Nmap Cheat Sheet

This is a cheat sheet for Nmap, plus other useful information.

Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning

Basic Syntax
nmap [ScanType] [Options] {targets}

Target Specification

Flag       Example                        Description
           nmap 192.168.1.1               Scan a single IP
           nmap 192.168.1.1 192.168.2.1   Scan specific IPs
           nmap 192.168.1.1-254           Scan a range
           nmap scanme.nmap.org           Scan a domain
           nmap 192.168.1.0/24            Scan using CIDR notation
-iL        nmap -iL targets.txt           Scan targets from a file
-iR        nmap -iR 100                   Scan 100 random hosts
--exclude  nmap --exclude 192.168.1.1     Exclude listed hosts
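The target forms in the table above (single IPs, octet ranges, CIDR blocks, hostnames, -iL lists and --exclude) follow a small grammar. The script below is an added example, not code from the cheat sheet or from Nmap (whose parser is C code in its own tree): it expands those forms into the host list a scan would iterate over, including the less obvious case of a range in any octet (192.168.0-1.1-254). The targets.txt contents are constructed for the demonstration; IPv6 is not modelled.

```python
"""Expand Nmap-style target specifications into individual addresses.

Added example; not code from the cheat sheet or from Nmap itself. It models
the target forms in the table above: single IPs, several IPs, octet ranges
(192.168.1.1-254 or even 192.168.0-1.1-254), CIDR blocks, hostnames (passed
through unresolved) and the -iL / --exclude handling. IPv6 is left out.
"""
import ipaddress
import itertools
import re

_OCTET = re.compile(r"^(\d{1,3})(?:-(\d{1,3}))?$")


def _octet_values(part: str) -> range:
    """'7' -> range(7, 8); '1-254' -> range(1, 255); bounds are checked."""
    m = _OCTET.match(part)
    if not m:
        raise ValueError(f"bad octet spec: {part!r}")
    lo = int(m.group(1))
    hi = int(m.group(2)) if m.group(2) else lo
    if not 0 <= lo <= hi <= 255:
        raise ValueError(f"octet range out of order or out of bounds: {part!r}")
    return range(lo, hi + 1)


def expand_target(spec: str) -> list[str]:
    """Expand one target argument into address strings.

    Hostnames are returned as-is; Nmap would resolve them via DNS unless -n.
    """
    spec = spec.strip()
    if "/" in spec:  # CIDR notation, e.g. 192.168.1.0/24
        net = ipaddress.ip_network(spec, strict=False)
        # Nmap scans every address in the block, network and broadcast included.
        return [str(addr) for addr in net]
    parts = spec.split(".")
    if len(parts) == 4 and all(_OCTET.match(p) for p in parts):
        ranges = [_octet_values(p) for p in parts]
        return [".".join(map(str, octets)) for octets in itertools.product(*ranges)]
    return [spec]  # anything else is a hostname such as scanme.nmap.org


def expand_targets(specs, exclude=(), input_list=None) -> list[str]:
    """Expand several specs plus an -iL style list, dropping --exclude hosts.

    Order is preserved and duplicates are removed, like a scan's host list.
    """
    specs = list(specs)
    for line in input_list or []:  # -iL file: one spec per line, '#' comments
        line = line.strip()
        if line and not line.startswith("#"):
            specs.append(line)
    excluded = {host for ex in exclude for host in expand_target(ex)}
    seen, hosts = set(), []
    for spec in specs:
        for host in expand_target(spec):
            if host not in excluded and host not in seen:
                seen.add(host)
                hosts.append(host)
    return hosts


if __name__ == "__main__":
    # Constructed contents of a targets.txt file for the demonstration.
    targets_txt = ["# lab hosts", "10.0.0.0/30", "scanme.nmap.org"]
    print(expand_targets(["192.168.1.1-3"], exclude=["192.168.1.2"], input_list=targets_txt))
```

Running the expansion before a scan is a cheap way to confirm that a CIDR block or octet range covers exactly the addresses you are authorised to scan; a /24 expands to all 256 addresses, network and broadcast included, which is what Nmap itself does.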

Scan Techniques

Flag  Example               Description
-sS   nmap 192.168.1.1 -sS  TCP SYN port scan (default with root privilege)
-sT   nmap 192.168.1.1 -sT  TCP connect port scan (default without root privilege)
-sU   nmap 192.168.1.1 -sU  UDP port scan
-sA   nmap 192.168.1.1 -sA  TCP ACK port scan
-sV   nmap 192.168.1.1 -sV  Attempts to determine the version of the service running on each open port
-O    nmap 192.168.1.1 -O   Remote OS detection using TCP/IP stack fingerprinting

Host Discovery

Flag  Example                         Description
-sL   nmap 192.168.1.1-3 -sL          No scan. List targets only
-sn   nmap 192.168.1.1/24 -sn         Disable port scanning. Host discovery only
-Pn   nmap 192.168.1.1-5 -Pn          Disable host discovery. Port scan only
-PS   nmap 192.168.1.1-5 -PS22-25,80  TCP SYN discovery on port x. Port 80 by default
-PA   nmap 192.168.1.1-5 -PA22-25,80  TCP ACK discovery on port x. Port 80 by default
-PU   nmap 192.168.1.1-5 -PU53        UDP discovery on port x. Port 40125 by default
-PR   nmap 192.168.1.0/24 -PR         ARP discovery on the local network
-n    nmap 192.168.1.1 -n             Never do DNS resolution

Port Specification

Flag         Example                               Description
-p           nmap 192.168.1.1 -p 21                Port scan for port x
-p           nmap 192.168.1.1 -p 21-100            Port range
-p           nmap 192.168.1.1 -p U:53,T:21-25,80   Port scan multiple TCP and UDP ports
-p           nmap 192.168.1.1 -p http,https        Port scan from service name
-F           nmap 192.168.1.1 -F                   Fast port scan (100 ports)
--top-ports  nmap 192.168.1.1 --top-ports 2000     Port scan the top x ports
-p-          nmap 192.168.1.1 -p-                  Port scan all ports
-p-65535     nmap 192.168.1.1 -p-65535             Leaving off the initial port in a range makes the scan start at port 1
-p0-         nmap 192.168.1.1 -p0-                 Leaving off the end port in a range makes the scan go through to port 65535

Timing and Performance

Flag  Example               Description
-T0   nmap 192.168.1.1 -T0  Paranoid (0): Intrusion Detection System evasion
-T1   nmap 192.168.1.1 -T1  Sneaky (1): Intrusion Detection System evasion
-T2   nmap 192.168.1.1 -T2  Polite (2): slows down the scan to use less bandwidth; runs ~10 times slower than default
-T3   nmap 192.168.1.1 -T3  Normal (3): the default speed
-T4   nmap 192.168.1.1 -T4  Aggressive (4): speeds scans; assumes you are on a reasonably fast and reliable network
-T5   nmap 192.168.1.1 -T5  Insane (5): very aggressive; will likely overwhelm targets or miss open ports

Scripting Engine

A full list of Nmap default Scripting Engine scripts is available at nmap.org/nsedoc

Flag                                                  Description
-sC                                                   Run default scripts
--script=<ScriptName>|<ScriptCategory>|<ScriptDir>... Run individual or groups of scripts
--script-args=<Name1=Value1,...>                      Use the list of script arguments
--script-updatedb                                     Update the script database

Script Categories

Category   Description
auth       Utilize credentials or bypass authentication on target hosts.
broadcast  Discover hosts not included on the command line by broadcasting on the local network.
brute      Attempt to guess passwords on target systems, for a variety of protocols, including HTTP, SNMP, IAX, MySQL, VNC, etc.
default    Scripts run automatically when -sC or -A are used.
discovery  Try to learn more information about target hosts through public sources of information, SNMP, directory services, and more.
dos        May cause denial of service conditions in target hosts.
exploit    Attempt to exploit target systems.
external   Interact with third-party systems not included in the target list.
fuzzer     Send unexpected input in network protocol fields.
intrusive  May crash the target, consume excessive resources, or otherwise impact target machines in a malicious fashion.
malware    Look for signs of malware infection on the target hosts.
safe       Designed not to impact the target in a negative fashion.
version    Measure the version of software or protocol spoken by target hosts.
vuln       Measure whether target systems have a known vulnerability.

Useful Nmap Scripts

Command                                                                                                           Description
nmap -Pn --script=http-sitemap-generator scanme.nmap.org                                                          HTTP site map generator
nmap -n -Pn -p 80 --open -sV -vvv --script banner,http-title -iR 1000                                             Fast search for random web servers
nmap -Pn --script=dns-brute domain.com                                                                            Brute-forces DNS hostnames, guessing subdomains
nmap --script whois* domain.com                                                                                   Whois query
nmap -p80 --script http-unsafe-output-escaping scanme.nmap.org                                                    Detect cross-site scripting vulnerabilities
nmap -p80 --script http-sql-injection scanme.nmap.org                                                             Check for SQL injections
nmap --script dns-zonetransfer.nse --script-args dns-zonetransfer.domain=<domain> -p53 <hosts>                    dns-zonetransfer: attempts to pull a zone file (AXFR) from a DNS server
nmap --script http-robots.txt <hosts>                                                                             http-robots.txt: harvests robots.txt files from discovered web servers
nmap -n -Pn -vv -O -sV --script smb-enum*,smb-ls,smb-mbenum,smb-os-discovery,smb-s*,smb-vuln*,smbv2* 192.168.1.1  Safe SMB scripts to run
nmap --script smb-brute.nse -p445 <hosts>                                                                         smb-brute: attempts to determine valid username and password combinations via automated guessing
nmap --script smb-psexec.nse --script-args=smbuser=<username>,smbpass=<password>[,config=<config>] -p445 <hosts>  smb-psexec: attempts to run a series of programs on the target machine, using credentials provided as script args
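Both the Scripting Engine flags (--script with names, categories or wildcards, and --script-args) and the command table above rely on how a --script value is resolved, and a wildcard like smb-vuln* can pull in scripts from categories such as intrusive or brute that the category table warns about. The script below is an added example, not code from the cheat sheet or from Nmap: it resolves a --script value against a catalogue, parses the plain key=value form of --script-args, and reports which selected scripts carry an impact category so that can be checked before a scan. The catalogue is a constructed subset; real scripts and their categories live in Nmap's scripts/ directory and may differ from these entries.

```python
"""Resolve an Nmap --script argument against a script catalogue and flag impact.

Added example; not code from the cheat sheet or from Nmap. It models how the
comma-separated --script value (script names with or without .nse, categories,
and wildcards such as whois* or smb-vuln*) maps onto concrete scripts, parses
the simple key=value form of --script-args, and reports which selected scripts
carry an impact category (intrusive, dos, brute, exploit, fuzzer) from the
category table above. The catalogue is a constructed subset of real scripts.
"""
import fnmatch

# Constructed catalogue of script name -> categories (assumption for this demo).
CATALOGUE = {
    "banner": {"discovery", "safe"},
    "http-title": {"default", "discovery", "safe"},
    "http-robots.txt": {"default", "discovery", "safe"},
    "whois-ip": {"discovery", "external", "safe"},
    "whois-domain": {"discovery", "external", "safe"},
    "smb-os-discovery": {"default", "discovery", "safe"},
    "smb-enum-shares": {"discovery", "intrusive"},
    "smb-brute": {"brute", "intrusive"},
    "smb-vuln-ms17-010": {"vuln", "safe"},
    "dns-brute": {"discovery", "intrusive"},
}
IMPACT_CATEGORIES = {"intrusive", "dos", "brute", "exploit", "fuzzer"}


def resolve_scripts(script_arg: str, catalogue=CATALOGUE) -> list[str]:
    """Expand a --script value into the sorted list of matching script names."""
    selected = set()
    for token in script_arg.split(","):
        token = token.strip()
        if token.endswith(".nse"):  # 'smb-brute.nse' and 'smb-brute' name the same script
            token = token[:-4]
        by_category = {n for n, cats in catalogue.items() if token in cats}
        by_pattern = {n for n in catalogue if fnmatch.fnmatchcase(n, token)}
        matches = by_category or by_pattern  # a category name wins over a same-named pattern
        if not matches:
            raise ValueError(f"{token!r} matches no script, category or pattern")
        selected |= matches
    return sorted(selected)


def parse_script_args(arg: str) -> dict[str, str]:
    """Parse the plain key=value,key=value form of --script-args (nested Lua tables not modelled)."""
    result = {}
    for pair in arg.split(","):
        key, sep, value = pair.strip().partition("=")
        if not sep or not key:
            raise ValueError(f"bad script argument: {pair!r}")
        result[key] = value
    return result


def impact_report(names, catalogue=CATALOGUE) -> dict[str, list[str]]:
    """Map each selected script that has an impact category to those categories."""
    return {n: sorted(catalogue[n] & IMPACT_CATEGORIES)
            for n in names if catalogue[n] & IMPACT_CATEGORIES}


if __name__ == "__main__":
    chosen = resolve_scripts("smb-os-discovery,smb-enum*,smb-vuln*,smb-brute.nse")
    print("selected:", chosen)
    print("impact:", impact_report(chosen))
    print(parse_script_args("smbuser=<username>,smbpass=<password>"))
```

Against this constructed catalogue the SMB selection resolves to four scripts, two of which (smb-brute, smb-enum-shares) carry brute or intrusive categories; running the same resolution against the real scripts/ directory, or checking `nmap --script-help` for the selection, is the equivalent check before a production scan.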

Tools

Tool    URL                Description
SQLMap  http://sqlmap.org  Automatic SQL injection and database takeover tool

External Scripts

A list of Nmap external Scripting Engine scripts is available at nmap.org/nsedoc/external

Name             URL                                                                Description
nmap_vulners     https://github.com/vulnersCom/nmap-vulners                         NSE script that uses a well-known online service to provide information on vulnerabilities
Vulscan          https://github.com/scipag/vulscan                                  Advanced vulnerability scanning with Nmap NSE
banner-plus.nse  https://github.com/hdm/scan-tools/blob/master/nse/banner-plus.nse  A simple banner grabber which connects to an open TCP port and prints out anything sent by the listening service