Never Ending Security

NMAP (Network Mapping) Cheat Sheet

Nmap is a very famous port scanner that is available for free. It is not just a port scanner: it also does other jobs such as banner grabbing, OS fingerprinting, Nmap script scanning, evading firewalls, etc. Here are some of the important Nmap commands.

Step 1: Open up the console and type nmap

This prints the full list of Nmap options. The goal here is to understand what the commands do, so read on.

Here is the Nmap cheat sheet.


| Goal | Command | Example |
|---|---|---|
| Scan a Single Target | `nmap [target]` | `nmap` |
| Scan Multiple Targets | `nmap [target1, target2, etc]` | `nmap` |
| Scan a List of Targets | `nmap -iL [list.txt]` | `nmap -iL targets.txt` |
| Scan a Range of Hosts | `nmap [range of ip addresses]` | `nmap` |
| Scan an Entire Subnet | `nmap [ip address/CIDR]` | `nmap` |
| Scan Random Hosts | `nmap -iR [number]` | `nmap -iR 0` |
| Excluding Targets from a Scan | `nmap [targets] --exclude [targets]` | `nmap --exclude,` |
| Excluding Targets Using a List | `nmap [targets] --excludefile [list.txt]` | `nmap --excludefile notargets.txt` |
| Perform an Aggressive Scan | `nmap -A [target]` | `nmap -A` |
| Scan an IPv6 Target | `nmap -6 [target]` | `nmap -6 1aff:3c21:47b1:0000:0000:0000:0000:2afe` |

| Goal | Command | Example |
|---|---|---|
| Perform a Ping Only Scan | `nmap -sP [target]` | `nmap -sP` |
| Don't Ping | `nmap -PN [target]` | `nmap -PN` |
| TCP SYN Ping | `nmap -PS [target]` | `nmap -PS` |
| TCP ACK Ping | `nmap -PA [target]` | `nmap -PA` |
| UDP Ping | `nmap -PU [target]` | `nmap -PU` |
| SCTP INIT Ping | `nmap -PY [target]` | `nmap -PY` |
| ICMP Echo Ping | `nmap -PE [target]` | `nmap -PE` |
| ICMP Timestamp Ping | `nmap -PP [target]` | `nmap -PP` |
| ICMP Address Mask Ping | `nmap -PM [target]` | `nmap -PM` |
| IP Protocol Ping | `nmap -PO [target]` | `nmap -PO` |
| ARP Ping | `nmap -PR [target]` | `nmap -PR` |
| Traceroute | `nmap --traceroute [target]` | `nmap --traceroute` |
| Force Reverse DNS Resolution | `nmap -R [target]` | `nmap -R` |
| Disable Reverse DNS Resolution | `nmap -n [target]` | `nmap -n` |
| Alternative DNS Lookup | `nmap --system-dns [target]` | `nmap --system-dns` |
| Manually Specify DNS Server(s) | `nmap --dns-servers [servers] [target]` | `nmap --dns-servers` |
| Create a Host List | `nmap -sL [targets]` | `nmap -sL` |


| Goal | Command | Example |
|---|---|---|
| TCP SYN Scan | `nmap -sS [target]` | `nmap -sS` |
| TCP Connect Scan | `nmap -sT [target]` | `nmap -sT` |
| UDP Scan | `nmap -sU [target]` | `nmap -sU` |
| TCP NULL Scan | `nmap -sN [target]` | `nmap -sN` |
| TCP FIN Scan | `nmap -sF [target]` | `nmap -sF` |
| Xmas Scan | `nmap -sX [target]` | `nmap -sX` |
| TCP ACK Scan | `nmap -sA [target]` | `nmap -sA` |
| Custom TCP Scan | `nmap --scanflags [flags] [target]` | `nmap --scanflags SYNFIN` |
| IP Protocol Scan | `nmap -sO [target]` | `nmap -sO` |
| Send Raw Ethernet Packets | `nmap --send-eth [target]` | `nmap --send-eth` |
| Send IP Packets | `nmap --send-ip [target]` | `nmap --send-ip` |


| Goal | Command | Example |
|---|---|---|
| Perform a Fast Scan | `nmap -F [target]` | `nmap -F` |
| Scan Specific Ports | `nmap -p [port(s)] [target]` | `nmap -p 21-25,80,139,8080` |
| Scan Ports by Name | `nmap -p [port name(s)] [target]` | `nmap -p ftp,http*` |
| Scan Ports by Protocol | `nmap -sU -sT -p U:[ports],T:[ports] [target]` | `nmap -sU -sT -p U:53,111,137,T:21-25,80,139,8080` |
| Scan All Ports | `nmap -p '*' [target]` | `nmap -p '*'` |
| Scan Top Ports | `nmap --top-ports [number] [target]` | `nmap --top-ports 10` |
| Perform a Sequential Port Scan | `nmap -r [target]` | `nmap -r` |


| Goal | Command | Example |
|---|---|---|
| Operating System Detection | `nmap -O [target]` | `nmap -O` |
| Submit TCP/IP Fingerprints | | |
| Attempt to Guess an Unknown OS | `nmap -O --osscan-guess [target]` | `nmap -O --osscan-guess` |
| Service Version Detection | `nmap -sV [target]` | `nmap -sV` |
| Troubleshooting Version Scans | `nmap -sV --version-trace [target]` | `nmap -sV --version-trace` |
| Perform a RPC Scan | `nmap -sR [target]` | `nmap -sR` |


