LinuxCommandLibrary

nmap

Scan network for open ports and services

TLDR

Scan the top 1000 ports of a remote host with various [v]erbosity levels
$ nmap -v[1|2|3] [ip_or_hostname]

Run a ping sweep over an entire subnet or individual hosts very aggressively
$ nmap -T5 -sn [192.168.0.0/24|ip_or_hostname1,ip_or_hostname2,...]

Enable OS detection, version detection, script scanning, and traceroute of hosts from a file
$ sudo nmap -A -iL [path/to/file.txt]

Scan a specific list of ports (use -p- for all ports from 1 to 65535)
$ nmap -p [port1,port2,...] [ip_or_host1,ip_or_host2,...]

Perform service and version detection of the top 1000 ports using default NSE scripts, writing results (-oA) to output files
$ nmap -sC -sV -oA [top-1000-ports] [ip_or_host1,ip_or_host2,...]

Scan target(s) carefully using default and safe NSE scripts
$ nmap --script "default and safe" [ip_or_host1,ip_or_host2,...]

Scan for web servers running on standard ports 80 and 443 using all available http-* NSE scripts
$ nmap --script "http-*" [ip_or_host1,ip_or_host2,...] -p 80,443

Attempt evading IDS/IPS detection by using an extremely slow scan (-T0), decoy source addresses (-D), [f]ragmented packets, random data and other methods
$ sudo nmap -T0 -D [decoy_ip1,decoy_ip2,...] --source-port [53] -f --data-length [16] -Pn [ip_or_host]

SYNOPSIS

nmap [Scan Type(s)] [Options] {target specification}

Examples of Target Specification:
192.168.1.1 (single IP)
scanme.nmap.org (hostname)
192.168.1.0/24 (CIDR notation)
192.168.1.1-254 (range)
192.168.1.* (wildcard)

PARAMETERS

-sS
    SYN scan (stealth scan): The default and most popular scan option when Nmap has raw-packet privileges (without them it falls back to -sT). It is fast, and because it never completes the TCP handshake it is less likely to be logged by firewalls and applications that only record completed connections.

-sT
    TCP connect scan: Establishes a full TCP connection. Slower and more easily detected than SYN scan, but doesn't require root privileges.

-sU
    UDP scan: Used to find open UDP ports. Slower than TCP scans due to the connectionless nature of UDP.

-sV
    Version detection: Determines the service and version number of applications listening on open ports.

-O
    OS detection: Attempts to determine the operating system and device type of the target host.

-sC
    Default script scan: Runs a set of common and safe Nmap Scripting Engine (NSE) scripts.

-sn
    Ping scan (host discovery only): Disables port scanning and only performs host discovery. Useful for quickly listing live hosts on a network. (Previously -sP)

-Pn
    No ping (treat all hosts as online): Skips the host discovery phase. Nmap assumes all target hosts are online and attempts to scan them. (Previously -P0 and -PN)

-p <port_range>
    Port specification: Specifies which ports to scan (e.g., -p 80,443, -p 1-1024, -p- for all ports).

-T<0-5>
    Timing template: Sets the aggression level (0=paranoid, 1=sneaky, 2=polite, 3=normal, 4=aggressive, 5=insane). Default is 3.

-iL <inputfile>
    Input list from file: Reads target specifications from a file, with each target on a new line.

-oN <outputfile>
    Normal output: Writes scan results to the specified file in a human-readable format.

-oX <outputfile>
    XML output: Writes scan results to the specified file in XML format, suitable for programmatic parsing.

-v
    Increase verbosity: Increases the verbosity level to provide more details about the scan progress. Use -vv for even more information.

--script <script_name|category|directory>
    Nmap Scripting Engine: Runs specific Nmap scripts or categories of scripts (e.g., --script http-enum, --script default, --script vuln).

--help
    Displays a summary of Nmap options and usage.

DESCRIPTION

nmap (Network Mapper) is a free and open-source utility for network discovery and security auditing. It was designed to rapidly scan large networks, though it works fine against single hosts. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics.

It is commonly used by network administrators for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. Security auditors use it for vulnerability assessments and penetration testing. Nmap runs on all major operating systems and is highly flexible, supporting various scan types, evasion techniques, and a powerful scripting engine (NSE) for advanced detection and exploitation.
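The -oX output mentioned above is what makes the inventory and uptime-monitoring use cases practical. The following is an added example (not part of this page and not tooling shipped with Nmap) that parses a constructed sample in the element layout Nmap writes with -oX (host/status, host/address, host/ports/port/state, port/service), collects the open ports of each host that is up, and compares them against a hypothetical baseline inventory so that both unexpected listeners and expected services that have gone missing are reported. The addresses, versions and the baseline are constructed values.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Set, Tuple

# Constructed sample in Nmap's -oX layout (not real scan output).
# Host .11 exposes a MySQL listener that the baseline below does not expect,
# and host .10 lacks the HTTP service the baseline says should be there.
SAMPLE_XML = """
<nmaprun scanner="nmap" args="nmap -sV -oX - 192.168.1.10 192.168.1.11" version="7.94">
  <host>
    <status state="up" reason="syn-ack"/>
    <address addr="192.168.1.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="9.2p1"/></port>
      <port protocol="tcp" portid="443"><state state="open" reason="syn-ack"/>
        <service name="https" product="nginx" version="1.24.0"/></port>
    </ports>
  </host>
  <host>
    <status state="up" reason="echo-reply"/>
    <address addr="192.168.1.11" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="9.2p1"/></port>
      <port protocol="tcp" portid="3306"><state state="open" reason="syn-ack"/>
        <service name="mysql" product="MySQL" version="8.0.36"/></port>
      <port protocol="tcp" portid="8080"><state state="filtered" reason="no-response"/></port>
    </ports>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="192.168.1.12" addrtype="ipv4"/>
  </host>
</nmaprun>
"""

PortKey = Tuple[str, int]  # (protocol, port number)


def parse_open_ports(xml_text: str) -> Dict[str, Dict[PortKey, str]]:
    """Return {ipv4: {(proto, port): 'name product version'}} for open ports of hosts that are up.

    Hosts reported down and ports in any state other than "open" are skipped,
    so filtered ports never show up as findings.
    """
    root = ET.fromstring(xml_text)
    result: Dict[str, Dict[PortKey, str]] = {}
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr = next((a.get("addr") for a in host.findall("address")
                     if a.get("addrtype") == "ipv4"), None)
        if addr is None:
            continue
        ports: Dict[PortKey, str] = {}
        for port in host.findall("./ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            key: PortKey = (port.get("protocol", "tcp"), int(port.get("portid", "0")))
            svc = port.find("service")
            if svc is None:
                desc = "unknown"
            else:
                # Version detection (-sV) fills product/version; without it only the name is present.
                desc = " ".join(p for p in (svc.get("name"), svc.get("product"), svc.get("version")) if p)
            ports[key] = desc
        result[addr] = ports
    return result


# Hypothetical inventory of what each host is supposed to expose (constructed).
BASELINE: Dict[str, Set[PortKey]] = {
    "192.168.1.10": {("tcp", 22), ("tcp", 80), ("tcp", 443)},
    "192.168.1.11": {("tcp", 22)},
}


def unexpected_ports(scan: Dict[str, Dict[PortKey, str]],
                     baseline: Dict[str, Set[PortKey]]) -> List[Tuple[str, str, int, str]]:
    """Open ports the baseline does not list: new listeners worth investigating."""
    findings = []
    for ip, ports in scan.items():
        expected = baseline.get(ip, set())
        for key in sorted(ports):
            if key not in expected:
                findings.append((ip, key[0], key[1], ports[key]))
    return findings


def missing_ports(scan: Dict[str, Dict[PortKey, str]],
                  baseline: Dict[str, Set[PortKey]]) -> List[Tuple[str, str, int]]:
    """Baseline ports that are not open: a service (or whole host) that has gone away."""
    findings = []
    for ip in sorted(baseline):
        open_here = set(scan.get(ip, {}))
        for key in sorted(baseline[ip] - open_here):
            findings.append((ip, key[0], key[1]))
    return findings


if __name__ == "__main__":
    scan = parse_open_ports(SAMPLE_XML)
    for ip, ports in scan.items():
        print(ip, {f"{p}/{proto}": desc for (proto, p), desc in ports.items()})
    print("unexpected:", unexpected_ports(scan, BASELINE))
    print("missing:", missing_ports(scan, BASELINE))
```

To use this on real output, replace SAMPLE_XML with the contents of the file written by `-oX` (or `-oA`, which produces the same XML alongside the normal and grepable files) and keep the baseline under version control so a change in findings is reviewable.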

CAVEATS

nmap is a powerful tool capable of generating significant network traffic. Many of its advanced scanning capabilities, especially those involving raw packet manipulation (e.g., SYN scans, OS detection), require root privileges (or sudo) to execute. Using nmap without explicit permission from the target network owner is illegal and unethical in most jurisdictions and can lead to legal repercussions or being blocked by network security devices. Its output, especially OS and service version detection, should be taken as an educated guess and not an absolute fact, as some factors can lead to inaccuracies.

NMAP SCRIPTING ENGINE (NSE)

A powerful and flexible feature that allows users to write (and share) simple scripts to automate a wide variety of networking tasks. These scripts can perform vulnerability detection, backdoor detection, sophisticated discovery, and more. NSE greatly extends Nmap's capabilities beyond basic port scanning.

TARGET SPECIFICATION FLEXIBILITY

Nmap offers versatile ways to define target hosts, including individual IP addresses, hostnames, IP ranges (e.g., 192.168.1.1-254), CIDR notation (e.g., 192.168.1.0/24), and even wildcards (e.g., 192.168.1.*). This flexibility allows for efficient scanning of both small and large networks.
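Because a single spec such as 192.168.1.* can expand to hundreds of hosts, it is worth knowing exactly which addresses a spec denotes before a scan is launched. The following is an added example (not part of this page or of Nmap) that expands the target forms listed above into individual IPv4 addresses and then checks each expanded target against an authorised scope, so a scan request that strays outside the agreed networks is rejected up front. It goes slightly beyond the page's examples by allowing a range or wildcard in more than one octet, as Nmap also does. The scope network and hostnames are constructed values.

```python
import ipaddress
import itertools
from typing import List

# Hypothetical authorised scope (constructed for the example, not a real network).
AUTHORISED_SCOPE = [ipaddress.ip_network("192.168.1.0/24")]


def _octet_values(octet: str) -> range:
    """Map one octet of a spec ("5", "1-254" or "*") to the values it denotes."""
    if octet == "*":
        return range(0, 256)
    if "-" in octet:
        lo, hi = octet.split("-", 1)
        lo_i, hi_i = int(lo), int(hi)
    else:
        lo_i = hi_i = int(octet)
    if not 0 <= lo_i <= hi_i <= 255:
        raise ValueError(f"octet out of range: {octet}")
    return range(lo_i, hi_i + 1)


def expand_target(spec: str) -> List[str]:
    """Expand one target spec into individual IPv4 addresses.

    Handles a single IP, CIDR (192.168.1.0/24), an octet range (192.168.1.1-254)
    and a wildcard (192.168.1.*), in any combination of octets.
    Anything that is not dotted-decimal (e.g. scanme.nmap.org) is treated as a
    hostname and returned unchanged, since resolving it would need DNS.
    """
    if "/" in spec:
        # CIDR: iterate the whole block, including network and broadcast addresses,
        # which is what Nmap scans for a /24 as well.
        return [str(ip) for ip in ipaddress.ip_network(spec, strict=False)]
    octets = spec.split(".")
    if len(octets) != 4:
        return [spec]
    try:
        ranges = [_octet_values(o) for o in octets]
    except ValueError:
        return [spec]  # contains non-numeric parts: a hostname
    return [".".join(str(v) for v in combo) for combo in itertools.product(*ranges)]


def in_scope(spec: str, scope=AUTHORISED_SCOPE) -> bool:
    """True only if every address the spec expands to lies inside an authorised network.

    Hostnames are rejected because they cannot be checked without resolving them;
    resolve them first and pass the resulting addresses instead.
    """
    for addr in expand_target(spec):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            return False
        if not any(ip in net for net in scope):
            return False
    return True


if __name__ == "__main__":
    for spec in ("192.168.1.1", "192.168.1.0/24", "192.168.1.1-254",
                 "192.168.1.*", "192.168.2.5", "scanme.nmap.org"):
        hosts = expand_target(spec)
        print(f"{spec:18} -> {len(hosts):4} address(es), in scope: {in_scope(spec)}")
```

A practical pattern is to wrap the scan invocation so that `in_scope` is evaluated for every positional target and every line of an `-iL` file, and the command is only run when all of them pass.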

RESPONSIBLE USAGE

Due to its potent capabilities, nmap should only be used on networks where explicit permission has been granted. Unauthorized scanning can be considered a hostile act and may lead to legal issues or network blocks. Always ensure you have proper authorization before using nmap on any external or production network.

HISTORY

nmap was created by Gordon Lyon (who uses the pseudonym "Fyodor") and first released in September 1997 as a Linux magazine article. Initially developed for Linux, it was quickly ported to other systems including Windows, macOS, Solaris, and BSD variants. Its popularity grew rapidly within the information security community due to its power, flexibility, and the frequent inclusion of its features in popular media (like "The Matrix Reloaded"). Nmap has been continuously developed and maintained for over two decades, evolving from a simple port scanner into a comprehensive network reconnaissance suite with a modular scripting engine (NSE) that significantly extends its capabilities.

SEE ALSO

arp(8), netstat(8), ss(8), ping(8), traceroute(8)
