Basic Nmap Switches

Some basic but useful nmap switches to get started:      

Common Switches

-sU Scan UDP ports
-sS Scan default TCP ports
-A All
-sV Service detection
-O OS detection
T1, T2, T3, T4, T5 Timing - T1 slowest | T5 fastest
-p Port
-iL Input List

Default Scan

Nmap -sS
  • Scans up to 1000 hosts per second
  • Only sends syn requests
  • Stealthy

Full TCP Three Way Handshake Connection

Nmap -sT
  • Slow and generates a lot of traffic
  • Uses the underlying operating system to send the packets
  • Does three way handshake with each port it scans
  • May flag IDS and other systems designed to detect scanning activity

Ping Scan

Nmap -sn
  • See which servers in the range are up/down
  • Note: Some systems do not respond to pings and falsely present as being down

Version Enumeration/ Banner Grabbing

Nmap -sV
  • Used to see which software and software versions are running on the open ports

Port Scanning

Nmap -p 22
  • -p used to scan specific ports
  • -p- used to scan all ports
  • Can be used to scan UDP and TCP ports
  • Nmap -p U:53,T:22,25
  • –exclude-ports 53

Operating System Detection

Nmap -O
  • OS fingerprinting

Scan ICMP Disabled Hosts

Nmap -Pn (older versions of nmap use P0)
  • Used to find hosts that do not respond to ping
  • Treats all hosts as live
  • Can be very noisy

Scan a List of Files

Nmap -iL filename.txt
  • Used to scan a list of hosts in a text file


Nmap -T0 -5
  • Used to control the timing of the scan
  • How fast or slow the scan runs, 0 being the slowest scanning one port every 5 minutes
  • T4 is generally a comfortable speed

Output Results to File

Nmap -p- -oG nmap-scan.txt
  • -oG – greppable output format
  • -oN – Normal output what you see on the screen
  • -oX – XML output format
  • -oA – Combined format with all of the above as 3 separate files