rss logo

nmap scan tool

Nmap Logo

Main Options

  • sT : TCP connect scan, better use SYN which is quicker and stealthy.
  • sS : TCP SYN scan, also known as half-open scanning, quite unobtrusive and stealthy, since it never completes TCP connections.
  • sU : UDP scan
  • sP : PING scanning for host discovery, a ICMP echo request is sent.
  • PR : ARP scan.
  • F : Fast scan, only scan ports included inside nmap-services file.
  • p1-65535 : port interval, here we scan every ports.
  • PN : force scan, even if no ping response from adresses.
  • P0 : Same as PN.
  • O : Try to determine OS target.
  • oG : save result into file.
  • n : disable DNS resolution.
  • R : enable DNS resolution.
  • iR : random target scan.


  • TCP connect, scan ports from 1 to 65535, force scan, try to guess OS, target is Save results inside /tmp/001 file.
root@host:~# nmap -sT -p1-65535 -P0 -0 -oG /tmp/001
  • Scan hosts family addresses
root@host:~# nmap
  • Scan SYN, random hosts, web service
root@host:~# nmap -sS -iR 0 -p 80
  • Spoof source address ( Scan host, set source port to 80
root@host:~# nmap -S -g 80
  • Host Discovery scan for network. Result will show ip and MAC addresses.
root@host:~# nmap -sP
  • Complete scan of the host. TCP SYN scan on every ports -p-, we consider the host as active -PN, agressive scan (-A include services version detection -sV, Script Engine -sC, OS detection -O and --traceroute).
root@host:~# nmap -sS -PN -p- -A -T4

SSH Algorithms Scan

  • Show algorithms that the target SSH2 server offers, it's useful when encountering the message: "Unable to negotiate with port 22: no matching host key type found. Their offer: ssh-rsa,ssh-dss":
root@host:~# nmap -p 22 --script ssh2-enum-algos Starting Nmap 7.93 ( ) at 2023-12-08 19:26 CET Nmap scan report for Host is up (0.0056s latency). PORT STATE SERVICE 22/tcp open ssh | ssh2-enum-algos: | kex_algorithms: (3) | diffie-hellman-group16-sha512 | diffie-hellman-group14-sha1 | diffie-hellman-group1-sha1 | server_host_key_algorithms: (2) | ssh-rsa | ssh-dss | encryption_algorithms: (4) | aes128-ctr | aes192-ctr | aes256-ctr | | mac_algorithms: (3) | hmac-sha2-256 | hmac-sha2-512 | hmac-sha1 | compression_algorithms: (1) |_ none Nmap done: 1 IP address (1 host up) scanned in 0.60 seconds
  • Based on the reported information, we can deduce the SSH algorithms to configure:
root@host:~# ssh -o KexAlgorithms=+diffie-hellman-group16-sha512 -o HostKeyAlgorithms=+ssh-rsa

sources : tux-planet,

Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.

Contact :

contact mail address