Nmap Cheat Sheet

What is Nmap?

Nmap (“Network Mapper”) is a free and open source utility for network discovery and security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running. It was designed to rapidly scan large networks, but works fine against single hosts.

How to Use Nmap

Nmap can be used in a variety of ways depending on the user’s level of technical expertise.

Technical ExpertiseUsageBeginnerZenmap the graphical user interface for NmapIntermediateCommand lineAdvancedPython scripting with the Python-Nmap package

Command Line

nmap [ <Scan Type> ...] [ <Options> ] { <target specification> }

Basic Scanning Techniques

The -s switch determines the type of scan to perform.

Nmap SwitchDescription-sAACK scan-sFFIN scan-sIIDLE scan-sLDNS scan (a.k.a. list scan)-sNNULL scan-sOProtocol scan-sPPing scan-sRRPC scan-sSSYN scan-sTTCP connect scan-sWWindows scan-sXXMAS scan

Scan a Single Target

nmap [target]

Scan Multiple Targets

nmap [target1, target2, etc]

Scan a List of Targets

nmap -iL [list.txt]

Scan a Range of Hosts

nmap [range of IP addresses]

Scan an Entire Subnet

nmap [ip address/cdir]

Scan Random Hosts

nmap -iR [number]

Exclude Targets From a Scan

nmap [targets] --exclude [targets]

Exclude Targets Using a List

nmap [targets] --excludefile [list.txt]

Perform an Aggresive Scan

nmap -A [target]

Scan an IPv6 Target

nmap -6 [target]

Port Scanning Options

Perform a Fast Scan

nmap -F [target]

Scan Specific Ports

nmap -p [port(s)] [target]

Scan Ports by Name

nmap -p [port name(s)] [target]

Scan Ports by Protocol

nmap -sU -sT -p U:[ports],T:[ports] [target]

Scan All Ports

nmap -p 1-65535 [target]

Scan Top Ports

nmap --top-ports [number] [target]

Perform a Sequential Port Scan

nmap -r [target]

Attempt to Guess an Unknown OS

nmap -O --osscan-guess [target]

Service Version Detection

nmap -sV [target]

Troubleshoot Version Scan

nmap -sV --version-trace [target]

Perform a RPC Scan

nmap -sR [target]

Discovery Options

Host Discovery The -p switch determines the type of ping to perform.

Nmap SwitchDescription-PIICMP ping-PoNo ping-PSSYN ping-PTTCP ping

Perform a Ping Only Scan

nmap -sn [target]

Do Not Ping

nmap -Pn [target]

TCP SYN Ping

nmap -PS [target]

TCP ACK Ping

nmap -PA [target]

UDP Ping

nmap -PU [target]

SCTP INIT Ping

nmap -PY [target]

ICMP Echo Ping

nmap -PE [target]

ICMP Timestamp Ping

nmap -PP [target]

ICMP Address Mask Ping

nmap -PM [target]

IP Protocol Ping

nmap -PO [target]

ARP ping

nmap -PR [target]

Traceroute

nmap --traceroute [target]

Force Reverse DNS Resolution

nmap -R [target]

Disable Reverse DNS Resolution

nmap -n [target]

Alternative DNS Lookup

nmap --system-dns [target]

Manually Specify DNS Server

Can specify a single server or multiple.

nmap --dns-servers [servers] [target]

Create a Host List

nmap -sL [targets]

Port Specification and Scan Order

Nmap SwitchDescription

Service/Version Detection

Nmap SwitchDescription-sVEnumerates software versions

Script Scan

Nmap SwitchDescription-sCRun all default scripts

OS Detection

Nmap SwitchDescription

Timing and Performance

The -t switch determines the speed and stealth performed.

Nmap SwitchDescription-T0Serial, slowest scan-T1Serial, slow scan-T2Serial, normal speed scan-T3Parallel, normal speed scan-T4Parallel, fast scan

Not specifying a T value will default to -T3, or normal speed.

