Among cybersecurity tools, Nmap (Network Mapper) stands out as one of the most powerful and versatile network scanning utilities available.
Nmap is such a powerful and versatile tool that it becomes impossible to virtually memorize all the commands. For this reason, we have developed this ultimate Nmap cheat sheet, which provides all possible codes to get the most out of this handy tool.
What is Nmap?
Nmap is an open-source utility designed for network discovery and security auditing. Created by Gordon Lyon (also known as Fyodor Vaskovich), Nmap has become the de facto standard for network exploration and security assessments. Its primary functions include:
- Network discovery: Identifying hosts available on a network
- Service enumeration: Determining what services targets are offering
- Operating system detection: Identifying the OS running on target systems
- Firewall analysis: Detecting packet filters and firewalls in use
- Vulnerability assessment: When combined with scripts, identifying potential security weaknesses
Essential Nmap Commands and Techniques
Here’s an organized list of commonly used Nmap commands:
Basic Scanning Techniques
Host Discovery
| Command | Description | Related Switches |
| nmap -sn 192.168.1.0/24 | Ping scan (disable port scan) | -sn: No port scan |
| nmap -Pn 192.168.1.1 | Skip ping (assume host is up) | -Pn: No ping |
| nmap -PS 192.168.1.1 | TCP SYN ping | -PS[port-list]: Can specify custom ports |
| nmap -PA 192.168.1.1 | TCP ACK ping | -PA[port-list]: Can specify custom ports |
| nmap -PU 192.168.1.1 | UDP ping | -PU[port-list]: Can specify custom ports |
| nmap -PE 192.168.1.1 | ICMP echo ping | -PE: ICMP echo request (ping) |
| nmap -PP 192.168.1.1 | ICMP timestamp ping | -PP: ICMP timestamp request |
| nmap -PM 192.168.1.1 | ICMP address mask ping | -PM: ICMP address mask request |
Port Scanning
| Command | Description | Related Switches |
| nmap 192.168.1.1 | Default scan (top 1000 TCP ports) | Default behavior without specific flags |
| nmap -p 80,443 192.168.1.1 | Scan specific ports | -p: Specify ports to scan |
| nmap -p 1-100 192.168.1.1 | Scan port range | -p: Supports range notation |
| nmap -p- 192.168.1.1 | Scan all 65535 ports | -p-: All ports |
| nmap -F 192.168.1.1 | Fast scan (top 100 ports) | -F: Fast mode |
| nmap –top-ports 2000 192.168.1.1 | Scan top 2000 common ports | –top-ports <n>: Scan n most common ports |
| nmap -p http,https 192.168.1.1 | Scan named ports | -p: Supports service names from /etc/services |
| nmap -T0 192.168.1.1 | Paranoid timing (slowest) | -T<0-5>: Timing template (0=slowest, 5=fastest) |
| nmap -T5 192.168.1.1 | Insane timing (fastest) | -T<0-5>: Timing template (0=slowest, 5=fastest) |
Scan Types
| Command | Description | Related Switches |
| nmap -sS 192.168.1.1 | TCP SYN scan (default, need root) | -sS: SYN scan (stealthy) |
| nmap -sT 192.168.1.1 | TCP connect scan (no root required) | -sT: Full TCP connect scan |
| nmap -sU 192.168.1.1 | UDP scan | -sU: UDP scan |
| nmap -sA 192.168.1.1 | TCP ACK scan | -sA: ACK scan for firewall rule mapping |
| nmap -sW 192.168.1.1 | TCP Window scan | -sW: TCP Window scan |
| nmap -sM 192.168.1.1 | TCP Maimon scan | -sM: Maimon scan |
| nmap -sN 192.168.1.1 | TCP Null scan | -sN: No flags set |
| nmap -sF 192.168.1.1 | TCP FIN scan | -sF: FIN flag only |
| nmap -sX 192.168.1.1 | TCP Xmas scan | -sX: FIN, PSH and URG flags set |
