# Single target scan: nmap [target] # Scan from a list of targets: nmap -iL [list.txt] # Scan port for all available A records # (useful when multiple A records are returned by the DNS server) nmap --script resolveall \ --script-args newtargets,resolveall.hosts=[target] -p [port] # iPv6: nmap -6 [target] # OS detection: nmap -O --osscan_guess [target] # Save output to text file: nmap -oN [output.txt] [target] # Save output to xml file: nmap -oX [output.xml] [target] # Scan a specific port: nmap -p [port] [target] # Do an aggressive scan: nmap -A [target] # Speedup your scan: # -n => disable ReverseDNS # --min-rate=X => min X packets / sec nmap -T5 --min-parallelism=50 -n --min-rate=300 [target] # Traceroute: nmap -traceroute [target] # Ping scan only: -sP # Don't ping: -PN <- Useful if a host doesn't reply to a ping. # TCP SYN ping: -PS # TCP ACK ping: -PA # UDP ping: -PU # ARP ping: -PR # Example: Ping scan all machines on a class C network nmap -sP 192.168.0.0/24 # Force TCP scan: -sT # Force UDP scan: -sU # Use some script: nmap --script default,safe # Loads the script in the default category, the banner script, # and all .nse files in the directory /home/user/customscripts. nmap --script default,banner,/home/user/customscripts # Loads all scripts whose name starts with http-, # such as http-auth and http-open-proxy. nmap --script 'http-*' # Loads every script except for those in the intrusive category. nmap --script "not intrusive" # Loads those scripts that are in both the default and safe categories. nmap --script "default and safe" # Loads scripts in the default, safe, or intrusive categories, # except for those whose names start with http-. nmap --script "(default or safe or intrusive) and not http-*" # Scan for the heartbleed # -pT:443 => Scan only port 443 with TCP (T:) nmap -T5 --min-parallelism=50 -n --script "ssl-heartbleed" -pT:443 127.0.0.1 # Show all information (debug mode) nmap -d ... # Discover DHCP information on an interface nmap --script broadcast-dhcp-discover -e eth0