The Top Nmap Commands You Need to Know
Nmap is the go-to tool for network reconnaissance. Whether you're doing a pentest, troubleshooting connectivity, or just figuring out what's running on your network, these are the commands you'll reach for most often.
1. Ping Sweep
Before you scan ports, figure out what's alive on the network. A ping sweep sends ICMP requests across a range and tells you which hosts respond.
nmap -sn 192.168.1.0/24Use this as your first step on any internal engagement. It maps out the landscape before you go deeper.
2. Port Range Scan
Once you know what's alive, check which ports are open. You can target specific ranges instead of scanning all 65,535 ports.
nmap -p 80,443,8080-8090 192.168.1.10Useful when you're looking for web services or know the target runs something on non-standard ports.
3. OS Detection
Nmap analyzes TCP/IP stack behavior to fingerprint the operating system. Knowing whether a target runs Linux or Windows changes your entire approach.
nmap -O 192.168.1.10Requires at least one open and one closed port on the target for accurate results. Run with sudo since it needs raw socket access.
4. Service Version Detection
An open port is just a number. What matters is what's behind it. Version detection probes open ports to identify the service and its version.
nmap -sV 192.168.1.10This is how you find out that port 8080 is running Apache Tomcat 9.0.46 instead of just "open." Version numbers lead directly to CVE lookups.
5. NSE Script Scanning
Nmap's scripting engine has hundreds of scripts for vulnerability detection, brute forcing, and service enumeration. You can run individual scripts or entire categories.
nmap --script vuln 192.168.1.10The vuln category checks for known vulnerabilities. Other useful categories: auth, discovery, safe. You can also target specific scripts like --script http-title.
6. Aggressive Scan
Combines OS detection, version detection, script scanning, and traceroute in one command. It's loud and thorough.
nmap -A 192.168.1.10Great for CTFs and lab environments. On a real engagement, this generates a lot of traffic and is easily detected by IDS/IPS.
7. Timing Control
Nmap's timing templates range from T0 (paranoid, one probe at a time) to T5 (insane, as fast as possible). T4 is the sweet spot for most situations.
nmap -T4 192.168.1.0/24Use T1 or T2 when you need to stay under the radar. Use T4 when speed matters more than stealth. Avoid T5 on unreliable networks since it drops packets.
These seven commands cover the majority of what you'll need. Combine them freely: nmap -sV -O -T4 -p- 192.168.1.10 gives you a full version scan with OS detection across all ports at a reasonable speed. Check man nmap for the full reference.