Nmap Tips and Tricks

Peter Kacherginsky
Dec 15, 2008

Nmap (Network MAPper) is a network port scanner with service version and operating system detection engines. The tool was originally developed by Fyodor and published in Phrack Issue 51 in 1997. Nmap is command-line driven, although a number of GUIs exist, and it runs on a variety of platforms including Linux, *BSD, Windows, and others.

Port Scanning

Nmap supports several port scanning approaches. The table below summarizes the “canned” scan types and their corresponding command-line flags:

  • -sT: TCP Connect() Scan
  • -sS: SYN Scan
  • -sA: ACK Scan
  • -sW: Window Scan
  • -sN: Null Scan
  • -sF: FIN Scan
  • -sX: XMas Scan
  • -sU: UDP Scan
  • -sM: Maimon Scan
  • -sO: IP Protocol Scan
  • -sI host:port: Idle Scan
  • -b: FTP Bounce Scan

Using the above table, we can quickly generate a simple SYN scan on a Windows box:

nmap -sS <target>

Interesting ports on <target>:
Not shown: 1692 closed ports
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1025/tcp open NFS-or-IIS
5000/tcp open UPnP
MAC Address: 00:11:22:33:44:55
Nmap finished: 1 IP address (1 host up) scanned in 1.347 seconds

It is often useful to know the reason behind Nmap’s decision about a port’s state. Use the --reason option to get a detailed explanation (the last column shows which response, or lack of one, led to the verdict):

nmap -sS -p22,80 --reason <target>
Interesting ports on eh-in-f99.google.com (
22/tcp filtered ssh no-response
80/tcp open http syn-ack
Nmap done: 1 IP address (1 host up) scanned in 2.028 seconds

With the command line above, only the default set of ports is scanned. To scan all 65535 TCP ports on a machine, use the -p flag with an explicit range:

nmap -sS -p1-65535 <target>

To scan a large number of machines, you may use ranges and wildcards:

nmap -sA 192.168.*.1-10,250-254

The above will scan every address whose first two octets are 192.168, with any value in the third octet, and a last octet in either 1–10 or 250–254. The less flexible CIDR notation may also be used. Below is an example of how to perform a UDP scan on a Class C subnet:
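To see exactly how many addresses a range/wildcard spec like the one above (or a Class C in CIDR notation) covers before a scan is launched, here is an added helper that expands Nmap's target syntax into individual IPv4 addresses. This is example code written for this article, not part of Nmap; it assumes the documented octet syntax (`*`, `A-B`, open-ended `A-` / `-B`, and comma lists per octet) and that a CIDR block includes its network and broadcast addresses, as Nmap counts them.

```python
import ipaddress
from itertools import product

# Example helper (not from the original article or from Nmap itself):
# expand Nmap's octet-range target notation into the addresses it covers,
# so the scope of a scan can be verified before it runs.

def _expand_octet(spec: str) -> list[int]:
    """Expand one octet spec: '*', 'N', 'A-B', 'A-', '-B', or a comma list."""
    if spec == "*":
        return list(range(256))
    values: list[int] = []
    for part in spec.split(","):
        if "-" in part:
            lo, hi = part.split("-", 1)
            lo_i = int(lo) if lo else 0      # '-10' means 0-10
            hi_i = int(hi) if hi else 255    # '250-' means 250-255
        else:
            lo_i = hi_i = int(part)
        if not 0 <= lo_i <= hi_i <= 255:
            raise ValueError(f"bad octet spec: {part!r}")
        values.extend(range(lo_i, hi_i + 1))
    return sorted(set(values))

def expand_targets(spec: str) -> list[str]:
    """Return every IPv4 address matched by a range/wildcard spec
    such as '192.168.*.1-10,250-254'."""
    octets = spec.split(".")
    if len(octets) != 4:
        raise ValueError("expected four dotted octet specs")
    ranges = [_expand_octet(o) for o in octets]
    return [".".join(map(str, combo)) for combo in product(*ranges)]

def expand_cidr(spec: str) -> list[str]:
    """Return every address in a CIDR block, e.g. the Class C 192.168.1.0/24;
    network and broadcast addresses are included, matching Nmap's host count."""
    return [str(a) for a in ipaddress.ip_network(spec, strict=False)]

if __name__ == "__main__":
    # The article's wildcard example: 256 third-octet values x 15 last-octet values
    print(len(expand_targets("192.168.*.1-10,250-254")))  # 3840
    print(len(expand_cidr("192.168.1.0/24")))             # 256
```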
