nmap Command Builder
Build an nmap scan command with target, port range, scan type and service detection.
nmap in depth: scan types, NSE scripting, and authorised reconnaissance
nmap (Network Mapper) was created by Gordon Lyon (Fyodor) in 1997 and remains the canonical tool for network discovery and security auditing. It can identify live hosts, enumerate open ports, fingerprint operating systems, detect application versions, and run sophisticated checks through the NSE (Nmap Scripting Engine). It is used daily by sysadmins to inventory networks, by blue teams to validate firewall rules, and by red teams under formal scope. This generator helps you build a syntactically valid command; the legal and ethical responsibility for scanning only authorised targets always lies with you.
Scan types
-sS: TCP SYN, the default when run as root; half-open, so the target application never sees a completed connection and is less likely to log it
-sT: full TCP connect(); no root needed, but noisier, since every accepted connection is visible to (and may be logged by) the target service
-sU: UDP scan; slow, and open ports often show as open|filtered because most UDP services do not answer an empty probe (a source of false negatives)
-sA: TCP ACK; does not tell open from closed, but shows which ports a stateful firewall filters, so it is used to map firewall rules
-sN/-sF/-sX: NULL/FIN/Xmas; occasionally slip past stateless packet filters, but useless against Windows, which answers all three with RST whatever the port state
-sn: host discovery only (no port scan); good for inventories
-Pn: skip host discovery and treat every address as up; needed when ICMP and the default discovery probes are blocked, otherwise live hosts are silently skipped
-PR: ARP ping, used automatically on the local Ethernet segment; an IP firewall cannot filter it, because a host must answer ARP to talk at all
Port specification, timing, and detection
Choose ports with -p 80,443,1000-2000, all 65535 ports with -p-, or the N most common with --top-ports 100 (without any port option nmap scans the 1000 most common). Timing templates run from -T0 (paranoid: one probe every five minutes, meant to stay under IDS thresholds, and taking hours or days) through -T3 (normal, the default) to -T5 (insane, so aggressive that it drops results on slow or lossy links); -T4 is the usual choice on fast, reliable networks. For service and OS information add -sV (version detection, tunable with --version-intensity 0-9), -O (OS fingerprinting, requires root and is only reliable when the host has at least one open and one closed port) or -A (aggressive: equivalent to -sV -O -sC --traceroute).
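What the builder above does can be written out as a shell function. The following is an added example, not the page's generator code and not part of nmap: it takes the four inputs (target, port spec, scan type, version detection), validates each before interpolating it, adds sudo only for the scan types that need raw sockets, and prints the command rather than running it, so the operator can check the scope before pressing enter. The function names and the validation rules are this example's own choices.

```shell
#!/bin/sh
# Added example: a minimal nmap command builder. Not the page's generator
# code. It assembles one command line from four inputs, refuses anything that
# is not syntactically valid, and prints the result instead of executing it.

# Accept "80,443,1000-2000" style port lists (each port 1-65535, ranges
# ascending) or "-" for all ports. Parentheses make the body a subshell, so
# the IFS change and the loop variables stay local to this function.
valid_port_spec() (
    [ "$1" = "-" ] && return 0
    IFS=,
    for item in $1; do
        lo=${item%-*}; hi=${item#*-}
        for n in "$lo" "$hi"; do
            case $n in ''|*[!0-9]*) return 1 ;; esac
            [ "$n" -ge 1 ] && [ "$n" -le 65535 ] || return 1
        done
        [ "$lo" -le "$hi" ] || return 1
    done
    return 0
)

# usage: build_nmap_cmd TARGET PORTS SCANTYPE VERSION_DETECTION
#   TARGET             hostname, IPv4 address or IPv4 CIDR
#   PORTS              port list as above, or "-" for all ports
#   SCANTYPE           sS|sT|sU|sA|sN|sF|sX (without the leading dash)
#   VERSION_DETECTION  yes|no (yes adds -sV)
build_nmap_cmd() {
    target=$1 ports=$2 scantype=$3 versiondet=$4

    # Only hostname/IP/CIDR characters, and no leading dash (nmap would
    # otherwise read the "target" as an option). A value such as
    # "10.0.0.5; rm -rf /" is rejected rather than handed to a shell.
    case $target in
        ""|-*|*[!A-Za-z0-9./-]*)
            printf 'invalid target: %s\n' "$target" >&2; return 1 ;;
    esac

    valid_port_spec "$ports" || { printf 'invalid port spec: %s\n' "$ports" >&2; return 1; }

    # Raw-socket scans need root; only those get a sudo prefix.
    case $scantype in
        sS|sU|sA|sN|sF|sX) prefix="sudo " ;;
        sT)                prefix="" ;;
        *) printf 'unknown scan type: %s\n' "$scantype" >&2; return 1 ;;
    esac

    cmd="${prefix}nmap -$scantype"
    if [ "$versiondet" = yes ]; then cmd="$cmd -sV"; fi
    if [ "$ports" = "-" ]; then cmd="$cmd -p-"; else cmd="$cmd -p $ports"; fi
    printf '%s\n' "$cmd $target"
}

# Stand-alone demo with the values used in the worked examples on this page.
build_nmap_cmd 192.168.1.0/24 80,443,1000-2000 sS yes
```

The function deliberately prints and does not execute: a builder that runs whatever it assembled turns an input-validation slip into a scan of the wrong scope.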
NSE (Nmap Scripting Engine)
NSE is a Lua engine bundled with nmap. It ships with hundreds of scripts grouped in categories (default, safe, discovery, vuln, exploit, brute, intrusive and others); --script accepts script names, categories, wildcards, or boolean expressions over them. Examples:
--script default # the scripts that -sC runs
--script vuln # checks for known vulnerabilities; many of these are intrusive
--script http-enum # enumerate common web paths and applications
--script "smb-vuln-*" # SMB vulnerability checks (MS17-010 and others); quote the wildcard so the shell does not expand it
--script ssl-enum-ciphers # enumerate and grade TLS protocol versions and cipher suites
--script ssh-auth-methods # list the authentication methods the SSH server offers
--script "default and safe" # boolean expression over categories
--script-help "smb-vuln-*" # read what a script does and which arguments it takes before running it
The vuln, exploit, brute and intrusive categories (anything outside safe) can crash fragile services, lock out accounts, and leave obvious traces in logs; run them only on authorised targets.
Output and reporting
-oN file.txt # human-readable
-oX file.xml # XML (ideal to feed pipelines, Metasploit, etc.)
-oG file.gnmap # grepable
-oA prefix # all three at once
--reason # show why each port is in that state
-v / -vv # verbosity
--open # show only open ports
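The grepable format is the easiest to post-process with standard Unix tools. The following is an added example, not nmap's code or the page's: it parses -oG output and prints the open ports per host, then filters by service. The sample scan lines embedded in the block are constructed for the example (not a real scan), and the helper names are this example's own.

```shell
#!/bin/sh
# Added example (not from nmap or the page): extract open ports from grepable
# (-oG) output, the format -oA writes to prefix.gnmap. Each "Host:" line is
# tab-separated; its "Ports:" field lists entries of the form
#   port/state/protocol/owner/service/rpcinfo/version/
# separated by ", ".

# Constructed sample output for the example; not a real scan.
sample_gnmap() {
    printf '%s\n' '# Nmap 7.94 scan initiated Mon Jan  1 12:00:00 2024 as: nmap -sS -sV -oG scan.gnmap 10.0.0.0/29'
    printf 'Host: 10.0.0.5 (host5.example.com)\tStatus: Up\n'
    printf 'Host: 10.0.0.5 (host5.example.com)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/open/tcp//http//nginx 1.18.0/, 443/closed/tcp//https///\tIgnored State: filtered (997)\n'
    printf 'Host: 10.0.0.6 ()\tStatus: Up\n'
    printf 'Host: 10.0.0.6 ()\tPorts: 3389/open/tcp//ms-wbt-server//Microsoft Terminal Services/\tIgnored State: closed (999)\n'
    printf '%s\n' '# Nmap done at Mon Jan  1 12:00:30 2024 -- 8 IP addresses (2 hosts up) scanned in 30.12 seconds'
}

# Reads gnmap on stdin; prints "ip port/proto service version" per open port.
open_ports_from_gnmap() {
    awk -F'\t' '
        /^Host:/ {
            split($1, h, " "); ip = h[2]          # "Host: 10.0.0.5 (name)"
            for (i = 2; i <= NF; i++) {
                if ($i !~ /^Ports: /) continue
                n = split(substr($i, 8), entries, ", ")   # drop the "Ports: " prefix
                for (j = 1; j <= n; j++) {
                    split(entries[j], f, "/")
                    # f[1]=port f[2]=state f[3]=protocol f[5]=service f[7]=version
                    if (f[2] == "open")
                        printf "%s %s/%s %s %s\n", ip, f[1], f[3], f[5], f[7]
                }
            }
        }'
}

# Which hosts expose a given service name? Reads gnmap on stdin.
hosts_with_service() {
    open_ports_from_gnmap | awk -v svc="$1" '$3 == svc { print $1 }'
}

# Stand-alone demo: list every open port in the sample scan.
sample_gnmap | open_ports_from_gnmap
```

Replace sample_gnmap with `cat prefix.gnmap` for a real run; the same pipeline feeds a follow-up such as `nmap -sV -p <ports>` on just the hosts that answered.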
Worked examples
# Fast TCP scan with version detection
sudo nmap -sS -sV --top-ports 1000 -T4 192.168.1.0/24
# Full scan + scripts + OS fingerprint (slow but complete)
sudo nmap -p- -A -T4 -oA full-scan target.example.com
# Discover live hosts on a /24 without touching ports
sudo nmap -sn 10.0.0.0/24
# Vulnerability scan (NSE)
sudo nmap -sV --script vuln 10.0.0.5
# UDP top 50 (slow!)
sudo nmap -sU --top-ports 50 -T4 192.168.1.1
Alternatives and complements
masscan (asynchronous, SYN only; its README claims the whole IPv4 address space in under six minutes at about 10 million packets per second on suitable hardware) is handy for first-pass triage, but it offers only basic banner grabbing, not nmap-style version detection, so the usual pattern is masscan for discovery and then nmap -sV on the hits. RustScan wraps nmap with a much faster TCP port-discovery phase. ZMap targets Internet-wide research scanning. Zenmap, the bundled GUI, stalled on Python 2 for years and was dropped by some distributions before being ported to Python 3 in the 7.9x releases; for vulnerability correlation on the CLI, the vulners NSE script matches -sV results against the Vulners database, and for reporting most teams build dashboards on top of the XML output.
Legal and ethical use
Port-scanning hosts you do not own or are not authorised to test is a crime in most countries. In the United States the CFAA covers unauthorised access; in Brazil, Lei 12.737/2012 (invasion of a computer device) applies. Even non-intrusive scans can trigger IDS alerts, contractual violations, or ISP abuse complaints. Always: (1) get written authorisation; (2) record scope, IP ranges and time windows in the rules of engagement; (3) follow the cloud provider's penetration-testing policy (AWS, Azure and GCP no longer require pre-approval for most tests, but each publishes rules on what is allowed); (4) prefer bug-bounty programs (HackerOne, Bugcrowd) whose scope is explicit.
FAQ
Is it legal to scan the Internet? No: you need authorisation from each owner, or an explicit bug-bounty or research programme that permits it.
How long does a full scan take? nmap -p- -T4 against a single host ranges from a minute or two for a responsive LAN host to tens of minutes over the Internet, and far longer when most ports are filtered, because each unanswered probe waits for a timeout; -A adds version and OS detection on top. On a /24 expect anything from tens of minutes to hours; masscan first (or a fast -sS -p- pass), then nmap -sV on the hits, is faster.
Does OS detection always work? No: firewalls, NAT and modern TCP stacks frequently confuse the fingerprint, and -O needs at least one open and one closed port to be reliable. nmap reports a probability (or several candidates with --osscan-guess); combine it with version detection.
What is the difference between -sS and -sT? -sS sends raw SYN packets and never completes the handshake (half-open): it needs root, and the target application never sees a connection, so application logs stay quiet (a firewall or IDS still sees the SYN). -sT uses the kernel's connect() syscall: no root required, but the handshake completes, so the target service sees and may log each connection.
How do I avoid being blocked by IDS? Slower timing (-T1/-T2, or an explicit --scan-delay), randomised host order (--randomize-hosts), decoys (-D RND:10, which mixes your probes with spoofed sources and requires root), and spreading the scan over time all reduce the chance of tripping thresholds. None of this makes an unauthorised scan legal.