Nmap Commands

Command Description

Command	Description
`nmap -p- --min-rate=10000 <Target IP>`	Perform all port scan fast ( Ideal for CTFs not for real world targets )
`nmap -p 1-65535 -T4 -A -v <Target IP>`	Perform intense scan on all TCP ports
`nmap -p ports <Target IP>`	Run Nmap to identify IoT devices using insecure HTTP ports for transmitting data
`nmap -T4 -A -v -Pn <Target IP>`	Perform Intense scan with no ping
`nmap -T4 -A -v -PE -PS -PA Ports URL`	Footprint Web Infrastructure: Service Discovery
`nmap -sn <Target IP>`	Perform ping scan
`nmap -sn <Target IP/Subnet>`	Disable port scanning, host discovery only
`nmap -sn -PR <Target IP>`	ARP Ping Scan
`nmap -sn -PU <Target IP>`	UDP Ping Scan
`nmap -sn -PE <Target IP>`	ICMP ECHO Ping Scan
`nmap -sn -PE <IP range>`	ICMP ECHO Ping Sweep
`nnmap –sn –PP <Target IP>`	ICMP Timestamp Ping Scan
`nmap –sn –PM <Target IP>`	ICMP Address Mask Ping Scan
`nmap –sn –PS <Target IP>`	TCP SYN Ping Scan
`nmap –sn –PA <Target IP>`	TCP ACK Ping Scan
`nmap –sn –PO <Target IP>`	IP Protocol Ping Scan
`nmap -St -v <Target IP>`	TCP Connect/ Full Open Scan
`namp -sS -v <Target IP>`	Stealth Scan (Half-open Scan)
`nmap -sX -v <Target IP>`	Xmas Scan
`nmap -sM -v <Target IP>`	TCP Maimon Scan
`nmap -sA -v <Target IP>`	TCP Connect/ Full Open Scan
`nmap –badsum <Target IP>`	Sending Bad Checksums
`nmap --script smb-os-discovery.nse <Target IP>`	OS Discovery using Nmap Script Engine
`nmap -sV -T4 -O -F –version-light <Target IP>`	Perform quick scan plus
`nmap -sV -T4 -O -F –version-light scanme.nmap.org`	Perform quick scan plus
`nmap -sV –O –p <Target IP> nmap -sV --script http-enum <Target IP>`	NSE scripts to enumerate information about the target website/ web servers
`nmap target IP address -p 80 --script http-frontpage-login`	Checks whether target machines are vulnerable to anonymous Frontpage login
`nmap --script http-passwd --script-args http-passwd.root`	Checks if a web server is vulnerable to directory traversal by attempting to retrieve /etc/passwd or \boot.ini
`nmap -sV --script http-enum <Target domain>`	Analyze Web Applications: Identify exposed Files and Directories of the target webserver
`nmap -iL list-of-ips.txt`	Scan targets from a text file
`nmap --script=sniffer-detect [Target IP Address/Range of IP addresses]`	Command to detect NIC in promiscuous mode
`nmap <Target IP> --data Oxdeadbeef`	Create Custom Packets by Appending Custom Binary Data
`nmap <Target IP> --data-string “ph34r my` \|`33t skills”`	Create Custom Packets by Appending Custom String
`nmap <Target IP> --data-string 5`	Create Custom Packets by Appending Random Data
`nmap –sU –p 500 <Target IP>`	Perform a check on the status of ISAKMP over port 500
`nmap -sR <Target IP/network>`	Identify the RPC service running on the network
`nmap --script hostmap <host>`	Discover virtual domains with hostmap
`nmap --script http-trace -p80 localhost`	Detect a vulnerable server that uses the TRACE method
`nmap --script http-google-email <host>`	Harvest email accounts with http-google-email
`nmap -p80 --script http-userdir -enum localhost`	Enumerate users with http-userdir-enum
`nmap -p80 --script http-trace <host>`	Detect HTTP TRACE
`nmap -p80 --script http-waf-detect --script-args=”http-wafdetect. uri=/testphp. vulnweb.com/artists.php,http-wafdetect.detectBodyChanges” www.modsecurity.org`	Check if web server is protected by WAF/IPS
`nmap --script http-enum -p80 <host>`	Enumerate common web applications
`nmap -p80 --script http-robots.txt <host>`	Obtain robots.txt
