Nmap Cheat Sheet

Nmap stands for Network Mapper. It is used for scanning networks, finding hosts available in the network, finding ports that are open, firewall configurations, and other characteristics. Click Here if you are interested in Most Asked Nmap Interview Questions and Answers.

Nmap output gives information about scanned targets which includes whether the host is up or down, the state of ports (it may be open, filtered, closed, or unfiltered), OS versions, etc. Here is the list of important Nmap commands. It is advisable to use the Wireshark tool to see the behavior of the scan. Click Here if you are interested in learning How we can install Nmap on Windows machines.

Base Syntax

#nmap [ScanType] [Options] {Targets}

1. Scan a target

Target	Syntax/Example
Scan a Single IP	#nmap <IP>
Scan a multiple IPs	#nmap 192.168.1.104,108
Scan a Host	#nmap <url>
Scan a range of IPs	#nmap 192.168.1.0-255
Scan using wildcard	#nmap 192.168.0.*
Scan a subnet	#nmap 192.168.0.1/24
Scan target from text file	#nmap -iL IPList.txt

2. Target Ports

Option Description	Syntax/Example
Scan a single port	#nmap -p 22 <IP>
Scan a range of ports	#nmap -p 100-500 <IP>
Scan multiple ports	#nmap -p 23,443 <IP>
Scan 100 most popular ports	#nmap -F <IP>
Scan n most popular ports	#nmap --top-ports <n> <IP>
Scan all 65535 ports	#nmap -p- <IP>
Leaving off end port in range makes Nmap scan through port 65535	#nmap -p0- <IP>
Scan linearly i.e. do not randomize ports	#nmap -r <IP>

3. Scan Types options

Scan Types Description	Syntax/Example
Syn Scan	#nmap -sS <IP>
TCP Connect Scan	#nmap -sT <IP>
UDP Scan	#nmap -sU <IP>
Version Scan	#nmap -sV <IP>
OS Detection	#nmap -O <IP>
Set custom list of TCP using “URGACKPSHRSTSYNFIN” in any order and combination	#nmap --scanflags URGSYN <IP>

4. Probing Options

Description	Syntax/Example
Don’t  probe i.e. assuming all hosts are up	#nmap -Pn <IP>
Default probe (TCP, 80, 443 & ICMP)	#nmap -PB <IP>
Check whether targets are up by probing TCP ports	#nmap -PS <portlist> <IP>
Use ICMP Echo Request	#nmap -PE <IP>
Use ICMP TimeStamp Request	#nmap -PP <IP>
Use ICMP Network Request	#nmap -PM <IP>

5. Aggregate Timing Options 

Option Description	Syntax/Example
Very Slow, used for evasion from network administrator	#nmap -T0 <IP>
Quite Slow, used for evasion from network administrator	#nmap -T1 <IP>
Polite, use less bandwidth	#nmap -T2 <IP>
Normal: Default	#nmap -T3 <IP>
Aggressive: fast	#nmap -T4 <IP>
Insane: Very Aggressive, may miss open ports	#nmap -T5 <IP>

6. Output Formats

Option Description	Syntax/Example
Standard Nmap output	#nmap -oN <file> <IP>
Greppable format	#nmap -oG <file> <IP>
XML format	#nmap -oX <file> <IP>
Generate Nmap, Greppable, and XML output files using basename	#nmap -oA <basename> <file> <IP>

You can view generated output file by using the below command
#cat <filename>

7. Misc Options

Option Description	Syntax/Examples
Disable reverse IP address lookup	#nmap -n <IP>
Use IPv6	#nmap -6 <IP>
Use for OS detection, Version detection, Script Scanning and traceroot	#nmap -A <IP>
Display reason Nmap thinks port is open, closed or filtered	#nmap --reason <IP>

8. Advanced Scripts

TCP syn scan(-sS) all ports (-p-)  with speed (-T3) and results save in tcpscan.txt

#nmap -vv -Pn -sS -T3 -p- -oN /root/tcpscan.txt

UDP scan(-sU) all ports (-p-)  with speed (-T3) and results save in udpscan.txt

#nmap -Pn --top-ports 1000 -sU -T3 -p- -oN /root/udpscan.txt

Nmap Scripting Engine

You can use different scripts available in the Nmap scripting engine to do various networking tasks. Below the Nmap command run all available scripts against the target IP.

#cd /usr/share/nmap/scripts
#nmap -vv -p 137 --script=all <Target IP>

Conclusion

NMap is considered the most powerful and reliable tool for vulnerability assessment and penetration testing. We have discussed many commands and scripts which help you to gain intensive knowledge of the target. The more you use Nmap, the more you will know the true potential of this tool.