
Comprehensive Guide to Nmap Commands, Use Cases and FAQs
Nmap, short for Network Mapper, is a free and open-source utility used for network discovery and security auditing. It is an essential tool for network administrators and security professionals to:
- nmap-<version>-setup.exe).
- `nmap --version` and press Enter.

- `/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"`
- `brew update`
- `brew install nmap`
- `nmap --version` and press Enter.

- `sudo apt-get update`
- `sudo apt-get install nmap`
- `sudo dnf install nmap`
- `sudo yum install nmap`
- `sudo pacman -S nmap`
- `nmap --version` and press Enter.

Before diving into commands, it’s crucial to understand how Nmap works and its core components.
- `-sT`: Establishes a full TCP connection with the target.
- `-sS`: Sends SYN packets and analyzes responses (stealthy scan).
- `-sU`: Scans for open UDP ports.
- `-sn`: Checks if hosts are up without scanning ports.
- `-A`: Enables OS detection, version detection, script scanning, and traceroute.

Nmap allows various ways to specify targets:
- `192.168.1.1`
- `192.168.1.1-100`
- `192.168.1.0/24`
- `example.com`
- `-iL targets.txt`

- `-p 80`
- `-p 80,443,22`
- `-p 1-1000`
- `-p-`

These commands are fundamental and useful for beginners.
nmap [Scan Type(s)] [Options] {target specification}
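Before a target specification is handed to Nmap, it is worth confirming that every address it expands to lies inside the ranges you are authorized to scan. The following is an added example, not part of the original guide: it expands the single-IP, octet-range and CIDR forms listed above and reports anything outside a constructed authorized range. `AUTHORIZED`, `expand_target` and `check_scope` are hypothetical names.

```python
import ipaddress
from itertools import product

# Assumption: the ranges your written authorization covers (constructed sample).
AUTHORIZED = [ipaddress.ip_network("192.168.1.0/24")]

def expand_target(spec):
    """Return an iterable of IPv4 addresses for one target spec, or None.

    Supports a single IP, per-octet ranges (192.168.1.1-100) and CIDR
    (192.168.1.0/24). Hostnames and other forms return None so that they
    are resolved and reviewed by hand.
    """
    if "/" in spec:
        try:
            # strict=False: accept host bits in the prefix, e.g. 192.168.1.10/24.
            net = ipaddress.ip_network(spec, strict=False)
        except ValueError:
            return None
        return net if net.version == 4 else None
    octets = spec.split(".")
    if len(octets) != 4:
        return None
    choices = []
    for octet in octets:
        lo, dash, hi = octet.partition("-")
        hi = hi if dash else lo
        if not (lo.isdecimal() and hi.isdecimal() and int(lo) <= int(hi) <= 255):
            return None
        choices.append(range(int(lo), int(hi) + 1))
    return (ipaddress.ip_address(".".join(map(str, c))) for c in product(*choices))

def check_scope(specs, authorized=AUTHORIZED):
    """Return {spec: reason} for each spec not fully inside the authorized ranges."""
    problems = {}
    for spec in specs:
        addrs = expand_target(spec)
        if addrs is None:
            problems[spec] = "unsupported form; resolve and review manually"
            continue
        outside = [a for a in addrs if not any(a in net for net in authorized)]
        if outside:
            problems[spec] = f"{len(outside)} outside scope, first {outside[0]}"
    return problems

if __name__ == "__main__":
    for spec, why in check_scope(["192.168.1.1-100", "10.0.0.0/16", "example.com"]).items():
        print(f"{spec}: {why}")
```

An empty result means every listed spec is fully in scope; any entry is a reason to stop and correct the target list before scanning.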
- `nmap -sn 192.168.1.0/24`
- `nmap -sL 192.168.1.0/24`
- `nmap -sT 192.168.1.10`
- `nmap -sS 192.168.1.10`
- `nmap -sV 192.168.1.10`
- `nmap -O 192.168.1.10`
- `nmap -p 22,80,443 192.168.1.10`
- `nmap -p- 192.168.1.10`
- `nmap -v 192.168.1.10`
- `nmap -A 192.168.1.10`

For users looking to leverage Nmap’s full potential.
- `nmap -T4 192.168.1.10` (timing templates: `-T0` to `-T5`)
- `nmap -f 192.168.1.10`
- `nmap -S 192.168.1.100 192.168.1.10`
- `nmap -D RND:10 192.168.1.10`
- `nmap -oN output.txt 192.168.1.10`
- `nmap -oX output.xml 192.168.1.10`
- `nmap -oA output 192.168.1.10`
- `nmap -sU 192.168.1.10`
- `nmap -sA 192.168.1.10`
- `nmap -sF 192.168.1.10`
- `nmap -sI zombie_host 192.168.1.10`
- `nmap -sV --version-intensity 5 192.168.1.10`
- `nmap --script http-enum 192.168.1.10` (`http-enum` script to enumerate web server directories)
- `nmap 192.168.1.0/24 --exclude 192.168.1.5`

The Nmap Scripting Engine allows users to write and use scripts to automate a wide variety of networking tasks.
- `nmap --script vuln 192.168.1.10` (`vuln` category)
- `nmap --script http-title,ssh-hostkey 192.168.1.10`
- `nmap --script http-brute --script-args userdb=users.txt,passdb=passes.txt 192.168.1.10`

- `nmap -sn 10.0.0.0/24`
- `nmap -sV --script vuln 10.0.0.5`
- `nmap -Pn -f -D decoy1,decoy2,decoy3 10.0.0.5`
- `nmap -p- --script vuln 10.0.0.5`
- `nmap -T4 -A -v 10.0.0.0/16`

Below is a chart listing the top 40 Nmap commands, compatible across Windows, Mac, and Linux platforms. Nmap commands are generally consistent across these operating systems.
| # | Command | Description | Windows | Mac | Linux |
|---|---|---|---|---|---|
| 1 | nmap -sS target | TCP SYN scan (stealth scan) | ✔ | ✔ | ✔ |
| 2 | nmap -sT target | TCP connect scan | ✔ | ✔ | ✔ |
| 3 | nmap -sU target | UDP scan | ✔ | ✔ | ✔ |
| 4 | nmap -sA target | TCP ACK scan | ✔ | ✔ | ✔ |
| 5 | nmap -sW target | TCP Window scan | ✔ | ✔ | ✔ |
| 6 | nmap -sM target | TCP Maimon scan | ✔ | ✔ | ✔ |
| 7 | nmap -sV target | Service version detection | ✔ | ✔ | ✔ |
| 8 | nmap -O target | OS detection | ✔ | ✔ | ✔ |
| 9 | nmap -A target | Aggressive scan options | ✔ | ✔ | ✔ |
| 10 | nmap -v target | Verbose output | ✔ | ✔ | ✔ |
| 11 | nmap -Pn target | Disable host discovery (skip ping) | ✔ | ✔ | ✔ |
| 12 | nmap -p 80 target | Scan specific port | ✔ | ✔ | ✔ |
| 13 | nmap -p 1-100 target | Scan range of ports | ✔ | ✔ | ✔ |
| 14 | nmap -p- target | Scan all ports | ✔ | ✔ | ✔ |
| 15 | nmap -sC target | Scan with default scripts | ✔ | ✔ | ✔ |
| 16 | nmap --script=default target | Run specific scripts | ✔ | ✔ | ✔ |
| 17 | nmap -D decoy1,decoy2 target | Decoy scan to mask the source IP | ✔ | ✔ | ✔ |
| 18 | nmap -f target | Fragment packets | ✔ | ✔ | ✔ |
| 19 | nmap -T0 target | Slowest scan (Paranoid) | ✔ | ✔ | ✔ |
| 20 | nmap -T5 target | Fastest scan (Insane) | ✔ | ✔ | ✔ |
| 21 | nmap -oN output.txt target | Save output to a file (normal format) | ✔ | ✔ | ✔ |
| 22 | nmap -oX output.xml target | Save output in XML format | ✔ | ✔ | ✔ |
| 23 | nmap -oG output.grep target | Save output in grepable format | ✔ | ✔ | ✔ |
| 24 | nmap --open target | Show only open ports | ✔ | ✔ | ✔ |
| 25 | nmap --max-retries 2 target | Set maximum number of port scan probe retries | ✔ | ✔ | ✔ |
| 26 | nmap --host-timeout 60m target | Set maximum time for host scan | ✔ | ✔ | ✔ |
| 27 | nmap --script-updatedb | Update script database | ✔ | ✔ | ✔ |
| 28 | nmap -6 target | Scan IPv6 addresses | ✔ | ✔ | ✔ |
| 29 | nmap -sI zombie_host target | Idle scan using zombie host | ✔ | ✔ | ✔ |
| 30 | nmap -sY target | SCTP INIT scan | ✔ | ✔ | ✔ |
| 31 | nmap -sZ target | SCTP COOKIE-ECHO scan | ✔ | ✔ | ✔ |
| 32 | nmap --script http-enum target | Enumerate directories on web server | ✔ | ✔ | ✔ |
| 33 | nmap --script smb-os-discovery target | Discover OS over SMB | ✔ | ✔ | ✔ |
| 34 | nmap --script ftp-anon target | Check for anonymous FTP login | ✔ | ✔ | ✔ |
| 35 | nmap --script ssl-heartbleed target | Check for Heartbleed vulnerability | ✔ | ✔ | ✔ |
| 36 | nmap --traceroute target | Perform traceroute to target | ✔ | ✔ | ✔ |
| 37 | nmap -iL list.txt | Scan targets from a file | ✔ | ✔ | ✔ |
| 38 | nmap target --exclude host1,host2 | Exclude hosts from scan | ✔ | ✔ | ✔ |
| 39 | nmap -S spoofed_ip target | Spoof source IP address | ✔ | ✔ | ✔ |
| 40 | nmap --script "vuln and safe" target | Run safe vulnerability scripts | ✔ | ✔ | ✔ |
Note: All commands listed are compatible across Windows, Mac, and Linux, provided Nmap is properly installed and executed with appropriate permissions (e.g., administrative or root privileges when required).
Nmap is used for network discovery, management, and security auditing. It helps in discovering hosts, open ports, services, and potential vulnerabilities on a network.
Yes, Nmap is legal to use for authorized network scanning and security auditing. Scanning networks or systems without permission is illegal and unethical. Always obtain proper authorization before performing scans.
- `brew update`
- `brew upgrade nmap`

- `sudo apt-get update`
- `sudo apt-get install nmap`

- `wget https://nmap.org/dist/nmap-<version>.tar.bz2`
- `tar xvjf nmap-<version>.tar.bz2`
- `cd nmap-<version>`
- `./configure`
- `make`
- `sudo make install`

Yes, Nmap can help identify the presence of firewalls and IDS by analyzing responses or lack thereof. Techniques like ACK scans (-sA), FIN scans (-sF), and using decoys can provide insights into firewall rules and IDS behaviors.
The Nmap Scripting Engine allows users to write and use scripts to automate a wide variety of networking tasks, including advanced service detection, vulnerability detection, and more. It significantly extends Nmap’s capabilities.
You can perform a stealth scan using the SYN scan (-sS), which sends SYN packets and analyzes the response without completing the TCP handshake.
Use the -p- option to scan all 65535 TCP ports:
nmap -p- target
Yes, Nmap can scan UDP ports using the -sU option. Note that UDP scans can be slower and less reliable due to the nature of the protocol.
Use the output options:
- `-oN output.txt`
- `-oX output.xml`
- `-oG output.grep`
- `-oA output`

Timing templates (-T0 to -T5) control the speed and aggressiveness of scans. Lower numbers are slower and more cautious, while higher numbers are faster but more likely to be detected and less reliable on congested networks.
Nmap is an indispensable tool for network administrators and security professionals. Its powerful features and versatility make it suitable for tasks ranging from simple network discovery to complex security auditing and compliance testing. By understanding and utilizing the wide array of commands and options available, users can effectively manage and secure their networks across Windows, Mac, and Linux platforms.
Whether you’re performing basic scans or leveraging advanced scripting capabilities, Nmap provides the flexibility and power needed to handle various network scenarios. Always remember to use Nmap responsibly and ethically, ensuring you have proper authorization before scanning any networks or systems.
For more detailed information and updates, visit the official Nmap documentation and the Nmap Reference Guide.