Flags

  • -p: specify port (-p- all ports, -p1-100 ports 1 through 100, -p1,6,7 ports 1, 6, and 7, -p1-100,102 ports 1 through 100 and 102)
  • -Pn: skip host discovery
  • -sV: probe open ports for service and version detection
  • -sL: list targets to scan (don’t send any packets)
  • -sn: ping sweep (host discovery only, no port scan)
  • -A: OS and version detection, script scanning, and traceroute
  • -sU: UDP scan

Syntax tips

  • -p-: scan all ports (1-65535)
  • 192.168.1.0/24: scan subnet
  • 192.168.1.*: scan with wildcard (similar to subnet)
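As an added example (not part of the original note), a small POSIX shell function that expands an nmap-style -p port specification exactly as the syntax above describes it (a single port, an inclusive range, comma-separated pieces, and a bare - for all 65535 ports) and rejects anything outside 1-65535. The function names expand_ports and count_ports are my own; nmap itself does the same validation internally, so this is only for checking a spec before it goes into a long scan.

```shell
#!/bin/sh
# Added example: expand an nmap -p port spec into one port per line.
# Accepts "N", "A-B", comma-separated combinations such as "1-100,102",
# and "-" meaning every port (1-65535). Returns 1 on a malformed spec,
# a port outside 1-65535, or a range whose start exceeds its end.
expand_ports() {
  spec="$1"
  if [ "$spec" = "-" ]; then
    spec="1-65535"
  fi
  old_ifs=$IFS
  IFS=','
  for part in $spec; do
    IFS=$old_ifs
    case "$part" in
      *-*) start=${part%-*}; end=${part#*-} ;;   # inclusive range A-B
      *)   start=$part;      end=$part ;;        # single port N
    esac
    # both ends must be non-empty and purely numeric
    case "$start" in ''|*[!0-9]*) echo "bad port spec: $part" >&2; return 1 ;; esac
    case "$end"   in ''|*[!0-9]*) echo "bad port spec: $part" >&2; return 1 ;; esac
    if [ "$start" -lt 1 ] || [ "$end" -gt 65535 ] || [ "$start" -gt "$end" ]; then
      echo "port spec out of range: $part" >&2
      return 1
    fi
    i=$start
    while [ "$i" -le "$end" ]; do
      echo "$i"
      i=$((i + 1))
    done
  done
  IFS=$old_ifs
  return 0
}

# Convenience wrapper: how many ports a spec covers (useful for judging
# how long -p- versus a narrow list will take).
count_ports() {
  expand_ports "$1" | wc -l | tr -d ' '
}
```

Usage: `expand_ports '1-100,102'` prints 101 lines; `count_ports -` prints 65535; `expand_ports '0-5'` prints an error and returns 1 because port 0 is outside the valid range.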

Todo

Commands I’ve run in the past (pulled from my zsh_history) that I have not yet documented.

nmap -sX 192.168.1.*
nmap -p 1-65535 -T4 -A -v 10.0.0.107