Network Mapper (Nmap), also known as the God of Port Scanners, is used for network discovery and is the basis for most security enumeration during the initial stages of a penetration test. Nmap has a multitude of options, and when you first start playing with this excellent tool it can be a bit daunting. In this cheat sheet you will find a series of practical example commands for running Nmap and getting the most out of this powerful tool. Below is the Nmap Cheat Sheet with helpful tips and techniques.
Keep in mind that this cheat sheet merely touches the surface of the available options. The Nmap Documentation portal is your reference for digging deeper into the options available.
Nmap in a nutshell
- Target Specification
- Host Discovery
- Port Specification
- Service Discovery / Version Detection
- Operating System Version Detection
- Firewall / IDS Evasion and Spoofing
- Time and Performance based Scan
- Output of Scan
- Vulnerability / Exploit Detection, using Nmap Scripts (NSE)
Target Specification
Scan a single IP
nmap 192.168.1.1
Scan specific IPs
nmap 192.168.1.1 192.168.1.5
Scan a Range
nmap 192.168.1.1-254
Scan a Domain / Host
nmap scanme.nmap.org
Scan Targets from a File
nmap -iL targets.txt
Exclude the Listed Host from the Target Range
nmap --exclude 192.168.1.5 192.168.1.1-10
Host Discovery
List the given targets only, no scan
nmap -sL 192.168.1.1-3
Disable port scanning, host discovery only
nmap -sn 192.168.1.1/24
Disable host discovery, port scan only
nmap -Pn 192.168.1.1-5
TCP SYN discovery on the given ports (no space between -PS and the port list)
nmap -PS80,21 192.168.1.1
TCP ACK discovery on the given ports
nmap -PA80,21 192.168.1.1
UDP discovery on the given port
nmap -PU53 192.168.1.1
Port Specification
Scan a given port (i.e. 21 here)
nmap -p 21 192.168.1.1
Scan the given port range
nmap -p 21-100 192.168.1.1
Scan multiple TCP and UDP ports
nmap -p U:53,T:21-25,80 192.168.1.1
Scan all 65535 ports
nmap -p- 192.168.1.1
Scan the given service names
nmap -p http,https 192.168.1.1
Scan the top 100 ports (fast mode)
nmap -F 192.168.1.1
Service Discovery / Version Detection
Detect Version of the Running Services
nmap -sV 192.168.1.1
Set the version-detection intensity (0 to 9). A higher number increases the chance of correct identification
nmap -sV --version-intensity 5 192.168.1.1
Enable light mode (intensity 2). It is faster but has a lower chance of correct identification
nmap -sV --version-light 192.168.1.1
Enable intense mode (intensity 9). It is slower but has a higher chance of correct identification
nmap -sV --version-all 192.168.1.1
Operating System Version Detection
Detect the operating system
nmap -O 192.168.1.1
Aggressive mode, i.e. OS detection, service version detection, default script scan and traceroute
nmap -A 192.168.1.1
Firewall / IDS Evasion and Spoofing
Use tiny fragmented IP packets. It is harder for packet filters to inspect them
nmap -f 192.168.1.1
Set our own MTU (fragment offset size); the value must be a multiple of 8
nmap --mtu 32 192.168.1.1
Use decoy IPs to scan (the decoy list is comma-separated with no spaces)
nmap -D decoy-ip1,decoy-ip2,your-own-ip remote-host-ip
Scan target.com with example.com as the spoofed source address (Source Address Spoofing). Replies go to the spoofed address, so you will not see the results yourself
nmap -S example.com target.com
Use the given port as the source port
nmap -g 53 192.168.1.1
Append random data to the sent packets
nmap --data-length 200 192.168.1.1
Time and Performance based Scan
Slow (paranoid) scan
nmap -T0 192.168.1.1
Sneaky scan
nmap -T1 192.168.1.1
Polite scan
nmap -T2 192.168.1.1
Normal (default) scan
nmap -T3 192.168.1.1
Aggressive scan
nmap -T4 192.168.1.1
Insane (very aggressive) scan
nmap -T5 192.168.1.1
Output of Scan
Scan in verbose mode (-vv for greater effect)
nmap -v 192.168.1.1
Save the scan results in normal format to scan.file
nmap 192.168.1.1 -oN scan.file
Save the results in XML format to xml.file
nmap 192.168.1.1 -oX xml.file
Save the results in grepable format to grep.file
nmap 192.168.1.1 -oG grep.file
Save the output in all three major formats at once (result.nmap, result.xml and result.gnmap)
nmap 192.168.1.1 -oA result
Scan in debug mode (-dd for greater effect)
nmap 192.168.1.1 -d
See all the packets sent and received
nmap 192.168.1.1 -T4 --packet-trace
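The grepable (-oG) format above is the one most people feed into other tooling. As an added example, not part of the original cheat sheet, here is a small Python parser that turns -oG output into per-host port records and filters the confirmed-open ones; the sample scan text, hostname and banners are constructed for the example.

```python
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple

class PortRecord(NamedTuple):
    port: int
    proto: str
    state: str      # open, closed, filtered, open|filtered, ...
    service: str
    version: str    # only filled when the scan used -sV

# Constructed sample of -oG output for one host (addresses, hostname and
# banners are made up for this example, not captured from a real scan).
SAMPLE_OG = """\
# Nmap 7.94 scan initiated Mon Jan  1 10:00:00 2024 as: nmap -sV -oG grep.file 192.168.1.1
Host: 192.168.1.1 (gw.example.lan)\tStatus: Up
Host: 192.168.1.1 (gw.example.lan)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1 Ubuntu/, 80/open/tcp//http//nginx 1.18.0/, 443/closed/tcp//https///, 53/open|filtered/udp//domain///\tIgnored State: filtered (996)
# Nmap done at Mon Jan  1 10:01:00 2024 -- 1 IP address (1 host up) scanned in 60.00 seconds
"""

HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)")

def parse_grepable(text: str) -> Dict[str, List[PortRecord]]:
    """Map each scanned address to its port records from nmap -oG text.

    Host-line fields are tab-separated; a port entry is
    port/state/proto/owner/service/rpc/version/ and entries are joined by ", ".
    Splitting on at most six slashes keeps a "/" inside a version banner intact.
    """
    hosts: Dict[str, List[PortRecord]] = defaultdict(list)
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # "# Nmap ..." comment and summary lines
        addr = m.group(1)
        hosts.setdefault(addr, [])  # register the host even if it only has a Status field
        for field in line.split("\t"):
            if not field.startswith("Ports: "):
                continue
            for entry in field[len("Ports: "):].split(", "):
                port, state, proto, _owner, service, _rpc, version = entry.split("/", 6)
                hosts[addr].append(PortRecord(int(port), proto, state, service, version.rstrip("/")))
    return dict(hosts)

def open_ports(records: List[PortRecord]) -> List[PortRecord]:
    """Confirmed-open ports only; "open|filtered" (typical for UDP) is excluded."""
    return [r for r in records if r.state == "open"]
```

Run it over a real grep.file by replacing SAMPLE_OG with the file's contents; XML (-oX) is the better choice for anything more than a quick pipeline, but this is enough to diff open ports between two scans.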
Vulnerability / Exploit Detection, using Nmap Scripts (NSE)
Scan with the default NSE scripts
nmap 192.168.1.1 -sC
Scan with the given NSE script (example: nmap.nse)
nmap 192.168.1.1 --script=nmap.nse
Use a script with arguments
nmap 192.168.1.1 --script=nmap.nse --script-args user=admin