Nmap Cheat Sheet

Nmap stands for Network Mapper. It is used for scanning networks, find hosts available in the network, finds ports that are open, firewall configurations, and other characteristics. Click Here if you are interested in Most Asked Nmap Interview Questions and Answers.

Nmap output gives information about scanned targets which includes whether the host is up or down, state of ports (it may be open, filtered, closed, or unfiltered), OS versions, etc. Here is the list of important Nmap commands. It is advisable to use the Wireshark tool to see the behavior of the scan. Click Here if you are interested in learning How we can install Nmap on Windows machines.

Base Syntax

#nmap [ScanType] [Options] {Targets}

1. Scan a target

TargetSyntax/Example
Scan a Single IP

#nmap <IP> 

Scan a multiple IPs#nmap 192.168.1.104,108
Scan a Host

#nmap <url>

Scan a range of IPs#nmap 192.168.1.0-255
Scan using wildcard#nmap 192.168.0.*
Scan a subnet#nmap 192.168.0.1/24
Scan target from text file#nmap -iL IPList.txt

2. Target Ports

Option DescriptionSyntax/Example
Scan a single port

#nmap -p 22 <IP>

Scan a range of ports

#nmap -p 100-500 <IP>

Scan multiple ports

#nmap -p 23,443 <IP>

Scan 100 most popular ports

#nmap -F <IP>

Scan n most popular ports

#nmap --top-ports <n> <IP>

Scan all 65535 ports

#nmap -p- <IP>

Leaving off end port in range makes Nmap scan through port 65535

#nmap -p0- <IP>

Scan linearly i.e. do not randomize ports

#nmap -r <IP>

3. Scan Types options

Scan Types DescriptionSyntax/Example
Syn Scan

#nmap -sS <IP>

TCP Connect Scan

#nmap -sT <IP>

UDP Scan

#nmap -sU <IP>

Version Scan

#nmap -sV <IP>

OS Detection

#nmap -O <IP>

Set custom list of TCP using “URGACKPSHRSTSYNFIN” in any order and combination

#nmap --scanflags URGSYN <IP>

4. Probing Options

DescriptionSyntax/Example
Don’t  probe i.e. assuming all hosts are up

#nmap -Pn <IP>

Default probe (TCP, 80, 443 & ICMP)

#nmap -PB <IP>

Check whether targets are up by probing TCP ports

#nmap -PS <portlist> <IP>

Use ICMP Echo Request

#nmap -PE <IP>

Use ICMP TimeStamp Request

#nmap -PP <IP>

Use ICMP Network Request

#nmap -PM <IP>

5. Aggregate Timing Options 

Option DescriptionSyntax/Example
Very Slow, used for evasion from network administrator

#nmap -T0 <IP>

Quite Slow, used for evasion from network administrator

#nmap -T1 <IP>

Polite, use less bandwidth

#nmap -T2 <IP>

Normal: Default

#nmap -T3 <IP>

Aggressive: fast

#nmap -T4 <IP>

Insane: Very Aggressive, may miss open ports

#nmap -T5 <IP>

6. Output Formats

Option DescriptionSyntax/Example
Standard Nmap output

#nmap -oN <file> <IP>

Greppable format

#nmap -oG <file> <IP>

XML format

#nmap -oX <file> <IP>

Generate Nmap, Greppable, and XML output files using basename

#nmap -oA <basename> <file> <IP>

You can view generated output file by using below command
#cat <filename>

7. Misc Options

Option DescriptionSyntax/Examples
Disable reverse IP address lookup

#nmap -n <IP>

Use IPv6

#nmap -6 <IP>

Use for OS detection, Version detection, Script Scanning and traceroot

#nmap -A <IP>

Display reason Nmap thinks port is open, closed or filtered

#nmap --reason <IP>

8. Advanced Scripts

TCP syn scan(-sS) all ports (-p-)  with speed (-T3) and results save in tcpscan.txt

#nmap -vv -Pn -sS -T3 -p- -oN /root/tcpscan.txt

UDP scan(-sU) all ports (-p-)  with speed (-T3) and results save in udpscan.txt

#nmap -Pn – top-ports 1000 -sU -T3 -p- -oN /root/udpscan.txt

NMap Scripting Engine

You can use different scripts available in the Nmap scripting engine to do various networking tasks. Below the Nmap command run all available scripts against the target IP.

#cd /usr/share/nmap/scripts
#nmap -vv -p 137 --script=all <Target IP>

Conclusion

NMap is considered the most powerful and reliable tool for vulnerability assessment and penetration testing. We have discussed many commands and scripts which help you to gain intensive knowledge of the target. The more you use Nmap, the more you will know the true potential of this tool.

Subscribe us to receive more such articles updates in your email.

If you have any questions, feel free to ask in the comments section below. Nothing gives me greater joy than helping my readers!

Disclaimer: This tutorial is for educational purpose only. Individual is solely responsible for any illegal act.

You may also like...

Leave a Reply

Your email address will not be published.