nmap

nmap (Network Mapper) is a powerful open-source tool used for network discovery and security auditing. It can be used to identify live hosts on a network, discover open ports, and detect services running on those ports.

Reconnaissance

# Ping scan to discover live hosts (#fast)
nmap -sn <host>
nmap -sn 192.168.0.1/24

# List scan to enumerate hosts without sending packets to them (#safe)
nmap -sL <host>

Port Scans

# Scan a range of hosts or a whole subnet
nmap 192.168.1.100-110
nmap 192.168.1.100/24

# Print a progress/status line every 5 seconds during a long scan
nmap --stats-every 5s <host>

# TCP SYN scan
# https://nmap.org/book/synscan.html
nmap -sS <host>

# Service version detection
nmap -sV <host>

# TCP connect scan (less stealthy than SYN scan)
nmap -sT <host>

# Spoof source port 53 (useful for bypassing firewalls that trust DNS traffic)
nmap -g 53 <host>
nmap --source-port 53 <host>

# Disable ARP/ND ping (nmap uses it by default for hosts on the same local network; disabling it forces IP-level host discovery instead)
nmap --disable-arp-ping <host>

# Null scan
# https://nmap.org/book/scan-methods-null-fin-xmas-scan.html
nmap -sN <host>

# FIN scan
# https://nmap.org/book/scan-methods-null-fin-xmas-scan.html
nmap -sF <host>

# Xmas scan
# https://nmap.org/book/scan-methods-null-fin-xmas-scan.html
nmap -sX <host>

# Scan all ports, or select ports by number and/or service name
nmap -p 1-65535 <host>
nmap -p ssh <host>
nmap -p 25,http <host>

# Timing templates (higher number = faster but noisier; -T4 is the usual "aggressive" choice)
# https://nmap.org/book/performance-timing-templates.html
nmap -T1 <host> # (Very slow, but stealthy)
nmap -T2 <host> # (Slow, but more stealthy than default)
nmap -T3 <host> # (Default)
nmap -T4 <host> # (Faster than default, but may be more detectable)
nmap -T5 <host> # (Insanely fast, but very detectable)

# Aggressive scan with OS and version detection
nmap -A <host>

# Verbose output
nmap -v <host>
nmap --verbose <host>

# OS detection (big "O", not zero)
nmap -O <host>

# Run NSE scripts against the target (script directory locations below)
## on macOS: $(brew --prefix nmap)/share/nmap/scripts
## on Linux: /usr/share/nmap/scripts
nmap -sC <host> # Equivalent to --script default
nmap --script <script_name> <host> # Run a specific script
nmap --script "http-*" <host> # Run all HTTP-related scripts

nmap --script-help all # List all available scripts with descriptions
nmap --script vuln <host> # (Run all vulnerability scripts, can be very noisy and time-consuming)
nmap --script safe <host> # Run only scripts that are considered safe (non-intrusive)
nmap --script all <host> # (Use with caution, can be very noisy and time-consuming)

# Scan multiple hosts from a file
nmap -iL /path/to/hosts.txt

# Save normal (human-readable) output to a file
nmap -oN report.txt <host>

# Save output in XML format (machine-readable, for parsing or diffing later)
nmap -oX report.xml <host>

Combos

# SYN scan with service version detection (raw SYN scans need root, hence sudo)
sudo nmap -sS -sV <host> --stats-every 5s
# Scan all ports with a fast timing template
nmap -p 1-65535 -T4 <host> --stats-every 5s

Resources