Ahmet Göker
4 min readMar 26, 2022


Hey people,

welcome back to my blog-post today I will be covering NMAP in depth with more examples and commands/parameters and so on. Lets kick off.


NMAP also known as (network mapper) is a free and open source and has utility for network discovery and security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing services upgrade schedules and monitoring hst or sevice running uptime. Please visit to this website for more information.

I want to cover about NMAP scan types:

stealth scan:

Half-open scan or SYN scan — only SYN packets sent. Responses same as full. If you did not catch what SYN scan is or about that packet please consider to search for more information about this specific issue in your mind.

It is very useful for hiding efforts and evading firewalls

nmap -sS <target-ip>

full connect:

TCP connect or full open scan. The first two steps ( SYN and SYN/ACK) are exactly the same as with a SYN scan. Then, instead of aborting the half-open connection with a RST packet.

full connection and then tears down with RST

Easiest to detect but also the most reliable.

nmap -sT <target-ip>

TCP,ACK scan / flag probe -multiple methods:

TTL version, if TTL or RST packet < 64 port is open

Windows version , f the Windows on the RST packet is anything other than 0, port open

It can be used to check filtering. If ACK is sent and no response, stateful firewall present.

nmap -sA <target-ip> (ACK scan)

nmap -sW <target-ip>( windows scan)

NULL, FIN and Xmas scan:

It uses FIN,URG or PSH flag

Open gives no response. Closed give RST/ACK

nmap -sN <target-ip> (null scan)

nmap -sF <target-ip>(fın scan)



nmap -Pn <spoofed IP> <target-ip>

Source Address spoofing:

nmap -e <network-interface> -S <IP-source> <target>

Mac address spoofing:

nmap — spoof-mac <MAC|vendor> <target>

Decoy will send spoofed IP address along with your IP address

FIREWALL evasion:

Multiple Decoy IP addresses:

this command is used to scan multiple decoy IP addresses. Nmap will send multiple packets with different IP addresses, along with your attacker’s IP address.

nmap -D RND:<number> <target>

as an example as shown below:

nmap -D RDN:30

1) paranoid:

paranoid (0) intrusion detection system evasion:

nmap <target-ip> -T0

2) Sneaky:

sneaky (1) intrusion detection system evasion:

nmap <target-ip> -T1

3) Polite:

polite (2) slows down the san to use less bandwidth and use less target machine resources

nmap <target-ip> -T2

4) Normal:

normal (3) which is default speed

nmap <target-ip> -T3

5) Agressive:

Agressive (4) speeds scan; assumes you are on reasonably fast and reliable network

nmap <target-ip> -T4

6) Insane:

Insane (5) speeds scan; assumes you are on an extraordinarly fast network

nmap <target-ip> -T5

UDP scan:

Most popular services runs over the TCP, but there are many common services that also UDP; DNS(53), DHCP(67), NTP(123), NETBIOS(137), etc…

  1. nmap sU <target-ip>
  2. nmap -sU -p U:53,123 <targetip>
  3. nmap -sU -sS -p U:53,123 T:80,443 <target-ip>

List of switches:

  • -sA (ACK scan)
  • -sF (FIN scan)
  • -sI (IDLE scan)
  • -sL (DNS scan)
  • -sN (NULL scan)
  • -sO (Protocol scan)
  • -sP or -sn (Ping scan)
  • -sR (RPC scan)
  • -sS (SYN scann)
  • -sT (TCP connect)
  • -sW (Windows scan)
  • -sX (XMAS scan)
  • -A (OS detection)
  • -sV (determine service info)
  • -PI (ICMP scan)
  • -Pn (no ping)
  • -Po(no ping)
  • -PS (SYN scan)
  • -PT(TCP ping)
  • -oN(normal output)
  • -oX (XML output)
  • -n(never do dns scan)
  • -f(fragment packets)
  • -D(IP address decoy


NSE stands for nmap scripting engine and it’s basically a digital library of nmap scripts that helps to enhance the default nma features and report the results in a traditional nmap output

for the good purposes NMAP allows you to create your own NSE script which can be importable to the config file of NMAP and that is superb.

with that being said. lets show those in the practical manner:


Scan with default NSE scripts. Considered useful for discovery and safe:

nmap -sC

nmap --script default

Scan with a single script example banner as below:

nmap --script=banner

Scan with a wildcard example HTTP:

nmap — script=http*

NSE script with argument:

nmap — script snmp-sysdescr — script-args snmpcommunity=admin

Useful NSE script Examples:

http site map generator:

nmap -Pn — script=http-sitemap-generator scanme.nmap.org

fast search for random web servers:

nmap -n -Pn -p 80 — open -sV -vvv — script banner,http-title -IR 1000

Brute force DNS hostnames guessing subdomains:

nmap -Pn — script=dns-brute domain.com

safe SMB scripts to run:

nmap -n -Pn -vv -O -sV — script- smb-enum*,smb-ls,smb-mbenum,smb-os-discovery,smb-s*,smb-vuln*,smbv2*, -vv

Checks for SQL injection:

nmap -p 80 — script http-sql-injection scanme.nmap.org


So far, I have tried to share almost every useful commands but at least, I do recommend you to search about more such awesome parameters,commands because NMAP has been designed,written very well, and as I mentioned in my blog check whether you shall be able to create your own NSE scripts and that can be very handy especially by proof of concept.

Many Thanks for u support and reading this blog.

Ahmet Göker | junior hacker | PoC/exploit researcher | CTF player | CE bachelor

U can follow me on social platforms :

Twitter: https://twitter.com/TurkishHoodie_

medium: https://medium.com/@turkishhoodie010

Telegram: DarkGhost

linkedin: https://www.linkedin.com/in/ahmetgöker

Youtube: https://youtube.com/TurkishHoodie




Ahmet Göker

🦀 Reverse-Engineering 🦀Binary-Exploitation 🦀 Hardware programming 🦀Computer scientist