Nmap Commands - Network Scanning & Security Auditing

Master Nmap commands for network scanning, port discovery, OS detection, and security auditing. Explore essential Nmap syntax for effective network analysis.

Nmap Commands

Nmap (Network Mapper) is a powerful open-source tool for network exploration and security auditing. It is widely used by security professionals to discover hosts and services on a computer network, thus creating a "map" of the network. This page provides a collection of essential Nmap commands to help you perform various network scanning tasks efficiently.

Basic Network Scanning

These commands cover fundamental Nmap operations for scanning single targets or lists of hosts.

# Single target scan:
nmap [target]

# Scan from a list of targets:
nmap -iL [list.txt]

# IPv6 scan:
nmap -6 [target]

# Save output to a text file:
nmap -oN [output.txt] [target]

# Save output to an XML file:
nmap -oX [output.xml] [target]

# Scan a specific port:
nmap -p [port] [target]

Advanced Scanning Techniques

Explore more sophisticated Nmap options for detailed network analysis and detection.

# OS detection (--osscan-guess makes Nmap guess more aggressively when there is no exact match):
nmap -O --osscan-guess [target]

# Aggressive scan (includes OS detection, version detection, script scanning, and traceroute):
nmap -A [target]

# Speed up your scan:
# -T5 => most aggressive timing template; can miss ports on slow or lossy links
# -n => disable reverse DNS resolution
# --min-rate=X => min X packets / sec
nmap -T5 --min-parallelism=50 -n --min-rate=300 [target]

# Traceroute:
nmap --traceroute [target]

# Ping scan only (ARP ping for local network, ICMP echo for remote);
# -sn is the current name of the option older releases call -sP:
nmap -sn [target]

# Don't ping (useful if a host doesn't reply to a ping);
# -Pn is the current name of the option older releases call -PN:
nmap -Pn [target]

# Force TCP SYN scan:
nmap -sS [target]

# Force UDP scan:
nmap -sU [target]

Nmap Scripting Engine (NSE)

Leverage Nmap's powerful scripting capabilities for various tasks, from vulnerability detection to advanced discovery.

# Run scripts in the default or safe categories:
nmap --script default,safe [target]

# Load scripts from a specific directory:
# Loads the scripts in the default category, the banner script,
# and all .nse files in the directory /home/user/customscripts.
nmap --script default,banner,/home/user/customscripts [target]

# Load all scripts whose name starts with http-,
# such as http-auth and http-open-proxy:
nmap --script 'http-*' [target]

# Load every script except for those in the intrusive category:
nmap --script "not intrusive" [target]

# Load scripts that are in both the default and safe categories:
nmap --script "default and safe" [target]

# Load scripts in the default, safe, or intrusive categories,
# except for those whose names start with http-:
nmap --script "(default or safe or intrusive) and not http-*" [target]

# Scan for the heartbleed vulnerability on port 443:
# -pT:443 => Scan only port 443 with TCP (T:)
nmap -T5 --min-parallelism=50 -n --script "ssl-heartbleed" -pT:443 127.0.0.1

# Discover DHCP information on an interface:
nmap --script broadcast-dhcp-discover -e eth0

Debugging and Information Gathering

Use these commands to get more detailed information during scans or for debugging purposes.

# Show all information (debug mode):
nmap -d ...
