Nmap cheat sheet – We covered Nmap scanning in the previous post; if you have not read it yet, read that post first. In this post I group the commands you can use in Nmap into sections so they are easier to understand.
What is Nmap?
Nmap stands for Network Mapper. With it you can discover the hosts, ports and services on a network and learn a great deal about that network's security posture. Simply put, Nmap is an information-gathering tool.
How to use Nmap?
Nmap can be used in a variety of ways depending on the user’s level of technical expertise.
Beginner – Zenmap, the graphical user interface for Nmap
Intermediate – Command line
Advanced – Python scripting with the python-nmap package
Nmap cheat sheet
Basic Scanning Techniques
The -s switch determines the type of scan to perform.
-sA – ACK scan
-sF – FIN scan
-sI – Idle scan
-sL – DNS scan (a.k.a. list scan)
-sN – NULL scan
-sO – Protocol scan
-sP – Ping scan
-sR – RPC scan
-sS – SYN scan
-sT – TCP connect scan
-sW – Window scan
-sX – XMAS scan
Scan a Single Target >> nmap [target]
Scan Multiple Targets >> nmap [target1, target2, etc]
Scan a List of Targets >> nmap -iL [list.txt]
Scan a Range of Hosts >> nmap [range of IP addresses]
Scan an Entire Subnet >> nmap [ip address/cidr]
Scan Random Hosts >> nmap -iR [number]
Exclude Targets From a Scan >>nmap [targets] --exclude [targets]
Exclude Targets Using a List >> nmap [targets] --excludefile [list.txt]
Perform an Aggressive Scan >> nmap -A [target]
Scan an IPv6 Target >> nmap -6 [target]
Port Scanning Options
Nmap performs a port scan on every target, but by default it only scans the most common TCP ports. To scan other ports or protocols you have to specify them explicitly. All port scanning commands are given below.
Perform a Fast Scan >> nmap -F [target]
Scan Specific Ports >> nmap -p [port(s)] [target]
Scan Ports by Name >> nmap -p [port name(s)] [target]
Scan Ports by Protocol >> nmap -sU -sT -p U:[ports],T:[ports] [target]
Scan All Ports >> nmap -p 1-65535 [target]
Scan Top Ports >> nmap --top-ports [number] [target]
Perform a Sequential Port Scan >> nmap -r [target]
Attempt to Guess an Unknown OS >> nmap -O --osscan-guess [target]
Service Version Detection >> nmap -sV [target]
Troubleshoot Version Scan >> nmap -sV --version-trace [target]
Perform a RPC Scan >> nmap -sR [target]
Discovery options
Host Discovery
The -P switch determines the type of ping to perform.
-PI – ICMP ping
-P0 – No ping
-PS – SYN ping
-PT – TCP ping
Perform a Ping Only Scan >> nmap -sn [target]
Do Not Ping >> nmap -Pn [target]
TCP SYN Ping >> nmap -PS [target]
TCP ACK Ping >> nmap -PA [target]
UDP Ping >> nmap -PU [target]
SCTP INIT Ping >> nmap -PY [target]
ICMP Echo Ping >> nmap -PE [target]
ICMP Timestamp Ping >> nmap -PP [target]
ICMP Address Mask Ping >> nmap -PM [target]
IP Protocol Ping >> nmap -PO [target]
ARP Ping >> nmap -PR [target]
Traceroute >> nmap --traceroute [target]
Force Reverse DNS Resolution >> nmap -R [target]
Disable Reverse DNS Resolution >> nmap -n [target]
Alternative DNS Lookup >> nmap --system-dns [target]
Manually Specify DNS Server >> nmap --dns-servers [servers] [target]
Create a Host List >> nmap -sL [targets]
Timing and Performance
Switch | Example | Description |
---|---|---|
-T0 | nmap 192.168.1.1 -T0 | Paranoid (0): extremely slow, for intrusion detection system evasion |
-T1 | nmap 192.168.1.1 -T1 | Sneaky (1): slow, for intrusion detection system evasion |
-T2 | nmap 192.168.1.1 -T2 | Polite (2): slows down the scan to use less bandwidth and target resources |
-T3 | nmap 192.168.1.1 -T3 | Normal (3): the default speed |
-T4 | nmap 192.168.1.1 -T4 | Aggressive (4): speeds scans up; assumes a fast and reliable network |
-T5 | nmap 192.168.1.1 -T5 | Insane (5): fastest; assumes an extraordinarily fast network and accepts some loss of accuracy |

Switch | Example input | Description |
---|---|---|
--host-timeout <time> | 1s; 4m; 2h | Give up on a target after this long |
--min-rtt-timeout/--max-rtt-timeout/--initial-rtt-timeout <time> | 1s; 4m; 2h | Bounds for the probe round-trip-time timeout |
--min-hostgroup/--max-hostgroup <size> | 50; 1024 | Parallel host scan group sizes |
--min-parallelism/--max-parallelism <numprobes> | 10; 1 | Probe parallelization |
--scan-delay/--max-scan-delay <time> | 20ms; 2s; 4m; 5h | Adjust the delay between probes |
--max-retries <tries> | 3 | Maximum number of port scan probe retransmissions |
--min-rate <number> | 100 | Send packets no slower than <number> per second |
--max-rate <number> | 100 | Send packets no faster than <number> per second |
OS Detection
Switch | Example | Description |
---|---|---|
-O | nmap 192.168.1.1 -O | Remote OS detection using TCP/IP stack fingerprinting |
-O --osscan-limit | nmap 192.168.1.1 -O --osscan-limit | Only attempt OS detection if at least one open and one closed TCP port were found |
-O --osscan-guess | nmap 192.168.1.1 -O --osscan-guess | Makes Nmap guess more aggressively when no exact match is found |
-O --max-os-tries | nmap 192.168.1.1 -O --max-os-tries 1 | Set the maximum number of OS detection attempts against a target |
-A | nmap 192.168.1.1 -A | Enables OS detection, version detection, script scanning, and traceroute |
Output
Switch | Example | Description |
---|---|---|
-oN | nmap 192.168.1.1 -oN normal.file | Normal output to the file normal.file |
-oX | nmap 192.168.1.1 -oX xml.file | XML output to the file xml.file |
-oG | nmap 192.168.1.1 -oG grep.file | Grepable output to the file grep.file |
-oA | nmap 192.168.1.1 -oA results | Output in the three major formats at once |
-oG - | nmap 192.168.1.1 -oG - | Grepable output to screen. -oN -, -oX - also usable |
--append-output | nmap 192.168.1.1 -oN file.file --append-output | Append a scan to a previous scan file |
-v | nmap 192.168.1.1 -v | Increase the verbosity level (use -vv or more for greater effect) |
-d | nmap 192.168.1.1 -d | Increase debugging level (use -dd or more for greater effect) |
--reason | nmap 192.168.1.1 --reason | Display the reason a port is in a particular state, same output as -vv |
--open | nmap 192.168.1.1 --open | Only show open (or possibly open) ports |
--packet-trace | nmap 192.168.1.1 -T4 --packet-trace | Show all packets sent and received |
--iflist | nmap --iflist | Shows the host interfaces and routes |
--resume | nmap --resume results.file | Resume a scan |
Conclusion
I hope I have covered all kinds of Nmap commands in this post; let me know in the comment section if you know of any commands that are missing.
I hope you find this Nmap cheat sheet useful. Please also share this post with your friends.