Nmap#

The network mapper. Host discovery, port scanning, service and version detection, OS fingerprinting, and a scripting engine (NSE) for everything from banner grabs to vuln checks.

Setup#

Install on Debian-family, confirm the version, refresh the script database, and grant the raw-socket capability so the binary can run privileged scans without sudo.

Command

Action

sudo apt install nmap

install on Debian / Ubuntu

nmap --version

confirm version and feature flags

nmap --script-updatedb

refresh the NSE script index

sudo setcap cap_net_raw,cap_net_admin,cap_net_bind_service+eip "$(command -v nmap)"

grant raw-socket capability for non-root SYN scans

Host Discovery#

Find hosts on the network. -sn is the ping-sweep mode (no port scan); -Pn skips discovery and treats every target as up. Combine ICMP, ARP, and TCP probes for tighter answers on filtered networks.

Command

Action

nmap -sn 10.0.0.0/24

ping sweep across a /24

nmap -sn --send-ip 10.0.0.0/24

force IP-layer probes on local subnet (skip ARP)

nmap -Pn 10.0.0.5

skip discovery, treat as up

nmap -PE -PS22,80,443 -PA80 10.0.0.0/24

ICMP-echo + TCP SYN + ACK probes

nmap -PR 10.0.0.0/24

ARP-only discovery on local segment

nmap -n --dns-servers 1.1.1.1 10.0.0.0/24

disable reverse DNS / set a resolver

nmap -iL targets.txt

read targets from a file

nmap --exclude 10.0.0.1,10.0.0.250 10.0.0.0/24

exclude specific hosts

Port Scanning#

Pick a scan technique and a port range. -sS is the SYN / half-open default; -sT is the unprivileged full-connect; -sU is UDP (slow). -T<n> sets the timing template; -T4 is the typical baseline, -T2 for stealth.

Command

Action

nmap 10.0.0.5

default scan (top 1000 TCP ports)

nmap -p- 10.0.0.5

all 65535 TCP ports

nmap -p 22,80,443,8000-8100 10.0.0.5

specific ports and ranges

nmap --top-ports 1000 10.0.0.0/24

the 1000 most common ports

nmap -sS -T4 10.0.0.5

SYN scan, aggressive timing

nmap -sT 10.0.0.5

full TCP-connect (no raw sockets needed)

nmap -sU --top-ports 50 10.0.0.5

top-50 UDP ports

nmap -sN 10.0.0.5

NULL scan (no flags)

nmap -sF 10.0.0.5

FIN scan

nmap -sX 10.0.0.5

Xmas scan (FIN, PSH, URG)

nmap -sA 10.0.0.5

ACK scan (firewall ruleset mapping)

nmap --reason 10.0.0.5

explain why a port is open / closed / filtered

Service and OS#

Banner-grab to identify services and versions, then fingerprint the operating system from response timing and TCP/IP quirks. -A bundles -sV -O --traceroute --script=default for a one-shot “tell me everything” pass.

Command

Action

nmap -sV 10.0.0.5

service / version detection

nmap -sV --version-intensity 9 10.0.0.5

exhaustive version probes

nmap -sV --version-light 10.0.0.5

faster, fewer probes

nmap -O 10.0.0.5

OS fingerprint

nmap -O --osscan-guess 10.0.0.5

guess OS even on weak match

nmap --traceroute 10.0.0.5

traceroute to target

nmap -A 10.0.0.5

aggregate: -sV -O --traceroute --script=default

NSE Scripts#

The Nmap Scripting Engine. default runs the safe-by-default set; vuln runs vulnerability checks; * globs match by service family. Scripts live under /usr/share/nmap/scripts/; --script-help describes their args.

Command

Action

nmap --script=default 10.0.0.5

run the default-category scripts

nmap --script=vuln 10.0.0.5

run vulnerability scripts

nmap --script=safe 10.0.0.5

run only scripts marked safe

nmap --script "http-*" -p 80,443 10.0.0.5

all HTTP-prefixed scripts

nmap --script smb-enum-shares,smb-os-discovery -p 445 10.0.0.5

specific SMB scripts

nmap --script ssh-brute --script-args userdb=u.txt,passdb=p.txt -p 22 10.0.0.5

script with arguments

nmap --script-help "ssh-*"

read help for matching scripts

nmap --script-trace --script=default 10.0.0.5

trace script execution for debugging

locate nse | head

list installed scripts on disk

Stealth and Evasion#

Slow the scan, fragment packets, spoof source addresses, and pick trusted source ports. Note that aggressive evasion still leaves fingerprints in modern IDS and EDR; use this only with authorization (engagement scope, CTF, lab).

Command

Action

sudo nmap -sS -T2 10.0.0.5

polite timing

sudo nmap -sS -T1 10.0.0.5

sneaky timing (very slow)

sudo nmap -sS -f 10.0.0.5

fragment packets (small MTU)

sudo nmap -sS --mtu 24 10.0.0.5

custom MTU for fragmentation

sudo nmap --scan-delay 1s --max-retries 1 10.0.0.5

delay between probes, fewer retries

sudo nmap -D RND:5 10.0.0.5

5 random decoy source IPs

sudo nmap -D 10.0.0.10,10.0.0.20,ME 10.0.0.5

explicit decoys plus the real source

sudo nmap -S 10.0.0.99 -e eth0 10.0.0.5

spoof source IP (requires interface)

sudo nmap --source-port 53 -sS -p 80 10.0.0.5

fixed source port (DNS, NTP)

sudo nmap --data-length 50 10.0.0.5

append random payload bytes

sudo nmap --badsum 10.0.0.5

send invalid TCP / UDP checksums

Output#

Five output flavours. -oA writes all three primary formats (normal, XML, grepable). XML is the format other tools (Metasploit, ndiff, automation pipelines) actually want.

Command

Action

nmap -oN scan.nmap 10.0.0.5

normal (human-readable) output

nmap -oX scan.xml 10.0.0.5

XML output (machine-readable)

nmap -oG scan.gnmap 10.0.0.5

grepable output (one host per line)

nmap -oA scan 10.0.0.5

write normal + XML + grepable

nmap -oN - 10.0.0.5

normal output to stdout

nmap --append-output -oN scan.nmap 10.0.0.5

append rather than overwrite

xsltproc scan.xml -o scan.html

render XML to HTML

ndiff before.xml after.xml

diff two XML scans