The following are the fundamental Nmap commands and their purpose:

Basic scan techniques:

| Scan name and purpose | Nmap command |
|---|---|
| Scan a single target/host | nmap [target] |
| Scan multiple targets/hosts | nmap [target1] [target2] ... |
| Scan a list of targets | nmap -iL [list.txt] |
| Scan a range of hosts | nmap [range of IP addresses] |
| Scan an entire subnet | nmap [IP address/CIDR] |
| Scan random hosts | nmap -iR [number] |
| Exclude targets from a scan | nmap [targets] --exclude [targets] |
| Exclude targets using a list | nmap [targets] --excludefile [list.txt] |
| Perform an aggressive scan | nmap -A [target] |
| Scan an IPv6 target | nmap -6 [target] |
Discovery options:

| Scan name and purpose | Nmap command |
|---|---|
| Ping scan | nmap -sP [target] |
| No ping scan (skip host discovery) | nmap -PN [target] |
| TCP SYN ping | nmap -PS [target] |
| TCP ACK ping | nmap -PA [target] |
| UDP ping | nmap -PU [target] |
| SCTP INIT ping | nmap -PY [target] |
| ICMP echo ping | nmap -PE [target], nmap -PI [target] |
| ICMP timestamp ping | nmap -PP [target] |
| ICMP address mask ping | nmap -PM [target] |
| IP protocol ping | nmap -PO [target] |
| ARP ping | nmap -PR [target] |
| Traceroute | nmap --traceroute [target] |
| Force reverse DNS resolution | nmap -R [target] |
| Disable reverse DNS resolution | nmap -n [target] |
| Alternative DNS lookup (use the system resolver) | nmap --system-dns [target] |
| Manually specify DNS servers | nmap --dns-servers [servers] [target] |
| Create a host list or list scan | nmap -sL [target] |
| TCP SYN scan | nmap -sS [target] |
| TCP connect scan | nmap -sT [target] |
| FIN stealth scan | nmap -sF [target] |
| Xmas tree stealth scan | nmap -sX [target] |
| Version detection | nmap -sV [target] |
| UDP scan | nmap -sU [target] |
| IP protocol scan | nmap -sO [target] |
| ACK scan | nmap -sA [target] |
| Window scan | nmap -sW [target] |
| RPC scan | nmap -sR [target] |
| Idle scan | nmap -sI [zombie] [target] |
| FTP bounce scan | nmap -b [FTP relay host] [target] |
Real-time information options:

| Scan name and purpose | Nmap command |
|---|---|
| Verbose mode | nmap --verbose [target], nmap -v [target] |
| Version trace | nmap --version-trace [target] |
| Packet trace | nmap --packet-trace [target] |
| Debug mode | nmap --debug [target], nmap -d [target] |
| Interactive mode | nmap --interactive [target] |
| Non-interactive mode | nmap --noninteractive [target] |
Operating system fingerprinting:

| Scan name and purpose | Nmap command |
|---|---|
| OS fingerprinting | nmap -O [target] |
| Limit OS scanning to promising targets | nmap --osscan-limit [target] |
| More guessing flexibility | nmap --osscan-guess [target] |
| Additional, advanced and aggressive options | nmap -A [target] |
Output options:

| Scan name and purpose | Nmap command |
|---|---|
| Save output to a text file | nmap -oN [scan.txt] [target] |
| Save output to an XML file | nmap -oX [scan.xml] [target] |
| Grepable output | nmap -oG [scan.gnmap] [target] |
| Output all supported file types | nmap -oA [path/filename] [target] |
| Periodically display statistics | nmap --stats-every [time] [target] |
| Script kiddie format | nmap -oS [scan.txt] [target] |
| Append to rather than overwrite output files | nmap --append-output [target] |
Firewall evasion techniques:

| Scan name and purpose | Nmap command |
|---|---|
| Fragment packets | nmap -f [target] |
| Specify a specific MTU | nmap --mtu [MTU] [target] |
| Use decoys | nmap -D RND:[number] [target] |
| Idle zombie scan | nmap -sI [zombie] [target] |
| Manually specify a source port | nmap --source-port [port] [target] |
| Append random data | nmap --data-length [size] [target] |
| Randomize target scan order | nmap --randomize-hosts [target] |
| Spoof MAC address | nmap --spoof-mac [MAC\|0\|vendor] [target] |
| Send bad checksums | nmap --badsum [target] |
| Timing policies | nmap --timing [template] [target], nmap -T[0-5] [target] |
Helpful resources: