nmap Network Scanning

nmap - Network exploration tool and security / port scanner

Much of the original documentation includes philosiphy and reasoning for using particular options. Read that at nmap.org

This version is terse version with minial description.

nmap [Scan Type...] [Options] target specification

Nmap ("Network Mapper") is an tool for network exploration and security auditing.
Uses raw packets to determine what hosts are available on the network, services (application ) offered, operating systems running, type of filters/firewalls , etc.
Commonly used for security audits, useful for network inventory, managing service upgrade schedules, and monitoring host or service uptime.

    Interesting ports table port number and protocol, service name, and state.
  1. Open an application is listening for connections/packets
  2. Unfiltered responsive to probes, but cannot determine whether they are open or closed.
  3. Filtered a firewall, filter, or other network obstacle is restricting access
  4. Closed ports have no application listening on them, now.
State combinations open.filtered and closed.filtered when it cannot be determined which states describe a port.
For IP protocol scan (-sO), information on supported protocols is provided.

-A: enables OS and version detection, script scanning
-T4: traceroute, for faster execution.
Pressing a key displays current activity, v/V increases/decrease verbosity, p/P enable/disable packet tracing

Aborted scans ( ^C) can be resumed with proper output option.

A representative scan

Scan agressive detection (with traceroute) and timing,
TCP SYN, only checking most popular ports, starting with level 2 verbosity,
outputting to a normal file called scan… the hosts within a small subnet:

sudo nmap -A -T4  -sS --top-ports 10  -v -oN scan-%T-%D  # .0-.15 

Starting Nmap 6.01 ( http://nmap.org ) at 2012-10-23 07:39 EDT
NSE: Loaded 93 scripts for scanning.
NSE: Script Pre-scanning.
Initiating Ping Scan at 07:39
Scanning 8 hosts [2 ports/host]
Completed Ping Scan at 07:39, 1.21s elapsed (8 total hosts)
Initiating Parallel DNS resolution of 8 hosts. at 07:39
Completed Parallel DNS resolution of 8 hosts. at 07:39, 0.02s elapsed
Nmap scan report for [host down]
Nmap scan report for [host down]
Nmap scan report for [host down]
Initiating Connect Scan at 07:39
Scanning 5 hosts [1000 ports/host]
Discovered open port 80/tcp on
Discovered open port 3306/tcp on
Discovered open port 21/tcp on
Discovered open port 80/tcp on

full file

sudo nmap -A -T4 scanme.nmap.org playground #scan 2 specific hosts Starting Nmap ( http://nmap.org ) Interesting ports on scanme.nmap.org ( (The 1663 ports scanned but not shown below are in state: filtered) PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 3.9p1 (protocol 1.99) 53/tcp open domain 70/tcp closed gopher 80/tcp open http Apache httpd 2.0.52 ((Fedora)) 113/tcp closed auth Device type: general purpose Running: Linux 2.4.X|2.5.X|2.6.X OS details: Linux 2.4.7 - 2.6.11, Linux 2.6.0 - 2.6.11 Interesting ports on playground.nmap.org ( (The 1659 ports scanned but not shown below are in state: closed) PORT STATE SERVICE VERSION 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn 389/tcp open ldap? 445/tcp open microsoft-ds Microsoft Windows XP microsoft-ds 1002/tcp open windows-icfw? 1025/tcp open msrpc Microsoft Windows RPC 1720/tcp open H.323/Q.931 CompTek AquaGateKeeper 5800/tcp open vnc-http RealVNC 4.0 (Resolution 400x250; VNC port: 5900) 5900/tcp open vnc VNC (protocol 3.8) MAC Address: 00:A0:CC:63:85:4B (Lite-on Communications) Device type: general purpose Running: Microsoft Windows NT/2K/XP OS details: Microsoft Windows XP Pro RC1+ through final release Service Info: OSs: Windows, Windows XP Nmap finished: 2 IP addresses (2 hosts up) scanned in 88.392 seconds
nmap -sP `hostname`/24 |sed "/Nmap sc/N; s/\n//;s/Nmap scan report for//; s/Host is up//; s/(0\./\./;s/ latency)\.//"

Target Specification

next: Host Discovery
Everything on the command-line that isn't an option or option argument is treated as a target specification (
The simplest case is to specify a single target .

Multiple formats are permitted: nmap scanme.nmap.org   10.0.0,1,17-63.0-255

-iL tfile Include List, Reads targets from tfile.
    Example uses:
  • DHCP server exports a various 837 current leases.
  • Scan addresses not leased to locate hosts using unauthorized static IP addresses.

-iL=- reads hosts from STDIN, like piped from some filters (ex: grep, grep -v).
Entries separated by spaces, tabs, or newlines.
-iR num_hosts include num_hosts Random targets.
Undesirable IPs such as those in certain private, multicast, or unallocated address ranges are not generated.
Specify 0 for a continuing scan.

--exclude host1[,host2[,…]],           net1[,net2[,…]] Comma-separated list of targets to be excluded. Use hostnames, CIDR netblocks, octet ranges, etc.
Useful when the network includes untouchable mission-critical servers, systems that are known to react adversely to port scans, or subnets administered by others.
--excludefile file
targets are in a newline, space, or tab delimited file


A first step is to reduce a set of IP ranges to a list of active or interesting hosts depending on the scan's purpose. nmap.org

Network administrators may only be interested in hosts running a certain service, and may be comfortable using just an ICMP ping to check those hosts .
Security auditors should care about every single device with an IP address.
An external penetration tester may use a diverse set of probes in an attempt to locate possible exploits.

