Nmap

Nmap ("Network Mapper") is a free and open-source utility for network discovery and security auditing. It's one of the most essential tools in a penetration tester's arsenal.

Basic Usage

Simple Scan

nmap target.example.com

Scan Specific Ports

nmap -p 22,80,443 target.example.com

Scan Port Range

nmap -p 1-1000 target.example.com

Scan All Ports

nmap -p- target.example.com

Advanced Scanning Techniques

SYN Scan (Stealth Scan)

sudo nmap -sS target.example.com

UDP Scan

OS Detection

Version Detection

Comprehensive Scan

Network Scanning

Scan a Subnet

Scan Multiple Targets

Scan from a File

Output Options

Save Output to a File

Save in XML Format

Save in All Formats

Performance Options

Timing Templates

Parallel Host Scan

Evasion Techniques

Fragmentation

Decoy Scan

Spoof MAC Address

NSE Scripts

The Nmap Scripting Engine (NSE) extends port and service scans with scripted checks, from default enumeration scripts to vulnerability detection:

Vulnerability Scanning

Default Scripts

Specific Script

Multiple Scripts

Practical Examples

Basic Network Enumeration

Web Server Scan

Find All Open SMB Shares

Check for EternalBlue Vulnerability

Stealthy Scan for Firewall Evasion
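The output formats above (and the Basic Network Enumeration example) are most useful when the results feed something else, such as an asset inventory or a firewall-policy check. The following POSIX shell helper, added here as an example and not code from the original page or from the Nmap project, parses Nmap's grepable output (the -oG format, also written as results.gnmap by -oA) into a per-host list of open ports and lets you ask which hosts expose a given port. The sample scan output embedded in the block is constructed for illustration; the enumerate wrapper, the 10.0.0.0/29 range and the file prefix are assumptions.

```shell
#!/bin/sh
# Added example: summarise Nmap grepable output (-oG, or the .gnmap file that
# -oA writes). Not Nmap project code. The sample below is constructed, not a
# real scan; grepable lines are tab-separated fields, and the "Ports:" field
# holds comma-separated entries of port/state/proto/owner/service/rpc/version/.

TAB=$(printf '\t')
SAMPLE_GNMAP=$(printf '%s\n' \
  '# Nmap 7.94 scan initiated as: nmap -sV -p 22,80,443 -oG - 10.0.0.0/29 (constructed sample)' \
  "Host: 10.0.0.5 ()${TAB}Status: Up" \
  "Host: 10.0.0.5 ()${TAB}Ports: 22/open/tcp//ssh//OpenSSH 9.2/, 80/open/tcp//http//nginx 1.24/, 443/closed/tcp//https///${TAB}Ignored State: filtered (997)" \
  "Host: 10.0.0.9 ()${TAB}Status: Up" \
  "Host: 10.0.0.9 ()${TAB}Ports: 22/filtered/tcp//ssh///, 80/open/tcp//http//Apache httpd 2.4/" \
  '# Nmap done -- 8 IP addresses (2 hosts up) scanned in 1.23 seconds')

# Read grepable output on stdin and print one line per open port:
#   <host> <port>/<proto> <service> <version>
# Ports in any other state (closed, filtered) are dropped, which is what an
# exposure inventory usually wants. Nmap escapes "/" inside versions as "|",
# so splitting each entry on "/" is safe.
open_ports() {
    awk -F "$TAB" '
        /^Host:/ {
            host = $1
            sub(/^Host: /, "", host); sub(/ .*/, "", host)
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^Ports: /) {
                    ports = $i
                    sub(/^Ports: /, "", ports)
                    n = split(ports, entry, /, /)
                    for (j = 1; j <= n; j++) {
                        split(entry[j], f, "/")
                        # f[1]=port f[2]=state f[3]=proto f[5]=service f[7]=version
                        if (f[2] == "open")
                            printf "%s %s/%s %s %s\n", host, f[1], f[3], f[5], f[7]
                    }
                }
            }
        }'
}

# Print every host that has the given TCP port open, e.g. "hosts_with_open_port 22"
# to find SSH exposed where policy says it should not be. Reads stdin.
hosts_with_open_port() {
    open_ports | awk -v want="$1/tcp" '$2 == want { print $1 }'
}

# Assumed wrapper around a real scan: version-detect the target, keep all three
# output formats (prefix.nmap, prefix.xml, prefix.gnmap) for the record, then
# summarise the grepable file. Only runs when called explicitly and needs nmap.
enumerate() {
    target="$1"
    prefix="${2:-results}"
    nmap -sV -oA "$prefix" "$target" >/dev/null
    open_ports < "$prefix.gnmap"
}

# Offline demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_GNMAP" | open_ports
```

Running the file prints three lines for the sample: both open ports on 10.0.0.5 and the web server on 10.0.0.9; the closed 443 and the filtered 22 are omitted. Piping a real results.gnmap into open_ports or hosts_with_open_port works the same way.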

Cheat Sheet

Command                          Description
nmap -sS target                  TCP SYN scan
nmap -sT target                  TCP connect scan
nmap -sU target                  UDP scan
nmap -sV target                  Service/version detection
nmap -sC target                  Default script scan
nmap -O target                   OS detection
nmap -A target                   Aggressive scan (OS + version + scripts + traceroute)
nmap -p 1-65535 target           Scan all ports
nmap -p- target                  Scan all ports (shorthand)
nmap -p http,https target        Scan named ports
nmap -F target                   Fast scan (top 100 ports)
nmap -T0-5 target                Timing templates (higher is faster)
nmap -oN results.txt target      Save output to text file
nmap -oX results.xml target      Save output to XML
nmap -oG results.gnmap target    Save output in grepable format
nmap -oA results target          Save in all formats

Resources
