Nmap cheat sheet
Target Specification
- `nmap [target]`: Scan a single IP or hostname.
- `nmap [target1] [target2] ...`: Scan multiple targets (space-separated).
- `nmap -iL [list.txt]`: Scan targets from a list in a file.
- `nmap [range of IP addresses]`: Scan a range of IPs.
- `nmap [IP address/cidr]`: Scan a network using CIDR notation.
- `nmap -iR [number]`: Scan random hosts.
- `nmap [targets] --exclude [targets]`: Exclude listed hosts.
- `nmap [targets] --excludefile [list.txt]`: Exclude targets from a file.
Host Discovery
- `nmap -sP [target]`: Ping scan, no port scan (`-sP` is the legacy alias of `-sn`).
- `nmap -PS [target]`: TCP SYN ping.
- `nmap -PA [target]`: TCP ACK ping.
- `nmap -PU [target]`: UDP ping.
- `nmap -PE [target]`: ICMP echo request ping.
- `nmap -PP [target]`: ICMP timestamp request ping.
- `nmap -PM [target]`: ICMP address mask request ping.
- `nmap -PO [target]`: IP protocol ping.
- `nmap -PR [target]`: ARP ping (local network only).
Scan Techniques
- `nmap -sS [target]`: TCP SYN scan (default).
- `nmap -sT [target]`: TCP connect scan.
- `nmap -sU [target]`: UDP scan.
- `nmap -sA [target]`: TCP ACK scan.
- `nmap -sW [target]`: TCP Window scan.
- `nmap -sM [target]`: TCP Maimon scan.
- `nmap -sN [target]`: TCP Null scan.
- `nmap -sF [target]`: TCP FIN scan.
- `nmap -sX [target]`: TCP Xmas scan.
- `nmap -sO [target]`: IP protocol scan.
Service and Version Detection
- `nmap -sV [target]`: Probe open ports to determine service/version info.
- `nmap -sV --version-intensity [0-9] [target]`: Set intensity level of version detection.
- `nmap -sV --version-light [target]`: Enable light mode for version scanning.
- `nmap -sV --version-all [target]`: Enable intense mode for version scanning.
OS Detection
- `nmap -O [target]`: Enable OS detection.
- `nmap -O --osscan-limit [target]`: Limit OS detection to hosts with confirmed open ports.
- `nmap -O --osscan-guess [target]`: Guess more aggressively about the OS.
- `nmap -O --max-os-tries [number] [target]`: Set the maximum number of OS detection tries.
Timing and Performance
- `nmap -T0 [target]`: Paranoid (IDS evasion).
- `nmap -T1 [target]`: Sneaky (IDS evasion).
- `nmap -T2 [target]`: Polite (slows down the scan).
- `nmap -T3 [target]`: Normal (default speed).
- `nmap -T4 [target]`: Aggressive (speeds up scans).
- `nmap -T5 [target]`: Insane (fastest scans).
Nmap Scripting Engine (NSE)
- `nmap --script [script.nse] [target]`: Execute a specific NSE script.
- `nmap --script [category] [target]`: Execute scripts in a specific category.
- `nmap --script "default and not intrusive" [target]`: Execute default scripts excluding intrusive ones.
Firewall/IDS Evasion and Spoofing
- `nmap -f [target]`: Fragment packets to evade firewalls.
- `nmap --mtu [MTU] [target]`: Specify a custom MTU size.
- `nmap -D RND:[number] [target]`: Randomize decoy addresses.
- `nmap -S [IP] [target]`: Spoof source address.
- `nmap -e [interface] [target]`: Use the specified network interface.
- `nmap -g [port number] [target]`: Use the given source port (`-g` is an alias of `--source-port`).
- `nmap --source-port [port number] [target]`: Use the given source port.
- `nmap --data-length [number] [target]`: Append random data to packets.
- `nmap --randomize-hosts [target]`: Randomize target scanning order.
- `nmap --spoof-mac [MAC|0|vendor] [target]`: Spoof MAC address.
- `nmap --badsum [target]`: Generate packets with a bad checksum.
Output Options
- `nmap -oN [file] [target]`: Normal output to a file.
- `nmap -oX [file] [target]`: XML output to a file.
- `nmap -oG [file] [target]`: Grepable output to a file.
- `nmap -oA [path/filename] [target]`: Output in all three formats, using the given basename for the files.
- `nmap --open [target]`: Show only open ports.
- `nmap --packet-trace [target]`: Show all packets sent and received.
- `nmap --iflist`: List interfaces and routes.
- `nmap --resume [file]`: Resume an interrupted scan.
- `nmap --stylesheet [path] [target]`: Apply an XSL stylesheet to XML output.
- `nmap --webxml`: Use the default Nmap.org stylesheet for XML.
Miscellaneous Options
- `nmap -6 [target]`: Enable IPv6 scanning.
- `nmap --datadir [directory]`: Specify a custom Nmap data file location.
- `nmap --send-eth/--send-ip [target]`: Send packets using Ethernet frames or raw IP packets.
- `nmap --privileged`: Assume that the user is fully privileged.
- `nmap --unprivileged`: Assume the user lacks raw socket privileges.
Port Specification and Scan Order
- `-p <port1>-<port2>`: Scan a port range.
- `-p <port1>,<port2>,...`: Scan a list of ports.
- `-p U:53,U:110,T:20-445`: Mix TCP and UDP ports.
- `-r`: Scan ports linearly (do not randomize the port order).
- `--top-ports <n>`: Scan the n most popular ports.
- `-p-65535`: Leaving off the initial port in a range makes Nmap start at port 1.
- `-p-`: Leaving off the end port in a range makes Nmap scan all ports.
- `-F`: Fast (limited port) scan.
Port Status
- Open: An application is listening for connections on this port.
- Closed: Probes were received but no application is listening on this port.
- Filtered: Probes were not received, indicating that they are being dropped by some kind of filtering.
- Unfiltered: Probes were received but an open/closed state could not be established.
- Open/Filtered: The port is either filtered or open, but Nmap couldn't establish which.
- Closed/Filtered: The port is either filtered or closed, but Nmap couldn't establish which.
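The XML output (`-oX`) from the Output Options section and the six port states above come together when a defender turns scan results into an inventory: only a definite `open` state is evidence that something is listening, while `open|filtered` (typical of UDP) is ambiguous and should not be counted as exposure. The following Python is an added example, not code from this cheat sheet or from the Nmap project; it parses the layout that `nmap -oX` writes (`<host>`, `<address>`, `<ports>`, `<port>`, `<state>`, `<service>` elements) and reports open ports that are missing from an allowlist. The XML string is constructed sample input, not real scan output, and the allowlist is a hypothetical baseline.

```python
"""Summarize port states from an Nmap XML (-oX) report and flag unexpected open ports.

Added example: not part of the cheat sheet or of Nmap itself. The sample XML is
constructed in the layout that `nmap -oX` produces, not a real scan result.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample: what `nmap -sS -sV --reason -oX scan.xml ...` might write.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sV --reason -oX scan.xml 192.0.2.10 192.0.2.11">
  <host><status state="up" reason="arp-response"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <extraports state="closed" count="997"><extrareasons reason="resets" count="997"/></extraports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh" product="OpenSSH"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http"/></port>
      <port protocol="tcp" portid="443"><state state="filtered" reason="no-response"/><service name="https"/></port>
    </ports>
  </host>
  <host><status state="up" reason="echo-reply"/>
    <address addr="192.0.2.11" addrtype="ipv4"/>
    <ports>
      <extraports state="filtered" count="998"><extrareasons reason="no-responses" count="998"/></extraports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh"/></port>
      <port protocol="udp" portid="53"><state state="open|filtered" reason="no-response"/><service name="domain"/></port>
    </ports>
  </host>
</nmaprun>
"""

# The six port states Nmap reports; "open|filtered" and "closed|filtered" are the ambiguous ones.
PORT_STATES = ("open", "closed", "filtered", "unfiltered", "open|filtered", "closed|filtered")


def parse_nmap_xml(xml_text):
    """Return {addr: [(proto, port, state, reason, service), ...]} for every scanned host.

    Only explicitly listed <port> elements are returned; Nmap folds the bulk of
    closed/filtered ports into <extraports>, which carries a count but no port numbers.
    """
    root = ET.fromstring(xml_text)
    results = {}
    for host in root.iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            addr_el = host.find("address[@addrtype='ipv6']")
        if addr_el is None:
            continue  # e.g. a host entry with only a MAC address
        entries = []
        for port in host.iter("port"):
            state_el = port.find("state")
            svc_el = port.find("service")
            entries.append((
                port.get("protocol"),
                int(port.get("portid")),
                state_el.get("state"),
                state_el.get("reason"),  # populated when the scan ran with --reason
                svc_el.get("name") if svc_el is not None else None,
            ))
        results[addr_el.get("addr")] = entries
    return results


def count_states(results):
    """Count explicitly listed ports per state across all hosts."""
    counts = defaultdict(int)
    for entries in results.values():
        for _, _, state, _, _ in entries:
            counts[state] += 1
    return dict(counts)


def open_ports(results):
    """Definitively open ports only: 'open|filtered' is ambiguous and deliberately excluded."""
    return {
        addr: sorted((proto, port) for proto, port, state, _, _ in entries if state == "open")
        for addr, entries in results.items()
    }


def unexpected_open(results, allowlist):
    """Return (addr, proto, port) tuples that are open but absent from allowlist {addr: {(proto, port)}}."""
    findings = []
    for addr, ports in open_ports(results).items():
        for proto, port in ports:
            if (proto, port) not in allowlist.get(addr, set()):
                findings.append((addr, proto, port))
    return findings


if __name__ == "__main__":
    res = parse_nmap_xml(SAMPLE_XML)
    print("ports per state:", count_states(res))
    # Hypothetical baseline: only SSH is expected on both hosts.
    baseline = {"192.0.2.10": {("tcp", 22)}, "192.0.2.11": {("tcp", 22)}}
    for addr, proto, port in unexpected_open(res, baseline):
        print(f"{addr} {proto}/{port} is open but not in the baseline")
```

Run it against a real report with `nmap -sS -sV --reason -oX scan.xml <targets>` and `parse_nmap_xml(open("scan.xml").read())`; diffing `open_ports()` between two dated reports of the same hosts is the simplest way to catch a newly exposed service. Nmap's own XML is trusted input here, so the standard library parser is adequate; for XML from an untrusted source, parse with `defusedxml` instead.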
Fine-Grained Timing Options
- `--min-hostgroup/--max-hostgroup <size>`: Parallel host scan group sizes.
- `--min-parallelism/--max-parallelism <numprobes>`: Probe parallelization.
- `--min-rtt-timeout/--max-rtt-timeout/--initial-rtt-timeout <time>`: Specify the probe round-trip time.
- `--max-retries <tries>`: Cap the number of port scan probe retransmissions.
- `--host-timeout <time>`: Give up on a target after this time.
- `--scan-delay/--max-scan-delay <time>`: Adjust the delay between probes.
- `--min-rate <number>`: Send packets no slower than this number per second.
- `--max-rate <number>`: Send packets no faster than this number per second.
Nmap Scripting Engine Categories
- auth: Utilize credentials or bypass authentication on target hosts.
- broadcast: Discover hosts by broadcasting on the local network.
- brute: Attempt to guess passwords for a variety of protocols.
- default: Scripts run automatically with -sC or -A.
- discovery: Learn more information about target hosts through various methods.
- dos: May cause denial of service conditions in target hosts.
- exploit: Attempt to exploit target systems.
- external: Interact with third-party systems.
- fuzzer: Send unexpected input in network protocol fields.
- intrusive: May impact target machines in a malicious fashion.
- malware: Look for signs of malware infection on target hosts.
- safe: Designed not to impact target negatively.
- version: Measure the version of software or protocols on the target hosts.
- vuln: Measure whether target systems have a known vulnerability.
Additional Options
- `-n`: Disable reverse DNS lookups of IP addresses.
- `--reason`: Display the reason Nmap thinks that the port is open, closed, or filtered.
- `-A`: Enable several features, including OS detection, version detection, script scanning (default) and traceroute.
- `-6`: Use IPv6 only.
Probing Options
- `-Pn`: Don't probe (assume all hosts are up).
- `-PB`: Default probe (TCP 80, 445 and ICMP).
- `-PS<portlist>`: Check whether systems are online by probing TCP ports.
- `-PE`: Use ICMP Echo Request for probing.
- `-PP`: Use ICMP Timestamp Request for probing.
- `-PM`: Use ICMP Netmask Request for probing.
Scan Types
- `-sn`: Probe only (host discovery, no port scan).
- `-sS`: SYN scan.
- `-sT`: TCP connect scan.
- `-sU`: UDP scan.
- `-sV`: Version scan.
- `-O`: OS detection/fingerprinting.
- `--scanflags`: Set a custom list of TCP flags (URG, ACK, PSH, RST, SYN, FIN) in any order.
Timing Options
- `-T0` (Paranoid): Very slow, used for IDS evasion.
- `-T1` (Sneaky): Quite slow, used for IDS evasion.
- `-T2` (Polite): Slows down to consume less bandwidth, runs ~10 times slower than default.
- `-T3` (Normal): Default, a dynamic timing model based on target responsiveness.
- `-T4` (Aggressive): Assumes a fast and reliable network and may overwhelm targets.
- `-T5` (Insane): Very aggressive; will likely overwhelm targets or miss open ports.
Nmap Scripting Engine (NSE) - Specific Scripts
- dns-zone-transfer: Attempts a zone transfer (AXFR) from a DNS server.
  `$ nmap --script dns-zone-transfer.nse --script-args dns-zone-transfer.domain=<domain> -p53 <hosts>`
- http-robots.txt: Harvests robots.txt files from discovered web servers.
  `$ nmap --script http-robots.txt <hosts>`
- smb-brute: Attempts to determine valid username and password combinations via automated guessing.
  `$ nmap --script smb-brute.nse -p445 <hosts>`
- smb-psexec: Attempts to run a series of programs on the target machine, using the credentials provided as script arguments.
  `$ nmap --script smb-psexec.nse --script-args=smbuser=<username>,smbpass=<password>[,config=<config>] -p445 <hosts>`
The full list of Nmap Scripting Engine scripts can be found at the official Nmap website: Nmap Scripting Engine Documentation.
- Running individual or groups of scripts: `nmap --script=<ScriptName>|<ScriptCategory>|<ScriptDir>`
- Using the list of script arguments: `nmap --script-args=<Name1=Value1,...>`
- Updating the script database: `nmap --script-updatedb`
Last updated 26 Apr 2024, 15:18 +0530.