
Nmap

Nmap (Network Mapper) is a free and open-source network scanner used for host discovery, port scanning, service/version detection and scripted enumeration. Only scan hosts and networks you own or have explicit, written authorization to test: several of the commands below (brute-force, vuln and exploit scripts, decoy scans) are intrusive and can disrupt targets or implicate uninvolved third parties.

Installation

# Debian/Ubuntu (distro package; may lag behind the current nmap.org release)
sudo apt install nmap

# Windows
# Download from https://nmap.org/download.html
# Verify the installer against the signature/hash published on nmap.org before
# running it. The Windows installer bundles Npcap, which raw-packet scans
# (SYN scan, OS detection, -f, decoys) depend on.

Basic Scans

Host Discovery

# Ping sweep: host discovery only, no port scan. On the local Ethernet segment
# this uses ARP requests; for remote targets it sends ICMP echo, TCP SYN to 443,
# TCP ACK to 80 and ICMP timestamp (as root), or TCP connect to 80/443 when
# unprivileged
nmap -sn 192.168.1.0/24

# List scan: enumerates the targets and does reverse DNS only. No probe reaches
# the targets, but the DNS lookups still leave your network
nmap -sL 192.168.1.0/24

# No ping (skip host discovery): every address is treated as up and port-scanned.
# Needed when ICMP/discovery probes are filtered, but very slow on large ranges
nmap -Pn 192.168.1.1

# TCP SYN ping to the listed ports (either SYN/ACK or RST means "host up")
nmap -PS22,80,443 192.168.1.1

# TCP ACK ping: a RST reply means up; useful where a stateless filter passes ACKs
nmap -PA22,80,443 192.168.1.1

# UDP ping (default probe port 40125; an ICMP port-unreachable reply means up)
nmap -PU 192.168.1.1

# ICMP echo ping (-PP timestamp and -PM netmask are alternatives when echo is blocked)
nmap -PE 192.168.1.1

Port Scanning

# Scan specific port (without -p Nmap scans the 1000 most common ports)
nmap -p 80 192.168.1.1

# Scan port range
nmap -p 1-100 192.168.1.1

# Scan multiple ports
nmap -p 22,80,443 192.168.1.1

# Scan all ports 1-65535 (port 0 is excluded unless you write -p0-)
nmap -p- 192.168.1.1

# Top N ports by frequency in nmap-services; add --open to hide closed/filtered noise
nmap --top-ports 100 192.168.1.1

# Fast scan (100 most common ports, i.e. the same set as --top-ports 100)
nmap -F 192.168.1.1

Scan Types

# TCP SYN (half-open) scan: the default when run with raw-packet privileges
# (root); without them Nmap falls back to -sT. The handshake is never completed,
# so the application usually does not log it, but any IDS still sees it
nmap -sS 192.168.1.1

# TCP connect scan: uses the OS connect() call, needs no privileges, completes
# the handshake, so the target service logs every connection
nmap -sT 192.168.1.1

# UDP scan: no reply is reported as open|filtered, and hosts rate-limit ICMP
# unreachables (Linux ~1/s), so full UDP scans are very slow. Pair with
# --top-ports and -sV to get usable results
nmap -sU 192.168.1.1

# TCP ACK scan: maps firewall rules only (unfiltered/filtered); never reports open
nmap -sA 192.168.1.1

# TCP Window scan: ACK scan that inspects the TCP window of RST replies to infer
# open vs closed; only works against a minority of stacks
nmap -sW 192.168.1.1

# TCP Maimon scan (FIN/ACK probe); mostly relevant to BSD-derived stacks
nmap -sM 192.168.1.1

# FIN, Null and Xmas scans rely on RFC 793 behaviour: no reply = open|filtered,
# RST = closed. Windows, Cisco and some other stacks answer RST on every port,
# so everything shows as closed. They can slip past some stateless filters
nmap -sF 192.168.1.1

# TCP Null scan (no flags set)
nmap -sN 192.168.1.1

# TCP Xmas scan (FIN, PSH and URG set)
nmap -sX 192.168.1.1

Service and Version Detection

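# Service version detection: probes open ports to identify the service and version
nmap -sV 192.168.1.1

# Aggressive version detection: intensity runs 0-9 (default 7). 9 tries every
# probe and is equivalent to --version-all; the previous value of 5 here was
# actually *less* thorough than the default
nmap -sV --version-intensity 9 192.168.1.1

# Light version detection: 0 sends only the most likely probes (--version-light
# is 2); fast, but misses services running on non-standard ports
nmap -sV --version-intensity 0 192.168.1.1

# OS detection: needs raw packets (root); most reliable when at least one open
# and one closed TCP port are found
nmap -O 192.168.1.1

# Aggressive scan: equivalent to -O -sV -sC --traceroute; noisy, and runs the
# default NSE scripts against every open port
nmap -A 192.168.1.1

# Traceroute (uses the port/protocol most likely to reach the host)
nmap --traceroute 192.168.1.1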

NSE (Nmap Scripting Engine)

Script Categories

# Default scripts (same as --script default): relatively safe but not silent;
# includes banner grabs and basic enumeration
nmap -sC 192.168.1.1

# Specific script
nmap --script http-title 192.168.1.1

# Multiple scripts
nmap --script http-title,http-headers 192.168.1.1

# Script category. "vuln" checks for known vulnerabilities; some of its scripts
# are also tagged intrusive and can disturb fragile services
nmap --script vuln 192.168.1.1

# Wildcard on script *names* (not a category): every script whose name starts
# with http-, including intrusive and brute-force ones. Keep the quotes so the
# shell does not glob the pattern
nmap --script "http-*" 192.168.1.1

# Script with arguments (see `nmap --script-help <script>` for the accepted args)
nmap --script http-enum --script-args http-enum.basepath=/admin 192.168.1.1

Useful Scripts

# Vulnerability scanning (authorization required; some checks are intrusive)
nmap --script vuln 192.168.1.1

# Brute force: password guessing against every supported service. Can lock out
# accounts and floods auth logs; never run without explicit permission
nmap --script brute 192.168.1.1

# Discovery: broad enumeration. Some scripts in this category query third-party
# services (e.g. whois/ASN lookups), which discloses the target to outsiders
nmap --script discovery 192.168.1.1

# Exploit: actively exploits vulnerabilities and may crash or compromise the
# target; this is an attack, not a scan
nmap --script exploit 192.168.1.1

# HTTP enumeration (path/directory guessing; shows up clearly in web server logs)
nmap --script http-enum 192.168.1.1

# SMB enumeration: share/user listing usually needs valid credentials on modern
# Windows; supply them with --script-args smbusername=...,smbpassword=...
nmap --script smb-enum-shares,smb-enum-users 192.168.1.1

# SSH enumeration (lists the supported authentication methods; no login attempts)
nmap --script ssh-auth-methods 192.168.1.1

# SSL/TLS: enumerates protocol versions and cipher suites and grades each one,
# flagging weak ciphers and deprecated protocols
nmap --script ssl-enum-ciphers 192.168.1.1

Timing and Performance

# Timing templates (0-5)
# Timing templates (0-5): higher = faster and noisier. T0/T1 serialize probes
# with long delays to stay under IDS thresholds but take hours per host
nmap -T0 192.168.1.1  # Paranoid (one probe every 5 minutes)
nmap -T1 192.168.1.1  # Sneaky (one probe every 15 seconds)
nmap -T2 192.168.1.1  # Polite (throttled; low bandwidth use)
nmap -T3 192.168.1.1  # Normal (default)
nmap -T4 192.168.1.1  # Aggressive (fine on fast, reliable networks)
nmap -T5 192.168.1.1  # Insane (very short timeouts; may drop results and overload targets)

# Parallel scanning: forces at least 100 probes in flight, overriding congestion
# control; can overwhelm slow hosts or firewalls and reduce accuracy
nmap --min-parallelism 100 192.168.1.1

# Host timeout: a host that takes longer is abandoned and ALL of its results are
# discarded, so size the value to the scan type (UDP and -p- need far more)
nmap --host-timeout 5m 192.168.1.1

# Scan delay: minimum wait between probes to a host; for rate-limited targets
nmap --scan-delay 1s 192.168.1.1

Output Formats

# Normal output
# Normal output (same text as the terminal)
nmap -oN output.txt 192.168.1.1

# XML output: the machine-readable format; import into Metasploit, ndiff, xsltproc
nmap -oX output.xml 192.168.1.1

# Grepable output: one line per host; deprecated in favour of XML but handy with awk
nmap -oG output.grep 192.168.1.1

# All formats: writes output.nmap, output.xml and output.gnmap
nmap -oA output 192.168.1.1

# Script kiddie output: a joke (leetspeak) format; never use it for real reports
nmap -oS output.txt 192.168.1.1

# Scan output lists hosts, versions and possible vulnerabilities; store it with
# restricted permissions and treat it like any other sensitive finding

Firewall/IDS Evasion

# Fragment packets
# Fragment packets: splits the TCP/UDP header across 8-byte IP fragments. Needs
# raw sockets and is not supported on every platform. Modern IDS/firewalls
# reassemble fragments, so treat this as a test of the filter, not as invisibility
nmap -f 192.168.1.1

# MTU specification: custom fragment size; must be a multiple of 8
nmap --mtu 24 192.168.1.1

# Decoy scan: the target sees the scan coming from every decoy as well as you.
# RND:10 picks random routable addresses that may belong to uninvolved third
# parties; decoys that are down can SYN-flood the target; your ISP may drop
# spoofed packets; and decoys have no effect on -sT, -sV or NSE, which use
# your real socket. Put ME where you want your real address in the sequence
nmap -D RND:10 192.168.1.1
nmap -D decoy1,decoy2,ME 192.168.1.1

# Source port (also -g): a fixed source port such as 53 or 20 sometimes passes
# naive stateless rules. Raw-packet scans only: connect scan, version detection
# and NSE let the OS choose the port
nmap --source-port 53 192.168.1.1

# Spoof MAC address (vendor name, 0 for random, or a full address): only matters
# on the local Ethernet segment, since the first router rewrites the MAC
nmap --spoof-mac Apple 192.168.1.1

# Bad checksum: real hosts drop these packets, so any reply comes from a
# firewall/IDS that did not validate the checksum
nmap --badsum 192.168.1.1

# Randomize hosts: shuffles target order so the sweep does not walk the subnet
# sequentially (an obvious pattern in IDS/NetFlow data)
nmap --randomize-hosts 192.168.1.0/24

Advanced Options

# IPv6 scan
# IPv6 scan: requires IPv6 connectivity on the scanning host; not every
# raw-packet option is implemented for IPv6, check the reference guide first
nmap -6 2001:db8::1

# Scan through proxy: ONLY NSE scripts and version detection (-sV) traverse the
# proxy chain. Host discovery, port scanning and OS detection still go out
# directly from your real IP; this is not an anonymity feature
nmap --proxies http://proxy:8080 192.168.1.1

# Interface specification (when Nmap picks the wrong one on a multi-homed host)
nmap -e eth0 192.168.1.1

# Data length: appends random bytes to raw probes so they do not look like the
# default zero-payload Nmap packets; raw-packet scans only
nmap --data-length 25 192.168.1.1

# IP options: R = record route (S/L = strict/loose source routing). Many
# networks drop packets carrying IP options, so expect missing responses
nmap --ip-options "R" 192.168.1.1

# IP protocol scan: finds which IP protocols (ICMP, TCP, UDP, IGMP, ...) the
# host answers, rather than which ports
nmap -sO 192.168.1.1

Scenarios

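# Quick host discovery and top ports for a subnet.
# Discover live hosts first, then port-scan only those: the gnmap file from -oA
# has one "Host: <ip> (<name>)  Status: Up" line per live host, which awk turns
# into a target list for -iL, so the second pass does not re-probe every
# address in the range
nmap -sn 192.168.1.0/24 -oA discovery
awk '/Status: Up/ { print $2 }' discovery.gnmap > live-hosts.txt
nmap --top-ports 100 --open -iL live-hosts.txt -oA top-ports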

# Full TCP scan with service/version detection: slow and noisy; -T4 assumes a
# reliable network, and -sC runs the default scripts against every open port
nmap -p- -sV -sC -T4 192.168.1.1 -oA full-tcp

# Web-only sweep with HTTP scripts (titles/headers only; no directory guessing)
nmap -p 80,443,8080,8443 --script http-title,http-headers 192.168.1.0/24 -oA web-sweep

# SMB enumeration on a target host: share/user enumeration usually needs
# credentials on modern Windows (--script-args smbusername=...,smbpassword=...);
# smb-os-discovery generally works unauthenticated
nmap -p 445 --script smb-enum-shares,smb-enum-users,smb-os-discovery 192.168.1.10 -oA smb-enum

# UDP top ports with rate control: UDP is slow because hosts rate-limit ICMP
# unreachables, and no reply shows as open|filtered; add -sV to confirm a port
nmap -sU --top-ports 50 --scan-delay 5ms 192.168.1.1 -oA udp-top

Practical Examples

# Quick scan (100 most common ports, aggressive timing)
nmap -T4 -F 192.168.1.1

# Full scan: all 65535 ports plus OS/version/scripts/traceroute; very noisy and slow
nmap -T4 -p- -A 192.168.1.1

# "Stealth" scan: SYN scan, polite timing, fragmented packets. Needs root, and
# -f is not supported everywhere. This only avoids application-level logging:
# any modern IDS reassembles fragments and flags SYN scans, so do not rely on
# it for stealth
nmap -sS -T2 -f 192.168.1.1

# Vulnerability scan: vuln scripts can be intrusive; only with authorization
nmap -sV --script vuln 192.168.1.1

# Network discovery (host discovery only; no port scan)
nmap -sn 192.168.1.0/24

# Service scan: all ports, version detection and the default scripts
nmap -sV -sC -p- 192.168.1.1