nmap Commands

Network scanning and security auditing tool for port discovery, SSL/TLS detection, and service enumeration

Basic Port Scanning

Scan single host

nmap example.com

Scans the 1000 most common TCP ports on the target host. This is the default scan and does not require root privileges.

Scan IP address

nmap 192.168.1.1

Scan a target by IP address. Works the same as scanning by hostname.

Scan multiple hosts

nmap 192.168.1.1 192.168.1.5 192.168.1.10

Scan multiple targets in single command. Space-separated list.

Scan IP range

nmap 192.168.1.1-254

Scan range of IP addresses. Useful for scanning entire subnet.

Scan subnet with CIDR notation

nmap 192.168.1.0/24

Scan an entire subnet using CIDR notation. A /24 covers all 254 usable host addresses.

SSL/TLS and Certificate Detection

Detect SSL/TLS services

nmap -p 443 --script ssl-cert example.com

Retrieve and display SSL/TLS certificate information. Shows subject, issuer, validity dates.

Check SSL/TLS cipher suites

nmap -p 443 --script ssl-enum-ciphers example.com

List supported cipher suites and TLS versions. Identifies weak ciphers and protocol versions.

Test for Heartbleed vulnerability

nmap -p 443 --script ssl-heartbleed example.com

Check for CVE-2014-0160 Heartbleed vulnerability. Critical for older OpenSSL versions.

Check certificates for internal addresses

nmap -p 443 --script ssl-cert-intaddr example.com

Check for certificates with internal IP addresses or private domains.

Comprehensive SSL/TLS scan

nmap -p 443 --script ssl-cert,ssl-enum-ciphers,ssl-known-key example.com

Run multiple SSL scripts to check certificates, ciphers, and known compromised keys.

Port Specification

Scan specific port

nmap -p 443 example.com

Scan only port 443 (HTTPS). Faster when checking specific services.

Scan multiple specific ports

nmap -p 22,80,443,8443 example.com

Scan comma-separated list of ports. Useful for checking common service ports.

Scan port range

nmap -p 1-1000 example.com

Scan ports 1 through 1000. More thorough than default scan.

Scan all 65535 ports

nmap -p- example.com

Full port scan. Time-consuming but comprehensive. Use -T4 to speed up.

Scan most common ports

nmap --top-ports 100 example.com

Scan top 100 most common ports. Good balance between speed and coverage.

Service and Version Detection

Detect service versions

nmap -sV example.com

Probe open ports to determine service and version information. Essential for security auditing.

Aggressive version detection

nmap -sV --version-intensity 9 example.com

Maximum version detection intensity (0-9). Slower but more accurate.

OS detection

sudo nmap -O example.com

Detect operating system. Requires root privileges. Useful for system profiling.

Aggressive scan (OS, version, scripts, traceroute)

sudo nmap -A example.com

Enable OS detection, version detection, script scanning, and traceroute. Comprehensive but intrusive.

Timing and Performance

Paranoid timing (slowest, stealthy)

nmap -T0 example.com

Extremely slow scan to evade IDS. 5-minute delays between probes.

Normal timing (default)

nmap -T3 example.com

Default timing template. Good balance between speed and accuracy.

Aggressive timing (faster)

nmap -T4 example.com

Fast scan for reliable networks. Recommended for most scenarios.

Insane timing (fastest, may miss ports)

nmap -T5 example.com

Maximum speed but may sacrifice accuracy. Use only on fast, reliable networks.

NSE (Nmap Scripting Engine)

Run default scripts

nmap -sC example.com

Run default NSE scripts. Equivalent to --script=default. Safe and informative.

Run specific script

nmap --script http-title example.com

Run single named script. Shows HTTP page titles.

Run script category

nmap --script vuln example.com

Run all vulnerability detection scripts. Categories: safe, intrusive, malware, version, vuln, etc.

Run multiple scripts

nmap --script http-enum,http-headers example.com

Comma-separated list of scripts. Combine specific checks.

Output Formats

Normal output to file

nmap -oN scan_results.txt example.com

Save human-readable output to file. Same format as terminal output.

XML output

nmap -oX scan_results.xml example.com

XML format for programmatic processing and import into other tools.

Grepable output

nmap -oG scan_results.grep example.com

One-line-per-host format that is easy to grep and parse with scripts.
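As an added example (not from the original page or the nmap project), the function below parses a grepable (-oG) file and lists the hosts that have a given port open. The sample file is constructed here to mirror the -oG layout: tab-separated fields, with each entry in the "Ports:" field written as port/state/protocol/owner/service/rpc/version/.

```shell
#!/bin/sh
# Parse nmap grepable output (-oG) and list hosts with a given TCP port open.
# Added example, not part of nmap. The sample file is constructed, not real scan data.

SAMPLE_FILE="$(mktemp)"
printf '# Nmap scan initiated (constructed sample) as: nmap -oG scan_results.grep -p 22,80,443 192.168.1.0/24\n' > "$SAMPLE_FILE"
printf 'Host: 192.168.1.10 ()\tStatus: Up\n' >> "$SAMPLE_FILE"
printf 'Host: 192.168.1.10 ()\tPorts: 22/open/tcp//ssh///, 80/closed/tcp//http///, 443/open/tcp//https///\tIgnored State: filtered (997)\n' >> "$SAMPLE_FILE"
printf 'Host: 192.168.1.20 ()\tStatus: Up\n' >> "$SAMPLE_FILE"
printf 'Host: 192.168.1.20 ()\tPorts: 443/open/tcp//https///\n' >> "$SAMPLE_FILE"
printf '# Nmap done -- 256 IP addresses (2 hosts up) scanned\n' >> "$SAMPLE_FILE"

# hosts_with_open_port FILE PORT -> one IP address per line, sorted, no duplicates
hosts_with_open_port() {
    awk -F'\t' -v want="$2" '
        /^Host:/ {
            # first field looks like "Host: 192.168.1.10 ()"; keep only the address
            ip = $1
            sub(/^Host: /, "", ip)
            sub(/ .*/, "", ip)
            for (i = 2; i <= NF; i++) {
                if ($i !~ /^Ports: /) continue
                ports = $i
                sub(/^Ports: /, "", ports)
                # entries are comma-separated: port/state/proto/owner/service/rpc/version/
                n = split(ports, entry, ", ")
                for (j = 1; j <= n; j++) {
                    split(entry[j], f, "/")
                    if (f[1] == want && f[2] == "open") print ip
                }
            }
        }' "$1" | sort -u
}

# Usage: which hosts in the sample expose port 443?
hosts_with_open_port "$SAMPLE_FILE" 443
```

Point the function at a real scan_results.grep to get the same one-address-per-line list, which can be fed straight into a follow-up scan or an inventory diff.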

Save all formats

nmap -oA scan_results example.com

Save output in normal, XML, and grepable formats simultaneously (scan_results.nmap, scan_results.xml, scan_results.gnmap).

Practical Examples

Quick SSL/TLS certificate check

nmap -p 443 --script ssl-cert,ssl-enum-ciphers -T4 example.com

Fast scan to check certificate details and supported ciphers.

Comprehensive web server audit

nmap -p 80,443 -sV --script "http-*" example.com

Scan HTTP/HTTPS with all HTTP-related NSE scripts. Checks methods, headers, vulnerabilities. Quote the pattern so the shell does not expand the wildcard; note that http-* also includes intrusive scripts.

Check for expired certificates across network

nmap -p 443 --script ssl-cert 192.168.1.0/24 -oA ssl_audit

Scan subnet for HTTPS services and check certificate expiration dates.

Detect weak SSL/TLS configurations

nmap -p 443 --script ssl-enum-ciphers,ssl-dh-params example.com

Identify weak ciphers, deprecated protocols, and weak Diffie-Hellman parameters.
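The XML output format, the subnet certificate audit, and the weak-configuration check above all come together when the scan results are processed programmatically. As an added example (not from the original page or the nmap project), the script below parses nmap XML output and flags certificates that are expired or about to expire, legacy protocol versions, and a poor cipher grade, as reported by the ssl-cert and ssl-enum-ciphers scripts. The sample XML is constructed; the assumed script layout (a "validity" table with notBefore/notAfter under ssl-cert, one table per protocol version plus a "least strength" element under ssl-enum-ciphers) should be checked against the output of your nmap version.

```python
"""Audit TLS findings in nmap XML output (-oX / -oA) from the ssl-cert and
ssl-enum-ciphers scripts. Added example; not part of the nmap project."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

# Constructed sample of nmap XML output for two hosts (not real scan data).
# Assumed layout: ssl-cert emits a "validity" table with notBefore/notAfter,
# ssl-enum-ciphers emits one table per protocol plus a "least strength" elem.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -p 443 --script ssl-cert,ssl-enum-ciphers -oX out.xml 192.168.1.0/24">
  <host>
    <address addr="192.168.1.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="443">
        <state state="open"/>
        <service name="https"/>
        <script id="ssl-cert" output="...">
          <table key="subject"><elem key="commonName">intranet.example.com</elem></table>
          <table key="validity">
            <elem key="notBefore">2023-01-01T00:00:00</elem>
            <elem key="notAfter">2023-12-31T23:59:59</elem>
          </table>
        </script>
        <script id="ssl-enum-ciphers" output="...">
          <table key="TLSv1.0"><table key="ciphers"></table></table>
          <table key="TLSv1.2"><table key="ciphers"></table></table>
          <elem key="least strength">C</elem>
        </script>
      </port>
    </ports>
  </host>
  <host>
    <address addr="192.168.1.20" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="443">
        <state state="open"/>
        <service name="https"/>
        <script id="ssl-cert" output="...">
          <table key="subject"><elem key="commonName">portal.example.com</elem></table>
          <table key="validity">
            <elem key="notBefore">2024-01-01T00:00:00</elem>
            <elem key="notAfter">2099-01-01T00:00:00</elem>
          </table>
        </script>
        <script id="ssl-enum-ciphers" output="...">
          <table key="TLSv1.3"><table key="ciphers"></table></table>
          <elem key="least strength">A</elem>
        </script>
      </port>
    </ports>
  </host>
</nmaprun>
"""

# Protocol versions that should no longer be offered
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}


def audit_tls(xml_text, now=None, warn_days=30):
    """Return a list of (address, port, issue, detail) tuples for open ports."""
    now = now or datetime.now()
    findings = []
    root = ET.fromstring(xml_text)
    for host in root.iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        addr = addr_el.get("addr") if addr_el is not None else "unknown"
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports carry no script output worth auditing
            portid = int(port.get("portid"))
            for script in port.findall("script"):
                sid = script.get("id")
                if sid == "ssl-cert":
                    cn_el = script.find("table[@key='subject']/elem[@key='commonName']")
                    exp_el = script.find("table[@key='validity']/elem[@key='notAfter']")
                    if exp_el is None:
                        continue
                    cn = cn_el.text if cn_el is not None else "?"
                    expiry = datetime.fromisoformat(exp_el.text)
                    if expiry < now:
                        findings.append((addr, portid, "expired", f"{cn} expired {expiry:%Y-%m-%d}"))
                    elif expiry - now <= timedelta(days=warn_days):
                        findings.append((addr, portid, "expiring", f"{cn} expires {expiry:%Y-%m-%d}"))
                elif sid == "ssl-enum-ciphers":
                    for table in script.findall("table"):
                        if table.get("key") in LEGACY_PROTOCOLS:
                            findings.append((addr, portid, "legacy-protocol", table.get("key")))
                    grade_el = script.find("elem[@key='least strength']")
                    if grade_el is not None and grade_el.text != "A":
                        findings.append((addr, portid, "weak-cipher", f"least strength {grade_el.text}"))
    return findings


if __name__ == "__main__":
    for addr, port, issue, detail in audit_tls(SAMPLE_XML):
        print(f"{addr}:{port} {issue}: {detail}")
```

Replace SAMPLE_XML with the contents of ssl_audit.xml from the subnet scan above to get a findings list per host; the warn_days threshold turns the raw validity dates into an actionable renewal queue.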

Important Notes

Legal and Ethical Use

Only scan systems you own or have explicit permission to test. Unauthorized scanning may be illegal.

Firewall and IDS Detection

Scans may trigger intrusion detection systems. Use slower timing templates (-T0 to -T2) for stealth.

Root Privileges

Some scan types (SYN scan, OS detection) require root/administrator privileges. Others work as regular user.

Scan Duration

Full port scans (-p-) can take hours on slow networks. Use --top-ports or -F (fast) for quicker results.

NSE Script Updates

Keep nmap updated for latest vulnerability scripts and detection capabilities. Run nmap --script-updatedb periodically.

False Positives/Negatives

Firewalls, rate limiting, and network conditions can affect scan accuracy. Verify critical findings manually.