---
obj: application
website: https://nmap.org
repo: https://github.com/nmap/nmap
---

# nmap
Network exploration tool and security / port scanner

## Usage
Usage: `nmap [Scan Type(s)] [Options] {target specification}`

### Options
#### TARGET SPECIFICATION
Can pass hostnames, IP addresses, networks, etc.
Ex: scanme.nmap.org, 192.168.0.1; 10.0.0-255.1-254

| Option                                  | Description                       |
| --------------------------------------- | --------------------------------- |
| `-iL <inputfilename>`                   | Input from list of hosts/networks |
| `--exclude <host1[,host2][,host3],...>` | Exclude hosts/networks            |
| `--excludefile <exclude_file>`          | Exclude list from file            |

#### HOST DISCOVERY
| Option                              | Description                                                                                         |
| ----------------------------------- | --------------------------------------------------------------------------------------------------- |
| `-sL`                               | List Scan - simply list targets to scan                                                             |
| `-sn`                               | Ping Scan - disable port scan                                                                       |
| `-PS/PA/PU/PY[portlist]`            | [TCP](../../../internet/TCP.md) SYN/ACK, [UDP](../../../internet/UDP.md) or SCTP discovery to given ports |
| `-PE/PP/PM`                         | ICMP echo, timestamp, and netmask request discovery probes                                          |
| `-n/-R`                             | Never do [DNS](../../../internet/DNS.md) resolution/Always resolve \[default: sometimes]               |
| `--dns-servers <serv1[,serv2],...>` | Specify custom [DNS](../../../internet/DNS.md) servers                                                 |
| `--traceroute`                      | Trace hop path to each host                                                                         |

#### SCAN TECHNIQUES
| Option                | Description                                                        |
| --------------------- | ------------------------------------------------------------------ |
| `-sS/sT/sA/sW/sM`     | [TCP](../../../internet/TCP.md) SYN/Connect()/ACK/Window/Maimon scans |
| `-sU`                 | [UDP](../../../internet/UDP.md) Scan                                  |
| `-sN/sF/sX`           | [TCP](../../../internet/TCP.md) Null, FIN, and Xmas scans             |
| `--scanflags <flags>` | Customize [TCP](../../../internet/TCP.md) scan flags                  |
| `-sO`                 | IP protocol scan                                                   |

#### PORT SPECIFICATION AND SCAN ORDER
| Option                          | Description                                                                                   |
| ------------------------------- | --------------------------------------------------------------------------------------------- |
| `-p <port ranges>`              | Only scan specified ports. Ex: `-p22`; `-p1-65535`; `-p U:53,111,137,T:21-25,80,139,8080,S:9` |
| `--exclude-ports <port ranges>` | Exclude the specified ports from scanning                                                     |
| `-F`                            | Fast mode - Scan fewer ports than the default scan                                            |
| `-r`                            | Scan ports sequentially - don't randomize                                                     |
| `-top-ports <number>`           | Scan \<number> most common ports                                                              |

#### SERVICE/VERSION DETECTION
| Option                        | Description                                        |
| ----------------------------- | -------------------------------------------------- |
| `-sV`                         | Probe open ports to determine service/version info |
| `--version-intensity <level>` | Set from 0 (light) to 9 (try all probes)           |
| `--version-light`             | Limit to most likely probes (intensity 2)          |
| `--version-all`               | Try every single probe (intensity 9)               |

#### SCRIPT SCAN
| Option                   | Description                                                                                                                                             |
| ------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `-sC`                    | equivalent to `--script=default`                                                                                                                        |
| `--script=<Lua scripts>` | \<Lua scripts> is a comma separated list of directories, script-files or script-categories. The scripts are commonly found at `/usr/share/nmap/scripts` |
| `--script-updatedb`      | Update the script database.                                                                                                                             |

#### OS DETECTION
| Option           | Description                             |
| ---------------- | --------------------------------------- |
| `-O`             | Enable OS detection                     |
| `--osscan-limit` | Limit OS detection to promising targets |
| `--osscan-guess` | Guess OS more aggressively              |

#### TIMING AND PERFORMANCE
 Options which take \<time> are in seconds, or append 'ms' (milliseconds), 's' (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).

| Option                                                         | Descriptions                                     |
| -------------------------------------------------------------- | ------------------------------------------------ |
| `-T<0-5>`                                                      | Set timing template (higher is faster)           |
| `--min-hostgroup/max-hostgroup <size>`                         | Parallel host scan group sizes                   |
| `--min-parallelism/max-parallelism <numprobes>`                | Probe parallelization                            |
| `--min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time>` | Specifies probe round trip time.                 |
| `--max-retries <tries>`                                        | Caps number of port scan probe retransmissions.  |
| `--host-timeout <time>`                                        | Give up on target after this long                |
| `--scan-delay/--max-scan-delay <time>`                         | Adjust delay between probes                      |
| `--min-rate <number>`                                          | Send packets no slower than \<number> per second |
| `--max-rate <number>`                                          | Send packets no faster than \<number> per second                                                |

#### FIREWALL/IDS EVASION AND SPOOFING
| Option                                         | Description                                                                                       |
| ---------------------------------------------- | ------------------------------------------------------------------------------------------------- |
| `-f; --mtu <val>`                              | fragment packets (optionally w/given MTU)                                                         | 
| `-D <decoy1,decoy2[,ME],...>`                  | Cloak a scan with IP decoys                                                                       |
| `-S <IP_Address>`                              | Spoof source address                                                                              |
| `-e <iface>`                                   | Use specified interface                                                                           |
| `-g/--source-port <portnum>`                   | Use given port number                                                                             |
| `--proxies <url1,[url2],...>`                  | Relay connections through [HTTP](../../../internet/HTTP.md)/SOCKS4 proxies                           |
| `--data <hex string>`                          | Append a custom payload to sent packets                                                           |
| `--data-string <string>`                       | Append a custom [ASCII](../../../files/ASCII.md) string to sent packets                              |
| `--data-length <num>`                          | Append random data to sent packets                                                                |
| `--ip-options <options>`                       | Send packets with specified ip options                                                            |
| `--ttl <val>`                                  | Set IP time-to-live field                                                                         |
| `--spoof-mac <mac address/prefix/vendor name>` | Spoof your MAC address                                                                            |
| `--badsum`                                     | Send packets with a bogus [TCP](../../../internet/TCP.md)/[UDP](../../../internet/UDP.md)/SCTP checksum |

#### OUTPUT
| Option                    | Description                                                                                                                |
| ------------------------- | -------------------------------------------------------------------------------------------------------------------------- |
| `-oN/-oX/-oS/-oG <file>`  | Output scan in normal, [XML](../../../files/XML.md), scrIpt kIddi3, and Grepable format, respectively, to the given filename. |
| `-oA <basename>`          | Output in the three major formats at once                                                                                  |
| `-v`                      | Increase verbosity level (use `-vv` or more for greater effect)                                                            |
| `--open`                  | Only show open (or possibly open) ports                                                                                    |
| `--append-output`         | Append to rather than clobber specified output files                                                                       |
| `--resume <filename>`     | Resume an aborted scan                                                                                                     | 
| `--stylesheet <path/URL>` | XSL stylesheet to transform [XML](../../../files/XML.md) output to [HTML](../../../internet/HTML.md)                             |
| `--webxml`                | Reference stylesheet from Nmap.Org for more portable [XML](../../../files/XML.md)                                             |
| `--no-stylesheet`         | Prevent associating of XSL stylesheet w/[XML](../../../files/XML.md) output                                                   |