Target Specification
| Switch | Example | Description |
|-----------|-------------------------------|-----------------------------|
| | nmap 192.168.1.1 | Scan a single IP |
| | nmap 192.168.1.1 192.168.2.1 | Scan specific IPs |
| | nmap 192.168.1.1-254 | Scan a range |
| | nmap scanme.nmap.org | Scan a domain |
| | nmap 192.168.1.0/24 | Scan using CIDR notation |
| -iL | nmap -iL targets.txt | Scan targets from a file |
| -iR | nmap -iR 100 | Scan 100 random hosts |
| --exclude | nmap --exclude 192.168.1.1 | Exclude listed hosts |
Scan Techniques
| Switch | Example | Description |
|--------|-----------------------------|---------------------------------------------------|
| -sS | nmap 192.168.1.1 -sS | TCP SYN port scan (Default) |
| -sT | nmap 192.168.1.1 -sT | TCP connect port scan (Default without root) |
| -sU | nmap 192.168.1.1 -sU | UDP port scan |
| -sA | nmap 192.168.1.1 -sA | TCP ACK port scan |
| -sW | nmap 192.168.1.1 -sW | TCP Window port scan |
| -sM | nmap 192.168.1.1 -sM | TCP Maimon port scan |
Host Discovery
| Switch | Example | Description |
|--------|-----------------------------------------|---------------------------------------------------|
| -sL | nmap 192.168.1.1-3 -sL | No Scan. List targets only |
| -sn | nmap 192.168.1.1/24 -sn | Disable port scanning. Host discovery only. |
| -Pn | nmap 192.168.1.1-5 -Pn | Disable host discovery. Port scan only. |
| -PS | nmap 192.168.1.1-5 -PS22-25,80 | TCP SYN discovery on port x. Port 80 by default |
| -PA | nmap 192.168.1.1-5 -PA22-25,80 | TCP ACK discovery on port x. Port 80 by default |
| -PU | nmap 192.168.1.1-5 -PU53 | UDP discovery on port x. Port 40125 by default |
| -PR | nmap 192.168.1.0/24 -PR | ARP discovery on local network |
| -n | nmap 192.168.1.1 -n | Never do DNS resolution |
Port Specification
| Switch | Example | Description |
|-------------|-----------------------------------------|---------------------------------------------------|
| -p | nmap 192.168.1.1 -p 21 | Port scan for port x |
| -p | nmap 192.168.1.1 -p 21-100 | Port range |
| -p | nmap 192.168.1.1 -p U:53,T:21-25,80 | Port scan multiple TCP and UDP ports |
| -p- | nmap 192.168.1.1 -p- | Port scan all ports |
| -p | nmap 192.168.1.1 -p http,https | Port scan from service name |
| -F | nmap 192.168.1.1 -F | Fast port scan (100 ports) |
| --top-ports | nmap 192.168.1.1 --top-ports 2000 | Port scan the top x ports |
| -p-65535 | nmap 192.168.1.1 -p-65535 | Leaving off initial port starts scan at port 1 |
| -p0- | nmap 192.168.1.1 -p0- | Leaving off end port scans through to port 65535 |
Service and Version Detection
| Switch | Example | Description |
|-------------------------|-----------------------------------------|---------------------------------------------------|
| -sV | nmap 192.168.1.1 -sV | Attempts to determine the service version |
| -sV --version-intensity | nmap 192.168.1.1 -sV --version-intensity 8 | Intensity 0-9. Higher is more likely correct |
| -sV --version-light | nmap 192.168.1.1 -sV --version-light | Intensity 2. Lower likelihood of a match, but faster |
| -sV --version-all | nmap 192.168.1.1 -sV --version-all | Intensity 9. Tries all probes. Slower |
| -A | nmap 192.168.1.1 -A | Enables OS/version detection, script scanning, traceroute |
OS Detection
| Switch | Example | Description |
|-------------------|-----------------------------------------|---------------------------------------------------|
| -O | nmap 192.168.1.1 -O | Remote OS detection via TCP/IP fingerprinting |
| -O --osscan-limit | nmap 192.168.1.1 -O --osscan-limit | Skips OS detection if no open/closed TCP ports |
| -O --osscan-guess | nmap 192.168.1.1 -O --osscan-guess | Makes Nmap guess more aggressively |
| -O --max-os-tries | nmap 192.168.1.1 -O --max-os-tries 1 | Sets the max number of tries against a target |
| -A | nmap 192.168.1.1 -A | Enables OS/version detection, script scanning, traceroute |
NSE Scripts
| Switch | Example | Description |
|----------------|------------------------------------------|---------------------------------------------------|
| -sC | nmap 192.168.1.1 -sC | Scan with default scripts (safe) |
| --script=default | nmap 192.168.1.1 --script=default | Same as -sC |
| --script | nmap 192.168.1.1 --script=banner | Scan with a single script |
| --script | nmap 192.168.1.1 --script=http* | Scan with a wildcard (e.g., all http scripts) |
| --script | nmap 192.168.1.1 --script=http,banner | Scan with multiple scripts |
| --script | nmap 192.168.1.1 --script "not intrusive"| Scan default scripts, excluding intrusive ones |
| --script-args | nmap --script snmp-sysdescr --script-args snmpcommunity=admin 192.168.1.1 | Provide arguments to scripts |
Useful NSE Script Examples
# HTTP sitemap generator
nmap -Pn --script=http-sitemap-generator scanme.nmap.org
# Fast search for random web servers
nmap -n -Pn -p 80 --open -sV -vvv --script banner,http-title -iR 1000
# Brute forces DNS hostnames guessing subdomains
nmap -Pn --script=dns-brute domain.com
# Safe SMB scripts to run
nmap -n -Pn -vv -O -sV --script smb-enum*,smb-ls,smb-mbenum,smb-os-discovery,smb-s*,smb-vuln*,smbv2* 192.168.1.1
# Whois query
nmap --script whois* domain.com
# Detect cross site scripting vulnerabilities
nmap -p80 --script http-unsafe-output-escaping scanme.nmap.org
# Check for SQL injections
nmap -p80 --script http-sql-injection scanme.nmap.org
Firewall / IDS Evasion and Spoofing
| Switch | Example | Description |
|---------------|----------------------------------------------------------------|---------------------------------------------------|
| -f | nmap 192.168.1.1 -f | Use tiny fragmented IP packets |
| --mtu | nmap 192.168.1.1 --mtu 32 | Set your own offset size |
| -D | nmap -D 192.168.1.101,192.168.1.102,ME 192.168.1.1 | Send scans from spoofed decoy IPs |
| -S | nmap -S www.microsoft.com www.facebook.com | Scan Facebook from Microsoft's IP |
| -g | nmap -g 53 192.168.1.1 | Use given source port number |
| --proxies | nmap --proxies http://1.1.1.1:8080 192.168.1.1 | Relay connections through HTTP/SOCKS4 proxies |
| --data-length | nmap --data-length 200 192.168.1.1 | Appends random data to sent packets |
Example IDS Evasion command
nmap -f -T0 -n -Pn --data-length 200 -D 192.168.1.101,192.168.1.102,192.168.1.103,192.168.1.23 192.168.1.1
Output
| Switch | Example | Description |
|-----------------|----------------------------------|---------------------------------------------------|
| -oN | nmap 192.168.1.1 -oN normal.file | Normal output to file |
| -oX | nmap 192.168.1.1 -oX xml.file | XML output to file |
| -oG | nmap 192.168.1.1 -oG grep.file | Grepable output to file |
| -oA | nmap 192.168.1.1 -oA results | Output in the three major formats at once |
| -oG - | nmap 192.168.1.1 -oG - | Grepable output to screen |
| --append-output | nmap ... -oN file --append-output| Append a scan to a previous scan file |
| -v / -vv | nmap 192.168.1.1 -v | Increase the verbosity level |
| -d / -dd | nmap 192.168.1.1 -d | Increase debugging level |
| --reason | nmap 192.168.1.1 --reason | Display the reason a port is in a certain state |
| --open | nmap 192.168.1.1 --open | Only show open (or possibly open) ports |
| --packet-trace | nmap ... --packet-trace | Show all packets sent and received |
| --iflist | nmap --iflist | Shows the host interfaces and routes |
| --resume | nmap --resume results.file | Resume a scan |
Helpful Nmap Output examples
# Scan for web servers and grep to show IPs running them
nmap -p80 -sV -oG - --open 192.168.1.1/24 | grep open
# Generate a list of the IPs of live hosts
nmap -iR 10 -n -oX out.xml | grep "Nmap" | cut -d " " -f5 > live-hosts.txt
# Compare output from nmap using ndiff
ndiff scan1.xml scan2.xml
# Convert nmap xml files to html files
xsltproc nmap.xml -o nmap.html
# Reverse sorted list of how often ports turn up
grep " open " results.nmap | sed -r 's/ +/ /g' | sort | uniq -c | sort -rn | less
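The -oX and ndiff lines above assume the XML output can be machine-read. As an added example that is not part of the cheat sheet, this Python parser reads two constructed -oX documents (trimmed to the elements it consults) and reports which ports opened or closed between scans, the baseline comparison a defender runs to catch unexpected exposure:

```python
import xml.etree.ElementTree as ET

# Constructed sample in the -oX layout (attributes trimmed to what we read).
SCAN1 = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -oX scan1.xml 192.168.1.1-2">
<host><status state="up"/><address addr="192.168.1.1" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
<port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
</ports></host>
<host><status state="down"/><address addr="192.168.1.2" addrtype="ipv4"/></host>
</nmaprun>"""

# Constructed follow-up scan: .1 lost 80 and gained 3389, .2 came up with 445.
SCAN2 = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -oX scan2.xml 192.168.1.1-2">
<host><status state="up"/><address addr="192.168.1.1" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
<port protocol="tcp" portid="80"><state state="closed"/></port>
<port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
</ports></host>
<host><status state="up"/><address addr="192.168.1.2" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
</ports></host>
</nmaprun>"""


def open_ports(xml_text):
    """Map each up host's IPv4 address to its set of open 'proto/port' strings."""
    hosts = {}
    for host in ET.fromstring(xml_text).findall("host"):
        status, addr = host.find("status"), host.find("address[@addrtype='ipv4']")
        if status is None or status.get("state") != "up" or addr is None:
            continue  # down hosts carry no <ports>; skip rather than crash
        hosts[addr.get("addr")] = {
            f"{p.get('protocol')}/{p.get('portid')}"
            for p in host.findall("ports/port")
            if p.find("state") is not None and p.find("state").get("state") == "open"
        }
    return hosts


def diff_scans(old_xml, new_xml):
    """Return (opened, closed): {ip: sorted ports} whose open state changed."""
    old, new = open_ports(old_xml), open_ports(new_xml)
    opened = {ip: sorted(new[ip] - old.get(ip, set())) for ip in new
              if new[ip] - old.get(ip, set())}
    closed = {ip: sorted(old[ip] - new.get(ip, set())) for ip in old
              if old[ip] - new.get(ip, set())}
    return opened, closed
```

Call `diff_scans(SCAN1, SCAN2)` to get the newly opened ports per host and the ports no longer seen open; a host that dropped off the network shows up with all its previous ports under closed.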
Miscellaneous Options
| Switch | Example | Description |
|--------|-----------------------------|----------------------|
| -6 | nmap -6 2607:f0d0:1002:51::4 | Enable IPv6 scanning |
| -h | nmap -h | nmap help screen |
Other Useful Nmap Commands
| Command | Description |
|-------------------------------------------------|---------------------------------------------------|
| nmap -iR 10 -PS22-25,80,113,1050,35000 -v -sn | Discovery only on ports x, no port scan |
| nmap 192.168.1.0/24 -PR -sn -vv | ARP discovery only on local network, no port scan |
| nmap -iR 10 -sn --traceroute | Traceroute to random targets, no port scan |
| nmap 192.168.1.1-50 -sL --dns-servers 192.168.1.1 | Query the internal DNS for hosts, list targets only |