Nmap Commands

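| Switch | Example | Description |
| --- | --- | --- |
| | `nmap` | Scan a single IP |
| | `nmap` | Scan specific IPs |
| | `nmap` | Scan a range |
| | `nmap scanme.nmap.org` | Scan a domain |
| | `nmap` | Scan using CIDR notation |
| `-iL` | `nmap -iL targets.txt` | Scan targets from a file |
| `-iR` | `nmap -iR 100` | Scan 100 random hosts |
| `--exclude` | `nmap --exclude` | Exclude listed hosts |
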
| Switch | Example | Description |
| --- | --- | --- |
| `-sL` | `nmap -sL` | No scan. List targets only |
| `-sn` | `nmap -sn` | Disable port scanning. Host discovery only |
| `-Pn` | `nmap -Pn` | Disable host discovery. Port scan only |
| `-PS` | `nmap -PS22-25,80` | TCP SYN discovery on port x. Port 80 by default |
| `-PA` | `nmap -PA22-25,80` | TCP ACK discovery on port x. Port 80 by default |
| `-PU` | `nmap -PU53` | UDP discovery on port x. Port 40125 by default |
| `-PR` | `nmap -PR` | ARP discovery on local network |
| `-n` | `nmap -n` | Never do DNS resolution |

| Switch | Example | Description |
| --- | --- | --- |
| `-p` | `nmap -p 21` | Port scan for port x |
| `-p` | `nmap -p 21-100` | Port range |
| `-p` | `nmap -p U:53,T:21-25,80` | Port scan multiple TCP and UDP ports |
| `-p-` | `nmap -p-` | Port scan all ports |
| `-p` | `nmap -p http,https` | Port scan from service name |
| `-F` | `nmap -F` | Fast port scan (100 ports) |
| `--top-ports` | `nmap --top-ports 2000` | Port scan the top x ports |
| `-p-65535` | `nmap -p-65535` | Leaving off the initial port in the range makes the scan start at port 1 |
| `-p0-` | `nmap -p0-` | Leaving off the end port in the range makes the scan go through to port 65535 |

| Switch | Example | Description |
| --- | --- | --- |
| `-sV` | `nmap -sV` | Attempts to determine the version of the service running on port |
| `-sV --version-intensity` | `nmap -sV --version-intensity 8` | Intensity level 0 to 9. Higher number increases possibility of correctness |
| `-sV --version-light` | `nmap -sV --version-light` | Enable light mode. Lower possibility of correctness. Faster |
| `-sV --version-all` | `nmap -sV --version-all` | Enable intensity level 9. Higher possibility of correctness. Slower |
| `-A` | `nmap -A` | Enables OS detection, version detection, script scanning, and traceroute |

| Switch | Example | Description |
| --- | --- | --- |
| `-O` | `nmap -O` | Remote OS detection using TCP/IP stack fingerprinting |
| `-O --osscan-limit` | `nmap -O --osscan-limit` | If at least one open and one closed TCP port are not found, it will not try OS detection against the host |
| `-O --osscan-guess` | `nmap -O --osscan-guess` | Makes Nmap guess more aggressively |
| `-O --max-os-tries` | `nmap -O --max-os-tries 1` | Set the maximum number x of OS detection tries against a target |

| Switch | Example | Description |
| --- | --- | --- |
| `-f` | `nmap -f` | Requested scan (including ping scans) uses tiny fragmented IP packets. Harder for packet filters |
| `--mtu` | `nmap --mtu 32` | Set your own offset size |
| `-D` | `nmap -D ,,,` | Send scans from spoofed IPs |
| `-D` | `nmap -D decoy-ip1,decoy-ip2,your-own-ip,decoy-ip3,decoy-ip4 remote-host-ip` | Above example explained |
| `-S` | `nmap -S www.facebook.com` | Scan Facebook from Microsoft (`-e eth0 -Pn` may be required) |
| `-g` | `nmap -g 53` | Use given source port number |
| `--proxies` | `nmap --proxies` | Relay connections through HTTP/SOCKS4 proxies |
| `--data-length` | `nmap --data-length 200` | Append random data to sent packets |

| Switch | Example | Description |
| --- | --- | --- |
| `-oN` | `nmap -oN normal.file` | Normal output to the file normal.file |
| `-oX` | `nmap -oX xml.file` | XML output to the file xml.file |
| `-oG` | `nmap -oG grep.file` | Grepable output to the file grep.file |
| `-oA` | `nmap -oA results` | Output in the three major formats at once |
| `-oG -` | `nmap -oG -` | Grepable output to screen. `-oN -`, `-oX -` also usable |
| `--append-output` | `nmap -oN file.file --append-output` | Append a scan to a previous scan file |

| Switch | Example | Description |
| --- | --- | --- |
| `-v` | `nmap -v` | Increase the verbosity level (use `-vv` or more for greater effect) |
| `-d` | `nmap -d` | Increase debugging level (use `-dd` or more for greater effect) |
| `--reason` | `nmap --reason` | Display the reason a port is in a particular state, same output as `-vv` |
| `--open` | `nmap --open` | Only show open (or possibly open) ports |
| `--packet-trace` | `nmap -T4 --packet-trace` | Show all packets sent and received |
| `--iflist` | `nmap --iflist` | Shows the host interfaces and routes |
| `--resume` | `nmap --resume results.file` | Resume a scan |