| nmap -sI zombie:port 192.168.1.1 | Idle/Zombie scan | -sI <zombie:port>: Idle scan through zombie host |
| nmap -sO 192.168.1.1 | IP protocol scan | -sO: Protocol scan |
| nmap -b ftp-bounce:21 192.168.1.1 | FTP bounce scan | -b <FTP relay host>: FTP bounce scan |
| nmap -sY 192.168.1.1 | SCTP INIT scan | -sY: SCTP INIT scan |
| nmap -sZ 192.168.1.1 | SCTP COOKIE-ECHO scan | -sZ: SCTP COOKIE-ECHO scan |
Advanced Options
Version and OS Detection
| Command | Description | Related Switches |
| nmap -sV 192.168.1.1 | Version detection | -sV: Probe open ports for service/version info |
| nmap -sV –version-intensity 0-9 | Set version intensity | –version-intensity <0-9>: From light to aggressive probing |
| nmap -sV –version-light | Light version detection (intensity 2) | –version-light: Limit to most likely probes (intensity 2) |
| nmap -sV –version-all | Try all probes (intensity 9) | –version-all: Try every probe (intensity 9) |
| nmap -A 192.168.1.1 | Enable OS detection, version, script scanning, traceroute | -A: Aggressive scan options |
| nmap -O 192.168.1.1 | OS detection | -O: Enable OS detection |
| nmap -O –osscan-limit | Limit OS detection to promising targets | –osscan-limit: Limit OS detection to promising targets |
| nmap -O –osscan-guess | More aggressive OS detection | –osscan-guess: Guess OS more aggressively |
| nmap -O –max-os-tries 1 | Limit OS detection tries | –max-os-tries <n>: Set maximum number of OS detection tries |
Output Formats
| Command | Description |
| nmap -oN output.txt 192.168.1.1 | Normal output |
| nmap -oX output.xml 192.168.1.1 | XML output |
| nmap -oG output.grep 192.168.1.1 | Grepable output |
| nmap -oA output 192.168.1.1 | Output in all formats |
| nmap -oS output.scr 192.168.1.1 | Script kiddie output |
| nmap -v 192.168.1.1 | Verbose output |
| nmap -vv 192.168.1.1 | Very verbose output |
| nmap –reason 192.168.1.1 | Display reason a port is in a particular state |
| nmap –open 192.168.1.1 | Only show open ports |
| nmap –packet-trace 192.168.1.1 | Show all packets sent and received |
| nmap -d 192.168.1.1 | Debugging |
| nmap –iflist | List available interfaces and routes |
NSE (Nmap Scripting Engine)
| Command | Description |
| nmap -sC 192.168.1.1 | Default scripts |
| nmap –script default 192.168.1.1 | Default scripts |
| nmap –script=banner 192.168.1.1 | Banner script |
| nmap –script=http-* 192.168.1.1 | All HTTP scripts |
| nmap –script=vuln 192.168.1.1 | Vulnerability assessment |
| nmap –script=safe 192.168.1.1 | Safe scripts |
| nmap –script=auth 192.168.1.1 | Authentication scripts |
| nmap –script=discovery 192.168.1.1 | Discovery scripts |
| nmap –script=malware 192.168.1.1 | Malware detection scripts |
| nmap –script=version 192.168.1.1 | Version detection scripts |
| nmap –script-updatedb | Update script database |
| nmap –script-help=script.nse | Get help for a script |
Timing and Performance
| Command | Description | Related Switches |
| nmap -T0 192.168.1.1 | Paranoid: Very slow, evades IDS | -T0: Serial, 5 min between scans |
| nmap -T1 192.168.1.1 | Sneaky: Slow, evades IDS | -T1: Serial, 15 sec between scans |
| nmap -T2 192.168.1.1 | Polite: Slows down to consume less bandwidth | -T2: Serial, 0.4 sec between scans |
| nmap -T3 192.168.1.1 | Normal: Default speed | -T3: Parallel scanning |
