Nmap Reference
Free reference guide: Nmap Reference
About Nmap Reference
This Nmap Reference is a searchable cheat sheet covering all major Nmap commands, including host discovery techniques (ping scan, TCP SYN/ACK ping, UDP ping, ICMP echo, target list loading), and port scanning methods (SYN stealth scan, TCP connect, UDP scan, NULL/FIN/Xmas scans, timing templates).
The reference provides detailed coverage of service version detection with adjustable intensity levels, OS fingerprinting with aggressive guessing options, and the Nmap Scripting Engine (NSE) including vulnerability scanning, SMB enumeration, HTTP directory brute-forcing, SSL certificate inspection, and custom script argument passing.
It also includes output format options for saving scan results in normal text, XML, and grepable formats, along with verbosity and debug flags for troubleshooting scan behavior during security assessments and network audits.
Key Features
- Host discovery commands: ping scan (-sn), skip ping (-Pn), TCP SYN/ACK ping, UDP ping, ICMP echo
- Port scanning methods: SYN stealth (-sS), TCP connect (-sT), UDP (-sU), NULL/FIN/Xmas, and timing templates (T0-T5)
- Flexible port specification: individual ports, ranges, all ports (-p-), and top-N most common ports
- Service version detection (-sV) with configurable intensity and aggressive mode (-A)
- OS fingerprinting (-O) with aggressive guessing and traceroute network path analysis
- NSE scripts for vulnerability scanning, SMB enumeration, HTTP brute-forcing, and SSL certificate checks
- Output in normal (-oN), XML (-oX), grepable (-oG), or all formats simultaneously (-oA)
- Verbose (-v/-vv) and debug (-d/-dd) output modes for detailed scan analysis
Frequently Asked Questions
What is the difference between SYN scan (-sS) and TCP connect scan (-sT)?
SYN scan (-sS) sends a SYN packet and analyzes the response without completing the TCP handshake, making it stealthier and faster. It is the default scan type when Nmap runs with root/admin privileges, which raw-packet scanning requires. TCP connect scan (-sT) completes the full three-way handshake, which is more detectable but does not require elevated privileges and works when raw packets are unavailable.
How do I scan all 65535 ports on a target?
Use nmap -p- <target> to scan all 65535 TCP ports. For a faster scan of only the most common ports, use --top-ports 100 or --top-ports 1000. You can also specify exact ports with -p 22,80,443 or port ranges with -p 1-1000. Combining with -T4 speeds up the scan using aggressive timing.
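As an added example that is not part of the reference itself, the following Python function expands the -p port syntax described above (comma lists, ranges, open-ended ranges, and the bare "-" for all 65535 ports) into a validated, de-duplicated port list. This is useful for checking a scan's scope against an engagement's allowed ports before running it. The function and its names are my own; it does not handle the T:/U: protocol prefixes or service names that Nmap also accepts.

```python
MAX_PORT = 65535


def expand_port_spec(spec: str) -> list:
    """Expand an Nmap-style -p argument into a sorted list of unique ports.

    Supported forms (all appear in the reference above):
      "22,80,443"   comma-separated individual ports
      "1-1000"      inclusive range
      "1000-"       open-ended range up to 65535
      "-1024"       open-ended range down from port 1
      "-"           every port, 1-65535 (what -p- means)
    Port 0, T:/U: prefixes and service names are out of scope here.
    """
    ports = set()
    for item in spec.replace(" ", "").split(","):
        if not item:
            raise ValueError("empty entry in port specification: %r" % spec)
        if item == "-":
            lo, hi = 1, MAX_PORT
        elif "-" in item:
            lo_s, hi_s = item.split("-", 1)
            lo = int(lo_s) if lo_s else 1
            hi = int(hi_s) if hi_s else MAX_PORT
        else:
            lo = hi = int(item)
        if not (1 <= lo <= hi <= MAX_PORT):
            raise ValueError("invalid port range %r (must lie within 1-%d)"
                             % (item, MAX_PORT))
        ports.update(range(lo, hi + 1))
    return sorted(ports)


def out_of_scope(spec: str, allowed: set) -> list:
    """Return the ports in `spec` that are not in the `allowed` set.

    `allowed` is a constructed engagement scope; a non-empty result means the
    scan would probe ports the assessment did not authorize.
    """
    return [p for p in expand_port_spec(spec) if p not in allowed]


if __name__ == "__main__":
    print(expand_port_spec("22,80,443"))
    print(len(expand_port_spec("-")), "ports in -p-")
    print(out_of_scope("20-25,80,443", {22, 80, 443}))
```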
What does the -A flag do in Nmap?
The -A flag enables aggressive scanning, which combines OS detection (-O), service version detection (-sV), default NSE scripts (-sC), and traceroute (--traceroute) into a single command. It provides comprehensive information about the target but is slower and more detectable than individual scan types.
How do I use NSE scripts to scan for vulnerabilities?
Run nmap --script vuln <target> to execute every script in the vuln category. For specific checks, use named scripts such as --script ssl-cert for SSL certificate info, --script smb-enum-shares for SMB share enumeration, or --script http-enum for HTTP directory discovery. Pass script arguments with --script-args for customization.
What are Nmap timing templates and which should I use?
Nmap offers timing templates from T0 (paranoid, very slow) to T5 (insane, very fast). T0-T1 are for IDS evasion, T3 is the default balanced mode, and T4 is recommended for most assessments as it offers aggressive but reliable scanning. T5 may sacrifice accuracy for speed. Use -T4 for general use and -T1 or -T2 when stealth is required.
How do I save Nmap scan results?
Use -oN <file> for normal text output, -oX <file> for XML (useful for parsing and importing into tools), -oG <file> for grepable format (easy text processing), or -oA <basename> to save in all three formats simultaneously. The XML format is particularly useful for integration with vulnerability management platforms.
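As an added example (not code from the reference itself), the following Python script parses the -oX XML format described above using only the standard library and compares the open services it finds against an expected-exposure baseline, which is the kind of integration the text has in mind. The XML document is a constructed sample in the shape of real nmaprun output, not the result of a real scan; the baseline set, the Host/Port classes and the function names are my own.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Constructed sample of -oX output (addresses from the documentation range).
SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 192.0.2.10" version="7.94">
  <host>
    <status state="up" reason="syn-ack"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <hostnames><hostname name="web.example.test" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="9.2p1" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack"/>
        <service name="http" product="nginx" version="1.24.0" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="443">
        <state state="closed" reason="reset"/>
      </port>
      <port protocol="tcp" portid="23">
        <state state="filtered" reason="no-response"/>
      </port>
    </ports>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="192.0.2.11" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


@dataclass
class Port:
    number: int
    protocol: str
    state: str
    service: str = ""
    product: str = ""
    version: str = ""

    def describe(self) -> str:
        return " ".join(x for x in (self.service, self.product, self.version) if x)


@dataclass
class Host:
    address: str
    status: str
    hostname: str = ""
    ports: list = field(default_factory=list)


def parse_nmap_xml(xml_text: str) -> list:
    """Turn an nmaprun XML document into a list of Host objects."""
    root = ET.fromstring(xml_text)
    if root.tag != "nmaprun":
        raise ValueError("not an Nmap XML report (root is <%s>)" % root.tag)
    hosts = []
    for h in root.findall("host"):
        status_el = h.find("status")
        status = status_el.get("state", "unknown") if status_el is not None else "unknown"
        # Prefer the IPv4 address; a host may also carry a MAC address element.
        addr_el = h.find("address[@addrtype='ipv4']")
        if addr_el is None:
            addr_el = h.find("address")
        address = addr_el.get("addr", "") if addr_el is not None else ""
        hn = h.find("hostnames/hostname")
        host = Host(address=address, status=status,
                    hostname=hn.get("name", "") if hn is not None else "")
        for p in h.findall("ports/port"):
            st = p.find("state")
            svc = p.find("service")  # absent when -sV found nothing or port is not open
            host.ports.append(Port(
                number=int(p.get("portid")),
                protocol=p.get("protocol", "tcp"),
                state=st.get("state", "unknown") if st is not None else "unknown",
                service=svc.get("name", "") if svc is not None else "",
                product=svc.get("product", "") if svc is not None else "",
                version=svc.get("version", "") if svc is not None else "",
            ))
        hosts.append(host)
    return hosts


def open_ports(hosts: list) -> list:
    """(address, port, protocol, service description) for every open port."""
    return [(h.address, p.number, p.protocol, p.describe())
            for h in hosts for p in h.ports if p.state == "open"]


def unexpected_exposure(hosts: list, allowed: set) -> list:
    """Open ports not listed in `allowed`, a set of (address, port, protocol)
    tuples describing the exposure the owner expects (constructed baseline)."""
    return [entry for entry in open_ports(hosts) if entry[:3] not in allowed]


if __name__ == "__main__":
    scanned = parse_nmap_xml(SAMPLE_XML)
    for entry in unexpected_exposure(scanned, {("192.0.2.10", 22, "tcp")}):
        print("unexpected open service:", entry)
```

Run against a real report with parse_nmap_xml(open("scan.xml").read()); the same structure is what a vulnerability management platform reads when it imports -oX output, so anything a scan finds can be diffed against the last known-good inventory.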
What is the difference between -Pn and -sn in Nmap?
-sn performs a ping scan (host discovery only) without port scanning, useful for quickly finding live hosts on a network. -Pn does the opposite: it skips the host discovery phase entirely and treats all specified hosts as online, then proceeds to scan ports. Use -Pn when ICMP is blocked by firewalls and you know the target is alive.
How does OS detection (-O) work in Nmap?
Nmap OS detection sends specially crafted TCP, UDP, and ICMP probes to the target and analyzes subtle differences in the responses (TCP window size, TTL, DF bit, options ordering, etc.) to fingerprint the operating system. Use --osscan-guess for more aggressive matching when exact matches are not found, and --osscan-limit to only attempt OS detection on hosts with at least one open and one closed port.