
Top 10 NMAP Flags That I Use Daily

It is not the monsters we should be afraid of; it is the people that don’t recognize the same monsters inside of themselves.

— Shannon L. Alder.

If you’re a network IT (Information Technology) engineer or cybersecurity professional, you surely know the tool nmap.

Nmap, which stands for network mapper[1], is an open-source tool for network discovery and is mostly used for security auditing. I’ve been using this tool for many years, and these are my favorite command-line flags:

Skip reverse DNS call

This flag is helpful when you don’t want to spend the extra milliseconds fetching records from a DNS server, or when you have a specific scenario that relies only on the internal cached hosts file.

nmap -n scanme.nmap.org

Stop ping checks

The -PN flag tells nmap to treat the host as online, skipping the ping[2] check of whether it is alive. This is particularly useful when you know the target’s firewall blocks all ICMP (Internet Control Message Protocol)[3].

nmap -PN scanme.nmap.org

Fingerprint scan

The -sV flag is especially useful in network auditing and for determining whether any ports are available. It probes the target machine’s ports for availability and guesses the service (including the service version) running on each.

nmap -sV scanme.nmap.org

Finding live hosts

This command is especially useful for network engineers who need to know whether there are any live hosts on the network. The notation below tells nmap to scan the specified subnet[4] using the ICMP protocol and return the list of hosts that responded.

nmap -sP 192.168.1.1/24
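
An added example, not part of the original post: it parses nmap's grepable output (the -oG option, which the post does not cover) from a sweep like the one above and compares the live addresses with an asset inventory. The sweep output and the inventory are constructed samples; newer nmap releases spell -sP as -sn.

```sh
#!/bin/sh
# Compare a ping sweep with an asset inventory (added example).
# Real input would come from something like:
#   nmap -n -sP -oG sweep.gnmap 192.168.1.1/24

# Constructed sample of grepable sweep output (not a real scan).
# Real output separates the fields with a tab; the parser accepts either.
SAMPLE_SWEEP='# Nmap scan initiated as: nmap -n -sP -oG - 192.168.1.1/24
Host: 192.168.1.1 () Status: Up
Host: 192.168.1.10 () Status: Up
Host: 192.168.1.23 () Status: Up
Host: 192.168.1.77 () Status: Up
# Nmap done -- 256 IP addresses (4 hosts up) scanned'

# Constructed inventory of addresses that are expected on this subnet.
INVENTORY='192.168.1.1
192.168.1.10
192.168.1.23
192.168.1.50'

# live_hosts: read grepable output on stdin, print each address that is Up.
live_hosts() {
    awk '$1 == "Host:" && /Status: Up/ { print $2 }' | sort -u
}

# not_in LIST KNOWN: print the lines of LIST that do not appear in KNOWN.
# KNOWN is passed through the environment so embedded newlines are safe.
not_in() {
    printf '%s\n' "$1" | KNOWN="$2" awk '
        BEGIN { n = split(ENVIRON["KNOWN"], k, "\n")
                for (i = 1; i <= n; i++) seen[k[i]] = 1 }
        NF && !($1 in seen) { print $1 }'
}

live=$(printf '%s\n' "$SAMPLE_SWEEP" | live_hosts)

# Answered the sweep but is not in the inventory: investigate the device.
unknown_hosts() { not_in "$live" "$INVENTORY"; }

# In the inventory but silent: powered off, or filtering the probes.
silent_hosts() { not_in "$INVENTORY" "$live"; }

echo "Live hosts missing from the inventory:"
unknown_hosts
echo "Inventory hosts that did not answer:"
silent_hosts
```

A host in the second list is not necessarily down; it may simply drop the discovery probes, which is the case the -PN flag above is for.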

Scan using specified network interface

If you have multiple NICs (Network Interface Controllers)[5] and you want to route the scan through a specific NIC, then this is the solution. Normally nmap, or any other tool that uses the computer’s network, would use the OS-designated network route (normally determined by the routing table and preferred gateway). The -e flag tells nmap to use that specific network controller to perform the scan.

nmap -e eth0 scanme.nmap.org

SYN ping scans

The SYN ping sends request packets to the target machine and checks whether it accepts them. It is one of the default alternative ways of checking whether a host is alive.

nmap -sP -PS scanme.nmap.org

ACK ping scans

The ACK scan is the opposite of SYN: it sends an ACK (acknowledge) packet to the target machine to see whether it responds. Most modern firewalls block this packet if it is not associated with a three-way handshake.

nmap -sP -PA scanme.nmap.org

UDP port scans

This UDP[6] port/ping scan is helpful when you know the target machine only blocks TCP packets. The flag sends a UDP packet to ports available on the machine and checks whether the target machine responds.

nmap -sP -PU scanme.nmap.org

IP (Internet Protocol) ping scans

This scan is special in that it sends IP packets with the specified protocol number in their IP header. If you don’t supply a protocol type, it sends multiple packets: ICMP, IGMP, and IP-in-IP.

nmap -sP -PO scanme.nmap.org

ARP ping scans

This scan is mostly useful in a LAN scenario. When you send an ARP packet, it returns the address or addresses that answered the broadcast request.

nmap -sP -PR scanme.nmap.org

Mostly, that’s all. I’ve used other flags, but these are my most used command flags for nmap.


  1. Nmap (Network Mapper) is a free and open-source network scanner created by Gordon Lyon (also known by his pseudonym Fyodor Vaskovich).
  2. Ping measures the round-trip time for messages sent from the originating host to a destination computer that are echoed back to the source. The name comes from active sonar terminology that sends a pulse of sound and listens for the echo to detect objects under water.
  3. The Internet Control Message Protocol (ICMP) is a supporting protocol in the Internet protocol suite. It is used by network devices, including routers, to send error messages and operational information indicating success or failure when communicating with another IP address, for example, an error is indicated when a requested service is not available or that a host or router could not be reached.
  4. A subnetwork or subnet is a logical subdivision of an IP network.
  5. A network interface controller (NIC, also known as a network interface card, network adapter, LAN adapter or physical network interface, and by similar terms) is a computer hardware component that connects a computer to a computer network.
  6. The User Datagram Protocol (UDP) is one of the core members of the Internet protocol suite. The protocol was designed by David P. Reed in 1980 and formally defined in RFC 768. With UDP, computer applications can send messages, in this case referred to as datagrams, to other hosts on an Internet Protocol (IP) network. Prior communications are not required in order to set up communication channels or data paths.