Nmap Tutorial Series 3: Advanced Nmap Commands

Time to tackle the third part of the Nmap Tutorial Series. After covering Nmap Basics and Nmap Host Discovery, we are going to look at some more advanced Nmap commands. Sometimes it is necessary to perform scans that will do something else than the TCP scan that Nmap is doing by default. Those more advanced commands are used to detect exotic services or to evade firewalls.

Note: If you want to use Nmap on Windows without the need of installing bare-metal Linux or a virtual machine utilizing the power of WSL 2, we have an entire tutorial series covering how to do that.

Table of Contents

πŸ‘€ This Tutorial has some related Articles!
πŸ‘‰ Part 1 – Nmap Basics
πŸ‘‰ Part 2 – Nmap Host Discovery
πŸ‘‰ Part 3 – Advanced Nmap Commands
πŸ‘‰ Part 4 – Nmap NSE Scripts
πŸ‘‰ Part 5 – Nmap on Windows

Advanced Nmap Commands Overview

First, let’s have an overview of all the advanced Nmap commands.

-sTTCP Connect Scan
-sUUDP Scan
-sXXmas Scan
-sOIP Protocol Scan
-slIdle Scan
Nmap Commands Overview

TCP SYN Scan (-sS)

sudo nmap -sS language: CSS (css)
Nmap TCP Syn Scan

This scan scans for the 1000 most used TCP ports by sending SYN packages to a target and awaiting a response. This Nmap command is more on the stealthy side of things because it doesn’t try to connect to the target, you might be able to avoid being detected when using this command. I say might because it highly depends if the network has an IDS (Intrusion Detection System) in place or not.

TCP Connect Scan (-sT)

nmap -sT language: CSS (css)
Nmap TCP Connect Scan

The TCP Connect scan can be run without sudo, it attempts to establish a plain connection to the target host. This command is noisy, so use it with caution.

UDP Scan (-sU)

sudo nmap -sU language: CSS (css)
Nmap UDP Scan

The UDP Scan is a valuable asset for scanning services that use UDP like DNS and DHCP. I always run a UDP scan to find all the services that don’t use TCP.

πŸ‘€ This Tutorial has some related Articles!
πŸ‘‰ How to get started in Cyber Security – The Complete Guide
πŸ‘‰ How to get started with Bug Bounties
πŸ‘‰ Terminal Customization Series
πŸ‘‰ Best Ethical Hacking Books
πŸ‘‰ Download Kali Linux Safe & Easy
πŸ‘‰ Best Ethical Hacking Tools
πŸ‘‰ Install VSCode on Kali Linux
πŸ‘‰ Dual Boot Kali Linux with Windows
πŸ‘‰ Install Kali Linux on VirtualBox – Complete Beginner Guide
πŸ‘‰ Top Things to do after installing Kali Linux
πŸ‘‰ WiFi Adapter for Kali Linux – The Ultimate Guide
πŸ‘‰ Nmap Beginner Guide Series
πŸ‘‰ Metasploit Tutorial Series
πŸ‘‰ Burp Suite Beginner Guide

TCP NULL Scan (-sN)

sudo nmap -sN language: CSS (css)
Nmap TCP NULL Scan

The TCP NULL Scan sends packets without TCP flags. This method is used to get the firewall to respond to the scan.

TCP FIN Scan (-sF)

sudo nmap -sF language: CSS (css)
Nmap TCP FIN Scan

The TCP FIN Scan is used to get a TCP ACK response from the target. This is just another way to get around a firewall and trigger a response from the target host.

Xmas Scan (-sX)

sudo nmap -sX language: CSS (css)
Nmap Xmas Scan

This funny-sounding scan, a quote from Nmap’s official documentation, β€œSets the FIN, PSH and URG flags, lighting the packet up like a Christmas tree.” describes this scan pretty well. This is used to provoke a response from a target host behind a firewall. It’s obvious that this is a noisy approach.

TCP ACK Scan (-sA)

sudo nmap -sA language: CSS (css)
Nmap TCP ACK Scan

The TCP ACK scan is used to check if a system is protected by a firewall or not. If no RST response is given from the target system, Nmap assumes that the target system is filtered. If the target system returns an RST response, it will be set as unfiltered. Ports being filtered is an indication that the system is behind a firewall. Unfiltered ports are most likely allowed through the firewall through specific rules.

IP protocol Scan (-sO)

sudo nmap -sO language: CSS (css)
Nmap IP Protocol Scan

The IP protocol scan shows all protocols that are supported by the target. This option is mostly used to determine what kind of scans you will run against the target system based on its protocols. You can find a list of all protocols here.

sudo nmap -sZ language: CSS (css)
nmap SCTP Cookie Echo Scan

This scan is a more advanced SCTP scan. It’s a pretty silent way of scanning because it drops packets containing Cookie Echo chunks on open ports, but it does send an Abort response if the port is closed. This scan is pretty silent, although it still can be detected by a well-configured IDS.

Idle Scan (-sI)

sudo nmap -sI<--Zombie Host) language: CSS (css)
Nmap Idle Scan

This scanning method runs a completely blind TCP port scan against the target. There are no packets sent from your own IP address. This technique uses a so-called Zombie Host to gather information about the target. You basically specify a Zombie Host on the network that will send the packets for you, making it hard for IDS to detect your scanner.

I really like this method and use it quite often as it is really stealthy. Note that this scan does not work all the time, as you can see in my example.


This should give you a good of some Advanced Nmap Commands. How often you use those Nmap Commands in the real world highly depends on the scenario. Sometimes simple Nmap scans are enough to detect open ports on most systems.

πŸ‘€ This Tutorial has some related Articles!
πŸ‘‰ Part 1 – Nmap Basics
πŸ‘‰ Part 2 – Nmap Host Discovery
πŸ‘‰ Part 3 – Advanced Nmap Commands
πŸ‘‰ Part 4 – Nmap NSE Scripts
πŸ‘‰ Part 5 – Nmap on Windows

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Share via
Copy link
Powered by Social Snap