| Goal | Command | Example |
|---|---|---|
| Timing Templates | `nmap -T[0-5] [target]` | `nmap -T3` |
| Set the Packet TTL | `nmap --ttl [time] [target]` | `nmap --ttl 64` |
| Minimum # of Parallel Operations | `nmap --min-parallelism [number] [target]` | `nmap --min-parallelism 10` |
| Maximum # of Parallel Operations | `nmap --max-parallelism [number] [target]` | `nmap --max-parallelism 1` |
| Minimum Host Group Size | `nmap --min-hostgroup [number] [targets]` | `nmap --min-hostgroup 50` |
| Maximum Host Group Size | `nmap --max-hostgroup [number] [targets]` | `nmap --max-hostgroup 1` |
| Initial RTT Timeout | `nmap --initial-rtt-timeout [time] [target]` | `nmap --initial-rtt-timeout 100ms` |
| Maximum RTT Timeout | `nmap --max-rtt-timeout [time] [target]` | `nmap --max-rtt-timeout 100ms` |
| Maximum Retries | `nmap --max-retries [number] [target]` | `nmap --max-retries 10` |
| Host Timeout | `nmap --host-timeout [time] [target]` | `nmap --host-timeout 30m` |
| Minimum Scan Delay | `nmap --scan-delay [time] [target]` | `nmap --scan-delay 1s` |
| Maximum Scan Delay | `nmap --max-scan-delay [time] [target]` | `nmap --max-scan-delay 10s` |
| Minimum Packet Rate | `nmap --min-rate [number] [target]` | `nmap --min-rate 50` |
| Maximum Packet Rate | `nmap --max-rate [number] [target]` | `nmap --max-rate 100` |
| Defeat Reset Rate Limits | `nmap --defeat-rst-ratelimit [target]` | `nmap --defeat-rst-ratelimit` |


| Goal | Command | Example |
|---|---|---|
| Fragment Packets | `nmap -f [target]` | `nmap -f` |
| Specify a Specific MTU | `nmap --mtu [MTU] [target]` | `nmap --mtu 32` |
| Use a Decoy | `nmap -D RND:[number] [target]` | `nmap -D RND:10` |
| Idle Zombie Scan | `nmap -sI [zombie] [target]` | `nmap -sI` |
| Manually Specify a Source Port | `nmap --source-port [port] [target]` | `nmap --source-port 1025` |
| Append Random Data | `nmap --data-length [size] [target]` | `nmap --data-length 20` |
| Randomize Target Scan Order | `nmap --randomize-hosts [target]` | `nmap --randomize-hosts` |
| Spoof MAC Address | `nmap --spoof-mac [MAC\|0\|vendor] [target]` | `nmap --spoof-mac Cisco` |
| Send Bad Checksums | `nmap --badsum [target]` | `nmap --badsum` |


| Goal | Command | Example |
|---|---|---|
| Save Output to a Text File | `nmap -oN [scan.txt] [target]` | `nmap -oN scan.txt` |
| Save Output to a XML File | `nmap -oX [scan.xml] [target]` | `nmap -oX scan.xml` |
| Grepable Output | `nmap -oG [scan.txt] [targets]` | `nmap -oG scan.txt` |
| Output All Supported File Types | `nmap -oA [path/filename] [target]` | `nmap -oA ./scan` |
| Periodically Display Statistics | `nmap --stats-every [time] [target]` | `nmap --stats-every 10s` |
| 133t Output | `nmap -oS [scan.txt] [target]` | `nmap -oS scan.txt` |


| Goal | Command | Example |
|---|---|---|
| Getting Help | `nmap -h` | `nmap -h` |
| Display Nmap Version | `nmap -V` | `nmap -V` |
| Verbose Output | `nmap -v [target]` | `nmap -v` |
| Debugging | `nmap -d [target]` | `nmap -d` |
| Display Port State Reason | `nmap --reason [target]` | `nmap --reason` |
| Only Display Open Ports | `nmap --open [target]` | `nmap --open` |
| Trace Packets | `nmap --packet-trace [target]` | `nmap --packet-trace` |
| Display Host Networking | `nmap --iflist` | `nmap --iflist` |
| Specify a Network Interface | `nmap -e [interface] [target]` | `nmap -e eth0` |


| Goal | Command | Example |
|---|---|---|
| Execute Individual Scripts | `nmap --script [script.nse] [target]` | `nmap --script banner.nse` |
| Execute Multiple Scripts | `nmap --script [expression] [target]` | `nmap --script 'http-*'` |
| Script Categories | all, auth, default, discovery, external, intrusive, malware, safe, vuln | |
| Execute Scripts by Category | `nmap --script [category] [target]` | `nmap --script 'not intrusive'` |
| Execute Multiple Script Categories | `nmap --script [category1,category2,etc]` | `nmap --script 'default or safe'` |
| Troubleshoot Scripts | `nmap --script [script] --script-trace [target]` | `nmap --script banner.nse --script-trace` |
| Update the Script Database | `nmap --script-updatedb` | `nmap --script-updatedb` |