Simple ping with ICMP echo request can use a variety of options.

Dont send any packets using a scan list (-sL)
Disable ping (-PN) from a complex scana
Use arbitrary combinations of multi-port TCP SYN/ACK, UDP, and ICMP probes. See nmap.org

ARP discovery (-PR) is done on a local ethernet network (even if other -P* are specifieda).
For non-local targets, TCP ACK packet for port 80 and an ICMP echo request query is sent, (for unprivileged users, a SYN packet using the connect system call is sent instead ) Defaults are equivalent to -PA -PE.

Host discovery is followed by a port scan to each host determined to be online, by default. Even if you specify non-default host discovery types such as UDP probes (-PU)

-sL ScanList Lists each host of the network(s), without sending any packets to the target hosts!
Does reverse-DNS resolution on the hosts to lookup their names.
Good sanity check to validate addresses specification for targets.

Example: List all hosts within the subnet as this host (and use sed to supress titles and numeric only addreses):

nmap -sL   `hostname`/22 |sed "s/Nmap scan report for//"

Starting Nmap 7.00 ( http://nmap.org ) at 2016-02-23 20:53 EST
rtr.germans (
scanner.germans ( 
smackerPro (
DGermans-iPad.germans (
Nmap done: 1024 IP addresses (0 hosts up) scanned in 28.8 seconds 

 > nmap -sL |sed "s/Nmap scan report for// ; /^ [[:digit:]]/d "| column 

Starting Nmap 7.00 ( https://nmap.org ) at 2016-04-22 08:52 EDT      (not best example      (_)  )
Nmap done: 32 IP addresses (0 hosts up) scanned in 0.24 seconds

Scan Ping
Scan No Port, ping scan aka ping sweep (supresses port scan).

  • Privileged user: sends an ICMP echo request, a TCP SYN to port 443, a TCP ACK to port 80 and an ICMP timestamp request.
    On a local ethernet network, ARP requests are used unless --send-ip was specified.
  • Unprivileged user: only a SYN packet is sent (using a connect call) to port 80 and 443.

When combined with other discovery probe types (-P*, except -PN (pingNot) ) , the default probes (ACK and echo request) are overridden.
Recommended when strict firewalls are in use, otherwise hosts will be missed if the firewall drops probes or responses.

Slightly intrusive, allows light reconnaissance of a target without attracting much attention.

Valuable as it counts available machines and checks server availability.
More reliable than pinging the broadcast address because many hosts do not reply to that.

Traceroute and NSE host scripts may be also requested, but no further testing (such as port scanning or OS detection) is performed.

 sudo nmap -sP   `hostname`/24 |sed "/Nmap/N; s/\n//;s/Nmap scan report for//; s/Host is up//; s/(0\./\./;s/ latency)\.//"
Starting Nmap 7.00 ( http://nmap.org ) at 2012-09-23 20:49 EDT .0059s
kitchen.germans ( .0073s .0080s
smackerPro ( .00022s
rDNS record for smackerPro.germans .016s 
IP-STB1.germans ( .015s 
Nmap done: 256 IP addresses (6 hosts up) scanned in 5.37 seconds

sudo nmap -sP   `hostname`/24 |sed "s/Nmap scan report for/\n/"

Starting Nmap 6.01 ( http://nmap.org ) at 2012-10-23 19:17 EDT
Host is up (0.0038s latency).
MAC Address: 00:18:01:8F:23:ED (Actiontec Electronics)

 kitchen.germans (
Host is up (0.013s latency).
MAC Address: 00:1B:21:A4:32:BD (Intel Corporate)
Host is up (0.013s latency).
MAC Address: 00:50:FC:9C:E0:18 (Edimax Technology CO.)

 smackerPro (
Host is up.
Host is up (0.0036s latency).
MAC Address: 18:20:32:9F:54:75 (Apple)

 IP-STB1.germans (
Host is up (0.0047s latency).
MAC Address: 00:1F:C4:EF:5D:F1 (Motorola Mobility)
Nmap done: 256 IP addresses (6 hosts up) scanned in 3.71 seconds

-PR ARP Ping Any response means the host is up. Fastest.
Used when scanning ethernet hosts on a local ethernet network, even if different ping types are specified.
To avoid an ARP scan, specify --send-ip.
-PS portlist TCP SYN Ping Sends an empty packet with the SYN flag set as if attempting to establish a connection.
Default port 80

Syntax is as for the -p except that port type specifiers like T: are not allowed.
Examples: -PS22 and -PS22-25,80,113,1050,35000 (No space between -PS and the port list)
Multiple probes are sent in parallel.

additional information at nmap.org
Use with TCP ACK ping probe to maximize the chances of bypassing firewalls.

-PA portlist TCP ACK Ping Similar to SYN ping, ACK flag is set instead.
This acknowledges data over an established TCP connection, since no such connection exists, remote hosts should always respond with a RST packet, disclosing their existence.
Default 80.

additional information at nmap.org

Use with TCP SYN Ping probe to maximize the chances of bypassing firewalls.

-PU portlist UDP Ping Sends an empty (unless --data-length is specified) UDP packet to the given ports.
Default:31338, a highly uncommon port as sending to open ports is undesirable for this scan .

