Welcome to the NMAP Guide

Your complete all-in-one reference for network scanning, from your first command to advanced techniques.

Legal Notice: Only scan networks and systems you own or have explicit written permission to scan. Unauthorized scanning may be illegal and violates most terms of service. This guide is for educational and authorized security testing only.

At a glance: 65,535 total ports, 600+ NSE scripts, 10+ scan types, 6 tutorials.

What is nmap?

Network Mapper (nmap) is a free, open-source tool for network exploration and security auditing, created by Gordon Lyon in 1997. It is one of the most widely used network tools in the world, used by sysadmins, penetration testers, and security researchers alike.

Nmap works by sending specially crafted packets to target hosts and analyzing the responses to find open ports, running services, OS fingerprints, and more.

What can nmap do?

πŸ” Host Discovery

Find which devices are live on a network without port scanning.

πŸšͺ Port Scanning

Identify open, closed, or firewalled ports on a target.

πŸ”§ Service Detection

Find exact software name and version on each open port.

πŸ’» OS Fingerprinting

Guess the OS of a remote host from network responses.

πŸ“œ Script Automation

Run 600+ scripts for vuln detection, banners, and more.

πŸ—Ί Network Mapping

Map topology using traceroute and host data.

Basic Syntax

The general format for every nmap command:

nmap [scan type] [options] {target}

Quick examples:

nmap 192.168.1.1
nmap -sV -p 80,443 192.168.1.1
nmap scanme.nmap.org

scanme.nmap.org is Nmap's official legal test server and is always safe to scan.

Installation

Linux (Debian/Ubuntu)

sudo apt-get install nmap

Linux (RHEL/Fedora)

sudo dnf install nmap

(Use yum in place of dnf on older releases.)

macOS (Homebrew)

brew install nmap

Windows

Download from nmap.org/download.html; the installer includes the Zenmap GUI app.

Verify installation

nmap --version

Recommended Learning Path

1. Start with Tutorials: step-by-step beginner walkthroughs.
2. Bookmark the Cheat Sheet: quick reference for every flag.
3. Use the Command Builder: build commands visually, no memorization.
4. Read the Glossary: understand all terms and flags.
5. Study the Output Guide: learn to interpret scan results.

Command Builder

Configure options visually and get the exact nmap command to run.

Note: Options marked ROOT require running with sudo on Linux/macOS, or as Administrator on Windows.


Tip: Combine -sV -sC -O for a thorough scan. Use -T4 on fast local networks.

Cheat Sheet

Quick reference for all nmap flags and options.

Target Specification

Command                                    Description
nmap 192.168.1.1                           Scan a single IP address
nmap 192.168.1.1-254                       Scan an IP range
nmap 192.168.1.0/24                        Scan a subnet (CIDR notation)
nmap scanme.nmap.org                       Scan a hostname
nmap -iL targets.txt                       Read targets from a file (one per line)
nmap 192.168.1.0/24 --exclude 192.168.1.1  Exclude a host from the scan
nmap -6 ::1                                IPv6 scanning

Scan Techniques

Flag  Name                        Notes
-sS   SYN / Stealth Scan          ROOT. Fast, stealthy, most popular
-sT   TCP Connect Scan            No root needed, more detectable
-sU   UDP Scan                    ROOT. Slow, finds UDP services
-sA   ACK Scan                    ROOT. Maps firewall rules, not open ports
-sN   NULL Scan                   ROOT. Stealthy, no TCP flags set
-sF   FIN Scan                    ROOT. Stealthy, FIN flag only
-sX   Xmas Scan                   ROOT. Stealthy, FIN+PSH+URG flags
-sn   Ping Scan (host discovery)  No port scan, just finds live hosts
-Pn   Skip host discovery         Treats all hosts as up
-PR   ARP Ping                    Local network only, very reliable
-PE   ICMP Echo Ping              Explicit ICMP echo request, the classic "ping"
-PS   TCP SYN Ping                Sends SYN to port 80 to find hosts when ICMP is blocked
-PU   UDP Ping                    Sends a UDP probe to find hosts; useful when TCP/ICMP are filtered

Port Specification

Flag             Description
-p 22            Scan port 22 only
-p 22,80,443     Scan specific ports
-p 1-1000        Scan a port range
-p-              Scan all 65,535 ports
-F               Fast: top 100 most common ports
--top-ports 100  Top N most common ports
-p U:53,T:80     Specify UDP or TCP per port

Detection & Fingerprinting

Flag                     Description
-sV                      Service and version detection
--version-intensity 0-9  Version probe intensity (0 = light, 9 = max)
-O                       OS detection (requires root)
--osscan-guess           Guess OS aggressively when uncertain
-A                       Aggressive: enables -O, -sV, -sC, --traceroute
--traceroute             Trace the hop path from host to target