| nmap -T4 192.168.1.1 | Aggressive: Fast, assumes reliable network | -T4: More aggressive parallel scanning |
| nmap -T5 192.168.1.1 | Insane: Very fast, assumes extremely reliable network | -T5: Insanely aggressive scanning |
| nmap –min-rate 100 192.168.1.1 | Send packets no slower than 100 per second | –min-rate <rate>: Send packets no slower than <rate> per second |
| nmap –max-rate 100 192.168.1.1 | Send packets no faster than 100 per second | –max-rate <rate>: Send packets no faster than <rate> per second |
| nmap –max-retries 2 192.168.1.1 | Limit retry attempts for port scans | –max-retries <tries>: Cap number of port scan probe retransmissions |
| nmap –min-parallelism 10 | Min probe parallelization | –min-parallelism <n>: Min probe parallelization |
| nmap –max-parallelism 10 | Max probe parallelization | –max-parallelism <n>: Max probe parallelization |
| nmap –min-hostgroup 50 | Min hosts scanned in parallel | –min-hostgroup <n>: Min hosts per scan group |
| nmap –max-hostgroup 100 | Max hosts scanned in parallel | –max-hostgroup <n>: Max hosts per scan group |
| nmap –scan-delay 1s | Adjust delay between probes | –scan-delay <time>: Adjust delay between probes |
| nmap –max-scan-delay 10s | Max scan delay | –max-scan-delay <time>: Max scan delay |
Firewall / IDS Evasion and Spoofing
| Command | Description | Related Switches |
| nmap -f 192.168.1.1 | Fragment packets | -f: Fragment packets (may bypass filters) |
| nmap –mtu 24 192.168.1.1 | Specify MTU size | –mtu <n>: Use specified MTU for fragmentation |
| nmap -D decoy1,decoy2 192.168.1.1 | Cloak scan with decoys | -D <decoy1,decoy2,…>: Mask scan using decoys |
| nmap -S source_ip 192.168.1.1 | Spoof source IP address | -S <IP_Address>: Spoof source address |
| nmap -e eth0 192.168.1.1 | Use specified interface | -e <interface>: Use specified interface |
| nmap –source-port 53 192.168.1.1 | Use given port number as source port | –source-port <port>: Use custom source port |
| nmap –data-length 200 192.168.1.1 | Append random data to packets | –data-length <n>: Append random data to packets |
| nmap –randomize-hosts 192.168.1.1 | Randomize target host order | –randomize-hosts: Randomize target host order |
| nmap –spoof-mac MAC 192.168.1.1 | Spoof MAC address | –spoof-mac <MAC>: Spoof MAC address |
| nmap –proxies proxy_url 192.168.1.1 | Use HTTP/SOCKS4 proxies | –proxies <url1,[url2],…>: Relay connections through HTTP/SOCKS4 proxies |
| nmap –badsum 192.168.1.1 | Send packets with bogus checksums | –badsum: Send packets with bogus TCP/UDP checksums |
| nmap –ttl 60 192.168.1.1 | Set IP time-to-live field | –ttl <val>: Set IP time-to-live field |
Advanced Target Specification
| Command | Description | Related Switches |
| nmap 192.168.1.1 192.168.2.1 | Scan multiple targets | Multiple IP addresses space separated |
| nmap 192.168.1.0/24 | Scan entire subnet | CIDR notation for network blocks |
| nmap 192.168.1.1-254 | Scan a range | Hyphen notation for ranges |
| nmap scanme.nmap.org | Scan domain | Hostnames are resolved via DNS |
| nmap -iL targets.txt | Scan targets from file | -iL <file>: Input from list of hosts/networks |
| nmap -iR 10 | Scan 10 random hosts | -iR <num>: Choose random targets |
| nmap –exclude 192.168.1.1 | Exclude hosts | –exclude <host1,[host2],…]: Exclude hosts/networks |
| nmap –excludefile exclude.txt | Exclude hosts from file | –excludefile <file>: Exclude list from file |
Leave a Reply