Nmap Cheat Sheet
Welcome to my Nmap Cheat Sheet page! Nmap is one of my favorite tools not only for pentesting or security purposes but also as one of my go-to troubleshooting tools.
Nmap 2.00 was released on December 12, 1998. Can you believe it? I have been using Nmap since the early 2000s, and although I have tried MANY tools that do the same thing, nothing has yet to beat its place in my toolbox.
If you see an error, something I missed, or have a better way of doing something, please contact me.
Resources:
Nmap – https://nmap.org/ – Official Nmap website
The Nmap Handbook: A Deep Dive into Network Mapping and Scanning – Great reference with real-world, up-to-date examples.
The Official Nmap Project Guide to Network Discovery and Security Scanning – The original and still one of the best Nmap resources
Scanning Command Syntax:
nmap [scan types] [options] {IP-Address specification}
Scan a Specific Target
| SWITCH | EXAMPLE | DESCRIPTION |
| --- | --- | --- |
| | nmap 10.1.1.1 | Scan a single IP |
| | nmap 10.1.1.1 10.1.1.8 | Scan specific IPs |
| | nmap 10.1.1.1-254 | Scan a range |
| | nmap scanme.nmap.org | Scan a domain |
| | nmap 10.1.1.0/24 | Scan using CIDR notation |
| -iL | nmap -iL targets.txt | Scan targets from a file |
| -iR | nmap -iR 100 | Scan 100 random hosts |
| --exclude | nmap 10.1.1.0/24 --exclude 10.1.1.254 | Exclude listed hosts |
Nmap Scan Techniques
| SWITCH | EXAMPLE | DESCRIPTION |
| --- | --- | --- |
| -sS | nmap 10.1.1.1 -sS | TCP SYN port scan (Default) |
| -sT | nmap 10.1.1.1 -sT | TCP connect port scan (Default without root privilege) |
| -sU | nmap 10.1.1.1 -sU | UDP port scan |
| -sA | nmap 10.1.1.1 -sA | TCP ACK port scan |
| -sW | nmap 10.1.1.1 -sW | TCP Window port scan |
| -sM | nmap 10.1.1.1 -sM | TCP Maimon port scan |
Host Discovery
| SWITCH | EXAMPLE | DESCRIPTION |
| --- | --- | --- |
| -sL | nmap 10.1.1.1-3 -sL | No scan. List targets only |
| -sn | nmap 10.1.1.0/24 -sn | Disable port scanning. Host discovery only. |
| -Pn | nmap 10.1.1.1-5 -Pn | Disable host discovery. Port scan only. |
| -PS | nmap 10.1.1.1-5 -PS22-25,80 | TCP SYN discovery on port x. Port 80 by default |
| -PA | nmap 10.1.1.1-5 -PA22-25,80 | TCP ACK discovery on port x. Port 80 by default |
| -PU | nmap 10.1.1.1-5 -PU53 | UDP discovery on port x. Port 40125 by default |
| -PR | nmap 10.1.1.0/24 -PR | ARP discovery on local network |
| -n | nmap 10.1.1.1 -n | Never do DNS resolution |
Service and Version Detection
| SWITCH | EXAMPLE | DESCRIPTION |
| --- | --- | --- |
| -sV | nmap 10.1.1.1 -sV | Attempts to determine the version of the service running on each open port |
| -sV --version-intensity | nmap 10.1.1.1 -sV --version-intensity 8 | Intensity level 0 to 9. A higher number increases the likelihood of a correct match |
| -sV --version-light | nmap 10.1.1.1 -sV --version-light | Enable light mode (intensity 2). Lower likelihood of a correct match. Faster |
| -sV --version-all | nmap 10.1.1.1 -sV --version-all | Enable intensity level 9. Higher likelihood of a correct match. Slower |
| -A | nmap 10.1.1.1 -A | Enables OS detection, version detection, script scanning, and traceroute |
OS Detection
| SWITCH | EXAMPLE | DESCRIPTION |
| --- | --- | --- |
| -O | nmap 10.1.1.1 -O | Remote OS detection using TCP/IP stack fingerprinting |
| -O --osscan-limit | nmap 10.1.1.1 -O --osscan-limit | Skip OS detection against hosts that do not have at least one open and one closed TCP port |
| -O --osscan-guess | nmap 10.1.1.1 -O --osscan-guess | Makes Nmap guess more aggressively |
| -O --max-os-tries | nmap 10.1.1.1 -O --max-os-tries 1 | Set the maximum number x of OS detection tries against a target |
| -A | nmap 10.1.1.1 -A | Enables OS detection, version detection, script scanning, and traceroute |
Timing and Performance
| SWITCH | EXAMPLE | DESCRIPTION |
| --- | --- | --- |
| -T0 | nmap 10.1.1.1 -T0 | Paranoid (0) Intrusion Detection System evasion |
| -T1 | nmap 10.1.1.1 -T1 | Sneaky (1) Intrusion Detection System evasion |
| -T2 | nmap 10.1.1.1 -T2 | Polite (2) slows down the scan to use less bandwidth and use less target machine resources |
| -T3 | nmap 10.1.1.1 -T3 | Normal (3) which is default speed |
| -T4 | nmap 10.1.1.1 -T4 | Aggressive (4) speeds scans; assumes you are on a reasonably fast and reliable network |
| -T5 | nmap 10.1.1.1 -T5 | Insane (5) speeds scan; assumes you are on an extraordinarily fast network |
Timing and Performance Switches
| SWITCH | EXAMPLE INPUT | DESCRIPTION |
| --- | --- | --- |
| --host-timeout <time> | 1s; 4m; 2h | Give up on target after this long |
| --min-rtt-timeout/--max-rtt-timeout/--initial-rtt-timeout <time> | 1s; 4m; 2h | Specifies probe round trip time |
| --min-hostgroup/--max-hostgroup <size> | 50; 1024 | Parallel host scan group sizes |
| --min-parallelism/--max-parallelism <numprobes> | 10; 1 | Probe parallelization |
| --max-retries <tries> | 3 | Specify the maximum number of port scan probe retransmissions |
| --min-rate <number> | 100 | Send packets no slower than <number> per second |
| --max-rate <number> | 100 | Send packets no faster than <number> per second |
NSE Scripts
| SWITCH | EXAMPLE | DESCRIPTION |
| --- | --- | --- |
| -sC | nmap 10.1.1.1 -sC | Scan with default NSE scripts. Considered useful for discovery and safe |
| --script default | nmap 10.1.1.1 --script default | Scan with default NSE scripts. Considered useful for discovery and safe |
| --script | nmap 10.1.1.1 --script=banner | Scan with a single script. Example banner |
| --script | nmap 10.1.1.1 --script "http*" | Scan with a wildcard. Example http |
| --script | nmap 10.1.1.1 --script=http-title,banner | Scan with two scripts. Example http-title and banner |
| --script | nmap 10.1.1.1 --script "default and not intrusive" | Scan default, but remove intrusive scripts |
| --script-args | nmap --script snmp-sysdescr --script-args snmpcommunity=admin 10.1.1.1 | NSE script with arguments |
NSE Script Examples
| COMMAND | DESCRIPTION |
| --- | --- |
| nmap -Pn --script=http-sitemap-generator scanme.nmap.org | HTTP site map generator |
| nmap -n -Pn -p 80 --open -sV -vvv --script banner,http-title -iR 1000 | Fast search for random web servers |
| nmap -Pn --script=dns-brute domain.com | Brute forces DNS hostnames guessing subdomains |
| nmap -n -Pn -vv -O -sV --script "smb-enum*,smb-ls,smb-mbenum,smb-os-discovery,smb-s*,smb-vuln*,smbv2*" 10.1.1.1 | Safe SMB scripts to run |
| nmap --script "whois*" domain.com | Whois query |
| nmap -p80 --script http-unsafe-output-escaping scanme.nmap.org | Detect cross site scripting vulnerabilities |
| nmap -p80 --script http-sql-injection scanme.nmap.org | Check for SQL injections |
Firewall / IDS Evasion
| SWITCH | EXAMPLE | DESCRIPTION |
| --- | --- | --- |
| -f | nmap 10.1.1.1 -f | Requested scan (including ping scans) uses tiny fragmented IP packets. Harder for packet filters |
| --mtu | nmap 10.1.1.1 --mtu 32 | Set your own fragment size (must be a multiple of 8) |
| -D | nmap -D 10.1.1.101,10.1.1.102,10.1.1.103,10.1.1.23 10.1.1.1 | Send scans from spoofed IPs |
| -D | nmap -D decoy-ip1,decoy-ip2,your-own-ip,decoy-ip3,decoy-ip4 remote-host-ip | Above example explained |
| -S | nmap -S www.twitter.com www.facebook.com | Scan Facebook from Twitter (-e eth0 -Pn may be required) |
| -g | nmap -g 53 10.1.1.1 | Use given source port number |
| --proxies | nmap --proxies http://10.1.1.1:8080,http://10.1.1.2:8080 10.1.1.1 | Relay connections through HTTP/SOCKS4 proxies |
| --data-length | nmap --data-length 200 10.1.1.1 | Appends random data to sent packets |
Output Control
| SWITCH | EXAMPLE | DESCRIPTION |
| --- | --- | --- |
| -oN | nmap 10.1.1.1 -oN normal.file | Normal output to the file normal.file |
| -oX | nmap 10.1.1.1 -oX xml.file | XML output to the file xml.file |
| -oG | nmap 10.1.1.1 -oG grep.file | Grepable output to the file grep.file |
| -oA | nmap 10.1.1.1 -oA results | Output in the three major formats at once |
| -oG - | nmap 10.1.1.1 -oG - | Grepable output to screen. -oN -, -oX - also usable |
| --append-output | nmap 10.1.1.1 -oN file.file --append-output | Append a scan to a previous scan file |
| -v | nmap 10.1.1.1 -v | Increase the verbosity level (use -vv or more for greater effect) |
| -d | nmap 10.1.1.1 -d | Increase debugging level (use -dd or more for greater effect) |
| --reason | nmap 10.1.1.1 --reason | Display the reason a port is in a particular state, same output as -vv |
| --open | nmap 10.1.1.1 --open | Only show open (or possibly open) ports |
| --packet-trace | nmap 10.1.1.1 -T4 --packet-trace | Show all packets sent and received |
| --iflist | nmap --iflist | Shows the host interfaces and routes |
| --resume | nmap --resume results.file | Resume a scan |
Nmap Output Examples
| COMMAND | DESCRIPTION |
| --- | --- |
| nmap -p80 -sV -oG - --open 10.1.1.1/24 \| grep open | Scan for web servers and grep to show which IPs are running web servers |
| nmap -iR 10 -n -oX out.xml \| grep "Nmap scan report" \| cut -d " " -f5 > live-hosts.txt | Generate a list of the IPs of live hosts (XML goes to out.xml, the normal output on stdout is parsed) |
| nmap -iR 10 -n -oX out2.xml \| grep "Nmap scan report" \| cut -d " " -f5 >> live-hosts.txt | Append IPs to the list of live hosts |
| ndiff scan1.xml scan2.xml | Compare output from two Nmap XML files using ndiff |
| xsltproc nmap.xml -o nmap.html | Convert Nmap XML files to HTML files |
| grep " open " results.nmap \| sed -r 's/ +/ /g' \| sort \| uniq -c \| sort -rn \| less | Reverse sorted list of how often ports turn up |
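The grep/cut one-liners above work, but grepable (-oG) output is easier to turn into an inventory you can diff against an asset register. The script below is an added example, not from this cheat sheet; SAMPLE_GNMAP is a constructed sample (real -oG lines use a tab between fields, which the awk code handles identically).

```shell
#!/bin/sh
# Added example: parse Nmap grepable (-oG) output into a live-host list and an
# open-port inventory. SAMPLE_GNMAP is constructed, not the output of a real scan.
SAMPLE_GNMAP='# Nmap 7.94 scan initiated as: nmap -p22,80,443 -oG - 10.1.1.0/29 (constructed)
Host: 10.1.1.1 ()  Status: Up
Host: 10.1.1.1 ()  Ports: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/closed/tcp//https///
Host: 10.1.1.2 ()  Status: Up
Host: 10.1.1.2 ()  Ports: 22/filtered/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///
Host: 10.1.1.3 ()  Status: Up
Host: 10.1.1.3 ()  Ports: 22/closed/tcp//ssh///, 80/closed/tcp//http///, 443/closed/tcp//https///  Ignored State: closed (0)
# Nmap done -- 8 IP addresses (3 hosts up) scanned'

# One IP per line for every host Nmap reported as up (reads -oG text on stdin).
live_hosts() {
  awk '/^Host:/ && /Status: Up/ { print $2 }'
}

# "ip port/proto service" for every open port. Each entry in the Ports: field has
# the shape port/state/proto/owner/service/rpcinfo/version/ and entries are
# separated by ", "; a trailing "Ignored State:" note does not disturb the split.
open_ports() {
  awk '/^Host:/ && /Ports:/ {
    host = $2
    sub(/.*Ports: /, "")
    n = split($0, entry, /, /)
    for (i = 1; i <= n; i++) {
      split(entry[i], f, "/")
      if (f[2] == "open") print host, f[1] "/" f[3], f[5]
    }
  }'
}

# Reverse-sorted count of how often each open port/service turns up across hosts,
# the same idea as the grep/sort/uniq one-liner in the table above.
port_frequency() {
  open_ports | awk '{ print $2, $3 }' | sort | uniq -c | sort -rn
}

printf '%s\n' "$SAMPLE_GNMAP" | live_hosts
printf '%s\n' "$SAMPLE_GNMAP" | open_ports
printf '%s\n' "$SAMPLE_GNMAP" | port_frequency
```

Feed a real file with `live_hosts < scan.gnmap`; lines for hosts that are down are simply skipped.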
Misc Nmap Flags
| SWITCH | EXAMPLE | DESCRIPTION |
| --- | --- | --- |
| -6 | nmap -6 2607:f0d0:1002:51::3 | Enable IPv6 scanning |
| -h | nmap -h | Nmap help screen |
| --open | nmap 10.1.1.1 --open | Show open ports only |
Useful Nmap Commands
| COMMAND | DESCRIPTION |
| --- | --- |
| nmap -iR 10 -PS22-25,80,113,1050,35000 -v -sn | Discovery only on ports x, no port scan |
| nmap 192.168.1.0/24 -PR -sn -vv | ARP discovery only on local network, no port scan |
| nmap -iR 10 -sn --traceroute | Traceroute to random targets, no port scan |
| nmap 192.168.1.1-50 -sL --dns-servers 192.168.1.1 | Query the internal DNS for hosts, list targets only |
| nmap 192.168.1.1 --packet-trace | Show the details of the packets that are sent and received during a scan |
Pings and Traceroutes
| COMMAND | DESCRIPTION |
| --- | --- |
| nmap -sP 10.1.1.1 | Ping scan only (-sP is the older name for -sn) |
| nmap -PU 10.1.1.1 | UDP ping scan |
| nmap -PE 10.1.1.1 | ICMP echo ping |
| nmap -PO 10.1.1.1 | IP protocol ping |
| nmap -PR 10.1.1.1 | ARP ping |
| nmap -Pn 10.1.1.1 | Scan without pinging |
| nmap --traceroute 10.1.1.1 | Traceroute |