NSE Scripting Engine

Command                     Description
-sC                         Run default scripts (same as --script=default)
--script=vuln               Vulnerability detection scripts
--script=auth               Authentication bypass and default credentials
--script=banner             Grab service banners
--script=discovery          Network discovery scripts
--script=safe               Non-intrusive scripts only
--script=http-title         Get HTTP page titles from web servers
--script=ssl-cert           Retrieve SSL/TLS certificate details
--script=ftp-anon           Check for anonymous FTP access
--script=smb-vuln-ms17-010  Check for the EternalBlue vulnerability
--script-help <name>        Get docs for a specific script

Timing Templates

Flag  Name        Use When
-T0   Paranoid    IDS evasion, extremely slow
-T1   Sneaky      Slow and evasive
-T2   Polite      Minimal bandwidth usage
-T3   Normal      Default, good balance
-T4   Aggressive  Best on fast local networks
-T5   Insane      Fastest, may miss ports

Output Options

Flag                Description
-v / -vv            Verbose / very verbose output
-oN file.txt        Save to a human-readable text file
-oX file.xml        Save to XML (Metasploit-compatible)
-oG file.gnmap      Save in grepable format
-oA basename        Save all three formats at once
--open              Only show open ports in output
--reason            Show the reason for each port's state
--packet-trace      Show all packets sent and received
-n                  No DNS resolution (speeds up scans)
--resume file.nmap  Resume an interrupted scan (requires normal or grepable output, not XML)

Firewall / IDS Evasion

Flag               Description
-f                 Fragment packets into 8-byte chunks
--mtu 24           Custom MTU size (multiple of 8)
-D RND:10          Use 10 random decoy IPs to mask the scan
-S 1.2.3.4         Spoof source IP address (ROOT)
--source-port 53   Spoof source port (DNS is often allowed)
--data-length 25   Append random data to packets
--randomize-hosts  Scan targets in random order
--badsum           Send packets with bad checksums

Common Example Commands

Command                                     Use Case
nmap -sn 192.168.1.0/24                     Find all live hosts on the LAN
nmap -sV 192.168.1.1                        Detect services and versions
sudo nmap -A -T4 192.168.1.1                Full aggressive scan + OS detection
nmap -p- -T4 192.168.1.1                    Scan all 65,535 ports
nmap --script=vuln 192.168.1.1              Vulnerability scan
sudo nmap -sU -p 53,161,123 192.168.1.1     UDP scan of DNS, SNMP, NTP (UDP scan needs root)
sudo nmap -sS -O -T4 192.168.1.0/24         Stealth scan + OS detection on a subnet
nmap -oA results 192.168.1.1                Scan and save all output formats
nmap -v --reason --open 192.168.1.0/24      Verbose, open ports with reasons

Tutorials

Hands-on beginner-friendly walkthroughs.

Tutorial 1: Your Very First Nmap Scan

Start here. Run nmap for the first time and understand the output.

Step 1. Open your terminal

Linux/macOS: open Terminal. Windows: open Command Prompt or PowerShell as Administrator.

Step 2. Verify nmap is installed

nmap --version

Should show: Nmap 7.x ( https://nmap.org )

Step 3. Scan the official test server

nmap scanme.nmap.org

Step 4. Read the output

Starting Nmap 7.93 at 2024-01-15 10:23 EST
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.12s latency).
Not shown: 996 closed tcp ports (reset)
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
31337/tcp open  Elite
Nmap done: 1 IP address (1 host up) scanned in 3.42 seconds

This tells you that the host is alive, which 3 ports are open, and what service runs on each.

Step 5. Scan yourself (always safe)

nmap 127.0.0.1

Done! You ran your first nmap scan. Continue to Tutorial 2 to scan a whole network.
Tutorial 2: Scanning a Network Range

Find all live hosts on your local network using different targeting methods.

Step 1. Find your network IP range

Linux/macOS: ip addr or ifconfig. Windows: ipconfig. Look for your IP, like 192.168.1.x; your subnet is usually 192.168.1.0/24.

Step 2. Ping sweep: find live hosts without port scanning

nmap -sn 192.168.1.0/24

The -sn flag skips port scanning entirely and just checks which hosts are alive.

Step 3. Scan an IP range

nmap 192.168.1.1-50

Step 4. Scan from a target file

Put IPs in targets.txt (one per line):

nmap -iL targets.txt
Tutorial 3: Detecting Services and Versions

Find out exactly what software is running on each open port.

Step 1. Run a service version scan

nmap -sV 192.168.1.1

Step 2. Example output with -sV

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.9p1 Ubuntu
80/tcp   open  http    Apache httpd 2.4.54
3306/tcp open  mysql   MySQL 8.0.32

Now you know exact software versions, which is critical for identifying vulnerabilities.

Step 3. Combine with specific ports

nmap -sV -p 80,443,8080,8443 192.168.1.1

Step 4. Control version detection intensity

0 = light/fast, 9 = maximum/thorough but slow:

nmap -sV --version-intensity 9 192.168.1.1
Tutorial 4: OS Detection

Discover what operating system is running on a remote host.