Bypasses firewalls and filters that only screen TCP.

additional information at nmap.org

-PY port_list SCTP INIT Ping SCTP packet containing a minimal INIT chunk.
Default: destination port is 80.0
-PE ICMP echo request type 8 (frequently blocked)
-PP ICMP timestamp request code 13,
-PM ICMP address mask request code 17
-PO protolist IP Protocol Ping Send packets with the specified protocol number .
The protolist is in the format as port lists
Default: send multiple IP packets for ICMP (protocol 1), IGMP (protocol 2), and IP-in-IP (protocol 4).
For the ICMP, IGMP, TCP (protocol 6), and UDP (protocol 17), the packets are sent with the proper protocol headers while other protocols are sent with no additional data beyond the IP header (unless --data-length is specified).

Looks for either responses using the same protocol as a probe, or ICMP protocol unreachable message's signifing the protocol isn't supported on the destination host. Either response signifies the target is alive.

-Pn Ping Not: skip discovery ping.
WARNING: Causes scanning functions to be performed against every target specified. Normally, heavier probing such as port scans are only performed against hosts that were found to be up.

For machines on a local ethernet network, ARP scanning will still be performed (unless --send-ip is specified) because MAC addresses are needed to further scan targets .

Additional options useful with scan options.
--traceroute Trace path to host performed post-scan. Works with all scan types except -sT and -sI.
--reason Host and port state reasons
Displays the type of the packet that determined a port or hosts state.
For example, A RST packet from a closed port or an echo reply from an alive host. The information provided is determined by the type of scan or ping. The SYN scan and SYN ping (-sS and -PS) are very detailed, but the TCP connect scan (-sT) is limited.
Enabled by the debug option (-d) and results are always stored in XML log.
-n No DNS resolution, DNS can be slow this can slash times.
-R DNS resolution for ALL targets always do reverse DNS resolution. Normally reverse DNS is only performed against responsive (online) hosts.
--system-dns Use system DNS resolver
By default, IP addresses are resolved by sending queries directly to the name servers configured on your host.
The system resolver is always used for IPv6 scans.
--dns-servers server1[,server2[,...]] Servers to use for reverse DNS queries
Default is to determine DNS servers (for rDNS resolution) from the your host. Ignored with --system-dns or an IPv6 scan.
Using multiple servers is often faster. Improves stealth.

Scan the network for port 53 then try list scans (-sL) specifying each name server one at a time with --dns-servers to find one which works correctly.

back to host discoverey, output control

Port Scanning

next:Service and Version

nmap target scans more than 1,660 TCP ports on target.

Port states are not intrinsic properties of the port itself, but describe how Nmap sees them.
For example, a scan from within the same network as the target may show port 135/tcp as open,
a scan with the same options from across the Internet might show that port as filtered.

The port states defined by Nmap:

  1. open An application is actively accepting TCP connections or UDP packets on this port. Finding these is often the primary goal of port scanning. Security-minded people know that each open port is an avenue for attack. Attackers want to exploit the open ports, administrators try to close or protect them with firewalls without thwarting legitimate users. Open ports are also interesting for non-security scans because they show services available for use on the network.

  2. closed Accessible (receives and responds to packets), but there is no application listening on it.
    Helpful determining that a host is up for host discovery, or ping scanning, and as part of OS detection.
    May become open is a daemon starts and begins fielding queries on this port.
    Administrators may consider controlling these with a firewall causing it to would appear filtered

  3. filtered Cannot determine if the port is open because packet filtering prevents probes from reaching the port. The filtering could be from a dedicated firewall device, router rules, or host-based firewall software. Sometimes respond with ICMP error messages such as type 3 code 13 (destination unreachable: communication administratively prohibited), but filters that simply drop probes without responding are far more common.
    Several probes are sent in case the probe was dropped due to network congestion rather than filtering. slowing down the scan dramatically.
  4. unfiltered port is accessible, but Nmap is unable to determine whether it is open or closed.
    Only the ACK scan, used to map firewall rulesets, classifies ports into this state.
    Scanning unfiltered ports with other scan types such as Window , SYN , or FIN scans, may resolve the port as open.
  5. open.filtered unable to determine whether a port is open or filtered. This occurs for scan types in which open ports give no response which could also mean that a packet filter dropped the probe or any response it elicited. UDP, IP protocol, FIN, NULL, and Xmas scans classify ports this way.
  6. closed|filtered Nmap is unable to determine whether a port is closed or filtered. It is only by the IP ID idle scan.

Port Scanning Techniques

Most are only available to privileged users. Nmap sometimes works for unprivileged users when WinPcap has been loaded.
Unprivileged users can execute connect and FTP bounce .

Only one method may be used at a time, except that UDP scan (-sU) may be combined with any one of the TCP scan types.
Form -sC.
Default: SYN, (or connect if the user does not have proper privileges to send raw packets or if IPv6 targets were specified.

-sS TCP SYN fast
Quickly, scanning thousands of ports per second, not hampered by restrictive firewalls.
Relatively unobtrusive and stealthy
Does not depend on idiosyncrasies of implementation.
Allows clear, reliable differentiation between the open, closed, and filtered

Sends SYN packet, as if going to open a connection.
A response of SYN/ACK indicates the port is listening (open), RST (reset) is indicative of a non-listener.
If no response is received after several retransmissions or if an ICMP unreachable error is received marked filtered .

-sT TCP connect not fast
Default when SYN is not specified, when no raw packet privileges or scanning IPv6 networks.
Does not write raw packets, rather asks the operating system to establish a connection with the target by issuing the connect system call. The same high-level system call that web browsers and other applications use to establish a connection.

