Among cybersecurity tools, Nmap (Network Mapper) stands out as one of the most powerful and versatile network scanning utilities available. Nmap has stood the test of time and is so far above many other tools such that we needed to create an Nmap cheat sheet for it.
Additionally, Nmap is such a powerful and versatile tool that it becomes impossible to virtually memorize all the commands. For this reason, we have provided all possible codes to get the most out of this handy tool.
What is Nmap?
Nmap is an open-source utility designed for network discovery and security auditing. Created by Gordon Lyon (also known as Fyodor Vaskovich), Nmap has become the de facto standard for network exploration and security assessments. Its primary functions include:
- Network discovery: Identifying hosts available on a network
- Service enumeration: Determining what services targets are offering
- Operating system detection: Identifying the OS running on target systems
- Firewall analysis: Detecting packet filters and firewalls in use
- Vulnerability assessment: When combined with scripts, identifying potential security weaknesses
Essential Nmap Commands and Techniques
Here’s an organized list of commonly used commands within our Nmap cheat sheet:
Basic Scanning Techniques
Host Discovery
| Command | Description | Related Switches |
| nmap -sn 192.168.1.0/24 | Ping scan (disable port scan) | -sn: No port scan |
| nmap -Pn 192.168.1.1 | Skip ping (assume host is up) | -Pn: No ping |
| nmap -PS 192.168.1.1 | TCP SYN ping | -PS[port-list]: Can specify custom ports |
| nmap -PA 192.168.1.1 | TCP ACK ping | -PA[port-list]: Can specify custom ports |
| nmap -PU 192.168.1.1 | UDP ping | -PU[port-list]: Can specify custom ports |
| nmap -PE 192.168.1.1 | ICMP echo ping | -PE: ICMP echo request (ping) |
| nmap -PP 192.168.1.1 | ICMP timestamp ping | -PP: ICMP timestamp request |
| nmap -PM 192.168.1.1 | ICMP address mask ping | -PM: ICMP address mask request |
Port Scanning
| Command | Description | Related Switches |
| nmap 192.168.1.1 | Default scan (top 1000 TCP ports) | Default behavior without specific flags |
| nmap -p 80,443 192.168.1.1 | Scan specific ports | -p: Specify ports to scan |
| nmap -p 1-100 192.168.1.1 | Scan port range | -p: Supports range notation |
| nmap -p- 192.168.1.1 | Scan all 65535 ports | -p-: All ports |
| nmap -F 192.168.1.1 | Fast scan (top 100 ports) | -F: Fast mode |
| nmap –top-ports 2000 192.168.1.1 | Scan top 2000 common ports | –top-ports <n>: Scan n most common ports |
| nmap -p http,https 192.168.1.1 | Scan named ports | -p: Supports service names from /etc/services |
| nmap -T0 192.168.1.1 | Paranoid timing (slowest) | -T<0-5>: Timing template (0=slowest, 5=fastest) |
| nmap -T5 192.168.1.1 | Insane timing (fastest) | -T<0-5>: Timing template (0=slowest, 5=fastest) |
Scan Types
| Command | Description | Related Switches |
| nmap -sS 192.168.1.1 | TCP SYN scan (default, need root) | -sS: SYN scan (stealthy) |
| nmap -sT 192.168.1.1 | TCP connect scan (no root required) | -sT: Full TCP connect scan |
| nmap -sU 192.168.1.1 | UDP scan | -sU: UDP scan |
| nmap -sA 192.168.1.1 | TCP ACK scan | -sA: ACK scan for firewall rule mapping |
| nmap -sW 192.168.1.1 | TCP Window scan | -sW: TCP Window scan |
| nmap -sM 192.168.1.1 | TCP Maimon scan | -sM: Maimon scan |
| nmap -sN 192.168.1.1 | TCP Null scan | -sN: No flags set |
| nmap -sF 192.168.1.1 | TCP FIN scan | -sF: FIN flag only |
| nmap -sX 192.168.1.1 | TCP Xmas scan | -sX: FIN, PSH and URG flags set |
| nmap -sI zombie:port 192.168.1.1 | Idle/Zombie scan | -sI <zombie:port>: Idle scan through zombie host |
