Lighter than the official manual but summarizing many options.

Scan for active hosts

  • Ping sweep: use ICMP to scan for up hosts (previously -sP)
    nmap -sn
  • TCP SYN ping: TCP RST if port is closed, 3-way handshake if port is open
    nmap -PS 21,80,8080,443,3306
  • TCP ACK ping: TCP RST if port is open
    nmap -PA 21,80,8080,443,3306
  • UDP ping: ICMP port unreachable if active, ICMP host/network unreachable if inactive
    nmap -PU
  • ARP ping (local network only)
    nmap -PR
  • Disable/enable DNS resolution for every host (faster/slower)
    nmap -n/-R

Scan host open ports

  • Scan 1000 most common TCP ports
    nmap -sT
  • Scan 1000 most common UDP ports
    nmap -sU
  • Scan 20 most common TCP ports
    nmap -sT --top-ports=20
  • Scan range of TCP ports
    nmap -sT -p 1-1337
  • Scan known ports in nmap-services file (~1200)
    nmap -F
  • TCP SYN scan: default for root user, doesn’t establish full TCP connection
    nmap -sS
  • TCP connect() scan: default for non-root user, does establish full TCP connection
    nmap -sT
  • UDP scan: DNS, SNMP, DHCP (can be combined with TCP scans)
    nmap -sU
  • Null/FIN/Xmas TCP scans: exploit a loophole in the TCP RFC to determine if a port is open/closed
    • Null scan: no TCP flag:
      nmap -sN
    • FIN scan: only FIN TCP flag:
      nmap -sF
    • Xmas scan: FIN, PSH and URG TCP flags:
      nmap -sX
    • Response: RST => closed | none => open
  • TCP ACK scan: Only determines if the firewall rules are stateful/stateless
    • Response: RST => non-filtered | none/ICMP => filtered
      nmap -sA
  • TCP window scan: Same as TCP ACK scan but can determine open/closed ports
    • If RST response: TCP window > 0 => open | TCP window = 0 => closed
      nmap -sW
  • Idle scan: full stealth blind TCP port scan
    nmap -sI
  • Scan host even if ping scan fails
    nmap -PN
  • Give the reason of the port state
    nmap --reason

Ports states

  • open
    • The service accepts TCP/UDP connections
  • closed
    • No service listening
  • filtered
    • Probes blocked by a firewall
  • unfiltered
    • Only from TCP ACK ping: port is accessible but nmap is unable to determine if open/closed. Other scan techniques can help find out
  • open|filtered
    • Nmap cannot determine if the service doesn’t respond or if it is behind a firewall
  • closed|filtered
    • Only from idle scan (based on the IP packet identifier): nmap cannot determine if the port is closed or behind a firewall

Get more info on host

  • OS detection (based on default OS TTL, TCP window, stuff like that)
    nmap -O
  • OS detection (based on host’s SMB server)
    nmap --script smb-os-discovery.nse
  • Aggressive scan (shortcut for ‘-O -sV -sC --traceroute’)
    nmap -A

Get more info on services

  • Services versions detection
    nmap -sV
    nmap -sV --version-intensity 9
  • Zone transfer
    nmap --script=dns-zone-transfer -p53

Timing and performance

  • Paranoid: 0
    • IDS evasion
    • 5 minutes between probes
  • Sneaky: 1
    • IDS evasion
    • 15 seconds between probes
  • Polite: 2
    • Less bandwidth/target machine resources
    • May take 10 times longer than default (0.4 seconds between probes)
  • Normal: 3
    • Default
  • Aggressive: 4
    • Reasonably fast, modern and reliable network
  • Insane: 5
    • Sacrifice some accuracy for speed
    • Not recommended
  • nmap -T5

Firewall/IDS evasion and spoofing

  • Fragment packets (only TCP/UDP scans and OS detection)
    nmap -f -sS -sU -O
  • Spoof source IP address (Reply sent to spoofed IP)
    nmap -S -e eth0 -Pn
  • Spoof source MAC address
    • Random MAC address
      nmap --spoof-mac 0
    • Specific vendor
      nmap --spoof-mac Apple
    • Specific MAC address
      nmap --spoof-mac 01:02:03:04:05:06
      nmap --spoof-mac deadcafebabe
  • Spoof source port
    nmap --source-port 1337
    nmap -g 1337
  • Randomize target hosts order
    nmap --randomize-hosts
  • Relay TCP connections through proxies
    • No authentication
    • Only HTTP and SOCKS4
      nmap --proxies,
  • Append data to sent packets
    • Binary data (hex format)
      nmap --data 0xdeadbeef
    • String data
      nmap --data-string "l1k3 my h4xx0r 5k1llz ?"
    • Random data (number of bytes to append)
      nmap --data-length 10

Nmap Script Engine (NSE)

  • Scan using the default set of scripts (legal disclaimer)
    nmap -sC
    nmap --script=default
  • Script located in a custom directory (nmap default scripts in $NMAPDIR/scripts/scripts.db)
    nmap --datadir=/home/user/nmap-scripts/ --script "my-script1,my-script2"
    nmap --script "/home/user/nmap-scripts/my-script1.nse"
  • Wildcard script selection (only works in scripts.db)
    nmap --script "http-*"
  • Not intrusive scripts
    nmap --script "not intrusive"
  • Scripts in categories default OR safe
    nmap --script "default,safe"
  • Scripts in categories default AND safe
    nmap --script "default and safe"
  • Scripts in categories default OR safe, not starting with “http”
    nmap --script "(default or safe) and not http-*"
  • Print incoming/outgoing script communications
    nmap -sC --script-trace
  • Update scripts.db (run on its own, with no targets)
    • Useful if scripts were added/removed from nmap’s default location, or changed categories
      nmap --script-updatedb

Output options

  • Verbosity level
    nmap -v3
  • Debugging level
    nmap -d9
  • Reason of scan results
    nmap --reason
  • Periodic timing stats
    nmap --stats-every 30s

Save results in a file

  • Normal format
    nmap -oN scan.nmap
  • XML format
    nmap -oX nmap.xml
  • Grepable format
    nmap -oG scan.gnmap
  • Skiddy format (recommended for hacking)
    nmap -oS hacking.txt
  • All formats (.nmap, .xml, .gnmap)
    nmap -oA scan
  • Append rather than overwrite
    nmap -oN scan.nmap --append-output
  • Resume scan from file
    nmap --resume scan.nmap

  • IPv6 scanning
    nmap -6

Runtime interaction

  • Verbosity level increase/decrease
    v / V
  • Debugging level increase/decrease
    d / D
  • Packet tracing on/off
    p / P
  • Runtime interaction help screen
    ?
  • Status message (time elapsed, scan current %)
    Any other key (space ftw)