Less efficient than SYN which is usually a better choice. Target machines are more likely to log the connection. Unix systems will add a note to syslog, for connects without sending data.

-sU UDP slow
Sends an empty (no data) UDP header to targeted ports.
A service may respond with a UDP packet, open.
If an ICMP port unreachable error is returned, the port is closed or filtered.
If no response is received after retransmissions, the port is classified as open.filtered.

Open and filtered ports rarely send any response, leaving time out and then conduct retransmissions just in case the probe or response were lost.
Closed ports may send back an ICMP port unreachable error. But hosts rate limit ICMP port unreachable messages by default.

Detects rate limiting and slows down accordingly to avoid flooding the network with useless packets that the target machine will drop.
A limit of one packet per second makes a 65,536-port scan take more than 18 hours!.

To speed up include scanning more hosts in parallel, doing a quick scan of just the popular ports first, scanning from behind the firewall, and using --host-timeout to skip slow hosts.

Version detection (-sV) can be used to help differentiate the truly open ports from the filtered ones.
Can be combined with a TCP scan type such as SYN (-sS) to check both during the same run.

TCP NULL Does not set any bits (TCP flag header is 0)
FIN Sets only the TCP FIN bit.
Xmas Sets FIN, PSH, and URG , lighting the packet up like a Christmas tree.
(more are possible with --scanflags

Exploit subtle loopholes to differentiate between open and closed ports.
See nmap.org.

used to map out firewall rulesets, determining whether they are stateful or not and which ports are filtered.
Never determines open or open.filtered ports.
See nmap.org.
-sW TCP Window
Like ACK. Exploits an implementation detail to differentiate open from closed.
Rather than always displaying unfiltered when a RST is returned.
Examines the TCP Window field of the RST packets returned.
-sM TCP Maimon
As NULL, FIN, and Xmas scans, except that the probe is FIN/ACK.
--scanflags n |
Argument can be a numerical flag value such as 9 (PSH and FIN), or
symbolic name URG, ACK, PSH, RST, SYN, and FIN combinations . Example: --scanflags URGACKPSHRSTSYNFIN

Specify a TCP scan type (such as -sA or -sF) default: SYN.

-sI zombie host[:probeport] idle
advanced scan method allows a blind TCP port scan of the target (no packets are sent to the target from your real IP address).
zombie machine you specify must be up and meet certain criteria.
Too complex to fully describe here, see nmap.org/book/idlescan.html

Stealthy, permits mapping out IP-based trust relationships between machines. The port listing shows open ports from the perspective of the zombie host. So you can try scanning a target using various zombies that you think might be trusted (via router/packet filter rules).

Use a colon and a port number to the zombie host to probe a particular port for IP ID changes. default for TCP pings (80).
Ports can be specified by name in nmap-services.. Use wildcards * and ? with the names.

For example, to scan ftp and all ports whose names begin with http, use -p ftp,http*. Avoid shell expansions and quote the argument to -p.

Ranges of ports can be surrounded by square brackets to indicate ports inside that range that appear in nmap-services. For example, scan all ports in nmap-services equal to or below 1024: -p [-1024]. Avoid shell expansions and quote the argument to -p.

-sO IP protocol
allows determintion which IP protocols (TCP, ICMP, IGMP, etc.) are supported
Not a port scan, since it cycles through IP protocol numbers rather than TCP or UDP port numbers.
Uses the -p option to select scanned protocol numbers, reports its results within the normal port table format.

similar to UDP scan. Instead of iterating through the port number field of a UDP packet, it sends IP packet headers and iterates through the 8-bit IP protocol field. The headers are usually empty, containing no data and not even the proper header for the claimed protocol. The three exceptions are TCP, UDP, and ICMP. A proper protocol header for those is included since some systems won't send them otherwise and because Nmap already has functions to create them. Instead of watching for ICMP port unreachable messages, protocol scan is on the lookout for ICMP protocol unreachable messages. If Nmap receives any response in any protocol from the target host, Nmap marks that protocol as open. An ICMP protocol unreachable error (type 3, code 2) causes the protocol to be marked as closed Other ICMP unreachable errors (type 3, code 1, 3, 9, 10, or 13) cause the protocol to be marked filtered (though they prove that ICMP is open at the same time). If no response is received after retransmissions, the protocol is marked open.filtered

-b FTP relay host (FTP bounce scan) FTP server to port scan other hosts. ask the FTP server to send a file to each interesting port of a target host in turn. The error message will describe whether the port is open or not.
Bypass firewalls because organizational FTP servers are often placed where they have more access to other internal hosts than any old Internet host would.
FTP bounce scan with -b argument of the form [username:password]@server[:port].
Server is the name or IP address of a vulnerable FTP server.
Omit username:password anonymous login credentials (user: anonymous password:-wwwuser@) are used.
Port defaults to 21.

If bypassing a firewall is your goal, scan the target for open port 21 (or even for any FTP services if you scan all ports with version detection), then try a bounce scan using each. Nmap will tell you whether the host is vulnerable or not. If you are just trying to cover your tracks, you don't need to (and, in fact, shouldn't) limit yourself to hosts on the target . Before you go scanning random Internet addresses for vulnerable FTP servers, consider that sysadmins may not

Port Specification and Scan Order

By default, all ports up to and including 1024(priveledge ports) as well as higher numbered ports listed in the nmap-services file for the protocols being scanned.

