Document Title: nmap reference

Author: Lawrence Amer Date: 2019-03-17

Description:

Nmap Examples


nmap -sP

Ping scans the network, listing machines that respond to ping.

nmap -p 1-65535 -sV -sS -T4 target

Full TCP port scan with service version detection - usually my first scan, I find T4 more accurate than T5 and still "pretty quick".

nmap -v -sS -A -T4 target

Prints verbose output, runs a stealth SYN scan with T4 timing, OS and version detection, plus traceroute and scripts against target services.

nmap -v -sS -A -T5 target

Prints verbose output, runs a stealth SYN scan with T5 timing, OS and version detection, plus traceroute and scripts against target services.

nmap -v -sV -O -sS -T5 target

Prints verbose output, runs a stealth SYN scan with T5 timing, OS and version detection.

nmap -v -p 1-65535 -sV -O -sS -T4 target

Prints verbose output, runs a stealth SYN scan with T4 timing, OS and version detection, plus a full port range scan.

nmap -v -p 1-65535 -sV -O -sS -T5 target

Prints verbose output, runs a stealth SYN scan with T5 timing, OS and version detection, plus a full port range scan.

Aggressive scan timings are faster, but could yield inaccurate results!

T5 uses very aggressive scan timings and could lead to missed ports; T4 is a better compromise if you need fast results.

Nmap scan from file


nmap -iL ip-addresses.txt

Scans a list of IP addresses read from the file; you can add other options before or after -iL.

Nmap output formats


nmap -sV -p 139,445 -oG grep-output.txt

Writes "grepable" output to a file; in this example, the scan looks for NetBIOS servers.

E.g., the output file could then be grepped for "Open".
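Grepping the file for "Open" is a quick check; to turn -oG output into a proper inventory, here is an added Python example (not code from the original page) that parses the grepable format into a per-host list of open ports. The sample scan output is constructed for the example and is not a real scan.

```python
"""Parse Nmap grepable (-oG) output into a per-host list of open ports."""
import re
# Constructed sample (not a real scan) in the shape -oG writes for
# nmap -sV -p 139,445 -oG grep-output.txt <subnet>
SAMPLE_GREPABLE = """\
# Nmap 7.80 scan initiated Sun Mar 17 10:00:00 2019 as: nmap -sV -p 139,445 -oG grep-output.txt 192.168.1.0/24
Host: 192.168.1.10 (fileserver.example.lan)\tStatus: Up
Host: 192.168.1.10 (fileserver.example.lan)\tPorts: 139/open/tcp//netbios-ssn//Samba smbd 3.X - 4.X (workgroup: WORKGROUP)/, 445/open/tcp//netbios-ssn//Samba smbd 4.9.5 (workgroup: WORKGROUP)/\tIgnored State: closed (0)
Host: 192.168.1.20 ()\tPorts: 139/filtered/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds//Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)/
Host: 192.168.1.30 ()\tPorts: 139/closed/tcp//netbios-ssn///, 445/closed/tcp//microsoft-ds///
"""

HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)")
# Entries are ", "-separated; split only where a new "<port>/" begins so commas in a version string survive.
ENTRY_SPLIT_RE = re.compile(r", (?=\d+/)")

def parse_port_entry(entry):
    """Decode one port/state/protocol/owner/service/rpc info/version entry."""
    # Nmap rewrites any '/' inside the version string as '|', so splitting on '/' is safe.
    fields = entry.strip().split("/")
    if len(fields) < 7:
        raise ValueError("malformed port entry: %r" % entry)
    return {"port": int(fields[0]), "state": fields[1], "proto": fields[2],
            "service": fields[4], "version": fields[6]}

def parse_grepable(text):
    """Return {ip: {"hostname": str, "ports": [entry, ...]}} for every Host: line."""
    hosts = {}
    for line in text.splitlines():
        if line.startswith("#"):  # scan header / footer lines
            continue
        fields = line.split("\t")  # tab-separated "Name: value" fields
        match = HOST_RE.match(fields[0])
        if not match:
            continue
        record = hosts.setdefault(match.group(1), {"hostname": match.group(2), "ports": []})
        for field in fields[1:]:
            key, _, value = field.partition(": ")
            if key == "Ports":
                record["ports"].extend(parse_port_entry(e) for e in ENTRY_SPLIT_RE.split(value))
    return hosts

def open_ports(hosts):
    """Structured equivalent of grepping the file for "open": {ip: [(port, service, version)]}."""
    result = {}
    for ip, record in hosts.items():
        opened = [(p["port"], p["service"], p["version"]) for p in record["ports"] if p["state"] == "open"]
        if opened:
            result[ip] = opened
    return result
```

Feed `parse_grepable` the contents of grep-output.txt instead of the sample to get the same inventory from a real run.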

nmap -sS -sV -T5 --webxml -oX - | xsltproc --output file.html -

Exports the Nmap XML output to an HTML report via xsltproc.

Nmap NetBIOS Examples


nmap -sV -v -p 139,445

Finds all NetBIOS servers on the subnet.

nmap -sU --script nbstat.nse -p 137 target

Displays the NetBIOS name of the target.

nmap --script-args=unsafe=1 --script smb-check-vulns.nse -p 445 target

Checks whether NetBIOS servers are vulnerable to MS08-067.

--script-args=unsafe=1 has the potential to crash servers / services.

Be careful when running this command.

Nmap Nikto Scan


nmap -p80 -oG - | -h -

Scans for HTTP servers on port 80 and pipes the results into Nikto for scanning.

nmap -p80,443 -oG - | -h -

Scans for HTTP/HTTPS servers on ports 80 and 443 and pipes the results into Nikto for scanning.

Nmap Cheatsheet

Target Specification



inputfilename: Input from list of hosts/networks


num hosts: Choose random targets


host1[,host2][,host3],... : Exclude hosts/networks


exclude_file: Exclude list from file

Host Discovery



List Scan - simply list targets to scan


Ping Scan - disable port scan


Treat all hosts as online -- skip host discovery


TCP SYN/ACK, UDP or SCTP discovery to given ports


ICMP echo, timestamp, and netmask request discovery probes

-PO[protocol list]

IP Protocol Ping


Never do DNS resolution/Always resolve [default: sometimes]

Scan Techniques



TCP SYN scan
Connect scan
ACK scan
Window scan
Maimon scan


UDP Scan


TCP Null scan
FIN scan
Xmas scan


Customize TCP scan flags

-sI zombie host[:probeport]

Idle scan




IP protocol scan

-b "FTP relay host"

FTP bounce scan

Port Specification and Scan Order



Specify ports, e.g. -p80,443 or -p1-65535


Scan UDP ports with Nmap, e.g. -p U:53


Fast mode, scans fewer ports than the default scan


Scan ports consecutively - don't randomize

--top-ports "number"

Scan "number" most common ports

--port-ratio "ratio"

Scan ports more common than "ratio"

Service Version Detection



Probe open ports to determine service/version info

--version-intensity "level"

Set from 0 (light) to 9 (try all probes)


Limit to most likely probes (intensity 2)


Try every single probe (intensity 9)


Show detailed version scan activity (for debugging)

Script Scan



equivalent to --script=default

--script="Lua scripts"

"Lua scripts" is a comma separated list of directories, script-files or script-categories


provide arguments to scripts


provide NSE script args in a file


Show all data sent and received


Update script database

--script-help="Lua scripts"

Show help about scripts

OS Detection



Enable OS Detection


Limit OS detection to promising targets


Guess OS more aggressively

Timing and Performance

Options which take TIME are in seconds, or append 'ms' (milliseconds), 's' (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).


-T 0-5

Set timing template - higher is faster (less accurate)

--min-hostgroup SIZE
--max-hostgroup SIZE

Parallel host scan group sizes

--min-parallelism NUMPROBES
--max-parallelism NUMPROBES

Probe parallelization

--min-rtt-timeout TIME
--max-rtt-timeout TIME
--initial-rtt-timeout TIME

Specifies probe round trip time

--max-retries TRIES

Caps number of port scan probe retransmissions

--host-timeout TIME

Give up on target after this long

--scan-delay TIME
--max-scan-delay TIME

Adjust delay between probes

--min-rate NUMBER

Send packets no slower than NUMBER per second

--max-rate NUMBER

Send packets no faster than NUMBER per second

Firewall/IDS Evasion and Spoofing


-f; --mtu VALUE

Fragment packets (optionally w/given MTU)

-D decoy1,decoy2,ME

Cloak a scan with decoys


Spoof source address


Use specified interface

--source-port PORTNUM

Use given port number

--proxies url1,[url2],...

Relay connections through HTTP / SOCKS4 proxies

--data-length NUM

Append random data to sent packets

--ip-options OPTIONS

Send packets with specified ip options

--ttl VALUE

Set IP time to live field


Spoof Nmap's MAC address


Send packets with a bogus TCP/UDP/SCTP checksum

Nmap Output Options



Output Normal


Output to XML


Script Kiddie / 1337 speak... sigh


Output greppable - easy to grep nmap output


Output in the three major formats at once


Increase verbosity level (use -vv or more for greater effect)


Increase debugging level (use -dd or more for greater effect)


Display the reason a port is in a particular state


Only show open or possibly open ports


Show all packets sent / received


Print host interfaces and routes for debugging


Log errors/warnings to the normal-format output file


Append to rather than clobber specified output files

--resume FILENAME

Resume an aborted scan

--stylesheet PATH/URL

XSL stylesheet to transform XML output to HTML


Reference stylesheet from Nmap.Org for more portable XML


Prevent associating of XSL stylesheet w/XML output

Misc Nmap Options



Enable IPv6 scanning


Enable OS detection, version detection, script scanning, and traceroute

--datadir DIRNAME

Specify custom Nmap data file location


Send using raw ethernet frames or IP packets


Assume that the user is fully privileged


Assume the user lacks raw socket privileges


Show nmap version number


Show nmap help screen