Nmap Cheat Sheet

Nmap Cheat Sheet

Reference guide for scanning networks with Nmap.

Table of Contents

1. What is Nmap?

2. How to Use Nmap

   1. Command Line

3. Basic Scanning Techniques

   1. Scan a Single Target

   2. Scan Multiple Targets

   3. Scan a List of Targets

   4. Scan a Range of Hosts

   5. Scan an Entire Subnet

   6. Scan Random Hosts

   7. Exclude Targets From a Scan

   8. Exclude Targets Using a List

   9. Perform an Aggresive Scan

   10. Scan an IPv6 Target

4. Port Scanning Options

   1. Perform a Fast Scan

   2. Scan Specific Ports

   3. Scan Ports by Name

   4. Scan Ports by Protocol

   5. Scan All Ports

   6. Scan Top Ports

   7. Perform a Sequential Port Scan

   8. Attempt to Guess an Unknown OS

   9. Service Version Detection

   10. Troubleshoot Version Scan

   11. Perform a RPC Scan

5. Discovery Options

   1. Perform a Ping Only Scan

   2. Do Not Ping

   3. TCP SYN Ping

   4. TCP ACK Ping

   5. UDP Ping

   6. SCTP INIT Ping

   7. ICMP Echo Ping

   8. ICMP Timestamp Ping

   9. ICMP Address Mask Ping

   10. IP Protocol Ping

   11. ARP Ping

   12. Traceroute

   13. Force Reverse DNS Resolution

   14. Disable Reverse DNS Resolution

   15. Alternative DNS Lookup

   16. Manually Specify DNS Server

   17. Create a Host List

6. Firewall Evasion Techniques

   1. Fragment Packets

   2. Specify a Specific MTU

   3. Use a Decoy

   4. Idle Zombie Scan

   5. Manually Specify a Source Port

   6. Append Random Data

   7. Randomize Target Scan Order

   8. Spoof MAC Address

   9. Send Bad Checksums

7. Advanced Scanning Functions

   1. TCP SYN Scan

   2. TCP Connect Scan

   3. UDP Scan

   4. TCP NULL Scan

   5. TCP FIN Scan

   6. Xmas Scan

   7. TCP ACK Scan

   8. Custom TCP Scan

   9. IP Protocol Scan

   10. Send Raw Ethernet Packets

   11. Send IP Packets

8. Timing Options

   1. Timing Templates

   2. Set the Packet TTL

   3. Minimum Number of Parallel Operations

   4. Maximum Number of Parallel Operations

   5. Minimum Host Group Size

   6. Maximum Host Group Size

   7. Maximum RTT Timeout

   8. Initial RTT TImeout

   9. Maximum Number of Retries

   10. Host Timeout

   11. Minimum Scan Delay

   12. Maximum Scan Delay

   13. Minimum Packet Rate

   14. Maximum Packet Rate

   15. Defeat Reset Rate Limits

9. Output Options

   1. Save Output to a Text File

   2. Save Output to a XML File

   3. Grepable Output

   4. Output All Supported File Types

   5. Periodically Display Statistics

   6. 1337 Output

10. Compare Scans

    1. Comparison Using Ndiff

    2. Ndiff Verbose Mode

    3. XML Output Mode

11. Troubleshooting and Debugging

    1. Get Help

    2. Display Nmap Version

    3. Verbose Output

    4. Debugging

    5. Display Port State Reason

    6. Only Display Open Ports

    7. Trace Packets

    8. Display Host Networking

    9. Specify a Network Interface

12. Nmap Scripting Engine

    1. Execute Individual Scripts

    2. Execute Multiple Scripts

    3. Execute Scripts by Category

    4. Execute Multiple Script Categories

    5. Troubleshoot Scripts

    6. Update the Script Database

What is Nmap?

Nmap ("Network Mapper") is a free and open source utility for network discovery and security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running. It was designed to rapidly scan large networks, but works fine against single hosts.

How to Use Nmap

Nmap can be used in a variety of ways depending on the user's level of technical expertise.

Technical Expertise	Usage
Beginner	Zenmap the graphical user interface for Nmap
Intermediate	Command line
Advanced	Python scripting with the Python-Nmap package

Command Line

nmap [ <Scan Type> ...] [ <Options> ] { <target specification> }

Basic Scanning Techniques

The -s switch determines the type of scan to perform.

Nmap Switch	Description
-sA	ACK scan
-sF	FIN scan
-sI	IDLE scan
-sL	DNS scan (a.k.a. list scan)
-sN	NULL scan
-sO	Protocol scan
-sP	Ping scan
-sR	RPC scan
-sS	SYN scan
-sT	TCP connect scan
-sW	Windows scan
-sX	XMAS scan

Scan a Single Target

Scan Multiple Targets

nmap [target1, target2, etc]

Scan a List of Targets

Scan a Range of Hosts

nmap [range of IP addresses]

Scan an Entire Subnet

Scan Random Hosts

Exclude Targets From a Scan

nmap [targets] --exclude [targets]

Exclude Targets Using a List

nmap [targets] --excludefile [list.txt]

Perform an Aggresive Scan

Scan an IPv6 Target

Port Scanning Options

Perform a Fast Scan

Scan Specific Ports

nmap -p [port(s)] [target]

Scan Ports by Name

nmap -p [port name(s)] [target]

Scan Ports by Protocol

nmap -sU -sT -p U:[ports],T:[ports] [target]

Scan All Ports

Scan Top Ports

nmap --top-ports [number] [target]

Perform a Sequential Port Scan

Attempt to Guess an Unknown OS

nmap -O --osscan-guess [target]

Service Version Detection

Troubleshoot Version Scan

nmap -sV --version-trace [target]

Perform a RPC Scan

Discovery Options

Host Discovery The -p switch determines the type of ping to perform.

