Nmap, short for "Network Mapper", is a powerful open-source tool for network discovery and security auditing. It is one of the most popular and widely used network scanners in the cybersecurity community. Nmap discovers hosts, services, and open ports on computer networks, which supports vulnerability assessment and penetration testing.
Navigation
  • Basic Scans
  • Advanced Scanning
  • Scanning Specific Hosts
  • Script Scanning
  • Timing and Performance
  • Port Specification and Scan Order
  • Output Options
  • Additional Options
  • Host Discovery
  • Firewall/IDS Evasion and Spoofing
  • Scanning Behind a Proxy

Basic Scans

sudo nmap -sS 10.1.1.1   #TCP SYN scan
sudo nmap -sT 10.1.1.1   #TCP Connect scan
sudo nmap -sA 10.1.1.1   #TCP ACK scan
sudo nmap -sW 10.1.1.1   #TCP Window scan
sudo nmap -sM 10.1.1.1   #TCP Maimon scan
sudo nmap -sU 10.1.1.1   #UDP scan
sudo nmap -sN 10.1.1.1   #TCP Null scan
sudo nmap -sF 10.1.1.1   #TCP FIN scan
sudo nmap -sX 10.1.1.1   #TCP Xmas scan
sudo nmap -sY 10.1.1.1   #SCTP INIT scan
sudo nmap -sZ 10.1.1.1   #SCTP COOKIE ECHO scan
sudo nmap -sn 10.1.1.1   #Ping scan (no port scan)
sudo nmap -sL 10.1.1.1   #List scan
sudo nmap -sO 10.1.1.1   #IP Protocol scan

Advanced Scanning

sudo nmap -sV 10.1.1.1              #Version detection
sudo nmap -A 10.1.1.1               #OS detection, version detection, script scanning, and traceroute
sudo nmap -O 10.1.1.1               #OS detection
sudo nmap -O --osscan-guess 10.1.1.1   #Guess more aggressively when OS detection is inconclusive (only meaningful with -O)
sudo nmap -O --osscan-limit 10.1.1.1   #Limit OS detection to hosts with at least one open and one closed TCP port (only meaningful with -O)

Scanning Specific Hosts

sudo nmap 10.1.1.1                     #Scan a single IP
sudo nmap 10.1.1.1 10.1.1.2            #Scan specific IPs
sudo nmap -iL inputfile.txt            #Input from list of hosts/networks
sudo nmap -iR 100                      #Scan 100 random hosts
sudo nmap --exclude 10.1.1.1           #Exclude specified hosts
sudo nmap --exclude-file exclude.txt   #Exclude list from file
sudo nmap hacker.com                   #Scan a domain
sudo nmap 10.1.1.1-254                 #Scan a range
sudo nmap 10.1.1.1/24                  #Scan a CIDR range

Script Scanning

sudo nmap -sC 10.1.1.1                                 #Default script scan
sudo nmap --script <script_name> 10.1.1.1              #Run specific script
sudo nmap --script-args <n1=v1,[n2=v2,...]> 10.1.1.1   #Provide arguments to scripts
sudo nmap --script-trace 10.1.1.1                      #Show all data sent and received
sudo nmap --script-updatedb                            #Update the script database

Timing and Performance

sudo nmap -T0 10.1.1.1                            #Paranoid (Serial, very slow, stealthy)
sudo nmap -T1 10.1.1.1                            #Sneaky (Slow, stealthy)
sudo nmap -T2 10.1.1.1                            #Polite (Slows down to use less bandwidth and target machine resources)
sudo nmap -T3 10.1.1.1                            #Normal (Default)
sudo nmap -T4 10.1.1.1                            #Aggressive (Speeds up scan; risks detection)
sudo nmap -T5 10.1.1.1                            #Insane (Very fast; likely to be detected)
sudo nmap --min-hostgroup <size> 10.1.1.1         #Minimum number of hosts per group
sudo nmap --max-hostgroup <size> 10.1.1.1         #Maximum number of hosts per group
sudo nmap --min-parallelism <num> 10.1.1.1        #Minimum number of parallel operations
sudo nmap --max-parallelism <num> 10.1.1.1        #Maximum number of parallel operations
sudo nmap --min-rtt-timeout <time> 10.1.1.1       #Minimum RTT timeout
sudo nmap --max-rtt-timeout <time> 10.1.1.1       #Maximum RTT timeout
sudo nmap --initial-rtt-timeout <time> 10.1.1.1   #Initial RTT timeout
sudo nmap --max-retries <num> 10.1.1.1            #Maximum retries
sudo nmap --host-timeout <time> 10.1.1.1          #Give up on target after this long
sudo nmap --scan-delay <time> 10.1.1.1            #Wait at least this long between probes
sudo nmap --max-scan-delay <time> 10.1.1.1        #Wait at most this long between probes
sudo nmap --defeat-rst-ratelimit 10.1.1.1         #Don't slow down for RST rate limiting; unresponsive ports may be reported as filtered instead of closed
sudo nmap --min-rate <number> 10.1.1.1            #Send packets no slower than <number> per second
sudo nmap --max-rate <number> 10.1.1.1            #Send packets no faster than <number> per second

Port Specification and Scan Order

sudo nmap -p 80 10.1.1.1                  #Scan specific port
sudo nmap -p 1-65535 10.1.1.1             #Scan all ports
sudo nmap -p U:53,T:80 10.1.1.1           #Scan UDP port 53 and TCP port 80
sudo nmap --top-ports 20 10.1.1.1         #Scan top 20 ports
sudo nmap --top-ports 1000 10.1.1.1       #Scan top 1000 ports
sudo nmap -F 10.1.1.1                     #Fast scan (100 most common ports instead of the default 1000)
sudo nmap --port-ratio <ratio> 10.1.1.1   #Scan top ports up to the given ratio

Output Options

sudo nmap -oN outputfile.txt 10.1.1.1                   #Normal output
sudo nmap -oX outputfile.xml 10.1.1.1                   #XML output
sudo nmap -oS outputfile.s 10.1.1.1                     #Script kiddie output
sudo nmap -oG outputfile.gnmap 10.1.1.1                 #Grepable output
sudo nmap -oA outputfile 10.1.1.1                       #All formats (N, X, G)
sudo nmap -oN outputfile.txt --append-output 10.1.1.1   #Append to the output file instead of overwriting it
sudo nmap --resume outputfile.txt                       #Resume an aborted scan from its normal or grepable output file (no other options or targets)
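Of the formats above, -oX is the one to keep for inventory and change tracking. Added example (not from the original cheat sheet): a Python parser for nmap XML output that lists open ports per host and reports ports newly open relative to a baseline scan; SAMPLE_XML is a constructed, abbreviated result, not a real scan.

```python
import xml.etree.ElementTree as ET
# Constructed, abbreviated sample of nmap -oX output (not from a real scan).
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sV -oX out.xml 10.1.1.1">
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="10.1.1.1" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack"/>
        <service name="http"/>
      </port>
      <port protocol="tcp" portid="443">
        <state state="filtered" reason="no-response"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""
def parse_open_ports(xml_text):
    """Return {ip: {(proto, port): service_name}} for ports nmap reported open."""
    root = ET.fromstring(xml_text)
    result = {}
    for host in root.findall("host"):
        addr = host.find("address[@addrtype='ipv4']")
        status = host.find("status")
        if addr is None or status is None or status.get("state") != "up":
            continue  # skip hosts that were down or have no IPv4 address
        ports = result.setdefault(addr.get("addr"), {})
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports are not part of the inventory
            svc = port.find("service")
            name = svc.get("name", "unknown") if svc is not None else "unknown"
            ports[(port.get("protocol"), int(port.get("portid")))] = name
    return result

def new_open_ports(baseline, current):
    """Ports open in `current` but not in `baseline`, keyed by host: the drift a defender wants to see."""
    diff = {}
    for ip, ports in current.items():
        added = {k: v for k, v in ports.items() if k not in baseline.get(ip, {})}
        if added:
            diff[ip] = added
    return diff
```

Run the same scan on a schedule with -oX, keep the previous file as the baseline, and alert on whatever new_open_ports returns.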

Additional Options

sudo nmap -v 10.1.1.1              #Increase verbosity level
sudo nmap -vv 10.1.1.1             #Even more verbosity
sudo nmap -d 10.1.1.1              #Increase debugging level
sudo nmap -dd 10.1.1.1             #Even more debugging
sudo nmap --reason 10.1.1.1        #Show reason for host and port state
sudo nmap --open 10.1.1.1          #Only show open ports
sudo nmap --packet-trace 10.1.1.1  #Show all packets sent and received
sudo nmap --iflist                 #Show host interfaces and routes

Host Discovery

sudo nmap -PS80,443 10.1.1.1  #TCP SYN discovery on port 80 and 443
sudo nmap -PA80,443 10.1.1.1  #TCP ACK discovery on port 80 and 443
sudo nmap -PU53 10.1.1.1      #UDP discovery on port 53
sudo nmap -PY 10.1.1.1        #SCTP INIT ping
sudo nmap -PE 10.1.1.1        #ICMP Echo discovery
sudo nmap -PP 10.1.1.1        #ICMP Timestamp discovery
sudo nmap -PM 10.1.1.1        #ICMP Address Mask discovery
sudo nmap -Pn 10.1.1.1        #No ping - skips the discovery stage altogether
sudo nmap -n 10.1.1.0/24      #Never do reverse DNS resolution on discovered hosts (faster, no DNS traffic)
sudo nmap -R 10.1.1.0/24      #Always do reverse DNS resolution on the target IP

Firewall/IDS Evasion and Spoofing

sudo nmap -f 10.1.1.1                                                 #Fragment packets
sudo nmap -D RND:10 10.1.1.1                                          #Decoy scan with 10 random decoys
sudo nmap -S 192.168.0.1 10.1.1.1                                     #Spoof source address
sudo nmap -g 53 10.1.1.1                                              #Use given source port number
sudo nmap --source-port 53 10.1.1.1                                   #Use given source port number
sudo nmap --data-length 50 10.1.1.1                                   #Append random data to sent packets
sudo nmap --ip-options <options> 10.1.1.1                             #Send packets with specified ip options
sudo nmap --ttl <value> 10.1.1.1                                      #Set IP time-to-live field
sudo nmap --spoof-mac <mac address, prefix, or vendor name> 10.1.1.1  #Spoof MAC address

Scanning Behind a Proxy

sudo nmap --proxies <url1,url2> 10.1.1.1   #Use proxies for scan