Skip to content


Nmap ("Network Mapper") is a free and open source utility for network discovery and security auditing.



nmap -p- -oA nmap_fast $(target)
nmap -p- -sV -sC -oA nmap_full $(target)
-Pn - no ICMP (no ping)


Network discovery

Command Description
nmap -PEPM -sP -vvvv -n Perform host discovery using ICMPv4 echo, timestamp and subnet mask request
nmap -PEPM -sP -n Perform host discovery using ICMPv4 echo, timestamp and subnet mask request


Command Description
nmap Scan a single IP
nmap Scan a host
nmap Scan a range of IPs
nmap Scan a subnet
nmap -iL list-of-ips.txt Scan targets from a text file


Command Description
nmap --open Show open ports
nmap -p 22 Scan a single port
nmap -p 1-100 Scan a range of ports
nmap -F Scan 100 most common ports (Fast)
nmap -p- Scan all 65535 ports

Scan type

Command Description
nmap -sS Scan using TCP SYN scan (default)
nmap -sT Scan using TCP connect scan
nmap -sA Scan using TCP ACK scan
nmap -sW Scan using TCP Windows scan
nmap -sM Scan using TCP Maimom scan
nmap -sN TCP Null scan
nmap -sF FIN scan
nmap -sX Xmas scan


Command Description
nmap -sU -p 123,161,162 Scan UDP ports


Category Description
auth These scripts perform authentication bypasses and anonymous querying of services; brute-force password
broadcast Use LAN broadcasting to identify hosts
brute Brute-force password grinding scripts run against exposed network services supporting authentication
default Default NSE scripts run using -sC or -A flags, this category includes intrusive scripts and so should be run only with permission
discovery Active discovery of information from the target environment, through querying open source and performing information gathering tests against exposed network services
dos Denial of service scripts that might impact availability
exploit Script that exploit particular vulnerabilities
external Script that send data to a third-party API or resources (i.e., WHOIS)
fuzzer Script that send randomized data to service
intrusive Those scripts can induce a crash, affect availability, or create content
malware Identify malware using network indicators
safe Script that aren't designed to crash service or impact performance
vuln Script that flag particular vulnerability


Command Description
nmap --script-help=ssl-heartbleed Get help for script
nmap -sV -p 443 --script=ssl-heartbleed.nse Scan using a specific NSE script
nmap -sV --script=smb* Scan with a set of scripts
nmap --script=http-title Gather page title from HTTP services
nmap --script=http-headers Get HTTP headers of web services
nmap --script=http-enum Find web apps from know paths
nmap --script=asn-query,whois,ip-geolocation-maxmind Find information about IP address

Save results

Command Description
nmap -oN output.txt Save result as TXT
nmap -oX output.txt Save result as XML


Command Description
nmap -sV --version-intensity 5 More aggressive service detection
nmap -sV --version-intensity 0 Lighter banner grabbing detection
nmap -Pn -p- Treat all hosts as online -- skip host discovery
nmap -A Detect OS and Services
nmap -sV Standard service detection
nmap -sV -sC Scan using default safe scripts

Script location

find /  -name *.nse 2>/dev/null