There are probably many places containing lists of useful nmap commands. I have found these two large lists quite useful:
- [1] Linux / UNIX: Scanning network for open ports with nmap command (NixCraft) – http://www.cyberciti.biz/tips/linux-scanning-network-for-open-ports.html
- [2] Nmap Cheat Sheet – http://nmapcookbook.blogspot.com/2010/02/nmap-cheat-sheet.html
Please use these sites directly, and this blog post only as a backup/blended copy.
Basic techniques
- Scan a Single Target:
# nmap [target]
- Scan Multiple Targets (separate them with spaces, not commas):
# nmap [target1] [target2] [target3]
- Scan a List of Targets from a File (one target per line):
# nmap -iL [list.txt]
- Scan a Range of Hosts (e.g. 192.168.0.1-50):
# nmap [range of ip addresses]
- Scan an Entire Subnet:
# nmap [ip address/cidr]
- Scan Random Hosts (picks random public addresses, which you are unlikely to be authorized to scan; use with care):
# nmap -iR [number]
- Exclude Targets from a Scan:
# nmap [targets] --exclude [targets]
- Exclude Targets Using a File:
# nmap [targets] --excludefile [list.txt]
- Perform an Aggressive Scan (enables OS detection, version detection, default script scanning and traceroute, i.e. -O -sV -sC --traceroute):
# nmap -A [target]
- Scan an IPv6 Target:
# nmap -6 [target]
Discovery Options
- Perform a Ping Only Scan (host discovery without a port scan; -sP is the old spelling, current nmap calls it -sn):
# nmap -sP [target]
- Do Not Ping (treat every target as up and port scan it anyway; -PN is the old spelling, current nmap calls it -Pn):
# nmap -PN [target]
- TCP SYN Ping (optionally to a port list, e.g. -PS22,80,443):
# nmap -PS [target]
- TCP ACK Ping:
# nmap -PA [target]
- UDP Ping:
# nmap -PU [target]
- SCTP INIT Ping:
# nmap -PY [target]
- ICMP Echo Ping:
# nmap -PE [target]
- ICMP Timestamp Ping:
# nmap -PP [target]
- ICMP Address Mask Ping:
# nmap -PM [target]
- IP Protocol Ping:
# nmap -PO [target]
- ARP Ping (the default, and the most reliable discovery method, on a local Ethernet segment):
# nmap -PR [target]
- Traceroute:
# nmap --traceroute [target]
- Force Reverse DNS Resolution (also for hosts that are down):
# nmap -R [target]
- Disable Reverse DNS Resolution (faster, and sends no DNS queries that reveal the scan):
# nmap -n [target]
- Alternative DNS Lookup (use the system resolver instead of nmap's own parallel resolver):
# nmap --system-dns [target]
- Manually Specify DNS Servers:
# nmap --dns-servers [servers] [target]
- Create a Host List (list scan: resolves names but sends no packets to the targets, useful to check a target specification before scanning):
# nmap -sL [targets]
Advanced Scanning Functions
- TCP SYN Scan (the default when run as root; half-open, the handshake is never completed, so the application usually does not log it):
# nmap -sS [target]
- TCP Connect Scan (the default for unprivileged users; completes the handshake, so the application sees and may log the connection):
# nmap -sT [target]
- UDP Scan (slow; closed ports are inferred from ICMP port-unreachable replies, silence is reported as open|filtered):
# nmap -sU [target]
- TCP NULL Scan:
# nmap -sN [target]
- TCP FIN Scan:
# nmap -sF [target]
- Xmas Scan:
# nmap -sX [target]
- TCP ACK Scan (does not find open ports; it maps which ports a stateful firewall filters):
# nmap -sA [target]
- Custom TCP Scan (any combination of TCP flags):
# nmap --scanflags [flags] [target]
- IP Protocol Scan (which IP protocols, not ports, the host answers):
# nmap -sO [target]
- Send Raw Ethernet Packets:
# nmap --send-eth [target]
- Send IP Packets:
# nmap --send-ip [target]
Examples from [1], run against localhost and against a whole /24:
- TCP connect scan:
# nmap -v -sT localhost
# nmap -v -sT 192.168.0.0/24
- TCP SYN (stealth) scan:
# nmap -v -sS localhost
# nmap -v -sS 192.168.0.0/24
- FIN scan:
# nmap -v -sF localhost
# nmap -v -sF 192.168.0.0/24
- Xmas tree scan:
# nmap -v -sX localhost
# nmap -v -sX 192.168.0.0/24
Useful to see whether the firewall is protecting against this kind of attack or not.
- Null scan:
# nmap -v -sN localhost
# nmap -v -sN 192.168.0.0/24
Useful to see whether the firewall is protecting against this kind of attack or not.
- Window scan (like an ACK scan, but on some systems the TCP window size tells open from closed ports):
# nmap -v -sW localhost
# nmap -v -sW 192.168.0.0/24
- RPC scan (in current nmap releases -sR is an alias for -sV, which does the RPC grinding as part of version detection):
# nmap -v -sR localhost
# nmap -v -sR 192.168.0.0/24
Useful to find out RPC (such as portmap) services.
- Remote OS detection:
# nmap -v -O localhost
# nmap -v -O 192.168.0.0/24
Useful to find out the remote operating system (for UDP ports use -sU, listed above).
- Version detection:
# nmap -v -sV localhost
# nmap -v -sV 192.168.0.0/24
You can also find out which software, and which version of it, is listening on the port.
Port Scanning Options
- Perform a Fast Scan (the 100 most common ports instead of the default 1000):
# nmap -F [target]
- Scan Specific Ports (e.g. -p 22,80,443 or -p 1-1024):
# nmap -p [port(s)] [target]
- Scan Ports by Name (names from nmap-services, e.g. -p ssh,http):
# nmap -p [port name(s)] [target]
- Scan Ports by Protocol:
# nmap -sU -sT -p U:[ports],T:[ports] [target]
- Scan All Named Ports (a wildcard over the service names in nmap-services, so quote it to stop the shell expanding it; for all 65535 ports use -p-):
# nmap -p "*" [target]
- Scan the Top N Most Common Ports:
# nmap --top-ports [number] [target]
- Scan Ports Sequentially (in numeric order instead of the default random order):
# nmap -r [target]
Version Detection
- Operating System Detection (needs raw packets, so run as root; works best when the host has at least one open and one closed TCP port):
# nmap -O [target]
- Submit TCP/IP Fingerprints (for an OS nmap could not identify): www.nmap.org/submit/
- Attempt to Guess an Unknown OS (report near matches too):
# nmap -O --osscan-guess [target]
- Service Version Detection (talks to each open port, so it is noisier than a bare port scan):
# nmap -sV [target]
- Troubleshoot Version Scans:
# nmap -sV --version-trace [target]
- Perform an RPC Scan (in current nmap releases -sR is an alias for -sV):
# nmap -sR [target]
Timing Options
- Timing Templates (0 paranoid, 1 sneaky, 2 polite, 3 normal, 4 aggressive, 5 insane; -T3 is the default, -T4 is usual on a reliable LAN):
# nmap -T[0-5] [target]
- Set the IP TTL of Sent Packets (a hop count, not a time):
# nmap --ttl [value] [target]
- Minimum Number of Parallel Operations:
# nmap --min-parallelism [number] [target]
- Maximum Number of Parallel Operations:
# nmap --max-parallelism [number] [target]
- Minimum Host Group Size:
# nmap --min-hostgroup [number] [targets]
- Maximum Host Group Size:
# nmap --max-hostgroup [number] [targets]
- Initial RTT Timeout (times take a unit suffix: ms, s, m or h, e.g. 500ms):
# nmap --initial-rtt-timeout [time] [target]
- Maximum RTT Timeout:
# nmap --max-rtt-timeout [time] [target]
- Maximum Retries (per port probe):
# nmap --max-retries [number] [target]
- Host Timeout (give up on a host after this long):
# nmap --host-timeout [time] [target]
- Minimum Scan Delay (wait at least this long between probes to one host):
# nmap --scan-delay [time] [target]
- Maximum Scan Delay:
# nmap --max-scan-delay [time] [target]
- Minimum Packet Rate (packets per second):
# nmap --min-rate [number] [target]
- Maximum Packet Rate:
# nmap --max-rate [number] [target]
- Defeat Reset Rate Limits:
# nmap --defeat-rst-ratelimit [target]
Firewall Evasion Techniques
- Fragment Packets (into 8-byte IP fragments; -ff uses 16 bytes):
# nmap -f [target]
- Specify a Specific MTU (must be a multiple of 8):
# nmap --mtu [MTU] [target]
- Use a Decoy (RND:[number] generates that many random decoy source addresses; add ME to the list to fix your own position in it):
# nmap -D RND:[number] [target]
- Idle Zombie Scan (the zombie must be idle and have a predictable IP ID sequence; the target sees only the zombie's address):
# nmap -sI [zombie] [target]
- Manually Specify a Source Port (e.g. 53 or 20, to pass naive firewall rules; -g is the short form):
# nmap --source-port [port] [target]
- Append Random Data (to each packet, to change its size):
# nmap --data-length [size] [target]
- Randomize Target Scan Order:
# nmap --randomize-hosts [target]
- Spoof MAC Address (0 picks a random MAC, a vendor name picks a random MAC with that vendor's prefix):
# nmap --spoof-mac [MAC|0|vendor] [target]
- Send Bad Checksums (a real host drops these, so any reply is likely from a firewall or IDS that did not verify the checksum):
# nmap --badsum [target]
Output Options
- Save Output to a Text File (normal output):
# nmap -oN [scan.txt] [target]
- Save Output to an XML File (the format ndiff and most other tooling consume):
# nmap -oX [scan.xml] [target]
- Grepable Output (one line per host):
# nmap -oG [scan.txt] [targets]
- Output All Supported File Types (writes .nmap, .xml and .gnmap with the given base name):
# nmap -oA [path/filename] [target]
- Periodically Display Statistics:
# nmap --stats-every [time] [target]
- 133t Output (script kiddie format; a joke, not for real use):
# nmap -oS [scan.txt] [target]
Troubleshooting and Debugging
- Getting Help:
# nmap -h
- Display Nmap Version:
# nmap -V
- Verbose Output (repeat for more, e.g. -vv):
# nmap -v [target]
- Debugging (-d1 to -d9 for increasing detail):
# nmap -d [target]
- Display Port State Reason (which reply, or lack of one, made nmap class the port as open, closed or filtered):
# nmap --reason [target]
- Only Display Open Ports:
# nmap --open [target]
- Trace Packets (print every packet sent and received):
# nmap --packet-trace [target]
- Display Host Networking (interfaces and routes nmap detected):
# nmap --iflist
- Specify a Network Interface:
# nmap -e [interface] [target]
Nmap Scripting Engine
- Execute Individual Scripts:
# nmap --script [script.nse] [target]
- Execute Multiple Scripts (a comma-separated list, or a boolean expression such as "default and not intrusive"):
# nmap --script [expression] [target]
- Script Categories: all, auth, default, discovery, external, intrusive, malware, safe, vuln (scripts in intrusive and vuln can crash or alter the target service; prefer safe on production systems unless the test is authorized)
- Execute Scripts by Category (-sC is the same as --script default):
# nmap --script [category] [target]
- Execute Multiple Script Categories:
# nmap --script [category1,category2,etc] [target]
- Troubleshoot Scripts:
# nmap --script [script] --script-trace [target]
- Update the Script Database (after adding scripts to the scripts directory):
# nmap --script-updatedb
Ndiff
- Comparison Using Ndiff (both inputs must be XML output, from -oX or -oA):
# ndiff [scan1.xml] [scan2.xml]
- Ndiff Verbose Mode (also lists hosts and ports that did not change):
# ndiff -v [scan1.xml] [scan2.xml]
- XML Output Mode:
# ndiff --xml [scan1.xml] [scan2.xml]
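As an added example (not code from either source list, nor from the nmap project), the following Python script reads -oX output from the Output Options section and reports which open ports appeared or disappeared between two scans, the core of what ndiff does, in a form you can fold into your own tooling. The two XML documents are constructed samples in nmap's XML format, trimmed of the scaninfo and timing elements; the element and attribute names it reads (host/status, host/address, port/state, port/service) are the ones nmap -oX writes.

```python
"""Parse nmap -oX output and diff the open ports of two scans (added example)."""
import xml.etree.ElementTree as ET

# Constructed sample: first scan of a small subnet, trimmed to the elements parsed here.
SCAN_BEFORE = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sV -oX before.xml 192.168.0.0/29">
  <host><status state="up" reason="arp-response"/>
    <address addr="192.168.0.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="8.9p1"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
        <service name="http" product="nginx"/></port>
      <port protocol="tcp" portid="443"><state state="closed" reason="reset"/></port>
    </ports>
  </host>
  <host><status state="up" reason="arp-response"/>
    <address addr="192.168.0.11" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="3306"><state state="filtered" reason="no-response"/></port>
    </ports>
  </host>
  <host><status state="down" reason="no-response"/>
    <address addr="192.168.0.12" addrtype="ipv4"/>
  </host>
</nmaprun>
"""

# Constructed sample: the same subnet rescanned later. 80/tcp on .10 was closed,
# 8080/tcp appeared there, and the MySQL port on .11 is now reachable.
SCAN_AFTER = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sV -oX after.xml 192.168.0.0/29">
  <host><status state="up" reason="arp-response"/>
    <address addr="192.168.0.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="8.9p1"/></port>
      <port protocol="tcp" portid="80"><state state="closed" reason="reset"/></port>
      <port protocol="tcp" portid="8080"><state state="open" reason="syn-ack"/>
        <service name="http-proxy"/></port>
    </ports>
  </host>
  <host><status state="up" reason="arp-response"/>
    <address addr="192.168.0.11" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="3306"><state state="open" reason="syn-ack"/>
        <service name="mysql" product="MySQL"/></port>
    </ports>
  </host>
  <host><status state="down" reason="no-response"/>
    <address addr="192.168.0.12" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


def open_ports(xml_text):
    """Map each host that was up to its open ports: {ip: {(proto, port): service_name}}.

    Hosts reported down are skipped, as is every port state other than "open"
    (closed, filtered, open|filtered), so a port that merely moved from closed
    to filtered is not reported as a change.
    """
    hosts = {}
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        # Prefer the IPv4 address; a -6 scan carries addrtype="ipv6" instead.
        # Elements with no children are falsy, so test against None explicitly.
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            addr = host.find("address")
        ports = {}
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            service = port.find("service")
            name = service.get("name", "") if service is not None else ""
            ports[(port.get("protocol"), int(port.get("portid")))] = name
        hosts[addr.get("addr")] = ports
    return hosts


def diff_scans(before_xml, after_xml):
    """Return (appeared, disappeared): sorted lists of (ip, proto, port, service)."""
    before, after = open_ports(before_xml), open_ports(after_xml)
    appeared, disappeared = [], []
    for ip in sorted(set(before) | set(after)):
        old, new = before.get(ip, {}), after.get(ip, {})
        for key in sorted(set(new) - set(old)):
            appeared.append((ip, key[0], key[1], new[key]))
        for key in sorted(set(old) - set(new)):
            disappeared.append((ip, key[0], key[1], old[key]))
    return appeared, disappeared


if __name__ == "__main__":
    appeared, disappeared = diff_scans(SCAN_BEFORE, SCAN_AFTER)
    for ip, proto, port, svc in appeared:
        print(f"+ {ip} {port}/{proto} {svc}")
    for ip, proto, port, svc in disappeared:
        print(f"- {ip} {port}/{proto} {svc}")
```

To use it on real output, replace the two constants with the contents of the files written by -oX or -oA. A host that is up in the first scan and down in the second drops out of the second dictionary, so all of its ports are listed as disappeared, which is usually what you want an alert on; ndiff additionally reports OS and service version changes, which this script ignores.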
See also: https://eikonal.wordpress.com/2010/01/29/vulnerability-assessment-tools/ on this blog.