
URL: https://dev.to/excalibra/common-nmap-parameters-1815

Common Nmap Parameters


The following table lists frequently used Nmap parameters with a short description of each, intended as a study reference.

| Parameter | Description |
|---|---|
| -sT | TCP connect() scan. Completes the full TCP handshake, so the target host records a large number of connection requests and error messages in its logs. |
| -sS | Half-open (SYN) scan. Few systems log this activity; however, root privileges are required. |
| -sF, -sX, -sN | Stealth FIN scan, Xmas Tree scan, and Null scan modes. |
| -sP | Ping scan (host discovery; -sn in current versions). Nmap pings hosts by default before port scanning and continues only if the host is alive. |
| -sU | UDP scan. UDP scans are inherently unreliable. |
| -sA | ACK scan. An advanced method typically used to map firewall rule sets. |
| -sV | Probe open ports to determine the service and its version. |
| -Pn | Skip the ping before scanning. Some firewalls block ping; this option lets the scan proceed regardless. |
| -v | Verbose output; shows the scan's progress. Recommended. |
| -h | Help. The clearest and most comprehensive documentation of the options. |
| -p | Specify ports, for example 1-65535, 1433, 135, 22, 80. |
| -O | Enable remote operating system detection. False positives may occur. |
| -A | Comprehensive (aggressive) detection: enables OS detection, version detection, script scanning, and traceroute. |
| -oN / -oX / -oG | Write the report to a file in normal, XML, or grepable format respectively. |
| -T4 | Aggressive timing template; for TCP ports it caps the dynamic scan delay at 10 ms. |
| -iL | Read a list of hosts from a file, for example -iL C:\ip.txt. |
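The -sT and -sS rows note that a connect() scan shows up in the target's own logs while a half-open scan usually does not. At the network layer, though, both send a burst of SYN packets to many ports from one source, and a firewall LOG rule will record that regardless of what the application logs. The following is an added example, not code from the original post, showing how a defender can spot that pattern in netfilter (iptables/nftables) LOG-style syslog lines. It assumes the standard LOG field names (SRC=, DST=, PROTO=, SPT=, DPT= and the TCP flag words); the sample lines, hosts and the 15-port threshold are constructed for illustration.

```python
"""Detect port-scan-like SYN bursts in netfilter LOG lines.

Added example, not from the original post. Assumes iptables/nftables
LOG-style syslog lines; the sample lines below are constructed, not captured.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Fields common to the netfilter LOG target; MAC= and other fields between
# them are skipped by the non-greedy gaps.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) .*?"
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*?"
    r"PROTO=(?P<proto>\w+) SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Return a dict for one LOG line, or None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    tail = line[m.end():]  # e.g. " WINDOW=1024 RES=0x00 SYN URGP=0" for TCP
    flags = {name for name in ("SYN", "ACK", "FIN", "RST", "PSH", "URG")
             if f" {name} " in tail}
    return {
        # syslog timestamps carry no year; strptime defaults to 1900, which
        # is fine for relative windows within one log file.
        "ts": datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"),
        "src": m.group("src"),
        "dst": m.group("dst"),
        "proto": m.group("proto"),
        "dpt": int(m.group("dpt")),
        "syn_only": flags == {"SYN"},  # a bare SYN is a new connection attempt
    }


def detect_scans(lines, window=timedelta(seconds=60), threshold=15):
    """Return {src: sorted distinct ports} for sources whose SYN-only probes
    touched more than `threshold` distinct destination ports within `window`."""
    probes = defaultdict(list)  # src -> [(ts, dpt), ...]
    for line in lines:
        ev = parse_line(line)
        if ev and ev["proto"] == "TCP" and ev["syn_only"]:
            probes[ev["src"]].append((ev["ts"], ev["dpt"]))
    alerts = {}
    for src, evs in probes.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:  # slide window forward
                start += 1
            if len({p for _, p in evs[start:end + 1]}) > threshold:
                alerts[src] = sorted({p for _, p in evs})
                break
    return alerts


def _log_line(ts, src, dpt, flags="SYN"):
    """Build one constructed netfilter LOG line (not real captured data)."""
    return (f"{ts:%b %d %H:%M:%S} gw kernel: [12.3] IN=eth0 OUT= "
            f"SRC={src} DST=10.0.0.10 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF "
            f"PROTO=TCP SPT=40000 DPT={dpt} WINDOW=1024 RES=0x00 {flags} URGP=0")


_T0 = datetime(2024, 3, 12, 10, 0, 0)
SAMPLE_LINES = (
    # one source probing 30 consecutive ports, one per second (constructed)
    [_log_line(_T0 + timedelta(seconds=i), "10.0.0.5", 20 + i) for i in range(30)]
    # a normal client reconnecting to 443 a few times
    + [_log_line(_T0 + timedelta(seconds=5 * i), "10.0.0.7", 443) for i in range(6)]
    # an ACK from an established connection, which must not count as a probe
    + [_log_line(_T0 + timedelta(seconds=9), "10.0.0.7", 22, flags="ACK")]
)

if __name__ == "__main__":
    for src, ports in detect_scans(SAMPLE_LINES).items():
        print(f"{src}: {len(ports)} distinct ports probed, first {ports[:5]}")
```

The detector keys on SYN-only packets because that is what both a connect() scan and a SYN scan emit per port; it ignores ACK traffic so established sessions do not inflate the count. Tune `window` and `threshold` to the environment, since a monitoring system or load balancer may legitimately touch many ports.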

Practical Examples

  • Scan open ports on a specified IP address:

    nmap -sS -p 1-65535 -v XXX.XXX.XXX.XXX

  • Scan live hosts in a /24 subnet:

    nmap -sP XXX.XXX.XXX.XXX/24

  • Scan specific ports:

    nmap -p 80,1433,22,1521 XXX.XXX.XXX.XXX

  • Detect the host operating system:

    nmap -O XXX.XXX.XXX.XXX

  • Comprehensive system detection:

    nmap -v -A XXX.XXX.XXX.XXX

    Note: By default, Nmap scans the 1,000 most commonly used ports.

  • Scan a specified IP range:

    nmap XXX.XXX.XXX.XXX-XXX

  • Scan a host behind a firewall that blocks ping:

    nmap -Pn -A XXX.XXX.XXX.XXX

  • Use a script to scan for sensitive web directories:

    nmap -p 80 --script=http-enum.nse XXX.XXX.XXX.XXX
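Each of the scans above can be saved with the -oN / -oX / -oG options from the table. The grepable (-oG) format is the easiest to post-process, which is how a defender turns a periodic scan of their own network into a check for unexpected exposure. The following is an added example, not code from the original post: it parses -oG output (tab-separated "Name: value" fields per host, port entries separated by ", " with seven "/"-separated fields: port/state/protocol/owner/service/rpc/version) and reports open ports that are not in an approved baseline. The scan text, host addresses and baseline are constructed, not real results.

```python
"""Parse Nmap grepable (-oG) output and flag open ports outside a baseline.

Added example, not from the original post. SAMPLE_OG and BASELINE are
constructed, not real scan results.
"""

SAMPLE_OG = """\
# Nmap 7.94 scan initiated Tue Mar 12 10:00:00 2024 as: nmap -sS -p 1-65535 -oG scan.gnmap 10.0.0.0/29
Host: 10.0.0.2 ()\tStatus: Up
Host: 10.0.0.2 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/open/tcp//http//nginx 1.18.0/, 8080/open/tcp//http-proxy///\tIgnored State: closed (65532)
Host: 10.0.0.3 ()\tStatus: Up
Host: 10.0.0.3 ()\tPorts: 443/open/tcp//https//Apache httpd/, 3306/filtered/tcp//mysql///\tIgnored State: closed (65533)
# Nmap done at Tue Mar 12 10:05:00 2024 -- 8 IP addresses (2 hosts up) scanned in 300.00 seconds
"""

# Approved exposure per host (constructed); anything open beyond this is a finding.
BASELINE = {"10.0.0.2": {22, 80}, "10.0.0.3": {443}}


def parse_grepable(text):
    """Return {ip: [port dicts]} from -oG text; comment and Status lines are skipped."""
    hosts = {}
    for line in text.splitlines():
        if line.startswith("#") or "\tPorts: " not in line:
            continue
        # Each tab-separated field is "Name: value" (Host, Ports, Ignored State).
        fields = dict(f.split(": ", 1) for f in line.split("\t"))
        ip = fields["Host"].split()[0]  # "10.0.0.2 ()" -> "10.0.0.2"
        ports = []
        for entry in fields["Ports"].split(", "):
            port, state, proto, _owner, service, _rpc, version = entry.split("/")[:7]
            ports.append({"port": int(port), "state": state, "proto": proto,
                          "service": service, "version": version})
        hosts[ip] = ports
    return hosts


def unexpected_open_ports(hosts, baseline):
    """Map each host to its open ports not listed in the baseline.

    Only the open state counts: a filtered port is not a reachable service."""
    findings = {}
    for ip, ports in hosts.items():
        allowed = baseline.get(ip, set())
        extra = sorted(p["port"] for p in ports
                       if p["state"] == "open" and p["port"] not in allowed)
        if extra:
            findings[ip] = extra
    return findings


if __name__ == "__main__":
    scanned = parse_grepable(SAMPLE_OG)
    for ip, extra in unexpected_open_ports(scanned, BASELINE).items():
        print(f"{ip}: unexpected open ports {extra}")
```

Running the same check after every scheduled scan of your own address space gives a simple drift detector: a new open port on a host means either a change request you know about or a service someone started without one.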