--top-ports n Scans the n highest-ratio ports found in nmap-services
-sS -top-ports 20
 21/tcp   ftp            22/tcp   ssh             23/tcp   telnet          25/tcp  smtp          
 53/tcp   domain         80/tcp   http           110/tcp   pop3           111/tcp  rpcbind       
135/tcp   msrpc         139/tcp   netbios-ssn    143/tcp   imap           443/tcp  https         
445/tcp   microsoft-ds  993/tcp   imaps          995/tcp   pop3s         1723/tcp  pptp          
3306/tcp  mysql         3389/tcp  ms-wbt-srvr   5900/tcp   vnc           8080/tcp  http-proxy    
‑‑port‑ratio r Scans all ports in nmap-services with a ratio greater r
Selected examples:
domain  53/udp  .213496    dhcps   67/udp  .228010    dhcpc   68/udp  .140118    
finger  79/tcp  .006022    ftp     21/tcp  .197667 (control)    
http    80/tcp  .484143    https   443/tcp .208669    
ntp     123/udp .330879    pop3    110/tcp .077142    
route   520/udp .139376    smtp    25/tcp  .131314    ssh     22/tcp  .182286     
syslog  514/udp .119804    telnet  23/tcp  .221265    tftp    69/udp  .102835    
zeroconf 5353/udp.100166    
ipp     631/udp .450281    # Internet Printing Protocol    
-p port ranges Only scan specified ports
Individual ports , ranges (Default 1-65535). port zero is allowed if specifed explicitly.
For IP protocol scanning (-sO), specifies the protocol numbers (0-255).

When scanning both TCP and UDP ports, specify a particular protocol by preceding the port numbers by T: or U:. The qualifier lasts until another qualifier. For example:
-p U:53,111,137,T:21-25,80,139,8080
To scan both UDP and TCP, specify -sU and at least one TCP scan type (such as -sS, -sF, or -sT).
If no protocol qualifier is given, the port numbers are added to all protocol lists.

Ports can also be specified by name according to what the port is referred to in the /usr/local/share/nmap/nmap-services including wildcards * and ? . For example, to scan FTP and all ports whose names begin with "http", use -p ftp,http*.
Be careful about shell expansions and quote the argument if unsure.

Ranges of ports can be surrounded by square brackets to indicate ports inside that range that appear in nmap-services. For example, the following will scan all ports in /usr/local/share/nmap/nmap-services equal to or below 1024:
"-p [-1024]".

-F Fast (limited port)
Only scan ports listed in the /usr/local/share/nmap/nmap-services file which comes with Nmap (or the protocols file for -sO). which contains so many TCP ports (more than 2,000!), the speed difference from a default TCP scan (about 1650 ports) isn't dramatic.
Provide a custom nmap-services file using few ports and make scan blinding fast using --servicedb or --datadir.
-r Don't randomize ports
Except for certain commonly accessible ports performed early, for efficiency reasons ports are scanned randomly.
This randomization is normally desirable, -r for sequential port scanning. xxx

Back to ports

Service and Version Detection

After ports are discovered, version detection interrogates them . See nmap.org target=nmap>nmap.org

Some UDP ports are left in the open.filtered state after UDP scan is unable to determine whether the port is open or filtered.
Version detection elicits a response from these and change the state to open if it succeeds. open.filtered TCP ports are treated the same way.

-A enables version detection among other things.

-sV Version detection
-A also which enables version detection, among other things.

--allports Don't exclude any ports from version detection
By default, skips TCP port 9100 because some printers print anything sent to that port. This behavior can be changed by modifying or removing the Exclude directive in nmap-service-probes or specify --allports to scan all ports regardless of any Exclude directive.

--version-intensity intensity Probes are assigned a rarity value between 1 and 9.
The lower-numbered probes are effective against a wide variety of common services, while the higher numbered ones are rarely useful.
The intensity level specifies which probes should be applied.
The higher the number, the more likely it is the service will be correctly identified, but take longer.
The intensity must be between 0 and 9.
Default: 7.

When a probe is registered to the target port via the nmap-service-probes ports directive, that probe is tried regardless of intensity level. This ensures that the DNS probes will always be attempted against any open port 53, the SSL probe will be done against 443, etc.

--version-light --version-intensity 2. faster, but it is slightly less likely to identify services.
--version-all --version-intensity 9
--version-trace Output debugging info about version scanning, a subset of --packet-trace.
-sR RPC scan When RPC services are discovered, addition interragation is automatically performed
in conjunction with the various port scans.
Takes all ports found open and floods them with SunRPC program NULL commands in an attempt to determine whether they are RPC ports, and what program and version number they serve up. Effectively obtain the same info as rpcinfo -p even if the target's portmapper is behind a firewall (or protected by TCP wrappers).
Decoys do not currently work with RPC scan.
Enabled as part of version scan (-sV) . Version detection includes this and is more comprehensive, -sR
is rarely needed.

OS Detection

See nmap.org target=nmap>nmap.org.

OS detection is enabled and controlled with :

-O Enable OS detection
Use Agressive( -A) to include version (-sV) and script scanning (-sC) and traceroute (--traceroute) .
--osscan-limit Limit OS detection to promising targets.
Saves substantial time, particularly on -PN scans against many hosts.
Only with -O or -A.
Guess OS when unable to detect a perfect match.
Sometimes displays near-matches as possibilities, imperfect match notice is output with confidence level .
--max-os-tries nmaximum number of detection tries when failing to find a perfect match.
Default:5 if conditions are favorable , 2 when conditions aren't good.
A lower value (1) speeds up, higher value rarely used.


Automate a wide variety of networking tasks. The scripts are executed in parallel.

