TryHackMe: NMAP: NMAP Switches

goay xuan hui
2 min readJan 12, 2021


#1 What is the first switch listed in the help menu for a ‘Syn Scan’ (more on this later!)?


#2 Which switch would you use for a “UDP scan”?


#3 If you wanted to detect which operating system the target is running on, which switch would you use?


#4 Nmap provides a switch to detect the version of the services running on the target. What is this switch?


#5 The default output provided by nmap often does not provide enough information for a pentester. How would you increase the verbosity?


#6 Verbosity level one is good, but verbosity level two is better! How would you set the verbosity level to two?
(Note: it’s highly advisable to always use at least this option)



#7 What switch would you use to save the nmap results in three major formats?


-oA <basename> command will store scan results in normal, XML and grepable formats at once in <basename>.nmap, <basename>.xml and <basename>.gnmap.

Tips: -o stands for output while -O stands for operating system (See #3)

#8 What switch would you use to save the nmap results in a “normal” format?


#9 A very useful output format: how would you save results in a “grepable” format?


#10 Sometimes the results we’re getting just aren’t enough. If we don’t care about how loud we are, we can enable “aggressive” mode. This is a shorthand switch that activates service detection, operating system detection, a traceroute and common script scanning.


#11 Nmap offers five levels of “timing” template. These are essentially used to increase the speed your scan runs at. Be careful though: higher speeds are noisier, and can incur errors! How would you set the timing template to level 5?


#12 How would you tell nmap to only scan port 80?

-p 80

#13 How would you tell nmap to scan ports 1000–1500?

-p 1000-1500

#14 How would you tell nmap to scan all ports?


#15 How would you activate a script from the nmap scripting library?

-- -script

#16 How would you activate all of the scripts in the “vuln” category?

-- -script=vuln

To understand more about NMAP, check out the full series: Part 1: Port Scanning Responses, Part 2: Basic Port Scanning Types, Part 3: Other Port Scanning Types, Part 4: Network Scanning, Part 5: Firewall Evasion Options and Part 6: NSE Scripts!



goay xuan hui

A food lover, a cyber security enthusiast, a musician and a traveller, so you will see a mix of different contents in my blog. ☺️