Nmap Scanning Techniques and Algorithms

June 10, 2016 | Views: 15067

Begin Learning Cyber Security for FREE Now!

FREE REGISTRATIONAlready a Member Login Here

Nmap allows system administrators and individuals to scan networks to determine which hosts are up and what services they’re offering. Nmap supports a large number of scanning techniques including:

  • UDP
  • TCP connect()
  • TCP SYN (half open)
  • FTP proxy (bounce attack)
  • ICMP (ping sweep)
  • FIN
  • ACK sweep
  • Xmas Tree
  • SYN sweep
  • IP Protocol
  • Null scan

Here’s a compiled list of Nmap techniques and algorithms to perform a variety of tasks.


Basic Commands


Scan a single target —> nmap [target]


Scan multiple targets —> nmap [target1,target2,etc]


Scan a list of targets —-> nmap -iL [list.txt]


Scan a range of hosts —-> nmap [range of IP addresses]


Scan an entire subnet —-> nmap [IP address/cdir]


Scan random hosts —-> nmap -iR [number]


Excluding targets from a scan —> nmap [targets] –exclude [targets]


Excluding targets using a list —> nmap [targets] –excludefile [list.txt]


Perform an aggressive scan —> nmap -A [target]


Scan an IPv6 target —> nmap -6 [target]


Discovery Options


Perform a ping scan only —> nmap -sP [target]


Don’t ping —> nmap -PN [target]


TCP SYN Ping —> nmap -PS [target]


TCP ACK ping —-> nmap -PA [target]


UDP ping —-> nmap -PU [target]


SCTP Init Ping —> nmap -PY [target]


ICMP echo ping —-> nmap -PE [target]


ICMP Timestamp ping —> nmap -PP [target]


ICMP address mask ping —> nmap -PM [target]


IP protocol ping —-> nmap -PO [target]


ARP ping —> nmap -PR [target]


Traceroute —> nmap –traceroute [target]


Force reverse DNS resolution —> nmap -R [target]


Disable reverse DNS resolution —> nmap -n [target]


Alternative DNS lookup —> nmap –system-dns [target]


Manually specify DNS servers —> nmap –dns-servers [servers] [target]


Create a host list —-> nmap -sL [targets]


Advanced Scanning Options


TCP SYN scan —> nmap -sS [target]


TCP connect scan —-> nmap -sT [target]


UDP scan —-> nmap -sU [target]


TCP Null scan —-> nmap -sN [target]


TCP Fin scan —> nmap -sF [target]


Xmas scan —-> nmap -sX [target]


TCP ACK scan —> nmap -sA [target]


Custom TCP scan —-> nmap –scanflags [flags] [target]


IP protocol scan —-> nmap -sO [target]


Send raw Ethernet packets —-> nmap –send-eth [target]


Send IP packets —-> nmap –send-ip [target]


Port Scanning Options


Perform a fast scan —> nmap -F [target]


Scan specific ports —-> nmap -p [ports] [target]


Scan ports by name —-> nmap -p [port name] [target]


Scan ports by protocol —-> nmap -sU -sT -p U:[ports],T:[ports] [target]


Scan all ports —-> nmap -p “*” [target]


Scan top ports —–> nmap –top-ports [number] [target]


Perform a sequential port scan —-> nmap -r [target]


Version Detection


Operating system detection —-> nmap -O [target]


Submit TCP/IP Fingerprints —-> http://www.nmap.org/submit/


Attempt to guess an unknown —-> nmap -O –osscan-guess [target]


Service version detection —-> nmap -sV [target]


Troubleshooting version scans —-> nmap -sV –version-trace [target]


Perform a RPC scan —-> nmap -sR [target]


Timing Options


Timing Templates —-> nmap -T [0-5] [target]


Set the packet TTL —-> nmap –ttl [time] [target]


Minimum of parallel connections —-> nmap –min-parallelism [number] [target]


Maximum of parallel connection —-> nmap –max-parallelism [number] [target]


Minimum host group size —–> nmap –min-hostgroup [number] [targets]


Maximum host group size —-> nmap –max-hostgroup [number] [targets]


Maximum RTT timeout —–> nmap –initial-rtt-timeout [time] [target]


Initial RTT timeout —-> nmap –max-rtt-timeout [TTL] [target]


Maximum retries —-> nmap –max-retries [number] [target]


Host timeout —-> nmap –host-timeout [time] [target]


Minimum scan delay —-> nmap –scan-delay [time] [target]