Firewall Evasion Techniques

Firewall/IDS Evasion and Spoofing

Nmap SwitchDescription

Fragment Packets

nmap -f [target]

Specify a Specific MTU

nmap --mtu [MTU] [target]

Use a Decoy

nmap -D RND:[number] [target]

Idle Zombie Scan

nmap -sI [zombie] [target]

Manually Specify a Source Port

nmap --source-port [port] [target]

Append Random Data

nmap --data-length [size] [target]

Randomize Target Scan Order

nmap --randomize-hosts [target]

Spoof MAC Address

nmap --spoof-mac [MAC|0|vendor] [target]

Send Bad Checksums

nmap --badsum [target]

Advanced Scanning Functions

TCP SYN Scan

nmap -sS [target]

TCP Connect Scan

nmap -sT [target]

UDP Scan

nmap -sU [target]

TCP NULL Scan

nmap -sN [target]

TCP FIN Scan

nmap -sF [target]

Xmas Scan

nmap -sA [target]

TCP ACK Scan

nmap -sA [target]

Custom TCP Scan

nmap --scanflags [flags] [target]

IP Protocol Scan

nmap -sO [target]

Send Raw Ethernet Packets

nmap --send-eth [target]

Send IP Packets

nmap --send-ip [target]

Timing Options

Timing Templates

nmap -T[0-5] [target]

Set the Packet TTL

nmap --ttl [time] [target]

Minimum NUmber of Parallel Operations

nmap --min-parallelism [number] [target]

Maximum Number of Parallel Operations

nmap --max-parallelism [number] [target]

Minimum Host Group Size

nmap --min-hostgroup [number] [targets]

Maximum Host Group Size

nmap --max-hostgroup [number] [targets]

Maximum RTT Timeout

nmap --initial-rtt-timeout [time] [target]

Initial RTT Timeout

nmap --max-rtt-timeout [TTL] [target]

Maximum Number of Retries

nmap --max-retries [number] [target]

Host Timeout

nmap --host-timeout [time] [target]

Minimum Scan Delay

nmap --scan-delay [time] [target]

Maxmimum Scan Delay

nmap --max-scan-delay [time] [target]

Minimum Packet Rate

nmap --min-rate [number] [target]

Maximum Packet Rate

nmap --max-rate [number] [target]

Defeat Reset Rate Limits

nmap --defeat-rst-ratelimit [target]

Output Options

Nmap SwitchDescription-oNNormal output-oXXML output-oANormal, XML, and Grepable format all at once

Save Output to a Text File

nmap -oN [scan.txt] [target]

Save Output to a XML File

nmap -oX [scan.xml] [target]

Grepable Output

nmap -oG [scan.txt] [target]

Output All Supported File Types

nmap -oA [path/filename] [target]

Periodically Display Statistics

nmap --stats-every [time] [target]

1337 Output

nmap -oS [scan.txt] [target]

Compare Scans

Comparison Using Ndiff

ndiff [scan1.xml] [scan2.xml]

Ndiff Verbose Mode

ndiff -v [scan1.xml] [scan2.xml]

XML Output Mode

ndiff --xml [scan1.xml] [scan2.xml]

Troubleshooting and Debugging

Get Help

nmap -h

Display Nmap Version

nmap -V

Verbose Output

nmap -v [target]

Debugging

nmap -d [target]

Display Port State Reason

nmap --reason [target]

Only Display Open Ports

nmap --open [target]

Trace Packets

nmap --packet-trace [target]

Display Host Networking

nmap --iflist

Specify a Network Interface

nmap -e [interface] [target]

Nmap Scripting Engine

Execute Individual Scripts

nmap --script [script.nse] [target]

Execute Multiple Scripts

nmap --script [expression] [target]

Execute Scripts by Category

nmap --script [category] [target]

Execute Multiple Script Categories

nmap --script [category1,category2,etc]

Troubleshoot Scripts

nmap --script [script] --script-trace [target]

Update the Script Database

What is Nmap?

