Nmap Basic Commands

Nmap Fundamentals

Listing open ports on a remote host
nmap [target]
Exclude a host from scan
nmap --exclude [excluded ip] [target]
Use custom DNS Server
nmap --dns-servers [DNS1],[DNS2] [target]
Scan without pinging first (treat every host as up; -PN is the old spelling)
nmap -Pn [target]
Scan - no DNS resolve
nmap -n [target]
Scan specific port
nmap -p80 [target]
Scan an IPv6 target
nmap -6 [target]

Scanning Port Ranges

Scan specific port list
nmap -p 80,443,23 [target]
Scan specific port range
nmap -p 1-100 [target]
Scan all ports
nmap -p- [target]
Scan specific ports by protocol
nmap -p T:25,U:53 [target]
Scan by Service name
nmap -p smtp [target]
Scan service name wildcards (quote so the shell does not expand the *)
nmap -p "smtp*" [target]
Scan only the ports in a range that are listed in nmap-services (quote the brackets)
nmap -p "[1-65535]" [target]
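Added example (not from the cheat sheet and not Nmap's own code): a small Python expander for the numeric -p syntax shown in this section, so a port list can be checked or counted before a scan is launched. It handles comma lists, ranges, the open-ended forms "-1024", "1-" and "-" (which Nmap reads as 1-65535), and the T:/U:/S: prefixes, which in Nmap stick until the next prefix. Service names such as smtp or smtp* need Nmap's nmap-services file, so the function rejects them rather than guessing. The P: prefix for -sO protocol scans is left out.

```python
"""Expand an Nmap -p port specification into (protocol, port) pairs."""
# Added example, not part of the original cheat sheet or of Nmap itself.

PROTO_NAMES = {"T": "tcp", "U": "udp", "S": "sctp"}


def _expand_range(item):
    """'80' -> 80; '1-100' -> 1..100; '-1024' -> 1..1024; '1-' -> 1..65535; '-' -> all."""
    if "-" in item:
        lo, hi = item.split("-", 1)
        lo = int(lo) if lo else 1          # Nmap treats a missing low end as 1
        hi = int(hi) if hi else 65535      # and a missing high end as 65535
    else:
        lo = hi = int(item)
    if not (0 <= lo <= hi <= 65535):
        raise ValueError(f"bad port range: {item!r}")
    return range(lo, hi + 1)


def expand_port_spec(spec, default_protos=("tcp",)):
    """Return a sorted list of (proto, port) pairs for an Nmap -p argument.

    default_protos: protocols applied to unprefixed ports, i.e. the scan
    types in use (nmap -sS -sU would make this ("tcp", "udp")).
    """
    result = set()
    protos = tuple(default_protos)
    for raw in spec.split(","):
        item = raw.strip()
        if not item:
            continue
        # A protocol prefix (T:, U:, S:) applies to every following item
        # until another prefix appears, which is how Nmap parses it.
        if len(item) > 1 and item[1] == ":" and item[0].upper() in PROTO_NAMES:
            protos = (PROTO_NAMES[item[0].upper()],)
            item = item[2:]
        if not item:
            continue
        if not all(ch.isdigit() or ch == "-" for ch in item):
            raise ValueError(f"service names need nmap-services: {item!r}")
        for port in _expand_range(item):
            for proto in protos:
                result.add((proto, port))
    return sorted(result)


if __name__ == "__main__":
    for spec in ("80,443,23", "1-100", "-", "T:25,U:53", "U:53,111,T:22-25"):
        ports = expand_port_spec(spec)
        print(f"{spec:>18}: {len(ports)} ports, first {ports[:3]}")
```

Pass default_protos=("tcp", "udp") when the scan combines -sS with -sU, since unprefixed ports are then probed on both protocols.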

Scanning Large Networks

Skipping tests to speed up long scans
nmap -T4 -n -Pn -p- [target]
-Pn  No ping (skip host discovery)
-n   No reverse DNS resolution
-sn  No port scan (host discovery only)
Timing Templates Arguments
-T2 (polite)      Slows the scan so it is less likely to interfere with the target system
-T3 (normal)      Default template
-T4 (aggressive)  Recommended for broadband and Ethernet connections
-T0, -T1, -T5     Not recommended in general (T0/T1 are extremely slow, T5 trades accuracy for speed)

Nmap Specifics

Select Interface to make scans
nmap -e [INTERFACE] [target]
Save as text file (export)
nmap -oN [filename] [target]
Save as xml (export)
nmap -oX [filename] [target]
Save in all three formats (normal, XML, grepable) under one base name
nmap -oA [filename] [target]
Periodically display statistics (e.g. 10s, 2m)
nmap --stats-every [time] [target]

Finding alive hosts

Default ping scan mode (host discovery only; -sP is the old spelling of -sn)
nmap -sn [target]
Discovering hosts with TCP SYN ping scans
nmap -sn -PS [target]
Specific port using TCP SYN ping scans
nmap -sn -PS80 [target]
Ping without ARP (force IP-level probes on a local network)
nmap -sn --send-ip [target]
IP protocol ping scan (by default ICMP, IGMP and IP-in-IP)
nmap -sn -PO [target]
ARP scan (local network only)
nmap -sn -PR [target]

Finger­pri­nting services of a remote host

Display service version
nmap -sV [target]
Set version probe intensity (0-9; higher sends more probes, slower but more accurate)
nmap -sV --version-intensity 9 [target]
Aggressive detection (enables -sV, -O, --traceroute and the default scripts)
nmap -A [target]
Troubleshooting version scans
nmap -sV --version-trace [target]
Perform an RPC scan (in current Nmap -sR is an alias for -sV, which includes RPC grinding)
nmap -sR [target]

Finger­pri­nting the operating system of a host

Detect Operating System
nmap -O [target]
Guess Operating System more aggressively (report near matches)
nmap -O -p- --osscan-guess [target]
Detect Operating System (Verbose )
nmap -O -v [target]
Listing IP protocols supported by a remote host
nmap -sO [target]
Mapping firewall rules with a TCP ACK scan (tells filtered from unfiltered, not open from closed)
nmap -sA [target]

Nmap Scripting Engine

Execute individual scripts
nmap --script [script.nse] [target]
Execute scripts by category
nmap --script [category] [target]
Troubleshoot scripts
nmap --script [script] --script-trace [target]
Update the script database
nmap --script-updatedb
Script categories
auth broadcast brute default discovery dos exploit external fuzzer intrusive malware safe version vuln

Nmap Examples

Detect Service versions and OS
nmap -sV -O [target]
Detect Web Servers
nmap -sV --script http-title [target]
Scan top common ports
nmap --top-ports 10 [target]
Discover hosts on the local network using broadcast pings (no target needed)
nmap --script broadcast-ping
Getting inform­ation from whois records
nmap --script whois [target]
Brute force DNS records
nmap --script dns-brute [target]
Test a firewall's MAC filtering by spoofing the source MAC address
nmap -v -sT -Pn --spoof-mac [MAC address] [target]
Run all scripts in the vuln category
nmap -sV --script vuln [target]
Run the scripts in the categories version or discovery
nmap -sV --script="version,discovery" [target]
Detect hosts with a NIC in promiscuous mode (sniffers) on the local network
nmap -sn --script sniffer-detect [target]