Nmap Cheat Sheet

Nmap Cheat Sheet

Reference guide for scanning networks with Nmap.

Table of Contents

12. Nmap Scripting Engine

What is Nmap?

Nmap ("Network Mapper") is a free and open source utility for network discovery and security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running. It was designed to rapidly scan large networks, but works fine against single hosts.

How to Use Nmap

Nmap can be used in a variety of ways depending on the user's level of technical expertise.

Command Line

Basic Scanning Techniques

The -s switch determines the type of scan to perform.

Scan a Single Target

Scan Multiple Targets

Scan a List of Targets

Scan a Range of Hosts

Scan an Entire Subnet

Scan Random Hosts

Exclude Targets From a Scan

Exclude Targets Using a List

Perform an Aggresive Scan

Scan an IPv6 Target

Port Scanning Options

Perform a Fast Scan

Scan Specific Ports

Scan Ports by Name

Scan Ports by Protocol

Scan All Ports

Scan Top Ports

Perform a Sequential Port Scan

Attempt to Guess an Unknown OS

Service Version Detection

Troubleshoot Version Scan

Perform a RPC Scan

Discovery Options

Host Discovery The -p switch determines the type of ping to perform.

Perform a Ping Only Scan

Do Not Ping

TCP SYN Ping

TCP ACK Ping

UDP Ping

SCTP INIT Ping

ICMP Echo Ping

ICMP Timestamp Ping

ICMP Address Mask Ping

IP Protocol Ping

ARP ping

Traceroute

Force Reverse DNS Resolution

Disable Reverse DNS Resolution

Alternative DNS Lookup

Manually Specify DNS Server

Can specify a single server or multiple.

Create a Host List

Port Specification and Scan Order

Service/Version Detection

Script Scan

OS Detection

Timing and Performance

The -t switch determines the speed and stealth performed.

Not specifying a T value will default to -T3, or normal speed.

Firewall Evasion Techniques

Firewall/IDS Evasion and Spoofing

Fragment Packets

Specify a Specific MTU

Use a Decoy

Idle Zombie Scan

Manually Specify a Source Port

Append Random Data

Randomize Target Scan Order

Spoof MAC Address

Send Bad Checksums

Advanced Scanning Functions

TCP SYN Scan

TCP Connect Scan

UDP Scan

TCP NULL Scan

TCP FIN Scan

Xmas Scan

TCP ACK Scan

Custom TCP Scan

IP Protocol Scan

Send Raw Ethernet Packets

Send IP Packets

Timing Options

Timing Templates

Set the Packet TTL

Minimum NUmber of Parallel Operations

Maximum Number of Parallel Operations

Minimum Host Group Size

Maximum Host Group Size

Maximum RTT Timeout

Initial RTT Timeout

Maximum Number of Retries

Host Timeout

Minimum Scan Delay

Maxmimum Scan Delay

Minimum Packet Rate

Maximum Packet Rate

Defeat Reset Rate Limits

Output Options

Save Output to a Text File

Save Output to a XML File

Grepable Output

Output All Supported File Types

Periodically Display Statistics

1337 Output

Compare Scans

Comparison Using Ndiff

Ndiff Verbose Mode

XML Output Mode

Troubleshooting and Debugging

Get Help

Display Nmap Version

Verbose Output

Debugging

Display Port State Reason

Only Display Open Ports

Trace Packets

Display Host Networking

Specify a Network Interface

Nmap Scripting Engine

Execute Individual Scripts

Execute Multiple Scripts

Execute Scripts by Category

Execute Multiple Script Categories

Troubleshoot Scripts

Update the Script Database

Reference Sites