`nmap -p80 --script http-test.txt <host>`	Obtain test.txt
`nmap --script=asn-query,whois,ip-geolocation-maxmind <Target IP>`	IP address Information
`nmap --script=http-title <Target IP/ Subnet>`	Gather page titles from HTTP services
`nmap --script=http-headers <Target IP/ Subnet>`	Get HTTP headers of web services
`nmap --script=http-enum <Target IP/ Subnet>`	Find web apps from known paths
`nmap -n -Pn -sSU -pT:0-65535,U:0-65535 -v -A -oX <Name><Target IP>`	Perform complete scan of the IoT device that checks for both TCP and UDP services and ports
`nmap -sS -T4 -A -f -v <Target IP>`	Packet Fragmentation/ SYN/FIN scan using Nmap
`nmap -g 80 <Target IP>`	Source Port Manipulation/ Use given source port number
`nmap –sU –A –PN –n –pU:19,53,123,161 –script=ntp-monlist,dns-recursion,nmp-sysdescr <Target IP/ network>`	Scan for UDP DDOS reflectors
`nmap -6 -n -Pn -sSU -pT:0-65535,U:0-65535 -v -A -oX <Name><Target IP>`	Identify the IPv6 capabilities of a device
`nmap -T4 -A -v <Target IP>`	Perform intense scan
`nmap -T4 -A <Target IP/Subnet>`	Identify vulnerable services on service port by attackers by using RPC Enumeration
`nmap -p 23 <Target Domain>`	Telnet Enumeration
`nmap -p 23 --script telnet-ntlm-info <Target IP>`	Enumerate information from remote Microsoft Telnet services with NTLM authentication enabled
`nmap -p 23 –script telnet-brute.nse –script-args`	Perform brute-force attack against telnet server
`nmap -p 445 -A <Target IP>`	Enumerate SMB service running on the target IP address/ SMB Enumeration
`nmap -p 21 <Target Domain>`	FTP Enumeration
`nmap -p 69 <Target Domain>`	Enumerate TFTP service running on the target domain
`nmap -p 179 <Target IP>`	BGP Enumeration
`nmap -sS -sU -T4 -A -v <Target IP>`	Perform intense scan and scanning for UDP
`nmap -sV -v -p 139,445 <Target IP/Subnet>`	Detect all exposed Netbios servers on the subnet
`nmap -sV -v --script nbstat.nse <Target IP>`	map’s nbstat NSE script allow attackers to retrieve target’s NetBIOS names and MAC addresses
`nmap -sU --script nbstat.nse -p 137 <Target IP address>`	Find target Netbios name
`nmap --script-args=unsafe=1 --script smb-check-vulns.nse -p 445 <Target IP address>`	Check if Netbios servers are vulnerable to MS08-067
`nmap -sV --version-intensity 0 <Target IP>`	Lighter banner grabbing detection
`nmap -sV --version-intensity 5 <Target IP>`	More aggressive Service Detection
`nmap -sV <Target IP>`	Attempts to determine the version of service running/ Standard service detection/ Service Version Discovery in Zenmap
`nmap --script-help=ssl-heartbleed`	Get help for a script
`nmap --script dns-zonetransfer.nse --script-args dns-zonetransfer.domain=<domain> -p53 <hosts>`	Attempts to pull a zone file (AXFR) from a DNS server
`nmap --script http-robots.txt <hosts>`	Harvests robots.txt files from discovered web servers
`nmap --script smb-brute.nse -p445 <hosts>`	Attempts to determine valid username and password combinations via automated guessing
`nmap --script smb-psexec.nse –script-args=smbuser=<username>,smbpass=<password>[,config=<config>] -p445 <hosts>`	Attempts to run a series of programs on the target machine, using credentials provided as scriptargs
`nmap -sV -p 443 --script=ssl-heartbleed <Target IP/Subnet>`	Detect Heartbleed SSL Vulnerability
`nmap <Target IP>-50 -sL --dns-server <Target IP>`	Query the Internal DNS for hosts, list targets only
`nmap -iR 10 -sn -traceroute`	Traceroute to random targets, no port scan
