A list of the key nmap scanning commands.
Single Target Commands
Switch | Example | Description |
---|---|---|
(none) | nmap 192.168.1.1 | Scan a single IP |
(none) | nmap 192.168.1.1 192.168.2.1 | Scan specific IPs |
(none) | nmap 192.168.1.1-254 | Scan a range |
(none) | nmap scanme.nmap.org | Scan a domain |
(none) | nmap 192.168.1.0/24 | Scan using CIDR notation |
-iL | nmap -iL targets.txt | Scan targets from a file |
-iR | nmap -iR 100 | Scan 100 random hosts |
--exclude | nmap --exclude 192.168.1.1 | Exclude listed hosts |
Host Discovery Commands
Switch | Example | Description |
---|---|---|
-sL | nmap 192.168.1.1-3 -sL | No Scan. List targets only |
-sn | nmap 192.168.1.1/24 -sn | Disable port scanning. Host discovery only. |
-Pn | nmap 192.168.1.1-5 -Pn | Disable host discovery. Port scan only. |
-PS | nmap 192.168.1.1-5 -PS22-25,80 | TCP SYN discovery on port x. Port 80 by default |
-PA | nmap 192.168.1.1-5 -PA22-25,80 | TCP ACK discovery on port x. Port 80 by default |
-PU | nmap 192.168.1.1-5 -PU53 | UDP discovery on port x. Port 40125 by default |
-PR | nmap 192.168.1.1-1/24 -PR | ARP discovery on local network |
-n | nmap 192.168.1.1 -n | Never do DNS resolution |
Port Specific Commands
Switch | Example | Description |
---|---|---|
-p | nmap 192.168.1.1 -p 21 | Port scan for port x |
-p | nmap 192.168.1.1 -p 21-100 | Port range |
-p | nmap 192.168.1.1 -p U:53,T:21-25,80 | Port scan multiple TCP and UDP ports |
-p- | nmap 192.168.1.1 -p- | Port scan all ports |
-p | nmap 192.168.1.1 -p http,https | Port scan from service name |
-F | nmap 192.168.1.1 -F | Fast port scan (100 ports) |
--top-ports | nmap 192.168.1.1 --top-ports 2000 | Port scan the top x ports |
-p-65535 | nmap 192.168.1.1 -p-65535 | Leaving off initial port in range makes the scan start at port 1 |
-p0- | nmap 192.168.1.1 -p0- | Leaving off end port in range makes the scan go through to port 65535 |
Service/Version Detection Commands
Switch | Example | Description |
---|---|---|
-sV | nmap 192.168.1.1 -sV | Attempts to determine the version of the service running on port |
-sV --version-intensity | nmap 192.168.1.1 -sV --version-intensity 8 | Intensity level 0 to 9. Higher number increases possibility of correctness |
-sV --version-light | nmap 192.168.1.1 -sV --version-light | Enable light mode. Lower possibility of correctness. Faster |
-sV --version-all | nmap 192.168.1.1 -sV --version-all | Enable intensity level 9. Higher possibility of correctness. Slower |
-A | nmap 192.168.1.1 -A | Enables OS detection, version detection, script scanning, and traceroute |
Operating System Detection Commands
Switch | Example | Description |
---|---|---|
-O | nmap 192.168.1.1 -O | Remote OS detection using TCP/IP stack fingerprinting |
-O --osscan-limit | nmap 192.168.1.1 -O --osscan-limit | If at least one open and one closed TCP port are not found it will not try OS detection against host |
-O --osscan-guess | nmap 192.168.1.1 -O --osscan-guess | Makes Nmap guess more aggressively |
-O --max-os-tries | nmap 192.168.1.1 -O --max-os-tries 1 | Set the maximum number x of OS detection tries against a target |
-A | nmap 192.168.1.1 -A | Enables OS detection, version detection, script scanning, and traceroute |
Evasion Commands (Firewall)
Switch | Example | Description |
---|---|---|
-f | nmap 192.168.1.1 -f | Requested scan (including ping scans) uses tiny fragmented IP packets. Harder for packet filters |
--mtu | nmap 192.168.1.1 --mtu 32 | Set your own offset size |
-D | nmap -D 192.168.1.101,192.168.1.102,192.168.1.103,192.168.1.23 192.168.1.1 | Send scans from spoofed IPs |
-D | nmap -D decoy-ip1,decoy-ip2,your-own-ip,decoy-ip3,decoy-ip4 remote-host-ip | Above example explained |
-S | nmap -S www.microsoft.com www.facebook.com | Scan Facebook from Microsoft (-e eth0 -Pn may be required) |
-g | nmap -g 53 192.168.1.1 | Use given source port number |
--proxies | nmap --proxies http://192.168.1.1:8080,http://192.168.1.2:8080 192.168.1.1 | Relay connections through HTTP/SOCKS4 proxies |
--data-length | nmap --data-length 200 192.168.1.1 | Appends random data to sent packets |
Command Outputs
Switch | Example | Description |
---|---|---|
-oN | nmap 192.168.1.1 -oN normal.file | Normal output to the file normal.file |
-oX | nmap 192.168.1.1 -oX xml.file | XML output to the file xml.file |
-oG | nmap 192.168.1.1 -oG grep.file | Grepable output to the file grep.file |
-oA | nmap 192.168.1.1 -oA results | Output in the three major formats at once |
-oG - | nmap 192.168.1.1 -oG - | Grepable output to screen. -oN -, -oX - also usable |
--append-output | nmap 192.168.1.1 -oN file.file --append-output | Append a scan to a previous scan file |
-v | nmap 192.168.1.1 -v | Increase the verbosity level (use -vv or more for greater effect) |
-d | nmap 192.168.1.1 -d | Increase debugging level (use -dd or more for greater effect) |
--reason | nmap 192.168.1.1 --reason | Display the reason a port is in a particular state, same output as -vv |
--open | nmap 192.168.1.1 --open | Only show open (or possibly open) ports |
--packet-trace | nmap 192.168.1.1 -T4 --packet-trace | Show all packets sent and received |
--iflist | nmap --iflist | Shows the host interfaces and routes |
--resume | nmap --resume results.file | Resume a scan |