The Power of Nmap Flags: Understanding Their Functionality and When to Apply Them

Scanning and Host Discovery Flags for Nmap

In this Nmap Flag Guide, we focus on two primary categories of Nmap flags: Scanning Flags and Host Discovery Flags. These flags are fundamental in helping penetration testers gather reconnaissance data and structure their testing approach.

What Are Nmap Flags?

Nmap (Network Mapper) is a command-line tool used for network discovery and security auditing. It allows penetration testers to discover live hosts, open ports, services running on those ports, and various other details about the network and its devices. The commands you issue are customized with flags or command-line parameters that tell Nmap what actions to perform.

Each flag begins with a hyphen and enables specific functionality, such as scanning certain protocols, targeting specific ports, or altering how the results are output. Learning to use flags effectively is key to unlocking the full potential of Nmap and ensuring a successful penetration test.

Why Do Flags Matter for Penetration Testing?

Penetration testing (or pentesting) involves simulating attacks on a network or system to identify vulnerabilities. Nmap flags give pentesters the ability to:

• Perform stealthy scans that evade detection
• Target specific ports or hosts, narrowing the scope of the test
• Control scan speed and output, which is essential in both real-world engagements and certification exams like PenTest+
• Avoid detection by IDS (Intrusion Detection Systems) and firewalls

In this section, we will dive deeper into Scanning Flags and Host Discovery Flags, which form the foundation of any Nmap scan.

Nmap Scanning Flags: A Deep Dive

Scanning Flags are designed to identify open, closed, filtered, or unfiltered ports on a target system. These flags enable penetration testers to understand the attack surface by identifying which ports are accessible and vulnerable.

Common Scanning Flags

1. -sS (TCP SYN Scan)
   • This is the most commonly used and stealthiest scan type. It sends a SYN packet to the target port and waits for a SYN-ACK response, indicating an open port. Since it does not complete the TCP handshake, it is more difficult to detect by firewalls or IDS systems.
   • When to Use: Ideal for reconnaissance where avoiding detection is important.

Command Example:

nmap -sS scanme.nmap.org

1. -sT (TCP Connect Scan)
   • Unlike the SYN scan, the TCP Connect Scan completes the full TCP handshake. It is less stealthy but easier to perform, as it does not require raw socket privileges.
   • When to Use: This is a good choice for Windows environments or when stealth is not a priority.

Command Example:

nmap -sT 192.168.1.1

1. -sU (UDP Scan)
   • This scan type checks for open UDP ports (e.g., DNS, SNMP). UDP scanning is generally slower than TCP but is critical since many services use UDP.
   • When to Use: When you want to discover exposed UDP services.

Command Example:

nmap -sU 192.168.1.1

1. -sA (TCP ACK Scan)
   • The TCP ACK Scan is used to determine if a firewall is stateful and to check if ports are filtered. It works by sending ACK packets and analyzing the responses.
   • When to Use: Useful for mapping out firewall rules and understanding packet filtering behavior.

Command Example:

nmap -sA 192.168.0.1

Why Are Scanning Flags Important?

Scanning flags allow you to:

• Identify attack surfaces by finding open or vulnerable ports.
• Evade detection with stealthier scans, ensuring you remain undetected by firewalls and IDS.
• Collect Layer 4 data (transport layer) to aid in deeper assessments, such as operating system fingerprinting or vulnerability detection.

By using these flags correctly, pentesters can tailor their scans to specific network conditions and goals.

Nmap Host Discovery Flags: Know Your Network

While scanning flags focus on discovering open ports, host discovery flags are used to identify which systems are alive and responding on the network. Knowing which hosts are active is an essential first step before performing detailed port scans or vulnerability assessments.

Common Host Discovery Flags

1. -Pn (No Ping)
   • This flag disables the default ping check, assuming all hosts are up. It is particularly useful when ICMP is blocked or when stealth is a priority.
   • When to Use: When ICMP is blocked by firewalls or when you want to avoid triggering alerts.

Command Example:

nmap -Pn 10.10.0.0/24

1. -sn (Ping Scan / No Port Scan)
   • This flag performs host discovery only, without scanning for open ports. It sends ICMP echo requests or ARP requests to see if hosts are alive.
   • When to Use: To quickly determine which hosts are online before performing more detailed scans.

