Nmap Cheat Sheet

This entry is part 17 of 25 in the series Red Team Engagements

Network Mapper · Comprehensive Command Reference
Target Specification

nmap 192.168.1.1 · Scan a single IP
nmap 192.168.1.1-254 · Scan an IP range
nmap 192.168.1.0/24 · Scan a CIDR subnet
nmap 10.0.0.1 10.0.0.2 · Scan multiple IPs
nmap -iL targets.txt · Read targets from a file
nmap --exclude 192.168.1.5 <targets> · Exclude host(s) from the scan
nmap --excludefile exc.txt <targets> · Exclude hosts listed in a file
nmap -6 ::1 · Enable IPv6 scanning
Scan Types

nmap -sS <target> · TCP SYN scan (half-open; the default when run as root) [stealth]
nmap -sT <target> · TCP connect scan (full handshake; the default without raw-socket privileges)
nmap -sA <target> · TCP ACK scan — maps firewall rules (filtered vs. unfiltered) [fw map]
nmap -sW <target> · TCP Window scan
nmap -sM <target> · Maimon scan (FIN/ACK probe)
nmap -sU <target> · UDP scan (slow; combine with -sS) [slow]
nmap -sN <target> · TCP Null scan — no flags set [stealth]
nmap -sF <target> · TCP FIN scan [stealth]
nmap -sX <target> · Xmas scan (FIN+PSH+URG flags) [stealth]
nmap -sP <target> · Ping scan / host discovery only (deprecated alias for -sn)
nmap -sn <target> · Disable port scan (host discovery only)
nmap -Pn <target> · Skip host discovery (treat all hosts as up)
Port Specification

nmap -p 22 <target> · Scan a specific port
nmap -p 22,80,443 <target> · Scan multiple ports
nmap -p 1-1024 <target> · Scan a port range
nmap -p- <target> · Scan all 65535 ports [slow]
nmap -p U:53,T:80 <target> · Scan UDP port 53 and TCP port 80 (the UDP part is only scanned when -sU is also given)
nmap --top-ports 100 <target> · Scan the 100 most common ports
nmap --top-ports 1000 <target> · Scan the top 1000 ports (the default)
nmap -F <target> · Fast mode — top 100 ports only
nmap -r <target> · Scan ports in sequential order (no randomization)
Service & Version Detection

nmap -sV <target> · Probe open ports to determine service/version
nmap -sV --version-intensity 0 <target> · Light version detection (fast)
nmap -sV --version-intensity 9 <target> · Maximum version intensity (thorough) [slow]
nmap -sV --version-light <target> · Alias for --version-intensity 2
nmap -sV --version-all <target> · Alias for --version-intensity 9
nmap -A <target> · OS detection + version detection + default scripts + traceroute
nmap -sR <target> · RPC scan (identify RPC programs); in current Nmap this is an alias for -sV
OS Detection

nmap -O <target> · Enable OS detection
nmap -O --osscan-limit <target> · Only attempt OS detection on promising hosts (at least one open and one closed TCP port)
nmap -O --osscan-guess <target> · Guess the OS more aggressively
nmap -O --max-os-tries 1 <target> · Limit OS detection attempts
nmap -A <target> · OS + version + scripts + traceroute (all-in-one)
Timing & Performance

nmap -T0 <target> · Paranoid — very slow, IDS evasion [IDS evade]
nmap -T1 <target> · Sneaky — slow, some IDS evasion [IDS evade]
nmap -T2 <target> · Polite — slows down to reduce bandwidth use
nmap -T3 <target> · Normal — default timing (balanced)
nmap -T4 <target> · Aggressive — faster on reliable networks
nmap -T5 <target> · Insane — very fast, may miss results [noisy]
nmap --min-rate 1000 <target> · Send no fewer than 1000 packets/sec
nmap --max-rate 500 <target> · Cap the send rate at 500 packets/sec
nmap --min-parallelism 10 <target> · Minimum number of parallel probes
nmap --max-parallelism 1 <target> · Disable parallelism (serial probes)
nmap --min-hostgroup 64 <target> · Minimum hosts per scan batch
nmap --host-timeout 30s <target> · Give up on a host after 30s
Host Discovery

nmap -sn 192.168.1.0/24 · Ping sweep (no port scan)
nmap -Pn <target> · Skip discovery — assume all hosts are up
nmap -PS22,80,443 <target> · TCP SYN ping on the specified ports
nmap -PA22,80 <target> · TCP ACK ping on the specified ports
nmap -PU53 <target> · UDP ping on port 53
nmap -PE <target> · ICMP echo request ping
nmap -PP <target> · ICMP timestamp ping
nmap -PM <target> · ICMP address mask ping
nmap -PR <target> · ARP ping (local Ethernet segment only)
nmap -n <target> · Never do DNS resolution
NSE Scripting Engine

nmap -sC <target> · Run default scripts (alias for --script=default)
nmap --script=banner <target> · Banner grab on open ports
nmap --script=http-title <target> · Get web page titles
nmap --script=vuln <target> · Run all vulnerability detection scripts [noisy]
nmap --script=auth <target> · Scripts dealing with authentication
nmap --script=brute <target> · Brute-force login scripts [noisy]
nmap --script=exploit <target> · Exploitation scripts [danger]
nmap --script=safe <target> · Only safe/non-destructive scripts
nmap --script="smb-vuln*" <target> · All SMB vulnerability scripts (EternalBlue, etc.); quote the wildcard so the shell does not expand it
nmap --script=http-enum <target> · Enumerate HTTP paths/directories
nmap --script=ssl-cert <target> · Retrieve SSL certificate information
nmap --script=dns-brute <target> · DNS subdomain brute force
nmap --script-args=user=admin,pass=s3cr3t <target> · Pass arguments to scripts
nmap --script-updatedb · Update the NSE script database
Output Formats

nmap -oN output.txt <target> · Normal output (human readable)
nmap -oX output.xml <target> · XML output
nmap -oG output.gnmap <target> · Grepable output
nmap -oA output <target> · All three formats at once (output.nmap, output.xml, output.gnmap)
nmap -oS output.txt <target> · Script kiddie output (l33t speak)
nmap -v <target> · Verbose — show results as they are discovered
nmap -vv <target> · Very verbose output
nmap -d <target> · Debugging output
nmap --reason <target> · Show the reason for each port state
Firewall / IDS Evasion

nmap -f <target> · Fragment packets (8-byte fragments) [evade]
nmap -ff <target> · Fragment into 16-byte fragments [evade]
nmap --mtu 32 <target> · Set a custom MTU (must be a multiple of 8)
nmap -D RND:10 <target> · Decoy scan — 10 random decoy IPs [evade]
nmap -D 1.2.3.4,ME <target> · Decoy with specific IPs (ME = your own IP)
nmap -S 1.2.3.4 <target> · Spoof the source address (replies go to the spoofed address, so results are not seen) [caution]
nmap -e eth0 <target> · Use a specific network interface
nmap --source-port 53 <target> · Use a fixed source port (alias -g); may bypass naive firewall rules
nmap --proxies socks4://<ip>:1080 <target> · Route the scan through a SOCKS proxy
nmap --data-length 200 <target> · Append random data to sent packets
nmap --ip-options "L 192.168.1.1" <target> · Set IP options (e.g. loose source routing)
nmap --ttl 64 <target> · Set the IP time-to-live field
nmap --randomize-hosts <targets> · Randomize host scan order [evade]
Common One-Liners & Combos

nmap -sV -sC -O -p- --open -oA full <target> · Full recon: version + scripts + OS, all ports
nmap -sS -T4 --top-ports 1000 -oA quick <target> · Quick SYN scan of the top 1000 ports
nmap -sU -sS -p U:53,111,137,T:21-25,80,139,8080 <target> · Combined UDP + TCP common ports
nmap -sn 192.168.1.0/24 | grep "Nmap scan" | awk '{print $5}' · Extract live IPs from a ping sweep (field 5 is the hostname when reverse DNS resolves; add -n to force IPs)
nmap -sV --script=banner -p 21,22,25,80,443,3306,3389 <target> · Banner grab on common service ports
nmap -sS -sV --script=vuln -T4 -p- <target> · Full vuln scan, all ports (pentest) [noisy]
nmap -p 445 --script=smb-vuln-ms17-010 <target> · Check for EternalBlue (MS17-010)
nmap -p 3389 --script=rdp-vuln-ms12-020 <target> · Check for RDP vuln MS12-020
nmap -sV -p 443 --script=ssl-heartbleed <target> · Check for Heartbleed (CVE-2014-0160)
nmap -T2 -f -D RND:5 --source-port 53 <target> · Evasive scan — fragments + decoys + fixed source port [evade]
nmap --script=http-enum,http-headers,http-methods -p 80,443 <target> · HTTP enumeration combo
nmap -iL hosts.txt -sS -sV -oX results.xml -T4 · Batch scan from a file → XML output
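The grepable (-oG) format listed under Output Formats, and the grep/awk one-liner above that pulls hosts out of a sweep, are easier to post-process with a small parser. This is an added Python example, not part of the original cheat sheet: the -oG text is constructed to mirror Nmap's "Host: ip (name)<TAB>Ports: port/state/proto/owner/service/rpcinfo/version/" layout, and the function names are my own. The baseline comparison at the end is the defender-side use: flag ports that are open now but were not in a previous scan.

```python
import re

# Constructed sample of "nmap -sS -sV -oG" output (not a real scan).
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated Mon Jan  1 10:00:00 2024 as: nmap -sS -sV -oG out.gnmap 192.168.1.0/24
Host: 192.168.1.10 ()\tStatus: Up
Host: 192.168.1.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/open/tcp//http//nginx 1.18.0/, 443/closed/tcp//https///\tIgnored State: filtered (997)
Host: 192.168.1.20 (printer.lan)\tStatus: Up
Host: 192.168.1.20 (printer.lan)\tPorts: 9100/open/tcp//jetdirect///\tIgnored State: closed (999)
# Nmap done at Mon Jan  1 10:01:00 2024 -- 256 IP addresses (2 hosts up) scanned in 60.00 seconds
"""

# "Host: <ip> (<hostname>)" followed by tab-separated fields.
HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)\t(.*)$")


def parse_gnmap(text):
    """Parse -oG text into {ip: {"hostname": str, "ports": [dict, ...]}}."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:            # skip the "# Nmap ..." banner and footer lines
            continue
        ip, hostname, rest = m.groups()
        entry = hosts.setdefault(ip, {"hostname": hostname, "ports": []})
        for field in rest.split("\t"):
            if not field.startswith("Ports: "):
                continue     # "Status:", "Ignored State:", "OS:" fields
            for spec in field[len("Ports: "):].split(", "):
                # port/state/protocol/owner/service/rpc info/version/
                f = spec.split("/")
                entry["ports"].append({"port": int(f[0]), "state": f[1],
                                       "proto": f[2], "service": f[4],
                                       "version": f[6]})
    return hosts


def open_ports(hosts):
    """Sorted (ip, port, proto, service) tuples for ports in state 'open'."""
    return sorted((ip, p["port"], p["proto"], p["service"])
                  for ip, h in hosts.items() for p in h["ports"]
                  if p["state"] == "open")


def new_exposures(baseline_text, current_text):
    """Open ports present in the current scan but absent from the baseline."""
    return sorted(set(open_ports(parse_gnmap(current_text)))
                  - set(open_ports(parse_gnmap(baseline_text))))


if __name__ == "__main__":
    for row in open_ports(parse_gnmap(SAMPLE_GNMAP)):
        print("%s %d/%s %s" % row)
```

Nmap replaces any "/" inside a version string with "|" in -oG output, so the fixed-position split above is safe on real files.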
DNS & Network Options

nmap -n <target> · No DNS resolution (faster)
nmap -R <target> · Always resolve DNS for all hosts
nmap --dns-servers 8.8.8.8 <target> · Use a custom DNS server
nmap --system-dns <target> · Use the system DNS resolver
nmap --traceroute <target> · Trace the hop path to the host
nmap -e eth0 <target> · Use a specific network interface
nmap --packet-trace <target> · Show all packets sent and received
Misc & Utility

nmap --open <target> · Only show open (or open|filtered) ports
nmap --iflist · Print host interfaces and routes
nmap --resume output.gnmap · Resume an aborted scan from its normal (-oN) or grepable (-oG) output file
nmap --append-output -oN out.txt <target> · Append results to an existing file
nmap --privileged <target> · Assume the user is fully privileged
nmap --unprivileged <target> · Assume the user lacks raw socket privileges
nmap --badsum <target> · Send packets with a bogus TCP/UDP checksum
nmap --send-eth <target> · Send raw Ethernet frames
nmap -6 --script=ipv6-node-info <target> · Query IPv6 node information