
Basic Nmap commands

Basic nmap scan
Performs the default scan of the specified target: host discovery followed by a scan of the 1,000 most common TCP ports (a SYN scan when run as root, otherwise a connect scan).
nmap <target>
nmap 192.168.1.1

Scan of a specific port
Scans a single port on the specified target.
nmap -p <port> <target>
nmap -p 80 192.168.1.1

Scan of a port range
Scans every port in the specified range.
nmap -p <start port>-<end port> <target>
nmap -p 80-100 192.168.1.1

Scan of all 65535 ports
Scans all ports from 1 to 65535 on the target. Port 0 is excluded by default; use -p0- to include it.
nmap -p- <target>
nmap -p- 192.168.1.1
Advanced scanning techniques

TCP SYN Scan
Sends a SYN and never completes the handshake, hence "half-open" scan. It is fast and the default when Nmap has raw-socket privileges (root). The target application never sees a connection, so it is less likely to be logged there, but the probes are still visible to any packet-level IDS or firewall log.
nmap -sS <target>
nmap -sS 192.168.1.1

TCP Connect Scan
Performs a complete TCP handshake through the operating system's connect() call. The default for unprivileged users, and noisier, because the service on the target sees (and may log) a full connection.
nmap -sT <target>
nmap -sT 192.168.1.1

UDP Scan
Scans UDP ports. Slow, because closed ports are inferred from ICMP port-unreachable replies that most systems rate limit, and open ports often do not answer at all (reported as open|filtered). Combine with -sV to get a definite answer for common services.
nmap -sU <target>
nmap -sU 192.168.1.1

ACK Scan
Does not determine whether ports are open. It only classifies them as filtered or unfiltered, which maps the rules of a stateful firewall in front of the host.
nmap -sA <target>
nmap -sA 192.168.1.1

Window Scan
Like the ACK scan, but also inspects the TCP window size of the RST replies; on some systems a non-zero window indicates an open port. The result depends on the target's TCP stack, so confirm it with a SYN scan.
nmap -sW <target>
nmap -sW 192.168.1.1

FIN Scan
Sends packets with only the FIN flag set: a closed port replies with RST, an open port stays silent. Can slip past stateless packet filters that only block SYN, but does not work against Windows and other stacks that reply with RST to every FIN regardless of port state.
nmap -sF <target>
nmap -sF 192.168.1.1
Identification and Detection

OS Detection
Fingerprints the operating system of the target host from its TCP/IP stack behaviour. Needs raw-socket privileges (root) and is most reliable when the target has at least one open and one closed TCP port.
nmap -O <target>
nmap -O 192.168.1.1

Version detection
Probes the open ports to identify the service and its version. The version string is what makes a later vulnerability lookup meaningful, so -sV is usually combined with -sC or --script vuln.
nmap -sV <target>
nmap -sV 192.168.1.1

Aggressive Scan
Enables OS detection (-O), version detection (-sV), the default script set (-sC) and --traceroute with a single switch. Comprehensive, but slow and noisy.
nmap -A <target>
nmap -A 192.168.1.1

Traceroute
Determines the path from your machine to the target host. Nmap runs it after the port scan and uses a port it found during the scan, so it often gets through filters that block ICMP- or UDP-based traceroute.
nmap --traceroute <target>
nmap --traceroute 192.168.1.1
Network Exploration

Ping Scan
Host discovery only: reports which hosts are up without scanning ports. As root it sends an ICMP echo request, a TCP SYN to port 443, a TCP ACK to port 80 and an ICMP timestamp request; unprivileged it uses TCP connect to ports 80 and 443. Hosts that block all of these show as down; use -Pn to scan them anyway.
nmap -sn <network>
nmap -sn 192.168.1.0/24

List Scan
Prints the targets that would be scanned and does a reverse DNS lookup for each, but sends no packets to the targets themselves. Useful for checking a range before scanning it.
nmap -sL <network>
nmap -sL 192.168.1.0/24

Scan multiple targets
Scans several targets in one command. Any mix of addresses, hostnames, CIDR ranges and octet ranges such as 192.168.1.1-20 is accepted.
nmap <target 1> <target 2> ...
nmap 192.168.1.1 192.168.1.2 192.168.1.3

Scan list of targets
Reads the targets from a file (one per line or whitespace separated). -iL - reads them from standard input.
nmap -iL <path to file>
nmap -iL targets.txt
Stealth techniques and bypassing firewalls

Fragmented packet scan
Splits the transport header of each probe across 8-byte IP fragments (-ff uses 16 bytes). Only applies to raw-packet scans such as -sS, not to -sT. Stateful firewalls and IDS that reassemble fragments are not fooled, and some hosts drop fragments outright.
nmap -f <target>
nmap -f 192.168.1.1

Decoy scan
Sends every probe from the listed decoy addresses as well as your own, so the target's logs show the real scanner among the decoys. RND:10 generates 10 random decoys; ME in the list marks where your own address goes. Decoys that are down are easy to spot, and an upstream ISP may filter the spoofed packets.
nmap -D <decoy IP>[,<decoy IP>,...|RND:<n>] <target>
nmap -D RND:10 192.168.1.1

Spoofing of source IP
Sends the probes from a forged source address. The replies go to that address, not to you, so the scan reports nothing unless you can sniff them on the path; Nmap usually also needs -e <interface> and -Pn with this option. Mostly useful for testing whether a firewall trusts a particular source address.
nmap -S <fake IP> <target>
nmap -S 192.168.1.100 192.168.1.1
Output and Reporting

Normal Output
Saves the results in the same human-readable format Nmap prints on the terminal.
nmap -oN <filename> <target>
nmap -oN scan_results.txt 192.168.1.1

XML Output
Saves the results as XML, the format to use when other tools will parse the scan; it carries everything normal output does plus structure.
nmap -oX <filename> <target>
nmap -oX scan_results.xml 192.168.1.1

Grep-able Output
Saves the results with one line per host, convenient for grep and awk. The format is deprecated for new tooling in favour of XML but is still produced.
nmap -oG <filename> <target>
nmap -oG scan_results.gnmap 192.168.1.1

All Output Formats
Saves the results in all three formats at once (normal, XML, grepable), creating <basename>.nmap, <basename>.xml and <basename>.gnmap.
nmap -oA <basename> <target>
nmap -oA scan_results 192.168.1.1
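The two-stage sweep that the Network Exploration and Output sections imply (ping scan, then port scan only the hosts that answered, then pull the open ports out of the saved results) as a shell example added here; it is not part of the original cheat sheet. It assumes the grepable format of Nmap 7.x (tab-separated fields, "Ports:" entries of the form port/state/protocol/owner/service/rpc-info/version/), the helper and function names are made up, and the sample .gnmap files are constructed so the parsers can be tried without a network:

```shell
#!/bin/sh
# Added example, not from the original cheat sheet. Stage 1 runs a ping scan
# (-sn) with grepable output on stdout (-oG -) and keeps the hosts reported
# "Status: Up". Stage 2 port-scans only those hosts (-iL) and saves every
# format (-oA); the open ports are then read back from the .gnmap file.
# Function names, the file prefix and the sample output below are constructed.
set -eu

# Print the addresses a -sn/-oG run reported as up, one per line.
# Reads the files given as arguments, or stdin when none are given.
live_hosts_from_gnmap() {
    awk '/^Host: / && /Status: Up/ { print $2 }' "$@"
}

# Print host<TAB>port/proto<TAB>service for every open port in -oG output.
# Grepable fields are tab separated; each entry in the "Ports:" field is
#   22/open/tcp//ssh//OpenSSH 8.9p1/
# i.e. port/state/protocol/owner/service/rpc-info/version/, comma separated
# (Nmap replaces "/" inside version strings with "|", so the split is safe).
open_ports_from_gnmap() {
    awk -F'\t' '
        /^Host: / && /Ports: / {
            split($1, h, " ")                      # "Host: 192.168.1.1 (name)"
            host = h[2]
            ports = ""
            for (i = 1; i <= NF; i++)
                if (index($i, "Ports: ") == 1) ports = substr($i, 8)
            n = split(ports, p, ", ")
            for (i = 1; i <= n; i++) {
                split(p[i], f, "/")
                if (f[2] == "open")
                    printf "%s\t%s/%s\t%s\n", host, f[1], f[3], f[5]
            }
        }' "$@"
}

# Stage 1 + stage 2. Needs nmap and raw-socket privileges (root) for -sS.
# Usage: sweep 192.168.1.0/24 scan_results
sweep() {
    net=$1; prefix=$2
    nmap -sn -oG - "$net" | live_hosts_from_gnmap > "$prefix.live.txt"
    nmap -sS -p- -sV -iL "$prefix.live.txt" -oA "$prefix"
    open_ports_from_gnmap "$prefix.gnmap"
}

# Constructed samples of the two grepable outputs (addresses, names and
# versions are made up) so the parsers can be exercised offline.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
{
    printf '# Nmap 7.94 scan initiated as: nmap -sn -oG - 192.168.1.0/24\n'
    printf 'Host: 192.168.1.1 (router.local)\tStatus: Up\n'
    printf 'Host: 192.168.1.7 ()\tStatus: Down\n'
    printf 'Host: 192.168.1.20 (files.local)\tStatus: Up\n'
} > "$WORK/ping.gnmap"
{
    printf 'Host: 192.168.1.1 (router.local)\tPorts: '
    printf '22/open/tcp//ssh//OpenSSH 8.9p1/, 80/open/tcp//http//nginx 1.18.0/, '
    printf '443/closed/tcp//https///\tIgnored State: filtered (65532)\n'
    printf 'Host: 192.168.1.20 (files.local)\tPorts: '
    printf '445/open/tcp//microsoft-ds//Samba smbd 4.15/, '
    printf '3389/filtered/tcp//ms-wbt-server///\tIgnored State: closed (65533)\n'
    printf '# Nmap done -- 2 IP addresses (2 hosts up) scanned\n'
} > "$WORK/ports.gnmap"

echo "live hosts:"; live_hosts_from_gnmap "$WORK/ping.gnmap"
echo "open ports:"; open_ports_from_gnmap "$WORK/ports.gnmap"
```

On a real run, call sweep with a network and a file prefix as root; the parsers are kept separate so the same awk can be pointed at any saved .gnmap file later. Filtered and closed ports are dropped on purpose: the "Ignored State" count at the end of each line tells you how many ports were in the state Nmap did not list.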
Scripting and Extensibility

Script Scanning
Runs the default set of Nmap Scripting Engine (NSE) scripts, the same as --script default.
nmap -sC <target>
nmap -sC 192.168.1.1

Execute specific scripts
Runs a named NSE script. --script-help <script name> prints what a script does before you run it.
nmap --script <script name> <target>
nmap --script http-title 192.168.1.1

Execute script categories
Runs every script in a category (e.g. --script vuln for vulnerability checks). Categories: auth, broadcast, brute, default, discovery, dos, exploit, external, fuzzer, intrusive, malware, safe, version, vuln. Scripts in brute, dos, exploit and intrusive can lock out accounts or crash services, and vuln includes intrusive checks; run them only with authorization, and prefer safe against production systems.
nmap --script <category> <target>
nmap --script vuln 192.168.1.1
Timing and Performance

Timing Template
Sets the overall speed of the scan: -T0 (paranoid) and -T1 (sneaky) for IDS evasion, -T2 (polite) to reduce load, -T3 (normal, the default), -T4 (aggressive) for fast and reliable networks, -T5 (insane), which can sacrifice accuracy.
nmap -T<0-5> <target>
nmap -T4 192.168.1.1

Maximum parallel probes
Caps the number of probes Nmap keeps outstanding at once. Lowering it reduces the load on the network and on the target; a value of 1 serialises the probes, which helps when a firewall drops packets under load.
nmap --max-parallelism <amount> <target>
nmap --max-parallelism 10 192.168.1.1

Minimum host group size
Nmap scans hosts in groups; this sets the minimum number of hosts port-scanned in parallel. Larger groups speed up big sweeps, but results for a group only appear once the whole group is finished.
nmap --min-hostgroup <amount> <network>
nmap --min-hostgroup 50 192.168.1.0/24
Further nmap Options

IPv6 Scan
Scans an IPv6 target. Most scan types and options work unchanged; targets may be addresses or hostnames.
nmap -6 <target>
nmap -6 2001:db8::ff00:42:8329

Verbosity level
-v raises the verbosity, and -v0 sets it back to the default level. Neither silences Nmap: to keep the terminal quiet, write the results to a file with -oN or -oA and redirect standard output to /dev/null.
nmap -v0 <target>
nmap -v0 192.168.1.1

Scan delay
Waits at least the given time between probes sent to a host, which keeps the packet rate under the thresholds of rate-based IDS/IPS rules. It slows the scan considerably: 5 s per probe on the default 1,000-port scan is well over an hour per host.
nmap --scan-delay <time> <target>
nmap --scan-delay 5s 192.168.1.1

Nmap is an extremely powerful tool and the commands listed here are only a fraction of the options available. Each command can be further customized and combined to meet specific requirements and scenarios.
#HappyHacking