Nmap Cheat Sheet

Nmap is used to discover hosts and services on a computer network by sending packets and analyzing the responses.

Useful NSE Script Examples

nmap -Pn -script=http-sitemap-generator scanme.nmap.org http site map generator
nmap -n -Pn -p 80 -open -sV -vvv -script banner,http-title -iR 1000 Fast search for random web servers
nmap -Pn -script=dns-brute domain.com Brute forces DNS hostnames guessing subdomains
nmap -n -Pn -vv -O -sV -script smb-enum*,smb-ls,smb-mbenum,smb-os-discovery,smb-s*,smb-vuln*,smbv2* -vv Safe SMB scripts to run
nmap -script whois* domain.com Whois query
nmap -p80 -script http-unsafe-output-escaping scanme.nmap.org Detect cross site scripting vulnerabilities
nmap -p80 -script http-sql-injection scanme.nmap.org Check for SQL injections

NSE Scripts

-sC nmap -sC Scan with default NSE scripts. Considered useful for discovery and safe
-script default nmap -script default Scan with default NSE scripts. Considered useful for discovery and safe
-script nmap -script=banner Scan with a single script. Example banner
-script nmap -script=http* Scan with a wildcard. Example http
-script nmap -script=http,banner Scan with two scripts. Example http and banner
-script nmap -script "not intrusive" Scan default, but remove intrusive scripts
-script-args nmap -script snmp-sysdescr -script-args snmpcommunity=admin NSE script with arguments

Timing and Performance Switches

-host-timeout \ 1s; 4m; 2h Give up on target after this long
-min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout \ 1s; 4m; 2h Specifies probe round trip time
-min-hostgroup/max-hostgroup \ 50; 1024 Parallel host scan group sizes
-min-parallelism/max-parallelism \ 10; 1 Probe parallelization
-max-retries \ 3 Specify the maximum number of port scan probe retransmissions
-min-rate \ 100 Send packets no slower than \ per second
-max-rate \ 100 Send packets no faster than \ per second

Timing and Performance

-T0 nmap -T0 Paranoid (0) Intrusion Detection System evasion
-T1 nmap -T1 Sneaky (1) Intrusion Detection System evasion
-T2 nmap -T2 Polite (2) slows down the scan to use less bandwidth and use less target machine resources
-T3 nmap -T3 Normal (3) which is default speed
-T4 nmap -T4 Aggressive (4) speeds scans; assumes you are on a reasonably fast and reliable network
-T5 nmap -T5 Insane (5) speeds scan; assumes you are on an extraordinarily fast network

OS Detection

-O nmap -O Remote OS detection using TCP/IP stack fingerprinting
-O -osscan-limit nmap -O -osscan-limit If at least one open and one closed TCP port are not found it will not try OS detection against host
-O -osscan-guess nmap -O -osscan-guess Makes Nmap guess more aggressively
-O -max-os-tries nmap -O -max-os-tries 1 Set the maximum number x of OS detection tries against a target
-A nmap -A Enables OS detection, version detection, script scanning, and traceroute

Service and Version Detection

-sV nmap -sV Attempts to determine the version of the service running on port
-sV -version-intensity nmap -sV -version-intensity 8 Intensity level 0 to 9. Higher number increases possibility of correctness
-sV -version-light nmap -sV -version-light Enable light mode. Lower possibility of correctness. Faster
-sV -version-all nmap -sV -version-all Enable intensity level 9. Higher possibility of correctness. Slower
-A nmap -A Enables OS detection, version detection, script scanning, and traceroute

Port Specification

-p nmap -p 21 Port scan for port x
-p nmap -p 21-100 Port range
-p nmap -p U:53,T:21-25,80 Port scan multiple TCP and UDP ports
-p nmap -p- Port scan all ports
-p nmap -p http,https Port scan from service name
-F nmap -F Fast port scan (100 ports)
-top-ports nmap -top-ports 2000 Port scan the top x ports
-p-65535 nmap -p-65535 Leaving off initial port in range makes the scan start at port 1
-p0- nmap -p0- Leaving off end port in range
makes the scan go through to port 65535