| nmap -sO 192.168.1.1 | IP protocol scan | -sO: Protocol scan |
| nmap -b ftp-bounce:21 192.168.1.1 | FTP bounce scan | -b <FTP relay host>: FTP bounce scan |
| nmap -sY 192.168.1.1 | SCTP INIT scan | -sY: SCTP INIT scan |
| nmap -sZ 192.168.1.1 | SCTP COOKIE-ECHO scan | -sZ: SCTP COOKIE-ECHO scan |
Advanced Options
Version and OS Detection
| Command | Description | Related Switches |
| nmap -sV 192.168.1.1 | Version detection | -sV: Probe open ports for service/version info |
| nmap -sV –version-intensity 0-9 | Set version intensity | –version-intensity <0-9>: From light to aggressive probing |
| nmap -sV –version-light | Light version detection (intensity 2) | –version-light: Limit to most likely probes (intensity 2) |
| nmap -sV –version-all | Try all probes (intensity 9) | –version-all: Try every probe (intensity 9) |
| nmap -A 192.168.1.1 | Enable OS detection, version, script scanning, traceroute | -A: Aggressive scan options |
| nmap -O 192.168.1.1 | OS detection | -O: Enable OS detection |
| nmap -O –osscan-limit | Limit OS detection to promising targets | –osscan-limit: Limit OS detection to promising targets |
| nmap -O –osscan-guess | More aggressive OS detection | –osscan-guess: Guess OS more aggressively |
| nmap -O –max-os-tries 1 | Limit OS detection tries | –max-os-tries <n>: Set maximum number of OS detection tries |
Output Formats
| Command | Description |
| nmap -oN output.txt 192.168.1.1 | Normal output |
| nmap -oX output.xml 192.168.1.1 | XML output |
| nmap -oG output.grep 192.168.1.1 | Grepable output |
| nmap -oA output 192.168.1.1 | Output in all formats |
| nmap -oS output.scr 192.168.1.1 | Script kiddie output |
| nmap -v 192.168.1.1 | Verbose output |
| nmap -vv 192.168.1.1 | Very verbose output |
| nmap –reason 192.168.1.1 | Display reason a port is in a particular state |
| nmap –open 192.168.1.1 | Only show open ports |
| nmap –packet-trace 192.168.1.1 | Show all packets sent and received |
| nmap -d 192.168.1.1 | Debugging |
| nmap –iflist | List available interfaces and routes |
NSE (Nmap Scripting Engine)
| Command | Description |
| nmap -sC 192.168.1.1 | Default scripts |
| nmap –script default 192.168.1.1 | Default scripts |
| nmap –script=banner 192.168.1.1 | Banner script |
| nmap –script=http-* 192.168.1.1 | All HTTP scripts |
| nmap –script=vuln 192.168.1.1 | Vulnerability assessment |
| nmap –script=safe 192.168.1.1 | Safe scripts |
| nmap –script=auth 192.168.1.1 | Authentication scripts |
| nmap –script=discovery 192.168.1.1 | Discovery scripts |
| nmap –script=malware 192.168.1.1 | Malware detection scripts |
| nmap –script=version 192.168.1.1 | Version detection scripts |
| nmap –script-updatedb | Update script database |
| nmap –script-help=script.nse | Get help for a script |
Timing and Performance
| Command | Description | Related Switches |
| nmap -T0 192.168.1.1 | Paranoid: Very slow, evades IDS | -T0: Serial, 5 min between scans |
| nmap -T1 192.168.1.1 | Sneaky: Slow, evades IDS | -T1: Serial, 15 sec between scans |
| nmap -T2 192.168.1.1 | Polite: Slows down to consume less bandwidth | -T2: Serial, 0.4 sec between scans |
| nmap -T3 192.168.1.1 | Normal: Default speed | -T3: Parallel scanning |
| nmap -T4 192.168.1.1 | Aggressive: Fast, assumes reliable network | -T4: More aggressive parallel scanning |
| nmap -T5 192.168.1.1 | Insane: Very fast, assumes extremely reliable network | -T5: Insanely aggressive scanning |
| nmap –min-rate 100 192.168.1.1 | Send packets no slower than 100 per second | –min-rate <rate>: Send packets no slower than <rate> per second |
