Top 15 Nmap Commands for Hackers

Introduction

Nmap (Network Mapper) is a fundamental reconnaissance tool used to discover hosts, open ports, services, and operating systems on a network. This blog presents the 15 most useful Nmap commands for beginners, each explained in plain language with practical examples. Run scans only on systems you own or have explicit permission to test.

1. Ping scan (host discovery): nmap -sn <target>

What it does: Performs host discovery (also called a ping sweep). Nmap sends probes to find which IPs are online without scanning ports.

Why it matters: Before scanning ports, you often want to know which addresses are active. This saves time and avoids unnecessary scans.

When to use: Map live hosts in a subnet quickly.

Example:

nmap -sn 161.248.122.70/24

2. Basic TCP scan: nmap <target>

What it does: Scans the most common 1,000 TCP ports on a target host and reports which ports are open, closed, or filtered.

Why it matters: This is the simplest and most common starting point. It shows you the 'surface' of a host and is a good first step before deeper scans.

When to use: Use it to quickly see what services might be running on a host. Always confirm you have permission to scan.

Example:

nmap 161.248.122.70

3. Service & version detection: nmap -sV <target>

What it does: After finding open ports, Nmap probes those ports to determine the service name and often the service version.

Why it matters: Knowing the exact service and version helps you identify vulnerable software versions and pick the right follow-up tests.

When to use: Use this when you need more detail about a discovered service.

Example:

nmap -sV 161.248.122.70

4. Stealthy SYN scan: nmap -sS <target>

What it does: Sends a TCP SYN packet (the first step of the TCP handshake) to each port and examines the reply, then sends a RST so the handshake never completes. It's faster and quieter than a full connect scan.

Why it matters: Because no connection is ever completed, application-level logs on the target usually do not record the probe, so SYN scans are less noisy than full connect scans and are the usual choice during penetration testing.

When to use: Use when you need a faster scan that draws less attention than a full connect scan.

Example:

nmap -sS 161.248.122.70

5. Operating system detection: nmap -O <target>

What it does: Uses TCP/IP stack fingerprinting and other signals to guess the target's operating system (e.g., Linux, Windows, device type).

Why it matters: OS information narrows down possible vulnerabilities and helps you choose the right tools/techniques.

When to use: Run on hosts where you need context about platform or when triaging a larger network.

Example:

nmap -O 161.248.122.70

6. Aggressive scan (combined): nmap -A <target>

What it does: Enables OS detection, version detection, default scripts, and traceroute all at once.

Why it matters: Provides a comprehensive view in one command; useful for learning and quick assessments, but it is noisy.

When to use: Good for a one-shot deep look in a lab or on systems you control.

Example:

nmap -A 161.248.122.70

7. Default script scan: nmap -sC <target>

What it does: Runs Nmap's default script set (NSE) which gathers additional service-level information such as banner grabs and simple vulnerability checks.

Why it matters: Scripts can reveal useful details beyond port and version, like HTTP titles, SSL cert info, or trivial vulnerabilities.

When to use: Combine with -sV to get richer output.

Example:

nmap -sC 161.248.122.70

8. Run a specific Nmap script: nmap --script=<script> <target>

What it does: Executes one or more NSE scripts by name, for targeted checks (for example, http-title or ssl-cert).

Why it matters: Scripts let you tailor scans - run only the checks you trust or need.

When to use: When a specific script matches your goal (e.g., checking for Heartbleed with a vuln script).

Examples:

nmap --script=http-title 161.248.122.70
nmap --script=ssl-cert 161.248.122.70

9. Save output to readable text: nmap -oN <file> <target>

What it does: Writes the scan output to a plain text file using Nmap's normal output format.

Why it matters: Keeping records is essential: the file preserves results for reports, sharing, or later analysis.

When to use: Always save important scans; it's easier to compare and document findings.

Example:

nmap -oN results.txt 161.248.122.70

10. Save output in XML (machine-readable): nmap -oX <file> <target>

What it does: Writes results in XML that other tools can parse.

Why it matters: XML output integrates with reporting tools, parsers, and dashboards.

When to use: Use when exporting scan data to analysis tools or scripts.

Example:

nmap -oX results.xml 161.248.122.70
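The XML produced by -oX is what most reporting pipelines consume. The following is an added example (not part of the original post and not Nmap's own code) that parses a report and lists the open ports, services and --reason codes per live host. The embedded document is a constructed sample laid out the way Nmap emits it (nmaprun > host > status/address/ports > port > state/service); the addresses and product versions in it are placeholders.

```python
"""Summarise an Nmap -oX report: live hosts, their open ports and services.

Added example, not part of the original post. SAMPLE_XML is a constructed
document in the layout Nmap actually writes; addresses and versions are
placeholders, not scan results.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<nmaprun scanner="nmap" args="nmap -sV -oX results.xml 10.0.0.0/30" start="0" version="7.94">
  <host>
    <status state="up" reason="echo-reply"/>
    <address addr="10.0.0.1" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack" reason_ttl="64"/>
        <service name="ssh" product="OpenSSH" version="8.9p1"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack" reason_ttl="64"/>
        <service name="http" product="nginx" version="1.24.0"/>
      </port>
      <port protocol="tcp" portid="443">
        <state state="closed" reason="reset" reason_ttl="64"/>
        <service name="https"/>
      </port>
    </ports>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="10.0.0.2" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


@dataclass(frozen=True)
class OpenPort:
    host: str
    port: int
    proto: str
    service: str
    product: str
    version: str
    reason: str      # the same code that --reason prints, stored as an attribute


def parse_open_ports(xml_text: str) -> list[OpenPort]:
    """Return one record per open port on every host Nmap reported as up."""
    root = ET.fromstring(xml_text)
    if root.tag != "nmaprun":
        raise ValueError("not an Nmap XML report")
    found: list[OpenPort] = []
    for host in root.iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue                      # down hosts carry no <ports> element
        addr = host.find("address[@addrtype='ipv4']") or host.find("address")
        ip = addr.get("addr") if addr is not None else "?"
        for port in host.iterfind("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue                  # skip closed and filtered ports
            svc = port.find("service")
            found.append(OpenPort(
                host=ip,
                port=int(port.get("portid")),
                proto=port.get("protocol", "tcp"),
                service=svc.get("name", "") if svc is not None else "",
                product=svc.get("product", "") if svc is not None else "",
                version=svc.get("version", "") if svc is not None else "",
                reason=state.get("reason", ""),
            ))
    return found


def summarise(xml_text: str) -> dict[str, list[str]]:
    """Map each live host to 'port/proto service product version' lines."""
    out: dict[str, list[str]] = {}
    for p in parse_open_ports(xml_text):
        label = f"{p.port}/{p.proto} {p.service} {p.product} {p.version}".rstrip()
        out.setdefault(p.host, []).append(label)
    return out


if __name__ == "__main__":
    for host, lines in summarise(SAMPLE_XML).items():
        print(host)
        for line in lines:
            print("  " + line)
```

To run it against a real report, replace SAMPLE_XML with the contents of the results.xml file written by the -oX command above; the element names and attributes used here are the ones Nmap's XML output defines.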

11. Scan multiple targets from a list: nmap -iL <file> -oN <out>

What it does: Nmap reads targets (hostnames, IPs, or ranges) from a file and scans all of them in one run.

Why it matters: Essential for scanning labs, subnets, or many hosts without typing each address.

When to use: Prepare a hosts file and scan an entire set in one command.

Example:

nmap -iL hosts.txt -oN combined-results.txt

12. Scan a specific port or range: nmap -p <port(s)> <target>

What it does: Restricts the scan to specific ports (single, comma-separated list, or ranges like 1-100).

Why it matters: Faster and focused scanning when you know which services matter.

When to use: Check a single service (e.g., SSH on port 22) or a small range rapidly.

Examples:

nmap -p 22 161.248.122.70
nmap -p 1-100 161.248.122.70
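The -p argument is a small language of its own, and wrapper scripts that build Nmap command lines often need to validate or normalise it. The following added example (not part of the original post and not Nmap's own code) expands a -p specification into the concrete port sets it selects and does the reverse, compressing a set of ports back into the shortest list Nmap accepts. It goes slightly beyond what the page shows: besides single ports, lists and dash ranges, it handles open-ended ranges such as 1024- and the T:/U: protocol prefixes that Nmap's -p syntax also accepts.

```python
"""Expand an Nmap -p port specification into the concrete ports it selects.

Added example, not part of the original post and not Nmap's own code. It
follows the -p syntax Nmap documents: single ports, comma-separated lists,
dash ranges such as 1-100 (either end may be omitted, meaning 1 or 65535),
and T:/U: prefixes that switch the protocol for the items that follow.
"""
import re

_ITEM = re.compile(r"^(\d*)(-?)(\d*)$")


def _parse_item(item: str) -> tuple[int, int]:
    """Turn one item ('22', '1-100', '1024-', '-') into an inclusive (lo, hi) range."""
    m = _ITEM.match(item)
    if not item or not m:
        raise ValueError(f"bad port item: {item!r}")
    lo_s, dash, hi_s = m.groups()
    if dash:
        lo = int(lo_s) if lo_s else 1          # '-100' means 1-100
        hi = int(hi_s) if hi_s else 65535      # '1024-' means 1024-65535
    else:
        lo = hi = int(lo_s)
    if not 1 <= lo <= hi <= 65535:
        raise ValueError(f"port range out of order or out of bounds: {item!r}")
    return lo, hi


def expand_port_spec(spec: str) -> dict[str, set[int]]:
    """Return {'tcp': set, 'udp': set}. Items are TCP until a U: prefix is seen."""
    selected: dict[str, set[int]] = {"tcp": set(), "udp": set()}
    proto = "tcp"
    for item in spec.strip().split(","):
        if item[:2].upper() in ("T:", "U:"):
            proto = "tcp" if item[0].upper() == "T" else "udp"
            item = item[2:]
        lo, hi = _parse_item(item)
        selected[proto].update(range(lo, hi + 1))
    return selected


def compact_port_spec(ports: set[int]) -> str:
    """Inverse operation: render a set of ports as the shortest -p list."""
    if not ports:
        return ""
    out: list[str] = []
    ordered = sorted(ports)
    start = prev = ordered[0]
    for p in ordered[1:] + [None]:            # None flushes the final run
        if p is not None and p == prev + 1:
            prev = p
            continue
        out.append(str(start) if start == prev else f"{start}-{prev}")
        if p is not None:
            start = prev = p
    return ",".join(out)


if __name__ == "__main__":
    for spec in ("22", "1-100", "T:21-25,80,U:53"):
        sets = expand_port_spec(spec)
        print(spec, "->", len(sets["tcp"]), "tcp ports,", len(sets["udp"]), "udp ports")
    print(compact_port_spec({21, 22, 23, 24, 25, 80}))
```

Validating the specification before it reaches the command line is cheap insurance: a reversed range or a port above 65535 is rejected here with a clear message instead of failing inside Nmap, and the compaction step keeps generated command lines readable when a tool has assembled its own port list.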

13. Fast scan (top ports): nmap -F <target>

What it does: Scans the top 100 most commonly used ports instead of the default 1,000.

Why it matters: Faster snapshot when you need quick reconnaissance.

When to use: Speed-first checks or when time is limited.

Example:

nmap -F 161.248.122.70

14. Show reason for each port state: nmap --reason <target>

What it does: Adds explanation codes to output, indicating why Nmap labeled a port as open, closed, or filtered.

Why it matters: Helpful for beginners to learn how Nmap interprets responses and for troubleshooting.

Example:

nmap --reason 161.248.122.70
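The --reason codes are easiest to understand once you see the decision rules behind them, which are the same rules the SYN scan in item 4 applies to each reply. The following added example (not part of the original post and not Nmap's own code) models those rules for a SYN scan: SYN/ACK means open, RST means closed, an ICMP destination-unreachable error or no reply after retries means filtered, and each outcome carries the reason string Nmap prints for it. The reason names follow Nmap's own naming; the reply records are constructed samples, not captured traffic, and the report lines omit the service column that real output includes.

```python
"""Classify SYN-scan (-sS) replies the way Nmap does and attach --reason codes.

Added example, not part of the original post and not Nmap's own code. The
rules mirror what Nmap documents for SYN scans; the sample replies are
constructed, not captured.
"""
from dataclasses import dataclass
from typing import Optional

# ICMP type 3 (destination unreachable) codes that a SYN scan reports as
# "filtered", keyed to the reason string Nmap prints for each.
ICMP_UNREACH_REASONS = {
    0: "net-unreach",
    1: "host-unreach",
    2: "proto-unreach",
    3: "port-unreach",
    9: "net-prohibited",
    10: "host-prohibited",
    13: "admin-prohibited",
}


@dataclass(frozen=True)
class Reply:
    """One reply to a SYN probe. kind is 'tcp' or 'icmp'; None means no reply."""
    kind: Optional[str]
    tcp_flags: str = ""      # e.g. "SA" for SYN/ACK, "R" or "RA" for a reset
    icmp_type: int = -1
    icmp_code: int = -1


def classify_syn_reply(reply: Optional[Reply]) -> tuple[str, str]:
    """Return (port_state, reason) as 'nmap -sS --reason' would print them."""
    if reply is None or reply.kind is None:
        # Nothing came back after Nmap's retransmissions: a firewall is
        # probably dropping the probe, so the state is filtered.
        return "filtered", "no-response"
    if reply.kind == "tcp":
        flags = set(reply.tcp_flags.upper())
        if "R" in flags:
            return "closed", "reset"
        if {"S", "A"} <= flags:
            # The port answered the handshake. Nmap immediately sends a RST
            # to tear down the half-open connection, which is why the probe
            # rarely shows up in application logs.
            return "open", "syn-ack"
    elif reply.kind == "icmp" and reply.icmp_type == 3:
        reason = ICMP_UNREACH_REASONS.get(reply.icmp_code)
        if reason is not None:
            return "filtered", reason
    raise ValueError(f"reply outside the modelled SYN-scan rules: {reply}")


def syn_scan_report(replies: dict[int, Optional[Reply]]) -> list[str]:
    """Render 'port/tcp state reason' lines in port order."""
    lines = []
    for port in sorted(replies):
        state, reason = classify_syn_reply(replies[port])
        lines.append(f"{port}/tcp {state} {reason}")
    return lines


# Constructed replies for five probed ports (not real traffic).
SAMPLE_REPLIES: dict[int, Optional[Reply]] = {
    22: Reply("tcp", "SA"),                          # listening service
    23: Reply("tcp", "RA"),                          # nothing listening
    80: Reply("tcp", "SA"),
    135: Reply("icmp", icmp_type=3, icmp_code=13),   # filtered by an ACL
    443: None,                                       # silently dropped
}


if __name__ == "__main__":
    for line in syn_scan_report(SAMPLE_REPLIES):
        print(line)
```

Reading real --reason output with these rules in mind tells you more than the state alone: "filtered admin-prohibited" means a device actively refused the probe and said so, while "filtered no-response" means the packet was dropped without comment, which is the behaviour a default-deny firewall presents to a scanner.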

15. Packet trace (show raw packets): sudo nmap --packet-trace <target>

What it does: Prints the actual packets Nmap sends and receives during the scan.

Why it matters: Great for learning and debugging; see lower-level behavior and understand how probes work.

When to use: Study mode, debugging, or advanced learning.

Example:

sudo nmap --packet-trace 161.248.122.70

Safety & Ethics

Nmap is a powerful tool. Always scan only systems you own or have explicit permission to test. Unauthorized scanning may be illegal or get you blocked. Use --reason and --packet-trace to learn, but do not use intrusive scripts on production systems without approval. Document your scans and keep scan logs for any authorized engagement.