Essential Nmap commands for network discovery, port scanning, service detection, and security auditing.
(Simple scans to discover hosts and open ports)

| Command(s) | Explanation |
|---|---|
| `nmap <target>` | Performs a basic scan of the target (by default the 1000 most common TCP ports). |
| `nmap <IP-range>` | Scans a range of IPs (e.g., `nmap 192.168.1.1-100`). |
| `nmap <subnet>` | Scans a whole subnet (e.g., `nmap 192.168.1.0/24`). |
| `nmap -iL <file>` | Reads the target list from a file. |
| `nmap -sP <subnet>` (old) / `nmap -sn <subnet>` (new) | Host discovery (ping scan) without port scanning. |
(Control how ports are scanned)

| Command(s) | Explanation |
|---|---|
| `nmap -p <port>` | Scans a specific port (e.g., `nmap -p 80`). |
| `nmap -p <range>` | Scans a port range (e.g., `nmap -p 20-100`). |
| `nmap -p- <target>` | Scans all 65,535 ports. |
| `nmap -F <target>` | Fast scan (only the top 100 ports). |
| `nmap -sS <target>` | SYN scan (half-open "stealth" scan; the default when run as root). |
| `nmap -sT <target>` | TCP connect scan (used when a SYN scan is not possible, e.g. without raw-socket privileges). |
| `nmap -sU <target>` | UDP port scan. |
| `nmap -sA <target>` | ACK scan (used to map firewall rules: filtered vs. unfiltered ports). |
| `nmap -sW <target>` | Window scan (an ACK-scan variant that uses the TCP window field; helps map firewalls and, on some systems, tell open from closed ports). |
(Identify running services and versions)

| Command(s) | Explanation |
|---|---|
| `nmap -sV <target>` | Detects the versions of services running on open ports. |
| `nmap -p <ports> -sV <target>` | Version detection on specific ports only. |
| `nmap --version-intensity <0-9>` | Adjusts version detection intensity (0 = light, 9 = aggressive). |
(Discover operating systems and device details)

| Command(s) | Explanation |
|---|---|
| `nmap -O <target>` | Enables OS detection. |
| `nmap -A <target>` | Aggressive scan: includes OS detection, version detection, script scanning, and traceroute. |
| `nmap --osscan-limit` | Limits OS detection to promising targets (hosts with at least one open and one closed TCP port). |
| `nmap --osscan-guess` | Makes OS detection guess more aggressively when no exact match is found. |
(Save and format results)

| Command(s) | Explanation |
|---|---|
| `nmap -oN <file>` | Normal output to a file. |
| `nmap -oG <file>` | Grepable output for easy parsing. |
| `nmap -oX <file>` | XML output (machine-readable). |
| `nmap -oA <basename>` | Saves results in all formats (normal, grepable, XML). |
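Of the output formats above, XML (`-oX`) is the one to process programmatically. The script below is an added example (not part of this cheat sheet or of Nmap itself): it reads a hand-constructed `-oX` document that mirrors Nmap's `nmaprun/host/ports/port` layout, builds an inventory of open ports with the services `-sV` identified, and compares it against a hypothetical per-host baseline so newly exposed services stand out during a security audit. The sample XML and the `EXPECTED_PORTS` baseline are assumptions, not output from a real scan.

```python
"""Parse Nmap XML output (-oX) into an inventory and flag unexpected open ports.

Added example, not part of the cheat sheet. SAMPLE_XML is constructed by hand
to mirror Nmap's -oX schema and stands in for a real scan file; EXPECTED_PORTS
is a hypothetical baseline of what each host is supposed to expose.
"""
import xml.etree.ElementTree as ET

# Constructed sample: roughly what `nmap -sV -oX scan.xml 192.168.1.10-11` emits
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 192.168.1.10-11" version="7.94">
  <host>
    <status state="up" reason="echo-reply"/>
    <address addr="192.168.1.10" addrtype="ipv4"/>
    <hostnames><hostname name="web01.example.internal" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="8.9p1" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack"/>
        <service name="http" product="nginx" version="1.18.0" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="3306">
        <state state="open" reason="syn-ack"/>
        <service name="mysql" product="MySQL" version="8.0.32" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="443">
        <state state="closed" reason="reset"/>
        <service name="https" method="table" conf="3"/>
      </port>
    </ports>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="192.168.1.11" addrtype="ipv4"/>
  </host>
</nmaprun>
"""

# Hypothetical baseline: (protocol, port) pairs each host is expected to expose
EXPECTED_PORTS = {
    "192.168.1.10": {("tcp", 22), ("tcp", 80)},
}


def parse_open_ports(xml_text):
    """Return one dict per open port: host, protocol, port, service, product, version."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # hosts that never responded carry no port data
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        addr = addr_el.get("addr")
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # only open ports belong in the exposure inventory
            svc = port.find("service")
            findings.append({
                "host": addr,
                "protocol": port.get("protocol"),
                "port": int(port.get("portid")),
                "service": svc.get("name", "") if svc is not None else "",
                "product": svc.get("product", "") if svc is not None else "",
                "version": svc.get("version", "") if svc is not None else "",
            })
    return findings


def unexpected_ports(findings, expected):
    """Return open ports missing from the per-host baseline (an exposure drift check)."""
    return [
        f for f in findings
        if (f["protocol"], f["port"]) not in expected.get(f["host"], set())
    ]


if __name__ == "__main__":
    inventory = parse_open_ports(SAMPLE_XML)
    for f in inventory:
        print(f"{f['host']}:{f['port']}/{f['protocol']}  {f['service']}  "
              f"{f['product']} {f['version']}".rstrip())
    for f in unexpected_ports(inventory, EXPECTED_PORTS):
        print(f"ALERT: unexpected open port {f['host']}:{f['port']}/{f['protocol']} ({f['service']})")
```

Running it against the constructed sample lists the three open ports on 192.168.1.10 and raises one alert for 3306/tcp (MySQL), the only service not in the baseline; the downed host and the closed 443/tcp port are skipped. Feeding it a real `-oX` file is a matter of replacing `SAMPLE_XML` with the file's contents.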
(Bypass firewalls and IDS/IPS systems)