Too funky to describe here.

See nmap.org/book/nse-usage.html#nse-categories.
Scripting details at nmap.org/book/nse.html

-sC Performs a script scan using the default set of scripts, equivalent to --script=default.
Scripts in this category are considered
intrusive and should not be run against a target without permission.

--script script-categories | directory | filename | all
--script-args name1=value1,name2={name3=value3},name4=value4
--script-trace all incoming and outgoing communication performed by a script is output.
--script-updatedb updates the script database


A default scan (nmap hostname) on the local network takes a fifth of a second.
UDP scanning and version detection can increase scan times substantially. See nmap.org

Too funky to describe here.

See nmap.org

Time parameters are in milliseconds by default. Append `s', `m', or `h' to the value to specify seconds, minutes, or hours.
--host-timeout arguments 900000, 900s, and 15m are equivalent.
--min-hostgroup numhosts
--max-hostgroup numhosts
Adjust parallel scan group sizes.
--min-parallelism np
--max-parallelism np
Adjust probe parallelization
--min-rtt-timeout time
--max-rtt-timeout time
--initial-rtt-timeout time
Adjust probe timeouts
--max-retries numtries port scan probe retransmissions
--host-timeout time Give up on slow target hosts
--scan-delay time
--max-scan-delay time
Adjust delay between probes
--min-rate n
300 means try to keep the sending rate at or above 300 packets per second.
--max-rate n
100 limits sending to 100 packets per second on a fast network.
0.1 for a slow scan of one packet every ten seconds.
--defeat-rst-ratelimit Using this option can reduce accuracy. With a SYN scan, the non-response results in the port being labeled filtered rather than the closed state we see when RST packets are received.
-T paranoid|
Timing template
paranoid serializing the scan so only one port is scanned at a time, waits 5minutes between probes avoiding IntrusionDetectionSystem.
sneaky waits 15 seconds to avoid IDS, use less bandwidth and target machine resources.
Polite waits .4 seconds Normal is the default sends scans in parallel.
Aggressive mode speeds scans up expecting a reasonably fast and reliable network.
insane expects extraordinarily fast network or are willing to sacrifice some accuracy for speed.

Firewall/IDS Evasion and Spoofing

Network obstructions such as firewalls make mapping a network exceedingly difficult.
IDSs ship with rules designed to detect Nmap scans because scans are sometimes a precursor to attacks.
Intrusion Prevention Systems (IPS) that block traffic deemed malicious.
Deploying only modern, patched FTP servers is a far more powerful defense than trying to prevent the distribution of tools implementing the FTP bounce attack.

Too funky to describe here.

See nmap.org

-e interface Use specified interface
-f m
--mtu m
fragment packets using the specified MTU
-D decoy1
Cloak a scan with decoys
Makes it appear to the remote host that the decoys are scanning the target too.
-S IP_Address Spoof source address
--source-port p
-g p
Spoof source port number
A common misconception is to trust traffic based only on the source port number.
--data-length n Append random data to sent packets
Normally minimalist packets containing only a header are sent.
   S |
   T |
   U |
   R [hop hop …] |
   L [hop hop …]

--ip-options hex string

Send packets with specified IP options
IP protocol options are rarely seen and can be useful in some cases.
Use record route (R) to determine a path to a target when traceroute-style approaches fail.
Record-timestamp (T) or both (U)if packets are being dropped by a certain firewall.
Loose or strict source routing specified with an
L or S followed by a space and then a space-separated list of IP addresses, specify a different route.

--ip-options use \xdd hexadecimal format to specify option bits explicitly.
Repeat characters by following them with an asterisk and a repeat count.
Example: \x01\x07\x04\x00*36\x01 includes 36 NULLs.
Display options in packets specify --packet-trace.
see seclists.org/nmap-dev/2006/q3/0052.htm.l

--ttl value
--randomize-hosts May make the scans less obvious to network monitoring systems.
Combine it with slow (timing options . See nmap.org
--spoof-mac MAC address, prefix, or vendor name Spoof MAC address
Implies --send-eth Address of 0 uses random MAC. See nmap.org Examples: Apple, 0, 01:02:03:04:05:06, deadbeefcafe, 0020F2, and Cisco. Only affects raw packet scans such as SYN scan or OS detection, not connection-oriented features such as version detection or the Nmap Scripting Engine.

--badsum Send packets with bogus TCP/UDP checksums
Responses are likely coming from a firewall or IDS that didn't the checksum. See nmap.org/p60-12


Output files may be used to resume aborted scans.

  1. interactive output, to standard output (stdout), default .
  2. Normal output, similar to interactive except displays less runtime information and warnings
  3. XML output can be converted to HTML, easily parsed by programs such as Nmap graphical user interfaces, or imported into databases.
  4. grepable output which includes most information for a target host on a single line. Deprecated but still generated via -oA

interactive output is displayed in addition to file output.

filenames support strftime-like conversions: %H, %M, %S, %m, %d, %y, and %Y. %T is %H%M%S, %R is %H%M and %D is %m%d%y.
Example: -oX 'scan-%T-%D.xml' will output to scan-144840-121307.xml.

