Nmap
Nmap ("Network Mapper") is a free and open-source utility for network discovery and security auditing. It's one of the most essential tools in a penetration tester's arsenal.
Basic Usage
Simple Scan
nmap target.example.com
Scan Specific Ports
nmap -p 22,80,443 target.example.com
Scan Port Range
nmap -p 1-1000 target.example.com
Scan All Ports
nmap -p- target.example.com
Advanced Scanning Techniques
SYN Scan (Stealth Scan)
sudo nmap -sS target.example.com
-sS needs raw-socket privileges and is already the default scan type when Nmap runs as root. It never completes the TCP handshake, so fewer application-level logs are written, but the half-open probes themselves are plainly visible to any modern firewall or IDS; "stealth" is a historical name, not a guarantee.
UDP Scan
sudo nmap -sU target.example.com
UDP scans are slow: closed ports answer with ICMP port-unreachable messages that most kernels rate-limit, and open ports usually say nothing, so many ports come back as open|filtered unless -sV or a script provokes a reply.
OS Detection
sudo nmap -O target.example.com
Version Detection
nmap -sV target.example.com
Comprehensive Scan
sudo nmap -sS -sV -sC -A -O -p- target.example.com
-A already enables -sV, -sC, -O and --traceroute, and -sS is the default as root, so the other flags here are harmless duplicates; the work done is a full-port version, script and OS scan, which is noisy and can take hours against a filtered host.
Network Scanning
Scan a Subnet
nmap 192.168.1.0/24
Scan Multiple Targets
nmap 192.168.1.1 192.168.1.2 192.168.1.3
Scan from a File
nmap -iL targets.txt
The file holds one target per line, in any form Nmap accepts on the command line (single host, hostname or CIDR range).
Output Options
Save Output to a File
nmap -oN scan_results.txt target.example.com
Save in XML Format
nmap -oX scan_results.xml target.example.com
XML is the format to parse with tooling; -oX - writes it to stdout so it can be piped straight into a parser.
Save in All Formats
nmap -oA scan_results target.example.com
This writes scan_results.nmap, scan_results.xml and scan_results.gnmap (normal, XML and grepable) from a single run.
Performance Options
Timing Templates
# Paranoid (0) - Very slow, used for IDS evasion
nmap -T0 target.example.com
# Sneaky (1) - Quite slow, used for IDS evasion
nmap -T1 target.example.com
# Polite (2) - Slows down to consume less bandwidth
nmap -T2 target.example.com
# Normal (3) - Default timing template
nmap -T3 target.example.com
# Aggressive (4) - Assumes you're on a reasonably fast and reliable network
nmap -T4 target.example.com
# Insane (5) - Very aggressive; may overwhelm targets or miss open ports
nmap -T5 target.example.com
Probe Parallelism
nmap --min-parallelism 100 target.example.com
--min-parallelism sets how many probes Nmap keeps in flight against a single host; to scan more hosts concurrently use --min-hostgroup, and to set a packet-rate floor use --min-rate. Forcing high values on a lossy link produces missed ports, so confirm with a slower rescan before trusting a "closed" result.
Evasion Techniques
Fragmentation
sudo nmap -f target.example.com
Splits each probe into 8-byte IP fragments. Firewalls and IDS that reassemble fragments before inspection are unaffected, and some hosts silently drop tiny fragments, so compare the result with an unfragmented scan.
Decoy Scan
sudo nmap -D decoy1.example.com,decoy2.example.com,ME target.example.com
ME marks where your real address sits in the decoy order. Use decoys that are actually up, otherwise the target may be SYN-flooded with replies it cannot deliver, and remember that your real address still appears in the target's logs alongside the decoys.
Spoof MAC Address
sudo nmap --spoof-mac 00:11:22:33:44:55 target.example.com
Only meaningful when the target is on the same Ethernet segment, since the source MAC is rewritten at the first router. The value can be a full address, a vendor prefix, a vendor name, or 0 for a random address.
NSE Scripts
Nmap Scripting Engine (NSE) provides additional functionality:
Vulnerability Scanning
nmap --script vuln target.example.com
The vuln category includes intrusive checks as well as safe ones; against fragile production services review the list first.
Default Scripts
nmap -sC target.example.com
-sC is equivalent to --script default.
Specific Script
nmap --script http-title target.example.com
Multiple Scripts
nmap --script "http-*" target.example.com
Quote the pattern so the shell does not expand it as a glob; nmap --script-help "http-*" lists every script the pattern would run.
Practical Examples
Basic Network Enumeration
nmap -sV -sC -oA network_enum 192.168.1.0/24
Web Server Scan
nmap -p 80,443 --script "http-*" target.example.com
Find All Open SMB Shares
nmap -p 445 --script smb-enum-shares 192.168.1.0/24
Check for EternalBlue Vulnerability
nmap -p 445 --script smb-vuln-ms17-010 target.example.com
MS17-010 is the SMBv1 flaw exploited by EternalBlue; the script is a check only, not an exploit.
Stealthy Scan for Firewall Evasion
sudo nmap -sS -T2 -f -D 192.168.1.101,192.168.1.102,ME target.example.com
Cheat Sheet
nmap -sS target
TCP SYN scan
nmap -sT target
TCP connect scan
nmap -sU target
UDP scan
nmap -sV target
Service/version detection
nmap -sC target
Default script scan
nmap -O target
OS detection
nmap -A target
Aggressive scan (OS + version + scripts + traceroute)
nmap -p 1-65535 target
Scan all ports
nmap -p- target
Scan all ports (shorthand)
nmap -p http,https target
Scan named ports
nmap -F target
Fast scan (top 100 ports)
nmap -T<0-5> target
Timing template (0 slowest, 5 fastest)
nmap -oN results.txt target
Save output to text file
nmap -oX results.xml target
Save output to XML
nmap -oG results.gnmap target
Save output in grepable format
nmap -oA results target
Save in all formats
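The commands above naturally chain into a staged workflow: a wide, cheap scan saved with -oX, then a deeper scan of only the hosts that matter. The script below is an added example, not part of the original page or of the Nmap project. It parses a constructed nmap -oX result (embedded inline and trimmed to the elements the parser reads), keeps only ports whose state is exactly "open", selects the hosts exposing a chosen port, and builds the second-stage nmap command line. The function names parse_open_ports, hosts_with_open_port and build_followup_argv are this example's own.

```python
"""Added example: turn a saved nmap -oX result into a second-stage target list."""
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

# Constructed sample in the shape nmap -oX writes (trimmed to the elements this
# parser reads): two live hosts with a mix of port states, plus one host that
# never answered.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX - 192.168.1.0/29" version="7.94">
  <host>
    <status state="up" reason="echo-reply"/>
    <address addr="192.168.1.10" addrtype="ipv4"/>
    <address addr="00:11:22:33:44:55" addrtype="mac"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh" product="OpenSSH" version="8.9p1"/></port>
      <port protocol="tcp" portid="445"><state state="open" reason="syn-ack"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="3389"><state state="filtered" reason="no-response"/><service name="ms-wbt-server"/></port>
    </ports>
  </host>
  <host>
    <status state="up" reason="echo-reply"/>
    <address addr="192.168.1.11" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http" product="nginx" version="1.24.0"/></port>
      <port protocol="udp" portid="161"><state state="open|filtered" reason="no-response"/><service name="snmp"/></port>
    </ports>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="192.168.1.12" addrtype="ipv4"/>
  </host>
</nmaprun>
"""

PortRecord = Dict[str, Optional[object]]


def parse_open_ports(xml_text: str) -> Dict[str, List[PortRecord]]:
    """Map each host nmap reports as up to its ports in state exactly "open".

    Down hosts are skipped. "filtered" and "open|filtered" (the usual UDP
    answer when nothing replied) are deliberately excluded: treating them as
    open would pad the second-stage list with hosts that never responded.
    """
    root = ET.fromstring(xml_text)
    results: Dict[str, List[PortRecord]] = {}
    for host in root.iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        # A host can carry a MAC <address> too; take the IPv4/IPv6 one.
        ip = next((a.get("addr") for a in host.findall("address")
                   if a.get("addrtype") in ("ipv4", "ipv6")), None)
        if ip is None:
            continue
        records: List[PortRecord] = []
        for port in host.iterfind("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")  # absent when -sV was not used
            records.append({
                "proto": port.get("protocol"),
                "port": int(port.get("portid")),
                "service": svc.get("name") if svc is not None else None,
                "product": svc.get("product") if svc is not None else None,
                "version": svc.get("version") if svc is not None else None,
            })
        results[ip] = records  # up hosts with no open ports stay, with []
    return results


def hosts_with_open_port(results: Dict[str, List[PortRecord]],
                         port: int, proto: str = "tcp") -> List[str]:
    """Hosts with the given port/protocol open, in the order nmap listed them."""
    return [ip for ip, recs in results.items()
            if any(r["port"] == port and r["proto"] == proto for r in recs)]


def build_followup_argv(hosts: List[str], ports: List[int],
                        prefix: str = "stage2") -> List[str]:
    """argv for the second-stage scan: version detection plus default scripts
    on only the ports of interest, all three output formats saved under prefix."""
    return ["nmap", "-sV", "-sC", "-p", ",".join(str(p) for p in ports),
            "-oA", prefix, *hosts]


if __name__ == "__main__":
    found = parse_open_ports(SAMPLE_XML)
    for ip, recs in found.items():
        print(ip, ", ".join(f'{r["proto"]}/{r["port"]} {r["service"]}' for r in recs))
    smb_hosts = hosts_with_open_port(found, 445)
    print(" ".join(build_followup_argv(smb_hosts, [445])))
```

On a real engagement the sample would be replaced by the file written with -oX (or the stdout of -oX -), and the printed argv would be handed to subprocess or pasted into a shell; writing the selected hosts one per line to a file and passing it with -iL is the equivalent for large host lists.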