`nmap <Target IP>-1/24 -PR -sn -vv`	Arp discovery only on local network, no port scan
`nmap -iR 10 -PS22-25,80,113,1050,35000 -v -sn`	Discovery only on ports x, no port scan
`nmap -sP <Target IP/Subnet>`	Ping scans the network, listing machines that respond to ping
`nmap -v -sS -A -T4 <Target IP>`	Prints verbose output, runs stealth syn scan, T4 timing, OS and version detection, traceroute and scripts against target services
`nmap -v -sV -O -sS -T5 <Target IP>`	Prints verbose output, runs stealth syn scan, T5 timing, OS and version detection
`nmap -iL ip-addresses.txt`	Scans a list of IP addresses
`nmap — script-args=unsafe=1 —script smb-check-vulns.nse -p 445 <Target IP>`	Check if Netbios servers are vulnerable to MS08–067
`nmap –Pn –p- -sI zombie target`	Attack
`nmap –b ftp rely host`	FTP Bounce Scan :@:. is the name or IP address of a vulnerable FTP server
`nmap -T0 <Target IP>`	Paranoid (0) Intrusion Detection System evasion
`nmap -T1 <Target IP>`	Sneaky (1) Intrusion Detection System evasion
`nmap -T2 <Target IP>`	Polite (2) slows down the scan to use less bandwidth and use less target machine resources
`nmap -T3 <Target IP>`	Normal (3) default speed
`nmap -T4 <Target IP>`	Aggressive (4) speeds scan; assumes you are on a reasonably fast and reliable network
`nmap -T5 <Target IP>`	Insane (5) speeds scan; assumes you are on extraordinarily fast network
`nmap --script=ftp <Target IP>`	Scan with a single script
`nmap --script=http* <Target IP>`	Scan with a wildcard script
`nmap --script=banner,http <Target IP>`	Scan with two scripts
`nmap --script "not intrusive" <Target IP>`	Scan default, but remove intrusive scripts
`nmap -Pn --script=http-sitemap-generator xyz.com`	HTTP site map generator
`nmap -n -Pn -p 80 --open -sV -vvv --script banner,http-title -iR 1000`	Fast search for random web servers
`nmap -Pn --script=dns-brute xyz.com`	Brute forces DNS hostnames guessing subdomain
`nmap -n -Pn -vv -O -sV --script smb-enum,smb-ls,smb-mbenum,smb-os-discovery,smb-s,smb-vuln,smbv2 -vv <Target IP>`	Safe SMB scripts to run
`nmap --script whois*<Target Domain>`	Whois query
`nmap -p80 --script http-unsafe-output-escaping <Target Website>`	Detect cross site scripting vulnerabilities
`nmap -p80 --script http-sql-injection <Target>`	Check for SQL injections
`nmap --data-length x <Target IP>`	Appends random data to sent packets
`nmap -oN file.file --append-output <Target IP>`	Append a scan to a previous scan file
`nmap --iflist`	Shows the host interface and routes
`nmap -6 2607:f0d2:5664:51::5`	Enable IPV6 scanning
`nmap -T0 -b username:password@ftpserver.tld :21 victim.tld`	Uses the username “username”, the password “password”, the FTP server “ftpserver.tld” and port 21 on said server to scan victim.tld.
`nmap -sU -sT -p U:[ports],T:[ports] <Target IP>`	Scan ports by protocol
`nmap -sV –version-trace <Target IP>`	Troubleshooting version scans
`nmap –script [script.nse] <Target IP>`	Execute individual scripts
`nmap –script [expression] <Target IP>`	Execute multiple scripts
`nmap –script [category] <Target IP>`	Execute scripts by category
`nmap –script [category1,category2, etc]`	Execute multiple scripts categories
`nmap –script [script] –script-trace <Target IP>`	Troubleshoot scripts
`$ docker -H <docker host> run --network=host --rm marsmensch/nmap -ox <IP Range>`	Use Nmap to scan the host’s internal network to identify running services
`ndiff [scan1.xml] [scan2.xml]`	Comparison using Ndiff
`ndiff -v [scan1.xml] [scan2.xml]`	Ndiff verbose mode
`ndiff –xml [scan1.xm]`	XML output mode