-oN filenormal output to file .
-oX file XML output See nmap.org
-oS file Script output
like interactive output, except it is post-processed See nmap.org
-oG file grepable output See nmap.org

Consists of comments and target lines wich include labeled fields, separated by tabs and followed with a colon:
Host, Ports, Protocols, Ignored State, OS, Seq Index, IP ID, and Status

Ports is a comma separated list of port entries. and of the form of seven slash (/) separated subfields.
Port number, State, Protocol, Owner, Service, SunRPC info, and Version

# Nmap 7.00 scan initiated Tue Mar  1 12:14:37 2016 as: nmap -v -v -sS --top-ports 10 -oA train_%T -A smackerpro.local/23
# Ports scanned: TCP(10;21-23,25,80,110,139,443,445,3389) UDP(0;) SCTP(0;) PROTOCOLS(0;)
Host: ()    Ports: 21/filtered/tcp//ftp///, 22/filtered/tcp//ssh///, 23/filtered/tcp//telnet///, 25/closed/tcp//smtp///, 
        80/open/tcp//http//lighttpd/, 110/closed/tcp//pop3///, 139/closed/tcp//netbios-ssn///, 443/closed/tcp//https///, 445/closed/tcp//microsoft-ds///, 
        3389/closed/tcp//ms-wbt-server///    Seq Index: 195  IP I+D Seq: All zeros
Host: ()   Ports: 21/closed/tcp//ftp///, 22/closed/tcp//ssh///, 23/closed/tcp//telnet///, 25/closed/tcp//smtp///, 
        80/closed/tcp//http///, 110/closed/tcp//pop3///, 139/closed/tcp//netbios-ssn///, 443/closed/tcp//https///, 445/closed/tcp//microsoft-ds///, 
Host: ()   Ports: 21/closed/tcp//ftp///, 22/closed/tcp//ssh///, 23/closed/tcp//telnet///, 25/closed/tcp//smtp///, 
        80/closed/tcp//http///, 110/closed/tcp//pop3///, 139/closed/tcp//netbios-ssn///, 443/closed/tcp//https///, 445/closed/tcp//microsoft-ds///, 

See nmap.org/book/output-formats-grepable-output.html.

-oA basename all formats to: basename.nmap, basename.xml, and basename.gnmap.

Verbosity and debugging options

-v verbosity.
Open ports shown as found and completion time estimates are provided.
Use it twice or more for more. While running, v increases verbosity, V decreases. See nmap.org
-d [level] debug output
While running, d increases, D decreases. See nmap.org
--packet-trace Trace packets and data
output summary of every packet sent or received. Used for debugging. See nmap.org
--open Show only open (or possibly open) ports. See nmap.org
--iflist (List interfaces and routes)
outputs interface list and system routes, useful for debugging. See nmap.org
--log-errors Log errors/warnings to normal mode output file
Usually go only to the screen (interactive output), leaving any normal-format output files (usually specified with -oN) uncluttered.
messages will appear in interactive mode too.
An alternative to --log-errors is redirecting interactive output (including the standard error stream) to a file. See nmap.org

Miscellaneous output options

--resume filename Resume aborted scan
If normal (-oN) logs were kept, resume scanning.
No other arguments are permitted
--append-output See nmap.org
--stylesheet path or URL Set XSL stylesheet to transform XML output. See nmap.org
--webxml Load stylesheet from Nmap.Org . See nmap.org
--no-stylesheet (Omit XSL stylesheet declaration from XML)


-6 Enable IPv6 scanning
Ping scanning (TCP-only), connect scanning, and version detection .
Use IPv6 syntax to specify an address like 3ffe:7501:4819:2000:210:f3ff:fe03:14d0.
Hostnames are recommended.
Output includes the IPv6 address on the "interesting ports" line
see nmap.org
-A Aggressive scan
enables OS detection (-O), version and (-sV) script scanning (-sC) and traceroute (--traceroute).
Do not use against target networks as it is considered intrusive.
Does not set timing options (such as -T4) or verbosity (-v) .

--datadir ddircustom data file location for: nmap-service-probes, nmap-services, nmap-protocols, nmap-rpc, nmap-mac-prefixes, and nmap-os-db.
--servicedb or --versiondb may be used.
Files not found in ddir, are searched for in $NMAPDIR, then ~/.nmap, location of the Nmap executable and then a compiled-in location such as /usr/local/share/nmap or /usr/share/nmap

Causes a fast scan (-F) to be used.

