Linux and Unix nmap command
Short for network mapper, nmap is a network exploration tool and security port scanner.
nmap [Scan Type(s)] [Options] {target specification}
TARGET SPECIFICATION:
| -iL | Input from list of hosts/networks |
| -iR | Choose random targets |
| --exclude <host1[,host2][,host3],...> | Exclude hosts/networks |
| --excludefile <exclude_file> | Exclude list from file |
HOST DISCOVERY:
| -sL | List Scan - list targets to scan |
| -sP | Ping Scan - go no further than determining if host is online |
| -P0 | Treat all hosts as online -- skip host discovery |
| -PS/PA/PU [portlist] | TCP SYN/ACK or UDP discovery to given ports |
| -PE/PP/PM | ICMP echo, timestamp, and netmask request discovery probes |
| -n/-R | Never do DNS resolution/Always resolve [default: sometimes] |
| --dns-servers <serv1[,serv2],...> | Specify custom DNS servers |
| --system-dns | Use OS's DNS resolver |
SCAN TECHNIQUES:
| -sS/sT/sA/sW/sM | TCP SYN/Connect()/ACK/Window/Maimon scans |
| -sN/sF/sX | TCP Null, FIN, and Xmas scans |
| --scanflags <flags> | Customize TCP scan flags |
| -sI <zombie host[:probeport]> | Idlescan |
| -sO | IP protocol scan |
| -b <ftp relay host> | FTP bounce scan |
PORT SPECIFICATION AND SCAN ORDER:
| -p <port ranges> | Only scan specified ports Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080 |
| -F | Fast - scan only the ports listed in the nmap-services file |
| -r | Scan ports consecutively - don't randomize |
SERVICE/VERSION DETECTION:
| -sV | Probe open ports to determine service/version info |
| --version-intensity <level> | Set from 0 (light) to 9 (try all probes) |
| --version-light | Limit to most likely probes (intensity 2) |
| --version-all | Try every single probe (intensity 9) |
| --version-trace | Show detailed version scan activity (for debugging) |
OS DETECTION:
| -O | Enable OS detection |
| --osscan-limit | Limit OS detection to promising targets |
| --osscan-guess | Guess OS more aggressively |
TIMING AND PERFORMANCE:
Options which take <time> are in milliseconds, unless you append 's' (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).
| -T[0-5] | Set timing template (higher is faster) |
| --min-hostgroup/max-hostgroup <size> | Parallel host scan group sizes |
| --min-parallelism/max-parallelism <time> | Probe parallelization |
| --min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time> | Specifies probe round trip time. |
| --max-retries <tries> | Caps number of port scan probe retransmissions. |
| --host-timeout <time> | Give up on target after this long |
| --scan-delay/--max-scan-delay <time> | Adjust delay between probes |
FIREWALL/IDS EVASION AND SPOOFING:
| -f; --mtu <val> | Fragment packets (optionally with the given MTU) |
| -D <decoy1,decoy2[,ME],...> | Cloak a scan with decoys |
| -S <IP_Address> | Spoof source address |
| -e <iface> | Use specified interface |
| -g/--source-port <portnum> | Use given port number |
| --data-length <num> | Append random data to sent packets |
| --ttl <val> | Set IP time-to-live field |
| --spoof-mac <mac address/prefix/vendor name> | Spoof your MAC address |
| --badsum | Send packets with a bogus TCP/UDP checksum |
OUTPUT:
| -oN/-oX/-oS/-oG <file> | Output scan in normal, XML, s\|<rIpt kIddi3, and Grepable format, respectively, to the given filename. |
| -oA <basename> | Output in the three major formats at once |
| -v | Increase verbosity level (use twice for more effect) |
| -d[level] | Set or increase debugging level (Up to 9 is meaningful) |
| --packet-trace | Show all packets sent and received |
| --iflist | Print host interfaces and routes (for debugging) |
| --log-errors | Log errors/warnings to the normal-format output file |
| --append-output | Append to rather than clobber specified output files |
| --resume <filename> | Resume an aborted scan |
| --stylesheet <path/URL> | XSL stylesheet to transform XML output to HTML |
| --webxml | Reference stylesheet from Insecure.Org for more portable XML |
| --no-stylesheet | Prevent associating of XSL stylesheet w/XML output |
MISC:
| -6 | Enable IPv6 scanning |
| -A | Enable OS detection and version detection |
| --datadir <dirname> | Specify custom Nmap data file location |
| --send-eth/--send-ip | Send using raw ethernet frames or IP packets |
| --privileged | Assume that the user is fully privileged |
| -V | Print version number |
nmap -P0 204.228.150.3
Running the port scan above against the Computer Hope IP address produces output similar to the example below. Note that the option is -P followed by a zero, not the letter O.
Interesting ports on www.computerhope.com (204.228.150.3):
Not shown: 1019 filtered ports, 657 closed ports
PORT    STATE SERVICE
21/tcp  open  ftp
80/tcp  open  http
113/tcp open  auth
443/tcp open  https
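The normal-format (-oN) output shown above is simple enough to parse by hand, which is useful when checking a scan of your own hosts against the set of services you expect to be exposed. The following is an added example, not part of the original page or of nmap itself; the sample scan text is constructed from the output above and the allowlist of expected ports is a hypothetical baseline.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample in nmap's normal (-oN) output format, modelled on the
# scan of www.computerhope.com shown on this page.
SAMPLE_OUTPUT = """\
Interesting ports on www.computerhope.com (204.228.150.3):
Not shown: 1019 filtered ports, 657 closed ports
PORT    STATE SERVICE
21/tcp  open  ftp
80/tcp  open  http
113/tcp open  auth
443/tcp open  https
"""

# Host header as printed by older ("Interesting ports on") and newer
# ("Nmap scan report for") releases; the parenthesised IP is optional.
HOST_RE = re.compile(r"^(?:Interesting ports on|Nmap scan report for) (\S+?)(?: \(([^)]+)\))?:?$")
# Port rows: "<port>/<proto> <state> <service> [<version ...>]".
PORT_RE = re.compile(r"^(\d+)/(tcp|udp|sctp)\s+(\S+)\s+(\S+)")

PortRow = Tuple[int, str, str, str]  # (port, proto, state, service)

def parse_normal_output(text: str) -> Dict[str, List[PortRow]]:
    """Map each scanned host (IP when shown, else the name) to its port rows."""
    hosts: Dict[str, List[PortRow]] = {}
    current = None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = m.group(2) or m.group(1)
            hosts[current] = []
            continue
        m = PORT_RE.match(line)
        if m and current is not None:
            port, proto, state, service = m.groups()
            hosts[current].append((int(port), proto, state, service))
    return hosts

def unexpected_open_ports(hosts: Dict[str, List[PortRow]],
                          allowlist: Dict[str, Set[Tuple[int, str]]]) -> List[Tuple[str, int, str, str]]:
    """Open ports that are not in the per-host allowlist (hypothetical baseline)."""
    findings = []
    for host, rows in hosts.items():
        allowed = allowlist.get(host, set())
        for port, proto, state, service in rows:
            if state == "open" and (port, proto) not in allowed:
                findings.append((host, port, proto, service))
    return findings

if __name__ == "__main__":
    baseline = {"204.228.150.3": {(80, "tcp"), (443, "tcp")}}  # hypothetical
    for host, port, proto, service in unexpected_open_ports(parse_normal_output(SAMPLE_OUTPUT), baseline):
        print(f"{host}: unexpected {port}/{proto} ({service})")
```

Against the hypothetical baseline of only HTTP and HTTPS, the sample output flags 21/tcp (ftp) and 113/tcp (auth) for review.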
