Overview
Nmap (Network Mapper) is a powerful open-source tool for network exploration and security auditing. It is widely used to identify what devices are running on a network, discover open ports, detect security risks, and map network infrastructure.
Basic Syntax

```
nmap <target-ip> [FLAGS]
```
Host Discovery
| Flag | Description |
|---|---|
| -PS | TCP SYN Ping |
| -PE | ICMP Echo request |
| -Pn | No host discovery - assume host is up (useful if ICMP is blocked) |
| -sn | Host discovery only (no port scan) |
| -PA | TCP ACK Ping |
| -sP | Deprecated, same as -sn |
| -sU | UDP scan |
Port Scanning
| Flag | Description |
|---|---|
| -sT | TCP Connect scan (reliable, completes full handshake) |
| -sS | SYN Stealth scan (half-open, faster, requires root) |
| -F | Fast scan (top 100 ports) |
| -n | Disable DNS resolution for faster scanning |
| -p | Specify ports (comma-separated or range) |
OS & Service Detection
| Flag | Description |
|---|---|
| -O | OS detection |
| -O --osscan-guess | Aggressively guess OS |
| -A | Aggressive scan: OS detection, version detection, script scanning, traceroute |
| -sV | Service/version detection |
| -sV --version-intensity 8 | Aggressive version scanning |

OS fingerprinting via TTL (approximate initial values; every router hop on the path decrements the TTL by one, so the observed value is at most the initial one):
- Windows: TTL ~128
- Linux: TTL ~64
Nmap Scripting Engine (NSE)
Scripts are located in /usr/share/nmap/scripts/. To list the scripts for a given service: ls /usr/share/nmap/scripts/ | grep -e "<service_name>"

| Command | Description |
|---|---|
| --script-help=<script> | View script help |
| --script=<category> | Run scripts from a specific category |
| --script=ftp-* | Run all scripts related to FTP (wildcard) |
Firewall Detection & IDS Evasion
| Flag | Description |
|---|---|
| -sA | ACK scan (Windows: “unfiltered” means firewall off) |
| -sN | Null scan (no flags set) |
| --ttl <value> | Set packet TTL |
| -f | Fragment packets (SYN scan only) |
| --mtu <value> | Set custom packet size |
| -D | Decoy scan (spoofed IPs) |
| -g | Change source port |
| --data-length <n> | Append random data to packets |
Timing & Performance
| Flag | Description |
|---|---|
| --stats-every=<time> | Show status every X seconds |
| --scan-delay <time> | Delay between probes |
| --host-timeout <time> | Give up on a host after timeout |
| -T<0-5> | Timing template (0=paranoid, 5=insane) |
| --min-parallelism / --max-parallelism | Control packet sending rate |
| --max-retries | Limit retries |
| --min-rtt-timeout / --max-rtt-timeout | Adjust RTT timeouts |
Output Options
| Flag | Description |
|---|---|
| -oN | Normal output |
| -oX | XML output |
| -oS | Script kiddie format |
| -oG | Grepable output |
Notes on Filtered Ports
A filtered port indicates a firewall or packet filter is dropping packets. Use evasion techniques like -f, -D, or --data-length to bypass filters. Additionally, --reason reports why Nmap assigned each port its state: for a filtered port this is typically no-response (the probe was silently dropped) or an ICMP error such as admin-prohibited (a filter on the path actively rejected it), which tells you whether anything on the path is answering at all. Example: nmap --reason -p 445 <target-ip>
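The following is an added example, not code from the original cheat sheet or from the Nmap project. It shows what a defender does with the Output Options above: it parses Nmap XML output (-oX) into an inventory of open ports, counts filtered ports by the --reason value Nmap records, and applies the TTL heuristic from the OS detection section to the TTL of each response packet. The XML is constructed by hand (RFC 5737 TEST-NET addresses, invented services) to match the element layout Nmap writes; it is not a real scan.

```python
"""Turn Nmap XML output (-oX, run with --reason) into a defender's inventory.

Added example, not part of the original cheat sheet. SAMPLE_XML is a
constructed document using RFC 5737 TEST-NET addresses, not real scan output.
"""
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample: two hosts, a mix of open and filtered ports.
SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -sS -sV --reason -oX - 192.0.2.0/24" version="7.94">
  <host>
    <status state="up" reason="echo-reply"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack" reason_ttl="64"/>
        <service name="ssh" product="OpenSSH" version="8.9p1"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack" reason_ttl="64"/>
        <service name="http" product="nginx" version="1.18.0"/>
      </port>
      <port protocol="tcp" portid="445">
        <state state="filtered" reason="no-response" reason_ttl="0"/>
        <service name="microsoft-ds"/>
      </port>
    </ports>
  </host>
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="192.0.2.20" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="3389">
        <state state="open" reason="syn-ack" reason_ttl="128"/>
        <service name="ms-wbt-server"/>
      </port>
      <port protocol="tcp" portid="135">
        <state state="filtered" reason="admin-prohibited" reason_ttl="64"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Flatten <host>/<ports>/<port> into one dict per port.

    reason and reason_ttl are what --reason prints in text output: the packet
    that decided the port state and the TTL of that packet (0 = no packet)."""
    rows = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        addr = addr_el.get("addr") if addr_el is not None else "unknown"
        for port in host.iter("port"):
            state = port.find("state")
            service = port.find("service")
            rows.append({
                "host": addr,
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "state": state.get("state"),
                "reason": state.get("reason"),
                "reason_ttl": int(state.get("reason_ttl", "0")),
                "service": service.get("name", "") if service is not None else "",
            })
    return rows


def open_ports(rows):
    """host -> sorted (port, proto, service) for every port in state 'open'."""
    inventory = {}
    for r in rows:
        if r["state"] == "open":
            inventory.setdefault(r["host"], []).append((r["port"], r["proto"], r["service"]))
    return {h: sorted(v) for h, v in inventory.items()}


def filtered_reasons(rows):
    """Count filtered ports per (host, reason). 'no-response' is a silent drop;
    an ICMP reason such as 'admin-prohibited' is an active reject from a filter
    on the path, so the sender of that ICMP is where to look."""
    return Counter((r["host"], r["reason"]) for r in rows if r["state"] == "filtered")


def os_hint_from_ttl(reason_ttl):
    """Coarse OS guess from a response packet's TTL, per the sheet's heuristic
    (Linux ~64, Windows ~128). Hops only decrement TTL, so compare upwards."""
    if reason_ttl <= 0:
        return "unknown (no response packet)"
    if reason_ttl <= 64:
        return "Linux/Unix-like (initial TTL 64)"
    if reason_ttl <= 128:
        return "Windows (initial TTL 128)"
    return "other (initial TTL 255)"


def host_os_hints(rows):
    """host -> OS hint from an open port only: a SYN/ACK comes from the host
    itself, whereas an ICMP reject's TTL belongs to the filtering device."""
    hints = {}
    for r in rows:
        if r["host"] not in hints and r["state"] == "open" and r["reason_ttl"] > 0:
            hints[r["host"]] = os_hint_from_ttl(r["reason_ttl"])
    return hints


if __name__ == "__main__":
    rows = parse_nmap_xml(SAMPLE_XML)
    for host, ports in open_ports(rows).items():
        print(host, "open:", ", ".join(f"{p}/{proto} {svc}" for p, proto, svc in ports))
    for (host, reason), n in sorted(filtered_reasons(rows).items()):
        print(host, "filtered:", n, "port(s), reason", reason)
    for host, hint in host_os_hints(rows).items():
        print(host, "OS hint:", hint)
```

Feed it a real file with parse_nmap_xml(open("scan.xml").read()) after running a scan with -oX scan.xml --reason; the same XML element names are used by Nmap regardless of scan type, so the functions work unchanged on -sS, -sT or -sU results.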
This guide covers the essential Nmap flags and their applications, from basic host discovery to advanced firewall evasion. Use these techniques responsibly and only on networks you have permission to scan.