Nmap
Quick Reference

```sh
nmap [scan type] [options] <target>
```

Targets can be IPs (10.10.10.1), ranges (10.10.10.1-50), CIDR (10.10.10.0/24), or hostnames (example.com). Multiple targets are separated by spaces.
Scan Types

| Flag | Scan | Notes |
|---|---|---|
| -sS | TCP SYN (stealth) | Default when running as root. Half-open: sends SYN and never completes the handshake, so most applications never log a connection. Needs raw sockets (root). |
| -sT | TCP connect | Full handshake via connect(). Default without root. Slower, and the connection shows up in the target's application logs. |
| -sU | UDP | Slow; probes that get no answer are reported open\|filtered. Requires root. Combine with -sS (e.g. -sS -sU) to cover both protocols in one run. |
| -sn | Ping sweep (no port scan) | Host discovery only. |
| -sV | Version detection | Probes open ports for service and version banners. Combines with any scan type (e.g. -sS -sV). |
| -sA | ACK scan | Maps firewall rules: RST back means unfiltered, no reply or ICMP unreachable means filtered. Never reports a port as open. |
| -sN / -sF / -sX | Null / FIN / Xmas | Rely on RFC 793 behaviour: a closed port answers an odd-flag probe with RST, an open port stays silent. Unreliable against Windows and other stacks that send RST for every port regardless of state. |
Common Options

| Flag | Purpose |
|---|---|
| -p 22,80,443 | Scan specific ports |
| -p- | Scan all 65535 TCP ports (1-65535); port 0 is excluded |
| -p 1-1000 | Scan a port range |
| --top-ports 100 | Scan the 100 most common ports (ranked by nmap-services frequency); without -p the default is the top 1000 |
| -O | OS detection (requires root) |
| -A | Aggressive: OS detection, version detection, default scripts and traceroute (-O -sV -sC --traceroute) |
| -T0 to -T5 | Timing template (0=paranoid, 3=normal/default, 4=aggressive, 5=insane; -T5 trades accuracy for speed) |
| -oN file | Normal output to file |
| -oX file | XML output |
| -oG file | Grepable output (one line per host) |
| -oA basename | All three formats: basename.nmap, basename.gnmap, basename.xml |
| -v / -vv | Verbose / very verbose |
| --open | Only show open (or open\|filtered) ports |
| -Pn | Skip host discovery and treat every target as online; needed when ICMP and the discovery probes are filtered |
| -n | No DNS resolution |
| --reason | Show the packet or response that put a port in its state |
Common Patterns

Fast initial sweep

```sh
sudo nmap -sS -p- --min-rate 5000 -oN full-scan.txt 10.10.10.x
```

Finds all open TCP ports quickly; -sS needs root. --min-rate 5000 sends packets regardless of what the path tolerates, so on lossy links or rate-limited targets ports can be missed; if the result looks thin, rerun with a lower rate. Follow up with targeted version/script scans on the discovered ports.
Targeted service enumeration

```sh
nmap -sCV -p 22,80,443,8080 -oN services.txt 10.10.10.x
```

-sCV is shorthand for -sC -sV (nmap accepts several scan-type letters after a single -s): default scripts plus version detection, restricted to the specified ports.
UDP scan (top ports)

```sh
sudo nmap -sU --top-ports 50 --min-rate 3000 -oN udp.txt 10.10.10.x
```

UDP is slow (open ports usually don't respond, so each one has to time out), so limit it to the top ports unless you have time. Requires root. Ports that never answer are reported as open|filtered; adding -sV makes nmap send service probes that can turn some of those into a definite open.
Subnet host discovery

```sh
nmap -sn 10.10.10.0/24 -oG hosts.txt
```

Quick ping sweep. Grepable output is easy to parse for live hosts: each host line looks like `Host: <ip> (<name>)<TAB>Status: Up`, so the IP is the second whitespace-separated field. Matching on "Status: Up" rather than a bare "Up" avoids false hits on hostnames:

```sh
grep "Status: Up" hosts.txt | awk '{print $2}'
```

NSE Scripts
Nmap Scripting Engine: hundreds of Lua scripts for enumeration, vulnerability checks and brute forcing.

```sh
# Run default scripts
nmap -sC 10.10.10.x

# Run a specific script
nmap --script http-enum 10.10.10.x

# Run a script category
nmap --script vuln 10.10.10.x

# Script with arguments
nmap --script http-brute --script-args http-brute.path=/admin 10.10.10.x
```

Useful script categories
| Category | Purpose |
|---|---|
| default | Safe, general-purpose enumeration; what -sC and -A run |
| vuln | Checks for specific known vulnerabilities; reports only when one is found |
| safe | Won't crash services, flood the network or exploit anything |
| intrusive | May crash services or be noisy enough to be treated as an attack; use with caution |
| discovery | Service and host discovery |
| auth | Authentication handling and bypass checks (e.g. anonymous logins); brute forcing lives in brute |
| brute | Brute-force attacks |
List all scripts:

```sh
ls /usr/share/nmap/scripts/
```

Search script contents for a keyword (this also catches scripts that mention the protocol without carrying it in their filename):

```sh
grep -l "smb" /usr/share/nmap/scripts/*.nse
```

Once you have candidates, nmap --script-help with a script name or quoted glob prints each script's documentation, including its arguments and categories.
Output Tips

Save everything with -oA; you'll want the grepable and XML formats later:

```sh
nmap -sCV -p- -oA full-scan 10.10.10.x
```

This creates full-scan.nmap (normal), full-scan.gnmap (grepable) and full-scan.xml.
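The .gnmap file that -oG/-oA writes is the format the subnet-discovery one-liner above greps, and it is also the quickest way to hand the ports from a -p- sweep to the targeted -sCV scan. The following Python is an added example, not code from the original page or from the Nmap project: it parses constructed .gnmap lines (the addresses, ports and banners are made up) for both cases, keeps only ports nmap actually reported as open, and builds the follow-up command. Splitting port entries on a comma only where the next port number begins is what keeps banners containing commas from breaking the parse.

```python
"""Parse nmap grepable output (.gnmap, from -oG or -oA).

Added example; not code from the original page or from the Nmap project.
The .gnmap text below is constructed to follow nmap's grepable layout
(one tab-separated 'Host:' line per host); addresses and banners are made up.
"""
import re

# Constructed: what `nmap -sn 10.10.10.0/24 -oG hosts.txt` writes.
SWEEP_GNMAP = (
    "# Nmap 7.94 scan initiated Tue Jan  2 10:00:00 2024 as: nmap -sn -oG hosts.txt 10.10.10.0/24\n"
    "Host: 10.10.10.1 ()\tStatus: Up\n"
    "Host: 10.10.10.5 (web01.example.internal)\tStatus: Up\n"
    "Host: 10.10.10.40 ()\tStatus: Down\n"
    "# Nmap done at Tue Jan  2 10:00:03 2024 -- 256 IP addresses (2 hosts up) scanned in 2.91 seconds\n"
)

# Constructed: a TCP+UDP scan saved with -oG. Banners may contain spaces and
# parentheses, and UDP ports that never answered come back as open|filtered.
PORTS_GNMAP = (
    "# Nmap 7.94 scan initiated Tue Jan  2 10:05:00 2024 as: nmap -sS -sU -sV -p T:1-65535,U:161 -oG full-scan.gnmap 10.10.10.5\n"
    "Host: 10.10.10.5 ()\tStatus: Up\n"
    "Host: 10.10.10.5 ()\tPorts: "
    "22/open/tcp//ssh//OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 (Ubuntu Linux; protocol 2.0)/, "
    "80/open/tcp//http//Apache httpd 2.4.52 ((Ubuntu))/, "
    "161/open|filtered/udp//snmp///, "
    "8080/filtered/tcp//http-proxy///"
    "\tIgnored State: closed (65532)\n"
    "# Nmap done at Tue Jan  2 10:05:20 2024 -- 1 IP address (1 host up) scanned in 20.12 seconds\n"
)

HOST_LINE = re.compile(r"^Host: (\S+) \(([^)]*)\)\t(.*)$")
# Entries are comma-separated, but banners can contain commas, so only split
# where the next entry (a port number followed by a slash) actually begins.
ENTRY_SPLIT = re.compile(r", (?=\d+/)")


def live_hosts(gnmap_text):
    """IPs whose line carries 'Status: Up' (what the grep/awk one-liner pulls out)."""
    hosts = []
    for line in gnmap_text.splitlines():
        m = HOST_LINE.match(line)
        if m and "Status: Up" in m.group(3).split("\t"):
            hosts.append(m.group(1))
    return hosts


def open_ports(gnmap_text, include_ambiguous=False):
    """Map each host to its open ports as (port, proto, service, version).

    Only state 'open' counts. UDP 'open|filtered' (no reply, could be either)
    is excluded unless include_ambiguous=True; filtered/closed are dropped.
    """
    found = {}
    for line in gnmap_text.splitlines():
        m = HOST_LINE.match(line)
        if not m:
            continue
        host, fields = m.group(1), m.group(3).split("\t")
        for field in fields:
            if not field.startswith("Ports: "):
                continue
            for entry in ENTRY_SPLIT.split(field[len("Ports: "):]):
                # Layout: port/state/proto/owner/service/rpcinfo/version/
                parts = entry.split("/", 6)
                if len(parts) < 7:
                    continue
                port, state, proto, _owner, service, _rpc, version = parts
                if state == "open" or (include_ambiguous and state == "open|filtered"):
                    found.setdefault(host, []).append(
                        (int(port), proto, service, version.rstrip("/")))
    return found


def followup_command(host, ports, outfile="services.txt"):
    """Build the targeted -sCV scan that the fast-sweep pattern hands off to."""
    tcp = sorted({p for p, proto, _svc, _ver in ports if proto == "tcp"})
    return "nmap -sCV -p %s -oN %s %s" % (",".join(str(p) for p in tcp), outfile, host)


if __name__ == "__main__":
    print("live:", live_hosts(SWEEP_GNMAP))
    for host, ports in open_ports(PORTS_GNMAP).items():
        for port, proto, service, version in ports:
            print("%s %d/%s %s %s" % (host, port, proto, service, version))
        print(followup_command(host, ports))
```

Run it against a real file with `open_ports(open("full-scan.gnmap").read())`; pass `include_ambiguous=True` when you deliberately want the open|filtered UDP ports carried into the -sV follow-up.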
Converting XML to HTML report

```sh
xsltproc full-scan.xml -o report.html
```

This works because nmap's XML carries an xml-stylesheet processing instruction pointing at nmap.xsl on the machine that ran the scan. If the file has been copied elsewhere, pass the stylesheet explicitly:

```sh
xsltproc /usr/share/nmap/nmap.xsl full-scan.xml -o report.html
```
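Beyond HTML reports, the XML is what to parse when you need results programmatically: unlike .gnmap it keeps product, version, extra info and NSE script output as separate fields. The Python below is an added example, not code from the original page or from the Nmap project. It reads a constructed -oX fragment (fictitious hosts, banners and script results) laid out like nmap's output, skips hosts that were down and ports that were not open, and answers the usual "which hosts expose service X" question.

```python
"""Extract open ports and service banners from nmap XML output (-oX / -oA).

Added example; not code from the original page or from the Nmap project.
SAMPLE_XML is a constructed fragment laid out like nmap's -oX output with
fictitious hosts, banners and script results.
"""
import xml.etree.ElementTree as ET

SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet href="file:///usr/share/nmap/nmap.xsl" type="text/xsl"?>
<nmaprun scanner="nmap" args="nmap -sCV -p- -oA full-scan 10.10.10.5-6" start="1704189600" version="7.94">
  <host starttime="1704189600" endtime="1704189700">
    <status state="up" reason="syn-ack"/>
    <address addr="10.10.10.5" addrtype="ipv4"/>
    <address addr="00:0C:29:12:34:56" addrtype="mac"/>
    <hostnames><hostname name="web01.example.internal" type="PTR"/></hostnames>
    <ports>
      <extraports state="closed" count="65532"/>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack" reason_ttl="64"/>
        <service name="ssh" product="OpenSSH" version="8.9p1 Ubuntu 3ubuntu0.6"
                 extrainfo="Ubuntu Linux; protocol 2.0" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack" reason_ttl="64"/>
        <service name="http" product="Apache httpd" version="2.4.52" extrainfo="(Ubuntu)" method="probed" conf="10"/>
        <script id="http-title" output="Welcome to web01"/>
      </port>
      <port protocol="tcp" portid="8080">
        <state state="filtered" reason="no-response" reason_ttl="0"/>
        <service name="http-proxy" method="table" conf="3"/>
      </port>
    </ports>
  </host>
  <host starttime="1704189600" endtime="1704189601">
    <status state="down" reason="no-response"/>
    <address addr="10.10.10.6" addrtype="ipv4"/>
  </host>
  <runstats><finished time="1704189700" elapsed="100.00"/><hosts up="1" down="1" total="2"/></runstats>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return one dict per host that was up: addr, hostname and its open ports
    (port, proto, service, banner, scripts). Down hosts and non-open ports are skipped."""
    if isinstance(xml_text, str):
        xml_text = xml_text.encode("utf-8")  # let expat honour the encoding declaration
    root = ET.fromstring(xml_text)
    hosts = []
    for host in root.iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:  # IPv6 scans carry addrtype="ipv6"; take whatever is there
            addr = host.find("address")
        name = host.find("hostnames/hostname")
        record = {
            "addr": addr.get("addr") if addr is not None else None,
            "hostname": name.get("name") if name is not None else None,
            "ports": [],
        }
        for port in host.iterfind("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            service, banner = None, ""
            if svc is not None:
                service = svc.get("name")
                # -sV splits the banner into product/version/extrainfo; rejoin what is present
                banner = " ".join(
                    v for v in (svc.get("product"), svc.get("version"), svc.get("extrainfo")) if v)
            record["ports"].append({
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "service": service,
                "banner": banner,
                "scripts": {s.get("id"): s.get("output") for s in port.findall("script")},
            })
        hosts.append(record)
    return hosts


def hosts_running(hosts, service_name):
    """(addr, port) pairs where nmap identified the named service, e.g. to list
    every ssh or smb endpoint across a whole subnet's scan."""
    return [(h["addr"], p["port"]) for h in hosts for p in h["ports"] if p["service"] == service_name]


if __name__ == "__main__":
    for h in parse_nmap_xml(SAMPLE_XML):
        print(h["addr"], h["hostname"] or "")
        for p in h["ports"]:
            print("  %d/%s %s %s %s" % (p["port"], p["proto"], p["service"], p["banner"], p["scripts"]))
    print("http on:", hosts_running(parse_nmap_xml(SAMPLE_XML), "http"))
```

For a real scan, `parse_nmap_xml(open("full-scan.xml", "rb").read())` gives the same structure; the open-only filter is deliberate, so if you want filtered ports for firewall mapping (-sA output), relax the state check.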