---
obj: application
website: https://nmap.org
repo: https://github.com/nmap/nmap
---

# nmap

Network exploration tool and security / port scanner

## Usage

Usage: `nmap [Scan Type(s)] [Options] {target specification}`

### Options

#### TARGET SPECIFICATION

Can pass hostnames, IP addresses, networks, etc.
Ex: `scanme.nmap.org`, `192.168.0.1`; `10.0.0-255.1-254`

| Option | Description |
| --- | --- |
| `-iL <inputfilename>` | Input from list of hosts/networks |
| `--exclude <host1[,host2][,host3],...>` | Exclude hosts/networks |
| `--excludefile <exclude_file>` | Exclude list from file |

#### HOST DISCOVERY

| Option | Description |
| --- | --- |
| `-sL` | List Scan - simply list targets to scan |
| `-sn` | Ping Scan - disable port scan |
| `-PS/PA/PU/PY[portlist]` | [TCP](../../../internet/TCP.md) SYN/ACK, [UDP](../../../internet/UDP.md) or SCTP discovery to given ports |
| `-PE/PP/PM` | ICMP echo, timestamp, and netmask request discovery probes |
| `-n/-R` | Never do [DNS](../../../internet/DNS.md) resolution/Always resolve \[default: sometimes] |
| `--dns-servers <serv1[,serv2],...>` | Specify custom [DNS](../../../internet/DNS.md) servers |
| `--traceroute` | Trace hop path to each host |

#### SCAN TECHNIQUES

| Option | Description |
| --- | --- |
| `-sS/sT/sA/sW/sM` | [TCP](../../../internet/TCP.md) SYN/Connect()/ACK/Window/Maimon scans |
| `-sU` | [UDP](../../../internet/UDP.md) Scan |
| `-sN/sF/sX` | [TCP](../../../internet/TCP.md) Null, FIN, and Xmas scans |
| `--scanflags <flags>` | Customize [TCP](../../../internet/TCP.md) scan flags |
| `-sO` | IP protocol scan |

#### PORT SPECIFICATION AND SCAN ORDER

| Option | Description |
| --- | --- |
| `-p <port ranges>` | Only scan specified ports. Ex: `-p22`; `-p1-65535`; `-p U:53,111,137,T:21-25,80,139,8080,S:9` |
| `--exclude-ports <port ranges>` | Exclude the specified ports from scanning |
| `-F` | Fast mode - Scan fewer ports than the default scan |
| `-r` | Scan ports sequentially - don't randomize |
| `--top-ports <number>` | Scan \<number> most common ports |

#### SERVICE/VERSION DETECTION

| Option | Description |
| --- | --- |
| `-sV` | Probe open ports to determine service/version info |
| `--version-intensity <level>` | Set from 0 (light) to 9 (try all probes) |
| `--version-light` | Limit to most likely probes (intensity 2) |
| `--version-all` | Try every single probe (intensity 9) |

#### SCRIPT SCAN

| Option | Description |
| --- | --- |
| `-sC` | Equivalent to `--script=default` |
| `--script=<Lua scripts>` | \<Lua scripts> is a comma-separated list of directories, script files or script categories. The scripts are commonly found at `/usr/share/nmap/scripts` |
| `--script-updatedb` | Update the script database. |

#### OS DETECTION

| Option | Description |
| --- | --- |
| `-O` | Enable OS detection |
| `--osscan-limit` | Limit OS detection to promising targets |
| `--osscan-guess` | Guess OS more aggressively |

#### TIMING AND PERFORMANCE

Options which take \<time> are in seconds, or append 'ms' (milliseconds), 's' (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).

| Option | Description |
| --- | --- |
| `-T<0-5>` | Set timing template (higher is faster) |
| `--min-hostgroup/max-hostgroup <size>` | Parallel host scan group sizes |
| `--min-parallelism/max-parallelism <numprobes>` | Probe parallelization |
| `--min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time>` | Specifies probe round trip time. |
| `--max-retries <tries>` | Caps number of port scan probe retransmissions. |
| `--host-timeout <time>` | Give up on target after this long |
| `--scan-delay/--max-scan-delay <time>` | Adjust delay between probes |
| `--min-rate <number>` | Send packets no slower than \<number> per second |
| `--max-rate <number>` | Send packets no faster than \<number> per second |

#### FIREWALL/IDS EVASION AND SPOOFING

| Option | Description |
| --- | --- |
| `-f; --mtu <val>` | Fragment packets (optionally w/given MTU) |
| `-D <decoy1,decoy2[,ME],...>` | Cloak a scan with IP decoys |
| `-S <IP_Address>` | Spoof source address |
| `-e <iface>` | Use specified interface |
| `-g/--source-port <portnum>` | Use given port number |
| `--proxies <url1,[url2],...>` | Relay connections through [HTTP](../../../internet/HTTP.md)/SOCKS4 proxies |
| `--data <hex string>` | Append a custom payload to sent packets |
| `--data-string <string>` | Append a custom [ASCII](../../../files/ASCII.md) string to sent packets |
| `--data-length <num>` | Append random data to sent packets |
| `--ip-options <options>` | Send packets with specified IP options |
| `--ttl <val>` | Set IP time-to-live field |
| `--spoof-mac <mac address/prefix/vendor name>` | Spoof your MAC address |
| `--badsum` | Send packets with a bogus [TCP](../../../internet/TCP.md)/[UDP](../../../internet/UDP.md)/SCTP checksum |

#### OUTPUT

| Option | Description |
| --- | --- |
| `-oN/-oX/-oS/-oG <file>` | Output scan in normal, [XML](../../../files/XML.md), scrIpt kIddi3, and Grepable format, respectively, to the given filename. |
| `-oA <basename>` | Output in the three major formats at once |
| `-v` | Increase verbosity level (use `-vv` or more for greater effect) |
| `--open` | Only show open (or possibly open) ports |
| `--append-output` | Append to rather than clobber specified output files |
| `--resume <filename>` | Resume an aborted scan |
| `--stylesheet <path/URL>` | XSL stylesheet to transform [XML](../../../files/XML.md) output to [HTML](../../../internet/HTML.md) |
| `--webxml` | Reference stylesheet from Nmap.Org for more portable [XML](../../../files/XML.md) |
| `--no-stylesheet` | Prevent associating of XSL stylesheet w/[XML](../../../files/XML.md) output |