nmap -p- --min-rate=10000 <Target IP>

Perform all port scan fast ( Ideal for CTFs not for real world targets )

nmap -p 1-65535 -T4 -A -v <Target IP>

Perform intense scan on all TCP ports

nmap -p ports <Target IP>

Run Nmap to identify IoT devices using insecure HTTP ports for transmitting data

nmap -T4 -A -v -Pn <Target IP>

Perform Intense scan with no ping

nmap -T4 -A -v -PE -PS -PA Ports URL

Footprint Web Infrastructure: Service Discovery

nmap -sn <Target IP>

Perform ping scan

nmap -sn <Target IP/Subnet>

Disable port scanning, host discovery only

nmap -sn -PR <Target IP>

ARP Ping Scan

nmap -sn -PU <Target IP>

UDP Ping Scan

nmap -sn -PE <Target IP>

ICMP ECHO Ping Scan

nmap -sn -PE <IP range>

ICMP ECHO Ping Sweep

nnmap –sn –PP <Target IP>

ICMP Timestamp Ping Scan

nmap –sn –PM <Target IP>

ICMP Address Mask Ping Scan

nmap –sn –PS <Target IP>

TCP SYN Ping Scan

nmap –sn –PA <Target IP>

TCP ACK Ping Scan

nmap –sn –PO <Target IP>

IP Protocol Ping Scan

nmap -St -v <Target IP>

TCP Connect/ Full Open Scan

namp -sS -v <Target IP>

Stealth Scan (Half-open Scan)

nmap -sX -v <Target IP>

Xmas Scan

nmap -sM -v <Target IP>

TCP Maimon Scan

nmap -sA -v <Target IP>

TCP Connect/ Full Open Scan

nmap –badsum <Target IP>

Sending Bad Checksums

nmap --script smb-os-discovery.nse <Target IP>

OS Discovery using Nmap Script Engine

nmap -sV -T4 -O -F –version-light <Target IP>

Perform quick scan plus

nmap -sV -T4 -O -F –version-light scanme.nmap.org

Perform quick scan plus

nmap -sV –O –p <Target IP> nmap -sV --script http-enum <Target IP>

NSE scripts to enumerate information about the target website/ web servers

nmap target IP address -p 80 --script http-frontpage-login

Checks whether target machines are vulnerable to anonymous Frontpage login

nmap --script http-passwd --script-args http-passwd.root

Checks if a web server is vulnerable to directory traversal by attempting to retrieve /etc/passwd or \boot.ini

nmap -sV --script http-enum <Target domain>

Analyze Web Applications: Identify exposed Files and Directories of the target webserver

nmap -iL list-of-ips.txt

Scan targets from a text file

nmap --script=sniffer-detect [Target IP Address/Range of IP addresses]

Command to detect NIC in promiscuous mode

nmap <Target IP> --data Oxdeadbeef

Create Custom Packets by Appending Custom Binary Data

nmap <Target IP> --data-string “ph34r my |33t skills”

Create Custom Packets by Appending Custom String

nmap <Target IP> --data-string 5

Create Custom Packets by Appending Random Data

nmap –sU –p 500 <Target IP>

Perform a check on the status of ISAKMP over port 500

nmap -sR <Target IP/network>

Identify the RPC service running on the network

nmap --script hostmap <host>

Discover virtual domains with hostmap

nmap --script http-trace -p80 localhost

Detect a vulnerable server that uses the TRACE method

nmap --script http-google-email <host>

Harvest email accounts with http-google-email

nmap -p80 --script http-userdir -enum localhost

Enumerate users with http-userdir-enum

nmap -p80 --script http-trace <host>

Detect HTTP TRACE

nmap -p80 --script http-waf-detect --script-args=”http-wafdetect. uri=/testphp. vulnweb.com/artists.php,http-wafdetect.detectBodyChanges” www.modsecurity.org

