NMAP Cheatsheet


Nmap Targeting
  Scan a single IP                           nmap 192.168.1.1
  Scan a hostname                            nmap www.domain.com
  Scan an IP range                           nmap 192.168.1.1-100
  Scan a subnet                              nmap 192.168.1.0/24
  Scan targets from a predefined list        nmap -iL list.txt

Ports
  Scan a single port                         nmap -p 22 192.168.1.1
  Scan a range of ports                      nmap -p 1-20 192.168.1.1
  Scan multiple ports                        nmap -p 22,80,443 192.168.1.1
  Scan mixed TCP/UDP ports                   nmap -p U:53,T:22 192.168.1.1
  Scan the 100 most common ports (fast)      nmap -F 192.168.1.1
  Scan the top N most common ports           nmap --top-ports 300 192.168.1.1
  Scan ports sequentially (no randomizing)   nmap -r -p 1-1000 192.168.1.1
  Scan all 65535 ports                       nmap -p- 192.168.1.1

Scan types
  TCP connect scan                           nmap -sT 192.168.1.1
  TCP SYN scan (half-open, "stealth" scan)   nmap -sS 192.168.1.1
  UDP scan                                   nmap -sU -p 137,139 192.168.1.1
  Skip host discovery (treat hosts as up)    nmap -Pn 192.168.1.1
  Host discovery only (no port scan)         nmap -sn 192.168.1.1
  Version scan                               nmap -sV 192.168.1.1
  OS detection (capital -O, not -o)          nmap -O 192.168.1.1

OS and Service Discovery
  OS and services                            nmap -A 192.168.1.1
  Standard service discovery                 nmap -sV 192.168.1.1
  Aggressive service discovery               nmap -sV --version-intensity 5 192.168.1.1
  Light banner grabbing                      nmap -sV --version-intensity 0 192.168.1.1

Aggregate Timing (timing templates, capital -T)
  Paranoid: very slow                        nmap -T0 192.168.1.1
  Sneaky: quite slow                         nmap -T1 192.168.1.1
  Polite: slows down                         nmap -T2 192.168.1.1
  Normal: default                            nmap -T3 192.168.1.1
  Aggressive: fast and reliable              nmap -T4 192.168.1.1
  Insane: very aggressive                    nmap -T5 192.168.1.1

Output Formats
  Standard Nmap output                       nmap -oN output.txt 192.168.1.1
  XML format                                 nmap -oX output.txt 192.168.1.1
  Greppable format                           nmap -oG output.txt 192.168.1.1
  All three formats at once (-oA takes a basename and writes output.nmap, output.xml and output.gnmap)
                                             nmap -oA output 192.168.1.1
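The greppable (-oG) format above is the one most often fed to other tooling. As an added example, not part of the original cheatsheet, the following parser turns a constructed -oG sample into a per-host port inventory and reports open TCP ports that are not in an assumed baseline, which is the usual way a defender turns a periodic scan into an "unexpected exposure" alert. The SAMPLE_GNMAP text and BASELINE dict are constructed for illustration.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of Nmap greppable output (nmap -oG), not a real scan.
# Sections on a "Host:" line are tab-separated; each "Ports:" entry is
# port/state/protocol/owner/service/rpcinfo/version (nmap writes "/" inside
# fields as "|", so splitting on "/" is safe).
SAMPLE_GNMAP = (
    "# Nmap 7.94 scan initiated (constructed sample)\n"
    "Host: 192.168.1.10 ()\tStatus: Up\n"
    "Host: 192.168.1.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, "
    "80/open/tcp//http//nginx 1.18.0/, 3389/open/tcp//ms-wbt-server///"
    "\tIgnored State: closed (997)\n"
    "Host: 192.168.1.20 (db01.lan)\tPorts: 5432/open/tcp//postgresql//"
    "PostgreSQL DB 14.5/, 22/filtered/tcp//ssh///\tIgnored State: closed (998)\n"
    "# Nmap done (constructed sample)\n"
)

# Constructed baseline (assumption): TCP ports each host is expected to expose.
BASELINE = {"192.168.1.10": {22, 80}, "192.168.1.20": {22}}

PortRow = Tuple[int, str, str, str, str]  # (port, state, proto, service, version)


def parse_gnmap(text: str) -> Dict[str, List[PortRow]]:
    """Return {ip: [(port, state, proto, service, version), ...]} from -oG text."""
    hosts: Dict[str, List[PortRow]] = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # comment / summary lines
        sections = line.split("\t")
        ip = sections[0].split()[1]
        rows = hosts.setdefault(ip, [])
        for sec in sections[1:]:
            if not sec.startswith("Ports:"):
                continue
            for entry in sec[len("Ports:"):].split(","):
                f = entry.strip().split("/")
                if len(f) < 7 or not f[0].isdigit():
                    continue  # malformed entry: skip rather than crash
                rows.append((int(f[0]), f[1], f[2], f[4], f[6]))
    return hosts


def unexpected_open_ports(hosts: Dict[str, List[PortRow]], baseline) -> list:
    """Open TCP ports absent from the baseline: new exposure to review."""
    findings = []
    for ip, rows in hosts.items():
        allowed = baseline.get(ip, set())
        for port, state, proto, service, version in rows:
            if state == "open" and proto == "tcp" and port not in allowed:
                findings.append((ip, port, service, version))
    return sorted(findings)


if __name__ == "__main__":
    for ip, port, service, version in unexpected_open_ports(parse_gnmap(SAMPLE_GNMAP), BASELINE):
        print(f"UNEXPECTED {ip}:{port}/tcp {service} {version}".rstrip())
```

Filtered or closed ports are never flagged, so a host whose baseline port is filtered shows up only as absent, not as a finding; diff two runs of the parser to catch that case.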

NSE Scripts
  Default scripts                            nmap -sV -sC 192.168.1.1
  Script help                                nmap --script-help=ssl-heartbleed
  NSE script scan                            nmap -sV --script=ssl-heartbleed -p 443 192.168.1.1
  Scan with a script set (quote the wildcard so the shell does not expand it)
                                             nmap -sV --script="smb*" 192.168.1.1
  Help for any script by name                nmap --script-help=scriptname

HTTP Service Discovery
  Get page title                             nmap --script=http-title 192.168.1.0/24
  Get HTTP headers                           nmap --script=http-headers 192.168.1.0/24
  Find web apps                              nmap --script=http-enum 192.168.1.0/24

Fine-Grained Timing
  Parallel host scan group sizes             --min-hostgroup/--max-hostgroup <size>
  Probe parallelization                      --min-parallelism/--max-parallelism <numprobes>
  Probe round-trip time bounds               --min-rtt-timeout/--max-rtt-timeout/--initial-rtt-timeout <time>
  Cap port scan probe retransmissions        --max-retries <tries>
  Give up on a target after this time        --host-timeout <time>
  Adjust delay between probes                --scan-delay/--max-scan-delay <time>
  Send packets no slower than                --min-rate <number>
  Send packets no faster than                --max-rate <number>