NMAP Commands Cheatsheet 2024


NMAP is a free and open-source security scanner.

It is used to discover hosts and services on a computer network, thus building a “map” of the network. To accomplish its goal, Nmap sends specially crafted packets to the target host and then analyzes the responses.


NMAP Features

  • Host discovery – Identifying hosts on a network. For example, listing the hosts that respond to TCP and/or ICMP requests or have a particular port open.
  • Port scanning – Enumerating the open ports on target hosts.
  • Version detection – Interrogating network services on remote devices to determine application name and version number.
  • OS detection – Determining the operating system and hardware characteristics of network devices.
  • Scriptable interaction with the target – using Nmap Scripting Engine (NSE) and Lua programming language.
  • Nmap can provide further information on targets, including reverse DNS names, device types, and MAC addresses.

Typical uses of Nmap:

  • Auditing the security of a device or firewall by identifying the network connections which can be made to, or through it.
  • Identifying open ports on a target host in preparation for auditing.
  • Network inventory, network mapping, maintenance and asset management.
  • Auditing the security of a network by identifying new servers.
  • Generating traffic to hosts on a network, response analysis and response time measurement.
  • Finding and exploiting vulnerabilities in a network.
  • DNS queries and subdomain search


NMAP Commands Cheatsheet with Example.

Basic Scanning Commands

Goal | Command | Example
Scan a Single Target | nmap [target] | nmap
Scan Multiple Targets | nmap [target1] [target2] [etc] | nmap
Scan a List of Targets | nmap -iL [list.txt] | nmap -iL targets.txt
Scan a Range of Hosts | nmap [range of ip addresses] | nmap
Scan an Entire Subnet | nmap [ip address/CIDR] | nmap
Scan Random Hosts | nmap -iR [number] | nmap -iR 0
Excluding Targets from a Scan | nmap [targets] --exclude [targets] | nmap --exclude,
Excluding Targets Using a List | nmap [targets] --excludefile [list.txt] | nmap --excludefile notargets.txt
Perform an Aggressive Scan | nmap -A [target] | nmap -A
Scan an IPv6 Target | nmap -6 [target] | nmap -6 1aff:3c21:47b1:0000:0000:0000:0000:2afe


Discovery Options

Goal | Command | Example
Perform a Ping Only Scan | nmap -sP [target] | nmap -sP
Don’t Ping | nmap -PN [target] | nmap -PN
TCP SYN Ping | nmap -PS [target] | nmap -PS
TCP ACK Ping | nmap -PA [target] | nmap -PA
UDP Ping | nmap -PU [target] | nmap -PU
SCTP INIT Ping | nmap -PY [target] | nmap -PY
ICMP Echo Ping | nmap -PE [target] | nmap -PE
ICMP Timestamp Ping | nmap -PP [target] | nmap -PP
ICMP Address Mask Ping | nmap -PM [target] | nmap -PM
IP Protocol Ping | nmap -PO [target] | nmap -PO
ARP Ping | nmap -PR [target] | nmap -PR
Traceroute | nmap --traceroute [target] | nmap --traceroute
Force Reverse DNS Resolution | nmap -R [target] | nmap -R
Disable Reverse DNS Resolution | nmap -n [target] | nmap -n
Alternative DNS Lookup | nmap --system-dns [target] | nmap --system-dns
Manually Specify DNS Server(s) | nmap --dns-servers [servers] [target] | nmap --dns-servers
Create a Host List | nmap -sL [targets] | nmap -sL

Advanced Scanning Options

Goal | Command | Example
TCP SYN Scan | nmap -sS [target] | nmap -sS
TCP Connect Scan | nmap -sT [target] | nmap -sT
UDP Scan | nmap -sU [target] | nmap -sU
TCP NULL Scan | nmap -sN [target] | nmap -sN
TCP FIN Scan | nmap -sF [target] | nmap -sF
Xmas Scan | nmap -sX [target] | nmap -sX
TCP ACK Scan | nmap -sA [target] | nmap -sA
Custom TCP Scan | nmap --scanflags [flags] [target] | nmap --scanflags SYNFIN
IP Protocol Scan | nmap -sO [target] | nmap -sO
Send Raw Ethernet Packets | nmap --send-eth [target] | nmap --send-eth
Send IP Packets | nmap --send-ip [target] | nmap --send-ip

Port Scanning Options

Goal | Command | Example
Perform a Fast Scan | nmap -F [target] | nmap -F
Scan Specific Ports | nmap -p [port(s)] [target] | nmap -p 21-25,80,139,8080
Scan Ports by Name | nmap -p [port name(s)] [target] | nmap -p ftp,http*
Scan Ports by Protocol | nmap -sU -sT -p U:[ports],T:[ports] [target] | nmap -sU -sT -p U:53,111,137,T:21-25,80,139,8080
Scan All Ports | nmap -p '*' [target] | nmap -p '*'
Scan Top Ports | nmap --top-ports [number] [target] | nmap --top-ports 10
Perform a Sequential Port Scan | nmap -r [target] | nmap -r

Version Detection

Goal | Command | Example
Operating System Detection | nmap -O [target] | nmap -O
Submit TCP/IP Fingerprints | www.nmap.org/submit/ |
Attempt to Guess an Unknown OS | nmap -O --osscan-guess [target] | nmap -O --osscan-guess
Service Version Detection | nmap -sV [target] | nmap -sV
Troubleshooting Version Scans | nmap -sV --version-trace [target] | nmap -sV --version-trace
Perform a RPC Scan | nmap -sR [target] | nmap -sR

Timing Options

Goal | Command | Example
Timing Templates | nmap -T[0-5] [target] | nmap -T3
Set the Packet TTL | nmap --ttl [time] [target] | nmap --ttl 64
Minimum # of Parallel Operations | nmap --min-parallelism [number] [target] | nmap --min-parallelism 10
Maximum # of Parallel Operations | nmap --max-parallelism [number] [target] | nmap --max-parallelism 1
Minimum Host Group Size | nmap --min-hostgroup [number] [targets] | nmap --min-hostgroup 50
Maximum Host Group Size | nmap --max-hostgroup [number] [targets] | nmap --max-hostgroup 1
Initial RTT Timeout | nmap --initial-rtt-timeout [time] [target] | nmap --initial-rtt-timeout 100ms
Maximum RTT Timeout | nmap --max-rtt-timeout [time] [target] | nmap --max-rtt-timeout 100ms
Maximum Retries | nmap --max-retries [number] [target] | nmap --max-retries 10
Host Timeout | nmap --host-timeout [time] [target] | nmap --host-timeout 30m
Minimum Scan Delay | nmap --scan-delay [time] [target] | nmap --scan-delay 1s
Maximum Scan Delay | nmap --max-scan-delay [time] [target] | nmap --max-scan-delay 10s
Minimum Packet Rate | nmap --min-rate [number] [target] | nmap --min-rate 50
Maximum Packet Rate | nmap --max-rate [number] [target] | nmap --max-rate 100
Defeat Reset Rate Limits | nmap --defeat-rst-ratelimit [target] | nmap --defeat-rst-ratelimit

Firewall Evasion Techniques

Goal | Command | Example
Fragment Packets | nmap -f [target] | nmap -f
Specify a Specific MTU | nmap --mtu [MTU] [target] | nmap --mtu 32
Use a Decoy | nmap -D RND:[number] [target] | nmap -D RND:10
Idle Zombie Scan | nmap -sI [zombie] [target] | nmap -sI
Manually Specify a Source Port | nmap --source-port [port] [target] | nmap --source-port 1025
Append Random Data | nmap --data-length [size] [target] | nmap --data-length 20
Randomize Target Scan Order | nmap --randomize-hosts [target] | nmap --randomize-hosts
Spoof MAC Address | nmap --spoof-mac [MAC|0|vendor] [target] | nmap --spoof-mac Cisco
Send Bad Checksums | nmap --badsum [target] | nmap --badsum

Output options

Goal | Command | Example
Save Output to a Text File | nmap -oN [scan.txt] [target] | nmap -oN scan.txt
Save Output to a XML File | nmap -oX [scan.xml] [target] | nmap -oX scan.xml
Grepable Output | nmap -oG [scan.txt] [targets] | nmap -oG scan.txt
Output All Supported File Types | nmap -oA [path/filename] [target] | nmap -oA ./scan
Periodically Display Statistics | nmap --stats-every [time] [target] | nmap --stats-every 10s
133t Output | nmap -oS [scan.txt] [target] | nmap -oS scan.txt
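
The grepable format written by -oG is useful for the network inventory and "identifying new servers" uses listed earlier. The following is an added example, not part of the original cheatsheet: it parses two -oG outputs and reports hosts and open ports that appeared since the baseline. The function names and the sample scan text (documentation-range addresses) are constructed for illustration.

```python
# Constructed samples of `nmap -oG` output; fields on a Host line are tab-separated.
BASELINE_SCAN = """\
# Nmap scan initiated (constructed sample)
Host: 192.0.2.10 (web.example)\tStatus: Up
Host: 192.0.2.10 (web.example)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///\tIgnored State: closed (998)
"""
LATEST_SCAN = """\
Host: 192.0.2.10 (web.example)\tStatus: Up
Host: 192.0.2.10 (web.example)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 3306/open/tcp//mysql///
Host: 192.0.2.23 ()\tStatus: Up
Host: 192.0.2.23 ()\tPorts: 23/open/tcp//telnet///, 161/open|filtered/udp//snmp///
"""

def parse_grepable(text):
    """Return {ip: {(port, proto): service}} for ports whose state is exactly 'open'."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host: "):
            continue  # '#' comment lines carry no host data
        fields = line.split("\t")
        ip = fields[0].split()[1]
        hosts.setdefault(ip, {})
        for field in fields[1:]:
            if not field.startswith("Ports: "):
                continue  # Status:, Ignored State:, OS:, ...
            for entry in field[len("Ports: "):].split(", "):
                # Each entry: port/state/protocol/owner/service/rpcinfo/version/
                parts = entry.strip().split("/")
                if len(parts) >= 5 and parts[1] == "open":
                    hosts[ip][(int(parts[0]), parts[2])] = parts[4]
    return hosts

def diff_scans(old, new):
    """Return (hosts absent from the baseline, {ip: newly open ports on known hosts})."""
    new_hosts = sorted(set(new) - set(old))
    new_ports = {}
    for ip in set(new) & set(old):
        added = sorted(set(new[ip]) - set(old[ip]))
        if added:
            new_ports[ip] = added
    return new_hosts, new_ports

if __name__ == "__main__":
    hosts, ports = diff_scans(parse_grepable(BASELINE_SCAN), parse_grepable(LATEST_SCAN))
    print("new hosts:", hosts)
    print("new open ports:", ports)
```

Ports reported as open|filtered are deliberately left out, so an ambiguous UDP result does not show up as a confirmed new service.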

Troubleshooting And Debugging

Goal | Command | Example
Getting Help | nmap -h | nmap -h
Display Nmap Version | nmap -V | nmap -V
Verbose Output | nmap -v [target] | nmap -v
Debugging | nmap -d [target] | nmap -d
Display Port State Reason | nmap --reason [target] | nmap --reason
Only Display Open Ports | nmap --open [target] | nmap --open
Trace Packets | nmap --packet-trace [target] | nmap --packet-trace
Display Host Networking | nmap --iflist | nmap --iflist
Specify a Network Interface | nmap -e [interface] [target] | nmap -e eth0

NMAP Scripting Engine

Goal | Command | Example
Execute Individual Scripts | nmap --script [script.nse] [target] | nmap --script banner.nse
Execute Multiple Scripts | nmap --script [expression] [target] | nmap --script 'http-*'
Script Categories | all, auth, default, discovery, external, intrusive, malware, safe, vuln |
Execute Scripts by Category | nmap --script [category] [target] | nmap --script 'not intrusive'
Execute Multiple Script Categories | nmap --script [category1,category2,etc] | nmap --script 'default or safe'
Troubleshoot Scripts | nmap --script [script] --script-trace [target] | nmap --script banner.nse --script-trace
Update the Script Database | nmap --script-updatedb | nmap --script-updatedb
