
Nmap tutorial: A complete guide to Nmap commands

This article is a complete guide to Nmap, from basic to advanced commands, written so that cyber security learners have the commands at their fingertips.

What is Nmap

Nmap (Network Mapper) is a free, open-source tool for network discovery and security auditing. It is pre-installed in Kali Linux; for Windows and other Linux distributions, download it from the official Nmap page.

Purpose of Nmap

Nmap serves several purposes, including:

  • Scanning for open ports and their details
  • Finding the target's operating system and its details
  • Identifying the version of the applications and services the target is running
  • Finding hosts and their remote IP addresses
  • Scanning for known vulnerabilities
  • Spoofing to evade IPS/firewalls

Nmap Commands Basic to Advance

nmap [scan type] [options] {target specification}

To scan specific targets

Example                                  Description
nmap [ip]                                Scan a single IP address
nmap [ip1] [ip2]                         Scan multiple IP addresses
nmap [ip range]                          Scan a range of IP addresses
nmap scanme.nmap.org                     Scan a domain name
nmap -iL test.txt                        Scan the targets listed in a file
nmap -iR 10                              Scan 10 random hosts
nmap --exclude [ip]                      Exclude specific IPs from the scan

Port specification techniques

Example                                  Description
nmap -p 22                               Scan a specific port
nmap -p 22-50                            Scan a range of ports
nmap -p U:110,T:443                      Scan UDP port 110 and TCP port 443
nmap -F                                  Fast scan: fewer ports than the default
nmap -p ftp,http                         Scan ports by service name (ftp, http)
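
The -p syntax above follows a small grammar: comma-separated elements, ranges with an open start or end, a T:/U:/S: prefix that persists until the next prefix, and service names resolved through Nmap's nmap-services table. The parser below is an added example, not code from the article or from the Nmap project; it reproduces that grammar so the expansion of a specification can be checked before a scan is run. NMAP_SERVICES is a constructed subset of the real table, and the P: protocol-scan prefix is deliberately left out.

```python
import re

MAX_PORT = 65535
PROTOCOLS = ("tcp", "udp", "sctp")
PREFIX = {"T": "tcp", "U": "udp", "S": "sctp"}

# Constructed subset of the nmap-services table (assumption for this example).
# Real nmap resolves names from /usr/share/nmap/nmap-services; a name resolves
# per protocol, so "domain" yields 53 for tcp and udp while "ftp" is tcp only.
NMAP_SERVICES = {
    ("ftp", "tcp"): 21, ("ssh", "tcp"): 22, ("smtp", "tcp"): 25,
    ("domain", "tcp"): 53, ("domain", "udp"): 53, ("http", "tcp"): 80,
    ("pop3", "tcp"): 110, ("snmp", "udp"): 161, ("https", "tcp"): 443,
}

_RANGE = re.compile(r"^(\d*)-(\d*)$")


def _expand_item(item, proto):
    """Expand one element of the spec into a set of ports for one protocol."""
    if item.isdigit():
        port = int(item)
        if port > MAX_PORT:
            raise ValueError(f"port {port} out of range")
        return {port}
    m = _RANGE.match(item)
    if m:
        # "22-50" -> 22..50, "-100" -> 1..100, "1000-" -> 1000..65535, "-" -> all
        lo = int(m.group(1)) if m.group(1) else 1
        hi = int(m.group(2)) if m.group(2) else MAX_PORT
        if lo > hi or hi > MAX_PORT:
            raise ValueError(f"bad range {item!r}")
        return set(range(lo, hi + 1))
    # Otherwise it is a service name; unknown for this protocol gives an empty set.
    port = NMAP_SERVICES.get((item, proto))
    return {port} if port is not None else set()


def parse_port_spec(spec):
    """Expand an nmap -p specification into sorted port lists per protocol.

    A T:/U:/S: prefix applies to every following element until the next prefix.
    Elements before any prefix apply to all protocols (nmap then scans only the
    protocols selected by -sS/-sU/-sY). The P: protocol-scan prefix is not handled.
    """
    result = {p: set() for p in PROTOCOLS}
    current = None  # no prefix seen yet
    for item in spec.split(","):
        if len(item) > 1 and item[1] == ":" and item[0].upper() in PREFIX:
            current = PREFIX[item[0].upper()]
            item = item[2:]
        if not item:
            raise ValueError("empty element in port specification")
        targets = [current] if current else list(PROTOCOLS)
        matched = False
        for proto in targets:
            ports = _expand_item(item, proto)
            matched = matched or bool(ports)
            result[proto] |= ports
        if not matched:
            raise ValueError(f"unknown port or service {item!r}")
    return {p: sorted(s) for p, s in result.items()}


if __name__ == "__main__":
    for spec in ("22", "22-50", "U:110,T:443", "ftp,http", "U:53,111,137,T:21-25,80"):
        expanded = parse_port_spec(spec)
        print(spec, "->", {p: v for p, v in expanded.items() if v})
```

Note the persistence rule: in U:53,111,137,T:21-25,80 the ports 111 and 137 are UDP and 80 is TCP, because each prefix stays in effect until the next one. The parser rejects whitespace and unknown names rather than guessing, which is the behaviour you want before a specification reaches a production network.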

Different scanning types

Example                                  Description
nmap -sS                                 Default scan with root privileges (TCP SYN scan)
nmap -sT                                 Default scan without root privileges (TCP connect scan)
nmap -sA                                 TCP ACK scan
nmap -sU                                 UDP scan
nmap -sW                                 TCP Window scan

Host Discovery options

Example                                  Description
nmap -n                                  Never do DNS resolution
nmap -sL                                 List targets without scanning them
nmap -sn                                 Host discovery only; port scanning disabled
nmap -Pn                                 Skip host discovery; treat all hosts as up and scan ports
nmap -PS 22-30                           TCP SYN discovery on the specified ports
nmap -PA 22-30                           TCP ACK discovery on the specified ports
nmap -PU 53                              UDP discovery on the specified ports

Determine service and version

Example                                  Description
nmap -sV                                 Detect the service running on each open port
nmap -sV --version-intensity 7           Higher intensity (0-9) gives a better chance of a correct match
nmap -sV --version-all                   Set the highest intensity, 9
nmap -sV --version-light                 Light mode (intensity 2): faster, less accurate
nmap -A                                  Enable OS detection, version detection, script scanning and traceroute
nmap -O                                  Enable remote OS detection

Nmap scripts NSE

Example                                  Description
nmap -sC                                 Scan using the default NSE scripts
nmap --script-updatedb                   Update the script database with new scripts
nmap -sV -sC                             Version detection plus the default (safe) scripts
nmap --script-help="Test script"         Show help for the named script

IDS and Firewall Evasion

Example                                  Description
nmap -f                                  Fragment packets
nmap --source-port [port]                Use the specified source port
nmap -sI [zombie]                        Idle scan through a zombie host
nmap --data-length [size]                Append random data to sent packets
nmap --badsum                            Send packets with a bad checksum

Output Format

Example                                  Description
nmap -oN test.txt                        Normal (default) output to test.txt
nmap -oX test.xml                        XML output to test.xml
nmap -oG test.txt                        Grepable output to test.txt
nmap -oA [basename]                      All three formats at once
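
The XML format (-oX) is the one to keep when scan results feed anything automated, because it is stable and unambiguous where normal output is not. The script below is an added example, not code from the article or from the Nmap project: it reads the hosts, addresses, ports and states out of -oX output and compares two scans so that ports newly exposed since a baseline stand out. The two XML documents are constructed samples using RFC 5737 documentation addresses, trimmed to the elements the parser reads; a real file has the same element and attribute names with more attributes on each.

```python
import xml.etree.ElementTree as ET

# Constructed sample of nmap -oX output (not a real scan), trimmed to the
# elements this parser reads. Addresses are RFC 5737 documentation addresses.
BASELINE_XML = """
<nmaprun scanner="nmap" args="nmap -sV -oX baseline.xml 192.0.2.0/28">
  <host><status state="up"/><address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
      <port protocol="tcp" portid="443"><state state="closed"/></port>
    </ports></host>
  <host><status state="down"/><address addr="192.0.2.11" addrtype="ipv4"/></host>
</nmaprun>"""

CURRENT_XML = """
<nmaprun scanner="nmap" args="nmap -sV -oX current.xml 192.0.2.0/28">
  <host><status state="up"/><address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
      <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
    </ports></host>
  <host><status state="up"/><address addr="192.0.2.11" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
      <port protocol="udp" portid="137"><state state="open|filtered"/></port>
    </ports></host>
</nmaprun>"""


def parse_open_ports(xml_text):
    """Return {ip: [(protocol, port, service)]} for hosts that are up, open ports only."""
    root = ET.fromstring(xml_text)
    result = {}
    for host in root.iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            addr = host.find("address[@addrtype='ipv6']")
        if addr is None:
            continue
        entries = []
        for port in host.iterfind("ports/port"):
            state = port.find("state")
            # "open|filtered" (typical for UDP) is ambiguous, so it is not counted as open.
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            name = svc.get("name", "") if svc is not None else ""
            entries.append((port.get("protocol"), int(port.get("portid")), name))
        result[addr.get("addr")] = sorted(entries)
    return result


def new_exposures(baseline, current):
    """Open (protocol, port) pairs in the current scan that the baseline did not have.

    A host absent from the baseline counts as entirely new exposure.
    """
    diff = {}
    for ip, entries in current.items():
        before = {(proto, port) for proto, port, _ in baseline.get(ip, [])}
        added = [e for e in entries if (e[0], e[1]) not in before]
        if added:
            diff[ip] = added
    return diff


if __name__ == "__main__":
    changes = new_exposures(parse_open_ports(BASELINE_XML), parse_open_ports(CURRENT_XML))
    for ip, added in changes.items():
        for proto, port, name in added:
            print(f"{ip}: new open {port}/{proto} ({name or 'unknown'})")
```

Run against real files, the same two functions turn a scheduled nmap -oX of your own address space into a change report: a host that was down and is now answering on 445/tcp, or an RDP port that appeared on a web server, shows up without anyone reading the full listing. Treat open|filtered as "unknown" rather than "open", as the parser does, or UDP scans will flood the report with false positives.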

Timing scan options

Example                                  Description
nmap -T0                                 Slowest scan
nmap -T1                                 Helps evade IDS detection
nmap -T2                                 Uses less bandwidth
nmap -T3                                 Default timing
nmap -T4                                 Aggressive scan
nmap -T5                                 Very aggressive scan, easily identified by an IDS

Scanning Options

Example                                  Description
nmap -sP                                 Ping scan only (legacy alias of -sn)
nmap -PU                                 UDP ping
nmap -PE                                 ICMP echo ping
nmap -PO                                 IP protocol ping
nmap -PR                                 ARP ping
nmap --traceroute                        Trace the route to each host
nmap -Pn                                 Scan without pinging


IPv6 scan

Example                                  Description
nmap -6 2501:f0b0:1b02:21::1             Scan an IPv6 address
