Skip to main content

Nmap Cheat Sheet / Nmap Commands with examples

Nmap Cheat Sheet
NMAP Commands

Goal
Command
Example
Scan a Single Target
nmap [target]
nmap 192.168.0.1
Scan Multiple Targets
nmap [target1, target2, etc]
nmap 192.168.0.1 192.168.0.2
Scan a List of Targets
nmap -iL [list.txt]
nmap -iL targets.txt
Scan a Range of Hosts
nmap [range of ip addresses]
nmap 192.168.0.1-10
Scan an Entire Subnet
nmap [ip address/cdir]
nmap 192.168.0.1/24
Scan Random Hosts
nmap -iR [number]
nmap -iR 0
Excluding Targets from a Scan
nmap [targets] --exclude [targets]
nmap 192.168.0.1/24 --exclude 192.168.0.100, 192.168.0.200
Excluding Targets Using a List
nmap [targets] --excludefile [list.txt]
nmap 192.168.0.1/24 --excludefile notargets.txt
Perform an Aggressive Scan
nmap -A [target]
nmap -A 192.168.0.1
Scan an IPv6 Target
nmap -6 [target]
nmap -6 1aff:3c21:47b1:0000:0000:0000:0000:2afe

DISCOVERY OPTIONS
Goal
Command
Example
Perform a Ping Only Scan
nmap -sP [target]
nmap -sP 192.168.0.1
Don’t Ping
nmap -PN [target]
nmap -PN 192.168.0.1
TCP SYN Ping
nmap -PS [target]
nmap -PS 192.168.0.1
TCP ACK Ping
nmap -PA [target]
nmap -PA 192.168.0.1
UDP Ping
nmap -PU [target]
nmap -PU 192.168.0.1
SCTP INIT Ping
nmap -PY [target]
nmap -PY 192.168.0.1
ICMP Echo Ping
nmap -PE [target]
nmap -PE 192.168.0.1
ICMP Timestamp Ping
nmap -PP [target]
nmap -PP 192.168.0.1
ICMP Address Mask Ping
nmap -PM [target]
nmap -PM 192.168.0.1
IP Protocol Ping
nmap -PO [target]
nmap -PO 192.168.0.1
ARP Ping
nmap -PR [target]
nmap -PR 192.168.0.1
Traceroute
nmap --traceroute [target]
nmap --traceroute 192.168.0.1
Force Reverse DNS Resolution
nmap -R [target]
nmap -R 192.168.0.1
Disable Reverse DNS Resolution
nmap -n [target]
nmap -n 192.168.0.1
Alternative DNS Lookup
nmap --system-dns [target]
nmap --system-dns 192.168.0.1
Manually Specify DNS Server(s)
nmap --dns-servers [servers] [target]
nmap --dns-servers 201.56.212.54 192.168.0.1
Create a Host List
nmap -sL [targets]
nmap -sL 192.168.0.1/24



ADVANCED SCANNING OPTIONS
Goal
Command
Example
TCP SYN Scan
nmap -sS [target]
nmap -sS 192.168.0.1
TCP Connect Scan
nmap -sT [target]
nmap -sT 192.168.0.1
UDP Scan
nmap -sU [target]
nmap -sU 192.168.0.1
TCP NULL Scan
nmap -sN [target]
nmap -sN 192.168.0.1
TCP FIN Scan
nmap -sF [target]
nmap -sF 192.168.0.1
Xmas Scan
nmap -sX [target]
nmap -sX 192.168.0.1
TCP ACK Scan
nmap -sA [target]
nmap -sA 192.168.0.1
Custom TCP Scan
nmap --scanflags [flags] [target]
nmap --scanflags SYNFIN 192.168.0.1
IP Protocol Scan
nmap -sO [target]
nmap -sO 192.168.0.1
Send Raw Ethernet Packets
nmap --send-eth [target]
nmap --send-eth 192.168.0.1
Send IP Packets
nmap --send-ip [target]
nmap --send-ip 192.168.0.1



PORT SCANNING OPTIONS
Goal
Command
Example
Perform a Fast Scan
nmap -F [target]
nmap -F 192.168.0.1
Scan Specific Ports
nmap -p [port(s)] [target]
nmap -p 21-25,80,139,8080 192.168.1.1
Scan Ports by Name
nmap -p [port name(s)] [target]
nmap -p ftp,http* 192.168.0.1
Scan Ports by Protocol
nmap -sU -sT -p U:[ports],T:[ports] [target]
nmap -sU -sT -p U:53,111,137,T:21-25,80,139,8080 192.168.0.1
Scan All Ports
nmap -p '*' [target]
nmap -p '*' 192.168.0.1
Scan Top Ports
nmap --top-ports [number] [target]
nmap --top-ports 10 192.168.0.1
Perform a Sequential Port Scan
nmap -r [target]
nmap -r 192.168.0.1



