Welcome to my Nmap Cheat Sheet page! Nmap is one of my favorite tools not only for pentesting or security purposes but also as one of my go-to troubleshooting tools.
Nmap 2.00 was released on December 12, 1998. Can you believe it? I have been using Nmap since the early 2000s, and although I have tried MANY tools that do the same thing, nothing has yet taken its place in my toolbox.
If you see an error, something I missed, or have a better way of doing something, please contact me.
Nmap – https://nmap.org/ – Official Nmap website
The Nmap Handbook: A Deep Dive into Network Mapping and Scanning – Great reference with real-world, up-to-date examples.
The Official Nmap Project Guide to Network Discovery and Security Scanning – The original and still one of the best Nmap resources
nmap [Scan Type(s)] [Options] {target specification}
SWITCH | EXAMPLE | DESCRIPTION |
(none) | nmap 10.1.1.1 | Scan a single IP |
(none) | nmap 10.1.1.1 10.1.1.8 | Scan specific IPs |
(none) | nmap 10.1.1.1-254 | Scan a range |
(none) | nmap scanme.nmap.org | Scan a domain |
(none) | nmap 10.1.1.0/24 | Scan using CIDR notation |
-iL | nmap -iL targets.txt | Scan targets from a file |
-iR | nmap -iR 100 | Scan 100 random hosts |
--exclude | nmap 10.1.1.0/24 --exclude 10.1.1.254 | Exclude listed hosts |
SWITCH | EXAMPLE | DESCRIPTION |
-sS | nmap 10.1.1.1 -sS | TCP SYN port scan (Default) |
-sT | nmap 10.1.1.1 -sT | TCP connect port scan (Default without root privilege) |
-sU | nmap 10.1.1.1 -sU | UDP port scan |
-sA | nmap 10.1.1.1 -sA | TCP ACK port scan |
-sW | nmap 10.1.1.1 -sW | TCP Window port scan |
-sM | nmap 10.1.1.1 -sM | TCP Maimon port scan |
SWITCH | EXAMPLE | DESCRIPTION |
-sL | nmap 10.1.1.1-3 -sL | No scan. List targets only |
-sn | nmap 10.1.1.0/24 -sn | Disable port scanning. Host discovery only |
-Pn | nmap 10.1.1.1-5 -Pn | Disable host discovery. Port scan only |
-PS | nmap 10.1.1.1-5 -PS22-25,80 | TCP SYN discovery on port x. Port 80 by default |
-PA | nmap 10.1.1.1-5 -PA22-25,80 | TCP ACK discovery on port x. Port 80 by default |
-PU | nmap 10.1.1.1-5 -PU53 | UDP discovery on port x. Port 40125 by default |
-PR | nmap 10.1.1.0/24 -PR | ARP discovery on the local network |
-n | nmap 10.1.1.1 -n | Never do DNS resolution |
SWITCH | EXAMPLE | DESCRIPTION |
-sV | nmap 10.1.1.1 -sV | Attempts to determine the version of the service running on each open port |
-sV --version-intensity | nmap 10.1.1.1 -sV --version-intensity 8 | Intensity level 0 to 9. Higher numbers increase the chance of a correct match but take longer |
-sV --version-light | nmap 10.1.1.1 -sV --version-light | Enable light mode (intensity 2). Lower chance of a correct match. Faster |
-sV --version-all | nmap 10.1.1.1 -sV --version-all | Enable intensity level 9. Higher chance of a correct match. Slower |
-A | nmap 10.1.1.1 -A | Enables OS detection, version detection, script scanning, and traceroute |
SWITCH | EXAMPLE | DESCRIPTION |
-O | nmap 10.1.1.1 -O | Remote OS detection using TCP/IP stack fingerprinting |
-O --osscan-limit | nmap 10.1.1.1 -O --osscan-limit | Skip OS detection against hosts that do not have at least one open and one closed TCP port |
-O --osscan-guess | nmap 10.1.1.1 -O --osscan-guess | Makes Nmap guess more aggressively |
-O --max-os-tries | nmap 10.1.1.1 -O --max-os-tries 1 | Set the maximum number x of OS detection tries against a target |
-A | nmap 10.1.1.1 -A | Enables OS detection, version detection, script scanning, and traceroute |
SWITCH | EXAMPLE | DESCRIPTION |
-T0 | nmap 10.1.1.1 -T0 | Paranoid (0): Intrusion Detection System evasion |
-T1 | nmap 10.1.1.1 -T1 | Sneaky (1): Intrusion Detection System evasion |
-T2 | nmap 10.1.1.1 -T2 | Polite (2): slows down the scan to use less bandwidth and fewer target machine resources |
-T3 | nmap 10.1.1.1 -T3 | Normal (3): the default speed |
-T4 | nmap 10.1.1.1 -T4 | Aggressive (4): speeds scans; assumes you are on a reasonably fast and reliable network |
-T5 | nmap 10.1.1.1 -T5 | Insane (5): speeds scans further; assumes you are on an extraordinarily fast network |
SWITCH | EXAMPLE INPUT | DESCRIPTION |
--host-timeout <time> | 1s; 4m; 2h | Give up on a target after this long |
--min-rtt-timeout/--max-rtt-timeout/--initial-rtt-timeout <time> | 1s; 4m; 2h | Specifies the probe round-trip time |
--min-hostgroup/--max-hostgroup <size> | 50; 1024 | Parallel host scan group sizes |
--min-parallelism/--max-parallelism <numprobes> | 10; 1 | Probe parallelization |
--max-retries <tries> | 3 | Specify the maximum number of port scan probe retransmissions |
--min-rate <number> | 100 | Send packets no slower than <number> per second |
--max-rate <number> | 100 | Send packets no faster than <number> per second |
SWITCH | EXAMPLE | DESCRIPTION |
-sC | nmap 10.1.1.1 -sC | Scan with the default NSE scripts. Considered useful for discovery and safe |
--script default | nmap 10.1.1.1 --script default | Scan with the default NSE scripts. Considered useful for discovery and safe |
--script | nmap 10.1.1.1 --script=banner | Scan with a single script. Example: banner |
--script | nmap 10.1.1.1 --script "http*" | Scan with a wildcard (quoted so the shell does not expand it). Example: all http scripts |
--script | nmap 10.1.1.1 --script=http-title,banner | Scan with two scripts. Example: http-title and banner |
--script | nmap 10.1.1.1 --script "default and not intrusive" | Scan with the default scripts, but remove intrusive ones |
--script-args | nmap --script snmp-sysdescr --script-args snmpcommunity=admin 10.1.1.1 | NSE script with arguments |
COMMAND | DESCRIPTION |
nmap -Pn --script=http-sitemap-generator scanme.nmap.org | HTTP site map generator |
nmap -n -Pn -p 80 --open -sV -vvv --script banner,http-title -iR 1000 | Fast search for random web servers |
nmap -Pn --script=dns-brute domain.com | Brute-forces DNS hostnames, guessing subdomains |
nmap -n -Pn -vv -O -sV --script "smb-enum*,smb-ls,smb-mbenum,smb-os-discovery,smb-s*,smb-vuln*,smbv2*" 10.1.1.1 | Safe SMB scripts to run |
nmap --script "whois*" domain.com | Whois query |
nmap -p80 --script http-unsafe-output-escaping scanme.nmap.org | Detect cross-site scripting vulnerabilities |
nmap -p80 --script http-sql-injection scanme.nmap.org | Check for SQL injection |
SWITCH | EXAMPLE | DESCRIPTION |
-f | nmap 10.1.1.1 -f | The requested scan (including ping scans) uses tiny fragmented IP packets. Harder for packet filters |
--mtu | nmap 10.1.1.1 --mtu 32 | Set your own fragment size (must be a multiple of 8) |
-D | nmap -D 10.1.1.101,10.1.1.102,10.1.1.103,10.1.1.23 10.1.1.1 | Send scans from spoofed IPs |
-D | nmap -D decoy-ip1,decoy-ip2,your-own-ip,decoy-ip3,decoy-ip4 remote-host-ip | Above example explained |
-S | nmap -S www.twitter.com www.facebook.com | Scan Facebook from Twitter (-e eth0 -Pn may be required) |
-g | nmap -g 53 10.1.1.1 | Use the given source port number |
--proxies | nmap --proxies http://10.1.1.1:8080,http://10.1.1.2:8080 10.1.1.1 | Relay connections through HTTP/SOCKS4 proxies |
--data-length | nmap --data-length 200 10.1.1.1 | Appends random data to sent packets |
SWITCH | EXAMPLE | DESCRIPTION |
-oN | nmap 10.1.1.1 -oN normal.file | Normal output to the file normal.file |
-oX | nmap 10.1.1.1 -oX xml.file | XML output to the file xml.file |
-oG | nmap 10.1.1.1 -oG grep.file | Grepable output to the file grep.file |
-oA | nmap 10.1.1.1 -oA results | Output in the three major formats at once |
-oG - | nmap 10.1.1.1 -oG - | Grepable output to the screen. -oN - and -oX - also usable |
--append-output | nmap 10.1.1.1 -oN file.file --append-output | Append a scan to a previous scan file |
-v | nmap 10.1.1.1 -v | Increase the verbosity level (use -vv or more for greater effect) |
-d | nmap 10.1.1.1 -d | Increase the debugging level (use -dd or more for greater effect) |
--reason | nmap 10.1.1.1 --reason | Display the reason a port is in a particular state, same output as -vv |
--open | nmap 10.1.1.1 --open | Only show open (or possibly open) ports |
--packet-trace | nmap 10.1.1.1 -T4 --packet-trace | Show all packets sent and received |
--iflist | nmap --iflist | Shows the host interfaces and routes |
--resume | nmap --resume results.file | Resume a scan |
COMMAND | DESCRIPTION |
nmap -p80 -sV -oG - --open 10.1.1.1/24 | grep open | Scan for web servers and grep to show which IPs are running web servers |
nmap -iR 10 -n -oX out.xml | grep "Nmap scan report" | cut -d " " -f5 > live-hosts.txt | Generate a list of the IPs of live hosts |
nmap -iR 10 -n -oX out2.xml | grep "Nmap scan report" | cut -d " " -f5 >> live-hosts.txt | Append IPs to the list of live hosts |
ndiff scan1.xml scan2.xml | Compare output from two Nmap XML files using ndiff |
xsltproc nmap.xml -o nmap.html | Convert Nmap XML files to HTML files |
grep " open " results.nmap | sed -r 's/ +/ /g' | sort | uniq -c | sort -rn | less | Reverse-sorted list of how often ports turn up |
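As an added example that is not part of the original cheat sheet, the following POSIX shell functions do with grepable (-oG) output what the grep/cut/uniq pipelines above do with normal output: list each host's open ports and count how often each port turns up. The function names are mine, and the sample -oG text is constructed, not a real scan.

```shell
#!/bin/sh
# Added example, not from the cheat sheet: parse Nmap grepable (-oG) output.
# Each host line is tab-separated, e.g.
#   Host: <ip> (<name>)<TAB>Ports: <entry>, <entry><TAB>Ignored State: ...
# and each port entry is <port>/<state>/<proto>/<owner>/<service>/<rpc>/<version>/

# Print "host port/proto service" for every open port found in -oG text
# read from the files given as arguments, or from stdin when none are given.
nmap_open_ports() {
  awk -F'\t' '
    /^Host: .*Ports: / {
      host = $1; sub(/^Host: /, "", host); sub(/ .*/, "", host)
      ports = ""
      for (i = 2; i <= NF; i++) if ($i ~ /^Ports: /) ports = substr($i, 8)
      n = split(ports, entry, ", ")
      for (j = 1; j <= n; j++) {
        split(entry[j], f, "/")
        if (f[2] == "open") print host, f[1] "/" f[3], f[5]
      }
    }' "$@"
}

# Reverse-sorted count of how often each open port/proto turns up,
# the -oG counterpart of the grep | sort | uniq -c pipeline above.
nmap_port_frequency() {
  nmap_open_ports "$@" | awk '{ print $2 }' | sort | uniq -c | sort -rn
}

# Constructed sample (hypothetical hosts) of what "nmap -oG - 10.1.1.0/29"
# might print; "Status: Up" lines carry no ports and are skipped.
sample_og() {
  printf '%s\n' '# Nmap 7.94 scan initiated as: nmap -oG - 10.1.1.0/29'
  printf 'Host: 10.1.1.1 ()\tStatus: Up\n'
  printf 'Host: 10.1.1.1 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/filtered/tcp//https///\tIgnored State: closed (997)\n'
  printf 'Host: 10.1.1.2 (web.example.test)\tPorts: 22/filtered/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///\tIgnored State: closed (997)\n'
  printf '%s\n' '# Nmap done: 8 IP addresses (2 hosts up) scanned'
}

sample_og | nmap_open_ports      # one line per open port
sample_og | nmap_port_frequency  # most common port/proto first
```

To use it on a saved scan, run `nmap_open_ports grep.file`, or pipe `nmap ... -oG -` straight into it.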
SWITCH | EXAMPLE | DESCRIPTION |
-6 | nmap -6 2607:f0d0:1002:51::3 | Enable IPv6 scanning |
-h | nmap -h | Nmap help screen |
--open | nmap 10.1.1.1 --open | Show open ports only |
COMMAND | DESCRIPTION |
nmap -iR 10 -PS22-25,80,113,1050,35000 -v -sn | Discovery only on ports x, no port scan |
nmap 192.168.1.0/24 -PR -sn -vv | ARP discovery only on the local network, no port scan |
nmap -iR 10 -sn --traceroute | Traceroute to random targets, no port scan |
nmap 192.168.1.1-50 -sL --dns-servers 192.168.1.1 | Query the internal DNS for hosts, list targets only |
nmap 192.168.1.1 --packet-trace | Show the details of the packets that are sent and received during a scan |
COMMAND | DESCRIPTION |
nmap -sP 10.1.1.1 | Ping scan only (-sP is the legacy spelling of -sn) |
nmap -PU 10.1.1.1 | UDP ping scan |
nmap -PE 10.1.1.1 | ICMP echo ping |
nmap -PO 10.1.1.1 | IP protocol ping |
nmap -PR 10.1.1.1 | ARP ping |
nmap -Pn 10.1.1.1 | Scan without pinging |
nmap --traceroute 10.1.1.1 | Traceroute |