Nmap Commands

Essential Nmap network scanning commands and techniques.

Basic Scanning

nmap <target>

Scan a single target

nmap <target1> <target2>

Scan multiple targets

nmap <IP range>

Scan a range of IPs (e.g., 192.168.1.1-254)

nmap <subnet>

Scan a subnet (e.g., 192.168.1.0/24)

nmap -iL <file>

Scan targets from a file

nmap <targets> --exclude <IP>

Exclude specific IP(s) from scan

Host Discovery

nmap -sn <target>

Ping scan (no port scan)

nmap -Pn <target>

Skip host discovery (treat all hosts as online)

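nmap -PS<ports> <target>

TCP SYN ping on specific ports (no space between -PS and the port list, e.g., -PS22,80)

nmap -PA<ports> <target>

TCP ACK ping on specific ports (no space between -PA and the port list)

nmap -PU<ports> <target>

UDP ping on specific ports (no space between -PU and the port list)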

nmap -PR <target>

ARP ping (local network only)

Port Scanning Techniques

nmap -sS <target>

TCP SYN scan (half-open "stealth" scan; default when run with root privileges)

nmap -sT <target>

TCP connect scan (default when run without root privileges)

nmap -sU <target>

UDP scan

nmap -sA <target>

TCP ACK scan (firewall detection)

nmap -sW <target>

TCP Window scan

nmap -sM <target>

TCP Maimon scan

nmap -sN <target>

TCP Null scan

nmap -sF <target>

TCP FIN scan

nmap -sX <target>

TCP Xmas scan

Port Specification

nmap -p 22 <target>

Scan a specific port

nmap -p 22,80,443 <target>

Scan multiple ports

nmap -p 1-1000 <target>

Scan a port range

nmap -p- <target>

Scan all 65535 ports

nmap -sU -sS -p U:53,T:21-25,80 <target>

Scan UDP and TCP ports (the U: ports are only scanned when -sU is given together with a TCP scan type)

nmap --top-ports 100 <target>

Scan top 100 most common ports

nmap -F <target>

Fast scan (top 100 ports)

Service & Version Detection

nmap -sV <target>

Detect service versions

nmap -sV --version-intensity <0-9> <target>

Set version detection intensity (a single value from 0 to 9)

nmap -sV --version-all <target>

Try all probes (intensity 9)

nmap -A <target>

Aggressive scan (OS, version, script, traceroute)

nmap -O <target>

OS detection

nmap -O --osscan-guess <target>

Guess OS more aggressively

NSE Scripts

nmap -sC <target>

Run default NSE scripts

nmap --script=<script> <target>

Run specific NSE script

nmap --script=vuln <target>

Run vulnerability detection scripts

nmap --script=auth <target>

Run authentication scripts

nmap --script=discovery <target>

Run discovery scripts

nmap --script=<script> --script-args=<args> <target>

Pass arguments to scripts

nmap --script-help=<script>

Show script documentation

Timing & Performance

nmap -T0 <target>

Paranoid timing (slowest)

nmap -T1 <target>

Sneaky timing

nmap -T2 <target>

Polite timing

nmap -T3 <target>

Normal timing (default)

nmap -T4 <target>

Aggressive timing

nmap -T5 <target>

Insane timing (fastest)

nmap --min-rate 100 <target>

Send packets no slower than 100/sec

nmap --max-rate 1000 <target>

Send packets no faster than 1000/sec

Firewall/IDS Evasion

nmap -f <target>

Fragment packets

nmap --mtu <size> <target>

Set custom MTU size

nmap -D RND:10 <target>

Use 10 random decoys

nmap -S <IP> <target>

Spoof source IP

nmap -g <port> <target>

Use specific source port

nmap --data-length 25 <target>

Append random data to packets

nmap --randomize-hosts <targets>

Randomize target scan order

nmap --spoof-mac <MAC> <target>

Spoof MAC address

Output Options

nmap -oN <file> <target>

Normal output to file

nmap -oX <file> <target>

XML output to file

nmap -oG <file> <target>

Grepable output to file

nmap -oA <basename> <target>

Output in all formats

nmap -v <target>

Increase verbosity level

nmap -d <target>

Increase debugging level

nmap --reason <target>

Show reason for port state

nmap --open <target>

Only show open ports