NMAP Cheat Sheet

Nmap is a free open source tool, employed to discover hosts and services on a computer network by sending packets and analyzing the retrieved responses. Nmap offers some features for probing computer networks, including host discovery and service and operating system detection.

  • Nmap can provide further information on targets, including reverse DNS names, device types, and MAC addresses.

  • Host discovery – Identifying hosts on a network. For example, listing the hosts that respond to TCP and/or ICMP requests or have a particular port open.

  • Port scanning – Enumerating the open ports on target hosts.

  • OS detection – Determining the operating system and hardware characteristics of network devices.

  • Version detection – Interrogating network services on remote devices to determine the application name and version number.

  • Scriptable interaction with the target support using the Nmap Scripting Engine (NSE).

Usage of Nmap

  • Auditing the security of a device or firewall by identifying the network connections which can be made to, or through it.

  • Identifying open ports on a target host in preparation for auditing.

  • Network inventory, network mapping, and maintenance and asset management.

  • Auditing the security of a network by identifying new servers.

  • Generating traffic to hosts on a network, response analysis and response time measurement.

  • Finding and exploiting vulnerabilities in a network.

  • DNS queries and subdomain search

NMAP Commands Cheatsheet

The following section explains the usage of category-wise NMAP diverse commands with examples as following -

Basic Scanning Commands

Scan a Single Targetnmap [target]nmap
Scan Multiple Targetsnmap [target1, target2, etcnmap
Scan a Range of Hostsnmap [range of ip addresses]nmap
Scan an Entire Subnetnmap [ip address/cdir]nmap
Scan Random Hostsnmap -iR [number]nmap -iR 0
Excluding Targets from a Scannmap [targets] – exclude [targets]nmap –exclude,
Excluding Targets Using a Listnmap [targets] – excludefile [list.txt]nmap –excludefile notargets.txt
Perform an Aggressive Scannmap -A [target]nmap -A
Scan an IPv6 Targetnmap -6 [target]nmap -6 1aff:3c21:47b1:0000:0000:0000:0000:2afe

Discovery Options

Perform a Ping Only Scannmap -sP [target]nmap -sP
Don’t Pingnmap -PN [target]nmap -PN
TCP SYN Pingnmap -PS [target]nmap -PS
TCP ACK Pingnmap -PA [target]nmap -PA
UDP Pingnmap -PU [target]nmap -PU
SCTP INIT Pingnmap -PY [target]nmap -PY
ICMP Echo Pingnmap -PE [target]nmap -PE
ICMP Timestamp Pingnmap -PP [target]nmap -PP
CMP Address Mask Pingnmap -PM [target]nmap -PM
IP Protocol Pingnmap -PO [target]nmap -PO

ARP Pingnmap -PR [target]nmap -PR
Traceroutenmap –traceroute [target]nmap –traceroute
Force Reverse DNS Resolutionnmap -R [target]nmap -R
Disable Reverse DNS Resolutionnmap -n [target]nmap -n
Alternative DNS Lookupnmap –system-dns [target]nmap –system-dns
Manually Specify DNS Server(s)nmap –dns-servers [servers] [target]nmap –dns-servers
Create a Host Listnmap -sL [targets]nmap -sL

Advanced Scanning Options

TCP SYN Scannmap -sS [target]nmap -sS
TCP Connect Scannmap -sT [target]nmap -sT
UDP Scannmap -sU [target]nmap -sU
TCP NULL Scannmap -sN [target]nmap -sN
TCP FIN Scannmap -sF [target]nmap -sF
Xmas Scannmap -sX [target]nmap -sX
TCP ACK Scannmap -sA [target]nmap -sA
Custom TCP Scannmap –scanflags [flags] [target]nmap –scanflags SYNFIN
IP Protocol Scannmap -sO [target]nmap -sO
Send Raw Ethernet Packetsnmap –send-eth [target]nmap –send-eth
Send IP Packetsnmap –send-ip [target]nmap –send-ip

Port Scanning Options

Perform a Fast Scannmap -F [target]nmap -F
Scan Specific Portsnmap -p [port(s)] [target]nmap -p 21-25,80,139,8080
Scan Ports by Namenmap -p [port name(s)] [target]nmap -p ftp,http*
Scan Ports by Protocolnmap -sU -sT -p U: [ports],T:[ports] [target]nmap -sU -sT -p U:53,111,137,T:21- 25,80,139,8080
Scan All Portsnmap -p ‘*’ [target]nmap -p ‘*’
Scan Top Portsnmap –top-ports [number] [target]nmap –top-ports 10
Perform a Sequential Port Scannmap -r [target]nmap -r

Version Detection

Operating System Detectionnmap -O [target]nmap -O
Submit TCP/IP Fingerprintswww.nmap.org/submit/

Attempt to Guess an Unknown OSnmap -O –osscan guess [target]nmap -O –osscan-guess
Service Version Detectionnmap -sV [target]nmap -sV
Troubleshooting Version Scansnmap -sV –version trace [target]nmap -sV –version-trace
Perform a RPC Scannmap -sR [target]nmap -sR

Firewall Evasion Techniques

augment Packetsnmap -f [target]nmap -f
pacify a Specific MTUnmap –mtu [MTU] [target]nmap –mtu 32 192.168.0.
Use a Decoynmap -D RND:[number] [target]nmap -D RND:10
le Zombie Scannmap -sI [zombie] [target]nmap -sI
Manually Specify a Source Portnmap –source-port [port] [target]nmap –source-port 10
Append Random Datanmap –data-length [size] [target]nmap –data-length 2
Randomize Target Scan Ordernmap –randomize-hosts [target]nmap –randomize-ho
Spoof MAC Addressnmap –spoof-mac [MAC|0|vendor] [target]nmap –spoof-mac Cis
Send Bad Checksumsnmap –badsum [target]nmap –badsum

Troubleshooting And Debugging

Getting Helpnmap -hnmap -h
Display Nmap Versionnmap -Vnmap -V
Verbose Outputnmap -v [target]nmap -v
Debuggingnmap -d [target]nmap -d
Display Port State Reasonnmap –reason [target]nmap –reason
Only Display Open Portsnmap –open [target]nmap –open
Trace Packetsnmap –packet-trace [target]nmap –packet-trace
Display Host Networkingnmap –iflistnmap –iflist
Specify a Network Interfacenmap -e [interface] [target]nmap -e eth0

NMAP Scripting Engine

Execute Individual Scriptsnmap –script [script.nse] [target]nmap –script banner.nse
Execute Multiple Scriptsnmap –script [expression] [target]nmap –script ‘http-*’
Script Categoriesall, auth, default, discovery, external, intrusive, malware, safe, vuln
Execute Scripts by Categorynmap –script [category] [target]nmap –script ‘not intrusive’
Execute Multiple Script Categoriesnmap –script [category1,category2,etc]nmap –script ‘default or safe’
Troubleshoot Scriptsnmap –script [script] –script trace [target]nmap –script banner.nse –script-trace
Update the Script Databasenmap –script-updatedbnmap –script-updatedb