Check if web server is protected by WAF/IPS

nmap --script http-enum -p80 <host>

Enumerate common web applications

nmap -p80 --script http-robots.txt <host>

Obtain robots.txt

nmap -p80 --script http-test.txt <host>

Obtain test.txt

nmap --script=asn-query,whois,ip-geolocation-maxmind <Target IP>

IP address Information

nmap --script=http-title <Target IP/ Subnet>

Gather page titles from HTTP services

nmap --script=http-headers <Target IP/ Subnet>

Get HTTP headers of web services

nmap --script=http-enum <Target IP/ Subnet>

Find web apps from known paths

nmap -n -Pn -sSU -pT:0-65535,U:0-65535 -v -A -oX <Name><Target IP>

Perform complete scan of the IoT device that checks for both TCP and UDP services and ports

nmap -sS -T4 -A -f -v <Target IP>

Packet Fragmentation/ SYN/FIN scan using Nmap

nmap -g 80 <Target IP>

Source Port Manipulation/ Use given source port number

nmap –sU –A –PN –n –pU:19,53,123,161 –script=ntp-monlist,dns-recursion,nmp-sysdescr <Target IP/ network>

Scan for UDP DDOS reflectors

nmap -6 -n -Pn -sSU -pT:0-65535,U:0-65535 -v -A -oX <Name><Target IP>

Identify the IPv6 capabilities of a device

nmap -T4 -A -v <Target IP>

Perform intense scan

nmap -T4 -A <Target IP/Subnet>

Identify vulnerable services on service port by attackers by using RPC Enumeration

nmap -p 23 <Target Domain>

Telnet Enumeration

nmap -p 23 --script telnet-ntlm-info <Target IP>

Enumerate information from remote Microsoft Telnet services with NTLM authentication enabled

nmap -p 23 –script telnet-brute.nse –script-args

Perform brute-force attack against telnet server

nmap -p 445 -A <Target IP>

Enumerate SMB service running on the target IP address/ SMB Enumeration

nmap -p 21 <Target Domain>

FTP Enumeration

nmap -p 69 <Target Domain>

Enumerate TFTP service running on the target domain

nmap -p 179 <Target IP>

BGP Enumeration

nmap -sS -sU -T4 -A -v <Target IP>

Perform intense scan and scanning for UDP

nmap -sV -v -p 139,445 <Target IP/Subnet>

Detect all exposed Netbios servers on the subnet

nmap -sV -v --script nbstat.nse <Target IP>

map’s nbstat NSE script allow attackers to retrieve target’s NetBIOS names and MAC addresses

nmap -sU --script nbstat.nse -p 137 <Target IP address>

Find target Netbios name

nmap --script-args=unsafe=1 --script smb-check-vulns.nse -p 445 <Target IP address>

Check if Netbios servers are vulnerable to MS08-067

nmap -sV --version-intensity 0 <Target IP>

Lighter banner grabbing detection

nmap -sV --version-intensity 5 <Target IP>

More aggressive Service Detection

nmap -sV <Target IP>

Attempts to determine the version of service running/ Standard service detection/ Service Version Discovery in Zenmap

nmap --script-help=ssl-heartbleed

Get help for a script

nmap --script dns-zonetransfer.nse --script-args dns-zonetransfer.domain=<domain> -p53 <hosts>

Attempts to pull a zone file (AXFR) from a DNS server

nmap --script http-robots.txt <hosts>

Harvests robots.txt files from discovered web servers

nmap --script smb-brute.nse -p445 <hosts>

Attempts to determine valid username and password combinations via automated guessing

nmap --script smb-psexec.nse –script-args=smbuser=<username>,smbpass=<password>[,config=<config>] -p445 <hosts>

