Complete Nmap Commands Reference
Master network scanning with this comprehensive guide to Nmap commands. From basic scans to advanced security testing.
What is Nmap?
Nmap (Network Mapper) is a free and open-source network scanner created by Gordon Lyon. It's used to discover hosts and services on a computer network by sending packets and analyzing the responses. Nmap is widely used by network administrators, security professionals, and ethical hackers for:
- Network inventory: Discover all devices connected to your network
- Security auditing: Find open ports and potential vulnerabilities
- Service detection: Identify running services and their versions
- OS fingerprinting: Detect operating systems of network devices
Basic Nmap Scans
Standard Nmap Scan
[Basic] The most basic Nmap scan: it scans the 1,000 most common TCP ports on the target host.
nmap [hostname]
Example:
nmap scanme.nmap.org
Fast Scan
[Basic] Scans only the 100 most common ports. Much faster than a standard scan, ideal for quick assessments.
nmap -F [hostname]
Use case:
Perfect for quickly checking if basic services are running
Ping Scan (Host Discovery)
[Basic] Only performs host discovery (a ping scan) to find which hosts are online; no port scanning is performed.
nmap -sn [hostname]
Note: this was previously done with the -sP flag; -sn is now the preferred option.
Port Scanning Techniques
Scan Specific Ports
[Intermediate] Target specific ports or port ranges for more focused scanning.
nmap -p 21,22,25,80,110,143,443,445 [hostname]
Common ports:
- 21: FTP | 22: SSH | 25: SMTP | 80: HTTP
- 110: POP3 | 143: IMAP | 443: HTTPS | 445: SMB
Scan All TCP Ports
[Intermediate] Comprehensive scan of all 65,535 TCP ports. Takes longer but ensures no open port is missed.
nmap -p- [hostname]
Warning: This scan can take a long time to complete
UDP Port Scan
[Advanced] Scan UDP ports instead of TCP. UDP scanning is slower and less reliable, but it is important for finding services such as DNS, DHCP, and SNMP.
nmap -sU [hostname]
nmap -sU -p- [hostname] # All UDP ports
Scan Top N Ports
[Basic] Scan the N most commonly used ports; choose N to fit your needs.
nmap --top-ports 20 [hostname]
Replace 20 with any number to scan that many of the most common ports
Service & Version Detection
Service Version Detection
[Intermediate] Probe open ports to determine service and version information. Essential for vulnerability assessment.
nmap -sV [hostname]
nmap -sV -p 21,22,25,80,110,143,443,445 [hostname]
What you'll discover:
- Service name (e.g., Apache, nginx, OpenSSH)
- Version numbers (e.g., Apache 2.4.41)
- Operating system hints
Aggressive Version Detection
[Advanced] More intensive version detection, with a higher likelihood of triggering IDS/IPS alerts.
nmap -sV --version-intensity 9 [hostname]
Intensity levels: 0 (lightest) to 9 (most aggressive). Default is 7.
Operating System Detection
Enable OS Detection
[Intermediate] Attempt to identify the target's operating system using TCP/IP stack fingerprinting.
nmap -O [hostname]
Requires at least one open and one closed port to work effectively
Aggressive Scan (OS + Version + Scripts + Traceroute)
[Advanced] Combines OS detection, version detection, script scanning, and traceroute in one command.
nmap -A [hostname]
This is equivalent to:
nmap -O -sV -sC --traceroute [hostname]
Nmap Scripting Engine (NSE)
Run Default Scripts
[Intermediate] Execute the default set of NSE scripts for common enumeration and vulnerability detection.
nmap -sC [hostname]
Retrieve HTTP Headers
[Basic] Extract HTTP headers from web servers to identify technologies and potential security issues.
nmap --script http-headers [hostname]
Banner Grabbing
[Basic] Retrieve service banners to identify service types and versions.
nmap --script banner [hostname]
HTTP Vulnerability Scanning
[Advanced] Run all HTTP vulnerability detection scripts against web servers.
nmap --script "http-vuln*" [hostname]
Warning: Use only on systems you own or have permission to test
Reverse DNS Lookup
[Basic] Perform reverse DNS lookups to map IP addresses to hostnames.
nmap -sn -Pn --script fcrdns [hostname]
Malware Detection
[Advanced] Check whether the web server is hosting known malware or has been compromised.
nmap -sV --script=http-malware-host [hostname]
Advanced Scanning Techniques
Firewall/IDS Evasion
[Advanced] Use fragmented packets and decoys to evade firewalls and intrusion detection systems.
nmap -f [hostname] # Fragment packets
nmap -D RND:10 [hostname] # Use 10 decoy IPs
ACK Scan (Firewall Detection)
[Advanced] Determine firewall rules and whether ports are filtered. Does not determine whether ports are open.
nmap -sA [hostname]
Helps map out firewall rulesets and filter configurations
Timing Templates
[Intermediate] Control scan speed, from paranoid (stealthy) to insane (fast but easily detected).
nmap -T0 [hostname] # Paranoid (IDS evasion)
nmap -T4 [hostname] # Aggressive (faster)
Templates:
T0 (Paranoid) | T1 (Sneaky) | T2 (Polite) | T3 (Normal) | T4 (Aggressive) | T5 (Insane)
Save Output to File
[Basic] Save scan results in various formats for later analysis or reporting.
nmap -oN output.txt [hostname] # Normal format
nmap -oX output.xml [hostname] # XML format
nmap -oA output [hostname] # All formats
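The XML produced by -oX is the format to feed into tooling, and it carries exactly the fields the Service Version Detection section lists (service name, product, version) plus the port state. The following is an added example, not part of this reference and not Nmap's own code: a small Python parser that turns an -oX file into a per-host inventory and, for the network-inventory use case, flags open ports that are not on an allowlist you maintain. The embedded XML is constructed to look like Nmap's output (the host 192.0.2.10, the hostname web.example.test and the product/version strings are made up); in practice you would point parse_nmap_xml_file() at a real -oX file.

```python
"""Turn Nmap -oX output into a port/service inventory and flag unexpected open ports.

Added example (not from the original reference or from the Nmap project). The
XML below is a constructed sample in the shape of Nmap's -oX format.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from pathlib import Path

# Constructed sample of an -oX file for one host; values are invented.
SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -sV -oX out.xml 192.0.2.10" version="7.94">
  <host>
    <status state="up" reason="echo-reply"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <hostnames><hostname name="web.example.test" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="8.9p1" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack"/>
        <service name="http" product="Apache httpd" version="2.4.41" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="443">
        <state state="closed" reason="reset"/>
        <service name="https" method="table" conf="3"/>
      </port>
      <port protocol="tcp" portid="445">
        <state state="filtered" reason="no-response"/>
        <service name="microsoft-ds" method="table" conf="3"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""


@dataclass(frozen=True)
class Finding:
    host: str
    hostname: str
    protocol: str
    port: int
    state: str
    service: str
    product: str
    version: str

    def label(self) -> str:
        """Render one line in the style of Nmap's port table, e.g. '80/tcp open http Apache httpd 2.4.41'."""
        desc = " ".join(part for part in (self.service, self.product, self.version) if part)
        return f"{self.port}/{self.protocol} {self.state} {desc}".rstrip()


def parse_nmap_xml(xml_text: str, states=("open",)) -> list[Finding]:
    """Collect every <port> whose state is in `states`, for each host reported as up."""
    root = ET.fromstring(xml_text)
    findings: list[Finding] = []
    for host in root.iter("host"):
        status = host.find("status")
        if status is not None and status.get("state") != "up":
            continue
        # Prefer the IPv4 address; fall back to whatever address element exists.
        # (Element truthiness depends on child count, so test against None explicitly.)
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            addr_el = host.find("address")
        addr = addr_el.get("addr", "?") if addr_el is not None else "?"
        hn = host.find("hostnames/hostname")
        hostname = hn.get("name", "") if hn is not None else ""
        for port in host.iter("port"):
            state_el = port.find("state")
            state = state_el.get("state", "") if state_el is not None else ""
            if state not in states:
                continue
            svc = port.find("service")
            attrs = svc.attrib if svc is not None else {}   # -sV fills product/version
            findings.append(Finding(addr, hostname, port.get("protocol", "tcp"),
                                    int(port.get("portid", "0")), state,
                                    attrs.get("name", ""), attrs.get("product", ""),
                                    attrs.get("version", "")))
    return findings


def unexpected_open_ports(findings: list[Finding], allowed: dict[str, set[int]]) -> list[Finding]:
    """Inventory check: open ports not in the per-host allowlist (hosts absent from the list allow nothing)."""
    return [f for f in findings if f.state == "open" and f.port not in allowed.get(f.host, set())]


def parse_nmap_xml_file(path) -> list[Finding]:
    """Convenience wrapper for a real -oX file on disk."""
    return parse_nmap_xml(Path(path).read_text(encoding="utf-8"))


if __name__ == "__main__":
    for f in parse_nmap_xml(SAMPLE_XML, states=("open", "filtered")):
        print(f.host, f.hostname, f.label())
    # Allowlist says only 22/tcp is expected on this host, so 80/tcp is reported.
    for f in unexpected_open_ports(parse_nmap_xml(SAMPLE_XML), {"192.0.2.10": {22}}):
        print("UNEXPECTED:", f.host, f.label())
```

Filtered ports are excluded by default because they say nothing about what is listening; pass states=("open", "filtered") when the point of the scan is to compare against firewall rules (as with -sA). Keeping the -oX file alongside the parsed inventory matters for the "Document Everything" advice below: the raw XML is the evidence, the parsed table is the summary.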
Best Practices & Legal Considerations
Legal Authorization
Always obtain written permission before scanning networks or systems you don't own. Unauthorized scanning is illegal in many jurisdictions.
Timing Matters
Use appropriate timing templates. Aggressive scans can disrupt services. Start with polite scans (T2) and adjust as needed.
Document Everything
Save scan outputs using -oA for comprehensive records. This helps with analysis and provides evidence of your findings.
Privacy & Ethics
Respect privacy and follow ethical hacking guidelines. Use your skills to improve security, not to cause harm.