Kernel of Truth

Top 50 Nmap Commands

Top 50 Nmap Commands for Cybersecurity Engineers

Basic Discovery Commands

1. nmap -sn 192.168.1.0/24

Ping sweep of network range

  • Discovers live hosts without port scanning
  • Use for initial network reconnaissance and asset discovery
  • -sn disables port scan, only does host discovery

2. nmap -sL 192.168.1.0/24

List scan – no packets sent to the targets

  • Shows what hosts would be scanned without actually scanning
  • Useful for DNS reverse lookups and target validation
  • Good for planning scans and avoiding accidental scans

3. nmap 192.168.1.1

Basic scan of single host

  • Scans top 1000 most common ports
  • Default TCP SYN scan for privileged users
  • Starting point for most penetration tests

4. nmap 192.168.1.1-10

Scan range of IP addresses

  • Scans multiple consecutive hosts
  • Efficient for small subnet segments
  • Alternative to CIDR notation for specific ranges

5. nmap -iL targets.txt

Scan targets from file

  • Reads target list from text file
  • Essential for large-scale assessments
  • Supports various input formats (IPs, hostnames, ranges)

Port Scanning Techniques

6. nmap -sS 192.168.1.1

TCP SYN scan (stealth scan)

  • Half-open scan, doesn’t complete three-way handshake
  • Stealthier than full TCP connect
  • Default scan type for privileged users

7. nmap -sT 192.168.1.1

TCP connect scan

  • Full TCP connection established
  • More detectable but works without root privileges
  • Used when SYN scan isn’t possible

8. nmap -sU 192.168.1.1

UDP scan

  • Scans UDP ports (often overlooked)
  • Critical for finding DNS, SNMP, DHCP services
  • Slower than TCP scans but essential for complete assessment

9. nmap -sA 192.168.1.1

TCP ACK scan

  • Determines firewall rules and port filtering
  • Doesn’t determine if ports are open/closed
  • Useful for firewall mapping and rule discovery

10. nmap -sW 192.168.1.1

TCP Window scan

  • Exploits TCP window size implementation differences
  • Can determine open ports on some systems
  • Alternative when other scans are blocked

Port Specification

11. nmap -p 80,443 192.168.1.1

Scan specific ports

  • Targets only specified ports
  • Faster than full port scans
  • Use when you know target services

12. nmap -p 1-65535 192.168.1.1

Full port scan

  • Scans all possible TCP ports
  • Comprehensive but time-consuming
  • Essential for thorough security assessments

13. nmap -p- 192.168.1.1

Scan all ports (shorthand)

  • Same as above but shorter syntax
  • Scans ports 1-65535
  • Use for complete port enumeration

14. nmap --top-ports 100 192.168.1.1

Scan top N most common ports

  • Focuses on most likely open ports
  • Balances speed with coverage
  • Good for quick assessments

15. nmap -F 192.168.1.1

Fast scan mode

  • Scans top 100 most common ports
  • Quick reconnaissance option
  • Useful for initial discovery

Timing and Performance

16. nmap -T4 192.168.1.1

Aggressive timing template

  • Faster scan with higher bandwidth usage
  • T0-T5 scale (paranoid to insane)
  • T4 good balance of speed and stealth

17. nmap -T1 192.168.1.1

Slow/sneaky timing

  • Evades intrusion detection systems
  • Much slower but stealthier
  • Use when stealth is priority over speed

18. nmap --min-rate 1000 192.168.1.1

Minimum packet rate

  • Ensures minimum packets per second
  • Controls scan speed more precisely
  • Useful for time-constrained assessments

19. nmap --max-retries 2 192.168.1.1

Limit retry attempts

  • Reduces scan time on unresponsive hosts
  • Prevents hanging on filtered ports
  • Improves overall scan efficiency

Service and Version Detection

20. nmap -sV 192.168.1.1

Service version detection

  • Identifies service versions on open ports
  • Critical for vulnerability assessment
  • Enables targeted exploit selection

21. nmap -sV --version-intensity 9 192.168.1.1

Aggressive version detection

  • Maximum probes for version identification
  • More accurate but slower and noisier
  • Use when detailed version info needed

22. nmap -sC 192.168.1.1

Default script scan

  • Runs default NSE scripts
  • Equivalent to --script=default
  • Good balance of useful scripts

23. nmap -A 192.168.1.1

Aggressive scan options

  • Combines -sV, -sC, -O, and traceroute
  • Comprehensive information gathering
  • Noisy but very informative

Operating System Detection

24. nmap -O 192.168.1.1

Operating system detection

  • Identifies target OS using TCP/IP fingerprinting
  • Essential for exploit selection
  • Requires at least one open port

25. nmap -O --osscan-guess 192.168.1.1

Aggressive OS detection

  • Forces OS detection even with limited info
  • More aggressive fingerprinting
  • Use when standard OS detection fails

NSE Scripts

26. nmap --script vuln 192.168.1.1

Vulnerability detection scripts

  • Runs scripts that check for known vulnerabilities
  • Automated vulnerability discovery
  • Essential for security assessments

27. nmap --script=http-enum 192.168.1.1

HTTP enumeration

  • Discovers web directories and files
  • Finds common web application paths
  • Critical for web application testing

28. nmap --script="smb-vuln*" 192.168.1.1

SMB vulnerability scripts

  • Checks for SMB-related vulnerabilities
  • Includes EternalBlue, MS17-010 checks
  • Essential for Windows network assessments

29. nmap --script=ssl-enum-ciphers -p 443 192.168.1.1

SSL/TLS cipher enumeration

  • Lists supported SSL/TLS ciphers
  • Identifies weak encryption
  • Important for HTTPS security assessment

30. nmap --script=dns-brute domain.com

DNS subdomain brute force

  • Discovers subdomains through brute force
  • Expands attack surface discovery
  • Use for comprehensive domain reconnaissance

Firewall Evasion

31. nmap -f 192.168.1.1

Fragment packets

  • Splits packets to evade firewalls
  • Can bypass simple packet filters
  • Use when normal scans are blocked

32. nmap -D RND:10 192.168.1.1

Decoy scan

  • Uses random decoy IP addresses
  • Hides true source of scan
  • Makes attribution more difficult

33. nmap -S 192.168.1.100 192.168.1.1

Spoof source IP

  • Appears to come from different IP
  • Requires raw packet crafting
  • Use for attribution evasion

34. nmap --source-port 53 192.168.1.1

Specify source port

  • Some firewalls allow traffic from specific ports
  • Port 53 (DNS) often allowed outbound
  • Useful for firewall bypass

Output and Reporting

35. nmap -oA scan_results 192.168.1.1

Output all formats

  • Creates .nmap, .xml, and .gnmap files
  • Comprehensive output for analysis
  • Standard practice for documentation

36. nmap -oX results.xml 192.168.1.1

XML output

  • Machine-readable format
  • Easy to parse and import
  • Required for many security tools

37. nmap -oG greppable.txt 192.168.1.1

Greppable output

  • One line per host format
  • Easy to grep and filter
  • Good for quick analysis
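As an added example (not part of the original cheat sheet), a small Python parser for the -oG format produced by command 37, run over a constructed sample rather than a real scan. It assumes the standard grepable layout: tab-separated fields after `Host:`, and port entries shaped `port/state/proto/owner/service/rpc/version/`.

```python
import re

# Constructed sample of Nmap -oG (grepable) output, not captured from a real scan.
SAMPLE_GNMAP = (
    "# Nmap 7.94 scan initiated as: nmap -sV -oG greppable.txt 192.168.1.0/29\n"
    "Host: 192.168.1.1 ()\tStatus: Up\n"
    "Host: 192.168.1.1 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, "
    "80/open/tcp//http//nginx 1.18.0/, 443/filtered/tcp//https///"
    "\tIgnored State: closed (997)\n"
    "Host: 192.168.1.2 ()\tStatus: Down\n"
    "Host: 192.168.1.5 (fileserver.lan)\tPorts: 445/open/tcp//microsoft-ds///"
    "\tIgnored State: closed (999)\n"
    "# Nmap done -- 8 IP addresses (2 hosts up) scanned in 12.34 seconds\n"
)

# One port entry is port/state/proto/owner/service/rpc/version/ (seven slashes).
PORT_RE = re.compile(r"(\d+)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/")
HOST_RE = re.compile(r"Host:\s+(\S+)\s+\((.*?)\)")

def parse_grepable(text):
    """Return {ip: {"hostname", "status", "ports": [...]}} from -oG text."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                      # skip '# Nmap ...' header/footer lines
        fields = line.split("\t")         # fields are tab separated
        ip, hostname = HOST_RE.match(fields[0]).groups()
        entry = hosts.setdefault(ip, {"hostname": hostname, "status": None, "ports": []})
        for field in fields[1:]:
            key, _, value = field.partition(": ")
            if key == "Status":
                entry["status"] = value
            elif key == "Ports":
                # A host that reports ports is up even if no Status line was emitted.
                entry["status"] = entry["status"] or "Up"
                for port, state, proto, _owner, service, _rpc, version in PORT_RE.findall(value):
                    entry["ports"].append({"port": int(port), "state": state, "proto": proto,
                                           "service": service, "version": version})
    return hosts

def open_ports(hosts, ip):
    """(port, proto, service) tuples for ports reported open on one host."""
    return [(p["port"], p["proto"], p["service"])
            for p in hosts.get(ip, {"ports": []})["ports"] if p["state"] == "open"]

def up_hosts(hosts):
    """IPs marked Up, which is all a -sn sweep writes to the file."""
    return sorted(ip for ip, h in hosts.items() if h["status"] == "Up")
```

Feed `parse_grepable` the contents of the .gnmap file written by -oA or -oG; `up_hosts` then gives the asset list and `open_ports` the exposed services per host.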

38. nmap -v 192.168.1.1

Verbose output

  • Shows scan progress and details
  • Helpful for troubleshooting
  • Use -vv for even more verbosity

Advanced Techniques

39. nmap --script=broadcast

Broadcast discovery

  • Discovers hosts using broadcast protocols
  • Finds devices not responding to ping
  • Useful in restrictive network environments

40. nmap --script=snmp-brute 192.168.1.1

SNMP community string brute force

  • Tests common SNMP community strings
  • Can reveal network device information
  • Critical for network infrastructure assessment

41. nmap -6 2001:db8::1

IPv6 scanning

  • Scans IPv6 addresses
  • Important as IPv6 adoption grows
  • Often overlooked in security assessments

42. nmap --traceroute 192.168.1.1

Include traceroute

  • Shows network path to target
  • Reveals network topology
  • Useful for understanding network architecture

43. nmap --script=http-methods 192.168.1.1

HTTP methods enumeration

  • Lists allowed HTTP methods
  • Identifies dangerous methods (PUT, DELETE)
  • Important for web application security

44. nmap --script=ftp-anon 192.168.1.1

Anonymous FTP access

  • Checks for anonymous FTP login
  • Common misconfiguration
  • Quick way to find data exposure

Specialized Scans

45. nmap --script=mysql-empty-password 192.168.1.1

MySQL empty password check

  • Tests for MySQL accounts without passwords
  • Common database misconfiguration
  • Critical security vulnerability

46. nmap -sn --script=broadcast-dhcp-discover

DHCP server discovery

  • Finds rogue DHCP servers
  • Important for network security
  • Detects potential man-in-the-middle attacks

47. nmap --script=smb-os-discovery 192.168.1.1

SMB OS and version detection

  • Detailed Windows system information
  • Identifies exact Windows version
  • Essential for Windows environment assessment

48. nmap --script=http-title 192.168.1.1

HTTP title grabbing

  • Extracts web page titles
  • Helps identify web applications
  • Quick way to inventory web services

49. nmap --resume scan_results.xml

Resume interrupted scan

  • Continues previously interrupted scan
  • Saves time on large assessments
  • Essential for long-running scans

50. nmap --script=banner 192.168.1.1

Banner grabbing

  • Collects service banners
  • Reveals software versions
  • Foundation of vulnerability assessment

Best Practices

  • Always obtain proper authorization before scanning
  • Use appropriate timing based on network sensitivity
  • Combine multiple techniques for comprehensive assessment
  • Document all findings with proper output formats
  • Consider network impact and adjust scan intensity accordingly
  • Keep Nmap updated for latest features and scripts
  • Understand legal implications in your jurisdiction