nmap Command Switches

Nmap is a free, open source tool that quickly and efficiently performs ping sweeps, port scanning, service identification, IP address detection, and operating system detection. Nmap has the benefit of scanning a large number of machines in a single session. It's supported by many operating systems, including Unix, Windows, and Linux.
The state of the port as determined by an nmap scan can be open, filtered, or unfiltered. Open means that the target machine accepts incoming request on that port. Filteredmeans a firewall or network filter is screening the port and preventing nmap from discovering whether it's open. Unfiltered mean the port is determined to be closed, and no firewall or filter is interfering with the nmap requests.
Nmap supports several types of scans. Table 1 details some of the common scan methods.
Table 1: Nmap scan types 
Nmap scan type
TCP connect
The attacker makes a full TCP connection to the target system. The most reliable scan type but also the most detectable. Open ports reply with a SYN/ACK while closed ports reply with a RST/ACK.
XMAS tree scan
The attacker checks for TCP services by sending XMAS-tree packets, which are named as such because all the "lights" are on, meaning the FINURG, and PSHflags are set (the meaning of the flags will be discussed later in this chapter). Closed ports reply with a RST flag.
SYN stealth scan
This is also known as half-open scanning. The hacker sends a SYN packet and receives a SYN-ACK back from the server. It's stealthy because a full TCP connection isn't opened. Open ports reply with a SYN/ACK while closed ports reply with a RST/ACK.
Null scan
This is an advanced scan that may be able to pass through firewalls undetected or modified. Null scan has all flags off or not set. It only works on Unix systems. Closed ports will return a RST flag.
Windows scan
This type of scan is similar to the ACK scan and can also detect open ports.
ACK scan
This type of scan is used to map out firewall rules. ACK scan only works on Unix. The port is considered filtered by firewall rules if an ICMP destination unreachable message is received as a result of the ACK scan.
The nmap command has numerous switches to perform different types of scans. The common command switches are listed in Table 2.
Table 2: Common nmap command switches 
nmap command switch
Scan performed
TCP connect scan
SYN scan
FIN scan
XMAS tree scan
Null scan
Ping scan
UDP scan
Protocol scan
ACK scan
Windows scan
RPC scan
List/DNS scan
Idle scan
Don't ping
TCP ping
SYN ping
ICMP ping
TCP and ICMP ping
ICMP timestamp
ICMP netmask
Normal output
XML output
Greppable output
All output
-T Paranoid
Serial scan; 300 sec between scans
-T Sneaky
Serial scan; 15 sec between scans
-T Polite
Serial scan; .4 sec between scans
-T Normal
Parallel scan
-T Aggressive
Parallel scan, 300 sec timeout, and 1.25 sec/probe
-T Insane
Parallel scan, 75 sec timeout, and .3 sec/probe
To perform an nmap scan, at the Windows command prompt type Nmap IPaddress followed by any command switches used to perform specific type of scans. For example, to scan the host with the IP address using a TCP connect scan type, enter this command:
Nmap -sT
Make sure you're familiar with the different types of nmap scans, the syntax to run nmap, and how to analyze nmap results. The syntax and switches used by the nmap command will be tested on the CEH exam.


  1. I get a lot of great information from this blog. Thanks for sharing this valuable information to our vision. You have posted a trust worthy blog keep sharing.
    Hacking Training | Best Hacking Course in India

  2. Nice Article! Indian Cyber Army's is now coming up with Summer Internship in cyber crime investigation and ethical hacking which is is live now


Popular Posts