NMAP Quick Reference
Updated: 16th of April 2022
Published: 29th of September 2017
NMAP is a tool for network discovery and auditing. This is not a comprehensive tutorial, only a quick reference source. Consult the man pages and/or documentation for an in-depth explanation of commands.
Scan the top N number of ports
nmap --top-ports 10 target.dummy
TCP SYN Scan
TCP SYN scans do not perform a full TCP 3-way handshake. A RST is sent to the server when a SYN/ACK is received. The flow between the NMAP client and server looks like this:
sudo nmap -sS -p 22,113,139 target.dummy
TCP SYN scans requires raw-packet privileges.
TCP Connect Scan
TCP connect scan utilises the underlying operating system to perform a full TCP 3-way handsake and sets up a connections between the client and the server. This scan is used when the user does not have raw packet privileges or is scanning IPv6 networks. The flow between the NMAP client and the server looks like this:
nmap -sT -p 22,80,443 target.dummy
UDP scans send a UDP packet to the target port and depending on the response, NMAP will guess if the port is open based on the following table.
|NMAP State||Response Type|
|open||Any UDP repsonse (this is unusual)|
|open | filtered||No response received|
|closed||ICMP port unreachable error (type 3, code 3)|
|filtered||Other ICMP unreachable errors (type 3, code 1, 2, 9, 10, or 13)|
sudo nmap -sU -p 53 target.dummy
UDP scans requires raw-packet privileges.
An aggressive scan combines a number of scan types without having to remember a large number of flags. The scans include:
- OS Detection
- Version Scanning
- Script Scanning
nmap -A target.dummy
Aggressive scans are intrusive and should not be used against a target without permission.
Ping sweep a subnet
nmap -sn 10.1.1.0/24
NPing allows you to generate packets.
Target a host with a GARP reply
sudo nping -c 1 --arp-sender-mac 08:00:27:ba:6c:7f \ --arp-sender-ip 10.1.1.1 --arp-type ar \ --arp-target-mac 08:00:27:74:99:3b 10.1.1.11 \ --interface eth1 --dest-mac 08:00:27:74:99:3b