NMAP is a free and open-source security scanner, it is use to discover hosts and services on a computer network, thus building a “map” of the network. To accomplish its goal, Nmap sends specially crafted packets to the target host and then analyzes the responses.

NMAP Features

  • Host discovery – Identifying hosts on a network. For example, listing the hosts that respond to TCP and/or ICMP requests or have a particular port open.
  • Port scanning – Enumerating the open ports on target hosts.
  • Version detection – Interrogating network services on remote devices to determine application name and version number.
  • OS detection – Determining the operating system and hardware characteristics of network devices.
  • Scriptable interaction with the target – using Nmap Scripting Engine (NSE) and Lua programming language.
  • Nmap can provide further information on targets, including reverse DNS names, device types, and MAC addresses.

Typical uses of Nmap:

  • Auditing the security of a device or firewall by identifying the network connections which can be made to, or through it.
  • Identifying open ports on a target host in preparation for auditing.
  • Network inventory, network mapping, maintenance and asset management.
  • Auditing the security of a network by identifying new servers.
  • Generating traffic to hosts on a network, response analysis and response time measurement.
  • Finding and exploiting vulnerabilities in a network.
  • DNS queries and subdomain search

NMAP Commands Cheatsheet with Example.

Basic Scanning Commands

GoalCommandExample
Scan a Single Targetnmap [target]nmap 192.168.0.1
Scan Multiple Targetsnmap [target1, target2, etc]nmap 192.168.0.1 192.168.0.2
Scan a List of Targetsnmap -iL [list.txt]nmap -iL targets.txt
Scan a Range of Hostsnmap [range of ip addresses]nmap 192.168.0.1-10
Scan an Entire Subnetnmap [ip address/cdir]nmap 192.168.0.1/24
Scan Random Hostsnmap -iR [number]nmap -iR 0
Excluding Targets from a Scannmap [targets] –exclude [targets]nmap 192.168.0.1/24 –exclude 192.168.0.100, 192.168.0.200
Excluding Targets Using a Listnmap [targets] –excludefile [list.txt]nmap 192.168.0.1/24 –excludefile notargets.txt
Perform an Aggressive Scannmap -A [target]nmap -A 192.168.0.1
Scan an IPv6 Targetnmap -6 [target]nmap -6 1aff:3c21:47b1:0000:0000:0000:0000:2afe

Discovery Options

GoalCommandExample
Perform a Ping Only Scannmap -sP [target]nmap -sP 192.168.0.1
Don’t Pingnmap -PN [target]nmap -PN 192.168.0.1
TCP SYN Pingnmap -PS [target]nmap -PS 192.168.0.1
TCP ACK Pingnmap -PA [target]nmap -PA 192.168.0.1
UDP Pingnmap -PU [target]nmap -PU 192.168.0.1
SCTP INIT Pingnmap -PY [target]nmap -PY 192.168.0.1
ICMP Echo Pingnmap -PE [target]nmap -PE 192.168.0.1
ICMP Timestamp Pingnmap -PP [target]nmap -PP 192.168.0.1
ICMP Address Mask Pingnmap -PM [target]nmap -PM 192.168.0.1
IP Protocol Pingnmap -PO [target]nmap -PO 192.168.0.1
ARP Pingnmap -PR [target]nmap -PR 192.168.0.1
Traceroutenmap –traceroute [target]nmap –traceroute 192.168.0.1
Force Reverse DNS Resolutionnmap -R [target]nmap -R 192.168.0.1
Disable Reverse DNS Resolutionnmap -n [target]nmap -n 192.168.0.1
Alternative DNS Lookupnmap –system-dns [target]nmap –system-dns 192.168.0.1
Manually Specify DNS Server(s)nmap –dns-servers [servers] [target]nmap –dns-servers 201.56.212.54 192.168.0.1
Create a Host Listnmap -sL [targets]nmap -sL 192.168.0.1/24

Advanced Scanning Options

GoalCommandExample
TCP SYN Scannmap -sS [target]nmap -sS 192.168.0.1
TCP Connect Scannmap -sT [target]nmap -sT 192.168.0.1
UDP Scannmap -sU [target]nmap -sU 192.168.0.1
TCP NULL Scannmap -sN [target]nmap -sN 192.168.0.1
TCP FIN Scannmap -sF [target]nmap -sF 192.168.0.1
Xmas Scannmap -sX [target]nmap -sX 192.168.0.1
TCP ACK Scannmap -sA [target]nmap -sA 192.168.0.1
Custom TCP Scannmap –scanflags [flags] [target]nmap –scanflags SYNFIN 192.168.0.1
IP Protocol Scannmap -sO [target]nmap -sO 192.168.0.1
Send Raw Ethernet Packetsnmap –send-eth [target]nmap –send-eth 192.168.0.1
Send IP Packetsnmap –send-ip [target]nmap –send-ip 192.168.0.1

Port Scanning Options

GoalCommandExample
Perform a Fast Scannmap -F [target]nmap -F 192.168.0.1
Scan Specific Portsnmap -p [port(s)] [target]nmap -p 21-25,80,139,8080 192.168.1.1
Scan Ports by Namenmap -p [port name(s)] [target]nmap -p ftp,http* 192.168.0.1
Scan Ports by Protocolnmap -sU -sT -p U:[ports],T:[ports] [target]nmap -sU -sT -p U:53,111,137,T:21-25,80,139,8080 192.168.0.1
Scan All Portsnmap -p ‘*’ [target]nmap -p ‘*’ 192.168.0.1
Scan Top Portsnmap –top-ports [number] [target]nmap –top-ports 10 192.168.0.1
Perform a Sequential Port Scannmap -r [target]nmap -r 192.168.0.1

