NMap is one of the core tools of a penetration tester. It is a program designed to figure out what’s listening on each of a machine’s TCP or UDP ports. This kind of program is known as a ‘port scanner”

NMap is typically the first stage of Reconnaisance against a host or network, and will often provide a lot of useful information about a machine or network, provided the right arguments are given to it.

(Very) Basic Usage

In order to use NMap with all-default settings, simply put the command and the target in:

nmap [options] [target]

Where [target] can be either an IP address, a hostname or an IP range in either CIDR format or, for example, to include,, and

If [options] is blank, NMap will perform the scan with the following configurations for all hosts:

  • A full-connection TCP scan for each port
  • Only covers the 1000 most popular ports
  • Minimal analysis on what’s running on those ports

This is frequently less-than-ideal for most penetration testing and CTF use cases, so lets look at the options we have.

Scan Types

Nmap provides 3 basic scan types:

  • -sS – SYN Stealth Scan. Instead of completing a TCP Three-way handshake, aborts after step 2, by which point it has already confirmed whether or not something is there. This is typically the faster way to do TCP scans and as such is typically recommended in most cases.
  • -sT – TCP Full-Connect Scan. Performs a full TCP threeway handshake. This should be used only in situations where you do not have root/administrative access (and therefore do not have raw TCP access), or if you are scanning against an IPv6 target, which does not Stealth scanning
  • -sU – UDP Scanning. Performs a UDP scan, waiting for a response back for a given amount of time.

Other Useful Flags

  • -p[port number or range] – Scans the given port(s). To scan all ports, use -p0-.
  • -Pn – Assume the target system is up but isn’t responding to ICMP Pings, thereby forcing NMap to scan each and every port regardless of if it ever gets a response back from the host.
  • -Ps – Scans the network to see if the given host(s) are up. Does not scan ports.
  • -sC – Runs the default category of scripts.
  • -sV – Turnso on service version detection.
  • -A – Turns on service version/OS detection and runs the default category of scripts.
  • -O – Turns on OS detection.
  • -oX <filename> – Outputs the findings in XML format.
  • -oG <filename> – Outputs the findings in an easily-greppable text file.
  • -T[1-5] – Adjusts the speed of the scan. T3 is default, T1 is quiet but very, very slow, and T5 is all speed and no subtlety.

Nmap Scripts

Nmap can optionally run a wide array of scripts to enhance the information gathered. You can find these scripts in /usr/share/nmap/scripts and refer to individual ones with the following argument: --script=[script name]. No need to reference the folder path. You can also load more than one script at a time by separating the script names with commas.

Alternatively you might want to run an entire category of scripts rather than individual ones. You can do this by simply using the category name rather than the name of an individual script as an argument for --script. The available categories are:

  • auth – These scripts deal with authentication credentials and potential bypasses
  • broadcast – These scripts try to discover hosts on the network.
  • brute – These scripts try to brute-force guess their way into services that require authentication.
  • default – These scripts are the default set of scripts, and are also executed when the -A or -sC flags are used.
  • discovery – These scripts try to find out more about the network itself by performing tasks such as querying public DNS registrars and SNMP services.
  • dos – Scripts that test for denial-of-service vulnerabilities. Can cause a denial of service in and of itself!
  • exploit – Scripts that actively exploit a given vulnerability.
  • external – Scripts that, as part of their function, send data to third parties. Examples include the whois-ip plugin.
  • fuzzer – Scripts that send random garbage to servers in order to test server reactions.
  • intrusive – Scripts that have a good chance of either crashing the server or otherwise performing a denial of service
  • malware – Scripts that perform tests looking for tell-tale signs of malware infection.
  • safe – Scripts that aren’t known to crash servers or cause denial of service. The polar opposite of intrusive.
  • vuln – Scripts that check for certain vulnerbilities