The following table lists frequently used Nmap parameters along with their descriptions in an academic context.
| Parameter | Description |
|---|---|
| -sT | TCP connect() scan. This method records a large number of connection requests and error messages in the target host’s logs. |
| -sS | Half-open scan. Few systems log this activity; however, root privileges are required. |
| -sF, -sN | Stealth FIN packet scan, Xmas Tree scan, and Null scan modes. |
| -sP | Ping scan. Nmap employs a ping scan by default when scanning ports; only if the host is alive will Nmap continue scanning. |
| -sU | UDP scan. UDP scans are inherently unreliable. |
| -sA | This advanced scanning method is typically used to traverse firewall rule sets. |
| -sV | Probe port service versions. |
| -Pn | Ping is not required prior to scanning. Some firewalls block ping commands; this option can be used to bypass that restriction. |
| -v | Display the scanning process. Recommended for verbose output. |
| -h | Help option. Provides the clearest and most comprehensive help documentation. |
| -p | Specify ports, for example: 1-65535, 1433, 135, 22, 80, etc. |
| -O | Enable remote operating system detection. False positives may occur. |
| -A | Comprehensive system detection, enabling script detection and advanced scanning. |
| -oN / -oX / -oG | Write the report to a file in three respective formats: normal, XML, and grepable. |
| -T4 | For TCP ports, disable dynamic scan delays exceeding 10 ms. |
| -iL | Read a list of hosts from a file, for example: -iL C:\ip.txt. |

Practical Examples

Scan open ports on a specified IP address:

nmap -sS -p 1-65535 -v XXX.XXX.XXX.XXX

Scan live hosts in a /24 subnet:

nmap -sP XXX.XXX.XXX.XXX/24

Scan specific ports:

nmap -p 80,1433,22,1521 XXX.XXX.XXX.XXX

Detect the host operating system:

nmap -O XXX.XXX.XXX.XXX

Comprehensive system detection:

nmap -v -A XXX.XXX.XXX.XXX

Note: By default, Nmap scans 1,000 high-risk ports.

Scan a specified IP range:

nmap XXX.XXX.XXX.XXX-XXX

Penetrate a firewall for scanning (when ping is blocked):

nmap -Pn -A XXX.XXX.XXX.XXX

Use a script to scan web-sensitive directories:

nmap -p 80 --script=http-enum.nse XXX.XXX.XXX.XXX
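
As an added example (not part of the original post), the grepable report written by -oG can be parsed into a per-host list of open ports and compared against an approved baseline, which is how scan results usually feed an asset inventory. The sample report, the baseline and the function names `parse_grepable` and `unexpected` are constructed for illustration.

```python
import re

# Constructed sample in the layout Nmap writes with -oG. Addresses are
# RFC 5737 documentation addresses, not real scan results.
SAMPLE_OG = (
    "# Nmap scan initiated as: nmap -sS -sU -sV -oG scan.gnmap 192.0.2.0/30\n"
    "Host: 192.0.2.1 (gw.example.test)\tStatus: Up\n"
    "Host: 192.0.2.1 (gw.example.test)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, "
    "80/open/tcp//http//nginx/, 443/closed/tcp//https///\t"
    "Ignored State: filtered (997)\n"
    "Host: 192.0.2.2 ()\tStatus: Up\n"
    "Host: 192.0.2.2 ()\tPorts: 53/open|filtered/udp//domain///, "
    "1433/open/tcp//ms-sql-s///\n"
    "# Nmap done\n"
)

HOST_RE = re.compile(r"^Host: (\S+) \((.*?)\)")

def parse_grepable(text):
    """Return {ip: [(port, proto, service, version), ...]} for state 'open' only."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:                      # skips '#' comment lines and blanks
            continue
        ip = m.group(1)
        for field in line.split("\t")[1:]:
            if not field.startswith("Ports: "):
                continue               # 'Status:' and 'Ignored State:' fields
            for entry in field[len("Ports: "):].split(", "):
                parts = entry.strip().split("/")
                if len(parts) < 7:
                    continue           # malformed entry, ignore it
                port, state, proto, _owner, service, _rpc, version = parts[:7]
                # 'open|filtered' (common for UDP) is ambiguous, so it is
                # deliberately not counted as open.
                if state == "open":
                    hosts.setdefault(ip, []).append(
                        (int(port), proto, service, version))
    return hosts

def unexpected(hosts, baseline):
    """List (ip, port, proto) found open but absent from the approved baseline."""
    return sorted((ip, port, proto)
                  for ip, ports in hosts.items()
                  for port, proto, _svc, _ver in ports
                  if (port, proto) not in baseline.get(ip, set()))

if __name__ == "__main__":
    found = parse_grepable(SAMPLE_OG)
    approved = {"192.0.2.1": {(22, "tcp"), (80, "tcp")}}  # constructed baseline
    print(found)
    print(unexpected(found, approved))
```

Splitting on ", " assumes no service version string contains that sequence; for reports where that matters, the XML output from -oX is the more robust input.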