Nmap – Basic Commands

Common Switches:

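-sU Scan UDP ports
-sS TCP SYN scan of the default TCP ports
-A Aggressive scan: enables OS detection, version detection, script scanning and traceroute
-sV Service detection
-O OS detection
-T1, -T2, -T3, -T4, -T5 Timing – T1 is the slowest, T5 is the fastest
-p Port
-iL Input list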

Default Scan:

nmap -sS
  • Scans up to 1000 hosts per second
  • Only sends a SYN request and never completes the handshake
  • Stealthy

Full TCP 3-Way Handshake (Connect Scan)

nmap -sT
  • Slow and generates a lot of traffic
  • Uses the underlying operating system to send the packets
  • Does a full 3-way handshake with each port it scans
  • May be flagged by an IDS

Ping Scan

nmap -sn
  • See which servers are up/down

Version Enumeration

nmap -sV
  • Used to see which version of software is running on open ports

Port Scanning

nmap -p 22
  • -p is used to scan specific ports
  • -p- is used to scan all ports
  • Can be used to scan UDP and TCP ports
    • nmap -p U:53,T:22,25
    • --exclude-ports 53

Operating System Detection

nmap -O
  • OS fingerprinting

Scan ICMP Disabled Hosts

nmap -Pn (older versions of nmap use -P0)
  • Used to find hosts that don’t respond to ping
  • Treats all hosts as live
  • Very noisy

Scan a List of Hosts from a File

nmap -iL filename.txt
  • Used to scan the hosts listed in the file


Scan Timing

nmap -T0-5
  • Timing of the scan
  • How fast or slow the scan is; 0 is the slowest, scanning one port every 5 minutes
  • T4 is a good comfortable speed

Output Results to File

nmap -p- -oG nmap-scan.txt

Nmap output files:

  • -oG – greppable output format
  • -oN – Normal output, the same as what you see on the screen
  • -oX – XML output format
  • -oA – Combined format with all of the above as 3 separate files
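
The greppable (-oG) format is meant to be post-processed. As an added example (not from the original page), this Python script parses -oG output from a scan of your own hosts and reports open ports that are missing from an allowlist. The sample scan text, the host addresses and the ALLOWED mapping are constructed for illustration.

```python
# Constructed sample of `nmap -p- -oG nmap-scan.txt` output (not real scan data).
# Host-line fields are tab-separated; each port entry is
# port/state/protocol/owner/service/sunrpc/version/.
SAMPLE = "\n".join([
    "# Nmap scan initiated (constructed sample)",
    "Host: 192.0.2.10 (web01.example.test)\tStatus: Up",
    "Host: 192.0.2.10 (web01.example.test)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, "
    "3306/open/tcp//mysql///, 443/closed/tcp//https///\tIgnored State: filtered (65531)",
    "Host: 192.0.2.20 ()\tStatus: Up",
    "Host: 192.0.2.20 ()\tPorts: 53/open/udp//domain///, 22/filtered/tcp//ssh///",
])

# Hypothetical allowlist: the (port, protocol) pairs each host is expected to expose.
ALLOWED = {
    "192.0.2.10": {(22, "tcp"), (80, "tcp")},
    "192.0.2.20": {(53, "udp")},
}

def parse_greppable(text):
    """Return {ip: [(port, proto, state, service), ...]} from -oG output."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host: "):
            continue  # skip '#' comment lines and anything unexpected
        fields = line.split("\t")
        ip = fields[0].split()[1]
        ports = hosts.setdefault(ip, [])
        for field in fields[1:]:
            if not field.startswith("Ports: "):
                continue  # Status: and Ignored State: fields carry no port entries
            for entry in field[len("Ports: "):].split(","):
                parts = entry.strip().split("/")
                if len(parts) < 5 or not parts[0].isdigit():
                    continue  # malformed or partial entry
                ports.append((int(parts[0]), parts[2], parts[1], parts[4]))
    return hosts

def unexpected_open(text, allowed):
    """List (ip, port, proto, service) for ports that are open but not allowlisted."""
    findings = []
    for ip, ports in parse_greppable(text).items():
        for port, proto, state, service in ports:
            if state == "open" and (port, proto) not in allowed.get(ip, set()):
                findings.append((ip, port, proto, service))
    return sorted(findings)

if __name__ == "__main__":
    for ip, port, proto, service in unexpected_open(SAMPLE, ALLOWED):
        print(f"{ip}: unexpected open {port}/{proto} ({service})")
```

To use it on a real scan, read nmap-scan.txt and pass its contents in place of SAMPLE.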
