HomeNmapNmap cheat sheet

Nmap cheat sheet

Nmap complete cheat sheet

Nmap cheat sheet – We saw about Nmap scanning in the previous post, if you have not read that post yet read that post first. In this post, I am going to divide all the commands that we can use in Nmap into sections and give them for you to understand.

What is Nmap?

The full name of Nmap is network mapper. Using this Nmap tool you can know the complete details about a network and also about that networking security. Simply put, Nmap is an information-gathering tool.

How to use Nmap?

Nmap can be used in a variety of ways depending on the user’s level of technical expertise.

Beginner – Zenmap the graphical user interface for Nmap

Intermediate – Command Line

Advanced – Python scripting with the Python-Nmap package

Nmap cheat sheet

Basic Scanning Techniques

The -s switch determines the type of scan to perform.

-sA – ACK scan
-sF – FIN scan
-sI – IDLE scan
-sL – DNS scan (a.k.a. list scan)
-sN – NULL scan
-sO – Protocol scan
-sP – Ping scan
-sR – RPC scan
-sS – SYN scan
-sT – TCP connect scan
-sW – Windows scan
-sX – XMAS scan

				
					Scan a Single Target >> nmap [target]
Scan Multiple Targets >> nmap [target1, target2, etc]
Scan a List of Targets >> nmap -iL [list.txt]
Scan a Range of Hosts >> nmap [range of IP addresses]
Scan an Entire Subnet >> nmap [ip address/cdir]
Scan Random Hosts >> nmap -iR [number]
Exclude Targets From a Scan >>nmap [targets] --exclude [targets]
Exclude Targets Using a List >> nmap [targets] --excludefile [list.txt]
Perform an Aggressive Scan >> nmap -A [target]
Scan an IPv6 Target >> nmap -6 [target]
				
			

Port Scanning Options

The Nmap tool will scan the port first but the default setting will scan the open TCP port. If you want to scan the other port you have to do it manually. All port scanning commands are given below.

				
					Perform a Fast Scan >> nmap -F [target]
Scan Specific Ports >> nmap -p [port(s)] [target]
Scan Ports by Name >> nmap -p [port name(s)] [target]
Scan Ports by Protocol >> nmap -sU -sT -p U:[ports],T:[ports] [target]
Scan All Ports >> nmap -p 1-65535 [target]
Scan Top Ports >> nmap --top-ports [number] [target]
Perform a Sequential Port Scan >> nmap -r [target]
Attempt to Guess an Unknown OS >> nmap -O --osscan-guess [target]
Service Version Detection >> nmap -sV [target]
Troubleshoot Version Scan >> nmap -sV --version-trace [target]
Perform a RPC Scan >> nmap -sR [target]
				
			

Discovery options

Host Discovery The -p switch determines the type of ping to perform.

-PI  – ICMP ping
-Po  – No ping
-PS  – SYN ping
-PT  – TCP ping

Perform a Ping Only Scan
Do Not Ping
TCP SYN Ping
TCP ACK Ping
UDP Ping
SCTP INIT Ping
ICMP Echo Ping
ICMP Timestamp Ping
ICMP Address Mask Ping
IP Protocol Ping
ARP ping
Traceroute
Force Reverse DNS Resolution
Disable Reverse DNS Resolution
Alternative DNS Lookup
Manually Specify DNS Server
Create a Host List

nmap -sn [target]
nmap -Pn [target]
nmap -PS [target]
nmap -PA [target]
nmap -PU [target]
nmap -PY [target]
nmap -PE [target]
nmap -PP [target]
nmap -PM [target]
nmap -PO [target]
nmap -PR [target]
nmap –traceroute [target]
nmap -R [target]
nmap -n [target]
nmap –system-dns [target]
nmap –dns-servers [servers] [target]
nmap -sL [targets]

Timing and Performance

Switch

Example

Description

-T0

nmap 192.168.1.1 -T0

Paranoid (0) Intrusion Detection
System evasion

-T1

nmap 192.168.1.1 -T1

Sneaky (1) Intrusion Detection System
evasion

-T2

nmap 192.168.1.1 -T2

Polite (2) slows down the scan to use
less bandwidth and use less target
machine resources

-T3

nmap 192.168.1.1 -T3

Normal (3) which is default speed

-T4

nmap 192.168.1.1 -T4

Aggressive (4) speeds scans; assumes
you are on a reasonably fast and
reliable network

-T5

nmap 192.168.1.1 -T5

Insane (5) speeds scan; assumes you
are on an extraordinarily fast network

   

Switch

Example input

Description

–host-timeout <time>

1s; 4m; 2h

Give up on target after this long

–min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time>

1s; 4m; 2h

Specifies probe round trip time

–min-hostgroup/max-hostgroup <size<size>

50; 1024

Parallel host scan group
sizes

–min-parallelism/max-parallelism <numprobes>

10; 1

Probe parallelization

–scan-delay/–max-scan-delay <time>

20ms; 2s; 4m; 5h

Adjust delay between probes

–max-retries <tries>

3

Specify the maximum number
of port scan probe retransmissions

–min-rate <number>

100

Send packets no slower than <numberr> per second

–max-rate <number>

100

Send packets no faster than <number> per second

OS Detection

Switch

Example

Description

-O

nmap 192.168.1.1 -O

Remote OS detection using TCP/IP
stack fingerprinting

-O –osscan-limit

nmap 192.168.1.1 -O –osscan-limit

If at least one open and one closed
TCP port are not found it will not try
OS detection against host

-O –osscan-guess

nmap 192.168.1.1 -O –osscan-guess

Makes Nmap guess more aggressively

-O –max-os-tries

nmap 192.168.1.1 -O –max-os-tries 1

Set the maximum number x of OS
detection tries against a target

-A

nmap 192.168.1.1 -A

Enables OS detection, version detection, script scanning, and traceroute

Output

Switch

Example

Description

-oN

nmap 192.168.1.1 -oN normal.file

Normal output to the file normal.file

-oX

nmap 192.168.1.1 -oX xml.file

XML output to the file xml.file

-oG

nmap 192.168.1.1 -oG grep.file

Grepable output to the file grep.file

-oA

nmap 192.168.1.1 -oA results

Output in the three major formats at once

-oG –

nmap 192.168.1.1 -oG –

Grepable output to screen. -oN -, -oX – also usable

–append-output

nmap 192.168.1.1 -oN file.file –append-output

Append a scan to a previous scan file

-v

nmap 192.168.1.1 -v

Increase the verbosity level (use -vv or more for greater effect)

-d

nmap 192.168.1.1 -d

Increase debugging level (use -dd or more for greater effect)

–reason

nmap 192.168.1.1 –reason

Display the reason a port is in a particular state, same output as -vv

–open

nmap 192.168.1.1 –open

Only show open (or possibly open) ports

–packet-trace

nmap 192.168.1.1 -T4 –packet-trace

Show all packets sent and received

–iflist

nmap –iflist

Shows the host interfaces and routes

–resume

nmap –resume results.file

Resume a scan

Conclusion

I hope I have given all kinds of Nmap commands in this post, let me know through the command section if you know of any commands that are missing.

I hope you find this Nmap cheat sheet useful. I would also like to share this post with your friends.

# Nmap Cheat Sheet # Nmap Cheat Sheet

RELATED ARTICLES

Leave A Reply

Please enter your comment!
Please enter your name here

- Advertisment -

Most Popular