Command Example:

nmap -sn 10.0.0.1-50

1. -PR (ARP Scan)
   • The ARP Scan sends ARP requests to identify live hosts on local Ethernet networks. It is very fast and accurate on local subnets.
   • When to Use: On local networks where quick, accurate host detection is required.

Command Example:

nmap -PR 192.168.1.0/24

1. -n (No DNS Resolution)
   • This flag skips DNS resolution, which speeds up scans and reduces potential artifacts from DNS queries.
   • When to Use: When DNS names are not relevant or when speed is a priority.

Command Example:

nmap -n scanme.nmap.org

Why Are Host Discovery Flags Important?

• Speed: Host discovery flags help you quickly identify which systems are active, allowing you to focus your scan on relevant targets.
• Stealth: They help you avoid detection by IDS systems or firewalls that may block ICMP or DNS traffic.
• Accurate asset mapping: Knowing which systems are online helps you structure your scan more efficiently and avoid wasting time scanning inactive hosts.

Penetration testers often begin with host discovery, then refine their scope using scanning and service detection flags to gather more granular information.

Port Specification and Service Detection Flags for Nmap

In this Nmap Flag Guide, we dive into Port Specification Flags and Service Detection Flags. These flags are essential for penetration testers, particularly those preparing for exams like CompTIA PenTest+, where these Nmap features play a key role in identifying vulnerabilities and gaining a detailed understanding of the target environment.

Let’s explore these categories of flags and understand how to use them to maximize the effectiveness of your penetration tests.

Port Specification Flags: Target with Precision

Nmap allows you to control which ports you want to scan using Port Specification Flags. Rather than scanning all 65,535 ports (which can be slow and noisy), you can focus on specific ports or ranges, improving scan efficiency and reducing the risk of detection.

Key Port Specification Flags and Use Cases

1. -p (Port Range)
   • The -p flag is used to specify individual ports or a range of ports. It helps narrow down the scan to only the most relevant ports, saving time and focusing your testing.
   • Examples:

Scanning specific ports:

nmap -p 22,80,443 192.168.1.1

•  This command will scan ports 22 (SSH), 80 (HTTP), and 443 (HTTPS) on the target.

Scanning a port range:

nmap -p 1-1024 192.168.1.1

•  This will scan the first 1024 ports (well-known ports).

• When to Use: Use this when you know the target system is using specific ports or when you are focused on a certain service like SSH, HTTP, or HTTPS.

1. -p- (Scan All 65,535 TCP Ports)
   • This flag scans all TCP ports from 1 to 65,535.

Example:

nmap -p- scanme.nmap.org

• When to Use: Use this when you want to perform a thorough scan and ensure no open ports are missed. It’s slower, but comprehensive.

1. -F (Fast Scan)
   • The -F flag scans the top 100 most common ports based on Nmap’s internal database.

Example:

nmap -F 10.10.10.10

• When to Use: Use this when you need quick results for high-probability reconnaissance without waiting for a full scan.

Why Are Port Specification Flags Important?

• Efficiency: Port specification flags help you reduce scan time by focusing on specific ports of interest, allowing you to perform targeted assessments.
• Resource Saving: Scanning fewer ports uses fewer resources and is less likely to trigger alarms or raise suspicions during a penetration test.
• Precision: These flags ensure that you’re only scanning the ports that matter, saving time and focusing on your test’s most critical areas.

Service Detection Flags: What’s Behind Those Ports?

Once you’ve discovered open ports, the next step is to identify the services running on those ports and their versions. Service Detection Flags are used to gather detailed information about these services, which is crucial for vulnerability identification, exploit planning, and further security assessments.

Key Service Detection Flags and Use Cases

1. -sV (Service Version Detection)
   • The -sV flag is the most important for identifying the services running on open ports and the versions of those services.

Example:

nmap -sV -p 21,22,80,443 192.168.0.100

•  This command will scan ports 21 (FTP), 22 (SSH), 80 (HTTP), and 443 (HTTPS) and provide detailed information about the versions of the services running on these ports.
• When to Use: Always use -sV when you want detailed service banners and version information. This is vital for mapping out attack surfaces, identifying outdated software, and preparing exploits.

