Introduction
Nmap is hands-down one of the most versatile tools in a pentester’s toolkit. Whether you’re doing basic host discovery or detailed OS detection, knowing your way around Nmap’s options can make a huge difference. This guide breaks down the essential flags and usage examples that I’ve relied on while studying for CPTS and during CTF challenges.
Network Enumeration with Nmap
Scanning Options
| Option | Description |
|---|---|
| 10.10.10.0/24 | Target network range. |
| -sn | Host discovery only, no port scan. |
| -Pn | Treat all hosts as online (skip ping). |
| -n | Disable DNS resolution. |
| -PE | Use ICMP Echo Request ping. |
| --packet-trace | Print all sent/received packets. Useful for debugging. |
| --reason | Show reasons why ports are in a certain state. |
| --disable-arp-ping | Prevent ARP ping, useful on non-Ethernet targets. |
| --top-ports <num> | Scan top N most common ports (e.g. --top-ports 100). |
| -p- | Scan all 65535 TCP ports. |
| -p22-110 | Scan specific port ranges. |
| -p22,25 | Scan specific ports only. |
| -F | Fast scan using the top 100 ports. |
| -sS | TCP SYN scan (stealthy and fast). |
| -sA | TCP ACK scan (for firewall rule testing). |
| -sU | UDP scan. Slow but necessary sometimes. |
| -sV | Detect service versions. |
| -sC | Use default scripts for common checks. |
| --script <script> | Run a specific script (e.g. --script http-title). |
| -O | OS detection. |
| -A | Aggressive scan: OS, version, script, and traceroute. |
| -D RND:5 | Use 5 random decoys to obfuscate source. |
| -e <iface> | Specify interface for scan (e.g. tun0). |
| -S 10.10.10.200 | Spoof source IP address. |
| -g <port> | Use specific source port (sometimes bypasses firewalls). |
| --dns-server <ns> | Use a specific DNS server. |
Output Options
| Option | Description |
|---|---|
| -oA filename | Output in all formats (.nmap, .gnmap, .xml) with base name. |
| -oN filename | Normal output. Easy to read manually. |
| -oG filename | Grepable output. Helpful for scripts or quick parsing. |
| -oX filename | XML output. Used in automated tools or import into other apps. |

| Option | Description |
|---|---|
| --max-retries <num> | Limit number of retries per port. |
| --stats-every=5s | Show progress updates every 5 seconds. |
| -v, -vv | Verbose output. Double v = more detail. |
| --initial-rtt-timeout 50ms | Set lower bound for round trip time. |
| --max-rtt-timeout 100ms | Set upper bound for round trip time. |
| --min-rate 300 | Send at least 300 packets/sec. Speeds things up. |
| -T <0-5> | Timing template (0 = paranoid, 5 = insane). 4 is usually a good balance. |
Practical Examples
Quick ping sweep on subnet:
Aggressive scan on a single host:
Full port scan with version detection:
```bash
nmap -sS -sV -p- 10.10.10.10
```
UDP scan of top 10 ports:
```bash
nmap -sU --top-ports 10 10.10.10.10
```
Firewall evasion with decoys and spoofed source:
```bash
nmap -sS -D RND:5 -S 10.10.14.99 -g 53 10.10.10.10
```
Output in all formats:
```bash
nmap -sC -sV -oA scan_result 10.10.10.10
```
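The scan_result.gnmap file that -oA writes is the grepable format from the Output Options table, and it is the one you will most often post-process in a lab. As an added example (not part of the original post), here is a small Python parser that pulls the open ports out of a constructed .gnmap sample and pivots them by service; the sample hosts, versions and timestamps are made up for illustration.

```python
from dataclasses import dataclass

# Constructed sample of the scan_result.gnmap file that `-oA scan_result` writes.
# Hosts, versions and timestamps are made up; tabs separate the fields on each Host: line.
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated Mon Jan  1 12:00:00 2024 as: nmap -sC -sV -oA scan_result 10.10.10.0/24
Host: 10.10.10.10 ()\tStatus: Up
Host: 10.10.10.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)/, 80/open/tcp//http//Apache httpd 2.4.41 ((Ubuntu))/, 139/filtered/tcp//netbios-ssn///\tIgnored State: closed (997)
Host: 10.10.10.11 ()\tStatus: Up
Host: 10.10.10.11 ()\tPorts: 53/open/udp//domain//dnsmasq 2.80/\tIgnored State: open|filtered (9)
# Nmap done at Mon Jan  1 12:01:00 2024 -- 256 IP addresses (2 hosts up) scanned in 60.00 seconds
"""

@dataclass(frozen=True)
class OpenPort:
    host: str
    port: int
    proto: str
    service: str
    version: str

def parse_gnmap(text: str) -> list[OpenPort]:
    """Return every port reported as open in grepable (-oG / .gnmap) output.
    Ports: entries are laid out as port/state/protocol/owner/service/rpc_info/version/"""
    results = []
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # skip the "# Nmap ..." banner and trailer lines
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        ports_field = fields.get("Ports")
        if not ports_field:
            continue  # a Status: line, or a host with nothing to report
        host = fields["Host"].split(" ", 1)[0]  # drop the "(hostname)" part
        for entry in ports_field.split(", "):
            parts = entry.split("/")
            port, state, proto, _owner, service, _rpc = parts[:6]
            version = "/".join(parts[6:]).rstrip("/")  # rejoin in case the version text itself has a '/'
            if state == "open":
                results.append(OpenPort(host, int(port), proto, service, version))
    return results

def hosts_with_service(ports: list[OpenPort], service: str) -> set[str]:
    """Pivot the flat port list into 'which hosts expose this service'."""
    return {p.host for p in ports if p.service == service}

if __name__ == "__main__":
    for p in parse_gnmap(SAMPLE_GNMAP):
        print(f"{p.host}:{p.port}/{p.proto}  {p.service}  {p.version}")
```

Point parse_gnmap at the contents of your own scan_result.gnmap to get the same structured list from a real run.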
Scan a webserver with custom script:
```bash
nmap -p80 --script http-title 10.10.10.10
```
Conclusion
Nmap isn’t just a scanner; it’s an intel-gathering beast if you know how to use it right. This reference should help you pick the right options without second-guessing your syntax during CPTS labs or exams. Keep practicing different scans and make sure you understand what each flag does. The more you play with it, the more second nature it becomes.