VERSION DETECTION
Goal
Command
Example
Operating System Detection
nmap -O [target]
nmap -O 192.168.0.1
Submit TCP/IP Fingerprints
www.nmap.org/submit/
Attempt to Guess an Unknown OS
nmap -O --osscan-guess [target]
nmap -O --osscan-guess 192.168.0.1
Service Version Detection
nmap -sV [target]
nmap -sV 192.168.0.1
Troubleshooting Version Scans
nmap -sV --version-trace [target]
nmap -sV --version-trace 192.168.0.1
Perform a RPC Scan
nmap -sR [target]
nmap -sR 192.168.0.1



TIMING OPTIONS
Goal
Command
Example
Timing Templates
nmap -T[0-5] [target]
nmap -T3 192.168.0.1
Set the Packet TTL
nmap --ttl [time] [target]
nmap --ttl 64 192.168.0.1
Minimum # of Parallel Operations
nmap --min-parallelism [number] [target]
nmap --min-parallelism 10 192.168.0.1
Maximum # of Parallel Operations
nmap --max-parallelism [number] [target]
nmap --max-parallelism 1 192.168.0.1
Minimum Host Group Size
nmap --min-hostgroup [number] [targets]
nmap --min-hostgroup 50 192.168.0.1
Maximum Host Group Size
nmap --max-hostgroup [number] [targets]
nmap --max-hostgroup 1 192.168.0.1
Maximum RTT Timeout
nmap --initial-rtt-timeout [time] [target]
nmap --initial-rtt-timeout 100ms 192.168.0.1
Initial RTT Timeout
nmap --max-rtt-timeout [TTL] [target]
nmap --max-rtt-timeout 100ms 192.168.0.1
Maximum Retries
nmap --max-retries [number] [target]
nmap --max-retries 10 192.168.0.1
Host Timeout
nmap --host-timeout [time] [target]
nmap --host-timeout 30m 192.168.0.1
Minimum Scan Delay
nmap --scan-delay [time] [target]
nmap --scan-delay 1s 192.168.0.1
Maximum Scan Delay
nmap --max-scan-delay [time] [target]
nmap --max-scan-delay 10s 192.168.0.1
Minimum Packet Rate
nmap --min-rate [number] [target]
nmap --min-rate 50 192.168.0.1
Maximum Packet Rate
nmap --max-rate [number] [target]
nmap --max-rate 100 192.168.0.1
Defeat Reset Rate Limits
nmap --defeat-rst-ratelimit [target]
nmap --defeat-rst-ratelimit 192.168.0.1



FIREWALL EVASION TECHNIQUES
Goal
Command
Example
Fragment Packets
nmap -f [target]
nmap -f 192.168.0.1
Specify a Specific MTU
nmap --mtu [MTU] [target]
nmap --mtu 32 192.168.0.1
Use a Decoy
nmap -D RND:[number] [target]
nmap -D RND:10 192.168.0.1
Idle Zombie Scan
nmap -sI [zombie] [target]
nmap -sI 192.168.0.38 192.168.0.1
Manually Specify a Source Port
nmap --source-port [port] [target]
nmap --source-port 1025 192.168.0.1
Append Random Data
nmap --data-length [size] [target]
nmap --data-length 20 192.168.0.1
Randomize Target Scan Order
nmap --randomize-hosts [target]
nmap --randomize-hosts 192.168.0.1-20
Spoof MAC Address
nmap --spoof-mac [MAC|0|vendor] [target]
nmap --spoof-mac Cisco 192.168.0.1
Send Bad Checksums
nmap --badsum [target]
nmap --badsum 192.168.0.1



OUTPUT OPTIONS
Goal
Command
Example
Save Output to a Text File
nmap -oN [scan.txt] [target]
nmap -oN scan.txt 192.168.0.1
Save Output to a XML File
nmap -oX [scan.xml] [target]
nmap -oX scan.xml 192.168.0.1
Grepable Output
nmap -oG [scan.txt] [targets]
nmap -oG scan.txt 192.168.0.1
Output All Supported File Types
nmap -oA [path/filename] [target]
nmap -oA ./scan 192.168.0.1
Periodically Display Statistics
nmap --stats-every [time] [target]
nmap --stats-every 10s 192.168.0.1
133t Output
nmap -oS [scan.txt] [target]
nmap -oS scan.txt 192.168.0.1