1. -A (Aggressive Scan)
   • The -A flag combines multiple flags for a comprehensive scan:
     • -O (Operating System detection)
     • -sV (Service version detection)
     • –traceroute (Network path information)
     • –script=default (Runs default scripts for additional checks)

Example:

nmap -A 192.168.1.100

• When to Use: Use -A when you want maximum information quickly during the reconnaissance phase of a pentest or red team assessment.

1. -O (OS Detection)
   • The -O flag detects the operating system of the target by analyzing the TCP/IP stack behavior and packet responses.

Example:

nmap -O scanme.nmap.org

• When to Use: Use -O to tailor exploits to the target’s OS or when evaluating platform-specific vulnerabilities.

Why Are Service Detection Flags Important?

• Vulnerability Identification: Knowing the version of a service helps you match it to known vulnerabilities (CVEs), which is crucial for planning an effective attack.
• Exploit Selection: Identifying services and their versions allows you to choose the right exploit payloads for specific vulnerabilities.
• Service Fingerprinting: Accurate service detection provides deeper insights into the target environment’s functionality, helping you understand the software stack and configuration.
• Efficiency: By using flags like -A and -sV, you can gather comprehensive data in fewer commands, which is especially helpful in time-constrained assessments.

Port and Service Detection in Action: Sample Scenarios

Here are a few practical scenarios where port and service detection flags help pentesters gain actionable reconnaissance.

Scenario 1: Internal Web Application Recon

You’re conducting a penetration test on an internal web application and need to gather information about exposed HTTP services.

Command:

nmap -sS -sV -p 80,443,8080 -oN webscan.txt 192.168.1.50

 

• -sS: Stealth TCP SYN scan
• -sV: Service version detection for HTTP services
• -p 80,443,8080: Focused on common web ports
• -oN: Save output in normal format for review

You’ll get detailed information about the web server (e.g., Apache or nginx), version numbers, and whether HTTPS is supported.

Scenario 2: Network Enumeration in Time-Constrained Assessment

You have only 30 minutes to identify vulnerable systems in a network and need to be fast.

Command:

nmap -F -sV -oG fastscan.gnmap 10.0.0.0/24

 

• -F: Fast scan of the top 100 common ports
• -sV: Service version detection to identify vulnerable services quickly
• -oG: Save results in a greppable format for quick parsing

This allows you to capture important service information quickly, reducing the time spent scanning.

Scenario 3: Full OS and Service Fingerprinting

You’re performing a detailed reconnaissance during a penetration test and want to gather as much information as possible.

Command:

nmap -A -p- -oA full_recon 10.10.10.10

 

• -A: Aggressive scan for maximum detail (OS detection, service versions, traceroute)
• -p-: Scan all 65,535 TCP ports
• -oA: Save the output in normal, XML, and greppable formats for later analysis

This command provides a comprehensive overview of the target system, including OS, services, open ports, and network path details.

Best Practices for Port and Service Detection Flags

• Use -p to limit your scan scope and reduce scan time. This helps you focus only on critical ports.
• Always follow -p with -sV to identify the services running on those ports. This gives you more context for vulnerability assessment.
• Use -A sparingly. While it’s a great flag for rapid reconnaissance, it can be noisy and may trigger alerts in a sensitive environment.
• Service version detection should be a standard part of any scan, as it helps you identify vulnerabilities based on software versions.

Output Format Flags for Nmap

In Part 3 of our Nmap Flag Guide, we’ll explore Output Format Flags, a critical area for penetration testers and those preparing for certifications like CompTIA PenTest+. These flags help you capture scan results in various formats that are useful for further analysis, reporting, and integration with other tools. Whether you’re delivering findings to clients or making your results more usable for automation, mastering Nmap’s output formatting features is essential.

Why Output Matters in Penetration Testing

Output formatting is a crucial part of penetration testing because:

• Documentation: Penetration testers need to document their findings in a clear, concise manner for clients or stakeholders.
• Integration: Scan results can be used with other security tools, such as vulnerability scanners or exploit frameworks.
• Report Creation: Well-organized output is essential for creating readable reports, whether for internal use or to share with clients.
• PenTest+ Exam: During the CompTIA PenTest+ certification, you may be asked questions about interpreting and using Nmap output in real-world scenarios.

