level 9. Higher possibility of correctness. Slower

-A

nmap 192.168.1.1 -A

Enables OS detection, version detection, script scanning, and traceroute

 

Operating System Detection Commands

Switch

Example

Description

-O

nmap 192.168.1.1 -O

Remote OS detection using TCP/IP
stack fingerprinting

-O –osscan-limit

nmap 192.168.1.1 -O –osscan-limit

If at least one open and one closed
TCP port are not found it will not try
OS detection against host

-O –osscan-guess

nmap 192.168.1.1 -O –osscan-guess

Makes Nmap guess more aggressively

-O –max-os-tries

nmap 192.168.1.1 -O –max-os-tries 1

Set the maximum number x of OS
detection tries against a target

-A

nmap 192.168.1.1 -A

Enables OS detection, version detection, script scanning, and traceroute

 

Evasion Commands (Firewall)

Switch

Example

Description

-f

nmap 192.168.1.1 -f

Requested scan (including ping scans) use tiny fragmented IP packets. Harder for packet filters

–mtu

nmap 192.168.1.1 –mtu 32

Set your own offset size

-D

nmap -D 192.168.1.101,192.168.1.102,
192.168.1.103,192.168.1.23 192.168.1.1

Send scans from spoofed IPs

-D

nmap -D decoy-ip1,decoy-ip2,your-own-ip,decoy-ip3,decoy-ip4 remote-host-ip

Above example explained

-S

nmap -S www.microsoft.com www.facebook.com

Scan Facebook from Microsoft (-e eth0 -Pn may be required)

-g

nmap -g 53 192.168.1.1

Use given source port number

–proxies

nmap –proxies http://192.168.1.1:8080, http://192.168.1.2:8080 192.168.1.1

Relay connections through HTTP/SOCKS4 proxies

–data-length

nmap –data-length 200 192.168.1.1

Appends random data to sent packets

 

Command Outputs

Switch

Example

Description

-oN

nmap 192.168.1.1 -oN normal.file

Normal output to the file normal.file

-oX

nmap 192.168.1.1 -oX xml.file

XML output to the file xml.file

-oG

nmap 192.168.1.1 -oG grep.file

Grepable output to the file grep.file

-oA

nmap 192.168.1.1 -oA results

Output in the three major formats at once

-oG –

nmap 192.168.1.1 -oG –

Grepable output to screen. -oN -, -oX – also usable

–append-output

nmap 192.168.1.1 -oN file.file –append-output

Append a scan to a previous scan file

-v

nmap 192.168.1.1 -v

Increase the verbosity level (use -vv or more for greater effect)

-d

nmap 192.168.1.1 -d

Increase debugging level (use -dd or more for greater effect)

–reason

nmap 192.168.1.1 –reason

Display the reason a port is in a particular state, same output as -vv

–open

nmap 192.168.1.1 –open

Only show open (or possibly open) ports

–packet-trace

nmap 192.168.1.1 -T4 –packet-trace

Show all packets sent and received

–iflist

nmap –iflist

Shows the host interfaces and routes

–resume

nmap –resume results.file

Resume a scan