Nmap ("Network Mapper") is a free and open source utility for network discovery and security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running. It was designed to rapidly scan large networks, but works fine against single hosts.

How to Use Nmap

Nmap can be used in a variety of ways depending on the user's level of technical expertise.

Technical ExpertiseUsageBeginnerZenmap the graphical user interface for NmapIntermediateCommand lineAdvancedPython scripting with the Python-Nmap package

Command Line

nmap [ <Scan Type> ...] [ <Options> ] { <target specification> }

Basic Scanning Techniques

The -s switch determines the type of scan to perform.

Nmap SwitchDescription-sAACK scan-sFFIN scan-sIIDLE scan-sLDNS scan (a.k.a. list scan)-sNNULL scan-sOProtocol scan-sPPing scan-sRRPC scan-sSSYN scan-sTTCP connect scan-sWWindows scan-sXXMAS scan

Scan a Single Target

nmap [target]

Scan Multiple Targets

nmap [target1, target2, etc]

Scan a List of Targets

nmap -iL [list.txt]

Scan a Range of Hosts

nmap [range of IP addresses]

Scan an Entire Subnet

nmap [ip address/cdir]

Scan Random Hosts

nmap -iR [number]

Exclude Targets From a Scan

nmap [targets] --exclude [targets]

Exclude Targets Using a List

nmap [targets] --excludefile [list.txt]

Perform an Aggresive Scan

nmap -A [target]

Scan an IPv6 Target

nmap -6 [target]

Port Scanning Options

Perform a Fast Scan

nmap -F [target]

Scan Specific Ports

nmap -p [port(s)] [target]

Scan Ports by Name

nmap -p [port name(s)] [target]

Scan Ports by Protocol

nmap -sU -sT -p U:[ports],T:[ports] [target]

Scan All Ports

nmap -p 1-65535 [target]

Scan Top Ports

nmap --top-ports [number] [target]

Perform a Sequential Port Scan

nmap -r [target]

Attempt to Guess an Unknown OS

nmap -O --osscan-guess [target]

Service Version Detection

nmap -sV [target]

Troubleshoot Version Scan

nmap -sV --version-trace [target]

Perform a RPC Scan

nmap -sR [target]

Discovery Options

Host Discovery The -p switch determines the type of ping to perform.

Nmap SwitchDescription-PIICMP ping-PoNo ping-PSSYN ping-PTTCP ping

Perform a Ping Only Scan

nmap -sn [target]

Do Not Ping

nmap -Pn [target]

TCP SYN Ping

nmap -PS [target]

TCP ACK Ping

nmap -PA [target]

UDP Ping

nmap -PU [target]

SCTP INIT Ping

nmap -PY [target]

ICMP Echo Ping

nmap -PE [target]

ICMP Timestamp Ping

nmap -PP [target]

ICMP Address Mask Ping

nmap -PM [target]

IP Protocol Ping

nmap -PO [target]

ARP ping

nmap -PR [target]

Traceroute

nmap --traceroute [target]

Force Reverse DNS Resolution

nmap -R [target]

Disable Reverse DNS Resolution

nmap -n [target]

Alternative DNS Lookup

nmap --system-dns [target]

Manually Specify DNS Server

Can specify a single server or multiple.

nmap --dns-servers [servers] [target]

Create a Host List

nmap -sL [targets]

Port Specification and Scan Order

Nmap SwitchDescription

Service/Version Detection

Nmap SwitchDescription-sVEnumerates software versions

Script Scan

Nmap SwitchDescription-sCRun all default scripts

OS Detection

Nmap SwitchDescription

Timing and Performance

The -t switch determines the speed and stealth performed.

Nmap SwitchDescription-T0Serial, slowest scan-T1Serial, slow scan-T2Serial, normal speed scan-T3Parallel, normal speed scan-T4Parallel, fast scan

Not specifying a T value will default to -T3, or normal speed.

