Nmap or Network Mapper is undoubtedly the best reconnaissance tool used by modern penetration testers. This open-source application has come a long way since its inception and proved to be a game-changer in network security. Nmap is widely used to determine critical information of a single network or range of networks. There’s an unending list of robust Nmap commands which allow security researchers to spot vulnerabilities in a network. Malicious users also heavily leverage Nmap for determining an entry point to unauthorized networks. Moreover, a large library of pre-built scripts makes Nmap more powerful than ever.

Nmap Commands for System Admins
You can easily find problems in external networks by simply performing some simple Nmap scans. It has excellent documentation, so you won’t have to memorize different Nmap commands altogether. You can easily find information from the manual if you know what functionality youre looking for. Additionally, a pre-built set of robust NSE scripts help automate common tasks. Since Nmap offers a massive combination of commands, its essential to master the basic commands first. We’ll show how to do simple network scans using Nmap in the following section.

Scan a Single Host
A host is any machine connected to a particular network. Nmap allows admins to scan hosts using their IP address or hostname easily. The below command scans the 1000 common ports and lists all open ports, their state, and service.

$ nmap

You can replace the IP with the hostname if you want, as shown below.

$ nmap hostname
Scan Multiple Hosts
Scanning multiple hosts at the same time is also very easy using Nmap. You can do this via simply entering the IP or hostnames one after another. The below example demonstrates this for you.

$ nmap
$ nmap hostname1 hostname2 hostname3
Nmap also provides a handy shorthand for this.

$ nmap,3,5
Scan Range of IP Addresses
You can also scan a range of IP addresses at once. The following command shows this in action.

$ nmap
This command will scan the first fifteen hosts of the subnetwork. Many people also use the wildcard for this purpose. Adding wildcards to your search will inspect every available host.

$ nmap 192.168.1.*
To scan an entire subnet, use the below command.

$ nmap
Read Hosts from File and Scan
Nmap can read host addresses from files and then scan them for port information. First, create a file containing some hosts, as shown.

$ echo -e " \nlocalhost" >> /tmp/hosts
$ cat /tmp/hosts
Now hosts should contain two lines consisting of localhost and the given IP range. Use the following command to read this using Nmap.

$ nmap -iL /tmp/hosts
Exclude Hosts from Nmap Scan

The –exclude option allows users to exclude specific hosts from a given IP range. You can use the –excludefile option to exclude hosts from a file. The below commands demonstrates this for you.

$ nmap --exclude,3,5
$ nmap -iL /tmp/hosts --excludefile /tmp/exclude
Here, the /tmp/exclude file contains the hosts that the user isn’t interested in. We’re not showcasing this file for keeping our guide as concise as possible.

Increase Scan Verbosity
The default search provides quite limited information. Nmap offers the -v option to add extra verbosity to your search. When used, this flag will force Nmap to output additional information about your search.

$ nmap -v
Simply adding this flag will enhance the output information by a considerable margin. Plus, it also helps beginners visualize how Nmap works under the hood.

Detect OS Information
Nmap is a suitable choice for many when it comes to remote OS detection. The -A flag tells Nmap to find and display OS information about the hosts youre testing.

$ nmap -A
$ nmap -A -v
So you can add the -v flag for getting additional information on your search result. Its a great way of mastering Nmap commands for beginners. The below command shows you how to detect OS information for hosts residing in a file.

$ nmap -v -A -iL /tmp/hosts
Get Firewall Information of Hosts

Any competitive system admin will keep networks behind firewalls. This may feed irrelevant information to potential Nmap searches. However, you can easily find out if a host is protected by a firewall using the next command.

$ nmap -sA
$ nmap -v -sA
If youre a starting Nmap user, we suggest you use the verbose flag v as much as possible. It will help you understand Nmaps workings in much detail.

Scan Firewall Protected Hosts
Hosts protected by external firewalls tend to feed unnecessary information to remote scanners like Nmap. If youve discovered your host of interest to be protected in such a way, use the below command.

$ nmap -PN hostname
$ nmap -PN
The above IP address represents the wireless router in my network. You can search for any hosts using either the IP or hostname.

Scan IPv6 Hosts
Although still not mainstream, IPv6 addresses are there and will become the standard representation of remote hosts in the near future. Nmap already rolls out support for IPv6 scanning. The following command shows you how to do this.

$ nmap -6 hostname
$ nmap --6 2001:0db8:85a3:0000:0000:8a2e:0370:7334
The hexadecimal representation denotes the host in the second example. You can add additional flags to increase the quality of your Nmap search results.

Scan Hosts for Specific Ports
Nmap allows admins to check hosts for only some specific ports. The below commands will demonstrate this with necessary examples.

