Sunday, July 14, 2024

What is Nmap

  • Nmap (Network Mapper) is a security scanning, monitoring and evaluation tool for networked systems, developed by Gordon Lyon (also known as Fyodor Vaskovich).
  • Nmap was first published in September 1997.
  • Nmap is free and open source software. It was initially developed only for Linux, then ported to many other platforms such as Windows, Solaris and macOS, and a graphical front end (Zenmap) was added.

Functions of Nmap:  

  • Detect hosts (computers or other devices) that are up on the network.
  • List open ports (network service ports) on a host.
  • Identify the services running on open ports, along with the software and version in use.
  • Identify the device's operating system.
  • Run special scripts (NSE scripts).

Install Nmap

On Windows, go to the Nmap download page, download the latest version and install it like normal software.

On Linux (Debian) it can be installed from the distribution repository with the command:

sudo apt-get install nmap

On Linux (Red Hat) it can be installed from the repository with:

sudo yum install nmap

On macOS it can be installed via Homebrew (install Homebrew first) with the command:

brew install nmap

(Homebrew refuses to run as root, so do not prefix the command with sudo.)

Nmap runs from the command line: on Windows open "cmd", on Linux and macOS open "Terminal", and type the command "nmap".

Nmap provides many command-line options to control a scan, so decide in advance what information you need and pick the options that produce it. Some examples from an Nmap cheat sheet:

Target Specification

  nmap <ip> Scan a single IP
  nmap <ip1> <ip2> Scan specific IPs
  nmap <ip-range> Scan a range
  nmap <domain> Scan a domain
  nmap <network>/<prefix> Scan using CIDR notation
-iL nmap -iL targets.txt Scan targets from a file
-iR nmap -iR 100 Scan 100 random hosts
--exclude nmap --exclude <ip> Exclude listed hosts

Nmap Scan Techniques

-sS nmap -sS TCP SYN port scan (Default)
-sT nmap -sT TCP connect port scan (Default without root privilege)
-sU nmap -sU UDP port scan
-sA nmap -sA TCP ACK port scan
-sW nmap -sW TCP Window port scan
-sM nmap -sM TCP Maimon port scan

Host Discovery

-sL nmap -sL No scan. List targets only
-sn nmap -sn Disable port scanning. Host discovery only.
-Pn nmap -Pn Disable host discovery. Port scan only.
-PS nmap -PS22-25,80 TCP SYN discovery on port x. Port 80 by default
-PA nmap -PA22-25,80 TCP ACK discovery on port x. Port 80 by default
-PU nmap -PU53 UDP discovery on port x. Port 40125 by default
-PR nmap -PR ARP discovery on local network
-n nmap -n Never do DNS resolution

Port Specification

-p nmap -p 21 Port scan for port x
-p nmap -p 21-100 Port range
-p nmap -p U:53,T:21-25,80 Port scan multiple TCP and UDP ports
-p nmap -p- Port scan all ports
-p nmap -p http,https Port scan from service name
-F nmap -F Fast port scan (100 ports)
--top-ports nmap --top-ports 2000 Port scan the top x ports
-p-65535 nmap -p-65535 Leaving off initial port in range makes the scan start at port 1
-p0- nmap -p0- Leaving off end port in range makes the scan go through to port 65535

Service and Version Detection

-sV nmap -sV Attempts to determine the version of the service running on port
-sV --version-intensity nmap -sV --version-intensity 8 Intensity level 0 to 9. Higher number increases possibility of correctness
-sV --version-light nmap -sV --version-light Enable light mode. Lower possibility of correctness. Faster
-sV --version-all nmap -sV --version-all Enable intensity level 9. Higher possibility of correctness. Slower
-A nmap -A Enables OS detection, version detection, script scanning, and traceroute

OS Detection

-O nmap -O Remote OS detection using TCP/IP stack fingerprinting
-O --osscan-limit nmap -O --osscan-limit If at least one open and one closed TCP port are not found it will not try OS detection against the host
-O --osscan-guess nmap -O --osscan-guess Makes Nmap guess more aggressively
-O --max-os-tries nmap -O --max-os-tries 1 Set the maximum number x of OS detection tries against a target
-A nmap -A Enables OS detection, version detection, script scanning, and traceroute

Timing and Performance

-T0 nmap -T0 Paranoid (0) Intrusion Detection System evasion
-T1 nmap -T1 Sneaky (1) Intrusion Detection System evasion
-T2 nmap -T2 Polite (2) slows down the scan to use less bandwidth and use less target machine resources
-T3 nmap -T3 Normal (3) which is default speed
-T4 nmap -T4 Aggressive (4) speeds scans; assumes you are on a reasonably fast and reliable network
-T5 nmap -T5 Insane (5) speeds scan; assumes you are on an extraordinarily fast network

Timing and Performance Switches

--host-timeout <time> 1s; 4m; 2h Give up on target after this long
--min-rtt-timeout/--max-rtt-timeout/--initial-rtt-timeout <time> 1s; 4m; 2h Specifies probe round trip time
--min-hostgroup/--max-hostgroup <size> 50; 1024 Parallel host scan group sizes
--min-parallelism/--max-parallelism <numprobes> 10; 1 Probe parallelization
--max-retries <tries> 3 Specify the maximum number of port scan probe retransmissions
--min-rate <number> 100 Send packets no slower than <number> per second
--max-rate <number> 100 Send packets no faster than <number> per second

NSE Scripts

-sC nmap -sC Scan with default NSE scripts. Considered useful for discovery and safe
--script default nmap --script default Scan with default NSE scripts. Considered useful for discovery and safe
--script nmap --script=banner Scan with a single script. Example banner
--script nmap --script=http* Scan with a wildcard. Example http
--script nmap --script=http,banner Scan with two scripts. Example http and banner
--script nmap --script "not intrusive" Scan default, but remove intrusive scripts
--script-args nmap --script snmp-sysdescr --script-args snmpcommunity=admin NSE script with arguments

Useful NSE Script Examples

nmap -Pn --script=http-sitemap-generator HTTP site map generator
nmap -n -Pn -p 80 --open -sV -vvv --script banner,http-title -iR 1000 Fast search for random web servers
nmap -Pn --script=dns-brute Brute forces DNS hostnames guessing subdomains
nmap -n -Pn -vv -O -sV --script smb-enum*,smb-ls,smb-mbenum,smb-os-discovery,smb-s*,smb-vuln*,smbv2* -vv Safe SMB scripts to run
nmap --script whois* Whois query
nmap -p80 --script http-unsafe-output-escaping Detect cross site scripting vulnerabilities
nmap -p80 --script http-sql-injection Check for SQL injections

Firewall / IDS Evasion and Spoofing

-f nmap -f Requested scan (including ping scans) uses tiny fragmented IP packets. Harder for packet filters
--mtu nmap --mtu 32 Set your own offset size
-D nmap -D <decoy1>,<decoy2>,<decoy3> <target> Send scans from spoofed IPs
-D nmap -D decoy-ip1,decoy-ip2,your-own-ip,decoy-ip3,decoy-ip4 remote-host-ip Above example explained
-S nmap -S <spoofed-source-ip> <target> Scan Facebook from Microsoft (-e eth0 -Pn may be required)
-g nmap -g 53 Use given source port number
--proxies nmap --proxies <url1>,<url2> Relay connections through HTTP/SOCKS4 proxies
--data-length nmap --data-length 200 Appends random data to sent packets

Example IDS Evasion command

nmap -f -T0 -n -Pn --data-length 200 -D <decoy1>,<decoy2>,<decoy3> <target>

Output

-oN nmap -oN normal.file Normal output to the file normal.file
-oX nmap -oX xml.file XML output to the file xml.file
-oG nmap -oG grep.file Grepable output to the file grep.file
-oA nmap -oA results Output in the three major formats at once
-oG - nmap -oG - Grepable output to screen. -oN -, -oX - also usable
--append-output nmap -oN file.file --append-output Append a scan to a previous scan file
-v nmap -v Increase the verbosity level (use -vv or more for greater effect)
-d nmap -d Increase debugging level (use -dd or more for greater effect)
--reason nmap --reason Display the reason a port is in a particular state, same output as -vv
--open nmap --open Only show open (or possibly open) ports
--packet-trace nmap -T4 --packet-trace Show all packets sent and received
--iflist nmap --iflist Shows the host interfaces and routes
--resume nmap --resume results.file Resume a scan

Helpful Nmap Output examples

nmap -p80 -sV -oG - --open | grep open Scan for web servers and grep to show which IPs are running web servers
nmap -iR 10 -n -oX out.xml | grep "Nmap" | cut -d " " -f5 > live-hosts.txt Generate a list of the IPs of live hosts
nmap -iR 10 -n -oX out2.xml | grep "Nmap" | cut -d " " -f5 >> live-hosts.txt Append IPs to the list of live hosts
ndiff scan1.xml scan2.xml Compare output from two Nmap runs using ndiff
xsltproc nmap.xml -o nmap.html Convert Nmap XML files to HTML files
grep " open " results.nmap | sed -r 's/ +/ /g' | sort | uniq -c | sort -rn | less Reverse sorted list of how often ports turn up
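The grep/cut/sort pipelines above work on Nmap's grepable (-oG) output, whose fields are tab-separated and whose Ports field packs each port as port/state/proto/owner/service/rpc/version/. The script below is an added example, not part of the original cheat sheet: it parses a constructed -oG sample with POSIX awk and answers the two questions those pipelines ask (which hosts have a given port open, and how often each open port turns up). The sample scan data and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example: parse Nmap grepable (-oG) output with POSIX tools.
# The scan data below is constructed for illustration, not a real scan.

# Emit a constructed -oG file on stdout. Fields in -oG lines are tab-separated.
sample_og() {
  printf '# Nmap 7.94 scan initiated (constructed sample)\n'
  printf 'Host: 10.0.0.5 ()\tStatus: Up\n'
  printf 'Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 80/open/tcp//http//nginx/\tIgnored State: closed (998)\n'
  printf 'Host: 10.0.0.6 ()\tStatus: Up\n'
  printf 'Host: 10.0.0.6 ()\tPorts: 80/open/tcp//http//Apache httpd/, 443/open/tcp//https//Apache httpd/\tIgnored State: closed (998)\n'
  printf 'Host: 10.0.0.7 ()\tStatus: Up\n'
  printf 'Host: 10.0.0.7 ()\tPorts: 22/closed/tcp//ssh///, 80/open/tcp//http//nginx/\tIgnored State: filtered (998)\n'
  printf '# Nmap done at (constructed sample)\n'
}

# Read -oG text on stdin; print "port/proto host service" for every open port.
open_ports() {
  awk '/^Host:.*\tPorts: / {
    host = $2
    s = $0; sub(/.*\tPorts: /, "", s); sub(/\t.*/, "", s)   # keep only the Ports field
    n = split(s, entry, ", ")
    for (i = 1; i <= n; i++) {
      split(entry[i], f, "/")          # port/state/proto/owner/service/rpc/version/
      if (f[2] == "open") print f[1] "/" f[3], host, f[5]
    }
  }'
}

# Hosts with TCP port $1 open, one per line (the "-oG - --open | grep open" question).
hosts_with_open() {
  open_ports | awk -v want="$1/tcp" '$1 == want { print $2 }'
}

# Reverse-sorted count of how often each open port turns up (the sort | uniq -c question).
port_frequency() {
  open_ports | awk '{ print $1 }' | sort | uniq -c | sort -rn
}

# Example run against the constructed sample; replace sample_og with "cat scan.gnmap".
sample_og | port_frequency
```

For a real scan, feed the file written by -oG (or the output of nmap -oG -) into open_ports instead of sample_og.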

Miscellaneous Nmap Flags

-6 nmap -6 2607:f0d0:1002:51::4 Enable IPv6 scanning
-h nmap -h nmap help screen

Other Useful Nmap Commands

nmap -iR 10 -PS22-25,80,113,1050,35000 -v -sn Discovery only on ports x, no port scan
nmap -PR -sn -vv ARP discovery only on local network, no port scan
nmap -iR 10 -sn --traceroute Traceroute to random targets, no port scan
nmap -sL --dns-servers <dns-server> <network>/<prefix> Query the internal DNS for hosts, list targets only
nmap --packet-trace <target> Show the details of the packets that are sent and received during a scan and capture the traffic.
Thien Tek95
I am Thien Tek, I like technology security. I have successfully completed all requirements and criteria for Certified Ethical Hacker, view here. Certified Ethical Hacker. Contact us: 0902 03 1995