Host Discovery

-sL nmap -sL No Scan. List targets only
-sn nmap -sn Disable port scanning. Host discovery only.
-Pn nmap -Pn Disable host discovery. Port scan only.
-PS nmap -PS22-25,80 TCP SYN discovery on port x.
Port 80 by default
-PA nmap -PA22-25,80 TCP ACK discovery on port x.
Port 80 by default
-PU nmap -PU53 UDP discovery on port x.
Port 40125 by default
-PR nmap -PR ARP discovery on local network
-n nmap -n Never do DNS resolution

Nmap Scan Techniques

-sS nmap -sS TCP SYN port scan (Default)
-sT nmap -sT TCP connect port scan (Default without root privilege)
-sU nmap -sU UDP port scan
-sA nmap -sA TCP ACK port scan
-sW nmap -sW TCP Window port scan
-sM nmap -sM TCP Maimon port scan

Target Specification

  nmap Scan a single IP
  nmap Scan specific IPs
  nmap Scan a range
  nmap scanme.nmap.org Scan a domain
  nmap Scan using CIDR notation
-iL nmap -iL targets.txt Scan targets from a file
-iR nmap -iR 100 Scan 100 random hosts
-exclude nmap -exclude Exclude listed hosts

Other Useful Nmap Commands

nmap -iR 10 -PS22-25,80,113,1050,35000 -v -sn Discovery only on ports x, no port scan
nmap -PR -sn -vv Arp discovery only on local network, no port scan
nmap -iR 10 -sn -traceroute Traceroute to random targets, no port scan
nmap -sL -dns-server Query the Internal DNS for hosts, list targets only
nmap --packet-trace Show the details of the packets that are sent and received during a scan and capture the traffic.

Miscellaneous Nmap Flags

-6 nmap -6 2607:f0d0:1002:51::4 Enable IPv6 scanning
-h nmap -h nmap help screen

Helpful Nmap Output examples

nmap -p80 -sV -oG - -open grep open
nmap -iR 10 -n -oX out.xml grep "Nmap"
nmap -iR 10 -n -oX out2.xml grep "Nmap"
ndiff scanl.xml scan2.xml Compare output from nmap using the ndif
xsltproc nmap.xml -o nmap.html Convert nmap xml files to html files
grep " open " results.nmap sed -r ‘s/ +/ /g’


-oN nmap -oN normal.file Normal output to the file normal.file
-oX nmap -oX xml.file XML output to the file xml.file
-oG nmap -oG grep.file Grepable output to the file grep.file
-oA nmap -oA results Output in the three major formats at once
-oG - nmap -oG - Grepable output to screen. -oN -, -oX - also usable
-append-output nmap -oN file.file -append-output Append a scan to a previous scan file
-v nmap -v Increase the verbosity level (use -vv or more for greater effect)
-d nmap -d Increase debugging level (use -dd or more for greater effect)
-reason nmap -reason Display the reason a port is in a particular state, same output as -vv
-open nmap -open Only show open (or possibly open) ports
-packet-trace nmap -T4 -packet-trace Show all packets sent and received
-iflist nmap -iflist Shows the host interfaces and routes
-resume nmap -resume results.file Resume a scan

Firewall / IDS Evasion and Spoofing

-f nmap -f Requested scan (including ping scans) use tiny fragmented IP packets. Harder for packet filters
-mtu nmap -mtu 32 Set your own offset size
-D nmap -D,,, Send scans from spoofed IPs
-D nmap -D decoy-ip1,decoy-ip2,your-own-ip,decoy-ip3,decoy-ip4 remote-host-ip Above example explained
-S nmap -S www.microsoft.com www.facebook.com Scan Facebook from Microsoft (-e eth0 -Pn may be required)
-g nmap -g 53 Use given source port number
-proxies nmap -proxies, Relay connections through HTTP/SOCKS4 proxies
-data-length nmap -data-length 200 Appends random data to sent packets