| nmap –max-rate 100 192.168.1.1 | Send packets no faster than 100 per second | –max-rate <rate>: Send packets no faster than <rate> per second |
| nmap –max-retries 2 192.168.1.1 | Limit retry attempts for port scans | –max-retries <tries>: Cap number of port scan probe retransmissions |
| nmap –min-parallelism 10 | Min probe parallelization | –min-parallelism <n>: Min probe parallelization |
| nmap –max-parallelism 10 | Max probe parallelization | –max-parallelism <n>: Max probe parallelization |
| nmap –min-hostgroup 50 | Min hosts scanned in parallel | –min-hostgroup <n>: Min hosts per scan group |
| nmap –max-hostgroup 100 | Max hosts scanned in parallel | –max-hostgroup <n>: Max hosts per scan group |
| nmap –scan-delay 1s | Adjust delay between probes | –scan-delay <time>: Adjust delay between probes |
| nmap –max-scan-delay 10s | Max scan delay | –max-scan-delay <time>: Max scan delay |
Firewall / IDS Evasion and Spoofing
| Command | Description | Related Switches |
| nmap -f 192.168.1.1 | Fragment packets | -f: Fragment packets (may bypass filters) |
| nmap –mtu 24 192.168.1.1 | Specify MTU size | –mtu <n>: Use specified MTU for fragmentation |
| nmap -D decoy1,decoy2 192.168.1.1 | Cloak scan with decoys | -D <decoy1,decoy2,…>: Mask scan using decoys |
| nmap -S source_ip 192.168.1.1 | Spoof source IP address | -S <IP_Address>: Spoof source address |
| nmap -e eth0 192.168.1.1 | Use specified interface | -e <interface>: Use specified interface |
| nmap –source-port 53 192.168.1.1 | Use given port number as source port | –source-port <port>: Use custom source port |
| nmap –data-length 200 192.168.1.1 | Append random data to packets | –data-length <n>: Append random data to packets |
| nmap –randomize-hosts 192.168.1.1 | Randomize target host order | –randomize-hosts: Randomize target host order |
| nmap –spoof-mac MAC 192.168.1.1 | Spoof MAC address | –spoof-mac <MAC>: Spoof MAC address |
| nmap –proxies proxy_url 192.168.1.1 | Use HTTP/SOCKS4 proxies | –proxies <url1,[url2],…>: Relay connections through HTTP/SOCKS4 proxies |
| nmap –badsum 192.168.1.1 | Send packets with bogus checksums | –badsum: Send packets with bogus TCP/UDP checksums |
| nmap –ttl 60 192.168.1.1 | Set IP time-to-live field | –ttl <val>: Set IP time-to-live field |
Advanced Target Specification
| Command | Description | Related Switches |
| nmap 192.168.1.1 192.168.2.1 | Scan multiple targets | Multiple IP addresses space separated |
| nmap 192.168.1.0/24 | Scan entire subnet | CIDR notation for network blocks |
| nmap 192.168.1.1-254 | Scan a range | Hyphen notation for ranges |
| nmap scanme.nmap.org | Scan domain | Hostnames are resolved via DNS |
| nmap -iL targets.txt | Scan targets from file | -iL <file>: Input from list of hosts/networks |
| nmap -iR 10 | Scan 10 random hosts | -iR <num>: Choose random targets |
| nmap –exclude 192.168.1.1 | Exclude hosts | –exclude <host1,[host2],…]: Exclude hosts/networks |
| nmap –excludefile exclude.txt | Exclude hosts from file | –excludefile <file>: Exclude list from file |
Nmap Cheat Sheet Example Scans
Nmap offers multiple scanning techniques such that each method significantly contributes to the results after a port scan. However, it only allows one scan type at a time with a format of -s<scan_type>. Some of the most common nmap scan types are:
nmap -s<scan_type> <target_host>
- Ping Sweep (-sn): This type of nmap scan sends ICMP packets to discover the number of devices that respond to it. Ping sweep helps determine the number of available or active devices on the network. It is fast and hard to detect.
