Network Scanning Fundamentals
What is Network Scanning?
Network scanning is the systematic probing of computer networks to discover hosts, services, and vulnerabilities. It is a fundamental practice in:
- Security assessments - Identifying attack vectors
- Penetration testing - Simulating attacker reconnaissance
- Network administration - Maintaining asset inventory
- Compliance auditing - Meeting regulatory requirements
How Nmap Works
Nmap sends specially crafted packets to target hosts and analyzes the responses:
- Host Discovery: Determines which IP addresses are active using ping sweeps, ARP requests, or TCP/UDP probes
- Port Scanning: Probes ports to determine their state (open, closed, filtered)
- Service Detection: Identifies applications and versions running on open ports
- OS Fingerprinting: Analyzes TCP/IP stack behavior to guess the operating system
Port States in Nmap
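- Open: A service is accepting connections on the port
- Closed: The port is reachable, but no service is listening
- Filtered: A firewall or packet filter is blocking the probe packets, so Nmap cannot tell whether the port is open
- Unfiltered: The port is reachable, but Nmap cannot tell whether it is open or closed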
Legal Considerations
Authorized scanning only: Scanning networks without permission may violate computer crime laws including the Computer Fraud and Abuse Act (CFAA) in the US and similar laws internationally.
Get written authorization: Before any penetration test or security assessment, obtain explicit written permission defining scope, timing, and allowed techniques.
Common Use Cases
- Penetration Testing: Identify attack surface before exploitation
- Vulnerability Assessment: Find vulnerable services and versions
- Asset Discovery: Inventory all devices on a network segment
- Compliance Scanning: Document network security posture
- Incident Response: Quickly map network during security incidents
Frequently Asked Questions
Common questions about the Nmap Command Builder
Nmap (Network Mapper) is a free, open-source network scanning tool used for network discovery, security auditing, and vulnerability assessment. It can identify live hosts on a network, discover open ports and running services, detect operating systems and software versions, and find security vulnerabilities. Nmap is widely used by security professionals, network administrators, and penetration testers for tasks like asset inventory, compliance scanning, and security assessments.
It depends on the scan type. TCP SYN scans (-sS), UDP scans (-sU), OS detection (-O), and many NSE scripts require root/administrator privileges because they need raw socket access. TCP Connect scans (-sT) can run without elevated privileges since they use standard system calls. Our command builder automatically indicates when sudo/admin access is required and explains why.
TCP SYN scan (-sS) sends a SYN packet and waits for a response without completing the three-way handshake, making it faster and harder to detect. TCP Connect scan (-sT) completes the full TCP handshake, which is slower and more likely to be logged but does not require root privileges. SYN scan is preferred for most security assessments when you have root access.
Scan duration varies significantly based on settings. A quick scan of the top 100 ports on a single host might take seconds, while scanning all 65,535 ports across a large subnet with service detection could take hours. Factors include: number of ports scanned, timing template (-T0 to -T5), service version detection (-sV), OS detection (-O), NSE scripts, and network latency. Use -T4 for faster scans on reliable networks.
Scanning your own networks is generally legal. However, scanning networks you do not own without explicit written permission may violate computer crime laws like the Computer Fraud and Abuse Act (CFAA) in the US. Always obtain authorization before scanning any network. Even authorized scanning should be coordinated with IT/security teams to avoid triggering alerts or causing service disruptions.
The -Pn flag tells Nmap to skip host discovery and treat all specified hosts as online. Use it when hosts are behind firewalls that block ping probes, you are scanning specific hosts you know are active, or ping discovery is giving false negatives. Without -Pn, Nmap first checks if hosts are alive before port scanning, which can miss hosts that block ICMP.
NSE (Nmap Scripting Engine) extends Nmap with Lua scripts for tasks like vulnerability detection, brute force testing, and service enumeration. Use --script with categories (vuln, auth, discovery) or specific script names (http-title, ssl-cert). The -sC flag runs default safe scripts. Examples: --script vuln for vulnerability scanning, --script http-enum for web directory enumeration.
T3 (Normal) is the default and suitable for most internal scans. T4 (Aggressive) works well for fast, reliable networks and is commonly used in penetration testing. T2 (Polite) reduces bandwidth impact for production networks. T0/T1 (Paranoid/Sneaky) are for evading intrusion detection systems but are extremely slow. T5 (Insane) may miss results due to packet loss.
Use NSE vulnerability scripts: --script vuln runs all vulnerability detection scripts, or target a specific vulnerability with a script such as --script smb-vuln-ms17-010 for EternalBlue. Combine with -sV for accurate service version detection. For web applications, use --script http-vuln-*. Always review script descriptions first, as some scripts can crash vulnerable services.
Nmap supports multiple output formats: -oN (normal text), -oX (XML for tools like Metasploit), -oG (grepable for scripting), -oS (script kiddie format), and -oA (all formats at once with a base filename). XML output is best for importing into other security tools. Use -oA scan_results to create scan_results.nmap, scan_results.xml, and scan_results.gnmap files.
ℹ️ Disclaimer
This tool is provided for informational and educational purposes only. All processing happens entirely in your browser - no data is sent to or stored on our servers. While we strive for accuracy, we make no warranties about the completeness or reliability of results. Use at your own discretion.