$ nmap -p 21,22,80,443 localhost
$ nmap -p 21,22,80,443
You can also specify a range of ports, as shown below.

$ nmap -p 1-65535 localhost
This command will scan your localhost network for all common ports.

Additional Port Scanning Methods
Nmap can discover and inspect all types of ports. The next examples demonstrate how to scan for UDP ports, use wildcards, etc. To do UDP port scanning, use the following command.

$ nmap -p U:53, 67, 111
To scan both TCP and UDP ports, use the following syntax.

$ nmap -p -T:20-25,80,443 U:53, 67, 111
The next one scan for ports using a wildcard. It will scan for all available port configurations for the given host.

$ nmap -p "*"
The following Nmap command scans for only the 10 most common ports.

$ nmap --top-ports 10
List Hosts without Port Scanning
Since port scanning a host is intrusive, many admins do no directly scan their hosts for ports. Rather they use Nmap to send a simple ping to get a list of available hosts on a network. Malicious attackers also leverage such methods in an attempt to stay invisible.

$ sudo nmap -sn
You’ll need sudo privileges to get the most out of this command. Else Nmap won’t be able to send the TCP ACK request and may miss potential hosts.

Do a Fast Scan of Hosts

If you use Nmap for scanning random hosts and ports, it’ll take quite some time. Instead, you could use the fast mode where Nmap searches only for the most common ports and boosts up the scan time by some factors.

$ nmap -F
$ nmap -F localhost
The -F flag enters Nmap into this fast mode.

Display Open Ports Only

Nmap port scans list all open and filtered ports for a host. You can limit your output to only those hosts that have open ports. However, this command also prints out possibly open ports that are perhaps filtered by external applications.

$ nmap --open
$ nmap --open localhost
See Why a Port is in a Certain State

Nmap allows users to investigate why a certain port is in some specific state. You’ll need to utilize the –reason option for getting such results. The next command demonstrates this in action.

$ nmap --reason localhost
$ nmap --reason
The above commands will show the reasons behind a ports current state. This information greatly helps in debugging and allows experts to visualize their target ports better.

Display Network Interfaces and Routes

Understanding network configurations is essential to both security analysts and malicious users. Both want to how a potential host is connected with the worldwide web. You can use Nmap to outline the interfaces and routes of a selected host easily. The next command will show this in action.

$ nmap --iflist
The above command will display the routes and interfaces with information like device name, IP, gateway, and so on.

Set Timing Template

One of the most useful features of Nmap is its robust timing parameters. You can easily control the amount of time taken by each Nmap scan using the -T option. The next commands show this in action.

$ nmap --top-ports 10 -T4
This command will take significantly less time to complete when compared with the standard syntax. You can change the value of -T from 0 to 5, where 5 denotes the most aggressive scan and 0 the most polite. Aggressive timing parameters may cause Nmap to crash the hosts under inspection though. The default Nmap scan utilizes -T3.

Enable OS Detection
Although weve shown you how to get OS-specific information using the -A option, there’s another way to do this. The -O flag enables OS detection for a host or range of hosts.

$ nmap -v -O localhost
$ nmap -O
These Nmap commands might fail to recognize some OS, especially if theyre protected using firewalls. The next example shows you how to use aggressive OS detection for overcoming this.

$ nmap -O --osscan-guess
Detect Service and Version Information

The following commands demonstrate how you can use Nmap to detect service and version information. Malicious users usually use this to check whether a host is running any vulnerable service or not.

$ nmap -sV
Adding -sV enables Nmap version detection. It provides much similar information you got earlier using the -A option. Since this command scans all available hosts for the subnet, it may take a longer time. The next example speeds up this process using the -T option mentioned earlier.

$ nmap -T5 -sV
Scan Hosts Using TCP SYN

Often you’ll find remote systems firewalls blocking the standard ICMP pings sent by your usual Nmap port scans. You can use the TCP SYN scan to get out of this situation.

$ sudo nmap -PS20-25,80,110,443
The above command enables Nmap to discover if a host is up and scans its ports without completing the standard TCP communication.

Scan Hosts Using TCP ACK

The TCP ACK method works almost like the above command. However, they work really well at finding the existence of even the most protected remote hosts. Since TCP ACK packets send acknowledging data over established TCP connections, the remote hosts need to let them know their location.

$ sudo nmap -PA20-25,80,110,443
Both of the two above commands allow users to specify ports as they do with -p. However, neither -PS nor -PA allows any space after them. So be aware of this, or else your searches will not bring valid information.
Get OS Fingerprints
OS Fingerprinting refers to collecting passive information of remote hosts during network communications. Nmap allows system admins to do this, as demonstrated below easily. This is useful for cloaking the presence of your scan from the remote systems firewall but still getting relevant OS information.

