Linux / Unix nmap command


About nmap

Short for network mapper, nmap is a network exploration tool and security /
port scanner.

Syntax

nmap [Scan Type(s)] [Options] {target specification}

TARGET SPECIFICATION:

-iL                                    Input from list of hosts/networks
-iR                                    Choose random targets
--exclude <host1[,host2][,host3],...>  Exclude hosts/networks
--excludefile <exclude_file>           Exclude list from file

HOST DISCOVERY:

-sL                                 List Scan - list targets to scan
-sP                                 Ping Scan - go no further than determining if host is online
-P0                                 Treat all hosts as online -- skip host discovery
-PS/PA/PU [portlist]                TCP SYN/ACK or UDP discovery to given ports
-PE/PP/PM                           ICMP echo, timestamp, and netmask request discovery probes
-n/-R                               Never do DNS resolution/Always resolve [default: sometimes]
--dns-servers <serv1[,serv2],...>   Specify custom DNS servers
--system-dns                        Use OS's DNS resolver

SCAN TECHNIQUES:

-sS/sT/sA/sW/sM                  TCP SYN/Connect()/ACK/Window/Maimon scans
-sN/sF/sX                        TCP Null, FIN, and Xmas scans
--scanflags <flags>              Customize TCP scan flags
-sI <zombie host[:probeport]>    Idlescan
-sO                              IP protocol scan
-b <ftp relay host>              FTP bounce scan

PORT SPECIFICATION AND SCAN ORDER:

-p <port ranges>   Only scan specified ports
                   Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080
-F                 Fast - Scan only the ports listed in the nmap-services file
-r                 Scan ports consecutively - don't randomize

SERVICE/VERSION DETECTION:

-sV                           Probe open ports to determine service/version info
--version-intensity <level>   Set from 0 (light) to 9 (try all probes)
--version-light               Limit to most likely probes (intensity 2)
--version-all                 Try every single probe (intensity 9)
--version-trace               Show detailed version scan activity (for debugging)

OS DETECTION:

-O Enable OS detection
--osscan-limit Limit OS detection to promising targets
--osscan-guess Guess OS more aggressively

TIMING AND PERFORMANCE:

Options which take <time> are in milliseconds, unless you append 's' (seconds), 'm'
(minutes), or 'h' (hours) to the value (e.g. 30m).

-T[0-5]                                                       Set timing template (higher is faster)
--min-hostgroup/max-hostgroup <size>                          Parallel host scan group sizes
--min-parallelism/max-parallelism <time>                      Probe parallelization
--min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time>  Specifies probe round trip time.
--max-retries <tries>                                         Caps number of port scan probe retransmissions.
--host-timeout <time>                                         Give up on target after this long
--scan-delay/--max-scan-delay <time>                          Adjust delay between probes

FIREWALL/IDS EVASION AND SPOOFING:

-f; --mtu <val>                              Fragment packets (optionally w/given MTU)
-D <decoy1,decoy2[,ME],...>                  Cloak a scan with decoys
-S <IP_Address>                              Spoof source address
-e <iface>                                   Use specified interface
-g/--source-port <portnum>                   Use given port number
--data-length <num>                          Append random data to sent packets
--ttl <val>                                  Set IP time-to-live field
--spoof-mac <mac address/prefix/vendor name> Spoof your MAC address
--badsum                                     Send packets with a bogus TCP/UDP checksum

OUTPUT:

-oN/-oX/-oS/-oG <file>    Output scan in normal, XML, s|<rIpt kIddi3, and Grepable format, respectively, to the given filename.
-oA <basename>            Output in the three major formats at once
-v                        Increase verbosity level (use twice for more effect)
-d[level]                 Set or increase debugging level (Up to 9 is meaningful)
--packet-trace            Show all packets sent and received
--iflist                  Print host interfaces and routes (for debugging)
--log-errors              Log errors/warnings to the normal-format output file
--append-output           Append to rather than clobber specified output files
--resume <filename>       Resume an aborted scan
--stylesheet <path/URL>   XSL stylesheet to transform XML output to HTML
--webxml                  Reference stylesheet from Insecure.Org for more portable XML
--no-stylesheet           Prevent associating of XSL stylesheet w/XML output

MISC:

-6                    Enable IPv6 scanning
-A                    Enables OS detection and Version detection
--datadir <dirname>   Specify custom Nmap data file location
--send-eth/--send-ip  Send using raw ethernet frames or IP packets
--privileged          Assume that the user is fully privileged
-V                    Print version number

Examples

nmap -P0 204.228.150.3

Running the above port scan against the Computer Hope IP address gives
output similar to the example below. Note that the option in the above
command is -P0 (the digit zero), not the letter O.

Interesting ports on www.computerhope.com (204.228.150.3):
Not shown: 1019 filtered ports, 657 closed ports
PORT     STATE  SERVICE
21/tcp   open   ftp
80/tcp   open   http
113/tcp  open   auth
443/tcp  open   https
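
The following is an added example, not part of the original page or of nmap itself: a small Python parser for the normal-format output shown above that reports open ports missing from a per-host allowlist, which is how such a scan of your own hosts is typically turned into an exposure check. The function names and the ALLOWED policy are assumptions made for illustration.

```python
import re

# Constructed sample: the output block above, one record per line.
SAMPLE = """\
Interesting ports on www.computerhope.com (204.228.150.3):
Not shown: 1019 filtered ports, 657 closed ports
PORT STATE SERVICE
21/tcp open ftp
80/tcp open http
113/tcp open auth
443/tcp open https
"""

HOST_RE = re.compile(r"^Interesting ports on (?:(\S+) \()?([0-9A-Fa-f.:]+)\)?:$")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")
HIDDEN_RE = re.compile(r"(\d+) (\w+) ports?")

def parse_normal_output(text):
    """Return {ip: {"name", "open": {(port, proto): service}, "hidden": {state: n}}}."""
    hosts, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = HOST_RE.match(line)
        if m:
            current = {"name": m.group(1), "open": {}, "hidden": {}}
            hosts[m.group(2)] = current
        elif current is None:
            continue  # ignore banner lines before the first host header
        elif line.startswith("Not shown:"):
            for count, state in HIDDEN_RE.findall(line):
                current["hidden"][state] = int(count)
        else:
            m = PORT_RE.match(line)
            if m and m.group(3) == "open":
                current["open"][(int(m.group(1)), m.group(2))] = m.group(4)
    return hosts

def unexpected_open(hosts, allowed):
    """Open ports not in the host's allowlist; unknown hosts allow nothing."""
    return [(ip, port, proto, svc)
            for ip, info in sorted(hosts.items())
            for (port, proto), svc in sorted(info["open"].items())
            if (port, proto) not in allowed.get(ip, set())]

# Hypothetical policy: this web server should expose only HTTP and HTTPS.
ALLOWED = {"204.228.150.3": {(80, "tcp"), (443, "tcp")}}

if __name__ == "__main__":
    print(unexpected_open(parse_normal_output(SAMPLE), ALLOWED))
```

For scheduled checks, the -oX or -oG output formats listed under OUTPUT are more stable to parse than the normal format.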

Related commands

nice

© 2011 Computer Hope

