Nmap 7.x.x+
A practical reference guide (with examples) for network discovery and security auditing using Nmap (Network Mapper).
What is Nmap?
Nmap (Network Mapper) is a free and open-source tool used for network discovery, host detection, service enumeration, OS fingerprinting, and security auditing. It works by sending specially crafted packets to hosts and analyzing their responses.
nmap [Scan Type(s)] [Options] <target specification>
| Phase | Goal | Typical Actions | Common Nmap Options / Examples |
|---|---|---|---|
| Recon | Understand target scope with minimal noise | Identify IP ranges, resolve names, list hosts | -sL, -n, --system-dns |
| Discovery | Identify live hosts | Ping sweeps, ARP discovery, reachability | -sn, -PR, -Pn |
| Enumeration | Identify services and configurations | Port scanning, version detection, safe NSE | -p, -sV, -sC, --script discovery,safe,version |
| Validation | Confirm weaknesses without exploitation | Targeted vuln checks, auth testing | --script vuln, --script auth, script-specific NSE |

| Mistake | What Happens | Why It Happens | How to Avoid It | Better Alternative |
|---|---|---|---|---|
| UDP scans taking forever | Scans appear to hang, take hours, or never complete | UDP is connectionless, many ports are silently dropped, and the default retry count is high | Limit ports, reduce retries, increase timing | -sU -p 53,67,161 --max-retries 2 -T4 |
| Misusing -A everywhere | Extremely noisy scans, IDS/IPS alerts, service disruption | -A combines OS detection, version detection, traceroute, and NSE scripts | Use targeted flags only when needed | -sV, -O, or --script safe,discovery individually |
| NSE abuse in production | Service crashes, account lockouts, or incident response escalation | Running the vuln, brute, dos, or exploit categories without context | Stick to safe categories unless explicitly authorized | -sC, --script safe,version,discovery |
| Full port scans by default | Unnecessary noise and long scan times | Habitual -p 1-65535 usage | Start small, expand only if justified | -F, --top-ports 1000 |
| Ignoring scan timing | Scans either miss hosts or trigger alerts | Using default timing in sensitive environments | Tune timing per engagement | -T2 (stealth) or -T4 (speed) |
| Forgetting DNS impact | Slow scans or noisy DNS logs | Reverse DNS is enabled by default | Disable DNS when not needed | -n |

Nmap is not dangerous; careless usage is.
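The pitfalls in the table above can be checked before a scan is launched. The following pre-flight lint is an added example written for this guide, not part of Nmap: it parses an nmap command line and reports which of the table's mistakes it matches. The sets of options that take a value are an assumption covering the options used in this guide, and the risky script categories are the ones the guide tells you to avoid without explicit authorization.

```python
"""Pre-flight lint for an nmap command line, encoding the pitfalls from the table above.

Added example for this guide, not Nmap project code. LONG_WITH_VALUE, SHORT_WITH_VALUE
and TWO_PART are assumptions covering the options this guide uses; extend them for
other options that take a value.
"""
import re
import shlex

LONG_WITH_VALUE = {
    "--script", "--script-args", "--top-ports", "--max-retries", "--host-timeout",
    "--min-rate", "--max-rate", "--min-parallelism", "--max-parallelism",
    "--scan-delay", "--max-scan-delay", "--exclude", "--excludefile", "--dns-servers",
    "--mtu", "--source-port", "--data-length", "--spoof-mac", "--scanflags", "--ttl",
    "--stats-every",
}
SHORT_WITH_VALUE = {"-p", "-e", "-D", "-g"}  # value attached (-p80) or separate (-p 80)
TWO_PART = {"-o", "-i"}                      # -oA file, -iL file: letter attached, value separate
# Categories the guide says to run only with explicit authorization
RISKY_CATEGORIES = {"vuln", "brute", "dos", "exploit", "fuzzer", "intrusive"}


def parse_args(cmdline):
    """Split an nmap command line into (options, targets).

    options maps each option as typed ('-sU', '-T4', '--script', '-oA') to its value,
    or to True for flags that take none.
    """
    tokens = shlex.split(cmdline)
    while tokens and tokens[0] in ("sudo", "nmap"):
        tokens.pop(0)
    opts, targets, i = {}, [], 0
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("--"):
            name, eq, value = tok.partition("=")
            if name in LONG_WITH_VALUE and not eq and i + 1 < len(tokens):
                i, value = i + 1, tokens[i + 1]
            opts[name] = value if (eq or name in LONG_WITH_VALUE) else True
        elif tok.startswith("-") and len(tok) > 1:
            prefix, rest = tok[:2], tok[2:]
            if prefix in SHORT_WITH_VALUE:
                if not rest and i + 1 < len(tokens):
                    i, rest = i + 1, tokens[i + 1]
                opts[prefix] = rest
            elif prefix in TWO_PART and i + 1 < len(tokens):
                i += 1
                opts[tok] = tokens[i]
            else:
                opts[tok] = True
        else:
            targets.append(tok)
        i += 1
    return opts, targets


def lint(cmdline):
    """Return a list of (rule, message) findings; an empty list means no pitfall matched."""
    opts, targets = parse_args(cmdline)
    findings = []
    # Letters after -s are scan types; -sSU style combinations yield several letters
    scan_types = set("".join(k[2:] for k in opts if re.fullmatch(r"-s[A-Z]+", k)))
    ports = opts.get("-p")
    full_range = ports in ("-", "1-65535")
    limited = (ports is not None and not full_range) or "-F" in opts or "--top-ports" in opts

    if "U" in scan_types and (not limited or "--max-retries" not in opts):
        findings.append(("udp", "UDP scan without a port limit and --max-retries will crawl; "
                                "e.g. -sU -p 53,67,161 --max-retries 2 -T4"))
    if "-A" in opts:
        findings.append(("aggressive", "-A bundles -O, -sV, --traceroute and NSE; "
                                       "use only the flags you need"))
    script = opts.get("--script")
    if isinstance(script, str):
        requested = set(re.split(r"[,\s]+", script.strip()))
        risky = sorted(requested & RISKY_CATEGORIES) + (["all"] if "all" in requested else [])
        if risky:
            findings.append(("nse", "script selection needs explicit authorization: " + ", ".join(risky)))
    if full_range:
        findings.append(("full-ports", "all 65535 ports by default; start with -F or --top-ports 1000"))
    if not any(k.startswith("-T") for k in opts):
        findings.append(("timing", "no timing template; pick -T2 (quiet) or -T4 (fast) per engagement"))
    if "-n" not in opts and any("/" in t or "-" in t for t in targets):
        findings.append(("dns", "reverse DNS over a range or subnet is slow and noisy; add -n unless names are needed"))
    return findings


if __name__ == "__main__":
    for rule, message in lint("sudo nmap -A -sU 192.168.1.0/24"):
        print(f"[{rule}] {message}")
```

Running it on the noisy command line in the `__main__` block reports the UDP, -A, timing and DNS pitfalls; a tuned command such as `nmap -sV -n -T2 -p 22,80 192.168.1.1` reports nothing.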
| Option | Description | Root Required |
|---|---|---|
| -sS | TCP SYN scan (stealth; default when run as root) | ✅ Yes |
| -sT | TCP connect scan (default when run unprivileged) | ❌ No |
| -sU | UDP scan | ✅ Yes |
| -sN | TCP NULL scan | ✅ Yes |
| -sF | TCP FIN scan | ✅ Yes |
| -sX | TCP Xmas scan | ✅ Yes |
| -sA | TCP ACK scan | ✅ Yes |
| -sW | TCP Window scan | ✅ Yes |
| -sI | Idle (zombie) scan | ✅ Yes |
| -sO | IP protocol scan | ✅ Yes |
| -sR | RPC scan (legacy; in Nmap 7 it is an alias for -sV) | ❌ No |

| Command | Description | Root Required |
|---|---|---|
| nmap 192.168.1.1 | Scan a single target | ❌ No |
| nmap host1 host2 | Scan multiple targets (space separated) | ❌ No |
| nmap 192.168.1.1-50 | Scan a range of IPs | ❌ No |
| nmap 192.168.1.0/24 | Scan an entire subnet | ❌ No |
| nmap -iL targets.txt | Scan targets listed in a file | ❌ No |
| nmap -iR 10 | Scan 10 random hosts | ❌ No |
| nmap --exclude <target> | Exclude targets | ❌ No |
| nmap --excludefile file.txt | Exclude targets listed in a file | ❌ No |
| nmap -6 <target> | IPv6 scan | ❌ No |

| Option | Description | Root Required |
|---|---|---|
| -F | Fast scan (top 100 ports) | ❌ No |
| -p 22,80,443 | Scan specific ports | ❌ No |
| -p 1-65535 | Scan all TCP ports | ❌ No |
| -p T:80,U:53 | Protocol-specific ports | ❌ No |
| --top-ports N | Scan the N most common ports | ❌ No |
| -r | Scan ports sequentially instead of in random order | ❌ No |
| --open | Show only open ports | ❌ No |

| Purpose | Command | Key Options Used | Root Required |
|---|---|---|---|
| Fast scan of common ports | nmap -F 192.168.1.1 | -F (top 100 ports) | ❌ No |
| Scan specific TCP ports | nmap -p 22,80,443 192.168.1.1 | -p (explicit ports) | ❌ No |
| Scan all TCP ports aggressively | nmap -p 1-65535 -T4 192.168.1.1 | -p, -T4 | ❌ No |
| Top 1000 most common ports | nmap --top-ports 1000 192.168.1.1 | --top-ports | ❌ No |
| TCP SYN stealth scan | sudo nmap -sS 192.168.1.1 | -sS | ✅ Yes |
| Combined TCP and UDP scan | nmap -sT -sU -p T:22,80,U:53 192.168.1.1 | -sT, -sU | Partial (the UDP part requires root) |

| Option | Description | Root Required |
|---|---|---|
| -sV | Service/version detection | ❌ No |
| --version-trace | Troubleshoot version detection | ❌ No |
| -O | OS detection | ✅ Yes |
| --osscan-guess | Aggressive OS guessing | ✅ Yes |
| -A | Aggressive scan (OS detection, version detection, traceroute, default scripts) | ✅ Yes |

| Purpose | Command | Key Options Used | Root Required |
|---|---|---|---|
| Identify service versions | nmap -sV 192.168.1.1 | -sV | ❌ No |
| OS detection | sudo nmap -O 192.168.1.1 | -O | ✅ Yes |
| Aggressive OS guessing | sudo nmap -O --osscan-guess 192.168.1.1 | --osscan-guess | ✅ Yes |
| Full aggressive reconnaissance | sudo nmap -A 192.168.1.1 | -A | ✅ Yes |

| Option | Description | Root Required |
|---|---|---|
| -sn | Host discovery only (no port scan) | ❌ No |
| -Pn | Skip host discovery (treat all hosts as up) | ❌ No |
| -PS | TCP SYN ping | ❌ No |
| -PA | TCP ACK ping | ❌ No |
| -PU | UDP ping | ❌ No |
| -PY | SCTP INIT ping | ❌ No |
| -PE | ICMP echo request | ❌ No |
| -PP | ICMP timestamp request | ❌ No |
| -PM | ICMP address mask request | ❌ No |
| -PO | IP protocol ping | ❌ No |
| -PR | ARP ping (local LAN) | ✅ Yes |
| --traceroute | Perform traceroute | ❌ No (some environments may require privileges depending on probe type) |

| Purpose | Command | Key Options Used | Root Required |
|---|---|---|---|
| Discover live hosts on a subnet | nmap -sn 192.168.1.0/24 | -sn (host discovery only) | ❌ No |
| Scan a host even if ping is blocked | nmap -Pn 192.168.1.1 | -Pn (skip discovery) | ❌ No |
| Disable DNS for faster discovery | nmap -n 192.168.1.0/24 | -n (no reverse DNS) | ❌ No |

| Option | Description | Root Required |
|---|---|---|
| -n | Disable DNS resolution | ❌ No |
| -R | Force reverse DNS for all targets | ❌ No |
| --system-dns | Use the OS DNS resolver | ❌ No |
| --dns-servers | Specify DNS servers | ❌ No |
| -sL | List scan (no packets sent to targets) | ❌ No |

| Purpose | Command | Key Options Used | Root Required |
|---|---|---|---|
| Disable DNS resolution | nmap -n 192.168.1.1 | -n (no DNS lookup) | ❌ No |
| Force reverse DNS resolution | nmap -R 192.168.1.1 | -R (reverse DNS) | ❌ No |
| Use the system DNS resolver | nmap --system-dns 192.168.1.1 | --system-dns | ❌ No |
| Specify custom DNS servers | nmap --dns-servers 8.8.8.8,1.1.1.1 192.168.1.1 | --dns-servers | ❌ No |
| List targets without sending probes | nmap -sL 192.168.1.0/24 | -sL (list scan) | ❌ No |

| Option | Description | Root Required |
|---|---|---|
| -f | Fragment packets | ✅ Yes |
| --mtu N | Set the fragment MTU | ✅ Yes |
| -D RND:N | Decoy scan with N random decoys | ✅ Yes |
| --source-port P | Spoof the source port | ✅ Yes |
| --data-length N | Append N bytes of random data | ✅ Yes |
| --randomize-hosts | Randomize target order | ❌ No |
| --spoof-mac | Spoof the MAC address | ✅ Yes |
| --badsum | Send packets with bad checksums | ✅ Yes |

| Purpose | Command | Key Options Used | Root Required |
|---|---|---|---|
| Fragment packets to evade IDS | sudo nmap -sS -f 192.168.1.1 | -f | ✅ Yes |
| Use decoy addresses | sudo nmap -sS -D RND:5 192.168.1.1 | -D | ✅ Yes |
| Spoof source port and MAC | sudo nmap -sS --source-port 53 --spoof-mac 0 192.168.1.1 | --source-port, --spoof-mac | ✅ Yes |
| Randomize host order | nmap --randomize-hosts 192.168.1.0/24 | --randomize-hosts | ❌ No |

| Option | Description | Root Required |
|---|---|---|
| --scanflags | Custom TCP flags | ✅ Yes |
| --send-eth | Send raw Ethernet frames | ✅ Yes |
| --send-ip | Send raw IP packets | ✅ Yes |

| Purpose | Command | Key Options Used | Root Required |
|---|---|---|---|
| Send custom TCP flags | sudo nmap --scanflags SYNFIN 192.168.1.1 | --scanflags | ✅ Yes |
| Force raw Ethernet frame sending | sudo nmap --send-eth 192.168.1.1 | --send-eth | ✅ Yes |
| Force raw IP packet sending | sudo nmap --send-ip 192.168.1.1 | --send-ip | ✅ Yes |
| Custom flags with a SYN scan | sudo nmap -sS --scanflags SYNACK 192.168.1.1 | -sS, --scanflags | ✅ Yes |

| Option | Description | Root Required |
|---|---|---|
| -T0 to -T5 | Timing templates (paranoid to insane) | ❌ No |
| --ttl N | Set the IP TTL | ❌ No |
| --min-parallelism | Minimum number of parallel probes | ❌ No |
| --max-parallelism | Maximum number of parallel probes | ❌ No |
| --min-rate | Minimum packets per second | ❌ No |
| --max-rate | Maximum packets per second | ❌ No |
| --scan-delay | Delay between probes | ❌ No |
| --max-scan-delay | Maximum delay between probes | ❌ No |
| --host-timeout | Per-host timeout | ❌ No |
| --max-retries | Maximum probe retransmissions | ❌ No |
| --defeat-rst-ratelimit | Ignore RST rate limiting (faster, possibly less accurate) | ❌ No |

| Purpose | Command | Key Options Used | Root Required |
|---|---|---|---|
| Polite, low-noise scan | nmap -T2 192.168.1.1 | -T2 | ❌ No |
| Aggressive fast scan | nmap -T4 192.168.1.1 | -T4 | ❌ No |
| Rate-limited scan | nmap --min-rate 10 --max-rate 100 192.168.1.1 | --min-rate, --max-rate | ❌ No |
| Ignore RST rate limits | nmap --defeat-rst-ratelimit 192.168.1.1 | --defeat-rst-ratelimit | ❌ No |

| Option | Description | Root Required |
|---|---|---|
| -oN file.txt | Normal output | ❌ No |
| -oX file.xml | XML output | ❌ No |
| -oG file.gnmap | Grepable output | ❌ No |
| -oA file | All three formats at once (file.nmap, file.xml, file.gnmap) | ❌ No |
| --stats-every | Print periodic progress statistics | ❌ No |

| Purpose | Command | Key Options Used | Root Required |
|---|---|---|---|
| Save output in all formats | nmap -oA scan_results 192.168.1.1 | -oA | ❌ No |

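The grepable format is the one you reach for when a scan has to feed a script rather than a report. As an added example written for this guide (not Nmap project code), the following parser reads -oG output and answers the two questions that usually follow a scan: which ports are open on each host, and which hosts expose a given port. SAMPLE_GNMAP is a constructed excerpt; the layout it follows is Nmap's grepable format, where each port entry is port/state/protocol/owner/service/rpcinfo/version.

```python
"""Parse Nmap grepable output (-oG) and pull out open ports per host.

Added example for this guide, not Nmap project code. SAMPLE_GNMAP is a constructed
-oG excerpt; the field layout it follows is Nmap's grepable format:
  Host: <ip> (<name>)<TAB>Ports: <port>/<state>/<proto>/<owner>/<service>/<rpcinfo>/<version>/, ...
"""
import re
from collections import defaultdict

SAMPLE_GNMAP = (
    "# Nmap 7.94 scan initiated (constructed sample)\n"
    "Host: 192.168.1.1 ()\tStatus: Up\n"
    "Host: 192.168.1.1 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, "
    "80/open/tcp//http//nginx 1.18/, 443/filtered/tcp//https///\tIgnored State: closed (997)\n"
    "Host: 192.168.1.2 (printer.lan)\tPorts: 9100/open/tcp//jetdirect///, "
    "161/open|filtered/udp//snmp///\tIgnored State: closed (998)\n"
    "# Nmap done (constructed sample)\n"
)

HOST_RE = re.compile(r"(\S+)\s*\((.*?)\)")  # "192.168.1.2 (printer.lan)" -> ip, hostname


def parse_gnmap(text):
    """Return {ip: {"hostname": str, "ports": [(port, proto, state, service, version), ...]}}."""
    hosts = defaultdict(lambda: {"hostname": "", "ports": []})
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # "# Nmap ..." comment lines carry no host data
        # Each tab-separated chunk is "Key: value"; keys seen: Host, Status, Ports, Ignored State
        fields = {}
        for chunk in line.split("\t"):
            key, _, value = chunk.partition(":")
            fields[key.strip()] = value.strip()
        match = HOST_RE.match(fields["Host"])
        ip, hostname = match.group(1), match.group(2)
        if hostname:
            hosts[ip]["hostname"] = hostname
        for entry in fields.get("Ports", "").split(","):
            entry = entry.strip()
            if not entry:
                continue
            # Seven slash-separated fields; owner and rpcinfo are normally empty
            port, state, proto, _owner, service, _rpc, version = entry.split("/")[:7]
            hosts[ip]["ports"].append((int(port), proto, state, service, version))
    return dict(hosts)


def open_ports(hosts, proto=None):
    """Map ip -> sorted open ports (optionally one protocol); filtered and closed are dropped."""
    result = {}
    for ip, info in hosts.items():
        rows = [p for p in info["ports"] if p[2] == "open" and (proto is None or p[1] == proto)]
        if rows:
            result[ip] = sorted(rows)
    return result


def hosts_with_port(hosts, port, proto="tcp"):
    """IPs where the given port is reported open (open|filtered does not count)."""
    return sorted(ip for ip, info in hosts.items()
                  if any(p[0] == port and p[1] == proto and p[2] == "open" for p in info["ports"]))


if __name__ == "__main__":
    parsed = parse_gnmap(SAMPLE_GNMAP)
    for ip, rows in open_ports(parsed).items():
        print(ip, parsed[ip]["hostname"] or "-")
        for port, proto, _state, service, version in rows:
            print(f"  {port}/{proto} {service} {version}".rstrip())
    print("SSH exposed on:", hosts_with_port(parsed, 22))
```

Note that an UDP port reported as open|filtered is deliberately not counted as open: the scanner got no answer, which is exactly the ambiguity the UDP row in the mistakes table warns about.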
| Command | Description | Root Required |
|---|---|---|
| ndiff scan1.xml scan2.xml | Compare two XML scans | ❌ No |
| ndiff -v | Verbose comparison | ❌ No |
| ndiff --xml | XML comparison output | ❌ No |

| Purpose | Command | Key Options Used | Root Required |
|---|---|---|---|
| Compare two scan results | ndiff scan_old.xml scan_new.xml | ndiff | ❌ No |
| Verbose comparison output | ndiff -v scan_old.xml scan_new.xml | -v | ❌ No |
| XML-formatted diff output | ndiff --xml scan_old.xml scan_new.xml | --xml | ❌ No |
| Track changes after service updates | ndiff baseline.xml post_update.xml | ndiff | ❌ No |

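To see what ndiff is doing with the -oX files, and to get the same change tracking inside your own tooling, here is an added example written for this guide (it is not the ndiff tool or any Nmap project code). It parses two Nmap XML scans and reports hosts that appeared or dropped, ports that opened or closed, and version strings that changed, which is the drift a baseline-versus-post-update comparison is meant to catch. BASELINE_XML and POST_UPDATE_XML are constructed excerpts in Nmap's XML layout (nmaprun/host/ports/port).

```python
"""Compare two Nmap XML (-oX) scans for change tracking, the way ndiff does.

Added example for this guide, not the ndiff tool. BASELINE_XML and POST_UPDATE_XML
are constructed excerpts following Nmap's XML layout (nmaprun/host/ports/port).
"""
import xml.etree.ElementTree as ET

BASELINE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX baseline.xml 192.168.1.0/24" version="7.94">
<host><status state="up"/><address addr="192.168.1.1" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh" product="OpenSSH" version="8.9"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http" product="nginx" version="1.18.0"/></port>
<port protocol="tcp" portid="8080"><state state="open" reason="syn-ack"/><service name="http-proxy"/></port>
</ports></host>
<host><status state="up"/><address addr="192.168.1.2" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="445"><state state="open" reason="syn-ack"/><service name="microsoft-ds"/></port>
</ports></host>
</nmaprun>"""

POST_UPDATE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX post_update.xml 192.168.1.0/24" version="7.94">
<host><status state="up"/><address addr="192.168.1.1" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh" product="OpenSSH" version="9.6"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http" product="nginx" version="1.18.0"/></port>
<port protocol="tcp" portid="443"><state state="open" reason="syn-ack"/><service name="https" product="nginx" version="1.18.0"/></port>
<port protocol="tcp" portid="8080"><state state="closed" reason="reset"/><service name="http-proxy"/></port>
</ports></host>
<host><status state="down"/><address addr="192.168.1.2" addrtype="ipv4"/></host>
</nmaprun>"""


def parse_nmap_xml(xml_text):
    """Return {ip: {(proto, port): {"state", "service", "version"}}} for hosts that are up."""
    scan = {}
    for host in ET.fromstring(xml_text).findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # down hosts carry no port data; the diff reports them as missing
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            addr = host.find("address")
        ports = {}
        for port in host.findall("ports/port"):
            svc = port.find("service")
            product = (svc.get("product"), svc.get("version")) if svc is not None else ()
            ports[(port.get("protocol"), int(port.get("portid")))] = {
                "state": port.find("state").get("state"),
                "service": svc.get("name", "") if svc is not None else "",
                "version": " ".join(p for p in product if p),
            }
        scan[addr.get("addr")] = ports
    return scan


def diff_scans(old, new):
    """Findings between two parsed scans: hosts appearing or disappearing, ports opening
    or closing, and version strings changing on ports open in both."""
    findings = {
        "new_hosts": sorted(set(new) - set(old)),
        "missing_hosts": sorted(set(old) - set(new)),
        "opened": [], "closed": [], "version_changed": [],
    }
    for ip in sorted(set(old) & set(new)):
        old_open = {k for k, v in old[ip].items() if v["state"] == "open"}
        new_open = {k for k, v in new[ip].items() if v["state"] == "open"}
        for proto, port in sorted(new_open - old_open):
            findings["opened"].append((ip, proto, port, new[ip][(proto, port)]["service"]))
        for proto, port in sorted(old_open - new_open):
            findings["closed"].append((ip, proto, port, old[ip][(proto, port)]["service"]))
        for key in sorted(old_open & new_open):
            before, after = old[ip][key]["version"], new[ip][key]["version"]
            if before != after:
                findings["version_changed"].append((ip, key[0], key[1], before, after))
    return findings


def report(findings):
    """Human-readable lines, one per change (empty list when nothing changed)."""
    lines = [f"+ host {ip} appeared" for ip in findings["new_hosts"]]
    lines += [f"- host {ip} no longer up" for ip in findings["missing_hosts"]]
    lines += [f"+ {ip} {port}/{proto} opened ({svc})" for ip, proto, port, svc in findings["opened"]]
    lines += [f"- {ip} {port}/{proto} closed ({svc})" for ip, proto, port, svc in findings["closed"]]
    lines += [f"~ {ip} {port}/{proto} version {b!r} -> {a!r}"
              for ip, proto, port, b, a in findings["version_changed"]]
    return lines


if __name__ == "__main__":
    print("\n".join(report(diff_scans(parse_nmap_xml(BASELINE_XML), parse_nmap_xml(POST_UPDATE_XML)))))
```

Only ports open in both scans are compared for version changes; a port that closed is reported once, as closed, rather than also as a version change to nothing. Feed the same file twice and the report is empty, which is a useful self-check before wiring this into a scheduled job.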
| Option | Description | Root Required |
|---|---|---|
| -h | Show help | ❌ No |
| -V | Show Nmap version | ❌ No |
| -v | Verbose output (-vv for more) | ❌ No |
| -d | Debug output | ❌ No |
| --reason | Show why each port is in its state | ❌ No |
| --packet-trace | Trace sent and received packets | ✅ Yes |
| --iflist | Show interfaces and routes | ❌ No |
| -e iface | Specify the interface to use | ✅ Yes |

| Purpose | Command | Key Options Used | Root Required |
|---|---|---|---|
| Verbose debug scan | nmap -vv -d 192.168.1.1 | -vv, -d | ❌ No |
| Packet tracing | sudo nmap -sS --packet-trace 192.168.1.1 | --packet-trace | ✅ Yes |

| Option | Description | Root Required |
|---|---|---|
| -sC | Run the default script set | ❌ No |
| --script script.nse | Run a specific script | ❌ No |
| --script category | Run a script category | ❌ No |
| --script cat1,cat2 | Run multiple categories | ❌ No |
| --script-trace | Show all data sent and received by scripts | ❌ No |
| --script-updatedb | Update the script database | ❌ No |

| Purpose | Command | Key Options Used | Root Required |
|---|---|---|---|
| Run default scripts | nmap -sC 192.168.1.1 | -sC | ❌ No |
| Run vulnerability scripts | nmap --script vuln 192.168.1.1 | --script vuln | ❌ No |
| Run multiple script categories | nmap --script discovery,auth 192.168.1.1 | --script | ❌ No |
| Trace script execution | nmap --script vuln --script-trace 192.168.1.1 | --script-trace | ❌ No |

| Category | What It Does | Risk Level | Noise / Detectability | Common Example Scripts | Safe for Production | Typical Alert Source | Engagement Phase |
|---|---|---|---|---|---|---|---|
| auth | Tests authentication mechanisms and access controls. | Medium | Medium | ssh-auth-methods, ftp-anon, http-auth | Not rated | SIEM, Auth logs, IDS | Enumeration / Priv Esc |
| broadcast | Discovers hosts/services using broadcast or multicast traffic. | Low | High (LAN-visible) | broadcast-dhcp-discover, broadcast-dns-service-discovery | Not rated | IDS, Network monitors | Discovery / Recon |
| brute | Attempts brute-force authentication against services. | High | High | ssh-brute, ftp-brute, http-form-brute | ❌ No | IDS/IPS, Auth logs | Credential Access / Exploit |
| default | Safe, commonly useful scripts run with -sC. | Low | Low–Medium | http-title, ssh-hostkey, ssl-cert | ✅ Yes | Minimal | Recon / Enumeration |
| discovery | Gathers information about hosts, services, and network layout. | Low | Low | dns-brute, http-enum, snmp-info | ✅ Yes | IDS, DNS logs | Recon |
| dos | Tests for denial-of-service vulnerabilities. | Critical | Very High | http-slowloris, ssl-dos | ❌ No | IDS/IPS, Service logs | Exploit / Attack |
| exploit | Actively exploits vulnerabilities to gain access. | Critical | Very High | smb-vuln-ms17-010, ftp-vsftpd-backdoor | ❌ No | IDS/IPS, Endpoint logs | Exploit / Post-Exploitation |
| external | Queries third-party or external services for information. | Low | Low (external visibility) | whois-ip, ip-geolocation | Not rated | External DNS logs | Recon / Open Source Intel |
| fuzzer | Sends malformed or unexpected input to services. | High | High | dns-fuzz, rtsp-fuzzer | ❌ No | IDS/IPS, App logs | Exploit / Attack |
| intrusive | Performs aggressive checks that may disrupt services. | High | High | http-methods, snmp-brute | ❌ No | IDS/IPS, App logs | Enumeration / Exploit |
| malware | Detects known malware infections or backdoors. | Medium | Medium | smtp-strangeport, irc-botnet-channels | Not rated | AV/EDR, Network monitors | Post-Exploitation / Detection |
| safe | Non-intrusive scripts designed to avoid disruption. | Low | Low | http-headers, ssl-cert | ✅ Yes | Minimal | Recon / Enumeration |
| version | Enhances service version detection. | Low | Low | http-server-header, mysql-info | ✅ Yes | Minimal | Enumeration |
| vuln | Checks for known vulnerabilities without exploitation. | Medium | Medium | ssl-heartbleed, http-vuln-cve2017-5638 | Not rated | IDS, Vulnerability scanners | Vulnerability Assessment / Recon |

| Category | Example Purpose | Example Command | Why You'd Use This | Expected Noise / Detection |
|---|---|---|---|---|
| auth | Enumerate supported SSH authentication methods | nmap --script ssh-auth-methods 192.168.1.1 | Identify allowed auth mechanisms before brute-force or password spraying | Auth logs, SIEM |
| broadcast | Discover hosts via DHCP broadcast | nmap --script broadcast-dhcp-discover | Identify live hosts and network configuration on the local LAN | IDS, network monitoring |
| brute | Attempt SSH credential brute-force | nmap --script ssh-brute 192.168.1.1 | Test for weak or default credentials | IDS/IPS, auth logs (high-confidence alert) |
| default | Run safe default discovery scripts | nmap -sC 192.168.1.1 | Quick, low-risk service enumeration | Minimal logging |
| discovery | Enumerate HTTP directories and services | nmap --script http-enum 192.168.1.1 | Identify exposed web content and applications | Web server logs |
| dos | Test an HTTP service for Slowloris DoS vulnerability | nmap --script http-slowloris 192.168.1.1 | Validate susceptibility to resource exhaustion | IDS/IPS, service instability |
| exploit | Check for MS17-010 (EternalBlue) vulnerability | nmap --script smb-vuln-ms17-010 192.168.1.1 | Identify critical SMB vulnerabilities | IDS/IPS, EDR |
| external | Retrieve WHOIS information for the target IP | nmap --script whois-ip 192.168.1.1 | Gather ownership and ISP data | External DNS / OSINT logs |
| fuzzer | Fuzz a DNS service for input handling bugs | nmap --script dns-fuzz 192.168.1.1 | Identify crashes or parsing flaws | IDS/IPS, application logs |
| intrusive | Enumerate allowed HTTP methods | nmap --script http-methods 192.168.1.1 | Detect risky methods like PUT or DELETE | Web logs, IDS |
| malware | Detect suspicious IRC botnet behavior | nmap --script irc-botnet-channels 192.168.1.1 | Identify compromised hosts | EDR, network monitoring |
| safe | Retrieve HTTP security headers | nmap --script http-headers 192.168.1.1 | Assess security posture with minimal impact | Minimal |
| version | Enhanced service version enumeration | nmap --script version 192.168.1.1 | Improve accuracy of service fingerprinting | Minimal |
| vuln | Check for the Heartbleed vulnerability | nmap --script ssl-heartbleed 192.168.1.1 | Identify known cryptographic flaws | IDS, vulnerability scanners |