Nmap is a Security Scanner, Port Scanner, & Network Exploration Tool


Nmap is a popular security tool for network exploration and port scanning. It identifies hosts and services on a network and can report further details such as operating system guesses, open ports, the services and versions running on those ports and, through its NSE scripts, potential vulnerabilities.



Basic Usage

  • Base Syntax: nmap [ScanType] [Options] {targets}

  • Access Help: nmap -h

  • Nmap Discovery Steps: 1. Enumerate Targets -> 2. Discover Live Hosts -> 3. Reverse DNS Lookup -> 4. Scan Ports -> 5. Detect Versions -> 6. Detect OS -> 7. Traceroute -> 8. Run Scripts -> 9. Write Output

  • TCP Flags:

    • URG: urgent incoming data

    • ACK: TCP receipt acknowledgement

    • PSH: promptly push data into application

    • RST: reset connection

    • SYN: synchronize; initiates the TCP handshake

    • FIN: sender has no more data to send

Scan Types


TCP SYN (half-open) scan. Default when run as root; never completes the handshake


nmap -sS

TCP connect scan. Uses the OS connect() call, the default for unprivileged users; completes the handshake, so it is more likely to be logged


nmap -sT

UDP scan. Slow, because open ports usually send nothing back and are reported as open|filtered


nmap -sU

TCP ACK scan. Maps firewall rules (filtered vs unfiltered); does not tell open from closed


nmap -sA

TCP Window scan. Like -sA, but uses the window field of returned RSTs to tell open from closed on some systems


nmap -sW

TCP Maimon scan. FIN/ACK probe, useful against some BSD-derived stacks


nmap -sM

TCP FIN scan


nmap -sF

TCP Null scan (no flags set)


nmap -sN

TCP Xmas scan (FIN, PSH and URG set)


nmap -sX

-sF, -sN and -sX rely on RFC 793 behaviour: a closed port answers with RST, an open port stays silent, so open ports are reported as open|filtered. Windows replies RST either way and shows every port as closed.

ARP ping. Host discovery on the local Ethernet segment (used there automatically)


nmap -PR



Target Specification


Scan a single IP


nmap 192.168.1.1

Scan specific IPs


nmap 192.168.1.1 192.168.1.2

Scan a range


nmap 192.168.1-255.1-254

Scan a domain


nmap scanme.nmap.org

Scan using CIDR notation


nmap 192.168.1.0/24

Scan targets from a file


nmap -iL targets.txt

Scan 100 random hosts


nmap -iR 100

Exclude listed hosts (or --excludefile <file>)


nmap 192.168.1.0/24 --exclude 192.168.1.1,192.168.1.5

Host Discovery


Don't Scan. List targets only


nmap -sL

Disable port scanning. Host discovery only.


nmap -sn

Disable host discovery. Port scan only; every target is treated as up, so unreachable hosts make the scan much slower


nmap -Pn

TCP SYN discovery on port x (port 80 default)


nmap -PS22-25,80

TCP ACK discovery on port x (port 80 default)


nmap -PA22-25,80

UDP discovery on port x (port 40125 default)


nmap -PU53

ARP discovery on local network


nmap -PR

Don't do DNS resolution


nmap -n

Specify DNS server(s) for reverse lookups


nmap --dns-servers <server1>[,<server2>,...]

Perform DNS resolution, even for offline hosts.


nmap -R

ICMP timestamp request


nmap -PP

ICMP address mask


nmap -PM

ICMP echo request


nmap -PE

Port Discovery


Port scan for single port


nmap -p 21

Port range


nmap -p 21-100

Port scan multiple TCP and UDP ports (a T: or U: prefix applies to everything after it)


nmap -p U:53,T:21-25,80

Port scan all ports


nmap -p-

Port scan from service name


nmap -p http,https

Fast port scan (100 ports)


nmap -F

Port scan the top x ports


nmap --top-ports 2000

Omitting beginning range starts scan at 1


nmap -p-65535

Omitting ending range runs scan through 65535


nmap -p0-
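The port-specification rules above (comma lists, ranges, T:/U: prefixes, service names, and the open-ended -p-, -p-65535 and -p0- forms) as a worked example. This is an added Python illustration, not Nmap's own code; the SERVICE_NAMES table is a constructed stand-in for the nmap-services file Nmap consults, and the function names are this example's own.

```python
"""Expand an Nmap -p port specification into TCP and UDP port sets.

Added example, not Nmap's code. Mirrors the documented rules: comma
lists, ranges, a T:/U: prefix that applies to the rest of the list,
service names, and the open-ended forms "-", "-65535" and "0-".
"""

MAX_PORT = 65535

# Constructed subset of nmap-services; Nmap reads the real file.
SERVICE_NAMES = {
    "ftp": 21,
    "ssh": 22,
    "domain": 53,
    "http": 80,
    "https": 443,
}


def _expand_item(item):
    """Expand one comma-separated item into a set of port numbers."""
    item = item.strip()
    if not item:
        raise ValueError("empty port item")
    if item in SERVICE_NAMES:
        return {SERVICE_NAMES[item]}
    if "-" in item:
        lo, hi = item.split("-", 1)
        lo = int(lo) if lo else 1           # "-N": omitted start means 1
        hi = int(hi) if hi else MAX_PORT    # "N-": omitted end means 65535
    else:
        lo = hi = int(item)
    if not 0 <= lo <= hi <= MAX_PORT:
        raise ValueError(f"invalid port range: {item!r}")
    return set(range(lo, hi + 1))


def expand_port_spec(spec):
    """Return {'tcp': set, 'udp': set} for the argument of -p.

    Items are TCP until a T: or U: prefix switches the protocol for the
    rest of the list, so "U:53,T:21-25,80" is UDP 53 plus TCP 21-25 and 80.
    """
    result = {"tcp": set(), "udp": set()}
    proto = "tcp"
    for raw in spec.split(","):
        raw = raw.strip()
        if raw[:2].upper() in ("T:", "U:"):
            proto = "tcp" if raw[0].upper() == "T" else "udp"
            raw = raw[2:]
        result[proto] |= _expand_item(raw)
    return result


if __name__ == "__main__":
    for spec in ("U:53,T:21-25,80", "-", "-65535", "0-", "http,https"):
        ports = expand_port_spec(spec)
        print(f"-p {spec:16} tcp={len(ports['tcp'])} ports, udp={len(ports['udp'])} ports")
```

Note that "0-" yields 65536 ports because port 0 is included, while "-" and "-65535" both start at 1, exactly the distinction the two cheat-sheet entries above make.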

OS Discovery


Remote OS detection using TCP/IP fingerprinting


nmap -O

Only attempt OS detection when at least one open and one closed port were found (skips hosts that cannot be fingerprinted reliably)


nmap -O --osscan-limit

Makes Nmap guess more aggressively when there is no perfect match


nmap -O --osscan-guess

Maximum OS detection tries against a target (default is 5 when conditions are favourable)


nmap -O --max-os-tries 1

OS detection, version detection, script scanning, traceroute


nmap -A

Run traceroute (performed after the scan, using the best port found)


nmap --traceroute

Service Discovery


Attempts to determine version of service running on port


nmap -sV

Intensity level 0 to 9 (default 7). Higher levels send more probes: better chance of identifying the service, slower


nmap -sV --version-intensity 8

Light mode (intensity 2). Faster, lower chance of identification


nmap -sV --version-light

Try every probe (intensity 9). Best chance of identification, slowest


nmap -sV --version-all




Firewall / IDS Evasion and Spoofing


Use fragmented IP packets: -f splits probes into 8-byte fragments, -ff into 16-byte fragments


nmap -f

Set your own fragment size (must be a multiple of 8; implies -f)


nmap --mtu 32

Send scans from spoofed/decoy IPs. Nmap still sends from your real address; write ME for your own position in the list, or RND:<n> to generate random decoys. Decoys should be up, otherwise the target can end up SYN-flooded


nmap -D decoy-ip1,decoy-ip2,ME,decoy-ip3,decoy-ip4 remote-host-ip

Spoofed source address. Example: scan www.facebook.com so the probes appear to come from www.microsoft.com. Replies go to the spoofed address, so Nmap sees no results unless it can sniff them; -e eth0 and -Pn are usually required


nmap -S www.microsoft.com www.facebook.com

Use given source port number


nmap -g 53

Relay connections through a chain of HTTP/SOCKS4 proxies. Only NSE and version detection use the chain; the ping, port scan and OS detection phases are unaffected


nmap --proxies <url1>,<url2>

Appends random data to sent packets


nmap –data-length 200

Spoof MAC address (a full MAC, a vendor prefix, a vendor name, or 0 for a random address)


nmap --spoof-mac 00000ABB28FC

Idle/zombie scan. Bounces the scan off a zombie host with a predictable, incrementing IP ID, so the target only ever sees the zombie's address


nmap -sI <zombie-host> <target>

Custom scan flags. Example with SYN and FIN flags set


nmap --scanflags SYNFIN
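The TCP flags listed under Basic Usage, the FIN/Null/Xmas/ACK scan types, and the --scanflags syntax shown above, as an added Python example (not Nmap's code): it turns a --scanflags value into the TCP header bitmask and models the RFC 793 response rules those scan types depend on. The function names and the rfc793_compliant switch are this example's own assumptions.

```python
"""Decode Nmap --scanflags values and model the replies that the SYN,
ACK, FIN, Null and Xmas scans rely on.

Added example, not Nmap's code. The bit values are the standard TCP
header flag bits. The response model follows RFC 793: a probe with no
SYN, RST or ACK set draws a RST from a closed port and nothing from an
open one, which is why -sF/-sN/-sX report "open|filtered" rather than
"open"; a stack that sends RST regardless (Windows does) makes every
port look closed to those scans.
"""

TCP_FLAGS = {
    "FIN": 0x01,
    "SYN": 0x02,
    "RST": 0x04,
    "PSH": 0x08,
    "ACK": 0x10,
    "URG": 0x20,
    "ECE": 0x40,   # also accepted by --scanflags, beyond the
    "CWR": 0x80,   # six flags listed in the cheat sheet
}

# Flag combinations behind the cheat sheet's TCP scan types.
# -sM exploits BSD stacks that drop FIN/ACK on open ports; the model
# below treats it like any other ACK-bearing probe.
SCAN_TYPE_FLAGS = {
    "-sS": TCP_FLAGS["SYN"],
    "-sA": TCP_FLAGS["ACK"],
    "-sF": TCP_FLAGS["FIN"],
    "-sN": 0,
    "-sX": TCP_FLAGS["FIN"] | TCP_FLAGS["PSH"] | TCP_FLAGS["URG"],
    "-sM": TCP_FLAGS["FIN"] | TCP_FLAGS["ACK"],
}


def parse_scanflags(value):
    """Return the bitmask for a --scanflags argument.

    Nmap accepts a number ("9" is PSH+FIN, hex such as "0x29" works too)
    or flag names mashed together in any order, e.g. "SYNFIN".
    """
    text = value.strip().upper()
    if text.startswith("0X"):
        mask = int(text, 16)
    elif text.isdigit():
        mask = int(text, 10)
    else:
        if len(text) % 3:
            raise ValueError(f"bad --scanflags value: {value!r}")
        mask = 0
        for i in range(0, len(text), 3):
            name = text[i:i + 3]
            if name not in TCP_FLAGS:
                raise ValueError(f"unknown TCP flag {name!r} in {value!r}")
            mask |= TCP_FLAGS[name]
    if not 0 <= mask <= 0xFF:
        raise ValueError(f"flag value out of range: {value!r}")
    return mask


def flag_names(mask):
    """Flag names set in a bitmask, in header-bit order."""
    return [name for name, bit in TCP_FLAGS.items() if mask & bit]


def expected_response(mask, port_open, rfc793_compliant=True):
    """Reply a target port gives to a probe carrying these flags.

    Returns "SYN/ACK", "RST" or "none". Firewalls are not modelled; a
    dropped probe also yields "none", which is why silence is ambiguous.
    """
    if mask & TCP_FLAGS["RST"]:
        return "none"                              # RST segments are never answered
    if mask & TCP_FLAGS["ACK"]:
        return "RST"                               # -sA: open and closed alike reply RST
    if mask & TCP_FLAGS["SYN"]:
        return "SYN/ACK" if port_open else "RST"   # -sS half-open handshake
    # FIN / Null / Xmas style probes: no SYN, RST or ACK
    if not rfc793_compliant:
        return "RST"                               # Windows-style stack: RST regardless
    return "none" if port_open else "RST"          # RFC 793: open ports stay silent


def infer_state(mask, response):
    """Map probe flags plus the observed reply to Nmap's port-state label."""
    if response == "ICMP unreachable":
        return "filtered"
    if mask & TCP_FLAGS["ACK"]:
        return "unfiltered" if response == "RST" else "filtered"
    if mask & TCP_FLAGS["SYN"]:
        return {"SYN/ACK": "open", "RST": "closed"}.get(response, "filtered")
    # silence after a FIN/Null/Xmas probe is ambiguous, hence open|filtered
    return "closed" if response == "RST" else "open|filtered"


if __name__ == "__main__":
    probe = parse_scanflags("SYNFIN")
    print("--scanflags SYNFIN ->", hex(probe), flag_names(probe))
    for name, mask in SCAN_TYPE_FLAGS.items():
        r_open = expected_response(mask, port_open=True)
        r_closed = expected_response(mask, port_open=False)
        print(f"{name}: open port -> {r_open} ({infer_state(mask, r_open)}), "
              f"closed port -> {r_closed} ({infer_state(mask, r_closed)})")
```

Running it shows why -sF, -sN and -sX can never say "open": the open-port reply is the same silence a dropping firewall produces, so infer_state returns open|filtered, whereas -sS gets a distinguishing SYN/ACK.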



Output


Normal output to the file normal.file


nmap -oN normal.file

XML output to the file xml.file


nmap -oX xml.file

Grepable output to the file grep.file


nmap -oG grep.file

Output in the three major formats at once (results.nmap, results.xml, results.gnmap)


nmap -oA results

Grepable output to screen (-oN - and -oX - also work)


nmap -oG -

Append a scan to a previous scan file


nmap -oN file.file --append-output

Increase the verbosity level (-vv or more for greater effect)


nmap -v

Increase debugging level (-dd or more for greater effect)


nmap -d

Display the reason a port is in a particular state (enabled automatically by -d)


nmap --reason

Only show open (or possibly open) ports


nmap --open

Show all packets sent and received


nmap -T4 --packet-trace

Show the host interfaces and routes


nmap --iflist

Resume an aborted scan from its normal or grepable output file


nmap --resume results.file
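The -oX format is the one to parse in tooling. Below is an added Python example (not Nmap's code) that reads XML output and lists open ports with the --reason value and the -sV product string per host. SAMPLE_XML is constructed here to mirror the element layout Nmap writes (host/status, address, hostnames, ports/port/state/service); the addresses, hostnames and versions in it are invented.

```python
"""Parse Nmap -oX output into a per-host list of open ports.

Added example, not Nmap's code. SAMPLE_XML is constructed to match
Nmap's element layout; every value in it is made up.
"""
import xml.etree.ElementTree as ET

SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -sS -sV --reason -oX scan.xml 192.168.1.0/24" start="0" version="7.94">
  <host>
    <status state="up" reason="arp-response" reason_ttl="0"/>
    <address addr="192.168.1.10" addrtype="ipv4"/>
    <hostnames><hostname name="fileserver.lan" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack" reason_ttl="64"/>
        <service name="ssh" product="OpenSSH" version="8.9p1" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="445">
        <state state="open" reason="syn-ack" reason_ttl="64"/>
        <service name="microsoft-ds" method="table" conf="3"/>
      </port>
      <port protocol="tcp" portid="23">
        <state state="closed" reason="reset" reason_ttl="64"/>
        <service name="telnet" method="table" conf="3"/>
      </port>
    </ports>
  </host>
  <host>
    <status state="up" reason="echo-reply" reason_ttl="128"/>
    <address addr="192.168.1.20" addrtype="ipv4"/>
    <hostnames/>
    <ports>
      <port protocol="udp" portid="53">
        <state state="open|filtered" reason="no-response" reason_ttl="0"/>
        <service name="domain" method="table" conf="3"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack" reason_ttl="128"/>
        <service name="http" product="Microsoft IIS httpd" version="10.0" method="probed" conf="10"/>
      </port>
    </ports>
  </host>
  <host>
    <status state="down" reason="no-response" reason_ttl="0"/>
    <address addr="192.168.1.30" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text, states=("open",)):
    """Return one dict per port whose state is in `states`.

    Hosts reported as down are skipped. Pass states=("open", "open|filtered")
    to keep the ambiguous UDP and FIN/Null/Xmas results as well.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr_el = host.find("address[@addrtype='ipv4']")
        addr = addr_el.get("addr") if addr_el is not None else "?"
        name_el = host.find("hostnames/hostname")
        hostname = name_el.get("name") if name_el is not None else ""
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") not in states:
                continue
            svc = port.find("service")
            product = ""
            if svc is not None:
                product = " ".join(filter(None, (svc.get("product"), svc.get("version"))))
            findings.append({
                "host": addr,
                "hostname": hostname,
                "proto": port.get("protocol"),
                "port": int(port.get("portid")),
                "state": state.get("state"),
                "reason": state.get("reason"),   # the value --reason prints
                "service": svc.get("name") if svc is not None else "",
                "product": product,              # filled in by -sV
            })
    return findings


def hosts_with_port(findings, port, proto="tcp"):
    """Sorted addresses exposing a given port, e.g. everything listening on 445."""
    return sorted({f["host"] for f in findings if f["port"] == port and f["proto"] == proto})


if __name__ == "__main__":
    for f in parse_nmap_xml(SAMPLE_XML, states=("open", "open|filtered")):
        print(f"{f['host']:15} {f['proto']}/{f['port']:<5} {f['state']:14} "
              f"{f['reason']:12} {f['service']:13} {f['product']}")
    print("SMB hosts:", hosts_with_port(parse_nmap_xml(SAMPLE_XML), 445))
```

Parse the XML rather than scraping normal output: the XML carries the reason and service-confidence fields as attributes and its layout is stable across releases, which is what makes it safe to feed into an inventory or a diff against the previous scan.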



NSE Scripts


View all local scripts


ls /usr/share/nmap/scripts

Search local scripts with wildcards. Example http


ls -l /usr/share/nmap/scripts/*http*

Default NSE scripts (the "default" category, chosen to be safe and useful for discovery). -sC and --script default are equivalent


nmap -sC

nmap --script default

Use a single script. Example banner


nmap --script=banner

Use a wildcard. Example http (quote it so the shell does not expand it)


nmap --script="http*"

Use two scripts. Example http-title and banner


nmap --script=http-title,banner

Use a category. Example auth


nmap --script=auth

Default scripts with the intrusive ones removed (boolean expressions need quoting)


nmap --script "default and not intrusive"

NSE script with arguments


nmap --script snmp-sysdescr --script-args snmpcommunity=admin

Display help for a script. Example banner


nmap --script-help banner

Get page titles from HTTP services


nmap --script=http-title

Get HTTP headers of web services


nmap --script=http-headers

Find applications from known paths


nmap --script=http-enum

Get IP info (whois-ip was called whois in older releases; the maxmind lookup needs a local GeoLite database)


nmap --script=asn-query,whois-ip,ip-geolocation-maxmind

Heartbleed vulnerability detection


nmap --script=ssl-heartbleed -sV -p 443

Vulnerability detection. Runs the whole vuln category, which includes intrusive checks


nmap --script vuln -Pn

Malware scan


nmap --script=http-malware-host -sV

Malware scan using Google Safe Browsing (needs an API key passed with --script-args; see --script-help http-google-malware)


nmap --script=http-google-malware -p80 target.com

SMB vulnerability detection. smb-check-vulns has been removed from current Nmap releases; use the smb-vuln-* scripts instead


nmap --script="smb-vuln-*" -p 445

Older releases: nmap --script=smb-check-vulns --script-args=unsafe=1 -v -p 445

Timing Templates


Paranoid (0): one probe at a time with a 5-minute wait between probes; for Intrusion Detection System evasion, extremely slow


nmap -T0

Sneaky (1): 15 seconds between probes; for Intrusion Detection System evasion


nmap -T1

Polite (2): slows down to use less bandwidth and fewer target machine resources


nmap -T2

Normal (3): the default speed


nmap -T3

Aggressive (4): speeds up scans; assumes you are on a fast, reliable network


nmap -T4

Insane (5): speeds up scans further; assumes an extraordinarily fast network and trades accuracy for speed, so ports and version data can be missed


nmap -T5

Timing and Performance


Give up on a target after this long

--host-timeout <time>

e.g. 1s; 4m; 2h

Minimum, maximum and initial probe round-trip timeout

--min-rtt-timeout/--max-rtt-timeout/--initial-rtt-timeout <time>

e.g. 1s; 4m; 2h

Parallel host scan group sizes

--min-hostgroup/--max-hostgroup <size>

e.g. 50; 1024

Probe parallelization

--min-parallelism/--max-parallelism <numprobes>

e.g. 10; 1

Maximum number of port scan probe retransmissions

--max-retries <tries>


Send packets no slower than <number> per second

--min-rate <number>


Send packets no faster than <number> per second

--max-rate <number>