In this part, we will explore the various ways to format your Nmap output, including normal, XML, grepable, and all-in-one formats.

The Main Output Format Flags in Nmap

Nmap offers several output formats that allow you to capture scan results in a way that is suitable for different use cases. Let’s take a look at each of the main output format flags.

1. -oN: Normal Output Format

• Description: The -oN flag saves the scan results in a human-readable, plain-text format. It is similar to the output you would normally see in the terminal.
• Use Case: Ideal for manual review and report writing. This format is easy to copy/paste into documents and is good for explaining results to non-technical stakeholders.

Example:

nmap -sV -oN internal_network.txt 192.168.1.1

 

• Explanation: This command scans for service versions (-sV) on the target 192.168.1.1 and saves the output in a normal text format as internal_network.txt.

2. -oX: XML Output

• Description: The -oX flag generates output in XML format, making it easy to parse programmatically. This format is machine-readable and can be used for integration with other tools like SIEM systems, vulnerability scanners, and exploit frameworks.
• Use Case: Perfect for importing the results into other automated systems or using tools like Metasploit and Nessus for further analysis.

Example:

nmap -sV -oX output.xml scanme.nmap.org

 

• Explanation: This command performs a version detection scan (-sV) and saves the results in XML format as output.xml.

3. -oG: Grepable Output

• Description: The -oG flag outputs the results in a simplified, grepable format. This format is suitable for quick parsing with command-line tools like grep, awk, and sed. It is especially helpful when you need to extract specific information, such as open ports or service banners, and use it in scripts.
• Use Case: Ideal for quick filtering or extracting specific data using command-line tools, especially when handling large datasets.

Example:

nmap -sV -oG open_ports.gnmap 192.168.0.0/24

 

• Explanation: This command performs a service version scan (-sV) across the 192.168.0.0/24 subnet and saves the output in grepable format as open_ports.gnmap.

4. -oA: All Output Formats

• Description: The -oA flag saves the scan results in all available formats: normal, XML, and grepable. This is incredibly useful if you need to keep comprehensive records in multiple formats for analysis, automation, or reporting.
• Use Case: Ideal for thorough documentation when you want to capture all scan data in multiple formats, ensuring flexibility for future analysis.

Example:

nmap -A -p 22,80,443 -oA company_network 192.168.10.0/24

 

• Explanation: This command runs an aggressive scan (-A) on ports 22, 80, 443 and saves the output in normal, XML, and grepable formats as files with the prefix company_network.

Additional Output Tips and Tricks

Adding Timestamps and Labels to Output

For better organization, you can add timestamps to the filenames when saving output. This is helpful for tracking scan history or creating versions of your reports.

Example:

nmap -sS -oA pentest_scan_$(date +%F) 192.168.1.100

 

• Explanation: This command adds the current date to the output filename, creating files like pentest_scan_2025-05-09.nmap, pentest_scan_2025-05-09.xml, and pentest_scan_2025-05-09.gnmap.

Why Output Format Flags Matter

Output flags are not just about how the scan results are displayed—they are integral to the following tasks:

• Documentation: Generate clear, organized reports to share with stakeholders, security teams, or clients.
• Automation: Convert scan results into a format that other tools can use for further processing, such as integrating with vulnerability scanners or SIEM platforms.
• Analysis: Quickly sift through results with grepable output to filter and focus on key findings, such as open ports, vulnerabilities, or specific services.
• PenTest+ Exam: Understanding output formats is essential for exam scenarios where you might need to analyze or manipulate scan results as part of your response.

Sample Scenario: Enterprise Port Audit

Let’s consider an example where you’re performing a port audit across 50 internal systems and need to save the results for later analysis.

Command:

nmap -sS -sV -T3 -p 1-1024 -oA internal_audit 10.0.0.1-50

 

• -sS: Stealth scan for identifying open ports
• -sV: Service version detection
• -T3: Balanced scan speed
• -p 1-1024: Scan well-known ports (ports 1-1024)
• -oA internal_audit: Save output in all formats (normal, XML, grepable)

In this scenario, you’ll be able to review and process your findings in any format that suits your needs.

