Nmap is a versatile tool used for network discovery, scanning, and security auditing. It allows you to combine multiple options in a single command to perform various tasks efficiently. Below is a compact guide to the most commonly used Nmap arguments.

Basic Syntax

Nmap allows you to combine different options in a single command for flexible scanning. The general syntax is:

nmap [options] [target]

For example:

nmap -sS -sV -O -p- target_ip

This performs a SYN scan (-sS), detects service versions (-sV), identifies the operating system (-O), and scans all ports (-p-) in one execution. Note that -sS and -sV may be merged into -sSV, because every letter after -s is read as a scan type, but -O is a separate option: written as -sSVO, the trailing O would be parsed as -sO (the IP protocol scan), not as OS detection, and Nmap has no standalone -V for version detection (-V prints Nmap's own version).


Scanning Options

  1. Scan Types:

    • -sS: Perform a SYN scan (stealth scan).
    • -sT: Perform a full TCP connect scan.
    • -sU: Perform a UDP scan.
    • -sA: Perform a TCP ACK scan (useful for mapping firewall rules, since it tells filtered from unfiltered ports).
    • -sn: Ping scan (host discovery only, no port scan).
    • -Pn: Skip host discovery and treat every target as up, scanning ports directly.
  2. Port Specification:

    • -p-: Scan all 65535 ports.
    • -p [port_list]: Scan specific ports or ranges (e.g., -p 22,80,443).
    • -F: Scan the top 100 common ports.
    • --top-ports <num>: Scan the top <num> most commonly used ports.
  3. Service and OS Detection:

    • -sV: Detect service versions on open ports.
    • -O: Perform OS detection to identify the target’s operating system.
    • -A: Aggressive scan (combines OS detection, service version detection, and script scanning).
  4. Timing and Performance:

    • -T<0-5>: Timing template for scan speed (0 is slowest, 5 is fastest).
    • --min-rate <num>: Ensure a minimum packet send rate (e.g., --min-rate 10000 sends 10,000 packets per second).
    • --max-retries <num>: Cap the number of times a port probe is retransmitted before the port is given up on.
    • --stats-every <time>: Show scan progress at regular intervals (e.g., --stats-every=5s).
    • -v / -vv: Increase verbosity (more detailed scan output).

Host Discovery and Obfuscation

  1. Host Discovery:

    • -PE: Perform a ping scan using ICMP Echo Requests.
    • --disable-arp-ping: Disable ARP Ping Requests for discovering hosts.
    • -n: Disable DNS resolution (speeds up scans by skipping DNS queries).
  2. Obfuscation and Interface:

    • -D RND:<num>: Use random decoys to obfuscate the source IP.
    • -e <interface>: Specify the network interface to use for the scan.
    • -S <source_ip>: Set a specific source IP address for the scan.
    • -g <port>: Specify the source port for the scan.
    • --dns-servers <ns1[,ns2,...]>: Use the specified name server(s) for DNS resolution.

Output Options

  1. Normal Output:

    • -oN <file>: Save the scan results in a human-readable format.
  2. Grepable Output:

    • -oG <file>: Save results in a grepable format (easy to filter with grep).
  3. XML Output:

    • -oX <file>: Save the results in XML format.
  4. Save in All Formats:

    • -oA <file>: Store results in all available formats (normal, XML, grepable).
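The grepable format that -oG writes is meant to be post-processed, so here is an added example (not from the original post) of a small Python parser for it that collects open ports, detected services and OS guesses per host. The scan output embedded below is constructed for the example, not a real scan.

```python
import re

# Constructed sample of what nmap -oG writes; not output from a real scan.
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated Mon Jan  1 12:00:00 2024 as: nmap -sS -sV -O -p 22,80,443 -oG result.gnmap 192.0.2.0/29
Host: 192.0.2.10 (web.example.lan)\tStatus: Up
Host: 192.0.2.10 (web.example.lan)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/open/tcp//http//nginx 1.18.0/, 443/closed/tcp//https///\tOS: Linux 5.4 - 5.15
Host: 192.0.2.11 ()\tStatus: Up
Host: 192.0.2.11 ()\tPorts: 22/filtered/tcp//ssh///, 80/open/tcp//http//Apache httpd 2.4.57/, 443/open/tcp//ssl|http//Apache httpd 2.4.57/
# Nmap done at Mon Jan  1 12:00:30 2024 -- 8 IP addresses (2 hosts up) scanned in 30.12 seconds
"""

HOST_RE = re.compile(r"^Host: (\S+) \((.*?)\)$")


def parse_gnmap(text):
    """Parse grepable output into {ip: {"hostname", "status", "os", "ports"}}.
    Fields on a Host line are tab separated ("Key: value"); each entry in the
    Ports field is port/state/proto/owner/service/rpcinfo/version/."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # '# Nmap ...' header and footer lines carry no host data
        fields = line.split("\t")
        m = HOST_RE.match(fields[0])
        if not m:
            continue
        ip, hostname = m.groups()
        rec = hosts.setdefault(ip, {"hostname": hostname, "status": "",
                                    "os": "", "ports": []})
        for f in fields[1:]:
            key, _, value = f.partition(": ")
            if key == "Status":
                rec["status"] = value
            elif key == "OS":
                rec["os"] = value
            elif key == "Ports":
                for entry in value.split(", "):
                    p = entry.split("/")
                    # Nmap writes a literal '/' inside a field as '|' (e.g. ssl|http)
                    rec["ports"].append({"port": int(p[0]), "state": p[1],
                                         "proto": p[2],
                                         "service": p[4].replace("|", "/"),
                                         "version": p[6].replace("|", "/")})
    return hosts


def open_ports(hosts):
    """Flatten to (ip, port, proto, service, version) rows, open ports only."""
    return [(ip, p["port"], p["proto"], p["service"], p["version"])
            for ip, h in hosts.items() for p in h["ports"] if p["state"] == "open"]
```

Feed it a real file with parse_gnmap(open("result.gnmap").read()) and diff the open_ports() rows between two runs to spot services that appeared or disappeared.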

Example Command

Here’s an example combining multiple options into one command:

nmap -sS -sV -O -p 22,80,443 -T4 --min-rate 10000 -oN result.txt target_ip

  • -sS: SYN scan (stealth).
  • -sV: Detect service versions.
  • -O: OS detection.
  • -p 22,80,443: Scan ports 22, 80, and 443.
  • -T4: Use an aggressive timing template for faster results.
  • --min-rate 10000: Send at least 10,000 packets per second.
  • -oN result.txt: Save the output in human-readable form to the file result.txt.

With Nmap, you can easily combine options into a single command for efficient scanning. By understanding how different arguments and options work together, you can optimize network discovery and auditing processes.