Skip to content

Nmap Enumeration

Nmap¶

General¶

Options	Commands	Description
`--stats-every=5s`	`nmap --stats-every=5s $target`	Show statistics every 5 seconds during the scan
`-oN <output>`	`nmap -Pn -p- -oN alltcp_ports.txt $ip`	DSave results to a file

Port Discovery¶

Options	Commands	Description
`-p-`	`nmap --min-rate=10000 -p- $target`	Scan all ports
`-p22`	`nmap -p22 $target`	Scan a specific port
`-p80,443`	`nmap -p80,443 $target`	Scan multiple ports (80 and 443)
`-p1000-2000`	`nmap -p1000-2000 $target`	Scan a range of ports (1000 to 2000)
`-sU`	`sudo nmap -sU $target`	Scan UDP ports
`--source-port 53`	`sudo nmap --source-port 53 $target`	Set the source port to 53 (bypassing firewall rules)

Host Discovery¶

Options	Commands	Description
`-sn`	`nmap -sn $target`	Host discovery (no port scan)
`-Pn`	`nmap -Pn $target`	Disable host discovery (treat all hosts as online)
`-PS80,443`	`nmap -PS80,443 $target`	TCP SYN Ping on ports 80 and 443
`-PA80,443`	`nmap -PA80,443 $target`	TCP ACK Ping on ports 80 and 443
`-PU53,161`	`nmap -PU53,161 $target`	UDP Ping on ports 53 and 161
`-PR`	`nmap -PR $target`	ARP Ping (local network only)
`-PP`	`nmap -PP $target`	ICMP Echo Ping
`-PM`	`nmap -PM $target`	ICMP Timestamp Ping

Script/Version¶

Options	Commands	Description
`-sC`	`nmap -sC $target`	Scan with default scripts
`-sV`	`nmap -sV $target`	Scan with version discovery
`--script vuln`	`nmap --script vuln $target`	Scan for vulnerabilities using `vuln` script
`--script smb-enum-shares`	`nmap --script smb-enum-shares -p445 $target`	Enumerate SMB shares on a target
`--script http-title`	`nmap --script http-title -p80 $target`	Get the title of a web page
`--script ftp-anon`	`nmap --script ftp-anon $target`	Check for anonymous FTP login

OS Detection¶

Options	Commands	Description
`-O`	`nmap -O $target`	Enable OS detection
`--osscan-guess`	`nmap -O --osscan-guess $target`	Make a guess on the OS when Nmap is not sure