Nmap Cheat Sheet
What is Nmap?
Nmap (“Network Mapper”) is a free and open source utility for network discovery and security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running. It was designed to rapidly scan large networks, but works fine against single hosts.
How to Use Nmap
Nmap can be used in a variety of ways depending on the user’s level of technical expertise.
| Technical Expertise | Usage |
| --- | --- |
| Beginner | Zenmap, the graphical user interface for Nmap |
| Intermediate | Command line |
| Advanced | Python scripting with the Python-Nmap package |
Command Line
nmap [ <Scan Type> ...] [ <Options> ] { <target specification> }
Basic Scanning Techniques
The -s switch determines the type of scan to perform.
| Nmap Switch | Description |
| --- | --- |
| -sA | ACK scan |
| -sF | FIN scan |
| -sI | IDLE scan |
| -sL | DNS scan (a.k.a. list scan) |
| -sN | NULL scan |
| -sO | Protocol scan |
| -sP | Ping scan |
| -sR | RPC scan |
| -sS | SYN scan |
| -sT | TCP connect scan |
| -sW | Windows scan |
| -sX | XMAS scan |
Scan a Single Target
nmap [target]
Scan Multiple Targets
nmap [target1] [target2] [etc]
Scan a List of Targets
nmap -iL [list.txt]
Scan a Range of Hosts
nmap [range of IP addresses]
Scan an Entire Subnet
nmap [ip address/cidr]
Scan Random Hosts
nmap -iR [number]
Exclude Targets From a Scan
nmap [targets] --exclude [targets]
Exclude Targets Using a List
nmap [targets] --excludefile [list.txt]
Perform an Aggressive Scan
nmap -A [target]
Scan an IPv6 Target
nmap -6 [target]
Port Scanning Options
Perform a Fast Scan
nmap -F [target]
Scan Specific Ports
nmap -p [port(s)] [target]
Scan Ports by Name
nmap -p [port name(s)] [target]
Scan Ports by Protocol
nmap -sU -sT -p U:[ports],T:[ports] [target]
Scan All Ports
nmap -p 1-65535 [target]
Scan Top Ports
nmap --top-ports [number] [target]
Perform a Sequential Port Scan
nmap -r [target]
Attempt to Guess an Unknown OS
nmap -O --osscan-guess [target]
Service Version Detection
nmap -sV [target]
Troubleshoot Version Scan
nmap -sV --version-trace [target]
Perform a RPC Scan
nmap -sR [target]
Discovery Options
Host Discovery
The -P switch determines the type of ping to perform.
| Nmap Switch | Description |
| --- | --- |
| -PI | ICMP ping |
| -Pn | No ping |
| -PS | SYN ping |
| -PT | TCP ping |
Perform a Ping Only Scan
nmap -sn [target]
Do Not Ping
nmap -Pn [target]
TCP SYN Ping
nmap -PS [target]
TCP ACK Ping
nmap -PA [target]
UDP Ping
nmap -PU [target]
SCTP INIT Ping
nmap -PY [target]
ICMP Echo Ping
nmap -PE [target]
ICMP Timestamp Ping
nmap -PP [target]
ICMP Address Mask Ping
nmap -PM [target]
IP Protocol Ping
nmap -PO [target]
ARP Ping
nmap -PR [target]
Traceroute
nmap --traceroute [target]
Force Reverse DNS Resolution
nmap -R [target]
Disable Reverse DNS Resolution
nmap -n [target]
Alternative DNS Lookup
nmap --system-dns [target]
Manually Specify DNS Server
You can specify a single server or multiple servers.
nmap --dns-servers [servers] [target]
Create a Host List
nmap -sL [targets]
Port Specification and Scan Order
| Nmap Switch | Description |
| --- | --- |
Service/Version Detection
| Nmap Switch | Description |
| --- | --- |
| -sV | Enumerates software versions |
Script Scan
| Nmap Switch | Description |
| --- | --- |
| -sC | Run all default scripts |
OS Detection
| Nmap Switch | Description |
| --- | --- |
Timing and Performance
The -T switch determines the speed and stealth of the scan.
| Nmap Switch | Description |
| --- | --- |
| -T0 | Serial, slowest scan |
| -T1 | Serial, slow scan |
| -T2 | Serial, normal speed scan |
| -T3 | Parallel, normal speed scan |
| -T4 | Parallel, fast scan |

Not specifying a -T value will default to -T3, or normal speed.
Firewall Evasion Techniques
Firewall/IDS Evasion and Spoofing
| Nmap Switch | Description |
| --- | --- |
Fragment Packets
nmap -f [target]
Specify a Specific MTU
nmap --mtu [MTU] [target]
Use a Decoy
nmap -D RND:[number] [target]
Idle Zombie Scan
nmap -sI [zombie] [target]
Manually Specify a Source Port
nmap --source-port [port] [target]
Append Random Data
nmap --data-length [size] [target]
Randomize Target Scan Order
nmap --randomize-hosts [target]
Spoof MAC Address
nmap --spoof-mac [MAC|0|vendor] [target]
Send Bad Checksums
nmap --badsum [target]
Advanced Scanning Functions
TCP SYN Scan
nmap -sS [target]
TCP Connect Scan
nmap -sT [target]
UDP Scan
nmap -sU [target]
TCP NULL Scan
nmap -sN [target]
TCP FIN Scan
nmap -sF [target]
Xmas Scan
nmap -sX [target]
TCP ACK Scan
nmap -sA [target]
Custom TCP Scan
nmap --scanflags [flags] [target]
IP Protocol Scan
nmap -sO [target]
Send Raw Ethernet Packets
nmap --send-eth [target]
Send IP Packets
nmap --send-ip [target]
Timing Options
Timing Templates
nmap -T[0-5] [target]
Set the Packet TTL
nmap --ttl [time] [target]
Minimum Number of Parallel Operations
nmap --min-parallelism [number] [target]
Maximum Number of Parallel Operations
nmap --max-parallelism [number] [target]
Minimum Host Group Size
nmap --min-hostgroup [number] [targets]
Maximum Host Group Size
nmap --max-hostgroup [number] [targets]
Initial RTT Timeout
nmap --initial-rtt-timeout [time] [target]
Maximum RTT Timeout
nmap --max-rtt-timeout [time] [target]
Maximum Number of Retries
nmap --max-retries [number] [target]
Host Timeout
nmap --host-timeout [time] [target]
Minimum Scan Delay
nmap --scan-delay [time] [target]
Maximum Scan Delay
nmap --max-scan-delay [time] [target]
Minimum Packet Rate
nmap --min-rate [number] [target]
Maximum Packet Rate
nmap --max-rate [number] [target]
Defeat Reset Rate Limits
nmap --defeat-rst-ratelimit [target]
Output Options
| Nmap Switch | Description |
| --- | --- |
| -oN | Normal output |
| -oX | XML output |
| -oA | Normal, XML, and Grepable format all at once |
Save Output to a Text File
nmap -oN [scan.txt] [target]
Save Output to an XML File
nmap -oX [scan.xml] [target]
Grepable Output
nmap -oG [scan.txt] [target]
Output All Supported File Types
nmap -oA [path/filename] [target]
Periodically Display Statistics
nmap --stats-every [time] [target]
1337 Output
nmap -oS [scan.txt] [target]
Compare Scans
Comparison Using Ndiff
ndiff [scan1.xml] [scan2.xml]
Ndiff Verbose Mode
ndiff -v [scan1.xml] [scan2.xml]
XML Output Mode
ndiff --xml [scan1.xml] [scan2.xml]
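The kind of comparison Ndiff makes between two -oX reports, sketched in Python with only the standard library to flag ports whose state changed between a baseline and a later scan. This is an added example, not part of the original cheat sheet or of Nmap/Ndiff; the two XML reports are constructed samples, and the names port_states and diff_scans are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample reports in the layout of `nmap -oX` output (not real scan data).
BASELINE_XML = """<nmaprun>
<host><address addr="192.0.2.10" addrtype="ipv4"/><ports>
 <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
 <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
</ports></host></nmaprun>"""
CURRENT_XML = """<nmaprun>
<host><address addr="192.0.2.10" addrtype="ipv4"/><ports>
 <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
 <port protocol="tcp" portid="80"><state state="closed"/><service name="http"/></port>
 <port protocol="tcp" portid="3306"><state state="open"/><service name="mysql"/></port>
</ports></host>
<host><address addr="192.0.2.20" addrtype="ipv4"/><ports>
 <port protocol="tcp" portid="23"><state state="open"/><service name="telnet"/></port>
</ports></host></nmaprun>"""


def port_states(xml_text):
    """Map (address, protocol, port) -> (state, service name) for each scanned port."""
    states = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr_el = host.find("address")  # first <address> element, assumed to be the IP
        if addr_el is None:
            continue
        for port in host.iter("port"):
            state_el, svc = port.find("state"), port.find("service")
            if state_el is None:
                continue
            key = (addr_el.get("addr"), port.get("protocol"), int(port.get("portid")))
            states[key] = (state_el.get("state"), svc.get("name", "") if svc is not None else "")
    return states


def diff_scans(old_xml, new_xml):
    """Return sorted (key, old_state, new_state) tuples for ports whose state changed."""
    old, new = port_states(old_xml), port_states(new_xml)
    changes = []
    for key in sorted(old.keys() | new.keys()):
        before = old.get(key, ("absent", ""))[0]  # "absent": port or host not in that report
        after = new.get(key, ("absent", ""))[0]
        if before != after:
            changes.append((key, before, after))
    return changes


if __name__ == "__main__":
    for (addr, proto, port), before, after in diff_scans(BASELINE_XML, CURRENT_XML):
        print(f"{addr} {port}/{proto}: {before} -> {after}")
```

Ports that move from absent or closed to open are the entries worth reviewing first when the baseline is a known-good inventory scan.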
Troubleshooting and Debugging
Get Help
nmap -h
Display Nmap Version
nmap -V
Verbose Output
nmap -v [target]
Debugging
nmap -d [target]
Display Port State Reason
nmap --reason [target]
Only Display Open Ports
nmap --open [target]
Trace Packets
nmap --packet-trace [target]
Display Host Networking
nmap --iflist
Specify a Network Interface
nmap -e [interface] [target]
Nmap Scripting Engine
Execute Individual Scripts
nmap --script [script.nse] [target]
Execute Multiple Scripts
nmap --script [expression] [target]
Execute Scripts by Category
nmap --script [category] [target]
Execute Multiple Script Categories
nmap --script [category1,category2,etc] [target]
Troubleshoot Scripts
nmap --script [script] --script-trace [target]
Update the Script Database
nmap --script-updatedb