Attempts to run a series of programs on the target machine, using credentials provided as scriptargs

nmap -sV -p 443 --script=ssl-heartbleed <Target IP/Subnet>

Detect Heartbleed SSL Vulnerability

nmap <Target IP>-50 -sL --dns-server <Target IP>

Query the Internal DNS for hosts, list targets only

nmap -iR 10 -sn -traceroute

Traceroute to random targets, no port scan

nmap <Target IP>-1/24 -PR -sn -vv

Arp discovery only on local network, no port scan

nmap -iR 10 -PS22-25,80,113,1050,35000 -v -sn

Discovery only on ports x, no port scan

nmap -sP <Target IP/Subnet>

Ping scans the network, listing machines that respond to ping

nmap -v -sS -A -T4 <Target IP>

Prints verbose output, runs stealth syn scan, T4 timing, OS and version detection, traceroute and scripts against target services

nmap -v -sV -O -sS -T5 <Target IP>

Prints verbose output, runs stealth syn scan, T5 timing, OS and version detection

nmap -iL ip-addresses.txt

Scans a list of IP addresses

nmap — script-args=unsafe=1 —script smb-check-vulns.nse -p 445 <Target IP>

Check if Netbios servers are vulnerable to MS08–067

nmap –Pn –p- -sI zombie target

Attack

nmap –b ftp rely host

FTP Bounce Scan :@:. is the name or IP address of a vulnerable FTP server

nmap -T0 <Target IP>

Paranoid (0) Intrusion Detection System evasion

nmap -T1 <Target IP>

Sneaky (1) Intrusion Detection System evasion

nmap -T2 <Target IP>

Polite (2) slows down the scan to use less bandwidth and use less target machine resources

nmap -T3 <Target IP>

Normal (3) default speed

nmap -T4 <Target IP>

Aggressive (4) speeds scan; assumes you are on a reasonably fast and reliable network

nmap -T5 <Target IP>

Insane (5) speeds scan; assumes you are on extraordinarily fast network

nmap --script=ftp <Target IP>

Scan with a single script

nmap --script=http* <Target IP>

Scan with a wildcard script

nmap --script=banner,http <Target IP>

Scan with two scripts

nmap --script "not intrusive" <Target IP>

Scan default, but remove intrusive scripts

nmap -Pn --script=http-sitemap-generator xyz.com

HTTP site map generator

nmap -n -Pn -p 80 --open -sV -vvv --script banner,http-title -iR 1000

Fast search for random web servers

nmap -Pn --script=dns-brute xyz.com

Brute forces DNS hostnames guessing subdomain

nmap -n -Pn -vv -O -sV --script smb-enum*,smb-ls,smb-mbenum,smb-os-discovery,smb-s*,smb-vuln*,smbv2* -vv <Target IP>

Safe SMB scripts to run

nmap --script whois*<Target Domain>

Whois query

nmap -p80 --script http-unsafe-output-escaping <Target Website>

Detect cross site scripting vulnerabilities

nmap -p80 --script http-sql-injection <Target>

Check for SQL injections

nmap --data-length x <Target IP>

Appends random data to sent packets

nmap -oN file.file --append-output <Target IP>

Append a scan to a previous scan file

nmap --iflist

Shows the host interface and routes

nmap -6 2607:f0d2:5664:51::5

Enable IPV6 scanning

nmap -T0 -b username:password@ftpserver.tld :21 victim.tld

Uses the username “username”, the password “password”, the FTP server “ftpserver.tld” and port 21 on said server to scan victim.tld.

nmap -sU -sT -p U:[ports],T:[ports] <Target IP>

Scan ports by protocol

nmap -sV –version-trace <Target IP>

Troubleshooting version scans

nmap –script [script.nse] <Target IP>

Execute individual scripts

nmap –script [expression] <Target IP>

Execute multiple scripts

nmap –script [category] <Target IP>

Execute scripts by category

nmap –script [category1,category2, etc]

Execute multiple scripts categories

nmap –script [script] –script-trace <Target IP>

Troubleshoot scripts

$ docker -H <docker host> run --network=host --rm marsmensch/nmap -ox <IP Range>

Use Nmap to scan the host’s internal network to identify running services

ndiff [scan1.xml] [scan2.xml]

Comparison using Ndiff

ndiff -v [scan1.xml] [scan2.xml]

Ndiff verbose mode

ndiff –xml [scan1.xm]

XML output mode

PreviousNmap Port Scan Types NextNmap Port Selection

Last updated 8 months ago