$ nmap -sT
The above connection scheme is known as TCP connect scan in Nmap.

Scan Using IP Protocols

Sometime you might come across hosts that do not allow the IP protocols youre sending. You can get around this issue by determining what IP protocols the host allows by using the below command.

$ nmap -v -sO
Once you get the supported protocols, you can use the appropriate Nmap command to scan this host.

Scan for Weaknesses in Firewall/IDS
its very common for testers to stumble upon firewalls or intrusion detection systems that reject Nmaps scanning attempts. Thankfully, robust Nmap commands allow users to get around this issue by giving them firewall information. The below commands will demonstrate this for you.

$ nmap -sN
$ nmap -sF
$ nmap -sX
The first command sends a null TCP flag, the second one sets the FIN bit, and the last one sets FIN, PSH, and URG bits. They trick non-stateful firewalls in giving up information about a ports’ state.

Scan Remote Hosts using SCTP

The SCTP scan is a silent but useful scan technique preferred by testers due to its effectiveness. Only highly configured IDS systems can detect such scans, so they perform very well in real-life scenarios.

$ sudo nmap -sZ --top-ports 20 -T4
The above command scan for the top 20 common ports for the specified subnet. You can omit the timing parameter if you want to be more stealthy and has no problem to wait for a few more minutes.

Scan Remote Hosts using Idle Scan

Also known as Zombie host scan, this type of scan literally creates a zombie host on the network and scan other hosts from that host.

$ sudo nmap -sI
In the above command, is the zombie host, and is the target remote machine.

Scan Remote Hosts using ARP Pings

This is the best Nmap command to discover remote hosts as of now. Since no firewalls can block ARP requests, this is a useful technique for seasoned network testers.

$ sudo nmap -PR
However, you’ll need to have access to the local network if you want to use this command. But it shouldnt be a problem for professional penetration testers.

Determine Route to Remote Host
If youre a seasoned system admin, chances are youve already worked with traceroute. It is a compelling UNIX tool that maps routes to target machines in a network. The below command demonstrates how you can use traceroute from Nmap.

$ sudo nmap --traceroute
This command will output the HOP distances and the times to reach the destination.

Disable Reverse DNS Resolution for All Hosts

By default, Nmap performs reverse DNS resolution for only hosts that are discovered online. However, they decrease Nmaps performance by a considerable factor. Ethical hackers usually turn this off for all hosts since they could obtain DNS information legally from their clients.

$ nmap -n
This will increase your search speed by a significant margin. I usually use this instead of -T to maintain my search speed while still maintaining anonymity.

Retrieve Version Information

Earlier, weve obtained version information for OS and other services. The problem is that most of the time Nmap shows the default services associated with a port. This can cause problems for testers since hosts can use any other services instead of the default service for some ports.

$ nmap -V
This command will display much relevant information such as the platform, compilation tools, and so on.

Control Version Detection

weve shown you how to detect version information of remote services using the standard -sV flag. The following command demonstrates how to control version detection using similar Nmap commands.

$ nmap -sV --version-intensity 5
This performs very aggressive version detection and is likely to alarm the remote host. You can lower the value of the –version-intensity option to increase anonymity. However, this will limit version detection. The next command performs a light banner grabbing of the specified host.

$ nmap -sV --version-intensity 1
Scan Hosts Using Ip Fragments

Nmap allows system admins to scan remote hosts via utilizing fragmented IP packets. It essentially breaks down the IP packets into small parts and makes them hard to detect via external IDS/firewalls.

$ sudo nmap -f
Users can also set personalized offsets using the –mtu option, as shown below.

$ sudo nmap --mtu 16
Use Decoy IP Addresses

Since most commercial systems are protected by highly configured firewalls, they often detect remote port scans very fast. This is problematic for both security auditors and intrusive system breakers. Nmap allows users to use decoy IPs for cloaking their identity for this purpose.

$ nmap --top-ports 10 -D10.1.1.2,,
Lets assume your IP is the second one(, and youre scanning Now the remote host will know about the scan but can’t know for sure about their origin.

Use Default Safe Scripts

NSE comes pre-loaded with a large number of safe scripts that do their tasks exceptionally well. The next command utilizes the default safe script for version detection.

$ nmap -sV -sC
Usually, scanning with NSE scripts rather than standard options will yield more accurate information. The above command executes the default version detection script for Nmap.

Use Specific NSE Scripts

You can locate all the available NSE scripts in your system using the command $ locate *.nse. These scripts are written using Lua and allows users to create personalized scripts that you want. The next command uses a specific NSE script called whois-ip.

$ nmap --script=whois-ip.nse scanme.nmap.org
You can easily replace the hostname with your target IP to get relevant whois information. Note that the .nse extension is not mandatory.

