# Port Scanning with Nmap Nmap is easily one of the most popular penetration testing tools. While it started as a simple port scanner, the tool has grown immensely and is now performs multiple functions. Knowing how to utilize Nmap's options to produce the desired level of detail in your scans is incredibly useful. Below are some example scan commands, as well as a list of the most commonly used options. #### My preferred scans ``` Quick/standard scan: nmap -sC -sV 10.11.1.5 Deep scan: nmap -p- -sC -sV 10.11.1.5 UDP scan: nmap -sU -F 10.11.1.5 ``` #### Scan types ``` -sT = TCP connect scan -sS = TCP SYN (stealth) scan -sU = UDP scan -sn = host discovery only (no port scan) -sN = null scann (no flags set, may help on firewalled systems) -sX = Xmas tree scan (FIN, PSH, URG flags) ``` #### Other important flags ``` -sC = runs default scripts -sV = attempts to identify the version of the service running on a port -O = attempts OS detection using TCP/IP fingerprinting -A = includes -sC, -sV, -O -p = used to specify ports -p- = scans all ports, not just top 1,000 default ports --top-ports=20 = will scan the top 20 ports, number can be specified -Pn = skip host discovery and scan all addresses -T = enables timing options (0-5, default:3) -v = increases the verbosity, nmap will print results while scan is in progress ``` #### Input list of hosts from file ``` -iL = scans list of IP addresses contained in a txt file ``` #### Outputting scan results ``` -oN = outputs results in normal txt format -oG = outputs results in greppable format -oX = outputs results in XML format -oS = outputs results in script kiddie format -oA = outputs results in all formats ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://notes.oncyberwar.com/2.-scanning/port-scanning-with-nmap.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.