NMAP Cheatsheet #

Nmap, short for Network Mapper, is a versatile and widely used open-source tool for network exploration and security auditing. Developed by Gordon Lyon, also known as Fyodor, Nmap is designed to scan large networks efficiently while providing detailed information about network topology, host discovery, service detection, operating system identification, and vulnerability analysis. It supports a wide range of scanning techniques and is extensible through the Nmap Scripting Engine (NSE). Nmap is a critical tool for network administrators, security professionals, and penetration testers, aiding in identifying and mitigating security risks.

Scan Targets #

SWITCH	EXAMPLE	DESCRIPTION
nmap 10.0.1.1	Scan a single IP
nmap 10.0.1.1 10.0.2.1	Scan specific IPs
nmap 10.0.1.1-254	Scan a range
nmap scanme.nmap.org	Scan a domain
nmap 10.0.1.0/24	Scan using CIDR notation
-iL nmap -iL targets.txt	Scan targets from a file
-iR nmap -iR 100	Scan 100 random hosts
-exclude nmap -exclude 10.0.1.1	Exclude listed hosts

Scan Techniques #

SWITCH	EXAMPLE	DESCRIPTION
-sS nmap 10.0.1.1 -sS	TCP SYN port scan (Default)
-sT nmap 10.0.1.1 -sT	TCP connect port scan (Default without root privilege)
-sU nmap 10.0.1.1 -sU	UDP port scan
-sA nmap 10.0.1.1 -sA	TCP ACK port scan
-sW nmap 10.0.1.1 -sW	TCP Window port scan
-sM nmap 10.0.1.1 -sM	TCP Maimon port scan

Discovery Options #

SWITCH	EXAMPLE	DESCRIPTION
-sL nmap 10.0.1.1-3 -sL	No Scan. List targets only
-sn nmap 10.0.1.1/24 -sn	Disable port scanning. Host discovery only.
-Pn nmap 10.0.1.1-5 -Pn	Disable host discovery. Port scan only.
-PS nmap 10.0.1.1-5 -PS22-25,80	TCP SYN discovery on port x. Port 80 by default
-PA nmap 10.0.1.1-5 -PA22-25,80	TCP ACK discovery on port x. Port 80 by default
-PU nmap 10.0.1.1-5 -PU53	UDP discovery on port x. Port 40125 by default
-PR nmap 10.0.1.1-1/24 -PR	ARP discovery on local network
-n nmap 10.0.1.1 -n	Never do DNS resolution

Port Scan Options #

SWITCH	EXAMPLE	DESCRIPTION
-p nmap 10.0.1.1 -p 21	Port scan for port x
-p nmap 10.0.1.1 -p 21-100	Port range
-p nmap 10.0.1.1 -p U:53,T:21-25,80	Port scan multiple TCP and UDP ports
-p nmap 10.0.1.1 -p-	Port scan all ports
-p nmap 10.0.1.1 -p http,https	Port scan from service name
-F nmap 10.0.1.1 -F	Fast port scan (100 ports)
-top-ports nmap 10.0.1.1 -top-ports 2000	Port scan the top x ports
-p-65535 nmap 10.0.1.1 -p-65535	Leaving off initial port in range makes the scan start at port 1
-p0- nmap 10.0.1.1 -p0-	Leaving off end port in range makes the scan go through to port 65535

Service Version Detection #

SWITCH	EXAMPLE	DESCRIPTION
-sV nmap 10.0.1.1 -sV	Attempts to determine the version of the service running on port
-sV -version-intensity nmap 10.0.1.1 -sV -version-intensity 8	Intensity level 0 to 9. Higher number increases possibility of correctness
-sV -version-light nmap 10.0.1.1 -sV -version-light	Enable light mode. Lower possibility of correctness. Faster
-sV -version-all nmap 10.0.1.1 -sV -version-all	Enable intensity level 9. Higher possibility of correctness. Slower
-A nmap 10.0.1.1 -A	Enables OS detection, version detection, script scanning, and traceroute

OS Detection #

SWITCH	EXAMPLE	DESCRIPTION
-O nmap 10.0.1.1 -O	Remote OS detection using TCP/IP stack fingerprinting
-O -osscan-limit nmap 10.0.1.1 -O -osscan-limit	If at least one open and one closed TCP port are not found it will not try OS detection against host
-O -osscan-guess nmap 10.0.1.1 -O -osscan-guess	Makes Nmap guess more aggressively
-O -max-os-tries nmap 10.0.1.1 -O -max-os-tries 1	Set the maximum number x of OS detection tries against a target
-A nmap 10.0.1.1 -A	Enables OS detection, version detection, script scanning, and traceroute

Timing Options #

SWITCH	EXAMPLE	DESCRIPTION
-T0 nmap 10.0.1.1 -T0	Paranoid (0) Intrusion Detection System evasion
-T1 nmap 10.0.1.1 -T1	Sneaky (1) Intrusion Detection System evasion
-T2 nmap 10.0.1.1 -T2	Polite (2) slows down the scan to use less bandwidth and use less target machine resources
-T3 nmap 10.0.1.1 -T3	Normal (3) which is default speed
-T4 nmap 10.0.1.1 -T4	Aggressive (4) speeds scans; assumes you are on a reasonably fast and reliable network
-T5 nmap 10.0.1.1 -T5	Insane (5) speeds scan; assumes you are on an extraordinarily fast network

