
Complete Nmap Command Reference Guide

Notion
Tags: Technology, Tutorial, Cybersecurity, Security, Linux

A comprehensive guide to Nmap (Network Mapper) commands, from basic scanning to advanced techniques. This guide progresses from simple concepts to complex scanning strategies.

Table of Contents

  1. Introduction to Nmap
  2. Basic Scanning Techniques
  3. Host Discovery
  4. Port Scanning Techniques
  5. Service and Version Detection
  6. OS Detection
  7. Timing and Performance
  8. Firewall/IDS Evasion
  9. Output Formats
  10. NSE Scripts
  11. Advanced Combinations
  12. Practical Examples

🎯 Interactive Knowledge Checks

Test your understanding as you learn! Each section below has quiz questions to reinforce key concepts.



Introduction to Nmap

Nmap (Network Mapper) is an open-source tool for network discovery and security auditing. It's used to discover hosts and services on a computer network by sending packets and analyzing responses.

Basic Syntax:

nmap [Scan Type] [Options] {target specification}

Installation:

# Debian/Ubuntu
sudo apt-get install nmap
 
# RHEL/CentOS
sudo yum install nmap
 
# macOS
brew install nmap

Basic Scanning Techniques

Simple Host Scan

Command:

nmap 192.168.1.1

What it does: Scans the most common 1,000 TCP ports on the target host.

Expected Output:

Starting Nmap 7.94
Nmap scan report for 192.168.1.1
Host is up (0.0023s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
443/tcp  open  https
3306/tcp open  mysql
 
Nmap done: 1 IP address (1 host up) scanned in 0.45 seconds

Scan Multiple Hosts

Command:

nmap 192.168.1.1 192.168.1.2 192.168.1.3

What it does: Scans multiple specific IP addresses.

Expected Output:

Starting Nmap 7.94
Nmap scan report for 192.168.1.1
Host is up (0.0012s latency).
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
 
Nmap scan report for 192.168.1.2
Host is up (0.0015s latency).
PORT    STATE SERVICE
443/tcp open  https
 
Nmap done: 3 IP addresses (3 hosts up) scanned in 1.23 seconds

Scan IP Range

Command:

nmap 192.168.1.1-20

What it does: Scans IPs from 192.168.1.1 to 192.168.1.20.

Expected Output:

Nmap scan report for 192.168.1.1
Host is up (0.0010s latency).
 
Nmap scan report for 192.168.1.5
Host is up (0.0012s latency).
 
...(continues for all live hosts)...
 
Nmap done: 20 IP addresses (5 hosts up) scanned in 2.67 seconds

Scan Entire Subnet

Command:

nmap 192.168.1.0/24

What it does: Scans the whole /24. Nmap counts all 256 addresses (192.168.1.0 - 192.168.1.255) as targets, of which 254 (192.168.1.1 - 192.168.1.254) are usable host addresses.

Expected Output:

Starting Nmap 7.94
Nmap scan report for 192.168.1.1
Host is up (0.0010s latency).
PORT   STATE SERVICE
80/tcp open  http
 
...(output for each live host)...
 
Nmap done: 256 IP addresses (15 hosts up) scanned in 5.43 seconds
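How Nmap expands the target forms used above (a single address, an octet range, comma-separated octet values, CIDR) can be made concrete with a small expander. This is an added example written for this guide, not Nmap's own target parser. It handles per-octet ranges in general (for example `10.0.0-1.1-3`), of which the `192.168.1.1-20` case above is one instance, and it reproduces the 256-versus-254 distinction for a /24.

```python
# Added example (not Nmap's own code): expand Nmap-style IPv4 target
# specifications into the individual addresses a scan would cover.
# Handled forms: a single address, per-octet ranges (192.168.1.1-20,
# 10.0.0-1.1-3), per-octet comma lists (192.168.1.1,5,10) and CIDR
# (192.168.1.0/24). Nmap's own parser also accepts hostnames and
# exclusion lists, which this example leaves out.
import ipaddress
from itertools import product
from typing import List


def _expand_octet(spec: str) -> List[int]:
    """Expand one octet spec such as '5', '1-20', '1,5,10' or '0-255'."""
    values: List[int] = []
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        lo_i = int(lo)
        hi_i = int(hi) if hi else lo_i
        if not 0 <= lo_i <= hi_i <= 255:
            raise ValueError(f"octet range out of bounds: {part!r}")
        values.extend(range(lo_i, hi_i + 1))
    return values


def expand_targets(spec: str) -> List[str]:
    """Return every IPv4 address covered by one target specification."""
    if "/" in spec:
        # strict=False lets 192.168.1.1/24 mean the whole /24, as Nmap does.
        # Iterating the network includes the network and broadcast addresses,
        # which is why a /24 yields 256 targets even though 254 are usable.
        return [str(a) for a in ipaddress.IPv4Network(spec, strict=False)]
    octets = spec.split(".")
    if len(octets) != 4:
        raise ValueError(f"not an IPv4 target spec: {spec!r}")
    expanded = [_expand_octet(o) for o in octets]
    return [".".join(map(str, combo)) for combo in product(*expanded)]


def count_targets(spec: str) -> int:
    """Number of addresses a spec covers (the 'N IP addresses' figure in Nmap's summary line)."""
    return len(expand_targets(spec))


if __name__ == "__main__":
    for s in ("192.168.1.1", "192.168.1.1-20", "192.168.1.1,5,10",
              "192.168.1.0/24", "10.0.0-1.1-3"):
        addrs = expand_targets(s)
        print(f"{s:18} -> {len(addrs):4d} addresses ({addrs[0]} .. {addrs[-1]})")
```

`count_targets("192.168.1.0/24")` returns 256, matching the "256 IP addresses" in the summary line above; `count_targets("192.168.1.1-20")` returns 20.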
 
 
<details>
<summary>🧠 Quiz: Basic Scanning</summary>
 
**Question 1:** What is the default number of ports scanned with a basic `nmap 192.168.1.1` command?
- A) 100 ports
- B) 1,000 ports
- C) 10,000 ports
- D) All 65,535 ports
 
**Answer:** B) 1,000 ports (the most common ports)
 
---
 
**Question 2:** Which command would you use to scan IPs from 192.168.1.1 to 192.168.1.50?
- A) `nmap 192.168.1.1-50`
- B) `nmap 192.168.1.0/50`
- C) `nmap 192.168.1.1:50`
- D) `nmap --range 192.168.1.1-50`
 
**Answer:** A) `nmap 192.168.1.1-50`
 
---
 
**Question 3:** How many total IP addresses does `nmap 192.168.1.0/24` attempt to scan?
- A) 24
- B) 254
- C) 256
- D) 512
 
**Answer:** C) 256 (including .0 and .255, though typically only 254 are usable)
 
---
 
**✅ Practical Challenge:**
Try scanning your home router (usually 192.168.1.1 or 192.168.0.1). What ports are open? Can you identify what services are running?
 

nmap 192.168.1.1

</details>

Host Discovery

Host discovery determines which hosts are online before port scanning.

Ping Scan (No Port Scan)

Command:

nmap -sn 192.168.1.0/24

What it does: Only discovers which hosts are up, doesn't scan ports. Also called "ping sweep."

Expected Output:

Starting Nmap 7.94
Nmap scan report for 192.168.1.1
Host is up (0.0010s latency).
Nmap scan report for 192.168.1.5
Host is up (0.0012s latency).
Nmap scan report for 192.168.1.10
Host is up (0.0015s latency).
 
Nmap done: 256 IP addresses (3 hosts up) scanned in 2.11 seconds

Skip Host Discovery

Command:

nmap -Pn 192.168.1.1

What it does: Treats all hosts as online, skips ping. Useful when ICMP is blocked.

Expected Output:

Starting Nmap 7.94
Nmap scan report for 192.168.1.1
Host is up.
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
 
Nmap done: 1 IP address (1 host up) scanned in 0.67 seconds

TCP SYN Ping

Command:

nmap -PS22,80,443 192.168.1.0/24

What it does: Sends TCP SYN packets to specified ports to discover hosts.

Expected Output:

Nmap scan report for 192.168.1.1
Host is up (0.0010s latency).
Nmap scan report for 192.168.1.5
Host is up (0.0012s latency).
 
Nmap done: 256 IP addresses (2 hosts up) scanned in 1.89 seconds

ARP Ping (Local Network)

Command:

sudo nmap -PR 192.168.1.0/24

What it does: Uses ARP requests for host discovery on the local network (fastest method, since every host on the segment must answer ARP to communicate at all). Nmap already does this automatically when run as root against targets on the local Ethernet segment; -PR makes the choice explicit.

Expected Output:

Starting Nmap 7.94
Nmap scan report for 192.168.1.1
Host is up (0.00050s latency).
MAC Address: AA:BB:CC:DD:EE:FF (TP-LINK)
 
Nmap done: 256 IP addresses (8 hosts up) scanned in 0.45 seconds

Port Scanning Techniques

TCP SYN Scan (Stealth Scan)

Command:

sudo nmap -sS 192.168.1.1

What it does: Half-open scan, sends SYN packet, doesn't complete TCP handshake. Requires root/admin. Default scan type with privileges.

How it works:

  • Sends TCP SYN packet
  • If port open: receives SYN/ACK, sends RST
  • If port closed: receives RST
  • Stealthy because connection is never fully established

Expected Output:

Starting Nmap 7.94
Nmap scan report for 192.168.1.1
Host is up (0.0010s latency).
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
443/tcp  open  https
3306/tcp open  mysql
8080/tcp open  http-proxy
 
Nmap done: 1 IP address (1 host up) scanned in 0.34 seconds

TCP Connect Scan

Command:

nmap -sT 192.168.1.1

What it does: Full TCP connection scan. Default when SYN scan isn't available (no root privileges).

How it works:

  • Completes full TCP 3-way handshake
  • More detectable than SYN scan
  • Slower but doesn't require privileges

Expected Output:

Starting Nmap 7.94
Nmap scan report for 192.168.1.1
Host is up (0.0015s latency).
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
443/tcp open  https
 
Nmap done: 1 IP address (1 host up) scanned in 0.56 seconds

UDP Scan

Command:

sudo nmap -sU 192.168.1.1

What it does: Scans UDP ports. Very slow but important for finding DNS, SNMP, DHCP services.

Expected Output:

Starting Nmap 7.94
Nmap scan report for 192.168.1.1
Host is up (0.0010s latency).
PORT     STATE         SERVICE
53/udp   open          domain
67/udp   open|filtered dhcps
123/udp  open          ntp
161/udp  open          snmp
 
Nmap done: 1 IP address (1 host up) scanned in 1084.56 seconds
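The three exchanges described above (SYN scan, connect scan, UDP scan) can be modelled end to end. This is an added example written for this guide, not Nmap's code: a target object that answers probes and keeps two records, the packets seen on the wire and the connections its application layer would log. It shows why a SYN scan never appears in a service's own logs while a connect scan does, why a silently dropped port reads as filtered, and why an unanswered UDP probe is only open|filtered. Retransmissions and Nmap's protocol-specific UDP payloads are left out of the model.

```python
# Added example (not Nmap's own code, not from the original post): a
# simplified model of the packet exchanges behind -sS, -sT and -sU.
# The Target records a wire transcript (what a network sensor sees) and
# an application log (what the listening service sees), which makes the
# detectability difference between the scan types concrete.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple


@dataclass
class Target:
    open_tcp: Set[int]
    open_udp: Set[int]
    dropped: Set[int] = field(default_factory=set)     # ports a firewall silently drops
    wire: List[str] = field(default_factory=list)      # every packet, both directions
    app_log: List[str] = field(default_factory=list)   # only fully established connections
    half_open: Set[int] = field(default_factory=set)   # ports currently in SYN_RCVD

    def tcp_receive(self, port: int, flags: str) -> Optional[str]:
        self.wire.append(f"-> {port}/tcp {flags}")
        if port in self.dropped:
            return None                                # no reply at all
        reply: Optional[str] = None
        if flags == "SYN":
            if port in self.open_tcp:
                self.half_open.add(port)
                reply = "SYN/ACK"
            else:
                reply = "RST"
        elif flags == "ACK" and port in self.half_open:
            # Third handshake packet: the connection is ESTABLISHED and the
            # service's accept() returns, so the application can log it.
            self.half_open.discard(port)
            self.app_log.append(f"connection accepted on port {port}")
        elif flags == "RST":
            self.half_open.discard(port)               # half-open entry torn down
        else:
            reply = "RST"                              # unexpected segment
        if reply:
            self.wire.append(f"<- {port}/tcp {reply}")
        return reply

    def udp_receive(self, port: int) -> Optional[str]:
        self.wire.append(f"-> {port}/udp probe")
        if port in self.dropped or port in self.open_udp:
            return None    # dropped, or an open service that ignores an empty datagram
        self.wire.append(f"<- {port}/udp ICMP port unreachable")
        return "ICMP_UNREACH"


def syn_scan_port(t: Target, port: int) -> str:
    """-sS: SYN, read the reply, then RST; the handshake never completes."""
    reply = t.tcp_receive(port, "SYN")
    if reply == "SYN/ACK":
        t.tcp_receive(port, "RST")
        return "open"
    return "closed" if reply == "RST" else "filtered"


def connect_scan_port(t: Target, port: int) -> str:
    """-sT: the OS completes the three-way handshake, then the scanner closes."""
    reply = t.tcp_receive(port, "SYN")
    if reply == "SYN/ACK":
        t.tcp_receive(port, "ACK")
        t.tcp_receive(port, "RST")   # close; modelled as RST for brevity
        return "open"
    return "closed" if reply == "RST" else "filtered"


def udp_scan_port(t: Target, port: int) -> str:
    """-sU: only an ICMP port-unreachable is conclusive; silence is ambiguous."""
    return "closed" if t.udp_receive(port) == "ICMP_UNREACH" else "open|filtered"


def run_scan(scan: Callable[[Target, int], str], ports: List[int],
             open_tcp=frozenset({22, 80}), open_udp=frozenset({53}),
             dropped=frozenset()) -> Tuple[Dict[int, str], Target]:
    """Scan `ports` against a constructed target and return (results, target)."""
    t = Target(set(open_tcp), set(open_udp), set(dropped))
    return {p: scan(t, p) for p in ports}, t


if __name__ == "__main__":
    for name, scan in (("-sS", syn_scan_port), ("-sT", connect_scan_port)):
        results, t = run_scan(scan, [22, 23, 443], dropped={443})
        print(name, results, "| app log:", t.app_log)
    results, t = run_scan(udp_scan_port, [53, 54])
    print("-sU", results)
```

Running it shows the same port states for -sS and -sT, but the application log is empty after the SYN scan and contains one accepted connection after the connect scan: a SYN scan can only be seen by something watching the network, which is what the "stealth" label in the section above actually means.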

Scan Specific Ports

Command:

nmap -p 22,80,443 192.168.1.1

What it does: Scans only specified ports.

Expected Output:

Nmap scan report for 192.168.1.1
Host is up (0.0010s latency).
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
443/tcp open  https
 
Nmap done: 1 IP address (1 host up) scanned in 0.12 seconds

Scan Port Range

Command:

nmap -p 1-1000 192.168.1.1

What it does: Scans ports 1 through 1000.

Expected Output:

Nmap scan report for 192.168.1.1
Host is up (0.0010s latency).
Not shown: 995 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
139/tcp open  netbios-ssn
443/tcp open  https
445/tcp open  microsoft-ds
 
Nmap done: 1 IP address (1 host up) scanned in 0.78 seconds

Scan All Ports

Command:

nmap -p- 192.168.1.1

What it does: Scans all 65,535 TCP ports.

Expected Output:

Starting Nmap 7.94
Nmap scan report for 192.168.1.1
Host is up (0.0010s latency).
Not shown: 65530 closed ports
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
443/tcp   open  https
3306/tcp  open  mysql
8080/tcp  open  http-proxy
 
Nmap done: 1 IP address (1 host up) scanned in 26.78 seconds

Fast Scan (Top 100 Ports)

Command:

nmap -F 192.168.1.1

What it does: Scans the 100 most common ports instead of 1,000.

Expected Output:

Nmap scan report for 192.168.1.1
Host is up (0.0010s latency).
Not shown: 96 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
443/tcp  open  https
3389/tcp open  ms-wbt-server
 
Nmap done: 1 IP address (1 host up) scanned in 0.08 seconds

Top Ports Scan

Command:

nmap --top-ports 20 192.168.1.1

What it does: Scans the 20 most common ports.

Expected Output:

Nmap scan report for 192.168.1.1
Host is up (0.0010s latency).
PORT     STATE  SERVICE
21/tcp   closed ftp
22/tcp   open   ssh
23/tcp   closed telnet
25/tcp   closed smtp
80/tcp   open   http
110/tcp  closed pop3
443/tcp  open   https
 
Nmap done: 1 IP address (1 host up) scanned in 0.06 seconds
 
 
<details>
<summary>🧠 Quiz: Port Scanning</summary>
 
**Question 1:** What does the `-sS` flag do in Nmap?
- A) Service version scan
- B) SYN stealth scan (half-open)
- C) Super speed scan
- D) Safe scan mode
 
**Answer:** B) SYN stealth scan - sends SYN packet but doesn't complete the TCP handshake, making it stealthier
 
---
 
**Question 2:** Why does `-sS` require sudo/root privileges?
- A) It's a dangerous scan
- B) It requires raw packet manipulation
- C) It accesses system files
- D) It modifies firewall rules
 
**Answer:** B) It requires raw packet manipulation to craft custom SYN packets
 
---
 
**Question 3:** Which scan type completes the full TCP 3-way handshake?
- A) `-sS`
- B) `-sT`
- C) `-sU`
- D) `-sF`
 
**Answer:** B) `-sT` (TCP Connect scan)
 
---
 
**Question 4:** What command scans ALL 65,535 TCP ports?
- A) `nmap -p 1-65535 192.168.1.1`
- B) `nmap -p- 192.168.1.1`
- C) `nmap --all-ports 192.168.1.1`
- D) Both A and B
 
**Answer:** D) Both A and B work (but `-p-` is the shorthand)
 
---
 
**Question 5:** UDP scans are very slow because:
- A) UDP is an unreliable protocol
- B) Closed UDP ports often don't respond, requiring timeout
- C) Nmap waits for ICMP port unreachable messages
- D) Both B and C
 
**Answer:** D) Both B and C
 
---
 
**✅ Practical Challenge:**
Compare scan times between these three commands on the same target:

# Fast scan (100 ports)
time nmap -F 192.168.1.1
 
# Top 20 ports
time nmap --top-ports 20 192.168.1.1
 
# All ports (will take a while!)
time nmap -p- 192.168.1.1

How much faster is the `-F` scan compared to `-p-`?
</details>

Service and Version Detection

Service Version Detection

Command:

nmap -sV 192.168.1.1

What it does: Probes open ports to determine service and version information.

Expected Output:

Starting Nmap 7.94
Nmap scan report for 192.168.1.1
Host is up (0.0010s latency).
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http    Apache httpd 2.4.52 ((Ubuntu))
443/tcp  open  ssl/http Apache httpd 2.4.52 ((Ubuntu))
3306/tcp open  mysql   MySQL 8.0.32-0ubuntu0.22.04.2
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
 
Nmap done: 1 IP address (1 host up) scanned in 12.45 seconds

Aggressive Version Detection

Command:

nmap -sV --version-intensity 9 192.168.1.1

What it does: Most thorough version detection (0-9 scale, default is 7).

Expected Output:

PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
80/tcp  open  http    Apache httpd 2.4.52 ((Ubuntu))
|_http-server-header: Apache/2.4.52 (Ubuntu)
443/tcp open  ssl/http Apache httpd 2.4.52
| ssl-cert: Subject: commonName=example.com
| Not valid before: 2023-01-15T00:00:00
|_Not valid after:  2024-01-15T23:59:59
 
Nmap done: 1 IP address (1 host up) scanned in 18.34 seconds

Light Version Detection

Command:

nmap -sV --version-intensity 0 192.168.1.1

What it does: Fastest version detection, less accurate.

Expected Output:

PORT    STATE SERVICE VERSION
22/tcp  open  ssh
80/tcp  open  http
443/tcp open  https
 
Nmap done: 1 IP address (1 host up) scanned in 3.21 seconds

OS Detection

Operating System Detection

Command:

sudo nmap -O 192.168.1.1

What it does: Attempts to determine the operating system and version.

Expected Output:

Starting Nmap 7.94
Nmap scan report for 192.168.1.1
Host is up (0.0010s latency).
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
443/tcp open  https
MAC Address: AA:BB:CC:DD:EE:FF (Unknown)
Device type: general purpose
Running: Linux 5.X
OS CPE: cpe:/o:linux:linux_kernel:5.15
OS details: Linux 5.15 - 6.0
Network Distance: 1 hop
 
Nmap done: 1 IP address (1 host up) scanned in 3.45 seconds

Aggressive OS Detection

Command:

sudo nmap -O --osscan-guess 192.168.1.1

What it does: More aggressive OS detection, guesses if unsure.

Expected Output:

OS details: Linux 5.15 - 6.0, Ubuntu 22.04 (96%)
CPE: cpe:/o:linux:linux_kernel:5.15 cpe:/o:canonical:ubuntu_linux:22.04
 
Nmap done: 1 IP address (1 host up) scanned in 4.67 seconds

Timing and Performance

Nmap has 6 timing templates: T0 (paranoid), T1 (sneaky), T2 (polite), T3 (normal - default), T4 (aggressive), T5 (insane).

Paranoid Timing (IDS Evasion)

Command:

nmap -T0 192.168.1.1

What it does: Extremely slow scan, 5 minutes between probes. For IDS evasion.

Expected Output:

Starting Nmap 7.94
Nmap scan report for 192.168.1.1
Host is up.
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
 
Nmap done: 1 IP address (1 host up) scanned in 3600.12 seconds

Aggressive Timing

Command:

nmap -T4 192.168.1.1

What it does: Fast scan, assumes fast and reliable network.

Expected Output:

Starting Nmap 7.94
Nmap scan report for 192.168.1.1
Host is up (0.0010s latency).
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
443/tcp open  https
 
Nmap done: 1 IP address (1 host up) scanned in 0.23 seconds

Insane Timing

Command:

nmap -T5 192.168.1.1

What it does: Extremely fast, may miss ports on slower networks.

Expected Output:

Nmap scan report for 192.168.1.1
Host is up (0.0010s latency).
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
 
Nmap done: 1 IP address (1 host up) scanned in 0.15 seconds

Custom Timing

Command:

nmap --min-rate 1000 --max-rate 5000 192.168.1.1

What it does: Sends between 1000-5000 packets per second.

Expected Output:

Nmap scan report for 192.168.1.1
Host is up (0.0010s latency).
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
 
Nmap done: 1 IP address (1 host up) scanned in 0.89 seconds

Firewall/IDS Evasion

Fragment Packets

Command:

sudo nmap -f 192.168.1.1

What it does: Fragments packets into 8-byte chunks to evade packet filters.

Expected Output:

Nmap scan report for 192.168.1.1
Host is up (0.0010s latency).
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
 
Nmap done: 1 IP address (1 host up) scanned in 1.23 seconds

MTU Fragmentation

Command:

sudo nmap --mtu 16 192.168.1.1

What it does: Custom MTU size for fragmentation (must be multiple of 8).

Expected Output:

Nmap scan report for 192.168.1.1
Host is up.
PORT   STATE SERVICE
80/tcp open  http
 
Nmap done: 1 IP address (1 host up) scanned in 1.45 seconds

Decoy Scan

Command:

sudo nmap -D RND:10 192.168.1.1

What it does: Uses 10 random decoy IPs to hide your real IP.

Expected Output:

Nmap scan report for 192.168.1.1
Host is up (0.0010s latency).
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
 
Nmap done: 1 IP address (1 host up) scanned in 0.67 seconds

Specific Decoy IPs

Command:

sudo nmap -D 192.168.1.100,192.168.1.101,ME 192.168.1.1

What it does: Uses specific decoy IPs, ME represents your real IP position.

Expected Output:

Nmap scan report for 192.168.1.1
Host is up.
PORT   STATE SERVICE
80/tcp open  http
 
Nmap done: 1 IP address (1 host up) scanned in 0.78 seconds

Spoof Source Port

Command:

sudo nmap --source-port 53 192.168.1.1

What it does: Spoofs source port to 53 (DNS), some firewalls allow DNS traffic.

Expected Output:

Nmap scan report for 192.168.1.1
Host is up (0.0010s latency).
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
443/tcp open  https
 
Nmap done: 1 IP address (1 host up) scanned in 0.56 seconds

Append Random Data

Command:

sudo nmap --data-length 25 192.168.1.1

What it does: Appends 25 random bytes to packets to evade signature detection.

Expected Output:

Nmap scan report for 192.168.1.1
Host is up.
PORT   STATE SERVICE
80/tcp open  http
 
Nmap done: 1 IP address (1 host up) scanned in 0.89 seconds

Spoof MAC Address

Command:

sudo nmap --spoof-mac 0 192.168.1.1

What it does: Generates random MAC address (0 = random, or specify vendor/MAC).

Expected Output:

Spoofed MAC = AA:BB:CC:DD:EE:FF (Unknown)
Nmap scan report for 192.168.1.1
Host is up.
PORT   STATE SERVICE
80/tcp open  http
 
Nmap done: 1 IP address (1 host up) scanned in 0.67 seconds
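Seen from the other side of the wire, the timing and evasion options above change how a scan looks in a firewall or flow log, not whether connection attempts occur. The following is an added example written for this guide, not from the original post: a small detector run over constructed log lines, with one fast scanner (the -T4 picture), one scanner probing a single port every five minutes (the -T0 picture) and one normal client. A 60-second sliding window catches only the fast scanner; a per-source count of distinct ports over the whole log catches both. The log line format is invented for the example.

```python
# Added example (not Nmap's own code, not from the original post): a
# defender-side port-scan detector run over constructed firewall log
# lines. It shows why a purely time-windowed threshold is evaded by
# slow timing (-T0/-T1 style probing) while a long-horizon count of
# distinct ports per source still catches it.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set

# Constructed log format for this example (not any real firewall's syntax).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=TCP DPT=(?P<dport>\d+) FLAGS=(?P<flags>\S+)$"
)

SCAN_PORTS = [21, 22, 23, 25, 53, 80, 110, 139, 143, 443, 445, 3306]


def build_sample_log() -> List[str]:
    """Constructed sample: one fast scanner, one slow scanner, one normal client."""
    lines = []
    base = datetime(2026, 2, 22, 10, 0, 0)
    # 203.0.113.5 probes 12 ports in just over a second (aggressive timing).
    for i, port in enumerate(SCAN_PORTS):
        ts = base + timedelta(minutes=30, milliseconds=100 * i)
        lines.append(f"{ts.isoformat()} SRC=203.0.113.5 DST=192.168.1.1 PROTO=TCP DPT={port} FLAGS=SYN")
    # 198.51.100.9 probes the same 12 ports, one every five minutes (paranoid timing).
    for i, port in enumerate(SCAN_PORTS):
        ts = base + timedelta(minutes=5 * i)
        lines.append(f"{ts.isoformat()} SRC=198.51.100.9 DST=192.168.1.1 PROTO=TCP DPT={port} FLAGS=SYN")
    # 192.0.2.7 is an ordinary HTTPS client: many connections, one port.
    for i in range(20):
        ts = base + timedelta(seconds=3 * i)
        lines.append(f"{ts.isoformat()} SRC=192.0.2.7 DST=192.168.1.1 PROTO=TCP DPT=443 FLAGS=SYN")
    return lines


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line; return None for lines that don't match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "src": m["src"],
            "dst": m["dst"], "dport": int(m["dport"]), "flags": m["flags"]}


def burst_scanners(events: List[dict], window: timedelta = timedelta(seconds=60),
                   min_ports: int = 10) -> Set[str]:
    """Flag a source that hits >= min_ports distinct ports on one host within `window`."""
    flagged: Set[str] = set()
    recent: Dict[tuple, deque] = defaultdict(deque)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["flags"] != "SYN":          # only initial connection attempts
            continue
        q = recent[(ev["src"], ev["dst"])]
        q.append((ev["ts"], ev["dport"]))
        while q and ev["ts"] - q[0][0] > window:   # slide the window forward
            q.popleft()
        if len({p for _, p in q}) >= min_ports:
            flagged.add(ev["src"])
    return flagged


def slow_scanners(events: List[dict], min_ports: int = 10) -> Set[str]:
    """Long-horizon view: distinct ports per (src, dst) over the whole log, no window."""
    ports: Dict[tuple, Set[int]] = defaultdict(set)
    for ev in events:
        if ev["flags"] == "SYN":
            ports[(ev["src"], ev["dst"])].add(ev["dport"])
    return {src for (src, _dst), ps in ports.items() if len(ps) >= min_ports}


def analyse(lines: List[str]) -> Dict[str, Set[str]]:
    """Run both rules over raw log lines and return the flagged sources per rule."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    return {"burst": burst_scanners(events), "slow": slow_scanners(events)}


if __name__ == "__main__":
    for rule, sources in analyse(build_sample_log()).items():
        print(f"{rule:5}: {sorted(sources) or 'nothing flagged'}")
```

The burst rule flags only 203.0.113.5; the slow rule flags both scanners and leaves the HTTPS client alone. Fragmentation (-f) and padding (--data-length) change packet shape but not the connection attempts this logic keys on; decoys (-D) show up as several sources probing the same target in the same window, so correlating by destination rather than by source is the natural extension.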

Output Formats

Normal Output to File

Command:

nmap -oN scan_results.txt 192.168.1.1

What it does: Saves output in normal format (human-readable).

File Content (scan_results.txt):

Starting Nmap 7.94
Nmap scan report for 192.168.1.1
Host is up (0.0010s latency).
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
 
Nmap done: 1 IP address (1 host up) scanned in 0.45 seconds

XML Output

Command:

nmap -oX scan_results.xml 192.168.1.1

What it does: Saves output in XML format (for parsing/importing).

File Content (scan_results.xml):

<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -oX scan_results.xml 192.168.1.1">
  <host>
    <address addr="192.168.1.1" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open"/>
      </port>
    </ports>
  </host>
</nmaprun>
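To make use of the XML format, here is an added example (written for this guide, not Nmap's or the post's own code) that parses it with the Python standard library. The sample document is constructed: it follows the layout above, extended with the `<status>` and `<service>` elements a real -sV run writes.

```python
# Added example (not Nmap's own code, not from the original post): parse
# Nmap XML output (-oX) into plain Python structures. SAMPLE_XML is a
# constructed document in the shape Nmap writes.
import xml.etree.ElementTree as ET
from typing import Dict, List, Set, Tuple

SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX scan_results.xml 192.168.1.0/24" version="7.94">
  <host>
    <status state="up" reason="syn-ack"/>
    <address addr="192.168.1.1" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="8.9p1"/>
      </port>
      <port protocol="tcp" portid="23">
        <state state="closed" reason="reset"/>
        <service name="telnet"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack"/>
        <service name="http" product="Apache httpd" version="2.4.52"/>
      </port>
    </ports>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="192.168.1.2" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text: str) -> Dict[str, dict]:
    """Return {ipv4 address: {"status": ..., "ports": [...]}} for every host."""
    root = ET.fromstring(xml_text)
    hosts: Dict[str, dict] = {}
    for host in root.findall("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        status = host.find("status")
        entry = {"status": status.get("state") if status is not None else "unknown",
                 "ports": []}
        for port in host.findall("ports/port"):
            state = port.find("state")
            svc = port.find("service")
            product = ""
            if svc is not None:
                product = " ".join(v for v in (svc.get("product"), svc.get("version")) if v)
            entry["ports"].append({
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "state": state.get("state") if state is not None else "unknown",
                "service": svc.get("name", "") if svc is not None else "",
                "product": product,
            })
        hosts[addr_el.get("addr")] = entry
    return hosts


def up_hosts(hosts: Dict[str, dict]) -> List[str]:
    return sorted(a for a, h in hosts.items() if h["status"] == "up")


def open_ports(hosts: Dict[str, dict]) -> Set[Tuple[str, int, str]]:
    """(address, port, protocol) for every open port across all hosts."""
    return {(a, p["port"], p["proto"])
            for a, h in hosts.items() for p in h["ports"] if p["state"] == "open"}


if __name__ == "__main__":
    parsed = parse_nmap_xml(SAMPLE_XML)
    print("up:", up_hosts(parsed))
    for addr, port, proto in sorted(open_ports(parsed)):
        info = next(p for p in parsed[addr]["ports"] if p["port"] == port)
        print(f"{addr}:{port}/{proto} {info['service']} {info['product']}")
```

Nmap's own output is trusted input, but the same parser should not be pointed at XML from untrusted sources with the standard-library module alone; the defusedxml package provides a drop-in `fromstring` that rejects entity-expansion tricks.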

Grepable Output

Command:

nmap -oG scan_results.gnmap 192.168.1.1

What it does: Saves in grepable format (easy to parse with grep/awk).

File Content (scan_results.gnmap):

Host: 192.168.1.1 ()  Status: Up
Host: 192.168.1.1 ()  Ports: 22/open/tcp//ssh///, 80/open/tcp//http///

All Formats

Command:

nmap -oA scan_results 192.168.1.1

What it does: Saves in all three formats (.nmap, .xml, .gnmap).

Expected Output:

Creates:
- scan_results.nmap
- scan_results.xml
- scan_results.gnmap

Verbose Output

Command:

nmap -v 192.168.1.1

What it does: Shows detailed progress and results in real-time.

Expected Output:

Starting Nmap 7.94
Initiating Ping Scan at 10:30
Scanning 192.168.1.1 [4 ports]
Completed Ping Scan at 10:30, 0.01s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 10:30
Scanning 192.168.1.1 [1000 ports]
Discovered open port 22/tcp on 192.168.1.1
Discovered open port 80/tcp on 192.168.1.1
Completed SYN Stealth Scan at 10:30, 0.45s elapsed (1000 total ports)
 
Nmap scan report for 192.168.1.1
Host is up (0.0010s latency).
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
 
Nmap done: 1 IP address (1 host up) scanned in 0.47 seconds

Very Verbose

Command:

nmap -vv 192.168.1.1

What it does: Even more detailed output than -v.

Expected Output:

Starting Nmap 7.94
Initiating Ping Scan at 10:30:15
Scanning 192.168.1.1 [4 ports]
Packet capture filter (device eth0): dst host 192.168.1.50 and (icmp or icmp6 or ((tcp or udp or sctp) and (src host 192.168.1.1)))
Completed Ping Scan at 10:30:15, 0.01s elapsed (1 total hosts)
...(extensive details)...

Debug Output

Command:

nmap -d 192.168.1.1

What it does: Shows debugging information (for troubleshooting).

Expected Output:

MASS DNS: Using DNS server 192.168.1.1
MASS DNS: 0.01s 0/1 [#: 1, OK: 0, NX: 0, DR: 0, SF: 0, TR: 1]
Initiating SYN Stealth Scan at 10:30
Packet: TCP 192.168.1.50:54321 > 192.168.1.1:22 S ttl=51 id=12345 iplen=44  seq=987654321
...(extensive debugging info)...

NSE Scripts

Nmap Scripting Engine (NSE) extends functionality with Lua scripts.

Default Scripts

Command:

nmap -sC 192.168.1.1

What it does: Runs default safe scripts (equivalent to --script=default).

Expected Output:

PORT    STATE SERVICE
22/tcp  open  ssh
| ssh-hostkey: 
|   256 aa:bb:cc:dd:ee:ff (RSA)
|_  256 11:22:33:44:55:66 (ECDSA)
80/tcp  open  http
|_http-title: Welcome Page
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
443/tcp open  https
| ssl-cert: Subject: commonName=example.com
| Subject Alternative Name: DNS:example.com, DNS:www.example.com
|_Not valid after:  2024-12-31T23:59:59

Specific Script

Command:

nmap --script=http-headers 192.168.1.1

What it does: Runs specific NSE script to retrieve HTTP headers.

Expected Output:

PORT   STATE SERVICE
80/tcp open  http
| http-headers: 
|   Date: Sun, 22 Feb 2026 10:30:00 GMT
|   Server: Apache/2.4.52 (Ubuntu)
|   X-Powered-By: PHP/8.1.2
|   Content-Type: text/html; charset=UTF-8
|_  Connection: close

Multiple Scripts

Command:

nmap --script=http-title,http-headers,ssl-cert 192.168.1.1

What it does: Runs multiple specified scripts.

Expected Output:

PORT    STATE SERVICE
80/tcp  open  http
| http-title: Home Page
|_Requested resource was http://192.168.1.1/index.html
| http-headers: 
|   Server: Apache/2.4.52
|_  X-Frame-Options: SAMEORIGIN
443/tcp open  https
| ssl-cert: Subject: commonName=example.com
|_Issuer: commonName=Let's Encrypt

Script Categories

Command:

nmap --script=vuln 192.168.1.1

What it does: Runs all scripts in the "vuln" category (vulnerability detection).

Categories:

  • auth: Authentication bypass
  • broadcast: Network broadcast discovery
  • brute: Brute force attacks
  • default: Default safe scripts
  • discovery: Network/service discovery
  • dos: Denial of service detection
  • exploit: Active exploitation
  • external: Uses external resources
  • fuzzer: Fuzzing attacks
  • intrusive: May crash services
  • malware: Malware detection
  • safe: Won't crash services
  • version: Service version detection
  • vuln: Vulnerability detection

Expected Output:

PORT   STATE SERVICE
80/tcp open  http
| http-csrf: 
| Spidering limited to: maxdepth=3; maxpagecount=20
|_  Couldn't find any CSRF vulnerabilities
| http-slowloris-check: 
|   VULNERABLE:
|   Slowloris DOS attack
|_    State: LIKELY VULNERABLE

Vulnerability Scan

Command:

nmap -sV --script=vulners 192.168.1.1

What it does: Detects software versions and checks for known vulnerabilities.

Expected Output:

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2
| vulners: 
|   cpe:/a:openbsd:openssh:7.2p2: 
|     CVE-2016-10012  6.9  https://vulners.com/cve/CVE-2016-10012
|     CVE-2016-10009  5.0  https://vulners.com/cve/CVE-2016-10009
|_    CVE-2016-10010  4.9  https://vulners.com/cve/CVE-2016-10010

Script with Arguments

Command:

nmap --script=http-brute --script-args userdb=users.txt,passdb=pass.txt 192.168.1.1

What it does: Runs HTTP brute force with custom username and password lists.

Expected Output:

PORT   STATE SERVICE
80/tcp open  http
| http-brute: 
|   Accounts: 
|     admin:password123 - Valid credentials
|   Statistics: 
|_    Performed 250 guesses in 12 seconds

List Available Scripts

Command:

nmap --script-help='http-*'

What it does: Lists all HTTP-related scripts and their descriptions. The wildcard is quoted so the shell passes it to Nmap rather than expanding it against files in the current directory.

Expected Output:

http-apache-negotiation
  Checks if Apache mod_negotiation is enabled
 
http-auth
  Retrieves authentication scheme and realm
 
http-backup-finder
  Finds backup files on web servers
...(continues with all http-* scripts)...

Advanced Combinations

Comprehensive Network Audit

Command:

sudo nmap -sS -sV -O -p- --script=default,vuln -T4 -oA full_scan 192.168.1.0/24

What it does:

  • SYN scan (-sS)
  • Service/version detection (-sV)
  • OS detection (-O)
  • All ports (-p-)
  • Default and vulnerability scripts
  • Aggressive timing (-T4)
  • Save all output formats (-oA)

Expected Output:

Starting Nmap 7.94
Nmap scan report for 192.168.1.1
Host is up (0.0010s latency).
Not shown: 65530 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.9p1 Ubuntu
| ssh-hostkey: 
|   256 aa:bb:cc:dd:ee:ff (RSA)
80/tcp   open  http    Apache httpd 2.4.52
| http-csrf: 
|_  Couldn't find any CSRF vulnerabilities
443/tcp  open  ssl/http Apache httpd 2.4.52
| ssl-cert: Subject: commonName=example.com
3306/tcp open  mysql   MySQL 8.0.32
MAC Address: AA:BB:CC:DD:EE:FF
Device type: general purpose
Running: Linux 5.X
OS details: Linux 5.15 - 6.0
 
Nmap done: 256 IP addresses (15 hosts up) scanned in 3245.67 seconds

Aggressive Scan

Command:

sudo nmap -A 192.168.1.1

What it does: Enables OS detection, version detection, script scanning, and traceroute.

Expected Output:

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu
| ssh-hostkey: 
|   256 aa:bb:cc:dd:ee:ff (RSA)
80/tcp open  http    Apache httpd 2.4.52
|_http-title: Welcome
|_http-server-header: Apache/2.4.52 (Ubuntu)
MAC Address: AA:BB:CC:DD:EE:FF
Device type: general purpose
Running: Linux 5.X
OS details: Linux 5.15 - 6.0
Network Distance: 1 hop
 
TRACEROUTE
HOP RTT     ADDRESS
1   1.00 ms 192.168.1.1
 
Nmap done: 1 IP address (1 host up) scanned in 15.23 seconds

Quick Network Discovery

Command:

nmap -sn --top-ports 10 192.168.1.0/24

What it does: Ping sweep with top 10 port checks for thorough host discovery.

Expected Output:

Nmap scan report for 192.168.1.1
Host is up (0.0010s latency).
Nmap scan report for 192.168.1.5
Host is up (0.0012s latency).
Nmap scan report for 192.168.1.10
Host is up (0.0015s latency).
 
Nmap done: 256 IP addresses (3 hosts up) scanned in 3.45 seconds

Stealth Vulnerability Scan

Command:

sudo nmap -sS -sV -p 80,443 --script='http-vuln-*' -T2 -f --data-length 25 192.168.1.1

What it does:

  • SYN scan
  • Version detection
  • Only web ports
  • HTTP vulnerability scripts
  • Polite timing
  • Fragmented packets
  • Random data padding

Expected Output:

PORT    STATE SERVICE VERSION
80/tcp  open  http    Apache httpd 2.4.29
| http-vuln-cve2017-5638: 
|   VULNERABLE:
|   Apache Struts2 S2-045 RCE
|_    State: VULNERABLE
443/tcp open  ssl/http Apache httpd 2.4.29
| ssl-poodle: 
|   VULNERABLE:
|_  SSL POODLE information leak
 
Nmap done: 1 IP address (1 host up) scanned in 145.67 seconds

Practical Examples

Web Server Assessment

Command:

nmap -p 80,443,8080,8443 -sV --script=http-enum,http-headers,http-methods,ssl-cert 192.168.1.1

What it does: Comprehensive web server analysis.

Expected Output:

PORT     STATE SERVICE VERSION
80/tcp   open  http    nginx 1.18.0
| http-enum: 
|   /admin/: Possible admin folder
|   /backup/: Backup folder
|_  /wp-login.php: Wordpress login page
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
443/tcp  open  ssl/http nginx 1.18.0
| ssl-cert: Subject: commonName=*.example.com
| Issuer: commonName=Let's Encrypt
|_Not valid after:  2024-06-15T23:59:59
8080/tcp open  http    Apache Tomcat 9.0.45
 
Nmap done: 1 IP address (1 host up) scanned in 23.45 seconds

Database Server Scan

Command:

nmap -p 3306,5432,1433,27017 -sV --script='*-brute' 192.168.1.1

What it does: Scans common database ports with version detection and runs every *-brute credential-guessing script against the services found. The pattern is quoted so the shell passes it to Nmap unexpanded.

Expected Output:

PORT      STATE SERVICE  VERSION
3306/tcp  open  mysql    MySQL 8.0.32
| mysql-brute: 
|   Accounts: 
|     root:password - Valid credentials
|   Statistics: 
|_    Performed 150 guesses in 8 seconds
5432/tcp  open  postgresql PostgreSQL 14.5
27017/tcp open  mongodb  MongoDB 5.0.14
 
Nmap done: 1 IP address (1 host up) scanned in 45.23 seconds

Finding Live Hosts on Large Network

Command:

sudo nmap -sn -PE -PP -PS21,22,23,25,80,113,443,31337 --source-port 53 10.0.0.0/8

What it does:

  • Ping sweep only
  • ICMP echo
  • ICMP timestamp
  • TCP SYN to multiple ports
  • Spoof source port 53

Expected Output:

Nmap scan report for 10.1.1.1
Host is up (0.010s latency).
Nmap scan report for 10.1.5.23
Host is up (0.015s latency).
...(continues for all live hosts)...
 
Nmap done: 16777216 IP addresses (2547 hosts up) scanned in 3600.45 seconds

SMB/Windows Share Enumeration

Command:

nmap -p 445 --script=smb-enum-shares,smb-enum-users,smb-os-discovery 192.168.1.1

What it does: Enumerates Windows shares, users, and OS information.

Expected Output:

PORT    STATE SERVICE
445/tcp open  microsoft-ds
| smb-enum-shares: 
|   account_used: guest
|   \\192.168.1.1\ADMIN$: 
|     Type: STYPE_DISKTREE_HIDDEN
|     Anonymous access: <none>
|   \\192.168.1.1\C$: 
|     Type: STYPE_DISKTREE_HIDDEN
|     Anonymous access: <none>
| smb-os-discovery: 
|   OS: Windows Server 2019 (Build 17763)
|   Computer name: WIN-SERVER01
|_  Domain name: example.local

IPv6 Scanning

Command:

nmap -6 2001:db8::1

What it does: Scans IPv6 address.

Expected Output:

Starting Nmap 7.94
Nmap scan report for 2001:db8::1
Host is up (0.0010s latency).
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
 
Nmap done: 1 IP address (1 host up) scanned in 0.56 seconds

Detect Heartbleed Vulnerability

Command:

nmap -p 443 --script=ssl-heartbleed 192.168.1.1

What it does: Tests for Heartbleed SSL vulnerability (CVE-2014-0160).

Expected Output:

PORT    STATE SERVICE
443/tcp open  https
| ssl-heartbleed: 
|   VULNERABLE:
|   The Heartbleed Bug is a serious vulnerability in OpenSSL
|     State: VULNERABLE
|     Risk factor: High
|     Description:
|       OpenSSL 1.0.1 through 1.0.1f contains a flaw that allows
|       remote attackers to read portions of memory.
|_    References:
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160

Scan Through Proxy

Command:

nmap --proxies socks4://proxy.example.com:1080 192.168.1.1

What it does: Routes scan traffic through a SOCKS4 proxy. Caveat: this option is still experimental in Nmap and is honored only by the socket layer used for NSE scripts and version detection; host discovery, the port scan itself and OS detection are not proxied and leave your host directly, so it provides no anonymity for the scan proper.

Expected Output:

Nmap scan report for 192.168.1.1
Host is up (0.150s latency).
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
 
Nmap done: 1 IP address (1 host up) scanned in 12.34 seconds

Continuous Monitoring

Command:

watch -n 300 'nmap -sn 192.168.1.0/24 | grep -B1 "Host is up"'

What it does: Runs a ping sweep every 5 minutes and shows only the live hosts. The -B1 keeps the "Nmap scan report for ..." line that precedes each "Host is up" line, so the addresses stay visible; a plain grep "Host is up" would print only the latency lines with no addresses.

Expected Output:

Every 300.0s: nmap -sn 192.168.1.0/24 | grep -B1 "Host is up"
 
Nmap scan report for 192.168.1.1
Host is up (0.0010s latency).
Nmap scan report for 192.168.1.5
Host is up (0.0012s latency).
Nmap scan report for 192.168.1.10
Host is up (0.0015s latency).
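What a periodic sweep is usually for is noticing change. The following added example (written for this guide, not from the original post or from Nmap) parses the grepable format from the Output Formats section and diffs two runs, reporting hosts and open ports that appeared or vanished. Both input files are constructed; in practice they would be the .gnmap files from two -oG or -oA runs. Nmap ships its own tool for this job, ndiff, which works on XML output.

```python
# Added example (not Nmap's own code, not from the original post): parse
# grepable output (-oG) and diff two runs. BASELINE and LATEST are
# constructed samples in the shape Nmap writes (tab-separated fields).
import re
from typing import Dict

BASELINE = """# Nmap 7.94 scan initiated (constructed sample)
Host: 192.168.1.1 ()\tStatus: Up
Host: 192.168.1.1 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///\tIgnored State: closed (998)
Host: 192.168.1.5 ()\tStatus: Up
Host: 192.168.1.5 ()\tPorts: 443/open/tcp//https///\tIgnored State: closed (999)
# Nmap done (constructed sample)
"""

LATEST = """# Nmap 7.94 scan initiated (constructed sample)
Host: 192.168.1.1 ()\tStatus: Up
Host: 192.168.1.1 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 3306/open/tcp//mysql///\tIgnored State: closed (997)
Host: 192.168.1.5 ()\tStatus: Up
Host: 192.168.1.5 ()\tPorts: 443/open/tcp//https///\tIgnored State: closed (999)
Host: 192.168.1.10 ()\tStatus: Up
Host: 192.168.1.10 ()\tPorts: 23/open/tcp//telnet///\tIgnored State: closed (999)
# Nmap done (constructed sample)
"""

HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)\s*(.*)$")
Scan = Dict[str, dict]   # address -> {"status": str, "ports": {(port, proto): (state, service)}}


def parse_gnmap(text: str) -> Scan:
    """Parse -oG text. Port entries are port/state/proto/owner/service/rpc/version/."""
    hosts: Scan = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue                       # comment lines start with '#'
        addr, _hostname, rest = m.groups()
        entry = hosts.setdefault(addr, {"status": "unknown", "ports": {}})
        # Fields are tab-separated in real -oG files; runs of two or more
        # spaces are accepted too, which is how tabs often survive copy/paste.
        for fld in re.split(r"\t| {2,}", rest):
            if fld.startswith("Status: "):
                entry["status"] = fld[len("Status: "):]
            elif fld.startswith("Ports: "):
                for item in fld[len("Ports: "):].split(", "):
                    port, state, proto, _owner, service = item.split("/")[:5]
                    entry["ports"][(int(port), proto)] = (state, service)
    return hosts


def diff_scans(old: Scan, new: Scan) -> Dict[str, list]:
    """Hosts and open ports that appeared or disappeared between two runs."""
    up_old = {a for a, h in old.items() if h["status"] == "Up"}
    up_new = {a for a, h in new.items() if h["status"] == "Up"}
    open_old = {(a, *k) for a, h in old.items() for k, (s, _) in h["ports"].items() if s == "open"}
    open_new = {(a, *k) for a, h in new.items() for k, (s, _) in h["ports"].items() if s == "open"}
    return {
        "new_hosts": sorted(up_new - up_old),
        "gone_hosts": sorted(up_old - up_new),
        "new_open_ports": sorted(open_new - open_old),
        "closed_ports": sorted(open_old - open_new),
    }


if __name__ == "__main__":
    report = diff_scans(parse_gnmap(BASELINE), parse_gnmap(LATEST))
    for key, items in report.items():
        print(f"{key}: {items if items else 'none'}")
```

On the constructed samples the diff reports one new host (192.168.1.10, exposing telnet) and one new open port on an existing host (3306/tcp on 192.168.1.1), which is exactly the kind of change a scheduled sweep exists to surface.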

Quick Reference Table

Flags used in this guide:

Flag                         Purpose
-sn                          Host discovery only (ping sweep), no port scan
-Pn                          Skip host discovery, treat every target as up
-PS<ports> / -PE / -PP       TCP SYN ping to the given ports / ICMP echo / ICMP timestamp
-PR                          ARP ping on the local network
-sS                          TCP SYN (half-open) scan; needs root
-sT                          TCP connect scan; no privileges needed
-sU                          UDP scan; needs root
-p <list|range> / -p-        Specific ports / all 65,535 TCP ports
-F / --top-ports <n>         100 most common ports / n most common ports
-sV / --version-intensity    Service and version detection / thoroughness 0-9 (default 7)
-O / --osscan-guess          OS detection / guess when uncertain
-T0 ... -T5                  Timing template, paranoid to insane (default -T3)
--min-rate / --max-rate      Lower and upper packets-per-second bounds
-f / --mtu <n>               Fragment probes (8-byte chunks / custom MTU, multiple of 8)
-D <decoys,ME> / -D RND:<n>  Decoy source addresses
--source-port <port>         Set the source port of probes
--data-length <n>            Append n random bytes to probes
--spoof-mac <0|vendor|MAC>   Spoof the source MAC address
-sC / --script=<list>        Default NSE scripts / named scripts or categories
--script-args <k=v,...>      Arguments for NSE scripts
--script-help=<pattern>      Describe matching scripts
-oN / -oX / -oG / -oA        Normal / XML / grepable / all output formats
-v / -vv / -d                Verbose / very verbose / debug output
-A                           -O, -sV, -sC and traceroute together
-6                           IPv6 target
--proxies <url,...>          Proxy chain (experimental; NSE and version scan only)
--randomize-hosts            Randomize target order

Common Port Numbers Reference

Ports appearing in this guide:

Port   Proto    Service
21     tcp      FTP
22     tcp      SSH
23     tcp      Telnet
25     tcp      SMTP
53     tcp/udp  DNS (domain)
67     udp      DHCP server (dhcps)
80     tcp      HTTP
110    tcp      POP3
123    udp      NTP
139    tcp      NetBIOS session (netbios-ssn)
161    udp      SNMP
443    tcp      HTTPS
445    tcp      SMB (microsoft-ds)
1433   tcp      Microsoft SQL Server
3306   tcp      MySQL
3389   tcp      RDP (ms-wbt-server)
5432   tcp      PostgreSQL
8080   tcp      HTTP alternate / proxy (http-proxy)
8443   tcp      HTTPS alternate
27017  tcp      MongoDB


Best Practices

Legal and Ethical Considerations

  • Always get written permission before scanning networks you don't own
  • Scanning without authorization is illegal in most jurisdictions
  • Even with permission, notify network administrators
  • Document your scanning activities and scope
  • Be aware of local laws and regulations

Performance Tips

  1. Start with host discovery before port scanning to save time
  2. Use -F for quick scans when doing initial reconnaissance
  3. Increase timing with -T4 on reliable networks
  4. Scan specific ports when you know what you're looking for
  5. Use --top-ports for faster comprehensive scans
  6. Save results regularly with -oA to avoid losing data

Stealth Considerations

  1. Use SYN scans (-sS) when possible for stealth
  2. Fragment packets (-f) to evade basic filters
  3. Add decoys (-D) to hide your source IP
  4. Slow down timing (-T0/-T1) to avoid detection
  5. Randomize scan order (--randomize-hosts) to avoid patterns
  6. Use proxies when additional anonymity is needed

Common Mistakes to Avoid

  • Don't scan all ports (-p-) unless necessary (very slow)
  • Don't use -T5 on unreliable networks (misses results)
  • Don't forget sudo for SYN scans, OS detection, etc.
  • Don't scan production systems during business hours
  • Don't ignore firewall rules that may block your scans
  • Don't forget to save your results with -oA

Troubleshooting

No Results / All Ports Filtered

Problem: Scan shows no open ports or all filtered

Solutions:

# Try skipping ping
nmap -Pn 192.168.1.1
 
# Try different scan type
nmap -sT 192.168.1.1
 
# Check if host is up with aggressive ping
sudo nmap -PE -PP -PS80,443 -PA3389 192.168.1.1

Scan Too Slow

Problem: Scan taking too long

Solutions:

# Increase timing
nmap -T4 192.168.1.1
 
# Scan fewer ports
nmap -F 192.168.1.1
 
# Use --top-ports
nmap --top-ports 100 192.168.1.1
 
# Set minimum rate
nmap --min-rate 1000 192.168.1.1

Permission Denied Errors

Problem: "You do not have permission to perform this scan type"

Solutions:

# Use sudo for privileged scans
sudo nmap -sS 192.168.1.1
 
# Or use unprivileged TCP connect scan
nmap -sT 192.168.1.1

Host Seems Down

Problem: "Host seems down" but you know it's online

Solutions:

# Skip host discovery
nmap -Pn 192.168.1.1
 
# Try ARP ping (local network)
sudo nmap -PR 192.168.1.1
 
# Aggressive host discovery
sudo nmap -PE -PP -PS21,22,23,25,80,443 192.168.1.1

Additional Resources

Official Documentation:


Last Updated: February 2026

This guide is for educational and authorized security testing purposes only. Always obtain proper authorization before scanning any network.