

1. Getting started with Nmap

2. Nmap scripting engine (NSE)

3. GUI interface for Nmap: ZenMap


1. Getting started with Nmap


>default scan: covers the 1000 most commonly used ports

nmap -sP 10.1.1.*

>ping scan (host discovery only, no port scan)

nmap -sS -p0 -sV -O

>sS: TCP SYN scan (looking for TCP services)

>p0: protocol scan (protocol 0 means all protocols)

>sV: show version of OS

>O: detect the operating system

nmap -T5

>T5 is faster than T1 (timing template 5 is faster than timing template 1)

nmap --top-ports 20

>only scan the 20 ports most likely to be open

nmap -sT -p80

>Let's find out who's running web services

>sT: TCP connect scan

>p80: only look at port 80
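As an added example (not part of the original notes), here is a small Python parser for Nmap's grepable output (-oG) that answers the "who's running web services" question by listing the hosts where a given port is reported open. The sample output and the addresses in it are constructed for the example, not real scan results.

```python
"""Parse Nmap grepable (-oG) output and report hosts exposing a given port."""
import re
from collections import defaultdict

# Constructed sample of what `nmap -sS -p80,443 -oG - 10.1.1.0/24` might print.
# Not real scan data; the addresses only reuse the page's example range.
SAMPLE_OG = """\
# Nmap 7.94 scan initiated as: nmap -sS -p80,443 -oG - 10.1.1.0/24
Host: 10.1.1.5 ()\tStatus: Up
Host: 10.1.1.5 ()\tPorts: 80/open/tcp//http///, 443/closed/tcp//https///\tIgnored State: filtered (998)
Host: 10.1.1.9 ()\tStatus: Up
Host: 10.1.1.9 ()\tPorts: 80/filtered/tcp//http///, 443/open/tcp//https//nginx 1.18.0/
Host: 10.1.1.12 ()\tStatus: Down
# Nmap done at ... -- 256 IP addresses (2 hosts up) scanned
"""

# One -oG port entry: port/state/protocol/owner/service/rpc_info/version/
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/")


def parse_grepable(text):
    """Return {host: [(port, state, proto, service, version), ...]} from -oG text."""
    hosts = defaultdict(list)
    for line in text.splitlines():
        # Comment lines and "Status:" lines carry no port information.
        if line.startswith("#") or "\tPorts:" not in line:
            continue
        fields = dict(f.split(": ", 1) for f in line.split("\t"))
        host = fields["Host"].split()[0]          # drop the "(hostname)" part
        for m in PORT_RE.finditer(fields["Ports"]):
            port, state, proto, _owner, service, _rpc, version = m.groups()
            hosts[host].append((int(port), state, proto, service, version))
    return dict(hosts)


def hosts_with_open_port(text, port, proto="tcp"):
    """Hosts where `port` is reported open, e.g. port 80 for web services."""
    return sorted(
        host for host, ports in parse_grepable(text).items()
        if any(p == port and s == "open" and pr == proto for p, s, pr, _, _ in ports)
    )


if __name__ == "__main__":
    print("Hosts with port 80 open:", hosts_with_open_port(SAMPLE_OG, 80))
```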

nmap -sS -D,

>sS: TCP SYN scan

>D: decoy, so that the victim also thinks you are coming from two additional source IPs or


nmap -v

>verbose output

nmap -F --exclude,

>F: fast mode (only scan the top 100 ports)

nmap -Pn

>skip the ping scan (host discovery)


nmap -6 2001:db8:6783:1::1

>scan IPv6 address; you need to enable an IPv6 interface on your box

>To add an IPv6 address: "ifconfig eth0 inet6 add 2001:db8:6783:1::2/64"


nmap --iflist

>show your own interfaces and routing information so that you know which networks you can scan against

2. NSE: a collection of scripts to get even more detailed information about the hosts

2.1 Default scripts


nmap --script=default

>same as nmap -sC: run the default script set

2.2 Try script help option

nmap --script-help discovery

>show the help text for the discovery script category

2.3 Combine script categories


nmap --script "safe or default"

>combine script categories

>safe: meaning it’s not likely to bring down the target’s system

nmap --script "discovery and version"

nmap -A -T4

>A: aggressive scan; turns on a bunch of options at once

>T4: timing template 4 (fast)

3. ZenMap

Scan a single host

Scan a network

You can create your own profile: 
