nmap cheat sheet
TARGET SPECIFICATION
SWITCH | EXAMPLE | DESCRIPTION
(none) | nmap 192.168.1.1 | Scan a single IP
(none) | nmap 192.168.1.1 192.168.2.1 | Scan specific IPs
(none) | nmap 192.168.1.1-254 | Scan a range
(none) | nmap scanme.nmap.org | Scan a hostname (resolved via DNS)
(none) | nmap 192.168.1.0/24 | Scan using CIDR notation
-iL | nmap -iL targets.txt | Scan targets from a file (one host, range or CIDR block per line)
-iR | nmap -iR 100 | Scan 100 random Internet hosts
--exclude | nmap 192.168.1.0/24 --exclude 192.168.1.1 | Exclude the listed hosts from the target set (--excludefile <file> reads them from a file)
SCAN TECHNIQUES
SWITCH | EXAMPLE | DESCRIPTION
-sS | nmap 192.168.1.1 -sS | TCP SYN port scan (default when running as root; never completes the handshake)
-sT | nmap 192.168.1.1 -sT | TCP connect port scan (default without root privileges; completes the handshake, so the target application logs the connection)
-sU | nmap 192.168.1.1 -sU | UDP port scan (slow; combine with -sS as -sSU to scan TCP and UDP in one run)
-sA | nmap 192.168.1.1 -sA | TCP ACK scan: maps firewall rules (filtered vs unfiltered) but does not find open ports
-sW | nmap 192.168.1.1 -sW | TCP Window scan (an ACK scan that also uses the TCP window field to tell open from closed ports on some systems)
-sM | nmap 192.168.1.1 -sM | TCP Maimon scan (FIN/ACK probes)
HOST DISCOVERY
SWITCH | EXAMPLE | DESCRIPTION
-sL | nmap 192.168.1.1-3 -sL | No scan. List targets only (does reverse DNS lookups unless -n is given)
-sn | nmap 192.168.1.1/24 -sn | Disable port scanning. Host discovery only
-Pn | nmap 192.168.1.1-5 -Pn | Disable host discovery. Port scan only (every target is treated as up)
-PS | nmap 192.168.1.1-5 -PS22-25,80 | TCP SYN discovery on the given ports. Port 80 by default
-PA | nmap 192.168.1.1-5 -PA22-25,80 | TCP ACK discovery on the given ports. Port 80 by default
-PU | nmap 192.168.1.1-5 -PU53 | UDP discovery on the given ports. Port 40125 by default
-PR | nmap 192.168.1.0/24 -PR | ARP discovery on the local network (nmap already uses ARP for targets on the local Ethernet segment)
-n | nmap 192.168.1.1 -n | Never do DNS resolution
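Putting the discovery switches to work, as an added example that is not part of the cheat sheet: a POSIX shell script that runs -sn first, then a SYN and version scan against only the hosts that answered, reading nmap's grepable output (-oG -, a real nmap output mode not listed in the tables above) rather than screen-scraping the normal output. The 10.0.0.0/29 addresses and the SAMPLE_OG text are constructed so the two parsers can be checked without nmap installed; the sweep function itself needs nmap, root privileges for -sS and ARP, and authorisation for the network you point it at.

```shell
#!/bin/sh
# Added example, not part of the cheat sheet: two-stage sweep that runs host
# discovery first (-sn) and port-scans only the hosts that answered, reading
# nmap's grepable output (-oG -) instead of screen-scraping the normal output.
# The network 10.0.0.0/29 and SAMPLE_OG below are constructed for the demo.
set -eu

TAB=$(printf '\t')

# Constructed -oG text in the shape nmap writes: one "Host:" line per host,
# tab-separated fields. -sn gives a "Status:" field; a port scan gives a
# "Ports:" field whose entries are port/state/proto/owner/service/rpc/version/
SAMPLE_OG=$({
  printf '# Nmap scan initiated (constructed sample)\n'
  printf 'Host: 10.0.0.1 ()\tStatus: Up\n'
  printf 'Host: 10.0.0.3 ()\tStatus: Down\n'
  printf 'Host: 10.0.0.5 (fileserver.lan)\tStatus: Up\n'
  printf 'Host: 10.0.0.5 (fileserver.lan)\tPorts: 22/open/tcp//ssh//OpenSSH 8.4p1/, 80/open/tcp//http//nginx 1.18.0/, 443/filtered/tcp//https///\tIgnored State: closed (997)\n'
})

# Print the address of every host nmap reported as Up (second whitespace
# field of a "Host:" line that carries "Status: Up").
live_hosts() {
  awk '$1 == "Host:" && /Status: Up/ { print $2 }'
}

# Print "ip port/proto service version" for each open port. Entries in any
# other state (filtered, closed) are dropped; the seven slash-separated
# fields are port, state, proto, owner, service, rpc info, version.
open_ports() {
  awk -F "$TAB" '
    $1 ~ /^Host:/ {
      split($1, h, " "); ip = h[2]
      for (i = 2; i <= NF; i++) {
        if ($i !~ /^Ports: /) continue
        sub(/^Ports: /, "", $i)
        n = split($i, entry, ", ")
        for (j = 1; j <= n; j++) {
          split(entry[j], f, "/")
          if (f[2] == "open") print ip, f[1] "/" f[3], f[5], f[7]
        }
      }
    }'
}

# Stage 1: discovery (ARP on the local segment, ICMP/TCP probes otherwise).
# Stage 2: SYN + version scan of the live hosts only, with -Pn because they
# are already known to be up. Needs root for -sS and ARP; scan only
# networks you are authorised to test.
sweep() {
  net=$1
  hosts=$(nmap -sn -n -oG - "$net" | live_hosts | tr '\n' ' ')
  if [ -z "$hosts" ]; then
    echo "no live hosts in $net" >&2
    return 0
  fi
  # $hosts is intentionally unquoted so each address becomes an argument
  nmap -n -Pn -sS -sV --open -oG - $hosts | open_ports
}

# Usage: sh sweep.sh 10.0.0.0/29
if [ $# -gt 0 ]; then
  sweep "$1"
fi
```

Splitting the sweep in two keeps the noisy SYN/version scan off addresses that never answered, and parsing -oG means a changed version banner cannot break the pipeline the way a change in normal-output wording would.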
NSE SCRIPTS
SWITCH | EXAMPLE | DESCRIPTION
-sC | nmap 192.168.1.1 -sC | Scan with the default NSE scripts. Considered useful for discovery and safe
--script default | nmap 192.168.1.1 --script default | Same as -sC: scan with the default NSE scripts
--script | nmap 192.168.1.1 --script=banner | Scan with a single script. Example: banner
--script | nmap 192.168.1.1 --script "http*" | Scan with a wildcard. Example: every script whose name starts with http (quote the pattern so the shell does not expand it against local filenames)
--script | nmap 192.168.1.1 --script=http-title,banner | Scan with two scripts. Example: http-title and banner (http on its own is not a script or category name and is rejected)
--script | nmap 192.168.1.1 --script "default and not intrusive" | Scan with the default scripts but remove those in the intrusive category ("not intrusive" alone would select every non-intrusive script in the library, far more than the defaults)
--script-args | nmap --script snmp-sysdescr --script-args snmpcommunity=admin 192.168.1.1 | NSE script with arguments (several are separated by commas)
USEFUL NSE SCRIPT EXAMPLES
COMMAND | DESCRIPTION
nmap -Pn --script=http-sitemap-generator scanme.nmap.org | HTTP site map generator
nmap -n -Pn -p 80 --open -sV -vvv --script banner,http-title -iR 1000 | Fast search for random web servers
nmap -Pn --script=dns-brute domain.com | Brute-force DNS hostnames, guessing subdomains
nmap -n -Pn -vv -O -sV --script "smb-enum*,smb-ls,smb-mbenum,smb-os-discovery,smb-s*,smb-vuln*,smbv2*" 192.168.1.1 | SMB enumeration and vulnerability checks. Not all of these are safe: several smb-vuln-* scripts are in the intrusive or dos categories and can crash an unpatched host, so check the selection with nmap --script-help "smb-vuln*" before running it against production systems
nmap --script "whois*" domain.com | Whois query (whois-ip and whois-domain; these contact external whois servers)
nmap -p80 --script http-unsafe-output-escaping scanme.nmap.org | Detect user input reflected without escaping (a possible cross-site scripting vector)
nmap -p80 --script http-sql-injection scanme.nmap.org | Check discovered forms and URL parameters for SQL injection
FIREWALL / IDS EVASION AND SPOOFING
SWITCH | EXAMPLE | DESCRIPTION
-f | nmap 192.168.1.1 -f | Requested scans (including ping scans) use tiny fragmented IP packets, which some packet filters and IDSs handle poorly. Needs raw sockets (root) and does not apply to -sT connect scans
--mtu | nmap 192.168.1.1 --mtu 32 | Set your own fragment size (must be a multiple of 8; do not combine with -f)
-D | nmap -D 192.168.1.101,192.168.1.102,192.168.1.103,192.168.1.23 192.168.1.1 | Send scans from spoofed decoy IPs mixed in with your own, so the target sees several apparent sources. Decoys should be live hosts or you may SYN-flood the target
-D | nmap -D decoy-ip1,decoy-ip2,ME,decoy-ip3,decoy-ip4 remote-host-ip | Above example explained: ME stands for your own address and fixes its position in the decoy order (nmap places it at a random position if ME is omitted)
-g | nmap -g 53 192.168.1.1 | Use the given source port number (same as --source-port); can get past filters that blindly trust traffic from DNS or other well-known source ports
--data-length | nmap --data-length 200 192.168.1.1 | Append 200 bytes of random data to sent packets, changing the packet sizes that signatures may key on
MISCELLANEOUS NMAP FLAGS
SWITCH | EXAMPLE | DESCRIPTION
-6 | nmap -6 2607:f0d0:1002:51::4 | Enable IPv6 scanning
-h | nmap -h | Nmap help screen
OTHER USEFUL NMAP COMMANDS
COMMAND | DESCRIPTION
nmap -iR 10 -PS22-25,80,113,1050,35000 -v -sn | Discovery only on the given ports, no port scan
nmap 192.168.1.0/24 -PR -sn -vv | ARP discovery only on the local network, no port scan
nmap -iR 10 -sn --traceroute | Traceroute to random targets, no port scan
nmap 192.168.1.1-50 -sL --dns-servers 192.168.1.1 | Query the internal DNS server for reverse records of the listed hosts; list targets only, nothing is sent to the targets themselves
nmap 192.168.1.1 --packet-trace | Show the details of every packet sent and received during the scan. This is printed to the console, not written as a capture file; run tcpdump or Wireshark alongside if you need a pcap