- TCP (-sT): TCP connect scan completes the three-way handshake between the scanning machine and the target host, such that it’s noisy and triggers the packet filtering platforms like firewalls and intrusion detection systems.
- UDP (-sU): The -sU option in nmap looks for the active UDP protocol ports listening for a connection. Nmap combines this scan with the TCP connect scan to check open ports for both protocols. However, its results can be falsely positive, and the response is slow as a precautionary measure by target machines to such packets.
- SYN (-sS): Also known as the half-open or stealth scan because the scanner immediately responds with the RST packet after receiving the SYN-ACK packet from the target host. Hence, it closes the connection before completing the handshake.
- FIN (-sF): It’s the same as the SYN scan except that Nmap sends the FIN flag instead of an RST in a packet for closing the connection.
- NULL (-sN): The target systems do not know how to respond to a Null scan as all the flags inside the TCP header are off or set to null.
- XMAS (-sX): XMAS is the same as the null scan, except that nmap turns on all the flags in the TCP header.
Specifying Targets for Nmap Scan
Anything that isn’t an option or a flag in nmap is dealt with as a target host. It allows us to specify a range of hosts in a single command. The most simple among them is the specification of a single hostname or the target host address.
sudo nmap <www.hostname.com>
On providing the hostname as a target, nmap uses DNS resolution to resolve the hostname to an IP address and perform the target discovery process to confirm its availability. The hostname may resolve to more than one IP address, in which case, by default, it considers the first one. You can use the –all-resolve option for nmap to scan all addresses.
sudo nmap --all-resolve <www.hostname.com>
Nmap allows you to specify targets in three various ways:
- Multiple Specifications: Nmap allows to specify multiple IP addresses at a time as follows:
sudo nmap X.X.X.21, X.X.X.28, X.X.X.45
- CIDR notation: The CIDR notation-based addressing allows scanning of a whole network or a range of adjacent IP addresses. All it requires is to append the IP address/hostname with the network suffix/bits as follows:
sudo nmap <X.X.X.0/24>
or
sudo nmap <www.hostname.com/24>
Hence, nmap will scan all the IP addresses from X.X.X.0 to X.X.X.255. Nmap also allows you to exclude an IP address with the help of the –exclude option as follows:
sudo nmap <X.X.X.0/24> --exclude X.X.X.25, X.X.X.35
However, it’s not flexible in a scenario when you want to exclude IPs including .0 and .255 for subnetworks and broadcast addresses, as in the case of X.X.0.0/16. Nmap resolves this issue by introducing octet-based addressing.
- Octet range: It allows you to use wild cards * and – for a comma-separated range of numbers for each octet. For instance, for the target address, X.X.0-255,1-254 nmap will skip all addresses that end in .0 and .255.
Similarly for the address range X.X.2-5,8.1 nmap will scan addresses X.X.2.1, X.X.3.1, X.X.4.1, X.X.5.1, and X.X.8.1.
nmap X.X.2-5,8.1
Lastly, given the ip address of X.X.X.* nmap will scan all addresses from 0 to 255.
Input Target Address List to Nmap
Even though Nmap provides multiple ways to specify target host addresses, it’s infeasible to write down all of them in a single command. Specifically, in a scenario when a DHCP leases around 100 IPs that you wish to scan.