Best Practices for Output Flag Use

• Always use -oA in final scans or when working on larger engagements. This ensures you have comprehensive records in all formats for analysis, reporting, and documentation.
• Use timestamps in filenames when conducting multiple scans or managing long-term projects. This helps track your scans chronologically.
• Use -oX for integration with other tools, such as Metasploit or vulnerability management platforms.
• For quick parsing or extraction, rely on -oG. This allows you to easily pull specific details, such as open ports or service versions, from large scan results.
• When preparing a penetration testing report, it’s often a good idea to combine -oN (for a human-readable format) and -oX (for automation or tool integration) to create a thorough and accessible report.

Why Timing and Evasion Matter in Penetration Testing

When performing penetration tests, especially against well-secured or monitored networks, you need to take steps to avoid detection by Intrusion Detection Systems (IDS), firewalls, and other security mechanisms. Many security systems can detect scans by recognizing patterns, such as high-speed scanning or repeated probes.

Using timing and evasion techniques, Nmap provides ways to:

• Control scan speed and make the scan more stealthy
• Randomize scan order to avoid triggering alarms
• Spoof source addresses to obscure the origin of the scan
• Fragment packets to confuse packet inspection systems

By mastering these techniques, penetration testers can avoid detection and complete their assessments before getting blocked.

Timing Templates: The -T Flag

Nmap’s -T flag allows you to control the timing and aggressiveness of a scan. It ranges from T0 (slowest) to T5 (fastest), with each setting affecting how quickly Nmap sends probes and how often.

Timing Templates Overview

• -T0 (Paranoid): This setting is the slowest and most stealthy. It is useful when you suspect security monitoring or need to avoid detection at all costs.
• -T1 (Sneaky): Slightly faster than T0, still stealthy and good for evading detection.
• -T2 (Polite): A slower scan, which is less aggressive and can bypass certain IDS/IPS systems.
• -T3 (Normal): The default timing template. Balanced between speed and stealth.
• -T4 (Aggressive): A much faster scan that may trigger alarms but is useful for internal networks or quick assessments.
• -T5 (Insane): The fastest scan, very aggressive, and likely to be detected by IDS/IPS systems.

Example:

nmap -sS -T2 -oA stealth_scan 192.168.1.100

 

• -T2: This tells Nmap to perform a polite scan, which is slower but more stealthy, reducing the likelihood of detection.
• -sS: Uses the SYN scan (stealth scan).
• -oA: Saves the results in normal, XML, and grepable formats.

When to Use: For red team engagements or stealthy assessments, use -T0 or -T1 to stay under the radar. For internal networks or fast assessments, -T4 or -T5 may be appropriate.

Evasion Flags for IDS/Firewall Bypass

Many modern networks employ security mechanisms such as firewalls and IDS/IPS systems that monitor and block scanning activities. Nmap provides several evasion flags to bypass these systems by modifying the way the scan is conducted.

Key Evasion Flags

1. -f (Fragment Packets)
   • This flag fragments the packets into smaller pieces, making it more difficult for IDS/IPS systems to reassemble and detect the scan.

Example:

nmap -sS -f 192.168.1.1

• When to Use: When scanning networks with firewalls or IDS systems that inspect traffic at a packet level.

1. –mtu (Set Maximum Transmission Unit)
   • Adjusts the size of the packets sent. Using smaller packets can reduce detection, but may affect the accuracy of the scan.

Example:

nmap –mtu 32 192.168.1.1

• When to Use: For evading detection when the network is using strict packet inspection.

1. –data-length
   • This flag appends random data to the packets, confusing IDS systems and making it harder for them to detect the scan.

Example:

nmap -sS –data-length 50 192.168.1.1

• When to Use: When you want to add noise to your packets to avoid detection.

1. -D (Decoy Mode)
   • This flag uses decoy IP addresses, making it harder to determine which IP address is the real source of the scan.

Example:

nmap -sS -D 10.0.0.5,10.0.0.6,ME 192.168.1.1

• When to Use: Use when you want to obfuscate your true scanning source and make detection harder.

1. -S (Spoof Source Address)
   • Spoofs the source IP address. This only works if you control the routing, but it can make it seem as though the scan is coming from a different system.

Example:

nmap -S 10.0.0.99 192.168.1.1

• When to Use: For hiding your scanning source, useful in advanced red team assessments or testing firewall rule configurations.

