Discover the hosts connected to a network, or list the open ports on a single host (each command below takes the target host or range as its final argument):

nmap -sV -sC -oN scan.output


  • nmap -sP
    • Ping scan
  • nmap -sT
    • TCP connect scan of the most common ports
  • nmap -sU
    • scan most common UDP ports
  • nmap -sS
    • SYN (stealth) scan
  • nmap -sA
    • ACK scan
  • nmap -sF
    • FIN scan
  • nmap -sI
    • IDLE scan
  • nmap -sL
    • List scan: reverse-DNS lookup of each target, no ports probed
  • nmap -sN
    • NULL scan
  • nmap -sO
    • Protocol scan
  • nmap -sR
    • RPC scan
  • nmap -sW
    • TCP Window scan
  • nmap -sX
    • XMAS scan
  • nmap -p-
    • scan all 65535 ports (takes some time)
  • nmap -p2000-3000
    • scan range of ports
  • nmap -O
    • guess the Operating System
  • nmap -A
    • Aggressive scan: OS detection, version detection, default scripts and traceroute (takes a lot of time)
  • nmap -F
    • Fast scan
  • nmap -sV
    • service Version detection
  • nmap -sn
    • Ping only scan
  • nmap -Pn
    • Do not ping; treat every host as up.
  • nmap --traceroute
    • Traceroute
  • nmap -R
    • force Reverse DNS
  • nmap -T4
    • Timing template 4 (aggressive, more parallelism); templates range from 0 (paranoid) to 5 (insane)
  • nmap -oA
    • All outputs
  • nmap -oX
    • XML output format
  • nmap -oN
    • Normal output
  • nmap -oN outputFile
    • Saves the output to a file using normal output.
    • Alternatively -oX for XML, -oS for script-kiddie style, -oG for grepable output, and -oA for all three formats at once.
  • nmap -sC
    • Script scan using the default category, equivalent to --script=default.

Nmap Script Engine (NSE)

  • safe: won't affect the target
  • intrusive: not safe, likely to affect the target
  • vuln: scan for vulnerabilities
  • exploit: attempt to exploit a vulnerability
  • auth: attempt to bypass authentication for running services (e.g. log in to an FTP server anonymously)
  • brute: attempt to brute-force credentials for running services
  • discovery: attempt to query running services for further information about the network (e.g. query an SNMP server)


  • ndiff -v scan2.xml scan1.xml
    • verbosely compares two XML output files
  • ndiff --xml scan2.xml scan1.xml
    • writes the comparison as XML

Take a list of networks from a file and scan them all with Nmap, 10 scans in parallel:

cat networks_list.txt | xargs -I CMD -P 10 nmap -sT -sV -sC -n -vvv -Pn -oX - CMD

Check for vulnerabilities using the Nmap Scripting Engine (the vuln category):

sudo nmap --script vuln

Zenmap is the official GUI for Nmap. See [Link]