--versiondb service probes file (Specify custom service probes file)
--send-eth send raw ethernet
Send data at link layeri rather then network layer. default, chooses the layer best for the platform it is on. See nmap.org
--send-ip Send at raw IP level
rather than lower level ethernet frames. complement of --send-eth
--privileged enough to perform raw socket sends, packet sniffing which require root privileges on *nix .
Must preceed flags requiring privileges
$NMAP_PRIVILEGED set as an equivalent
--unprivileged user lacks raw socket privileges, opposite of --privileged.
$NMAP_UNPRIVILEGED set as an alternative
--release-memory before quitting only useful for memory-leak debugging.
--interactive Start in interactive mode offers a prompt allowing launching multiple scans see nmap.org
output version number and exit.
help summary page
 Nmap 4.76 ( http://nmap.org )
           Usage: nmap [Scan Type(s)] [Options] {target specification}
             Can pass hostnames, IP addresses, networks, etc.
             Ex: scanme.nmap.org, microsoft.com/24,; 10.0.0-255.1-254
             -iL : Input from list of hosts/networks
             -iR : Choose random targets
             --exclude : Exclude hosts/networks
             --excludefile : Exclude list from file
           HOST DISCOVERY:
             -sL: List Scan - simply list targets to scan
             -sP: Ping Scan - go no further than determining if host is online
             -PN: Treat all hosts as online -- skip host discovery
             -PS/PA/PU [portlist]: TCP SYN/ACK or UDP discovery to given ports
             -PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
             -PO [protocol list]: IP Protocol Ping
             -n/-R: Never do DNS resolution/Always resolve [default: sometimes]
             --dns-servers : Specify custom DNS servers
             --system-dns: Use OS's DNS resolver
             -sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
             -sU: UDP Scan
             -sN/sF/sX: TCP Null, FIN, and Xmas scans
             --scanflags : Customize TCP scan flags
             -sI : Idle scan
             -sO: IP protocol scan
             -b : FTP bounce scan
             --traceroute: Trace hop path to each host
             --reason: Display the reason a port is in a particular state
             -p : Only scan specified ports
               Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080
             -F: Fast mode - Scan fewer ports than the default scan
             -r: Scan ports consecutively - don't randomize
             --top-ports : Scan  most common ports
             --port-ratio : Scan ports more common than 
             -sV: Probe open ports to determine service/version info
             --version-intensity : Set from 0 (light) to 9 (try all probes)
             --version-light: Limit to most likely probes (intensity 2)
             --version-all: Try every single probe (intensity 9)
             --version-trace: Show detailed version scan activity (for debugging)
           SCRIPT SCAN:
             -sC: equivalent to --script=default
             --script=:  is a comma separated list of
                      directories, script-files or script-categories
             --script-args=: provide arguments to scripts
             --script-trace: Show all data sent and received
             --script-updatedb: Update the script database.
           OS DETECTION:
             -O: Enable OS detection
             --osscan-limit: Limit OS detection to promising targets
             --osscan-guess: Guess OS more aggressively
             Options which take 


Keys pressed during execution change options, output status message .
lowercase increase the amount of output , Uppercase Decrease
v / V increase / decrease verbosity
d / D increase / decrease debugging
p / P turn on / off packet tracing
? Output a runtime interaction help screen
Anything else Print out a status message like this:
Stats: 0:00:08 elapsed; 111 hosts completed (5 up), 5 undergoing Service Scan

Service scan Timing: About 28.00% done; ETC: 16:18 (0:00:15 remaining)


Here are some Nmap usage examples, from the simple and routine to a little more complex and esoteric. Some actual IP addresses and domain names are used to make things more concrete. In their place you should substitute addresses/names from your own network.. While I don't think port scanning other networks is or should be illegal, some network administrators don't appreciate unsolicited scanning of their networks and may complain. Getting permission first is the best approach.

For testing purposes, you have permission to scan the host scanme.nmap.org. This permission only includes scanning via Nmap and not testing exploits or denial of service attacks. To conserve bandwidth, please do not initiate more than a dozen scans against that host per day. If this free scanning target service is abused, it will be taken down and Nmap will report Failed to resolve given hostname/IP: scanme.nmap.org. These permissions also apply to the hosts scanme2.nmap.org, scanme3.nmap.org, and so on, though those hosts do not currently exist.

nmap -v scanme.nmap.org

This option scans all reserved TCP ports on the machine scanme.nmap.org -v option enables verbose mode.

nmap -sS -O scanme.nmap.org/24

Launches a stealth SYN scan against each machine that is up out of the 255 machines on "class C" network where Scanme resides. It also tries to determine what operating system is running on each host that is up and running. This requires root privileges because of the SYN scan and OS detection.

nmap -sV -p 22,53,110,143,4564 198.116.0-255.1-127

Launches host enumeration and a TCP scan at the first half of each of the 255 possible 8 bit subnets in the 198.116 class B address space. This tests whether the systems run SSH, DNS, POP3, or IMAP on their standard ports, or anything on port 4564. For any of these ports found open, version detection is used to determine what application is running.

nmap -v -iR 100000 -PN -p 80

choose 100,000 hosts at random and scan them for web servers (port 80). Host enumeration is disabled with -PN since first sending a couple probes to determine whether a host is up is wasteful when you are only probing one port on each target host anyway.

nmap -PN -p80 -oX logs/pb-port80scan.xml -oG logs/pb-port80scan.gnmap

This scans 4096 IPs for any web servers (without pinging them) and saves the output in XML format.

Please refer to nmap.org for: BUGS, AUTHOR: Fyodor

Hundreds of people have made valuable contributions to Nmap over the years. These are detailed in the CHANGELOG file which is distributed with Nmap and also available from http://nmap.org/changelog.html.


Nmap Copyright and Licensing The Nmap Security Scanner is (C) 1996-2008 Insecure.Com LLC. Nmap is also a registered trademark of Insecure.Com LLC. This program is free software; you may redistribute and/or modify it under the terms of the GNU General Public License…

No Warranty

Inappropriate Usage

United States Export Control Classification


Gordon "Fyodor" Lyon Insecure.Org Author. Copyright (C) 2008 Nmap Project


  1. wikipedia article
  2. RFC 1122
  3. RFC 792
  4. RFC 1918
  5. UDP
  6. TCP RFC
  7. RFC 959
  8. RFC 1323
  9. IP protocol
  10. Nmap::Scanner
  11. Nmap::Parser
  12. tunnel brokers
  13. Creative Commons Attribution License
  14. Apache Software Foundation
  15. Libpcap portable packet capture library
  16. WinPcap library
  17. PCRE library
  18. Libdnet
  19. OpenSSL cryptography toolkit
  20. Lua programming language
Insecure.Org Zero Day 09/12/2008 NMAP(1) The newest version of Nmap can be obtained from nmap.org.

The newest version of the man page is available at http://nmap.org/book/man.html.