TROUBLESHOOTING AND DEBUGGING
Goal
Command
Example
Getting Help
nmap -h
nmap -h
Display Nmap Version
nmap -V
nmap -V
Verbose Output
nmap -v [target]
nmap -v 192.168.0.1
Debugging
nmap -d [target]
nmap -d 192.168.0.1
Display Port State Reason
nmap --reason [target]
nmap --reason 192.168.0.1
Only Display Open Ports
nmap --open [target]
nmap --open 192.168.0.1
Trace Packets
nmap --packet-trace [target]
nmap --packet-trace 192.168.0.1
Display Host Networking
nmap --iflist
nmap --iflist
Specify a Network Interface
nmap -e [interface] [target]
nmap -e eth0 192.168.0.1


NMAP SCRIPTING ENGINE
Goal
Command
Example
Execute Individual Scripts
nmap --script [script.nse] [target]
nmap --script banner.nse 192.168.0.1
Execute Multiple Scripts
nmap --script [expression] [target]
nmap --script 'http-*' 192.168.0.1
Script Categories
all, auth, default, discovery, external, intrusive, malware, safe, vuln
Execute Scripts by Category
nmap --script [category] [target]
nmap --script 'not intrusive' 192.168.0.1
Execute Multiple Script Categories
nmap --script [category1,category2,etc]
nmap --script 'default or safe' 192.168.0.1
Troubleshoot Scripts
nmap --script [script] --script-trace [target]
nmap --script banner.nse --script-trace 192.168.0.1
Update the Script Database
nmap --script-updatedb
nmap --script-updatedb


Comments

  1. Zeppelin29 November 2019 at 02:35

    Very Good Blog. Highly valuable information have been shared.Great information has been shared. We expect many more blogs from the author. Special thanks for sharing..
    software testing services
    software testing companies
    Regression testing services
    Performance testing Services
    Test automation services

    ReplyDelete
  2. cathyouellette15 September 2020 at 23:09

    It's great to be here and to learn more about software testing. I'm a software tester in a leading
    Software testing companies. This a great knowledge for all beginners. Appreciate your effort to write about this.

    ReplyDelete
  3. Nila dharshan8 March 2022 at 03:33

    Useful blog, keep sharing with us.

    How Does Google Flutter Work
    Why Google Flutter

    ReplyDelete

Post a Comment

Popular posts from this blog

Drozer Commands - A Security & Attack Framework for Android

What is Drozer? Drozer is a Security & Attack Framework for Android Application Testing. Drozer is a tool that can be used for Mobile device review , Secure development of applications, BYOD approval and Mobile application testing. There are 2 Versions of Drozer an Open Source and other one Pro version having following features Gathering the information about the application Find the attack surface Test your Exposure to Public Exploits Execute dynamic code on a device, to avoid the need to compile and install small test scripts. Start Android emulators, provisioned with the drozer Agent and the app you want to investigate. Simulate sensor input, such as GPS, to emulators to test the full attack surface. View the attack surface as a graph. this will be helpful for the risk assessment reporting. Drozer is having agent & server architecture so to start with assessment we have to install the agent in the emulator or connected device. Command to install the Dr
6 comments
Read more

Android Damn Vulnerable App by Security Compass

Tutorial of Android Damn Vulnerable App by Security Compass Introduction: Hi folks, today I am gonna show you some hands on or tutorial of the android app testing which I done during my R&D of android app security testing. Here I will show you from scratch setting up of Lab Server to testing of application. In this you will learn on below topics: 1)Insecure Connection (Traffic over HTTP) 2)Server Side Authorization Issue 3)Insecure File Storage 4)Insecure Logging 5)Encryption of data on device 6)Memory Protection Setting-up of lab (App & Server) First of all you have to download the base app which is damn vulnerable from here . After downloading zip and extracting it you have to build it in .apk format using Eclipse IDE. Now you have to install the app in the emulator before that you have to make sure that you installed SDK and its packages. To install the app you have to start emulator using AVD and clicking on "Start" or by command line emul
25 comments
Read more

OWASP IoT (Internet of Things) Top 10 - A Walkthrough

OWASP IoT (Internet of Things) Top 10 - 2014 Introductions: In Todays world things of everyday are becoming smart, every hour hundreds and thousands of smart devices are being added to the Internet whether it is a Toaster, Camera, Refrigerator, T.Vs, Cars etc. So it can be a target of attackers easily, here comes OWASP IoT Top 10 to address this issue. OWASP IoT Top 10 is designed to make the everyday devices secure on same lines of guidelines by OWASP TOP 10 for applications. The OWASP Internet of Things Top 10 - 2014 is as follows: I1 – Insecure Web Interface I2 – Insufficient Authentication/Authorization I3 – Insecure Network Services I4 – Lack of Transport Encryption I5 – Privacy Concerns I6 – Insecure Cloud Interface I7 – Insecure Mobile Interface I8 – Insufficient Security Configurability I9 – Insecure Software/Firmware I10 – Poor Physical Security  How to test for OWASP IoT Top 10   I1 – Insecure Web Interface: Everyday devices have web ser
Post a Comment
Read more