Nmap Switch	Description
-PI	ICMP ping
-Po	No ping
-PS	SYN ping
-PT	TCP ping

Perform a Ping Only Scan

Do Not Ping

TCP SYN Ping

TCP ACK Ping

UDP Ping

SCTP INIT Ping

ICMP Echo Ping

ICMP Timestamp Ping

ICMP Address Mask Ping

IP Protocol Ping

ARP ping

Traceroute

nmap --traceroute [target]

Force Reverse DNS Resolution

Disable Reverse DNS Resolution

Alternative DNS Lookup

nmap --system-dns [target]

Manually Specify DNS Server

Can specify a single server or multiple.

nmap --dns-servers [servers] [target]

Create a Host List

Port Specification and Scan Order

Service/Version Detection

Nmap Switch	Description
-sV	Enumerates software versions

Script Scan

Nmap Switch	Description
-sC	Run all default scripts

OS Detection

Timing and Performance

The -t switch determines the speed and stealth performed.

Nmap Switch	Description
-T0	Serial, slowest scan
-T1	Serial, slow scan
-T2	Serial, normal speed scan
-T3	Parallel, normal speed scan
-T4	Parallel, fast scan

Not specifying a T value will default to -T3, or normal speed.

Firewall Evasion Techniques

Firewall/IDS Evasion and Spoofing

Fragment Packets

Specify a Specific MTU

nmap --mtu [MTU] [target]

Use a Decoy

nmap -D RND:[number] [target]

Idle Zombie Scan

nmap -sI [zombie] [target]

Manually Specify a Source Port

nmap --source-port [port] [target]

Append Random Data

nmap --data-length [size] [target]

Randomize Target Scan Order

nmap --randomize-hosts [target]

Spoof MAC Address

nmap --spoof-mac [MAC|0|vendor] [target]

Send Bad Checksums

Advanced Scanning Functions

TCP SYN Scan

TCP Connect Scan

UDP Scan

TCP NULL Scan

TCP FIN Scan

Xmas Scan

TCP ACK Scan

Custom TCP Scan

nmap --scanflags [flags] [target]

IP Protocol Scan

Send Raw Ethernet Packets

Send IP Packets

Timing Options

Timing Templates

Set the Packet TTL

nmap --ttl [time] [target]

Minimum NUmber of Parallel Operations

nmap --min-parallelism [number] [target]

Maximum Number of Parallel Operations

nmap --max-parallelism [number] [target]

Minimum Host Group Size

nmap --min-hostgroup [number] [targets]

Maximum Host Group Size

nmap --max-hostgroup [number] [targets]

Maximum RTT Timeout

nmap --initial-rtt-timeout [time] [target]

Initial RTT Timeout

nmap --max-rtt-timeout [TTL] [target]

Maximum Number of Retries

nmap --max-retries [number] [target]

Host Timeout

nmap --host-timeout [time] [target]

Minimum Scan Delay

nmap --scan-delay [time] [target]

Maxmimum Scan Delay

nmap --max-scan-delay [time] [target]

Minimum Packet Rate

nmap --min-rate [number] [target]

Maximum Packet Rate

nmap --max-rate [number] [target]

Defeat Reset Rate Limits

nmap --defeat-rst-ratelimit [target]

Output Options

Nmap Switch	Description
-oN	Normal output
-oX	XML output
-oA	Normal, XML, and Grepable format all at once

Save Output to a Text File

nmap -oN [scan.txt] [target]

Save Output to a XML File

nmap -oX [scan.xml] [target]

Grepable Output

nmap -oG [scan.txt] [target]

Output All Supported File Types

nmap -oA [path/filename] [target]

Periodically Display Statistics

nmap --stats-every [time] [target]

1337 Output

nmap -oS [scan.txt] [target]

Compare Scans

Comparison Using Ndiff

ndiff [scan1.xml] [scan2.xml]

Ndiff Verbose Mode

ndiff -v [scan1.xml] [scan2.xml]

XML Output Mode

ndiff --xml [scan1.xml] [scan2.xml]

Troubleshooting and Debugging

Get Help

Display Nmap Version

Verbose Output

Debugging

Display Port State Reason

Only Display Open Ports

Trace Packets

nmap --packet-trace [target]

Display Host Networking

Specify a Network Interface

nmap -e [interface] [target]

Nmap Scripting Engine

Execute Individual Scripts

nmap --script [script.nse] [target]

Execute Multiple Scripts

nmap --script [expression] [target]

Execute Scripts by Category

nmap --script [category] [target]

Execute Multiple Script Categories

nmap --script [category1,category2,etc]

Troubleshoot Scripts

nmap --script [script] --script-trace [target]

Update the Script Database

Reference Sites

• Nmap - The Basics

• Reference link 1

• Beginner's Guide to Nmap

• Top 32 Nmap Command

• Nmap Linux man page

• 29 Practical Examples of Nmap Commands

• Nmap Scanning Types, Scanning Commands , NSE Scripts

• Nmap CheatSheet

• Nmap Cheat Sheet

• Nmap Cheat Sheet: From Discovery to Exploits

• Nmap: my own cheatsheet

• NMAP Commands Cheatsheet

• Nmap Cheat Sheet

• Nmap Cheat Sheet