nmap Scanning

Basic Scanning Techniques

Goal	command	example
Scan a Single Target	nmap [target]	nmap 192.168.1.1
Scan Multiple Targets	nmap [target1, target2, etc]	nmap 192.168.1.1, 192.168.1.2
Scan a List of Targets	nmap -iL [list.txt]	nmap -iL targets.txt
Scan a Range of Hosts	nmap [range of ip addresses]	nmap 192.168.1.1-10
Scan an Entire Subnet	nmap [ip address/cdir]	nmap 192.168.1.1/24
Scan Random Hosts	nmap -iR [number]	nmap -iR 0
Excluding Targets from a Scan	nmap [targets] --exclude [targets]	nmap 192.168.1.1/24 --exclude 192.168.1.0, 192.168.1.255
Excluding Targets Using a List	nmap [targets] --excludefile [list.txt]	nmap 192.168.1.1/24 --excludefile notargets.txt
Perform an Aggressive Scan	nmap -A [target]	nmap -A 192.168.1.1
Scan an IPv6 Target	nmap -6 [target]	nmap -6 3ffe:6a88:85a3:08d3:1319:8a2e:0370:7344

Discovery Options

Goal	command	example
Perform a Ping Only Scan	nmap -sP [target]	nmap -sP 192.168.1.1
Don’t Ping	nmap -PN [target]	nmap -PN 192.168.1.1
TCP SYN Ping	nmap -PS [target]	nmap -PS 192.168.1.1
TCP ACK Ping	nmap -PA [target]	nmap -PA 192.168.1.1
UDP Ping	nmap -PU [target]	nmap -PU 192.168.1.1
SCTP INIT Ping	nmap -PY [target]	nmap -PY 192.168.1.1
ICMP Echo Ping	nmap -PE [target]	nmap -PE 192.168.1.1
ICMP Timestamp Ping	nmap -PP [target]	nmap -PP 192.168.1.1
ICMP Address Mask Ping	nmap -PM [target]	nmap -PM 192.168.1.1
IP Protocol Ping	nmap -PO [target]	nmap -PO 192.168.1.1
ARP Ping	nmap -PR [target]	nmap -PR 192.168.1.1
Traceroute	nmap --traceroute [target]	nmap --traceroute 192.168.1.1
Force Reverse DNS Resolution	nmap -R [target]	nmap -R 192.168.1.1
Disable Reverse DNS Resolution	nmap -n [target]	nmap -n 192.168.1.1
Alternative DNS Lookup	nmap --system-dns [target]	nmap --system-dns 192.168.1.1
Manually Specify DNS Server(s)	nmap --dns-servers [servers] [target]	nmap --dns-servers 194.109.9.99 192.168.1.1
Create a Host List	nmap -sL [targets]	nmap -sL 192.168.1.1/24

Advanced Scanning Options

Goal	command	example
TCP SYN Scan	nmap -sS [target]	nmap -sS 192.168.1.1
TCP Connect Scan	nmap -sT [target]	nmap -sT 192.168.1.1
UDP Scan	nmap -sU [target]	nmap -sU 192.168.1.1
TCP NULL Scan	nmap -sN [target]	nmap -sN 192.168.1.1
TCP FIN Scan	nmap -sF [target]	nmap -sF 192.168.1.1
Xmas Scan	nmap -sX [target]	nmap -sX 192.168.1.1
TCP ACK Scan	nmap -sA [target]	nmap -sA 192.168.1.1
Custom TCP Scan	nmap --scanflags [flags] [target]	nmap --scanflags SYNFIN 192.168.1.1
IP Protocol Scan	nmap -sO [target]	nmap -sO 192.168.1.1
Send Raw Ethernet Packets	nmap --send-eth [target]	nmap --send-eth 192.168.1.1
Send IP Packets	nmap --send-ip [target]	nmap --send-ip 192.168.1.1

Port Scanning Options

Goal	command	example
Perform a Fast Scan	nmap -F [target]	nmap -F 192.168.1.1
Scan Specific Ports	nmap -p [port(s)] [target]	nmap -p 21-25,80,139,8080 192.168.1.1
Scan Ports by Name	nmap -p [port name(s)] [target]	nmap -p ftp,http* 192.168.1.1
Scan Ports by Protocol	nmap -sU -sT -p U:[ports],T:[ports] [target]	nmap -sU -sT -p U:53,111,137,T:21-25,80,139,8080 192.168.1.1
Scan All Ports	nmap -p '*' [target]	nmap -p '*' 192.168.1.1
Scan Top Ports	nmap --top-ports [number] [target]	nmap --top-ports 10 192.168.1.1
Perform a Sequential Port Scan	nmap -r [target]	nmap -r 192.168.1.1

Version Detection

Goal	command	example
Operating System Detection	nmap -O [target]	nmap -O 192.168.1.1
Submit TCP/IP Fingerprints	www.nmap.org/submit/
Attempt to Guess an Unknown OS	nmap -O --osscan-guess [target]	nmap -O --osscan-guess 192.168.1.1
Service Version Detection	nmap -sV [target]	nmap -sV 192.168.1.1
Troubleshooting Version Scans	nmap -sV --version-trace [target]	nmap -sV --version-trace 192.168.1.1
Perform a RPC Scan	nmap -sR [target]	nmap -sR 192.168.1.1

