Nmap Cheatsheet

The Ultimate Network Scanner Reference Guide

Basic Nmap Scans

Basic Scan
nmap 192.168.1.1
Performs a basic scan on a single IP address.
Network Scan
nmap 192.168.1.0/24
Scans all devices in a subnet.
Multiple IP Scan
nmap 192.168.1.1 192.168.1.2
Scan multiple IP addresses.
Range Scan
nmap 192.168.1.1-10
Scan a range of IP addresses.
Scan from File
nmap -iL targets.txt
Scan targets listed in a file.
Fast Scan
nmap -F 192.168.1.1
Only scan the 100 most common ports instead of the default 1000.

Host Discovery Techniques

Ping Scan
nmap -sn 192.168.1.0/24
Scan network for live hosts without port scanning.
No Ping
nmap -Pn 192.168.1.1
Scan target without host discovery (assume host is up).
TCP SYN Ping
nmap -PS22,80,443 192.168.1.0/24
Host discovery using TCP SYN ping on specified ports.
TCP ACK Ping
nmap -PA22,80,443 192.168.1.0/24
Host discovery using TCP ACK ping on specified ports.
UDP Ping
nmap -PU53,161 192.168.1.0/24
Host discovery using UDP ping on specified ports.
ICMP Echo Ping
nmap -PE 192.168.1.0/24
Host discovery using ICMP echo request.
ICMP Timestamp Ping
nmap -PP 192.168.1.0/24
Host discovery using ICMP timestamp request.
ICMP Address Mask Ping
nmap -PM 192.168.1.0/24
Host discovery using ICMP address mask request.
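The discovery probes above are most useful when chained: sweep the subnet once with several probe types (so hosts that drop ICMP still answer a TCP SYN to 22/80/443), collect the hosts that reported Status: Up, and feed only those to the port scan with -iL and -Pn. The script below is an added example, not code from the original page. It assumes nmap is in $PATH for the live run (guarded so the parsing part works without it); the grepable sample output is constructed, and the file name targets.txt is an arbitrary choice.

```bash
#!/usr/bin/env bash
# Added example (not from the original cheatsheet): two-stage discovery,
# then port-scan only the hosts that answered.
set -eu

# Extract live IPs from grepable (-oG) host-discovery output read on stdin.
# Each -oG host line has the shape:  Host: 192.168.1.5 (name.lan)   Status: Up
live_hosts() {
    awk '/^Host:/ && /Status: Up/ { print $2 }'
}

# Number of live hosts in a block of grepable output (used for the self-check).
count_live() {
    printf '%s\n' "$1" | live_hosts | wc -l | tr -d ' '
}

# Constructed sample of what `nmap -sn -PE -PS22,80,443 -v -oG - 192.168.1.0/24`
# emits (comment lines included; Down hosts appear only with -v).
SAMPLE_DISCOVERY='# Nmap 7.94 scan initiated as: nmap -sn -PE -PS22,80,443 -v -oG - 192.168.1.0/24
Host: 192.168.1.1 (gw.lan)	Status: Up
Host: 192.168.1.5 ()	Status: Up
Host: 192.168.1.9 ()	Status: Down
Host: 192.168.1.20 (print.lan)	Status: Up
# Nmap done at Mon Jan  1 12:00:00 2024 -- 256 IP addresses (3 hosts up) scanned in 3.10 seconds'

# Stage 1: discovery only (-sn), ICMP echo plus TCP SYN to common ports so
# ICMP-filtering hosts are still found. Stage 2: -Pn skips re-discovery because
# stage 1 already proved these hosts are up; -oA keeps all three output formats.
discover_then_scan() {
    subnet="$1"
    targets="${2:-targets.txt}"          # hypothetical file name
    nmap -sn -PE -PS22,80,443 -oG - "$subnet" | live_hosts > "$targets"
    nmap -Pn -iL "$targets" -oA "scan-$(date +%Y%m%d)"
}

# Run the live pipeline only when asked to and when nmap is installed:
#   ./discover.sh run 192.168.1.0/24
if [ "${1:-}" = "run" ] && command -v nmap >/dev/null 2>&1; then
    discover_then_scan "${2:-192.168.1.0/24}"
fi
```

Scanning with -Pn against a list you built yourself is the safe way to use that flag: used against an unscreened range it makes every address look "up" and multiplies scan time.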

Port Scanning Techniques

TCP SYN Scan
nmap -sS 192.168.1.1
Half-open scan using TCP SYN; the default when Nmap runs with raw-socket privileges (root). Fewer packets and no completed connection, so less likely to be logged by the service itself.
TCP Connect Scan
nmap -sT 192.168.1.1
Full TCP connection scan via the OS connect() call; the default for unprivileged users. Noisier, since every open port sees a completed handshake.
UDP Scan
nmap -sU 192.168.1.1
Scan UDP ports.
Specific Port Scan
nmap -p 80,443,3389 192.168.1.1
Scan specific ports.
Port Range Scan
nmap -p 1-1000 192.168.1.1
Scan a range of ports.
All Ports Scan
nmap -p- 192.168.1.1
Scan all 65535 ports.
Top Ports Scan
nmap --top-ports 100 192.168.1.1
Scan the top N most common ports.
TCP FIN Scan
nmap -sF 192.168.1.1
Stealthy scan using FIN packet.
TCP NULL Scan
nmap -sN 192.168.1.1
Stealthy scan with no flags set.
TCP XMAS Scan
nmap -sX 192.168.1.1
Stealthy scan with FIN, PSH, URG flags set.

Service and OS Detection

Service Version Detection
nmap -sV 192.168.1.1
Detect service versions running on open ports.
Intensive Service Detection
nmap -sV --version-intensity 9 192.168.1.1
More aggressive service detection (0-9 scale).
OS Detection
nmap -O 192.168.1.1
Detect the operating system of the target.
OS Detection with Guessing
nmap -O --osscan-guess 192.168.1.1
Report the closest match when no fingerprint matches exactly (alias --fuzzy). Treat the result as a guess, not an identification.
OS Detection with Limit
nmap -O --max-os-tries 1 192.168.1.1
Limit OS detection tries to speed up scan.
Combined Detection
nmap -sV -O 192.168.1.1
Detect both service versions and OS.
Aggressive Detection
nmap -A 192.168.1.1
Enable OS detection, version detection, script scanning, and traceroute.

Nmap Scripting Engine (NSE)

Default Scripts
nmap -sC 192.168.1.1
Run default scripts (same as --script=default).
Specific Script
nmap --script=http-title 192.168.1.1
Run a specific script.
Script Category
nmap --script=vuln 192.168.1.1
Run all scripts in the vulnerability category.
Multiple Script Categories
nmap --script=default,safe 192.168.1.1
Run scripts from multiple categories.
Script with Arguments
nmap --script=http-brute --script-args userdb=users.txt,passdb=pass.txt 192.168.1.1
Run script with custom arguments.
Update Scripts
nmap --script-updatedb
Update the script database.
SMB Scripts
nmap --script "smb-*" 192.168.1.1
Run all SMB-related scripts. Quote the wildcard so the shell does not expand it against files in the current directory before Nmap sees it.
SSL Scripts
nmap --script "ssl-*" -p 443 192.168.1.1
Run all SSL/TLS-related scripts on port 443 (same quoting rule applies).
Auth Scripts
nmap --script=auth 192.168.1.1
Run scripts in the auth category to check for authentication issues.

Advanced Options

Timing Templates
nmap -T4 192.168.1.1
Set timing template (0-5, higher is faster). -T4 is the usual choice on a reliable network; -T5 trades accuracy for speed and -T0/-T1 are for slow, low-profile scanning.
Packet Trace
nmap --packet-trace 192.168.1.1
Show all packets sent and received.
Reason Output
nmap --reason 192.168.1.1
Display the reason a port is in a particular state.
Debug Mode
nmap -d 192.168.1.1
Enable debugging output.
Verbosity
nmap -v 192.168.1.1
Increase verbosity level (-vv for more).
Max Retries
nmap --max-retries 2 192.168.1.1
Limit number of port scan probe retransmissions.
Fragment Packets
nmap -f 192.168.1.1
Fragment packets to evade some firewalls.
Scan Delay
nmap --scan-delay 1s 192.168.1.1
Add delay between packets to evade detection.
Decoy Scan
nmap -D 10.0.0.1,10.0.0.2,ME 192.168.1.1
Interleave probes from decoy addresses with your own (ME = your real IP). Use decoys that are actually up; a decoy that is down is easy for the target to discount.
Source IP Spoofing
nmap -S 10.0.0.1 192.168.1.1
Spoof the source IP address. Replies go to the spoofed address, not to you, so this normally also needs -e to pick the interface and -Pn, and only produces results if you can observe the traffic to that address.
MAC Address Spoofing
nmap --spoof-mac 00:11:22:33:44:55 192.168.1.1
Spoof MAC address.
Custom MTU
nmap --mtu 24 192.168.1.1
Use custom MTU size (multiple of 8).

Output Options

Normal Output
nmap -oN scan.txt 192.168.1.1
Save output in normal format.
XML Output
nmap -oX scan.xml 192.168.1.1
Save output in XML format.
Grepable Output
nmap -oG scan.grep 192.168.1.1
Save output in grepable format.
All Formats
nmap -oA scan 192.168.1.1
Save in all formats (normal, XML, grepable).
Append to File
nmap --append-output -oN scan.txt 192.168.1.1
Append to output files rather than overwriting.
Resume Scan
nmap --resume scan.gnmap
Resume an aborted scan from a saved output file (normal, grepable or XML); Nmap reads the original command line from the file and appends new results to it.

Common Scan Combinations

Quick Scan
nmap -T4 -F 192.168.1.0/24
Fast scan of common ports on a subnet.
Comprehensive Scan
nmap -A -p- -T4 -v 192.168.1.1
Full scan of all TCP ports with OS detection, version detection, default scripts and traceroute. -A already implies -sV and -sC, so adding them separately is redundant.
Vulnerability Scan
nmap -sV --script vuln 192.168.1.1
Scan for known vulnerabilities.
Web Server Scan
nmap -p 80,443 --script "http-*" 192.168.1.1
Focused scan of a web server with every HTTP script (quoted so the shell leaves the wildcard alone).