1. –source-port
   • Sends packets from a specific source port, such as port 53 (DNS), which may be whitelisted on firewalls.

Example:

nmap -sS –source-port 53 192.168.1.1

• When to Use: To bypass firewalls that whitelist specific ports (like DNS or HTTP).

Nmap Scripting Engine (NSE): Extend Your Capabilities

The Nmap Scripting Engine (NSE) is one of Nmap’s most powerful features. It allows penetration testers to run custom or predefined scripts for a variety of purposes:

• Service enumeration
• Vulnerability detection
• Authentication brute-forcing
• Exploit simulation
• Malware detection

Scripts are categorized and stored in Nmap’s script repository, and they can be used to automate various aspects of the reconnaissance and exploitation phases of a penetration test.

Running NSE Scripts

1. -sC (Default Script Set)
   • This flag runs a set of default scripts, including basic service enumeration and vulnerability detection.

Example:

nmap -sC 192.168.1.1

• When to Use: When you want to gather general information about a target without specifying individual scripts.

1. –script (Specify Custom Script)
   • This allows you to run specific NSE scripts. Scripts can be identified by name or category.

Example:

nmap –script http-vuln-cve2021-26855 -p 443 192.168.1.1

• When to Use: When you want to run a specific vulnerability scan, such as checking for CVE-2021-26855 (Microsoft Exchange vulnerability).

1. –script-args (Pass Arguments to Scripts)
   • You can pass arguments to scripts to customize their behavior, such as providing username and password lists for brute-forcing.

Example:

nmap –script http-brute –script-args userdb=users.txt,passdb=passwords.txt -p 80 192.168.1.1

• When to Use: When you need to customize the attack, like providing lists for brute-force attacks.

1. –script-help (Show Script Help)
   • This flag shows detailed help and usage information for a specific NSE script.

Example:

nmap –script-help smb-os-discovery

Practical NSE Script Examples

Vulnerability Check:

nmap –script vuln 192.168.1.100

1.  This command runs all scripts in the vuln category to check for known vulnerabilities.

Heartbleed Detection:

nmap -p 443 –script ssl-heartbleed 192.168.1.1

1.  This checks if the target is vulnerable to the Heartbleed bug in OpenSSL.

HTTP Enumeration:

nmap –script http-enum -p 80 192.168.1.10

1.  This script lists web directories and potentially sensitive endpoints.

Real-World Pentest Strategy: A Combined Example

Let’s combine timing, evasion, and NSE scripts in a stealthy and comprehensive scan. This scenario simulates a red team engagement where you need to avoid detection while gathering as much information as possible.

Command:

nmap -sS -sV -T2 -f -D 192.168.1.10,192.168.1.11,ME –script vuln -oA stealth_report 10.0.0.1-10

 

What This Does:

• -sS: Stealthy TCP SYN scan to avoid detection.
• -sV: Perform service version detection for detailed insights into open services.
• -T2: Use polite timing to slow down the scan and avoid triggering alerts.
• -f: Fragment packets to make it harder for IDS systems to detect.
• -D: Use decoy IP addresses (192.168.1.10, 192.168.1.11) and obfuscate the real source (“ME”).
• –script vuln: Run scripts from the vuln category to check for common vulnerabilities.
• -oA: Save output in all formats (normal, XML, grepable).

This approach ensures a thorough, stealthy assessment while remaining undetected by security systems.

Final Thoughts

Nmap is an essential tool for penetration testers, providing the ability to conduct thorough network reconnaissance, identify vulnerabilities, and evade detection. Mastering its diverse set of flags allows security professionals to tailor scans to specific targets, control scan speed, and navigate complex environments with precision. From basic host discovery to advanced evasion techniques and the power of the Nmap Scripting Engine (NSE), Nmap offers a vast array of features that enable detailed vulnerability assessments and stealthy penetration testing. Understanding when and how to use flags like -sV, -T2, and -A can significantly enhance your ability to uncover critical vulnerabilities while avoiding detection. With the right skills and strategies, penetration testers can harness Nmap to perform highly effective assessments, whether preparing for certification exams like CompTIA PenTest+ or executing real-world security assessments. Practicing different flag combinations and leveraging advanced techniques will ensure you are ready for any scenario, empowering you to stay ahead of the ever-evolving threat landscape.