nmap Syntax

This post summarizes common syntax and parameters used with command nmap.
To understand the meaning of each parameter, you may read about network discovery scanning techniques, as in “CISPP Study Guide 9th Edition”, pp. 732-733.

nmap Syntax Parameters

Those scans that start with -sx, means that they are stealth scans.

-sO (IP protocol scan): IP protocol scan allows you to determine which IP protocols (TCP, ICMP, IGMP, etc.) are supported by target machines. This isn’t technically a port scan, since it cycles through IP protocol numbers rather than TCP or UDP port numbers.

-sT (TCP connect scan): TCP connect scan is the default TCP scan type when SYN scan is not an option. This is the case when a user does not have raw packet privileges. Instead of writing raw packets as most other scan types do, Nmap asks the underlying operating system to establish a connection with the target machine and port by issuing the connect system call.

-sS (TCP SYN scan): Perform a TCP SYN connect scan. This just means that Nmap will send a TCP SYN packet just like any normal application would do. If the port is open, the application must reply with SYN/ACK; however, to prevent half-open connections Nmap will send an RST to tear down the connection again. SYN scan is the default scan option used for scanning thousands of ports per second on a fast network not hampered by restrictive firewalls.

-sU (UDP scans): UDP scan works by sending a UDP packet to every targeted port.

-sn (No port scan): This option tells Nmap not to do a port scan after host discovery and only print out the available hosts that responded to the host discovery probes. This is often called a ping sweep.

-sR Identify the RPC service running on the network.

-sX (Christmas/Xmas scan)

-sA (ARP scan). Attackers send an ACK probe packet with a random sequence number. No response means the port is filtered and an unfiltered response means the port is closed. Arp Ping tool is capable of sending ARP packets to a target IP address and finding the response time to the request sent, even if the device is hidden and doesn’t respond to regular ping. It can also search for multiple devices sharing the same IP address on your LAN.

-sI (Idle scan / Zombie scan). It requires to inform the IP of the zombie machine after -sI.

-sP (ping sweep): Check if a system is alive.

-sN (null scan)

-Pn (also known as No ping): Assume the host is up, thus skipping the host discovery phase.

-P0 (IP Protocol Ping): sends IP packets with the specified protocol number set in their IP header.

-O: enables operating system detection feature.

-A This options makes Nmap make an effort in identifying the target OS, services, and the versions. It also does traceroute and applies NSE scripts to detect additional information. The -O option turns on Nmap’s OS fingerprinting system. Used alongside the -v verbosity options, you can gain information about the remote operating system and about its TCP sequence number generation (useful for planning idle scans).


-D Generates a decoy to confuse about what is the real IP sending the packets.
nmap -D RND:10 [target]: Generates a random number of decoys

nmap -D decoy1,decoy2,decoy3,.. etc.: Manually specify the IP addresses of the decoys

-T3. Timing template “normal”

-T4. Timing template “aggresive”

-p: select a port. It requieres the port number as a parameter.

-f: filtered ports. (display only filtered ports?)

-mtu: define the maximum transmition unit (MTU) size of packets

-v: verbose, i.e., it add additional information on text.

-vv: greater verbose

–packet-trace: sends some packets to the intended machine and receives packets in response to the sent packets.

–scanflags (TCP Flag Scan)

-oN <filename>: Output normal
-oX <filename>: Output like XML
-oS <filename>: output scriptkiddie
-oG <filename>: output as grepable format


nmap Scripts


nmap -sU -p 161 –script=snmp-brute


nmap Scripting Engine (NSE)

nmap Scripting Engine is a nmap functionality that adds script capabilities for automated tasks. These scripts can be shared among users, in a similar way as libraries in software development.

Add –script as an nmap parameters followed by the name of the script to specify the script you want to run.

Chapter 9 of nmap documentation is dedicated to NSE.

More info on this external article.


nmap Syntax Examples

Identify the RPC service running on the network:

nmap -sR

Identify the RPC service running on the network:
nmap -T4 –A <target IP/network>

Scan every TCP port from a class C network that is blocking ICMP with fingerprinting and service detection:

nmap -PN -A -O -sS


Web Server Hacking

Discover virtual domains with hostmap

$nmap --script hostmap

Detect a vulnerable server that uses the TRACE method

nmap --script http-trace -p80 localhost

Harvest email accounts with http-google-email

$nmap --script http-google-email

Enumerate users with http-userdir-enum

nmap -p80 --script http-userdir -enum localhost


$nmap -p80 --script http-trace

Check if web server is protected by a WAF/IPS

$nmap -p80 --script http-waf-detect --script-args=”http-waf-detect.uri=/testphp.vulnweb.com/artists.php,http-waf-detect.detectBodyChanges” www.modsecurity.org

Enumerate common web applications
$nmap --script http-enum -p80

Obtain robots.txt
$nmap -p80 --script http-robots.txt

Additional Nmap commands used to extract information:
nmap sV –O –p target IP address
nmap -sV --script=http-enum target IP address
nmap target IP address -p 80 --script = http-frontpage-login
nmap --script http-passwd --script-args http-passwd.root =/ target IP address

can every TCP port from a class C network that is blocking ICMP with fingerprinting and service detection: It selects all ports.

nmap -P0 -A -O -p1-65535 192.168.0/24

Attackers use the following Nmap command to scan a particular IP address:

nmap -n -Pn -sS -pT:0-65535 -v -A -oX

To perform complete scan of the IoT device that checks for both TCP and UDP services and ports:

nmap -n -Pn -sSU -pT:0-65535,U:0-65535 -v -A -oX

To identify the IPv6 capabilities of a device:

nmap -6 -n -Pn -sSU -pT:0-65535,U:0-65535 -v -A -oX

A company has five different subnets:,,, and How can NMAP be used to scan these adjacent Class C networks?

nmap -P 192.168.1-5


Scanning Networks Labs

nmap -Pn -sS -A -oX Test


nmap -sT -T3 -A

Here -T switch is used to set the timing template and -A switch is used to enable OS detection, version detection, script scanning, and traceroute.

TCP Connect Scan is the most basic form of TCP scanning. The connect() system call provided by your operating system is used to open a connection to every interesting port on the machine. If the port is listening, connect() will succeed, otherwise the port isn’t reachable. One strong advantage to this technique is that you don’t need any special privileges.

nmap -sX -T4

nmap -sA -v -T4

nmap -Pn -p 80 -sI

Idle scan

External references

  • EC-Council; “CEH v10, module 2: Scanning Networks”
  • EC-Council; “CEH v10, module 13: Hacking web servers”, pp. 1349-1350
  • EC-Council; “CEH v10, module 17: IoT Hacking”, pp. 2048-2049
  • Red Hat; “Six practical uses of nmap
  • Mike Chapple et al.; “CISPP Study Guide 9th Edition”, pp. 732-737

One comment

Leave a Reply

Your email address will not be published. Required fields are marked *