Nmap Commands - Network Scanning & Security Auditing Tool

Master Nmap commands for network scanning, port discovery, OS detection, and security auditing. Learn essential Nmap syntax for effective network analysis.

Nmap Commands Reference

Nmap (Network Mapper) is a powerful open-source tool for network discovery and security auditing. This page is a reference for common Nmap commands, covering host discovery, port scanning, OS and service-version detection, and vulnerability checks with NSE scripts. Scan only systems you are authorized to test: version detection, NSE scripts and aggressive timing templates all generate traffic that targets and intrusion detection systems will notice, and scripts in the intrusive, dos and exploit categories can disrupt the services they probe.

Basic Network Scanning

# Single target scan:
nmap [target]

# Scan from a list of targets:
nmap -iL [list.txt]

# IPv6 scan:
nmap -6 [target]

# Aggressive scan (equivalent to -O -sV -sC --traceroute; thorough but noisy and easily detected):
nmap -A [target]

OS and Version Detection

# OS detection (needs raw-socket privileges, i.e. root; --osscan-guess reports the closest
# fingerprint when nothing matches exactly, so treat such guesses with caution):
nmap -O --osscan-guess [target]

# Version detection (determines service/version info on open ports):
nmap -sV [target]

Output and Saving Results

# Save output to a normal text file:
nmap -oN [output.txt] [target]

# Save output to an XML file (the format to use when other tools will parse the results):
nmap -oX [output.xml] [target]

# Related: -oG [output.gnmap] writes the grepable format, -oA [basename] writes normal, XML and
# grepable files at once, and a filename of "-" sends the chosen format to stdout for piping.
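The XML format (-oX) is the one to parse when scan results feed other tooling. The following Python script is an added example, not code from this page or from the Nmap project: it parses an nmaprun document into plain records, lists the ports Nmap reported as open, and wraps the nmap invocation with `-oX -` so the XML never has to touch disk. The XML embedded in it is a constructed sample (the addresses, hostname and version strings are made up) laid out like a real nmaprun document; the `scan()` helper is assumed to run on a host where nmap is installed and on the PATH, and nothing else in the script needs nmap.

```python
# Added example (not from the page or the Nmap project): parse Nmap -oX output.
import subprocess
import xml.etree.ElementTree as ET

# Constructed sample in the nmaprun layout; every value in it is made up.
# One host is up with three scanned ports, one host never answered.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX - 192.0.2.10 192.0.2.11" version="7.94">
<host><status state="up" reason="syn-ack"/>
<address addr="192.0.2.10" addrtype="ipv4"/>
<hostnames><hostname name="web.example.test" type="PTR"/></hostnames>
<ports>
<extraports state="closed" count="997"/>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
<service name="ssh" product="OpenSSH" version="8.9p1" method="probed" conf="10"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
<service name="http" product="nginx" version="1.18.0" method="probed" conf="10"/></port>
<port protocol="tcp" portid="443"><state state="filtered" reason="no-response"/>
<service name="https" method="table" conf="3"/></port>
</ports>
</host>
<host><status state="down" reason="no-response"/>
<address addr="192.0.2.11" addrtype="ipv4"/>
</host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Turn an nmaprun document into a list of host dicts:
    {addr, hostname, state, ports: [{port, proto, state, reason, service}]}.
    Hosts that are down (or were scanned with -sn) simply have no ports."""
    root = ET.fromstring(xml_text)
    hosts = []
    for host in root.findall("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:                      # IPv6-only scan (-6)
            addr_el = host.find("address[@addrtype='ipv6']")
        hn = host.find("hostnames/hostname")     # only present when reverse DNS resolved
        rec = {
            "addr": addr_el.get("addr") if addr_el is not None else None,
            "hostname": hn.get("name") if hn is not None else None,
            "state": host.find("status").get("state"),
            "ports": [],
        }
        for port in host.findall("ports/port"):
            st = port.find("state")
            svc = port.find("service")
            service = ""
            if svc is not None:                  # name from the table, or probed product/version with -sV
                service = " ".join(x for x in (svc.get("name"), svc.get("product"), svc.get("version")) if x)
            rec["ports"].append({
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "state": st.get("state"),        # open, closed, filtered, open|filtered, ...
                "reason": st.get("reason"),      # why Nmap assigned that state (same as --reason)
                "service": service,
            })
        hosts.append(rec)
    return hosts


def open_ports(hosts):
    """Flatten to (addr, port, proto, service) for every port in state 'open'."""
    return [(h["addr"], p["port"], p["proto"], p["service"])
            for h in hosts for p in h["ports"] if p["state"] == "open"]


def scan(targets, extra_args=("-sV",)):
    """Run nmap with XML on stdout and parse it. Assumes nmap is installed."""
    cmd = ["nmap", *extra_args, "-oX", "-", *targets]
    out = subprocess.run(cmd, check=True, capture_output=True, text=True).stdout
    return parse_nmap_xml(out)


if __name__ == "__main__":
    for addr, port, proto, svc in open_ports(parse_nmap_xml(SAMPLE_XML)):
        print(f"{addr}:{port}/{proto} {svc}")
```

Because `parse_nmap_xml` keeps the `reason` attribute, the same records can drive a check for ports that only look open because of a RST-less firewall (state `filtered`, reason `no-response`) versus ports that actually answered (reason `syn-ack`).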

Advanced Scanning Techniques

# Scan a specific port:
nmap -p [port] [target]

# Scan a range of ports:
nmap -p 1-1000 [target]

# Scan the N most common ports (from Nmap's port-frequency data; a default scan covers the top 1000):
nmap --top-ports 100 [target]

# Speed up a scan. -T4 is usually fine on a LAN; -T5 assumes a fast, reliable link and can miss
# ports (probes time out) as well as trip IDS. Fine-grained options override the template.
# -n => disable reverse DNS lookups
# --min-rate=X => send at least X packets/sec
# --min-parallelism=N => keep at least N probes outstanding at a time
nmap -T5 --min-parallelism=50 -n --min-rate=300 [target]

# Traceroute (a double-dash option; -traceroute is not valid):
nmap --traceroute [target]

# Ping scan only (host discovery, no port scan):
nmap -sn [target]

# Skip host discovery and treat every target as up (use when a host drops ping probes;
# -PN is the older spelling of the same option):
nmap -Pn [target]

# TCP SYN ping (port 80 by default; a port list can be given, e.g. -PS22,80,443):
nmap -PS [target]

# TCP ACK ping:
nmap -PA [target]

# UDP ping:
nmap -PU [target]

# ARP ping (local network):
nmap -PR [target]

# Example: ping scan of every host on a /24 (-sP is the deprecated spelling of -sn):
nmap -sn 192.168.0.0/24

# TCP connect scan (completes the three-way handshake, so the target's application logs
# see the connection; this is what Nmap uses when it lacks raw-socket privileges, whereas
# -sS, the half-open SYN scan, is the default as root):
nmap -sT [target]

# UDP scan (slow: a probe that gets no reply is reported open|filtered and is retried;
# limiting the port list with --top-ports keeps it tractable):
nmap -sU [target]

Nmap Scripting Engine (NSE)

# Run the default script set (the same as -sC):
nmap --script default [target]

# Run scripts that are in the default OR safe category (a comma-separated list means OR):
nmap --script default,safe [target]

# Run one specific script against one port (ssl-heartbleed tests for the Heartbleed bug):
nmap --script ssl-heartbleed -pT:443 127.0.0.1

# Loads the scripts in the default category, the banner script, and every .nse file in the directory /home/user/customscripts:
nmap --script default,banner,/home/user/customscripts [target]

# Loads all scripts whose name starts with http-, such as http-auth and http-open-proxy
# (the quotes stop the shell from expanding the wildcard):
nmap --script 'http-*' [target]

# Loads every script except those in the intrusive category:
nmap --script "not intrusive" [target]

# Loads only scripts that are in both the default and safe categories:
nmap --script "default and safe" [target]

# Loads scripts in the default, safe or intrusive categories, except those whose names start with http-
# (not binds tighter than and, which binds tighter than or; use parentheses to be explicit):
nmap --script "(default or safe or intrusive) and not http-*" [target]

# --script-help [expression] lists exactly which scripts an expression selects, without scanning anything.
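The selection expressions above combine category names, script-name globs and and/or/not. The Python below is an added example, not Nmap's own code: it reimplements that selection logic (comma as OR, not binding tighter than and, and tighter than or, `*` globs matched against script names, `all` matching everything) over a small hand-constructed catalog whose categories are copied from the real scripts' headers. It does not model directory or .nse file paths. Nmap's own resolution is authoritative; `nmap --script-help "<expression>"` prints exactly which scripts a given expression selects on your install.

```python
# Added example (not Nmap's code): resolve a --script expression against a script catalog.
import fnmatch
import re

# Hand-constructed catalog: script name -> categories. A small subset of the real
# script.db, with categories taken from the scripts' own headers; check your
# install with `nmap --script-help <name>` before relying on them.
CATALOG = {
    "banner": {"discovery", "safe"},
    "http-auth": {"default", "auth", "safe"},
    "http-open-proxy": {"default", "discovery", "external", "safe"},
    "http-title": {"default", "discovery", "safe"},
    "smb-os-discovery": {"default", "discovery", "safe"},
    "ssl-heartbleed": {"vuln", "safe"},
    "ssh-brute": {"brute", "intrusive"},
    "dns-brute": {"intrusive", "discovery"},
}

# Tokens: parentheses, comma (top-level OR), the three keywords, or a bare term
# (a category name or a script-name glob such as http-*).
_TOKEN = re.compile(r"\s*(\(|\)|,|and\b|or\b|not\b|[^\s(),]+)")


def tokenize(expr):
    toks, pos = [], 0
    while pos < len(expr):
        m = _TOKEN.match(expr, pos)
        if m is None:          # only trailing whitespace remains
            break
        toks.append(m.group(1))
        pos = m.end()
    return toks


def _term(tok):
    """Predicate for a bare term: matches the pseudo-category 'all', a category
    the script belongs to, or the script name itself (with * wildcards)."""
    name = tok[:-4] if tok.endswith(".nse") else tok
    return lambda script, cats: name == "all" or name in cats or fnmatch.fnmatchcase(script, name)


class _Parser:
    """Recursive-descent parser; precedence is not > and > or, and comma == or."""

    def __init__(self, tokens):
        self.toks, self.i = tokens, 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self):
        tok = self.peek()
        self.i += 1
        return tok

    def parse(self):
        node = self.parse_or()
        if self.peek() is not None:
            raise ValueError(f"unexpected token {self.peek()!r}")
        return node

    def parse_or(self):
        left = self.parse_and()
        while self.peek() in ("or", ","):
            self.take()
            right = self.parse_and()
            left = (lambda l, r: lambda s, c: l(s, c) or r(s, c))(left, right)
        return left

    def parse_and(self):
        left = self.parse_not()
        while self.peek() == "and":
            self.take()
            right = self.parse_not()
            left = (lambda l, r: lambda s, c: l(s, c) and r(s, c))(left, right)
        return left

    def parse_not(self):
        if self.peek() == "not":
            self.take()
            inner = self.parse_not()
            return lambda s, c: not inner(s, c)
        return self.parse_atom()

    def parse_atom(self):
        tok = self.take()
        if tok == "(":
            node = self.parse_or()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return node
        if tok is None or tok in (")", ",", "and", "or", "not"):
            raise ValueError(f"expected a category or script name, got {tok!r}")
        return _term(tok)


def select_scripts(expr, catalog=CATALOG):
    """Return the sorted script names that a --script expression selects."""
    pred = _Parser(tokenize(expr)).parse()
    return sorted(name for name, cats in catalog.items() if pred(name, cats))


if __name__ == "__main__":
    for e in ("default,banner", "http-*", "not intrusive", "default and safe",
              "(default or safe or intrusive) and not http-*"):
        print(f"{e:50} -> {', '.join(select_scripts(e))}")
```

Running it against the catalog shows why "default and safe" is narrower than "default,safe": the first keeps only scripts carrying both tags, the second is a union and also pulls in safe-but-not-default scripts such as banner and ssl-heartbleed.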

Debugging and Verbosity

# Verbose output (-v, or -vv for more) shows progress and per-port detail; debug output
# (-d, up to -d9) shows internal decisions. --reason prints why each port got its state and
# --packet-trace prints every packet sent and received.
nmap -d [options] [target]

Common Port Status Information

  • Open: An application is actively accepting TCP connections, UDP datagrams or SCTP associations on this port.
  • Closed: The port is reachable (probes get a response, e.g. a TCP RST), but no application is listening on it.
  • Filtered: Nmap cannot tell whether the port is open because packet filtering (a firewall, router rules or host software) is dropping its probes; usually there is no response at all, sometimes only an ICMP unreachable error.
  • Unfiltered: The port is reachable, but Nmap cannot tell whether it is open or closed. Only the ACK scan (-sA) produces this state; a SYN or connect scan of the port usually resolves it.
  • Open|Filtered: Nmap cannot distinguish open from filtered. Typical for UDP, IP protocol, FIN, NULL and Xmas scans, where an open port may send no response at all.
  • Closed|Filtered: Nmap cannot distinguish closed from filtered. Only the IP ID idle scan produces this state.

Additional Scan Types Summary

  • -sn: Host discovery only (ping scan), no port scan.
  • -sS: TCP SYN scan (half-open; the default when Nmap has raw-socket privileges, i.e. runs as root).
  • -sT: TCP connect scan (full handshake; the default otherwise, and visible in the target's application logs).
  • -sU: UDP scan.
  • -sV: Version detection (service/version info on open ports).
  • -O: OS detection/fingerprinting.
  • --scanflags: Custom TCP scan using any combination of `URG ACK PSH RST SYN FIN`, written in any order (e.g. --scanflags URGACKPSH).

Nmap Scripting Engine (NSE) Categories

NSE scripts are tagged with one or more of the following categories, which the --script expressions above select by name:

  • auth: Deal with authentication credentials on the target (or bypass authentication); password guessing belongs to brute.
  • broadcast: Discover hosts not listed on the command line by broadcasting on the local network.
  • brute: Guess credentials for services such as SSH, SMB and HTTP.
  • default: Run when -sC or -A is given and no --script is specified; chosen for speed, usefulness and low risk of damage.
  • discovery: Actively learn more about the network (public registries, SNMP devices, directory services, DNS and similar).
  • dos: May cause a denial of service on the target; run only with explicit authorization.
  • exploit: Actively exploit a vulnerability on the target.
  • external: Send data to third-party systems (for example a whois database), which may disclose the target to those parties.
  • fuzzer: Send unexpected or randomized input to a service, which may crash it.
  • intrusive: May crash targets, consume excessive resources or be regarded as an attack by the target's administrators.
  • malware: Test whether the target is infected by malware or backdoors.
  • safe: Not designed to crash services, use large amounts of bandwidth or exploit vulnerabilities.
  • version: Extend version detection; these run only when -sV is given and cannot be selected explicitly.
  • vuln: Check for specific known vulnerabilities and generally report only when one is found.

For more detailed information and advanced usage, refer to the official Nmap documentation: