Nmap

1. Host Discovery

Discovers active hosts on a network without scanning their ports (a "ping scan"). Nmap chooses between ICMP echo, TCP SYN/ACK probes, and ARP requests depending on your privileges and whether the targets are on the local subnet.

nmap -sn 10.129.2.0/24

Skips the initial host-discovery phase and treats every target as up. Essential when a firewall blocks the ping probes, which would otherwise make Nmap skip the host entirely; with -Pn it scans the ports anyway.

nmap -Pn 10.129.2.47

Uses an ICMP Echo request for host discovery to see whether the host responds. Adding --disable-arp-ping forces Nmap to probe at Layer 3 even on a local network (instead of the ARP request it would normally prefer), and --packet-trace shows exactly what is sent and received.

nmap 10.129.2.47 -sn -PE --disable-arp-ping --packet-trace

2. Scan Techniques (TCP & UDP)

TCP SYN scan. The default scan when running as root, because it needs raw sockets.

It performs a "half-open" connection: it sends a SYN packet and waits for a SYN-ACK (open) or RST (closed), but never completes the 3-way handshake. This makes it faster and slightly stealthier, since many applications only log completed connections.

sudo nmap -sS 10.129.2.47

TCP Connect scan. The default scan when not running as root.

Completes the full 3-way TCP handshake through the operating system's connect() call. It is highly accurate but very noisy and easily logged by the target system, since every probe is a real connection.

nmap -sT 10.129.2.47

UDP scan. Scans for open UDP services (like DNS, SNMP, DHCP). UDP is connectionless: if a port is closed, the target replies with an ICMP Port Unreachable; if Nmap gets no response at all, it marks the port open|filtered because it cannot tell an open service from a dropped probe.

sudo nmap -sU 10.129.2.47

TCP ACK scan. Does not find open ports. Instead, it maps firewall rule sets: it sends ACK packets and classifies each port as unfiltered (an RST came back, so the packet was allowed through the firewall) or filtered (no response or an ICMP error, so it was blocked or dropped).

sudo nmap -sA 10.129.2.47

3. Port Specifications

Define exactly which ports to scan. Can be a single port, a comma-separated list, or a range.

nmap -p 22,80,443,8000-8080 10.129.2.47

Scans every possible TCP or UDP port. Crucial for finding hidden services running on non-standard, high-numbered ports.

nmap -p- 10.129.2.47

Scans only the 100 most common ports instead of the default 1000. Great for a quick initial reconnaissance phase.

nmap -F 10.129.2.47

4. Service & OS Detection

Interrogates open ports with specific probes to determine the exact service and version number running (e.g., Apache 2.4.41 instead of just “http”).

nmap -sV 10.129.2.47

Analyzes TCP/IP stack fingerprints to guess the target operating system. Works best when the target has at least one open and one closed port. --osscan-guess makes Nmap report its best guess even when no fingerprint matches conclusively.

sudo nmap -O --osscan-guess 10.129.2.47

The “all-in-one” flag. Enables OS detection (-O), version detection (-sV), script scanning (-sC), and traceroute (--traceroute).

nmap -A 10.129.2.47

5. Timing & Performance

Sets the scanning speed from 0 (paranoid/slowest) to 5 (insane/fastest). -T4 is the recommended balance of speed and reliability for standard CTF/Exam networks.

nmap -T4 10.129.2.47

Forces Nmap to send packets at or above a specific rate per second. Excellent for speeding up all-port scans on reliable networks.

nmap -p- --min-rate 5000 10.129.2.47

Tuning for rate-limited targets, which throttle their ICMP replies and so make closed UDP ports look open|filtered. --max-retries 1 limits retransmissions, and --scan-delay 20ms spaces the probes out enough for the server's ICMP rejection messages to keep up.

nmap -sU -p 53,161 --max-retries 1 --scan-delay 20ms 10.129.2.47

6. Firewall & IDS/IPS Evasion

Forces your scan traffic to originate from a specific port (like 53 for DNS or 80 for HTTP). Highly effective against poorly configured stateless firewalls that blindly trust return traffic from these ports.

sudo nmap -sS -p 50000 --source-port 53 10.129.2.47

Cloaks your real IP address by injecting fake IP addresses into the scan traffic. The target’s IDS will see multiple IPs scanning them simultaneously, making it difficult to pinpoint the real attacker. RND:10 generates 10 random decoy IPs.

sudo nmap -D RND:10 10.129.2.47

Fragments the IP packets so the TCP header is split over several small fragments (8 bytes of payload each by default). This can bypass older packet filters or IDS systems that do not properly reassemble fragments before inspecting them.

sudo nmap -f 10.129.2.47

Nmap normally sends packets with no payload when port scanning, and Intrusion Detection Systems (IDS) flag such empty packets as suspicious. This flag pads each packet with the given number of random bytes to look more like legitimate application traffic.

nmap --data-length 25 10.129.2.47

7. Nmap Scripting Engine (NSE)

Runs a suite of default, mostly non-intrusive scripts designed to gather basic information (like pulling default web pages, checking FTP anonymous login, or grabbing SSH hostkeys).

nmap -sC 10.129.2.47

Runs specific scripts by name, by category (safe, vuln, discovery), or by wildcard.

--script "*" runs every available script, and --script "http*" runs every script whose name starts with http.

Note: Avoid running 'safe' or 'all' in labs, as it loads hundreds of scripts and can cause Nmap to crash (segfault).

nmap -sV -p 80 --script "http-title,http-enum,vuln" 10.129.2.47

Provide necessary parameters to scripts, such as setting a user-agent, providing a username/password, or supplying an API key.

nmap -p 80 --script http-put --script-args "http-put.url='/uploads/shell.php',http-put.file='./shell.php'" 10.129.2.47

8. Output Formats

Saves the scan results in all three major formats (Normal .nmap, Grepable .gnmap, and XML .xml) simultaneously. Always do this for record-keeping on engagements.

nmap -p 22,80 10.129.2.47 -oA nmap_initial_scan

Saves the output in the grepable format, one line per host, designed for parsing with tools like grep, awk, or sed. Useful for piping directly into terminal extraction scripts.

nmap -p- 10.129.2.47 -oG grepable_output.txt
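An added example, not part of the original cheat sheet: a small Python parser for the grepable format above, run over a constructed -oG sample rather than a real scan. It pulls the per-host port records and the open ports out of the file so the exposed services can be diffed against an approved baseline; the sample text, parse_gnmap and open_ports are the example's own names.

```python
import re

# Constructed sample of Nmap grepable (-oG) output; not a real scan result.
# One "Status" record and one "Ports" record per host, tab-separated fields,
# each port written as port/state/proto/owner/service/rpc/version/.
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated Mon Jan  1 12:00:00 2024 as: nmap -sV -p 22,80,443,161 10.129.2.47 -oG grepable_output.txt
Host: 10.129.2.47 ()\tStatus: Up
Host: 10.129.2.47 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.2p1/, 80/open/tcp//http//Apache httpd 2.4.41/, 443/closed/tcp//https///, 161/open|filtered/udp//snmp///\tIgnored State: closed (0)
# Nmap done at Mon Jan  1 12:00:05 2024 -- 1 IP address (1 host up) scanned in 5.12 seconds
"""

# Split the Ports list only at ", " that is followed by a new "<port>/" entry,
# so a comma inside a version string does not break a record apart.
_PORT_SEP = re.compile(r", (?=\d+/)")


def parse_gnmap(text):
    """Return {ip: {"status": str or None, "ports": [record, ...]}} from -oG text."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # "# Nmap ..." header and footer lines carry no host data
        fields = {}
        for chunk in line.split("\t"):
            key, _, value = chunk.partition(": ")
            fields[key] = value
        ip = fields["Host"].split(" ", 1)[0]  # drop the "(hostname)" part
        entry = hosts.setdefault(ip, {"status": None, "ports": []})
        if "Status" in fields:
            entry["status"] = fields["Status"]
        for item in _PORT_SEP.split(fields.get("Ports", "")):
            if not item:
                continue
            port, state, proto, _owner, service, _rpc, version, *_ = item.split("/")
            entry["ports"].append({"port": int(port), "proto": proto, "state": state,
                                   "service": service, "version": version})
    return hosts


def open_ports(hosts, include_possible=False):
    """Map each ip to ['22/tcp', ...] for ports reported open (optionally open|filtered too)."""
    wanted = {"open", "open|filtered"} if include_possible else {"open"}
    return {ip: [f"{p['port']}/{p['proto']}" for p in h["ports"] if p["state"] in wanted]
            for ip, h in hosts.items()}


if __name__ == "__main__":
    for ip, ports in open_ports(parse_gnmap(SAMPLE_GNMAP), include_possible=True).items():
        print(ip, ", ".join(ports))
```

Point it at a real file with parse_gnmap(open("grepable_output.txt").read()); UDP ports reported open|filtered are only included when include_possible=True, matching the uncertainty described in the UDP scan section.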