My Nmap Command

I am using Nmap to do basic port scans for customers that requested them. The Nmap GUI “Zenmap” offers some profiles to choose the appropriate options for the scan. But when using a mere ssh session, these profiles are not given.

On the Internet, there are many good and detailed examples of how to use Nmap, such as here or here. However, I mostly need a simple and standard Nmap command for my basic scans. Here I list the command that I am using by default as a short memo for myself: :)


I am using the following options:

  • -Pn: to omit the ICMP echo request ping before scanning a host. Often, ports are opened while ping is blocked.
  • -sS: for the default TCP SYN scan
  • -sU: for an additional scan of UDP
  • -A: to enable several scan options, such as OS detection, host detection, etc.
  • oN FILENAME: save the output to FILENAME
  • [optional] -T2: for a slower scan rate. This option can be omitted if a faster rate is necessary. When using Nmap over night, I am using -T2 for IDS evasion. OR:
  • [optional] -T4: for a faster scan rate
  • [optional] -p 1-65535: to scan all ports and not only “the 1000 most popular used ones”
  • HOSTNAME: the name or IP address of the target

And don’t forget to run Nmap a second time with the “-6” option for IPv6!

Finally, this is the link to the Nmap port states (open, closed, filtered, …).

Sample Output

This is an example output of such a scan (IPv4 only):


© Image Sketch by Mareike Weber.

One thought on “My Nmap Command

Leave a Reply

Your email address will not be published. Required fields are marked *