Firewall Evasion Techniques

Firewall/IDS Evasion and Spoofing

Nmap SwitchDescription

Fragment Packets

nmap -f [target]

Specify a Specific MTU

nmap --mtu [MTU] [target]

Use a Decoy

nmap -D RND:[number] [target]

Idle Zombie Scan

nmap -sI [zombie] [target]

Manually Specify a Source Port

nmap --source-port [port] [target]

Append Random Data

nmap --data-length [size] [target]

Randomize Target Scan Order

nmap --randomize-hosts [target]

Spoof MAC Address

nmap --spoof-mac [MAC|0|vendor] [target]

Send Bad Checksums

nmap --badsum [target]

Advanced Scanning Functions

TCP SYN Scan

nmap -sS [target]

TCP Connect Scan

nmap -sT [target]

UDP Scan

nmap -sU [target]

TCP NULL Scan

nmap -sN [target]

TCP FIN Scan

nmap -sF [target]

Xmas Scan

nmap -sA [target]

TCP ACK Scan

nmap -sA [target]

Custom TCP Scan

nmap --scanflags [flags] [target]

IP Protocol Scan

nmap -sO [target]

Send Raw Ethernet Packets

nmap --send-eth [target]

Send IP Packets

nmap --send-ip [target]

Timing Options

Timing Templates

nmap -T[0-5] [target]

Set the Packet TTL

nmap --ttl [time] [target]

Minimum NUmber of Parallel Operations

nmap --min-parallelism [number] [target]

Maximum Number of Parallel Operations

nmap --max-parallelism [number] [target]

Minimum Host Group Size

nmap --min-hostgroup [number] [targets]

Maximum Host Group Size

nmap --max-hostgroup [number] [targets]

Maximum RTT Timeout

nmap --initial-rtt-timeout [time] [target]

Initial RTT Timeout

nmap --max-rtt-timeout [TTL] [target]

Maximum Number of Retries

nmap --max-retries [number] [target]

Host Timeout

nmap --host-timeout [time] [target]

Minimum Scan Delay

nmap --scan-delay [time] [target]

Maxmimum Scan Delay

nmap --max-scan-delay [time] [target]

Minimum Packet Rate

nmap --min-rate [number] [target]

Maximum Packet Rate

nmap --max-rate [number] [target]

Defeat Reset Rate Limits

nmap --defeat-rst-ratelimit [target]

Output Options

Nmap SwitchDescription-oNNormal output-oXXML output-oANormal, XML, and Grepable format all at once

Save Output to a Text File

nmap -oN [scan.txt] [target]

Save Output to a XML File

nmap -oX [scan.xml] [target]

Grepable Output

nmap -oG [scan.txt] [target]

Output All Supported File Types

nmap -oA [path/filename] [target]

Periodically Display Statistics

nmap --stats-every [time] [target]

1337 Output

nmap -oS [scan.txt] [target]

Compare Scans

Comparison Using Ndiff

ndiff [scan1.xml] [scan2.xml]

Ndiff Verbose Mode

ndiff -v [scan1.xml] [scan2.xml]

XML Output Mode

ndiff --xml [scan1.xml] [scan2.xml]

Troubleshooting and Debugging

Get Help

nmap -h

Display Nmap Version

nmap -V

Verbose Output

nmap -v [target]

Debugging

nmap -d [target]

Display Port State Reason

nmap --reason [target]

Only Display Open Ports

nmap --open [target]

Trace Packets

nmap --packet-trace [target]

Display Host Networking

nmap --iflist

Specify a Network Interface

nmap -e [interface] [target]

Nmap Scripting Engine

Execute Individual Scripts

nmap --script [script.nse] [target]

Execute Multiple Scripts

nmap --script [expression] [target]

Execute Scripts by Category

nmap --script [category] [target]

Execute Multiple Script Categories

nmap --script [category1,category2,etc]

Troubleshoot Scripts

nmap --script [script] --script-trace [target]

Update the Script Database

nmap --script-updatedb

--script-updatedb

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store