--script filename|category|directory|expression|all[,...]
Runs a script scan using the comma-separated list of filenames, script categories, and directories.
Each element in the list may also be a Boolean expression describing a more complex set of scripts.
Each element is interpreted first as an expression, then as a category, and finally as a file or
directory name. The special argument all makes every script in Nmap's script database eligible to
run. The all argument should be used with caution as NSE may contain dangerous scripts including
exploits, brute force authentication crackers, and denial of service attacks.
File and directory names may be relative or absolute. Absolute names are used directly. Relative
paths are looked for in the following places until found:
~/.nmap (not searched on Windows)
the current directory
A scripts subdirectory is also tried in each of these.
When a directory name is given, Nmap loads every file in the directory whose name ends with .nse. All
other files are ignored and directories are not searched recursively. When a filename is given, it
does not have to have the .nse extension; it will be added automatically if necessary. Nmap scripts
are stored in a scripts subdirectory of the Nmap data directory by default (see
For efficiency, scripts are indexed in a database stored in scripts/script.db, which lists the
category or categories in which each script belongs. When referring to scripts from script.db by
name, you can use a shell-style ‘*’ wildcard.
nmap --script "http-*"
Loads all scripts whose name starts with http-, such as http-auth.nse and http-open-proxy.nse.
The argument to --script had to be in quotes to protect the wildcard from the shell.
More complicated script selection can be done using the and, or, and not operators to build Boolean
expressions. The operators have the same precedence as in Lua: not is the highest, followed by
and and then or. You can alter precedence by using parentheses. Because expressions contain space
characters it is necessary to quote them.
nmap --script "not intrusive"
Loads every script except for those in the intrusive category.
nmap --script "default or safe"
This is functionally equivalent to nmap --script "default,safe". It loads all scripts that are in
the default category or the safe category or both.
nmap --script "default and safe"
Loads those scripts that are in both the default and safe categories.
nmap --script "(default or safe or intrusive) and not http-*"
Loads scripts in the default, safe, or intrusive categories, except for those whose names start
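
The precedence, wildcard and comma rules described above can be checked offline before a scan is run, which helps confirm that an expression does not pull in intrusive scripts by accident. The following Python sketch is an added example, not Nmap's own code: SAMPLE_DB is a constructed stand-in for script.db, and select_scripts and the example-* script names are hypothetical.

```python
import fnmatch
import re

# Constructed stand-in for scripts/script.db; categories are sample data only.
SAMPLE_DB = {
    "http-auth": {"auth", "default", "safe"},
    "http-open-proxy": {"default", "discovery", "external", "safe"},
    "http-example-dos": {"dos", "intrusive"},
    "example-banner": {"discovery", "safe"},
    "example-brute": {"brute", "intrusive"},
}

def _matches(tokens, name, cats):
    """Evaluate one Boolean expression for one script (not > and > or)."""
    pos = 0
    def take():
        nonlocal pos
        if pos >= len(tokens):
            raise ValueError("unexpected end of expression")
        pos += 1
        return tokens[pos - 1]
    def chain(op, operand):  # left-associative run of a single operator
        value = operand()
        while pos < len(tokens) and tokens[pos] == op:
            take()
            rhs = operand()  # always parse the operand, then combine
            value = (value or rhs) if op == "or" else (value and rhs)
        return value
    def unary():
        tok = take()
        if tok == "not":
            return not unary()
        if tok == "(":
            value = expression()
            if take() != ")":
                raise ValueError("missing ')'")
            return value
        return tok == "all" or tok in cats or fnmatch.fnmatchcase(name, tok)
    def expression():
        return chain("or", lambda: chain("and", unary))
    result = expression()
    if pos != len(tokens):
        raise ValueError("unexpected token %r" % tokens[pos])
    return result

def select_scripts(spec, db=SAMPLE_DB):
    """Names a --script argument would select; commas act like 'or'."""
    exprs = [re.findall(r"[()]|[^\s()]+", e) for e in spec.split(",") if e.strip()]
    return sorted(n for n, c in db.items() if any(_matches(t, n, c) for t in exprs))
```

Dropping the parentheses from the last expression changes the result, because and binds tighter than or.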
-p port ranges (Only scan specified ports)
This option specifies which ports you want to scan and overrides the default. Individual port numbers
are OK, as are ranges separated by a hyphen (e.g. 1-1023). The beginning and/or end values of a
range may be omitted, causing Nmap to use 1 and 65535, respectively. So you can specify -p- to scan
ports from 1 through 65535. Scanning port zero is allowed if you specify it explicitly. For IP
protocol scanning (-sO), this option specifies the protocol numbers you wish to scan for (0–255).
When scanning both TCP and UDP ports, you can specify a particular protocol by preceding the port
numbers by T: or U:. The qualifier lasts until you specify another qualifier. For example, the
argument -p U:53,111,137,T:21-25,80,139,8080 would scan UDP ports 53, 111, and 137, as well as the
listed TCP ports. Note that to scan both UDP and TCP, you have to specify -sU and at least one TCP
scan type (such as -sS, -sF, or -sT). If no protocol qualifier is given, the port numbers are added
to all protocol lists. Ports can also be specified by name according to what the port is referred to
in the nmap-services. You can even use the wildcards * and ? with the names. For example, to scan FTP
and all ports whose names begin with “http”, use -p ftp,http*. Be careful about shell expansions and
quote the argument to -p if unsure.
Ranges of ports can be surrounded by square brackets to indicate ports inside that range that appear
in nmap-services. For example, the following will scan all ports in nmap-services equal to or below
1024: -p [-1024]. Be careful with shell expansions and quote the argument to -p if unsure.
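
To see exactly which ports a numeric -p argument covers before a scan is authorized, the rules above (sticky T:/U: qualifiers, omitted range ends, unqualified ports going to every list) can be modelled in a few lines. This Python sketch is an added example, not Nmap's parser; parse_port_spec is a hypothetical name, only TCP and UDP are modelled, and service names, wildcards and the [..] form are rejected because they require nmap-services.

```python
import re

MAX_PORT = 65535

def parse_port_spec(spec):
    """Expand a numeric -p argument into sorted TCP and UDP port lists."""
    lists = {"tcp": set(), "udp": set()}
    active = ("tcp", "udp")          # no qualifier yet: add to every list
    for item in spec.split(","):
        item = item.strip()
        if item.startswith(("T:", "U:")):
            # A qualifier stays in force until the next qualifier.
            active = ("tcp",) if item[0] == "T" else ("udp",)
            item = item[2:]
        m = re.fullmatch(r"(\d*)(-?)(\d*)", item)
        if not item or m is None:
            # Service names, wildcards and [..] need nmap-services: not modelled.
            raise ValueError("unsupported port item: %r" % item)
        lo_txt, dash, hi_txt = m.groups()
        if dash:
            lo = int(lo_txt) if lo_txt else 1          # omitted start -> 1
            hi = int(hi_txt) if hi_txt else MAX_PORT   # omitted end -> 65535
        else:
            lo = hi = int(lo_txt)                      # single port, 0 allowed
        if not 0 <= lo <= hi <= MAX_PORT:
            raise ValueError("bad port range: %r" % item)
        for proto in active:
            lists[proto].update(range(lo, hi + 1))
    return {proto: sorted(ports) for proto, ports in lists.items()}
```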
-v (Increase verbosity level)
Increases the verbosity level, causing Nmap to print more information about the scan in progress.
Open ports are shown as they are found and completion time estimates are provided when Nmap thinks a
scan will take more than a few minutes. Use it twice or more for even greater verbosity.
Most changes only affect interactive output, and some also affect normal and script kiddie output.
The other output types are meant to be processed by machines, so Nmap can give substantial detail by
default in those formats without fatiguing a human user. However, there are a few changes in other
modes where output size can be reduced substantially by omitting some detail. For example, a comment
line in the grepable output that provides a list of all ports scanned is only printed in verbose mode
because it can be quite long.
-oX filespec (XML output)
Requests that XML output be directed to the given filename. Nmap includes a document type definition
(DTD) which allows XML parsers to validate Nmap XML output. While it is primarily intended for
programmatic use, it can also help humans interpret Nmap XML output. The DTD defines the legal
elements of the format, and often enumerates the attributes and values they can take on. The latest
version is always available from http://nmap.org/data/nmap.dtd.
XML offers a stable format that is easily parsed by software. Free XML parsers are available for all
major computer languages, including C/C++, Perl, Python, and Java. People have even written bindings
for most of these languages to handle Nmap output and execution specifically. Examples are
Nmap::Scanner and Nmap::Parser in Perl CPAN. In almost all cases that a non-trivial
application interfaces with Nmap, XML is the preferred format.
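
As an illustration of consuming -oX output programmatically, the following Python sketch lists the open ports in a scan result and flags any that are missing from an approved inventory. It is an added example, not part of Nmap or of the bindings named above; SAMPLE_XML is a constructed fragment using documentation addresses, and open_services and unexpected_services are hypothetical names.

```python
import xml.etree.ElementTree as ET

# Constructed sample of Nmap XML output (documentation addresses, not a real scan).
SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -oX scan.xml 192.0.2.1-2">
<host><status state="up"/><address addr="192.0.2.1" addrtype="ipv4"/>
 <ports>
  <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
  <port protocol="tcp" portid="23"><state state="closed"/><service name="telnet"/></port>
 </ports></host>
<host><status state="up"/><address addr="192.0.2.2" addrtype="ipv4"/>
 <address addr="00:00:5E:00:53:01" addrtype="mac"/>
 <ports>
  <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
  <port protocol="udp" portid="161"><state state="open|filtered"/></port>
 </ports></host>
</nmaprun>"""

def open_services(xml_text):
    """Return (address, protocol, port, service) for every open port on up hosts."""
    root = ET.fromstring(xml_text)
    if root.tag != "nmaprun":
        raise ValueError("not Nmap XML output")
    found = []
    for host in root.iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        # A host may carry several <address> elements; prefer the IP over the MAC.
        ips = [a.get("addr") for a in host.findall("address")
               if a.get("addrtype") in ("ipv4", "ipv6")]
        for port in host.iterfind("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # skips closed, filtered and open|filtered
            service = port.find("service")
            name = service.get("name") if service is not None else None
            found.append((ips[0] if ips else None, port.get("protocol"),
                          int(port.get("portid")), name))
    return found

def unexpected_services(found, allowed):
    """Open services whose (address, protocol, port) is not in the allowed set."""
    return [f for f in found if f[:3] not in allowed]
```

Text fields in the XML can originate from the scanned hosts, so treat them as untrusted input when they feed reports or other tools.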
The XML output references an XSL stylesheet which can be used to format the results as HTML. The
easiest way to use this is simply to load the XML output in a web browser such as Firefox or IE. By
default, this will only work on the machine you ran Nmap on (or a similarly configured one) due to
the hard-coded nmap.xsl filesystem path. Use the --webxml or --stylesheet options to create portable
XML files that render as HTML on any web-connected machine.