Nmap Cheat Sheet

The document describes various switches and parameters that can be used with the nmap network scanning tool. It covers options for specifying targets, scan techniques, host discovery, port specification, service/version detection, OS detection, timing and performance, and NSE scripts. The switches allow customizing aspects of the scan such as the ports scanned, scan speed, host discovery method, and scripts used.

Target Specification

Switch      Example                               Description
            nmap 192.168.1.1                      Scan a single IP
            nmap 192.168.1.1 192.168.2.1          Scan specific IPs
            nmap 192.168.1.1-254                  Scan a range
            nmap scanme.nmap.org                  Scan a hostname
            nmap 192.168.1.0/24                   Scan using CIDR notation
-iL         nmap -iL targets.txt                  Scan targets from a file
-iR         nmap -iR 100                          Scan 100 random hosts
--exclude   nmap --exclude 192.168.1.1            Exclude listed hosts

Scan Techniques

Switch   Example                 Description
-sS      nmap 192.168.1.1 -sS    TCP SYN port scan (default when run as root; needs raw sockets)
-sT      nmap 192.168.1.1 -sT    TCP connect port scan (default without root privilege; completes the handshake, so it is noisier)
-sU      nmap 192.168.1.1 -sU    UDP port scan
-sA      nmap 192.168.1.1 -sA    TCP ACK port scan (maps firewall rules; does not identify open ports)
-sW      nmap 192.168.1.1 -sW    TCP Window port scan
-sM      nmap 192.168.1.1 -sM    TCP Maimon port scan

Host Discovery

Switch   Example                              Description
-sL      nmap 192.168.1.1-3 -sL               No scan. List targets only (does reverse DNS unless -n is given)
-sn      nmap 192.168.1.1/24 -sn              Disable port scanning. Host discovery only
-Pn      nmap 192.168.1.1-5 -Pn               Disable host discovery. Port scan only (every target is treated as up)
-PS      nmap 192.168.1.1-5 -PS22-25,80       TCP SYN discovery on port x. Port 80 by default
-PA      nmap 192.168.1.1-5 -PA22-25,80       TCP ACK discovery on port x. Port 80 by default
-PU      nmap 192.168.1.1-5 -PU53             UDP discovery on port x. Port 40125 by default
-PR      nmap 192.168.1.0/24 -PR              ARP discovery on the local network (used automatically for targets on the local Ethernet segment)
-n       nmap 192.168.1.1 -n                  Never do DNS resolution

Port Specification

Switch        Example                                Description
-p            nmap 192.168.1.1 -p 21                 Port scan for port x
-p            nmap 192.168.1.1 -p 21-100             Port range
-p            nmap 192.168.1.1 -p U:53,T:21-25,80    Port scan multiple UDP and TCP ports (requires -sU together with a TCP scan type, e.g. -sS)
-p-           nmap 192.168.1.1 -p-                   Port scan all 65535 ports
-p            nmap 192.168.1.1 -p http,https         Port scan from service name
-F            nmap 192.168.1.1 -F                    Fast port scan (100 most common ports)
--top-ports   nmap 192.168.1.1 --top-ports 2000      Port scan the top x ports
-p-65535      nmap 192.168.1.1 -p-65535              Leaving off the initial port in a range makes the scan start at port 1
-p0-          nmap 192.168.1.1 -p0-                  Leaving off the end port in a range makes the scan go through to port 65535

Service and Version Detection

Switch                     Example                                       Description
-sV                        nmap 192.168.1.1 -sV                          Attempts to determine the version of the service running on each open port
-sV --version-intensity    nmap 192.168.1.1 -sV --version-intensity 8    Intensity level 0 to 9 (default 7). A higher number increases the possibility of correctness
-sV --version-light        nmap 192.168.1.1 -sV --version-light          Enable light mode (intensity 2). Lower possibility of correctness. Faster
-sV --version-all          nmap 192.168.1.1 -sV --version-all            Enable intensity level 9. Higher possibility of correctness. Slower
-A                         nmap 192.168.1.1 -A                           Enables OS detection, version detection, script scanning, and traceroute

OS Detection

Switch               Example                                 Description
-O                   nmap 192.168.1.1 -O                     Remote OS detection using TCP/IP stack fingerprinting
-O --osscan-limit    nmap 192.168.1.1 -O --osscan-limit      Skip OS detection against hosts that do not have at least one open and one closed TCP port
-O --osscan-guess    nmap 192.168.1.1 -O --osscan-guess      Makes Nmap guess more aggressively
-O --max-os-tries    nmap 192.168.1.1 -O --max-os-tries 1    Set the maximum number x of OS detection tries against a target
-A                   nmap 192.168.1.1 -A                     Enables OS detection, version detection, script scanning, and traceroute

Timing and Performance

Switch   Example                 Description
-T0      nmap 192.168.1.1 -T0    Paranoid (0): Intrusion Detection System evasion
-T1      nmap 192.168.1.1 -T1    Sneaky (1): Intrusion Detection System evasion
-T2      nmap 192.168.1.1 -T2    Polite (2): slows down the scan to use less bandwidth and fewer target machine resources
-T3      nmap 192.168.1.1 -T3    Normal (3): the default speed
-T4      nmap 192.168.1.1 -T4    Aggressive (4): speeds scans; assumes you are on a reasonably fast and reliable network
-T5      nmap 192.168.1.1 -T5    Insane (5): speeds scans; assumes you are on an extraordinarily fast network (may miss ports)

Switch                                                              Example input       Description
--host-timeout <time>                                               1s; 4m; 2h          Give up on a target after this long
--min-rtt-timeout/--max-rtt-timeout/--initial-rtt-timeout <time>    1s; 4m; 2h          Specifies probe round trip time
--min-hostgroup/--max-hostgroup <size>                              50; 1024            Parallel host scan group sizes
--min-parallelism/--max-parallelism <numprobes>                     10; 1               Probe parallelization
--scan-delay/--max-scan-delay <time>                                20ms; 2s; 4m; 5h    Adjust delay between probes
--max-retries <tries>                                               3                   Specify the maximum number of port scan probe retransmissions
--min-rate <number>                                                 100                 Send packets no slower than <number> per second
--max-rate <number>                                                 100                 Send packets no faster than <number> per second

NSE Scripts

Switch             Example                                                                      Description
-sC                nmap 192.168.1.1 -sC                                                         Scan with default NSE scripts. Considered useful for discovery and safe
--script default   nmap 192.168.1.1 --script default                                            Scan with default NSE scripts. Considered useful for discovery and safe
--script           nmap 192.168.1.1 --script=banner                                             Scan with a single script. Example: banner
--script           nmap 192.168.1.1 --script=http*                                              Scan with a wildcard. Example: all http-* scripts (quote the glob if files in the current directory could match it)
--script           nmap 192.168.1.1 --script=http-title,banner                                  Scan with two scripts. Example: http-title and banner
--script           nmap 192.168.1.1 --script "not intrusive"                                    Run every script that is not in the intrusive category (use "default and not intrusive" for the default set minus intrusive scripts)
--script-args      nmap --script snmp-sysdescr --script-args snmpcommunity=admin 192.168.1.1    NSE script with arguments
Useful NSE Script Examples

Command                                                                                                              Description
nmap -Pn --script=http-sitemap-generator scanme.nmap.org                                                             HTTP site map generator
nmap -n -Pn -p 80 --open -sV -vvv --script banner,http-title -iR 1000                                                Fast search for random web servers
nmap -Pn --script=dns-brute domain.com                                                                               Brute forces DNS hostnames, guessing subdomains
nmap -n -Pn -vv -O -sV --script smb-enum*,smb-ls,smb-mbenum,smb-os-discovery,smb-s*,smb-vuln*,smbv2* 192.168.1.1    SMB enumeration and vulnerability scripts (smb-vuln* are in the intrusive category and some are tagged dos, so they are not safe against production hosts)
nmap --script whois* domain.com                                                                                      Whois query
nmap -p80 --script http-unsafe-output-escaping scanme.nmap.org                                                       Finds parameters whose values are reflected without escaping (possible cross site scripting)
nmap -p80 --script http-sql-injection scanme.nmap.org                                                                Check for SQL injection

Firewall / IDS Evasion and Spoofing

Switch          Example                                                                       Description
-f              nmap 192.168.1.1 -f                                                           Requested scan (including ping scans) uses tiny fragmented IP packets. Harder for packet filters
--mtu           nmap 192.168.1.1 --mtu 32                                                     Set your own fragment size (must be a multiple of 8)
-D              nmap -D 192.168.1.101,192.168.1.102,192.168.1.103,192.168.1.23 192.168.1.1    Cloak the scan with decoys: the target sees probes from the spoofed IPs as well as from you
-D              nmap -D decoy-ip1,decoy-ip2,your-own-ip,decoy-ip3,decoy-ip4 remote-host-ip    Above example explained (ME can be written in place of your own IP)
-S              nmap -S www.microsoft.com www.facebook.com                                    Scan Facebook with a source address spoofed as Microsoft (-e eth0 -Pn may be required; replies go to the spoofed address, so you will not see results)
-g              nmap -g 53 192.168.1.1                                                        Use given source port number
--proxies       nmap --proxies http://192.168.1.1:8080,http://192.168.1.2:8080 192.168.1.1    Relay connections through HTTP/SOCKS4 proxies
--data-length   nmap --data-length 200 192.168.1.1                                            Appends random data to sent packets

Example IDS evasion command:
nmap -f -T0 -n -Pn --data-length 200 -D 192.168.1.101,192.168.1.102,192.168.1.103,192.168.1.23 192.168.1.1

Output

Switch            Example                                          Description
-oN               nmap 192.168.1.1 -oN normal.file                 Normal output to the file normal.file
-oX               nmap 192.168.1.1 -oX xml.file                    XML output to the file xml.file
-oG               nmap 192.168.1.1 -oG grep.file                   Grepable output to the file grep.file
-oA               nmap 192.168.1.1 -oA results                     Output in the three major formats at once (results.nmap, results.xml, results.gnmap)
-oG -             nmap 192.168.1.1 -oG -                           Grepable output to screen. -oN -, -oX - also usable
--append-output   nmap 192.168.1.1 -oN file.file --append-output   Append a scan to a previous scan file
-v                nmap 192.168.1.1 -v                              Increase the verbosity level (use -vv or more for greater effect)
-d                nmap 192.168.1.1 -d                              Increase debugging level (use -dd or more for greater effect)
--reason          nmap 192.168.1.1 --reason                        Display the reason a port is in a particular state, same output as -vv
--open            nmap 192.168.1.1 --open                          Only show open (or possibly open) ports
--packet-trace    nmap 192.168.1.1 -T4 --packet-trace              Show all packets sent and received
--iflist          nmap --iflist                                    Shows the host interfaces and routes
--resume          nmap --resume results.file                       Resume an aborted scan from its normal or grepable output file
Helpful Nmap Output Examples

Command                                                                                     Description
nmap -p80 -sV -oG - --open 192.168.1.1/24 | grep open                                       Scan for web servers and grep to show which IPs are running web servers
nmap -iR 10 -n -oX out.xml | grep "Nmap scan report" | cut -d " " -f5 > live-hosts.txt     Generate a list of the IPs of live hosts (the XML goes to out.xml; the pipeline parses the normal output on stdout, and matching only "Nmap scan report" keeps the Starting/done lines out of the list)
nmap -iR 10 -n -oX out2.xml | grep "Nmap scan report" | cut -d " " -f5 >> live-hosts.txt   Append IPs to the list of live hosts
ndiff scan1.xml scan2.xml                                                                   Compare the XML output of two nmap scans using ndiff
xsltproc nmap.xml -o nmap.html                                                              Convert nmap XML files to HTML files
grep " open " results.nmap | sed -r 's/ +/ /g' | sort | uniq -c | sort -rn | less           Reverse sorted list of how often ports turn up
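The pipelines above grep Nmap's human-readable output, which is fragile because the line layout changes with verbosity and DNS settings. The grepable (-oG) format keeps every host on one tab-separated line and is much easier to parse. The helpers below are an added example, not part of the original cheat sheet and not Nmap's own tooling: they parse -oG output to list live hosts, find hosts with a given port open, tally how often each open port turns up, and report ports that are newly open between two runs (the job ndiff does for XML). The two samples (sample_old, sample_new) are constructed scan results for made-up hosts, not real data.

```shell
#!/bin/sh
# Helpers for Nmap grepable (-oG) output. Each "Host:" line is tab-separated;
# the "Ports:" field lists entries as  port/state/proto/owner/service/rpc/version/
# separated by ", ". Nmap writes "/" inside service names as "|" (e.g. ssl|https).
# Both samples below are constructed, not real scan output.

# Constructed first run: two hosts up, 443 closed everywhere.
sample_old() {
    printf '# Nmap 7.94 scan initiated as: nmap -p22,80,443 -sV -oG - 192.168.1.0/24\n'
    printf 'Host: 192.168.1.10 ()\tStatus: Up\n'
    printf 'Host: 192.168.1.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 9.2p1/, 80/open/tcp//http//nginx 1.24.0/, 443/closed/tcp//https///\tIgnored State: closed (0)\n'
    printf 'Host: 192.168.1.20 ()\tStatus: Up\n'
    printf 'Host: 192.168.1.20 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/open/tcp//http//Apache httpd 2.4.57/, 443/closed/tcp//https///\n'
    printf '# Nmap done -- 256 IP addresses (2 hosts up) scanned\n'
}

# Constructed second run: .20 now serves HTTPS and a new host .30 exposes SSH.
sample_new() {
    printf '# Nmap 7.94 scan initiated as: nmap -p22,80,443 -sV -oG - 192.168.1.0/24\n'
    printf 'Host: 192.168.1.10 ()\tStatus: Up\n'
    printf 'Host: 192.168.1.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 9.2p1/, 80/open/tcp//http//nginx 1.24.0/, 443/closed/tcp//https///\tIgnored State: closed (0)\n'
    printf 'Host: 192.168.1.20 ()\tStatus: Up\n'
    printf 'Host: 192.168.1.20 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/open/tcp//http//Apache httpd 2.4.57/, 443/open/tcp//ssl|https//Apache httpd 2.4.57/\n'
    printf 'Host: 192.168.1.30 ()\tStatus: Up\n'
    printf 'Host: 192.168.1.30 ()\tPorts: 22/open/tcp//ssh//Dropbear sshd/, 80/filtered/tcp//http///, 443/closed/tcp//https///\n'
    printf '# Nmap done -- 256 IP addresses (3 hosts up) scanned\n'
}

# IPs reported up, taken from the "Status: Up" lines (reads stdin).
live_hosts() {
    awk -F'\t' '$1 ~ /^Host:/ && $2 ~ /^Status: Up/ { split($1, h, " "); print h[2] }'
}

# One line per open port: "<ip> <port>/<proto> <service> <version>" (reads stdin).
open_tuples() {
    awk -F'\t' '
        $1 ~ /^Host:/ {
            split($1, h, " ")                      # h[2] is the IP
            for (i = 2; i <= NF; i++) {
                if ($i !~ /^Ports: /) continue     # skip Status:/Ignored State: fields
                n = split(substr($i, 8), entry, ", ")
                for (j = 1; j <= n; j++) {
                    split(entry[j], f, "/")        # port state proto owner service rpc version
                    if (f[2] == "open") print h[2], f[1] "/" f[3], f[5], f[7]
                }
            }
        }'
}

# Hosts with a given port open: hosts_with_open PORT [PROTO] (reads stdin).
hosts_with_open() {
    open_tuples | awk -v want="$1/${2:-tcp}" '$2 == want { print $1 }' | sort -u
}

# How often each open port/service turns up, most common first (reads stdin).
open_port_counts() {
    open_tuples | awk '{ n[$2 " " $3]++ } END { for (k in n) print n[k], k }' | sort -rn
}

# Ports open in NEW that were not open in OLD: newly_open OLD NEW (two -oG files).
newly_open() {
    { open_tuples < "$1" | sed 's/^/old /'; open_tuples < "$2" | sed 's/^/new /'; } |
    awk '$1 == "old" { seen[$2 " " $3] = 1 }
         $1 == "new" && !(($2 " " $3) in seen) { print $2, $3 }'
}

# Demo on the constructed samples (temp files because newly_open reads two inputs).
old=$(mktemp) && new=$(mktemp)
sample_old > "$old"; sample_new > "$new"
echo "== live hosts";      live_hosts < "$new"
echo "== web servers";     hosts_with_open 80 < "$new"
echo "== open port tally"; open_port_counts < "$new"
echo "== newly open";      newly_open "$old" "$new"
rm -f "$old" "$new"
```

Run a real scan with `-oG scan.gnmap` and feed the file to the same functions; because every host is a single line, the parsers do not care about -v level or reverse DNS names, which is what breaks the cut-based pipelines above. newly_open is the check to put in a cron job: a port that was closed yesterday and is open today is worth a ticket.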

Miscellaneous Options

Switch   Example                           Description
-6       nmap -6 2607:f0d0:1002:51::4      Enable IPv6 scanning
-h       nmap -h                           nmap help screen

Other Useful Nmap Commands

Command                                            Description
nmap -iR 10 -PS22-25,80,113,1050,35000 -v -sn      Discovery only on ports x, no port scan
nmap 192.168.1.0/24 -PR -sn -vv                    ARP discovery only on the local network, no port scan
nmap -iR 10 -sn --traceroute                       Traceroute to random targets, no port scan
nmap 192.168.1.1-50 -sL --dns-server 192.168.1.1   Query the internal DNS for hosts, list targets only
