Nmap: The Ultimate Network Scanning Tool
- Last updated: Feb 8, 2025

Main Options
-sT: TCP connect scan; better to use a SYN scan (-sS), which is quicker and stealthier.
-sS: TCP SYN scan, also known as half-open scanning, quite unobtrusive and stealthy, since it never completes TCP connections.
-sU: UDP scan.
-sP: ping scanning for host discovery, an ICMP echo request is sent.
-PR: ARP scan.
-F: fast scan, only scan the ports listed in the nmap-services file.
-p1-65535: port interval, here we scan all ports.
-PN: force a scan even if there is no ping response from the addresses.
-P0: same as -PN.
-O: try to determine the target OS.
-oG: save results into a file (grepable format).
-n: disable DNS resolution.
-R: enable DNS resolution.
-iR: scan random targets.
Examples
- TCP connect scan, ports 1 to 65535, forced scan (no ping), try to guess the OS, target is 192.168.1.1. Save results inside the /tmp/001 file:
root@host:~# nmap -sT -p1-65535 -P0 -O -oG /tmp/001 192.168.1.1
- Scan the 192.168.1.0/24 range of host addresses:
root@host:~# nmap 192.168.1.0-255
- SYN scan of random hosts, web service only:
root@host:~# nmap -sS -iR 0 -p 80
- Spoof the source address (10.0.0.0), scan the 10.0.0.1 host, set the source port to 80:
root@host:~# nmap -S 10.0.0.0 -g 80 10.0.0.1
- Host discovery scan of the 10.0.0.0/24 network. The result shows IP and MAC addresses:
root@host:~# nmap -sP 10.0.0.0/24
- Complete scan of the scanme.nmap.org host: TCP SYN scan on every port (-p-), consider the host active (-PN), aggressive scan (-A includes service version detection (-sV), the Script Engine (-sC), OS detection (-O) and --traceroute):
root@host:~# nmap -sS -PN -p- -A -T4 scanme.nmap.org
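The first example above saves its results with -oG. As an added example (not code from the original page or from the Nmap project), the following Python parses that grepable output format and compares the open ports found per host against an approved baseline, so a periodic scan of your own network turns into a list of hosts exposing something they should not. The sample output is constructed here in the layout nmap writes (one tab-separated record per host made of "Name: value" fields); the hosts, ports, versions and OS guesses in it are invented.

```python
import re

# Constructed sample of nmap grepable output (-oG). Each port record is
# port/state/proto/owner/service/rpcinfo/version/ . All values invented.
SAMPLE_OG = (
    "# Nmap 7.93 scan initiated Sat Feb  8 10:28:00 2025 as: "
    "nmap -sT -p1-65535 -P0 -O -oG /tmp/001 192.168.1.0/24\n"
    "Host: 192.168.1.1 ()\tStatus: Up\n"
    "Host: 192.168.1.1 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, "
    "80/open/tcp//http///, 443/closed/tcp//https///"
    "\tIgnored State: filtered (65532)\tOS: Linux 4.15 - 5.6\n"
    "Host: 192.168.1.20 (printer.example.test)\tStatus: Up\n"
    "Host: 192.168.1.20 (printer.example.test)\tPorts: 445/open/tcp//microsoft-ds///, "
    "9100/open/tcp//jetdirect///\tIgnored State: closed (65533)\n"
    "# Nmap done at Sat Feb  8 10:28:30 2025 -- 256 IP addresses (2 hosts up) "
    "scanned in 30.12 seconds\n"
)

HOST_RE = re.compile(r"(\S+) \((.*)\)")  # "192.168.1.20 (printer.example.test)"


def parse_grepable(text):
    """Return {ip: {"hostname", "os", "open": [(port, proto, service, version)]}}."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # "# Nmap ..." comment lines carry no host data
        fields = {}
        for chunk in line.split("\t"):  # fields are tab-separated "Name: value"
            name, _, value = chunk.partition(": ")
            fields[name] = value
        ip, hostname = HOST_RE.match(fields["Host"]).groups()
        entry = hosts.setdefault(ip, {"hostname": hostname, "os": None, "open": []})
        if "OS" in fields:
            entry["os"] = fields["OS"]
        for rec in fields.get("Ports", "").split(","):
            rec = rec.strip()
            if not rec:
                continue
            port, state, proto, _owner, service, _rpc, version = rec.split("/")[:7]
            if state == "open":  # closed/filtered ports are not exposure
                entry["open"].append((int(port), proto, service, version))
    return hosts


def unexpected_open_ports(hosts, baseline):
    """Open ports per host that the approved baseline {ip: {ports}} does not list."""
    findings = {}
    for ip, info in hosts.items():
        allowed = baseline.get(ip, set())  # unknown host: nothing is allowed
        extra = sorted(p for p, _proto, _svc, _ver in info["open"] if p not in allowed)
        if extra:
            findings[ip] = extra
    return findings


if __name__ == "__main__":
    inventory = parse_grepable(SAMPLE_OG)
    baseline = {"192.168.1.1": {22, 80}, "192.168.1.20": {9100}}
    for ip, ports in unexpected_open_ports(inventory, baseline).items():
        print(f"{ip} ({inventory[ip]['hostname'] or 'no name'}): unexpected open ports {ports}")
```

Running it reports the invented printer exposing 445/tcp, which its baseline does not allow. A host absent from the baseline is treated as allowing nothing, so newly appeared devices are reported in full rather than silently ignored.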
SSH Algorithm Scan
- Show the algorithms that the target SSH2 server offers. This is useful when encountering the following message: "Unable to negotiate with 192.168.1.1 port 22: no matching host key type found. Their offer: ssh-rsa,ssh-dss":
root@host:~# nmap -p 22 --script ssh2-enum-algos 192.168.1.1
Starting Nmap 7.93 ( https://nmap.org ) at 2023-12-08 19:26 CET
Nmap scan report for 192.168.1.1
Host is up (0.0056s latency).
PORT   STATE SERVICE
22/tcp open  ssh
| ssh2-enum-algos:
|   kex_algorithms: (3)
|       diffie-hellman-group16-sha512
|       diffie-hellman-group14-sha1
|       diffie-hellman-group1-sha1
|   server_host_key_algorithms: (2)
|       ssh-rsa
|       ssh-dss
|   encryption_algorithms: (4)
|       aes128-ctr
|       aes192-ctr
|       aes256-ctr
|       chacha20-poly1305@openssh.com
|   mac_algorithms: (3)
|       hmac-sha2-256
|       hmac-sha2-512
|       hmac-sha1
|   compression_algorithms: (1)
|_      none
Nmap done: 1 IP address (1 host up) scanned in 0.60 seconds
- Based on the reported information, we can deduce the SSH algorithms to configure:
root@host:~# ssh -o KexAlgorithms=+diffie-hellman-group16-sha512 -o HostKeyAlgorithms=+ssh-rsa 192.168.1.1
SMB Version Scan
The SMBv1 protocol is obsolete and can be abused by attackers, so it is a good idea to identify which servers still use it in order to disable it. To do this, we can use the smb-protocols script, which lists the SMB protocol versions (dialects) a host accepts.
- To display the SMB versions in use, run the following command (example here scanning the IP 192.168.1.1):
root@host:~# nmap -p 139,445 --script smb-protocols 192.168.1.1
Starting Nmap 7.93 ( https://nmap.org ) at 2025-02-08 10:28 CET
Nmap scan report for share.std.rocks (192.168.1.1)
Host is up (0.00052s latency).
PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
Host script results:
| smb-protocols:
|   dialects:
|       NT LM 0.12 (SMBv1) [dangerous, but default]
|       202
|       210
|       300
|       302
|_      311
Nmap done: 1 IP address (1 host up) scanned in 6.36 seconds
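Both the ssh2-enum-algos and the smb-protocols results above are easier to act on across many hosts once parsed. The following Python is an added example, not code from the page or from the Nmap project: it parses the "|"-prefixed NSE script block of nmap's normal output (the constructed sample reproduces the two results above with nmap's indentation), then flags the SSH algorithms that current OpenSSH clients refuse by default because they rest on SHA-1 or DSA (the "no matching host key type found" situation from the SSH section) and whether the SMBv1 dialect is still offered. The legacy algorithm table is an assumption of this example, chosen from OpenSSH's default client policy, and should be adjusted to your own standard.

```python
import re

# Constructed sample: the two script results shown above, pasted in the
# layout nmap prints ("| " / "|_" prefixes, nesting by indentation).
SAMPLE_OUTPUT = """\
PORT   STATE SERVICE
22/tcp open  ssh
| ssh2-enum-algos:
|   kex_algorithms: (3)
|       diffie-hellman-group16-sha512
|       diffie-hellman-group14-sha1
|       diffie-hellman-group1-sha1
|   server_host_key_algorithms: (2)
|       ssh-rsa
|       ssh-dss
|   encryption_algorithms: (4)
|       aes128-ctr
|       aes192-ctr
|       aes256-ctr
|       chacha20-poly1305@openssh.com
|   mac_algorithms: (3)
|       hmac-sha2-256
|       hmac-sha2-512
|       hmac-sha1
|   compression_algorithms: (1)
|_      none

Host script results:
| smb-protocols:
|   dialects:
|       NT LM 0.12 (SMBv1) [dangerous, but default]
|       202
|       210
|       300
|       302
|_      311
"""

# Assumed policy for this example: algorithms recent OpenSSH clients drop
# by default (SHA-1 based key exchange, MACs and host key signatures, plus
# DSA host keys). Servers still offering them trigger the error quoted above.
LEGACY_SSH = {
    "kex_algorithms": {"diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1"},
    "server_host_key_algorithms": {"ssh-rsa", "ssh-dss"},
    "mac_algorithms": {"hmac-sha1", "hmac-md5"},
}

CATEGORY_RE = re.compile(r"[\w-]+: ?(\(\d+\))?")  # "kex_algorithms: (3)" or "dialects:"


def parse_nse_output(text):
    """Return {script: {category: [items]}} from the "|" lines of nmap normal output."""
    scripts = {}
    script = category = None
    for raw in text.splitlines():
        if not raw.startswith("|"):
            continue  # port table, headers, etc. are not script output
        body = raw.lstrip("|_")  # strip the "|" / "|_" prefix characters
        indent = len(body) - len(body.lstrip(" "))
        item = body.strip()
        if not item:
            continue
        if indent <= 1 and item.endswith(":"):  # "| ssh2-enum-algos:" starts a script
            script, category = item[:-1], None
            scripts[script] = {}
        elif script and CATEGORY_RE.fullmatch(item):  # indented "name: (n)" opens a category
            category = item.split(":", 1)[0]
            scripts[script][category] = []
        elif script and category:  # anything else is a leaf value of the open category
            scripts[script][category].append(item)
    return scripts


def legacy_ssh_algorithms(scripts):
    """Per category, the legacy algorithms the server offers (empty dict = none)."""
    offered = scripts.get("ssh2-enum-algos", {})
    findings = {}
    for category, bad in LEGACY_SSH.items():
        hit = set(offered.get(category, [])) & bad
        if hit:
            findings[category] = sorted(hit)
    return findings


def smbv1_offered(scripts):
    """True if the host still negotiates the SMBv1 dialect (NT LM 0.12)."""
    dialects = scripts.get("smb-protocols", {}).get("dialects", [])
    return any(d.startswith("NT LM 0.12") for d in dialects)


if __name__ == "__main__":
    parsed = parse_nse_output(SAMPLE_OUTPUT)
    print("legacy SSH algorithms offered:", legacy_ssh_algorithms(parsed))
    print("SMBv1 offered:", smbv1_offered(parsed))
```

On the sample this reports the two SHA-1 key exchanges, both host key algorithms and hmac-sha1 as legacy, and SMBv1 as offered; feeding it the saved normal output of a scan over a whole range gives the list of hosts to fix. The parser deliberately keys on indentation and the "name: (count)" shape rather than on script-specific strings, so other NSE scripts with the same nested layout parse too.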
Sources: tux-planet, nmap.org