Nmap Cheat Sheet

Nmap is one of the most popular network mappers in the infosec world. It is used by cybersecurity professionals and newcomers alike to audit and discover open ports on local and remote hosts, as well as host and network information. Here is a quick cheat sheet to keep at hand while working with Nmap.


Scanning command syntax

nmap [scan types] [options] {target specification}

Port Specification options

Switch    Example                                  Description
-p        nmap -p 23 172.16.1.1                    Scan a single port
-p        nmap -p 23-100 172.16.1.1                Scan a port range
-p        nmap -pU:110,T:23-25,443 172.16.1.1      Scan UDP (U:) and TCP (T:) ports; needs -sU plus a TCP scan type such as -sS
-p-       nmap -p- 172.16.1.1                      Scan all 65535 ports
-p        nmap -p smtp,https 172.16.1.1            Scan ports by service name
-F        nmap -F 172.16.1.1                       Fast scan of the most common ports
-p "*"    nmap -p "ftp*" 172.16.1.1                Scan ports matched by a service-name wildcard
-r        nmap -r 172.16.1.1                       Scan ports in sequential rather than random order


Host / target discovery

Switch    Example                          Description
-sL       nmap 172.16.1.1-5 -sL            List targets only, without scanning
-sn       nmap 172.16.1.1/8 -sn            Host discovery only; disable the port scan
-Pn       nmap 172.16.1.1-8 -Pn            Port scan only; skip host discovery
-PS       nmap 172.16.1.185 -PS22-25,80    TCP SYN discovery on the given ports
-PA       nmap 172.16.1.185 -PA22-25,80    TCP ACK discovery on the given ports
-PU       nmap 172.16.1.1-8 -PU53          UDP discovery on the given port
-PR       nmap 172.16.1.1-8 -PR            ARP discovery on the local network
-n        nmap 172.16.1.1 -n               No DNS resolution


Nmap Port Scan types

Switch    Example                Description
-sS       nmap 172.16.1.1 -sS    TCP SYN (half-open) scan
-sT       nmap 172.16.1.1 -sT    TCP connect scan
-sA       nmap 172.16.1.1 -sA    TCP ACK scan
-sU       nmap 172.16.1.1 -sU    UDP scan
-sF       nmap -sF 172.16.1.1    TCP FIN scan
-sX       nmap -sX 172.16.1.1    Xmas scan
-sP       nmap -sP 172.16.1.1    Ping scan (older alias of -sn)
-sL       nmap -sL 172.16.1.1    List scan


Nmap Port Selection

Example                                    Description
nmap 172.16.1.1                            Scan a single IP
nmap 172.16.1.1 172.16.100.1               Scan specific IPs
nmap 172.16.1.1-254                        Scan a range of IPs
nmap xyz.org                               Scan a domain
nmap 10.1.1.0/8                            Scan using CIDR notation
nmap -iL scan.txt                          Scan targets listed in a file
nmap 172.16.1.0/24 --exclude 172.16.1.1    Exclude the given IP from the scan


Use of Nmap scripts (NSE)

Example                                 Description
nmap --script=[script] 172.16.1.0/24    Run the named script against the targets
nmap --script-updatedb                  Update the script database after adding new scripts
nmap -sV -sC 172.16.1.1                 Version detection with the default (safe) script set
nmap --script-help=[script]             Show help for a script

Firewall proofing

Example                                 Description
nmap -f 172.16.1.1                      Fragment packets
nmap --mtu [MTU] 172.16.1.1             Use a specific MTU (must be a multiple of 8)
nmap -sI [zombie] 172.16.1.1            Idle (zombie) scan
nmap --source-port [port] 172.16.1.1    Use the given source port
nmap --data-length [size] 172.16.1.1    Append random data to sent packets
nmap --randomize-hosts 172.16.1.1-8     Randomize the target scan order
nmap --badsum 172.16.1.1                Send packets with bad checksums


Nmap output formats

Format                Example
Normal output         nmap -oN scan.txt 172.16.1.1
XML                   nmap -oX scan.xml 172.16.1.1
Grepable              nmap -oG grep.txt 172.16.1.1
All formats at once   nmap -oA [basename] 172.16.1.1

Scan options

Syntax                          Description
nmap -sP 172.16.1.1             Ping scan only
nmap -PU 172.16.1.1             UDP ping
nmap -PE 172.16.1.1             ICMP echo ping
nmap -PO 172.16.1.1             IP protocol ping
nmap -PR 172.16.1.1             ARP ping
nmap -Pn 172.16.1.1             Skip host discovery (treat every target as up)
nmap --traceroute 172.16.1.1    Trace the route to the target

Nmap timing options

Syntax                 Description
nmap -T0 172.16.1.1    Paranoid: slowest scan
nmap -T1 172.16.1.1    Sneaky: slow scan intended to avoid IDS alerts
nmap -T2 172.16.1.1    Polite: slower than default, uses less bandwidth
nmap -T3 172.16.1.1    Normal: the default timing template
nmap -T4 172.16.1.1    Aggressive: faster scan
nmap -T5 172.16.1.1    Insane: very aggressive, may sacrifice accuracy


September 20, 2019
© HAKIN9 MEDIA SP. Z O.O. SP. K. 2013