Performance Options #

SWITCH	EXAMPLE	DESCRIPTION
-host-timeout 1s; 4m; 2h	Give up on target after this long
-min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout 1s; 4m; 2h	Specifies probe round trip time
-min-hostgroup/max-hostgroup 50; 1024	Parallel host scan group sizes
-min-parallelism/max-parallelism 10; 1	Probe parallelization
-max-retries 3	Specify the maximum number of port scan probe retransmissions
-min-rate 100	Send packets no slower than per second
-max-rate 100	Send packets no faster than per second

Script Scan Options #

SWITCH	EXAMPLE	DESCRIPTION
-sC nmap 10.0.1.1 -sC	Scan with default NSE scripts. Considered useful for discovery and safe
-script default nmap 10.0.1.1 -script default	Scan with default NSE scripts. Considered useful for discovery and safe
-script nmap 10.0.1.1 -script=banner	Scan with a single script. Example banner
-script nmap 10.0.1.1 -script=http*	Scan with a wildcard. Example http
-script nmap 10.0.1.1 -script=http,banner	Scan with two scripts. Example http and banner
-script nmap 10.0.1.1 -script “not intrusive”	Scan default, but remove intrusive scripts
-script-args nmap -script snmp-sysdescr -script-args snmpcommunity=admin 10.0.1.1	NSE script with arguments

Firewall and IDS Evasion #

SWITCH	EXAMPLE	DESCRIPTION
-f nmap 10.0.1.1 -f	Requested scan (including ping scans) use tiny fragmented IP packets. Harder for packet filters
-mtu nmap 10.0.1.1 -mtu 32	Scan using specified MTU
-D nmap -D RND:10 10.0.1.1	Cloak a scan with decoys
-S nmap 10.0.1.1 -S www.example.com	Cloak a scan with a spoofed source address
-e nmap 10.0.1.1 -e eth0	Use specified interface
-g nmap 10.0.1.1 -g 53	Use specified source port number
–source-port nmap 10.0.1.1 –source-port 53	Use specified source port number
-sI nmap 10.0.1.1 -sI zombie	Zombie scan
-sY nmap 10.0.1.1 -sY	SCTP INIT scan
-sZ nmap 10.0.1.1 -sZ	SCTP COOKIE-ECHO scan
-b nmap 10.0.1.1 -b	FTP bounce scan
-Tn nmap 10.0.1.1 -Tn	Timing template (where n=0-5)

Output Options #

SWITCH	EXAMPLE	DESCRIPTION
-oN nmap 10.0.1.1 -oN output.txt	Normal output to file
-oX nmap 10.0.1.1 -oX output.xml	XML output to file
-oS nmap 10.0.1.1 -oS output.scr	Script kiddie output to file
-oG nmap 10.0.1.1 -oG output.gnmap	Grepable output to file
-v nmap 10.0.1.1 -v	Increase verbosity level
-v -v nmap 10.0.1.1 -v -v	Increase verbosity level further
-d nmap 10.0.1.1 -d	Increase debugging level
-d -d nmap 10.0.1.1 -d -d	Increase debugging level further
–packet-trace nmap 10.0.1.1 –packet-trace	Show all packets sent and received
–open nmap 10.0.1.1 –open	Show only open (or possibly open) ports
–reason nmap 10.0.1.1 –reason	Show host, port, and state, as well as the reason
–stats-every nmap 10.0.1.1 –stats-every 10s	Periodically display statistics
–log-errors nmap 10.0.1.1 –log-errors	Log errors/warnings to nmap. err

Miscellaneous #

SWITCH	EXAMPLE	DESCRIPTION
–append-output nmap 10.0.1.1 –append-output	Append to rather than clobber specified output files
–resume nmap –resume interrupted.scan	Resume an aborted scan
–stylesheet nmap –stylesheet nmap.xsl	XSL stylesheet to transform XML output
–webxml nmap –webxml	Reference stylesheet from Nmap.Org for more attractive XML
–no-stylesheet nmap –no-stylesheet	Prevent associating of XSL stylesheet w/XML output
–data-length nmap –data-length 10.0.1.1 –data-length 25	Append random data to sent packets
–ip-options nmap 10.0.1.1 –ip-options	Send packets with specified ip options
–ttl nmap 10.0.1.1 –ttl 1	Set IP time-to-live field
–spoof-mac nmap 10.0.1.1 –spoof-mac 00:11:22:33:44:55	Spoof your MAC address
–badsum nmap 10.0.1.1 –badsum	Send packets with a bogus TCP/UDP/SCTP checksum

Miscellaneous Options #

SWITCH	EXAMPLE	DESCRIPTION
-6 nmap -6 scanme.nmap.org	Enable IPv6 scanning
-A nmap 10.0.1.1 -A	Enable OS detection, version detection, script scanning, and traceroute
-V nmap -V	Print Nmap version and exit
-h nmap -h	Print Nmap help screen and exit