Timing Options

Goal	command	example
Timing Templates	nmap -T[0-5] [target]	nmap -T3 192.168.1.1
Set the Packet TTL	nmap --ttl [time] [target]	nmap --ttl 64 192.168.1.1
Minimum # of Parallel Operations	nmap --min-parallelism [number] [target]	nmap --min-parallelism 10 192.168.1.1
Maximum # of Parallel Operations	nmap --max-parallelism [number] [target]	nmap --max-parallelism 1 192.168.1.1
Minimum Host Group Size	nmap --min-hostgroup [number] [targets]	nmap --min-hostgroup 50 192.168.1.1
Maximum Host Group Size	nmap --max-hostgroup [number] [targets]	nmap --max-hostgroup 1 192.168.1.1
Maximum RTT Timeout	nmap --initial-rtt-timeout [time] [target]	nmap --initial-rtt-timeout 100ms 192.168.1.1
Initial RTT Timeout	nmap --max-rtt-timeout [TTL] [target]	nmap --max-rtt-timeout 100ms 192.168.1.1
Maximum Retries	nmap --max-retries [number] [target]	nmap --max-retries 10 192.168.1.1
Host Timeout	nmap --host-timeout [time] [target]	nmap --host-timeout 30m 192.168.1.1
Minimum Scan Delay	nmap --scan-delay [time] [target]	nmap --scan-delay 1s 192.168.1.1
Maximum Scan Delay	nmap --max-scan-delay [time] [target]	nmap --max-scan-delay 10s 192.168.1.1
Minimum Packet Rate	nmap --min-rate [number] [target]	nmap --min-rate 50 192.168.1.1
Maximum Packet Rate	nmap --max-rate [number] [target]	nmap --max-rate 100 192.168.1.1
Defeat Reset Rate Limits	nmap --defeat-rst-ratelimit [target]	nmap --defeat-rst-ratelimit 192.168.1.1

Firewall Evasion Techniques

Goal	command	example
Fragment Packets	nmap -f [target]	nmap -f 192.168.1.1
Specify a Specific MTU	nmap --mtu [MTU] [target]	nmap --mtu 32 192.168.1.1
Use a Decoy	nmap -D RND:[number] [target]	nmap -D RND:10 192.168.1.1
Idle Zombie Scan	nmap -sI [zombie] [target]	nmap -sI 192.168.1.23 192.168.1.1
Manually Specify a Source Port	nmap --source-port [port] [target]	nmap --source-port 1025 192.168.1.1
Append Random Data	nmap --data-length [size] [target]	nmap --data-length 20 192.168.1.1
Randomize Target Scan Order	nmap --randomize-hosts [target]	nmap --randomize-hosts 192.168.1.1-20
Spoof MAC Address	nmap --spoof-mac [MAC|0|vendor] [target]	nmap --spoof-mac Cisco 192.168.1.1
Send Bad Checksums	nmap --badsum [target]	nmap --badsum 192.168.1.1

Output Options

Goal	command	example
Save Output to a Text File	nmap -oN [scan.txt] [target]	nmap -oN output.txt 192.168.1.1
Save Output to a XML File	nmap -oX [scan.xml] [target]	nmap -oX output.xml 192.168.1.1
Grepable Output	nmap -oG [scan.txt] [targets]	nmap -oG output.txt 192.168.1.1
Output All Supported File Types	nmap -oA [path/filename] [target]	nmap -oA ./output 192.168.1.1
Periodically Display Statistics	nmap --stats-every [time] [target]	nmap --stats-every 10s 192.168.1.1
133t Output	nmap -oS [scan.txt] [target]	nmap -oS output.txt 192.168.1.1

Troubleshooting and Debugging

Goal	command	example
Getting Help	nmap -h	nmap -h
Display Nmap Version	nmap -V	nmap -V
Verbose Output	nmap -v [target]	nmap -v 192.168.1.1
Debugging	nmap -d [target]	nmap -d 192.168.1.1
Display Port State Reason	nmap --reason [target]	nmap --reason 192.168.1.1
Only Display Open Ports	nmap --open [target]	nmap --open 192.168.1.1
Trace Packets	nmap --packet-trace [target]	nmap --packet-trace 192.168.1.1
Display Host Networking	nmap --iflist	nmap --iflist
Specify a Network Interface	nmap -e [interface] [target]	nmap -e eth0 192.168.1.1

Nmap Scripting Engine

Goal	command	example
Execute Individual Scripts	nmap --script [script.nse] [target]	nmap --script banner.nse 192.168.1.1
Execute Multiple Scripts	nmap --script [expression] [target]	nmap --script 'http-*' 192.168.1.1
Script Categories	all, auth, default, discovery, external, intrusive, malware, safe, vuln
Execute Scripts by Category	nmap --script [category] [target]	nmap --script 'not intrusive' 192.168.1.1
Execute Multiple Script Categories	nmap --script [category1,category2,etc]	nmap --script 'default or safe' 192.168.1.1
Troubleshoot Scripts	nmap --script [script] --script-trace [target]	nmap --script banner.nse --script-trace 192.168.1.1
Update the Script Database	nmap --script-updatedb	nmap --script-updatedb

Ndiff

Goal	command	example
Comparison Using Ndiff	ndiff [scan1.xml] [scan2.xml]	ndiff scan_output1.xml scan_output2.xml
Ndiff Verbose Mode	ndiff -v [scan1.xml] [scan2.xml]	ndiff -v scan_output1.xml scan_output2.xml
XML Output Mode	ndiff --xml [scan1.xml] [scan2.xml]	ndiff --xml scan_output1.xml scan_output2.xml