NMAP Cheatsheet

Nmap Targeting
  Scan a single IP                         nmap <ip>
  Scan a hostname                          nmap www.domain.com
  Scan an IP range                         nmap <ip-range>
  Scan a subnet                            nmap <subnet>/<prefix>
  Scan targets from a predefined list      nmap -iL list.txt

Ports
  Scan a single port                       nmap -p 22 <target>
  Scan a range of ports                    nmap -p 1-20 <target>
  Scan multiple ports                      nmap -p 22,80,443 <target>
  Scan mixed TCP/UDP ports                 nmap -sS -sU -p U:53,T:22 <target>   (the U: ports are only probed if -sU is given alongside a TCP scan type)
  Scan the 100 most common ports           nmap -F <target>
  Scan the top N ports                     nmap --top-ports 300 <target>
  Scan ports in order, not randomized      nmap -r -p 1-1000 <target>
  Scan all 65535 ports                     nmap -p- <target>

Scan Types
  TCP connect scan                         nmap -sT <target>   (default without root)
  SYN scan (stealth / half-open)           nmap -sS <target>   (default as root)
  UDP scan                                 nmap -sU -p 137,139 <target>
  Skip host discovery (treat all as up)    nmap -Pn <target>
  Host discovery only (no port scan)       nmap -sn <target>
  Version scan                             nmap -sV <target>
  OS detection                             nmap -O <target>   (uppercase O; needs root)

OS and Service Discovery
  OS, versions, default scripts, traceroute   nmap -A <target>   (-A = -O -sV -sC --traceroute)
  Standard service discovery                  nmap -sV <target>   (default --version-intensity is 7)
  Service detection at intensity 5            nmap -sV --version-intensity 5 <target>   (0 = fewest probes, 9 = every probe)
  Light banner grab only                      nmap -sV --version-intensity 0 <target>

Aggregate Timing (the template option is an uppercase -T)
  Paranoid: very slow, for IDS evasion        nmap -T0 <target>
  Sneaky: quite slow                          nmap -T1 <target>
  Polite: slows down to use less bandwidth    nmap -T2 <target>
  Normal: the default                         nmap -T3 <target>
  Aggressive: fast and reliable               nmap -T4 <target>
  Insane: very aggressive, may lose accuracy  nmap -T5 <target>

Output Formats
  Standard Nmap output                     nmap -oN output.txt <target>
  XML format                               nmap -oX output.xml <target>
  Greppable format                         nmap -oG output.gnmap <target>
  All three formats at once                nmap -oA output <target>   (-oA takes a basename and writes output.nmap, output.xml and output.gnmap)
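The targeting (-iL), host discovery (-sn) and greppable output (-oG) entries above combine into the usual two-stage workflow: discover live hosts first, then port-scan only those. The following POSIX sh script is an added example, not part of the original cheat sheet. It parses -oG output into a target list for -iL and into one line per open port; the nmap output embedded in it is constructed sample data in -oG layout (the addresses, hostnames, versions and timestamps are made up) so the parsers can be run offline.

```shell
#!/bin/sh
# Added example, not from the original cheat sheet: staged nmap workflow.
# Stage 1: nmap -sn -v -oG -  ->  up_hosts  ->  live.txt  (fed to stage 2 via -iL)
# Stage 2: nmap -sS -sV -p- -oG - -iL live.txt  ->  open_ports
# Everything below the parsers runs offline on CONSTRUCTED -oG samples.

# Constructed -oG output of: nmap -sn -v -oG - 10.0.0.0/29 (-v also lists Down hosts)
discovery_sample() {
  printf '# Nmap 7.94 scan initiated Mon Jan  1 12:00:00 2024 as: nmap -sn -v -oG - 10.0.0.0/29\n'
  printf 'Host: 10.0.0.1 (gw.lab)\tStatus: Up\n'
  printf 'Host: 10.0.0.2 ()\tStatus: Up\n'
  printf 'Host: 10.0.0.5 ()\tStatus: Down\n'
  printf '# Nmap done at Mon Jan  1 12:00:02 2024 -- 8 IP addresses (2 hosts up) scanned in 1.50 seconds\n'
}

# Constructed -oG output of: nmap -sS -sU -sV -p T:1-65535,U:53 -oG - -iL live.txt
# Each Ports: entry has the layout port/state/proto/owner/service/rpcinfo/version/
portscan_sample() {
  printf '# Nmap 7.94 scan initiated Mon Jan  1 12:01:00 2024 as: nmap -sS -sU -sV -p T:1-65535,U:53 -oG - -iL live.txt\n'
  printf 'Host: 10.0.0.1 (gw.lab)\tStatus: Up\n'
  printf 'Host: 10.0.0.1 (gw.lab)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1 (protocol 2.0)/, 80/open/tcp//http//nginx 1.24.0/, 443/closed/tcp//https///, 53/open|filtered/udp//domain///\tIgnored State: filtered (65532)\n'
  printf 'Host: 10.0.0.2 ()\tStatus: Up\n'
  printf 'Host: 10.0.0.2 ()\tPorts: 3389/open/tcp//ms-wbt-server//Microsoft Terminal Services/, 53/closed/udp//domain///\tIgnored State: filtered (65534)\n'
  printf '# Nmap done at Mon Jan  1 12:05:00 2024 -- 2 IP addresses (2 hosts up) scanned in 240.00 seconds\n'
}

# stdin: -oG output of a -sn scan; stdout: one address per line, ready for -iL.
# -oG fields are tab separated; "Status:" is compared exactly so Down hosts drop out.
up_hosts() {
  awk -F '\t' '$1 ~ /^Host: / && $2 == "Status: Up" { split($1, h, " "); print h[2] }'
}

# stdin: -oG output of a port scan; stdout: "ip port/proto state service version".
# Ports in state open or open|filtered are kept (UDP open|filtered is ambiguous, so it
# is reported with its state rather than silently counted as open); closed and
# filtered entries are dropped, as is the summary "Ignored State:" field.
open_ports() {
  awk -F '\t' '
    $1 ~ /^Host: / {
      split($1, h, " "); ip = h[2]
      for (i = 2; i <= NF; i++) {
        if ($i !~ /^Ports: /) continue
        sub(/^Ports: /, "", $i)
        n = split($i, entry, ", ")
        for (j = 1; j <= n; j++) {
          split(entry[j], f, "/")
          if (f[2] ~ /^open/) print ip, f[1] "/" f[3], f[2], f[5], f[7]
        }
      }
    }'
}

# The real two-stage run (needs nmap, root for -sS, and authorisation to scan $1).
# Not executed here; shown for how the parsers slot into the pipeline.
staged_scan() {
  nmap -sn -v -oG - "$1" | up_hosts > live.txt
  nmap -sS -sV -p- -oG - -iL live.txt | open_ports
}

# Offline demonstration on the constructed samples
echo '== live hosts (for -iL) =='; discovery_sample | up_hosts
echo '== open ports ==';           portscan_sample | open_ports
```

Writing -oG to stdout with `-oG -` keeps the pipeline in one shell line; when the scan is long, prefer `-oA basename` and parse the saved `.gnmap` file so the XML copy is also kept for tooling that needs it.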

NSE Scripts
  Default scripts                          nmap -sV -sC <target>
  Get help on a script                     nmap --script-help=ssl-heartbleed
  Run one NSE script                       nmap -sV --script=ssl-heartbleed -p 443 <target>
  Run a set of scripts by wildcard         nmap -sV --script='smb*' <target>   (quote the wildcard so the shell does not expand it against local files)
  Help for any script                      nmap --script-help=<scriptname>

HTTP Service Discovery
  Get page title                           nmap --script=http-title <target>
  Get HTTP headers                         nmap --script=http-headers <target>
  Enumerate web apps and common paths      nmap --script=http-enum <target>

Fine-Grained Timing (override individual values set by the -T templates)
  Parallel host scan group sizes                   --min-hostgroup/--max-hostgroup <size>
  Probe parallelization                            --min-parallelism/--max-parallelism <numprobes>
  Probe round-trip timeouts                        --min-rtt-timeout/--max-rtt-timeout/--initial-rtt-timeout <time>
  Cap port scan probe retransmissions              --max-retries <tries>
  Give up on a target after this long              --host-timeout <time>
  Adjust delay between probes                      --scan-delay/--max-scan-delay <time>
  Send packets no slower than <number> per second  --min-rate <number>
  Send packets no faster than <number> per second  --max-rate <number>