In this tutorial I have listed the common Nmap commands that might be useful.

Target Specific

| Switch | Example | Description |
| --- | --- | --- |
| | nmap 192.168.33.200 | Scan a single IP |
| | nmap 192.168.33.200 192.168.33.203 | Scan specific IPs |
| | nmap 192.168.33.1-254 or nmap 192.168.33.* | Scan a range |
| | nmap www.dracocybersecurity.com | Scan a domain |
| | nmap 192.168.33.0/24 | Scan using CIDR notation |
| -iL | nmap -iL targets.txt | Scan targets from a file |
| -iR | nmap -iR 100 | Scan 100 random hosts |
| --exclude | nmap 192.168.33.* --exclude 192.168.33.1 | Exclude listed hosts |

Scan Techniques

| Switch | Example | Description |
| --- | --- | --- |
| -sS | nmap 192.168.33.200 -sS | TCP SYN port scan (default) |
| -sT | nmap 192.168.33.200 -sT | TCP connect port scan (default without root privilege) |
| -sU | nmap 192.168.33.200 -sU | UDP port scan |
| -sA | nmap 192.168.33.200 -sA | TCP ACK port scan |
| -sW | nmap 192.168.33.200 -sW | TCP Window port scan |
| -sM | nmap 192.168.33.200 -sM | TCP Maimon port scan |

Host Discovery

| Switch | Example | Description |
| --- | --- | --- |
| -sL | nmap 192.168.33.200-203 -sL | No scan. List targets only |
| -sn | nmap 192.168.33.200/24 -sn | Disable port scanning. Host discovery only |
| -Pn | nmap 192.168.33.200-205 -Pn | Disable host discovery. Port scan only |
| -PS | nmap 192.168.33.200-205 -PS22-25,80 | TCP SYN discovery on port x. Port 80 by default |
| -PA | nmap 192.168.33.200-205 -PA22-25,80 | TCP ACK discovery on port x. Port 80 by default |
| -PU | nmap 192.168.33.200-205 -PU53 | UDP discovery on port x. Port 40125 by default |
| -PR | nmap 192.168.33.1-1/24 -PR | ARP discovery on the local network |
| -n | nmap 192.168.33.200 -n | Never do DNS resolution |

Port Specification

| Switch | Example | Description |
| --- | --- | --- |
| -p | nmap 192.168.33.200 -p 21 | Port scan for port x |
| -p | nmap 192.168.33.200 -p 21-100 | Port range |
| -p | nmap 192.168.33.200 -p U:53,T:21-25,80 | Port scan multiple TCP and UDP ports |
| -p- | nmap 192.168.33.200 -p- | Port scan all ports |
| -p | nmap 192.168.33.200 -p http,https | Port scan from service name |
| -F | nmap 192.168.33.200 -F | Fast port scan (100 ports) |
| --top-ports | nmap 192.168.33.200 --top-ports 2000 | Port scan the top x ports |
| -p-65535 | nmap 192.168.33.200 -p-65535 | Leaving off the initial port in a range makes the scan start at port 1 |
| -p0- | nmap 192.168.33.200 -p0- | Leaving off the end port in a range makes the scan go through to port 65535 |

Service and Version Detection

| Switch | Example | Description |
| --- | --- | --- |
| -sV | nmap 192.168.33.200 -sV | Attempts to determine the version of the service running on each port |
| -sV --version-intensity | nmap 192.168.33.200 -sV --version-intensity 8 | Intensity level 0 to 9. A higher number increases the possibility of correctness |
| -sV --version-light | nmap 192.168.33.200 -sV --version-light | Enable light mode. Lower possibility of correctness. Faster |
| -sV --version-all | nmap 192.168.33.200 -sV --version-all | Enable intensity level 9. Higher possibility of correctness. Slower |
| -A | nmap 192.168.33.200 -A | Enables OS detection, version detection, script scanning, and traceroute |

OS Detection

| Switch | Example | Description |
| --- | --- | --- |
| -O | nmap 192.168.33.200 -O | Remote OS detection using TCP/IP stack fingerprinting |
| -O --osscan-limit | nmap 192.168.33.200 -O --osscan-limit | If at least one open and one closed TCP port are not found, it will not try OS detection against the host |
| -O --osscan-guess | nmap 192.168.33.200 -O --osscan-guess | Makes Nmap guess more aggressively |
| -O --max-os-tries | nmap 192.168.33.200 -O --max-os-tries 1 | Set the maximum number x of OS detection tries against a target |
| -A | nmap 192.168.33.200 -A | Enables OS detection, version detection, script scanning, and traceroute |

Timing and Performance

| Switch | Example | Description |
| --- | --- | --- |
| -T0 | nmap 192.168.33.200 -T0 | Paranoid (0): Intrusion Detection System evasion |
| -T1 | nmap 192.168.33.200 -T1 | Sneaky (1): Intrusion Detection System evasion |
| -T2 | nmap 192.168.33.200 -T2 | Polite (2): slows down the scan to use less bandwidth and fewer target machine resources |
| -T3 | nmap 192.168.33.200 -T3 | Normal (3): the default speed |
| -T4 | nmap 192.168.33.200 -T4 | Aggressive (4): speeds scans; assumes you are on a reasonably fast and reliable network |
| -T5 | nmap 192.168.33.200 -T5 | Insane (5): speeds scans; assumes you are on an extraordinarily fast network |

| Switch | Example input | Description |
| --- | --- | --- |
| --host-timeout <time> | 1s; 4m; 2h | Give up on a target after this long |
| --min-rtt-timeout/--max-rtt-timeout/--initial-rtt-timeout <time> | 1s; 4m; 2h | Specifies probe round trip time |
| --min-hostgroup/--max-hostgroup <size> | 50; 1024 | Parallel host scan group sizes |
| --min-parallelism/--max-parallelism <numprobes> | 10; 1 | Probe parallelization |
| --scan-delay/--max-scan-delay <time> | 20ms; 2s; 4m; 5h | Adjust delay between probes |
| --max-retries <tries> | 3 | Specify the maximum number of port scan probe retransmissions |
| --min-rate <number> | 100 | Send packets no slower than <number> per second |
| --max-rate <number> | 100 | Send packets no faster than <number> per second |

NSE Scripts

| Switch | Example | Description |
| --- | --- | --- |
| -sC | nmap 192.168.33.200 -sC | Scan with default NSE scripts. Considered useful for discovery and safe |
| --script default | nmap 192.168.33.200 --script default | Scan with default NSE scripts. Considered useful for discovery and safe |
| --script | nmap 192.168.33.200 --script=banner | Scan with a single script. Example: banner |
| --script | nmap 192.168.33.200 --script=http* | Scan with a wildcard. Example: http |
| --script | nmap 192.168.33.200 --script=http,banner | Scan with two scripts. Example: http and banner |
| --script | nmap 192.168.33.200 --script "not intrusive" | Scan with scripts, but leave out those in the intrusive category |
| --script-args | nmap --script snmp-sysdescr --script-args snmpcommunity=admin 192.168.33.200 | NSE script with arguments |

Useful NSE Script Examples

| Command | Description |
| --- | --- |
| nmap -Pn --script=http-sitemap-generator scanme.nmap.org | HTTP site map generator |
| nmap -n -Pn -p 80 --open -sV -vvv --script banner,http-title -iR 1000 | Fast search for random web servers |
| nmap -Pn --script=dns-brute domain.com | Brute forces DNS hostnames, guessing subdomains |
| nmap -n -Pn -vv -O -sV --script smb-enum*,smb-ls,smb-mbenum,smb-os-discovery,smb-s*,smb-vuln*,smbv2* -vv 192.168.33.200 | Safe SMB scripts to run |
| nmap --script whois* domain.com | Whois query |
| nmap -p80 --script http-unsafe-output-escaping scanme.nmap.org | Detect cross-site scripting vulnerabilities |
| nmap -p80 --script http-sql-injection scanme.nmap.org | Check for SQL injections |

Firewall / IDS Evasion and Spoofing

| Switch | Example | Description |
| --- | --- | --- |
| -f | nmap 192.168.33.200 -f | The requested scan (including ping scans) uses tiny fragmented IP packets. Harder for packet filters |
| --mtu | nmap 192.168.33.200 --mtu 32 | Set your own fragment size (must be a multiple of 8) |
| -D | nmap -D 192.168.33.101,192.168.33.102,192.168.33.103,192.168.33.23 192.168.33.1 | Send scans from spoofed IPs |
| -D | nmap -D decoy-ip1,decoy-ip2,your-own-ip,decoy-ip3,decoy-ip4 remote-host-ip | The above example explained |
| -S | nmap -S www.microsoft.com www.facebook.com | Scan Facebook from Microsoft (-e eth0 -Pn may be required) |
| -g | nmap -g 53 192.168.33.200 | Use the given source port number |
| --proxies | nmap --proxies http://192.168.33.200:8080,http://192.168.33.2:8080 192.168.33.200 | Relay connections through HTTP/SOCKS4 proxies |
| --data-length | nmap --data-length 200 192.168.33.200 | Appends random data to sent packets |

Example IDS Evasion command

nmap -f -T0 -n -Pn --data-length 200 -D 192.168.33.101,192.168.33.102,192.168.33.103,192.168.33.23 192.168.33.1

Output

| Switch | Example | Description |
| --- | --- | --- |
| -oN | nmap 192.168.33.200 -oN normal.file | Normal output to the file normal.file |
| -oX | nmap 192.168.33.200 -oX xml.file | XML output to the file xml.file |
| -oG | nmap 192.168.33.200 -oG grep.file | Grepable output to the file grep.file |
| -oA | nmap 192.168.33.200 -oA results | Output in the three major formats at once |
| -oG - | nmap 192.168.33.200 -oG - | Grepable output to screen. -oN - and -oX - also usable |
| --append-output | nmap 192.168.33.200 -oN file.file --append-output | Append a scan to a previous scan file |
| -v | nmap 192.168.33.200 -v | Increase the verbosity level (use -vv or more for greater effect) |
| -d | nmap 192.168.33.200 -d | Increase the debugging level (use -dd or more for greater effect) |
| --reason | nmap 192.168.33.200 --reason | Display the reason a port is in a particular state; same output as -vv |
| --open | nmap 192.168.33.200 --open | Only show open (or possibly open) ports |
| --packet-trace | nmap 192.168.33.200 -T4 --packet-trace | Show all packets sent and received |
| --iflist | nmap --iflist | Shows the host interfaces and routes |
| --resume | nmap --resume results.file | Resume a scan |

Helpful Nmap Output examples

| Command | Description |
| --- | --- |
| nmap -p80 -sV -oG - --open 192.168.33.200/24 \| grep open | Scan for web servers and grep to show which IPs are running web servers |
| nmap -iR 10 -n -oX out.xml \| grep "Nmap" \| cut -d " " -f5 > live-hosts.txt | Generate a list of the IPs of live hosts |
| nmap -iR 10 -n -oX out2.xml \| grep "Nmap" \| cut -d " " -f5 >> live-hosts.txt | Append IPs to the list of live hosts |
| ndiff scan1.xml scan2.xml | Compare output from two Nmap scans using ndiff |
| xsltproc nmap.xml -o nmap.html | Convert Nmap XML files to HTML files |
| grep " open " results.nmap \| sed -r 's/ +/ /g' \| sort \| uniq -c \| sort -rn \| less | Reverse sorted list of how often ports turn up |
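As an added example (not part of the original cheat sheet), a small Python parser for the grepable (-oG) format that produces the same two results as the pipelines above, the live-host list and the open-port frequency table, without relying on `cut` column positions. The scan output it parses is a constructed sample; the hosts, services and versions in it are made up.

```python
"""Parse Nmap grepable (-oG) output: added example, not from the original cheat sheet."""
import re
from collections import Counter

# Constructed sample of "nmap -oG -" output (not a real scan): three hosts, one down.
SAMPLE_OG = """\
# Nmap 7.94 scan initiated as: nmap -p 22,80,443 -sV -oG - 192.168.33.200-202
Host: 192.168.33.200 ()\tStatus: Up
Host: 192.168.33.200 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1//, 80/open/tcp//http//nginx 1.18.0//, 443/closed/tcp//https///\tIgnored State: filtered (997)
Host: 192.168.33.201 ()\tStatus: Up
Host: 192.168.33.201 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1//, 80/filtered/tcp//http///
Host: 192.168.33.202 ()\tStatus: Down
"""

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\((.*?)\)\s*(.*)$")

def parse_grepable(text):
    """Return {ip: {"status": str, "ports": [(port, proto, state, service, version)]}}."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # "# Nmap ..." comment lines carry no host data
        ip, _hostname, rest = m.groups()
        entry = hosts.setdefault(ip, {"status": "unknown", "ports": []})
        for field in rest.split("\t"):  # tab-separated: Status / Ports / Ignored State
            key, _, value = field.partition(": ")
            if key == "Status":
                entry["status"] = value
            elif key == "Ports":
                for spec in value.split(", "):
                    # each entry is port/state/protocol/owner/service/rpc/version/
                    p = spec.split("/")
                    entry["ports"].append((int(p[0]), p[2], p[1], p[4], p[6]))
    return hosts

def live_hosts(hosts):
    """IPs reported Up: the page's live-hosts.txt list without grep/cut."""
    return sorted(ip for ip, h in hosts.items() if h["status"] == "Up")

def open_port_frequency(hosts):
    """How often each open port/service turns up, most common first
    (the aggregate the page's grep | sort | uniq -c | sort -rn pipeline gives)."""
    c = Counter()
    for h in hosts.values():
        for port, proto, state, service, _version in h["ports"]:
            if state == "open":
                c[(port, proto, service)] += 1
    return c.most_common()
```

Run it on a real file with `parse_grepable(open("scan.gnmap").read())`; the same functions then give the inventory for any host count.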

Miscellaneous Options

| Switch | Example | Description |
| --- | --- | --- |
| -6 | nmap -6 2607:f0d0:1002:51::4 | Enable IPv6 scanning |
| -h | nmap -h | Nmap help screen |

Other Useful Nmap Commands

| Command | Description |
| --- | --- |
| nmap -iR 10 -PS22-25,80,113,1050,35000 -v -sn | Discovery only on ports x, no port scan |
| nmap 192.168.33.1-1/24 -PR -sn -vv | ARP discovery only on the local network, no port scan |
| nmap -iR 10 -sn --traceroute | Traceroute to random targets, no port scan |
| nmap 192.168.33.200-250 -sL --dns-server 192.168.23.23 | Query the internal DNS for hosts, list targets only |