Use the -iL argument to pass Nmap the .txt file containing a list of hosts for scan, such that each entry can be in any of the formats (discussed above) supported by the utility.
sudo nmap -iL <target_hosts.txt>
Specifying Ports for Nmap Scan
Port scanning is the heart of nmap as it helps to identify ports state and running services. Port scanning in nmap works by specifying targets to find information, but it isn’t necessary as mostly we don’t have a complete picture of the network. Nmap recognizes ports state based on six types:
- Open: the application or service is listening for tcp or udp connections.
- Filtered: nmap cannot determine the port state due to packet filtering via firewall or routing rules.
- Closed: the probes were successful, but no service is listening for a connection on this port.
- Unfiltered: the probes were successfully received, but nmap can not determine their state. In this scenario, the SYN and FIN scans may help determine if the port is open or not.
- Open|Filtered: nmap can not establish if the port state is listening for connections or filtered. It happens when the open port does not respond to the probe. It also occurs when a packet filter drops the nmap probes or any response sent by the target.
- Closed|Filtered: it is a state when it is unclear if the port is closed or filtered.
Nmap provides a list of essential options to perform a port scan. To begin with, the bare minimum, specify the target IP address, hostname, or network range as follows:
nmap <IP_address>/<www.hostname.com>
The above command performs a default scan that will probe 1000 TCP ports and provide all the host-related information, their states, and the services running. However, it takes a lot of time and may invoke firewall or intrusion detection systems. To avoid firewall or IDS detection, you can use the following nmap options:
To scan a single port:
sudo nmap -p 80 <hostname>
To scan a single port:
sudo nmap -p 1-100 <hostname>
To perform a fast scan on the 100 most common ports:
sudo nmap -F <hostname>
To scan port based on service:
sudo nmap -p smtp,https <hostname>
To find more about all available port scanning options via the nmap -h command.
Service and Host Discovery
Nmap offers various options to grab information about the operating system and the running services to determine open ports.
To detect the operating system alone:
nmap -O <target_host>
To detect the service and host machine:
nmap -A <target_host>
Service Version Discovery
Nmap allows you to find more details about the services running on the target machine ports. Add the -sV option to the nmap scan for a standard service version discovery:
nmap -sS -sV <target_host>
It also enables us to set the intensity of the scan with the help of a –version-intensity option for an aggressive and light service detection scan. High version intensity for service scanning provides more accurate results however, it takes more time, creates noise, and has high chances of detection.
nmap -sV --version-intensity 5 <target_host>
While the banner grabbing lightweight detection has more advantages in terms of staying undetected during services enumeration.
nmap -sV --version-intensity 0 <target_host>
Saving Nmap Output
Nmap offers various file formats to save its output. By default, nmap stores the scan output in .txt format with a simple redirect >.
nmap -sS -p 80,443 <target_host> > nmap_outputfile
Whereas the nmap -oN option stores the scan results and displays the output at the same time.
nmap -oN nmap_outputfile.txt <target_host>
For XML and grep formats use -oX and-oG options as follows:
nmap -sS -sV --version-intensity 5 -oX nmap_outputfile.xml <target_host> nmap -sS -sV --version-intensity 5 -oX nmap_outputfile.txt <target_host>
To save the results in all formats:
nmap -oA nmap_outputfile <target_host>
Nmap Scripting Engine (NSE)
NSE is a powerful nmap functionality that expands its features considerably. The NSE scripts are written in Lua language and help perform various tasks such as scanning for vulnerabilities (vuln), brute forcing credentials (brute), and bypassing authentication (auth) of running services. Use the –script option to activate the script as follows:
nmap -sV -p 80 --script=vuln <target_host>
To find more about the available database of NSE scripts, cd into the /usr/share/nmap/scripts/ directory:
cd /usr/share/nmap/scripts head scripts.db
Or grep all the available scripts for a particle protocol as follows:
grep "ftp" /usr/share/nmap/scripts/scripts.db
Conclusion
Nmap is a command-line utility with versions for both Windows and Linux. It’s a versatile tool for network administrators and security practitioners to resolve issues and find flaws. This Nmap cheat sheet is a beginner’s guide for getting started with the Nmap tool, analyzing network services and their vulnerabilities.