Scan for Common Files/Directories

The http-enum.nse NSE script sends over 2000 queries for common files and directories. You can use this script to get critical information on whether some known services exist on a remote server or not.

$ nmap -n --script=http-enum.nse
This command will try to obtain essential service information using the said script.

Get HTTP Page Titles

You can use the Nmap http-title script for obtaining the titles of remote web pages. This can be extremely helpful at deducing the content of remote servers. Check out the below command to see this into action.

$ nmap --script=http-title
This command will fetch and display the HTTP title.

Use Multiple Script Categories

By default, NSE scripts are categorized by their usage, such as brute, discovery, exploit, and vuln. You can instruct Nmap to use all scripts that belong to some categories, as shown below.

$ nmap --script discovery,brute
The above command will utilize all NSE scripts that belong to the categories’ discovery and brute. So, it will try to discover available hosts and try to brute-force them.

Use Wildcards for Script Selection
Nmap allows you to use the wildcard character “*” for selecting all scripts that match some criteria. The following command will utilize all scripts that start with ssh.

$ nmap --script "ssh*"
You can add additional options to these types of Nmap commands for greater flexibility.

Use Boolean Expressions for Script Selection

Nmap allows users to select their NSE scripts using boolean expressions such as and, or, not. The below commands will demonstrate some examples of this.

$ nmap --script "not vuln"
$ nmap --script "default or broadcast"
$ nmap --script /path/to/scripts
The first example loads all NSE scripts but vuln. The second command loads scripts from either default or broadcast categories. The final example loads scripts from a directory. You can write personalized NSE scripts and load them this way.

Get Script Documentation

Since Nmap offers an abundance of default and custom scripts, its hard to remember the details about them. Thankfully, Nmap offers excellent documentation for its NSE scripts. The below commands will show you how to invoke them for detailed information.

$ nmap --script-help "ssh-*"
$ nmap --script-help "ssh-*" and "discovery"
The first example shows help for all scripts that start with ssh- and the second one shows discovery scripts alongside the ssh-ones.

Miscellaneous Nmap Commands

Since Nmap commands allow users to combine a plethora of options, you can easily create an unending number of commands. We outline some often used commands in the below section.

Inspect Heartbleed Vulnerability

The SSL Heartbleed vulnerability is a well-known attack surface for starting malicious attackers. The next command checks whether a host contains this vulnerability using the NSE script heartbleed.

$ nmap -sV -p 443 --script=ssl-heartbleed
The output of this command can help network admins to check for outdated SSL services and patch them before any intrusion attempts.

Retrieve IP Information

Digging up IP information is one of the first tasks remote attackers do when checking up on a target. Some essential IP information includes whois data, geolocation, etc. The next command illustrates Nmaps usage in such passive reconnaissance.

$ nmap --script=whois*,ip-geolocation-maxmind,asn-query
This command finds out information about the remote hosts whois entry, geolocation, and asn queries using ready-made NSE scripts.

Save Nmap Outputs

Although Nmaps default output format is great, often, you’ll want to save your scan output for later use. its very easy, as you can see from the below examples.

$ nmap -oN scan-report -n
$ nmap -n > scan-report
The first example scans the remote host and saves the output to a file called scan-report in the current directory. You can also do this using the Unix redirection operator, as demonstrated by the second example.

Additional Output Formats

There’re several Nmap commands that allow users to format their output more conveniently. The below examples demonstrate some essential ones for you.

$ nmap -oX scan-report.xml -n
$ nmap -oG scan-report -n
$ nmap -oA scan-report -n
The first one saves scan results as an XML file. The second example saves the result in a format that can be easily accessed by grep. The last example tells Nmap to save results in all formats.

Feed Nmap Scan Results to Nikto

Nikto is a compelling vulnerability scanner that is used to detect dangerous files, misconfigured CGIs, legacy servers, and so on. The following command feeds Nmap scan results to Nikto.

$ nmap --top-ports 10 -oG - | /path/of/nikto.pl -h -
Now Nikto will use your Nmap result for performing its own scan.

Grab Banner Using NSE Script

Banner grabbing is a widely used information-gathering technique that reveals service information of open ports in remote hosts. The below command grabs the banners of a network using the NSE banner script.

$ nmap --script=banner
Consult Nmap Documentation

Since Nmap has largely grown over time, its pretty hard to remember all of its functions for beginners. Luckily, the Nmap documentation provides excellent information to help to start users with this issue.

$ nmap --help
$ man nmap
The first command will provide you with all available options for Nmap. You can consult the manual if looking for detailed information using the last one.

We use cookies to personalize and enhance your experience on our site. By using our site, you agree to our use of cookies.
  More information about cookies