Technotes for future me


nmap commands

Scan a Single Host or an IP Address

Scan a Single IP Address:


Scan a Host Name:


Increase Verbosity Level:

    nmap -v
    nmap -vv

Scan Multiply IP Addresses

Scan Multiple IP Addresses:


Scan a Subnet:

    nmap 192.168.1.*

Scan a Range of IP Addresses ( –


Scan Network for Active Computers

Scan for Active Hosts on a network:

    nmap -sn

Scan a List of Hosts From Input File

Scan hosts/networks from the Input File:

    nmap -iL input.txt

Format of the input file:

    # Entries can be in any of the formats accepted by Nmap on the command line
    # (IP address, hostname, CIDR, IPv6, or octet ranges). Each entry must be separated
    # by one or more spaces, tabs, or newlines.

    $ cat input.txt,2,3

Exclude IP/Hosts/Networks From Nmap Scan

Exclude Targets from Nmap scan:

    nmap --exclude
    nmap --exclude
    nmap --exclude,2,3

Exclude List of hosts from a file:

    nmap --excludefile exclude.txt

Format of the exclude file is the same as format of the input file shown above.

Scan For Specific Ports

Scan for a Single Port:

    nmap -p 80

Scan for Several Ports:

    nmap -p 80,443

Scan for a Port Range:

    nmap -p 80-1000

Scan for All Ports:

    nmap -p "*"

Scan for top most Common Ports:

    nmap --top-ports 5
    nmap --top-ports 10

Determine Supported IP Protocols

Determine which IP Protocols (TCP, UDP, ICMP, etc.) are supported by target host:

    nmap -sO

Scan For TCP/UDP Ports

Scan for All TCP Ports:

    nmap -sT

Scan for Particular TCP Ports:

    nmap -p T:80

Scan for All UDP Ports:

    nmap -sU

Scan for Particular UDP Ports:

    nmap -p U:53

Combine scanning of different ports:

    nmap -p U:53,79,113,T:21-25,80,443,8080

Perform a Fast Scan

Enable Fast Mode:

    nmap -F

Scan fewer ports than the default scan.

Display the Reason a Port is in a Particular State

Display the Reason why Nmap thinks that a port is in a particular state:

    nmap --reason

Show Only Open Ports

Show Only Open Ports (or possibly open):

    nmap --open

OS Detection

One of Nmap’s best-known features is remote OS detection using TCP/IP stack fingerprinting. Nmap sends a series of TCP and UDP packets to the remote host and examines the responses.

After performing dozens of tests, Nmap compares the results to its database and prints out the OS details if there is a match.

Turn on OS Detection:

    nmap -O

Service Version Detection

Turn on Version Detection:

    nmap -sV

Discover what version of software is running on a remote host.

Firewall Detection

Find out if a host is protected by any Packet Filters or Firewall:

    nmap -sA

MAC Address Spoofing

Spoof your MAC Address:

    nmap --spoof-mac 00:11:22:33:44:55

Spoof your MAC Address with a Random MAC:

    nmap --spoof-mac 0

Scan a Firewall For Security Vulnerabilities

These three scan types exploit a subtle loophole in the TCP RFC to differentiate between open and closed ports. When scanning systems compliant with this RFC, any packet not containing SYN, RST, or ACK bits will result in a returned RST if the port is closed and no response at all if the port is open.

As long as none of those three bits are included, any combination of the other three (FIN, PSH, and URG) are OK.

TCP Null Scan:

    nmap -sN

Don’t set any bits (TCP flag header is 0).

TCP Fin Scan:

    nmap -sF

Set just the TCP FIN bit.

TCP Xmas Scan:

    nmap -sX

Set the FIN, PSH and URG flags (lighting the packet up like a Christmas tree).

Stealthy Scan


    nmap -sS

Well known as a half-open scanning, as it doesn’t open a full TCP connection.

Disable Host Discovery (No Ping)

Don’t ping host before scanning:

    nmap -Pn

Disable DNS Resolution

Never do reverse DNS Resolution on the active IP addresses it finds:

    nmap -n

Save Output of Nmap Scan to a File

Save output of Nmap scan to a TEXT File:

    nmap > output.txt
    nmap -oN output.txt

Save output of Nmap scan to an XML File:

    nmap -oX output.xml

    # Network scan
    nmap -sP

    # Host scan
    nmap <ip>
    nmap -F <ip>      # fast
    nmap -O <ip>     # detect OS
    nmap -sV <ip>     # detect services and versions
    nmap -sU <ip>     # detect UDP services

    # Alternative host discovery
    nmap -PS <ip>     # TCP SYN scan
    nmap -PA <ip>     # TCP ACK scan
    nmap -PO <ip>     # IP ping
    nmap -PU <ip>     # UDP ping

    # Alternative service discovery
    nmap -sS <ip>      
    nmap -sT <ip>
    nmap -sA <ip>
    nmap -sW <ip>

    # Checking firewalls
    nmap -sN <ip>
    nmap -sF <ip>
    nmap -sX <ip>

Basic syntax

dig Hostname
dig DomaiNameHere
dig @DNS-server-name Hostname
dig @DNS-server-name IPAddress
dig @DNS-server-name Hostname|IPAddress type

List of DNS record types

AIPv4 IP address192.168.1.5 or
AAAAIPv6 IP address2607:f0d0:1002:51::4
CNAMECanonical name record (Alias) is an alias is an alias for nothing
MXEmail server host or
NSName (DNS) server
PTRPointer to a canonical name. Mostly used for implementing reverse DNS
SOAAuthoritative information about a DNS zonesee below
TXTText recordsee below

query a different nameserver

dig @DNS-server-name Hostname
dig @DNS-server-name IPAddress

select the DNS query type

dig Hostname|IPAddress type
dig @ns-server-here Hostname|IPAddress type
dig Hostname|IPAddress type
dig [+options] @ns-server-here Hostname|IPAddress type


dig +short A

Set IPv4 or IPv6 query transport mode

dig -4 query ...
dig -6 query ...

Specify port number for dns query

dig -p {PORT} query
dig -p 53 @


Last updated on 21 May 2021
Published on 24 Apr 2020
Edit on GitHub