Maximum scan delay —-> nmap –max-scan-delay [time] [target]


Minimum packet rate —-> nmap –min-rate [number] [target]


Maximum packet rate —-> nmap –max-rate [number] [target]


Defeat reset rate limits —-> nmap –defeat-rst-ratelimit [target]


Firewall Evasion Techniques


Fragment packets —-> nmap -f [target]


Specify a specific MTU —-> nmap –mtu [MTU] [target]


Use a decoy —-> nmap -D RND: [number] [target]


Idle zombie scan —> nmap -sI [zombie] [target]


Manually specify a source port —-> nmap –source-port [port] [target]


Append random data —-> nmap –data-length [size] [target]


Randomize target scan order —-> nmap –randomize-hosts [target]


Spoof MAC address —-> nmap –spoof-mac [MAC|0|vendor] [target]


Send bad checksums —-> nmap –badsum [target]


Output Options


Save output to a text file —-> nmap -oN [scan.txt] [target]


Save output to a xml file —> nmap -oX [scan.xml] [target]


Grepable output —-> nmap -oG [scan.txt] [target]


Output all supported file types —-> nmap -oA [path/filename] [target]


Periodically display statistics —-> nmap –stats-every [time] [target]


133t output —-> nmap -oS [scan.txt] [target]


Troubleshooting and Debugging


Help —> nmap -h


Display Nmap version —-> nmap -V


Verbose output —-> nmap -v [target]


Debugging —-> nmap -d [target]


Display port state reason —-> nmap –reason [target]


Only display open ports —-> nmap –open [target]


Trace packets —> nmap –packet-trace [target]


Display host networking —> nmap –iflist


Specify a network interface —> nmap -e [interface] [target]


Nmap Scripting Engine


Execute individual scripts —> nmap –script [script.nse] [target]


Execute multiple scripts —-> nmap –script [expression] [target]


Script categories —-> all, auth, default, discovery, external, intrusive, malware, safe, vuln


Execute scripts by category —-> nmap –script [category] [target]


Execute multiple scripts categories —-> nmap –script [category1,category2, etc]


Troubleshoot scripts —-> nmap –script [script] –script-trace [target]


Update the script database —-> nmap –script-updatedb




Comparison using Ndiff —-> ndiff [scan1.xml] [scan2.xml]


Ndiff verbose mode —-> ndiff -v [scan1.xml] [scan2.xml]


XML output mode —-> ndiff –xml [scan1.xm] [scan2.xml]


Thanks and I hope these are helpful to you.

Share with Friends
Use Cybytes and
Tip the Author!
Share with Friends
Ready to share your knowledge and expertise?
  1. Excellent post. Thanks

  2. you the best…thanks

  3. Awesome post. 🙂 I may have over looked it, however did you have an Nmap command that scanned a subnet range cidr and then outputted the results into a txt file? This would be ideal to find out what is on the network that responds at first and then go through one by one (hopefully groups) and get the rest of the IPs that didn’t respond to the initial scan maybe by using other nmap scans of UDP, ARP, and even the unknown scan mentioned to get an idea of every IP on the Network.

  4. nmap is excellent for internal discovery scan. However, for external discovery scan I tired different ways and got different results (just want to determine the number of live hosts in an IP range, nothing more, no OS detection, etc)

    I think this is due to the firewall settings. Some hosts found live but all ports were closed.
    The main problem is number of live hosts were different in each scan. Does anyone has any idea?

    Also one subnet (10.x.x.0/24, 256 IP) is using ACL to control access. My Nessus scanners are on the access list so able to run any scans, but nmap is not running properly. Ping scan returned all IP were up.
    Right now I use an alternative way (-P, ping the ports) to determine if a host is live or not because there are only Linux and Windows in this subnet. The problem is I have to review the result manually (because all IP were listed, if namp is working then only live IP will be listed).

    Thank you for your help in advance.

  5. thanks so much for sharing

Page 3 of 4«1234»
Comment on This

You must be logged in to post a comment.

Our Revolution

We believe Cyber Security training should be free, for everyone, FOREVER. Everyone, everywhere, deserves the OPPORTUNITY to learn, begin and grow a career in this fascinating field. Therefore, Cybrary is a free community where people, companies and training come together to give everyone the ability to collaborate in an open source way that is revolutionizing the cyber security educational experience.

Support Cybrary

Donate Here to Get This Month's Donor Badge


We recommend always using caution when following any link

Are you sure you want to continue?