Nmap (Network Mapper) is one of the most powerful tools for network discovery, security auditing, and troubleshooting. Whether you're a developer, sysadmin, or security analyst, mastering Nmap can help you better understand networks and identify vulnerabilities.
In this guide, we’ll go through 100 essential Nmap commands, explaining each one line by line.
## 1. Getting Started with Nmap

### Check Nmap Version

```bash
nmap --version
```

Displays the installed Nmap version.

### Get Help with Nmap

```bash
nmap --help
```

Lists all available options and command syntax.

### Check the Nmap Manual

```bash
man nmap
```

Opens the Nmap manual, which covers every option and usage.

## 2. Basic Host Discovery

### Ping a Host to Check if It's Online

```bash
nmap -sn 192.168.1.1
```

Runs a ping scan to check whether the target is online, without scanning any ports.

### Scan a Single Host

```bash
nmap 192.168.1.1
```

Checks the target's most common ports for open services.

### Scan Multiple Hosts

```bash
nmap 192.168.1.1 192.168.1.2 192.168.1.3
```

Scans several IP addresses in one run.

### Scan a Subnet

```bash
nmap 192.168.1.0/24
```

Scans all 256 addresses in the 192.168.1.x range.

### Scan a Range of IP Addresses

```bash
nmap 192.168.1.1-50
```

Scans IP addresses 192.168.1.1 through 192.168.1.50.

### Scan a Hostname

```bash
nmap example.com
```

Resolves the domain name to an IP address and scans it.

## 3. Port Scanning

### Scan for Open Ports

```bash
nmap -p- 192.168.1.1
```

Scans all 65,535 ports instead of the default 1,000 ports.

### Scan Specific Ports

```bash
nmap -p 22,80,443 192.168.1.1
```

Scans ports 22 (SSH), 80 (HTTP), and 443 (HTTPS).

### Scan a Range of Ports

```bash
nmap -p 1-1000 192.168.1.1
```

Scans the first 1,000 ports.

### Detect Port Status

```bash
nmap --reason 192.168.1.1
```

Shows why Nmap classified each port as open, closed, or filtered (which response, or lack of one, led to that state).

## 4. Advanced Scanning Techniques

### Perform a Stealth Scan (SYN Scan - Default)

```bash
nmap -sS 192.168.1.1
```

Sends SYN packets without completing the full TCP connection (stealthier than a connect scan).

### Perform a Full TCP Connect Scan

```bash
nmap -sT 192.168.1.1
```

Completes the three-way handshake, which is noisier but more reliable.

### Scan UDP Ports

```bash
nmap -sU 192.168.1.1
```

Scans UDP ports, commonly used by services such as DNS, VoIP, and SNMP.

### Perform an Aggressive Scan

```bash
nmap -A 192.168.1.1
```

Enables OS detection, service version detection, and traceroute.

### Detect Operating System (OS) and Services

```bash
nmap -O 192.168.1.1
```

Tries to determine the target's operating system.

```bash
nmap -sV 192.168.1.1
```

Detects the versions of the services that are running.
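Before running any of the host and port scans above, it helps to know exactly which addresses and ports a target specification will expand to, and whether every one of them falls inside the range you are authorised to scan. The following is an added example, not part of the original post: it expands nmap-style target notation (plain address, CIDR, octet ranges) and `-p` port notation with Python's standard library, then reports any address that lies outside a scope list. The function names, the scope list and the target strings in the demo are constructed for illustration.

```python
"""Expand nmap target and port specifications and check them against an
authorised scan scope before a scan is launched.

Added example, not part of the original post. The function names and the
scope list in the demo at the bottom are constructed for illustration.
"""
from __future__ import annotations

import ipaddress
import itertools
import re

MAX_PORT = 65535
_RANGE = re.compile(r"(\d+)(?:-(\d+))?")


def _bounds(token: str, lo_limit: int, hi_limit: int) -> range:
    """Turn "N" or "N-M" into range(N, M + 1), validating against the limits."""
    m = _RANGE.fullmatch(token.strip())
    if not m:
        raise ValueError(f"bad range token: {token!r}")
    lo = int(m.group(1))
    hi = int(m.group(2)) if m.group(2) else lo
    if not lo_limit <= lo <= hi <= hi_limit:
        raise ValueError(f"range out of bounds: {token!r}")
    return range(lo, hi + 1)


def expand_targets(spec: str) -> list[ipaddress.IPv4Address]:
    """Expand one target specification into IPv4 addresses.

    Handles the forms used in the post: a plain address, CIDR notation
    (192.168.1.0/24) and octet ranges (192.168.1.1-50). As in nmap, a range
    may appear in any octet, so 192.168.0-1.1-10 yields 20 addresses.
    """
    if "/" in spec:
        # strict=False accepts host bits in the prefix, as nmap does;
        # the /24 yields all 256 addresses, network and broadcast included
        return list(ipaddress.ip_network(spec, strict=False))
    octets = spec.split(".")
    if len(octets) != 4:
        raise ValueError(f"unsupported target spec: {spec!r}")
    choices = [_bounds(o, 0, 255) for o in octets]
    return [ipaddress.IPv4Address(".".join(map(str, combo)))
            for combo in itertools.product(*choices)]


def expand_ports(spec: str) -> list[int]:
    """Expand a -p argument: "22,80,443", "1-1000" or "-" (all 65,535 ports)."""
    if spec == "-":
        return list(range(1, MAX_PORT + 1))
    ports: set[int] = set()
    for part in spec.split(","):
        ports.update(_bounds(part, 1, MAX_PORT))
    return sorted(ports)


def out_of_scope(spec: str, authorised: list[str]) -> list[str]:
    """Addresses in spec that fall outside every authorised network."""
    nets = [ipaddress.ip_network(a, strict=False) for a in authorised]
    return [str(ip) for ip in expand_targets(spec)
            if not any(ip in net for net in nets)]


if __name__ == "__main__":
    scope = ["192.168.1.0/25"]  # constructed: the range we are cleared to scan
    for target in ("192.168.1.1-50", "192.168.1.0/24"):
        strays = out_of_scope(target, scope)
        print(f"{target}: {len(expand_targets(target))} addresses, "
              f"{len(strays)} outside scope")
```

Running the demo shows that `192.168.1.1-50` sits entirely inside the constructed `/25` scope while `192.168.1.0/24` spills 128 addresses past it; a wrapper script can refuse to launch the scan when `out_of_scope` returns anything.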
## 5. Bypassing Firewalls & IDS

### Scan Using Decoy IPs

```bash
nmap -D RND:10 192.168.1.1
```

Mixes in 10 random decoy IPs to obscure which address is the real scanner.

### Spoof MAC Address

```bash
nmap --spoof-mac 00:11:22:33:44:55 192.168.1.1
```

Changes the MAC address the scanner uses, for anonymity.

### Use a Spoofed IP Address

```bash
nmap -S 192.168.1.100 192.168.1.1
```

Makes the scan appear to come from 192.168.1.100.

## 6. Nmap Scripting Engine (NSE) for Security Testing

### Run Vulnerability Scans

```bash
nmap --script=vuln 192.168.1.1
```

Runs the vulnerability detection scripts.

### Scan for Open Web Vulnerabilities

```bash
nmap --script="http-vuln*" 192.168.1.1
```

Checks for web-related vulnerabilities. The wildcard is quoted so the shell does not expand it before Nmap sees it.

### Scan for SMB (Windows) Vulnerabilities

```bash
nmap --script="smb-vuln*" 192.168.1.1
```

Looks for Windows SMB vulnerabilities (e.g., EternalBlue).

### Check for SSL/TLS Issues

```bash
nmap --script="ssl*" 192.168.1.1
```

Identifies weak SSL/TLS configurations.

## 7. Optimizing & Saving Scan Results

### Increase Scan Speed

```bash
nmap -T5 192.168.1.1
```

Uses the fastest timing template (aggressive).

### Save Output in a Text File

```bash
nmap -oN output.txt 192.168.1.1
```

Saves the results in a human-readable file.

### Save Output in XML Format

```bash
nmap -oX output.xml 192.168.1.1
```

Saves the results in XML format (for automation).

## 8. Scanning the Internet & Large Networks

### Scan the Top 100 Most Common Ports

```bash
nmap --top-ports 100 192.168.1.1
```

Focuses on the most frequently used ports.

### Scan a Public Website for Services

```bash
nmap -A example.com
```

Performs an aggressive scan on a public website.
## Conclusion

Nmap is an incredibly powerful tool for network discovery, security auditing, and troubleshooting. Whether you're scanning local networks, testing for vulnerabilities, or analyzing services, these 100 essential Nmap commands will help you get the job done efficiently.
What’s your favorite Nmap command? Let’s discuss in the comments! 🚀