nmap scan tool

• Last updated: May 29, 2023

Main options

• sT : TCP connect scan, better use SYN which is quicker and stealthy.
• sS : TCP SYN scan, also known as half-open scanning, quite unobtrusive and stealthy, since it never completes TCP connections.
• sU : UDP scan
• sP : PING scanning for host discovery, a ICMP echo request is sent.
• PR : ARP scan.
• F : Fast scan, only scan ports included inside nmap-services file.
• p1-65535 : port interval, here we scan every ports.
• PN : force scan, even if no ping response from adresses.
• P0 : Same as PN.
• O : Try to determine OS target.
• oG : save result into file.
• n : disable DNS resolution.
• R : enable DNS resolution.
• iR : random target scan.

Examples

• TCP connect, scan ports from 1 to 65535, force scan, try to guess OS, target is 192.168.1.1. Save results inside /tmp/001 file.

root@host:~# nmap -sT -p1-65535 -P0 -0 -oG /tmp/001 192.168.1.1

• Scan 192.168.1.0/24 hosts family addresses

root@host:~# nmap 192.168.1.0-255

• Scan SYN, random hosts, web service

root@host:~# nmap -sS -iR 0 -p 80

• Spoof source address (10.0.0.0). Scan 10.0.0.1 host, set source port to 80

root@host:~# nmap -S 10.0.0.0 -g 80 10.0.0.1

• Host Discovery scan for 10.0.0.0/24 network. Result will show ip and MAC addresses.

root@host:~# nmap -sP 10.0.0.0/24

• Complete scan of the scanme.nmap.org host. TCP SYN scan on every ports -p-, we consider the host as active -PN, agressive scan (-A include services version detection -sV, Script Engine -sC, OS detection -O and --traceroute).

root@host:~# nmap -sS -PN -p- -A -T4 scanme.nmap.org

sources : tux-planet, nmap.org