nmap one liners and tricks
port scan against a target to discover open ports
nmap 192.168.1.1
scan multiple target hosts
nmap 192.168.1.1 192.168.1.2
scan a range of IP addresses (.1 to .10)
nmap 192.168.1.1-10
scan an entire subnet
nmap 192.168.1.0/24
scan specific ports
nmap -p 22,80,443 192.168.1.1
detect operating system and version
nmap -O 192.168.1.1
detect service type/version for each open port
nmap -sV 192.168.1.1
aggressive scan (includes OS and service detection)
nmap -A 192.168.1.1
check if the target is online without a port scan
nmap -sn 192.168.1.1
scan without ping (useful if ICMP is blocked)
nmap -Pn 192.168.1.1
scan with UDP probes
nmap -sU -p 53 192.168.1.1
increase debug level (-dd for greater effect)
nmap -d 192.168.1.1
output to a file in XML format
nmap -oX output.xml 192.168.1.1
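the XML written by -oX is the form worth keeping, because it can be parsed and compared against a known baseline instead of eyeballed. the script below is an added example for this cheat sheet, not part of nmap: it reads nmap's XML (the host/address/ports/port/state/service element names are the ones nmap emits), collects the open ports per host, and reports any that an expected-ports baseline does not list. the embedded scan result and the BASELINE dictionary are constructed sample data; pass a real output.xml as the first argument to run it against your own scan.

```python
"""Parse nmap -oX output and flag open ports missing from an expected baseline.

Added example for this cheat sheet; it is not nmap's own code. Element and
attribute names follow nmap's XML output format.
"""
import sys
import xml.etree.ElementTree as ET

# Constructed sample of an `nmap -sV -oX output.xml` run against one host (not a real scan).
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<nmaprun scanner="nmap" args="nmap -sV -oX output.xml 192.168.1.1" version="7.94" xmloutputversion="1.05">
<host>
<status state="up" reason="echo-reply"/>
<address addr="192.168.1.1" addrtype="ipv4"/>
<hostnames><hostname name="router.lan" type="PTR"/></hostnames>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh" product="OpenSSH" version="8.9p1"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http" product="nginx"/></port>
<port protocol="tcp" portid="443"><state state="closed" reason="reset"/><service name="https"/></port>
<port protocol="tcp" portid="8080"><state state="open" reason="syn-ack"/><service name="http-proxy"/></port>
</ports>
</host>
<runstats><hosts up="1" down="0" total="1"/></runstats>
</nmaprun>
"""

# Hypothetical baseline (constructed): the ports each host is expected to expose.
BASELINE = {"192.168.1.1": {("tcp", 22), ("tcp", 80)}}


def parse_open_ports(xml_text):
    """Return {addr: {(proto, port): service description}} for every open port."""
    root = ET.fromstring(xml_text)
    hosts = {}
    for host in root.iter("host"):
        status = host.find("status")
        if status is not None and status.get("state") != "up":
            continue  # down hosts carry no usable port data
        addr_el = host.find("address")  # first <address> is the scanned IP
        if addr_el is None:
            continue
        open_ports = {}
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # skip closed/filtered ports
            key = (port.get("protocol"), int(port.get("portid")))
            svc = port.find("service")
            parts = []
            if svc is not None:
                parts = [svc.get(a) for a in ("name", "product", "version") if svc.get(a)]
            open_ports[key] = " ".join(parts) or "unknown"
        hosts[addr_el.get("addr")] = open_ports
    return hosts


def unexpected_ports(scan, baseline):
    """Open ports the baseline does not list, per host: the drift a defender wants to see."""
    drift = {}
    for addr, ports in scan.items():
        allowed = baseline.get(addr, set())
        extra = {k: v for k, v in ports.items() if k not in allowed}
        if extra:
            drift[addr] = extra
    return drift


if __name__ == "__main__":
    # usage: python3 nmap_drift.py output.xml   (falls back to the sample when no file is given)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_XML
    for addr, extra in unexpected_ports(parse_open_ports(text), BASELINE).items():
        for (proto, port), svc in sorted(extra.items()):
            print(f"{addr} {port}/{proto} open ({svc}) not in baseline")
```

on the sample data the only line printed is 192.168.1.1 8080/tcp open (http-proxy) not in baseline; the closed 443/tcp entry is ignored because only state="open" is collected.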
run specific NSE scripts
nmap --script=<nse-script> 192.168.1.1
find a list of NSE scripts to use with nmap
ls /usr/share/nmap/scripts
cloak the scan with decoy source IP addresses
nmap -D <decoy-IP> 192.168.1.1
scan with fragmented packets to evade IDS/IPS
nmap -f 192.168.1.1
exclude specific targets
nmap 192.168.1.0/24 --exclude 192.168.1.10
scan using a specific network interface
nmap -e eth0 192.168.1.1
show all packets sent/received
nmap -p 80 -d --packet-trace 192.168.1.1
set the timing template (0 = slowest, 5 = fastest)
nmap -T<0-5> 192.168.1.1
scan using a list of hosts/networks found in a file
nmap -iL targets.txt
enable IPv6 scanning
nmap -6 <target-IPv6-address>