Nmap (Network Mapper) is an open-source tool for network discovery and security auditing. It is a powerful utility that helps you scan and map networks to find hosts, services, open ports, operating systems and more.

This is a cheat sheet of nmap commands.

Penetration-testing distros like Kali and Parrot OS have nmap preinstalled. If you are using another Linux distro, run the command below for your distro to install nmap:

For Debian/Ubuntu:

sudo apt-get install nmap

For Fedora:

sudo dnf install nmap

For Arch Linux:

sudo pacman -S nmap

Note: In all the commands below, 10.10.0.1 is used as the target. Change it to match your target. Scan types that need raw sockets (-sS, -sU, -O and most host-discovery probes) must be run as root or through sudo.

Basic Commands:

Check version information:

nmap --version

Check the nmap help menu:

nmap --help

Update the script database (run this after adding or removing scripts in the scripts directory):

nmap --script-updatedb

List targets only, no scan (does reverse-DNS lookups but sends no probes to the targets):

nmap 10.10.0.1 -sL

Perform the default scan (host discovery followed by a scan of the 1000 most common TCP ports):

nmap 10.10.0.1

Host Discovery:

Perform a ping scan to discover online hosts (-sP is the legacy name for -sn and is kept only as an alias):

nmap -sP 10.10.0.1

Perform only a ping scan, no port scan (as root, against a remote network this sends an ICMP echo request, a TCP SYN to port 443, a TCP ACK to port 80 and an ICMP timestamp request; on the local Ethernet segment it uses ARP instead):

nmap -sn 10.10.0.1

Perform an ARP ping (only meaningful on the local Ethernet segment, where it is already the default):

nmap -PR 10.10.0.1

Perform TCP SYN, TCP ACK, UDP or SCTP INIT discovery against the given ports:

nmap -PS/PA/PU/PY [port_list] 10.10.0.1

If the discovery probes are being filtered and hosts show up as down, -Pn skips host discovery and port scans every target as if it were up.

Basic Scan Types:

Perform a TCP SYN scan (the default when nmap runs as root; it never completes the handshake):

nmap -sS 10.10.0.1

Perform a TCP connect scan (the default for unprivileged users; it completes the full handshake, so it is slower and more likely to be logged by the service):

nmap -sT 10.10.0.1

Perform a UDP scan (slow; combine it with -sV to resolve open|filtered results):

nmap -sU 10.10.0.1

Perform an ACK scan (maps firewall rules: ports come back as filtered or unfiltered, never open, so it tells you whether a stateful filter is in the way, not what is listening):

nmap -sA 10.10.0.1

Perform a version scan (detect service versions):

nmap -sV 10.10.0.1

Perform a Null, FIN or Xmas scan (these rely on RFC 793 behaviour and report open|filtered; they do not work against Windows and other stacks that answer every unexpected packet with a RST):

nmap -sN/sF/sX 10.10.0.1

Target Specific Scan:

Scan a single IP:

nmap 10.10.0.1

Scan specific IPs:

nmap 10.10.0.1 10.10.0.2

Scan an IP range:

nmap 10.10.0.1-254

Scan a network using CIDR notation:

nmap 10.10.0.1/24

Scan a domain (the name is resolved before scanning):

nmap scanme.nmap.org

Scan targets from a file (one target per line; ranges and CIDR notation are accepted):

nmap -iL targets.txt

Exclude hosts:

nmap 10.10.0.1/24 --exclude 10.10.0.15

Port Specific Scan:

By default, nmap scans the 1000 most common ports of each protocol being scanned.

To scan specific ports (single ports, ranges and protocol prefixes are accepted, e.g. 22,80,443 or U:53,T:1-1024):

nmap -p [port_list] 10.10.0.1

To scan all 65535 ports:

nmap -p- 10.10.0.1

To scan the 100 most common ports (fast scan):

nmap -F 10.10.0.1

OS Detection:

Detect the operating system (needs root; works best when at least one open and one closed TCP port are found):

nmap -O 10.10.0.1

Guess the OS even when the fingerprint match is not exact (must be combined with -O):

nmap -O --osscan-guess 10.10.0.1

Timing and Performance:

Set a timing template (0 = paranoid, 5 = insane; 3 is the default, 4 is the usual choice on reliable networks, 5 can drop results):

nmap -T0/T1/T2/T3/T4/T5 10.10.0.1

Control the number of probes sent in parallel:

nmap --min-parallelism/--max-parallelism [numprobes] 10.10.0.1

Specify the maximum number of port scan probe retransmissions:

nmap --max-retries [tries] 10.10.0.1

Send packets no slower than [num] per second:

nmap --min-rate [num] 10.10.0.1

Send packets no faster than [num] per second:

nmap --max-rate [num] 10.10.0.1

Output and Verbosity:

Save normal output to a file:

nmap 10.10.0.1 -oN output.txt

Save output in XML format (the format to feed into other tools):

nmap 10.10.0.1 -oX output.xml

Save output in grepable format:

nmap 10.10.0.1 -oG output.gnmap

Save output in all three formats (writes output.nmap, output.xml and output.gnmap):

nmap 10.10.0.1 -oA output

Increase the verbosity level:

nmap -v 10.10.0.1

Very verbose:

nmap -vv 10.10.0.1
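The flags above are usually chained into one workflow: discover live hosts first, port-sweep only those, then run version and script detection only against the ports that came back open. The POSIX shell script below is an added example for this cheat sheet, not nmap project code. It parses grepable (-oG) output with awk; the function names, the file-name prefix scheme, the --min-rate 300 choice and the sample scan output are all assumptions made for the example, and the sample output is constructed rather than captured from a real host.

```shell
#!/bin/sh
# Staged scan helper: host discovery (-sn), then a full TCP sweep of only the
# live hosts, then -sV/-sC/-O only on the ports found open. The two parsers
# read grepable (-oG) output. nmap itself runs only inside staged_scan, which
# needs root for -sS and -O; the parsers are exercised offline on sample data.

# Print one IP per line for every host reported "Status: Up" in -oG output.
# Reads the file(s) given as arguments, or stdin when none are given.
live_hosts_from_gnmap() {
    awk '/^Host:/ && /Status: Up/ { print $2 }' "$@"
}

# Print the union of open TCP ports across all hosts in -oG output as a
# comma-separated, numerically sorted list suitable for nmap -p.
# -oG fields are tab-separated; each port entry has the layout
# port/state/proto/owner/service/rpcinfo/version/
open_ports_from_gnmap() {
    awk '
        BEGIN { FS = "\t" }
        /^Host:/ {
            for (i = 1; i <= NF; i++) {
                if ($i !~ /^Ports: /) continue
                sub(/^Ports: /, "", $i)
                n = split($i, entry, /, /)
                for (j = 1; j <= n; j++) {
                    split(entry[j], f, "/")
                    if (f[2] == "open" && f[3] == "tcp") seen[f[1]] = 1
                }
            }
        }
        END { for (p in seen) print p }
    ' "$@" | sort -n | paste -sd, -
}

# Run the three stages against a target spec (IP, range or CIDR), writing
# <prefix>-discovery.gnmap, <prefix>-live.txt, <prefix>-ports.* and
# <prefix>-services.*. Must run as root.
staged_scan() {
    target="$1"
    prefix="${2:-scan}"

    nmap -sn -oG "$prefix-discovery.gnmap" "$target" >/dev/null
    live_hosts_from_gnmap "$prefix-discovery.gnmap" > "$prefix-live.txt"
    if [ ! -s "$prefix-live.txt" ]; then
        echo "no live hosts found (try -Pn if ICMP/ARP is blocked)" >&2
        return 1
    fi

    # Full 65535-port SYN sweep; --min-rate 300 is an arbitrary floor chosen
    # for the example, --max-retries 2 keeps lossy hosts from stalling the run.
    nmap -sS -p- --min-rate 300 --max-retries 2 \
        -iL "$prefix-live.txt" -oA "$prefix-ports" >/dev/null

    ports=$(open_ports_from_gnmap "$prefix-ports.gnmap")
    if [ -z "$ports" ]; then
        echo "no open TCP ports found" >&2
        return 1
    fi

    # Version, default scripts and OS detection only where something listens.
    nmap -sV -sC -O -p "$ports" -iL "$prefix-live.txt" -oA "$prefix-services"
}

# Constructed sample -oG output (not captured from a real scan), used to
# exercise the parsers without running nmap.
sample_discovery_gnmap() {
    printf '# Nmap 7.94 scan initiated as: nmap -sn -oG - 10.10.0.0/29\n'
    printf 'Host: 10.10.0.1 ()\tStatus: Up\n'
    printf 'Host: 10.10.0.2 ()\tStatus: Up\n'
    printf 'Host: 10.10.0.4 ()\tStatus: Down\n'
    printf '# Nmap done -- 8 IP addresses (2 hosts up) scanned in 1.23 seconds\n'
}

sample_ports_gnmap() {
    printf '# Nmap 7.94 scan initiated as: nmap -sS -p- -iL live.txt -oA ports\n'
    printf 'Host: 10.10.0.1 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/filtered/tcp//https///\tIgnored State: closed (65532)\n'
    printf 'Host: 10.10.0.2 ()\tPorts: 22/open/tcp//ssh///, 3306/open/tcp//mysql///, 8080/closed/tcp//http-proxy///\tIgnored State: closed (65532)\n'
    printf '# Nmap done -- 2 IP addresses (2 hosts up) scanned in 42.00 seconds\n'
}

if [ "$#" -gt 0 ]; then
    staged_scan "$@"
else
    echo "live hosts: $(sample_discovery_gnmap | live_hosts_from_gnmap | paste -sd, -)"
    echo "open ports: $(sample_ports_gnmap | open_ports_from_gnmap)"
fi
```

Run as root with a target spec (for example `sh staged.sh 10.10.0.0/24 lab`) to perform the three stages; with no arguments it only runs the parsers over the constructed sample and prints `22,80,3306` for the open-port list, which is exactly the value the last stage would pass to -p.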

Nmap Scripting Engine:

Run the default scripts (same as --script default):

nmap -sC 10.10.0.1

Run a specific script (a script name, a category, or a comma-separated list of either):

nmap --script [script_name] 10.10.0.1

Run the vulnerability-scanning scripts (the vuln category; some of these are intrusive, so expect them to be noisy on the target):

nmap --script vuln 10.10.0.1

Pass arguments to scripts (name=value pairs; --script-args only has an effect together with --script):

nmap --script [script_name] --script-args [args] 10.10.0.1

Get help for a specific script:

nmap --script-help [script_name]

Firewall Evasion Techniques:

Send fragmented packets (8-byte fragments; raw-packet scan types only, and many IDS reassemble fragments before inspection):

nmap -f 10.10.0.1

Set a specific MTU (must be a multiple of 8):

nmap --mtu [val] 10.10.0.1

Use decoys to hide the scan source (ME stands for your own address; decoy hosts should be up, otherwise the target may be SYN-flooded on your behalf):

nmap -D decoy1,decoy2,ME,decoy3 10.10.0.1

Use a specific source port (-g is the short form; useful against stateless filters that trust traffic from ports such as 53 or 20):

nmap --source-port [portnum] 10.10.0.1

Happy Hacking!

© 2024 Encrypt Edge's Blog powered by Hexo