Version Detection

GoalCommandExample
Operating System Detectionnmap -O [target]nmap -O 192.168.0.1
Submit TCP/IP Fingerprintswww.nmap.org/submit/
Attempt to Guess an Unknown OSnmap -O –osscan-guess [target]nmap -O –osscan-guess 192.168.0.1
Service Version Detectionnmap -sV [target]nmap -sV 192.168.0.1
Troubleshooting Version Scansnmap -sV –version-trace [target]nmap -sV –version-trace 192.168.0.1
Perform a RPC Scannmap -sR [target]nmap -sR 192.168.0.1

Timing Options

GoalCommandExample
Timing Templatesnmap -T[0-5] [target]nmap -T3 192.168.0.1
Set the Packet TTLnmap –ttl [time] [target]nmap –ttl 64 192.168.0.1
Minimum # of Parallel Operationsnmap –min-parallelism [number] [target]nmap –min-parallelism 10 192.168.0.1
Maximum # of Parallel Operationsnmap –max-parallelism [number] [target]nmap –max-parallelism 1 192.168.0.1
Minimum Host Group Sizenmap –min-hostgroup [number] [targets]nmap –min-hostgroup 50 192.168.0.1
Maximum Host Group Sizenmap –max-hostgroup [number] [targets]nmap –max-hostgroup 1 192.168.0.1
Maximum RTT Timeoutnmap –initial-rtt-timeout [time] [target]nmap –initial-rtt-timeout 100ms 192.168.0.1
Initial RTT Timeoutnmap –max-rtt-timeout [TTL] [target]nmap –max-rtt-timeout 100ms 192.168.0.1
Maximum Retriesnmap –max-retries [number] [target]nmap –max-retries 10 192.168.0.1
Host Timeoutnmap –host-timeout [time] [target]nmap –host-timeout 30m 192.168.0.1
Minimum Scan Delaynmap –scan-delay [time] [target]nmap –scan-delay 1s 192.168.0.1
Maximum Scan Delaynmap –max-scan-delay [time] [target]nmap –max-scan-delay 10s 192.168.0.1
Minimum Packet Ratenmap –min-rate [number] [target]nmap –min-rate 50 192.168.0.1
Maximum Packet Ratenmap –max-rate [number] [target]nmap –max-rate 100 192.168.0.1
Defeat Reset Rate Limitsnmap –defeat-rst-ratelimit [target]nmap –defeat-rst-ratelimit 192.168.0.1

Firewall Evasion Techniques

GoalCommandExample
Fragment Packetsnmap -f [target]nmap -f 192.168.0.1
Specify a Specific MTUnmap –mtu [MTU] [target]nmap –mtu 32 192.168.0.1
Use a Decoynmap -D RND:[number] [target]nmap -D RND:10 192.168.0.1
Idle Zombie Scannmap -sI [zombie] [target]nmap -sI 192.168.0.38 192.168.0.1
Manually Specify a Source Portnmap –source-port [port] [target]nmap –source-port 1025 192.168.0.1
Append Random Datanmap –data-length [size] [target]nmap –data-length 20 192.168.0.1
Randomize Target Scan Ordernmap –randomize-hosts [target]nmap –randomize-hosts 192.168.0.1-20
Spoof MAC Addressnmap –spoof-mac [MAC|0|vendor] [target]nmap –spoof-mac Cisco 192.168.0.1
Send Bad Checksumsnmap –badsum [target]nmap –badsum 192.168.0.1

Output options

GoalCommandExample
Save Output to a Text Filenmap -oN [scan.txt] [target]nmap -oN scan.txt 192.168.0.1
Save Output to a XML Filenmap -oX [scan.xml] [target]nmap -oX scan.xml 192.168.0.1
Grepable Outputnmap -oG [scan.txt] [targets]nmap -oG scan.txt 192.168.0.1
Output All Supported File Typesnmap -oA [path/filename] [target]nmap -oA ./scan 192.168.0.1
Periodically Display Statisticsnmap –stats-every [time] [target]nmap –stats-every 10s 192.168.0.1
133t Outputnmap -oS [scan.txt] [target]nmap -oS scan.txt 192.168.0.1

Troubleshooting And Debugging

GoalCommandExample
Getting Helpnmap -hnmap -h
Display Nmap Versionnmap -Vnmap -V
Verbose Outputnmap -v [target]nmap -v 192.168.0.1
Debuggingnmap -d [target]nmap -d 192.168.0.1
Display Port State Reasonnmap –reason [target]nmap –reason 192.168.0.1
Only Display Open Portsnmap –open [target]nmap –open 192.168.0.1
Trace Packetsnmap –packet-trace [target]nmap –packet-trace 192.168.0.1
Display Host Networkingnmap –iflistnmap –iflist
Specify a Network Interfacenmap -e [interface] [target]nmap -e eth0 192.168.0.1

NMAP Scripting Engine

GoalCommandExample
Execute Individual Scriptsnmap –script [script.nse] [target]nmap –script banner.nse 192.168.0.1
Execute Multiple Scriptsnmap –script [expression] [target]nmap –script ‘http-*’ 192.168.0.1
Script Categoriesall, auth, default, discovery, external, intrusive, malware, safe, vuln
Execute Scripts by Categorynmap –script [category] [target]nmap –script ‘not intrusive’ 192.168.0.1
Execute Multiple Script Categoriesnmap –script [category1,category2,etc]nmap –script ‘default or safe’ 192.168.0.1
Troubleshoot Scriptsnmap –script [script] –script-trace [target]nmap –script banner.nse –script-trace 192.168.0.1
Update the Script Databasenmap –script-updatedbnmap –script-updatedb
Categories: Cheatsheet

Leave a Reply

Your email address will not be published. Required fields are marked *

en_USEnglish
si_LKSinhala en_USEnglish