Step 1. Run OS detection (requires root/sudo)

sudo nmap -O 192.168.1.1

Step 2. If the OS can't be determined, try --osscan-guess

sudo nmap -O --osscan-guess 192.168.1.1

Step 3. Use -A for everything at once

Combines OS detection, version detection, default scripts, and traceroute:

sudo nmap -A -T4 192.168.1.1
Tutorial 5: Using NSE Scripts

Automate advanced tasks with nmap's 600+ built-in scripting library.

Step 1. What is NSE?

The Nmap Scripting Engine runs Lua scripts against targets. 600+ scripts are included for banner grabbing, vulnerability detection, auth testing, and more.

Step 2. Run default scripts with -sC

nmap -sC 192.168.1.1

Step 3. Run scripts by category or by name

nmap --script=vuln 192.168.1.1
nmap --script=http-title -p 80,443,8080 192.168.1.1

Step 4. The power combo: -sV + -sC

nmap -sV -sC 192.168.1.1
Tutorial 6: Saving Scan Results

Save output in various formats for documentation and future analysis.

Step 1. Save to a plain text file

nmap -oN scan.txt 192.168.1.1

Step 2. Save as XML (for Metasploit etc.)

nmap -oX scan.xml 192.168.1.1

Step 3. Save all formats at once (best practice)

nmap -oA scan_results 192.168.1.1

Step 4. Resume an interrupted scan

nmap --resume scan_results.nmap

Note: --resume requires a normal (-oN) or grepable (-oG) output file, not XML.

Glossary

Definitions for every nmap flag, networking term, and security concept.

Output Guide

Learn what every line of nmap output means.

Standard Scan Output, Annotated

Starting Nmap 7.93 at 2024-01-15 10:23 EST          ← [1] Header
Nmap scan report for 192.168.1.1                     ← [2] Target
Host is up (0.0012s latency).                        ← [3] Host alive + ping time
Not shown: 990 closed tcp ports (reset)              ← [4] Hidden ports
PORT   STATE    SERVICE VERSION
22/tcp open     ssh     OpenSSH 8.9p1                ← [5] Open port
23/tcp filtered telnet                               ← [6] Filtered by firewall
25/tcp closed   smtp                                 ← [7] Closed port
80/tcp open     http    Apache httpd 2.4.54
MAC Address: AA:BB:CC:DD:EE:FF (Vendor)              ← [8] LAN only
OS details: Linux 5.4 - 5.15                         ← [9] OS fingerprint (-O)
Nmap done: 1 IP scanned in 12.43 seconds             ← [10] Summary

[1] Header: Nmap version and scan start timestamp. Essential for logging.
[2] Report for: The target being reported. Each host gets its own block.
[3] Host is up: The target responded to probes, so it's online. Latency shows round-trip time.
[4] Not shown: 990 ports are closed and hidden to keep output readable. Only interesting states are shown.
[5] open: An application is accepting connections. SERVICE is nmap's guess from the port number; VERSION (with -sV) is the actual detected version.
[6] filtered: A firewall is blocking probe packets. Nmap can't tell if anything is listening.
[7] closed: Port is reachable but nothing is listening. Target replied with TCP RST (reset).
[8] MAC Address: Hardware address of the network card, only visible on the local LAN. The first 3 pairs identify the vendor/manufacturer.
[9] OS details: OS guess via TCP/IP fingerprinting. Only shown with the -O or -A flag.
[10] Summary: Total hosts scanned, how many were up, and total time taken.

Port States Explained

● open
An application is actively accepting connections. This is what you're looking for.
● closed
Reachable but nothing is listening. Responded with TCP RST. Useful for OS detection.
● filtered
A firewall is dropping probe packets. Nmap cannot determine if it's open or closed.
● unfiltered
Reachable but open/closed state undetermined. Only seen with ACK scan (-sA).
● open|filtered
Can't distinguish between open or filtered. Common with UDP, NULL, FIN, Xmas scans.
● closed|filtered
Can't distinguish closed from filtered. Seen only with IP ID Idle scan.

Common Ports Quick Reference

Port   Protocol  Service     What It Is
21     TCP       FTP         File Transfer Protocol
22     TCP       SSH         Encrypted remote terminal access
23     TCP       Telnet      Unencrypted remote access (insecure, legacy)
25     TCP       SMTP        Email sending
53     TCP/UDP   DNS         Domain name resolution
80     TCP       HTTP        Unencrypted web traffic
443    TCP       HTTPS       Encrypted web traffic
445    TCP       SMB         Windows file sharing
3306   TCP       MySQL       MySQL database
3389   TCP       RDP         Windows Remote Desktop
5432   TCP       PostgreSQL  PostgreSQL database
8080   TCP       HTTP-Alt    Alternative web / proxy port
27017  TCP       MongoDB     MongoDB database

Flashcards

Study nmap flags, scan types, port states, and networking concepts. Click a card to flip it.


Bookmarks

Your saved commands, stored in your browser's local storage (offline, private).

My Notes

Personal notes, auto-saved to your browser's local storage.

Notes only exist in this browser; copy them somewhere safe if you need to transfer them.