Master Nmap, the network mapper tool, with this comprehensive Nmap Cheat Sheet. From basic commands for beginners to advanced techniques for experts, this guide covers target specification, host discovery, scan techniques, and more to help you secure and analyze your network efficiently. Perfect for cybersecurity professionals, network administrators, and ethical hackers.
Begin your journey with the foundational building blocks of Nmap, exploring basic commands that lay the groundwork for more complex network analysis. This Nmap Cheat Sheet is crafted to ease beginners into the process of network mapping, ensuring a solid grasp of fundamental concepts and techniques.
Target Specification

| Goal | Command | Example |
|---|---|---|
| Scan a single host | nmap [host] | nmap scanme.nmap.org |
| Scan multiple IPs or subnets | nmap [targets] | nmap 192.168.1.1 10.0.0.1/24 |
| Input from list of hosts/networks | -iL [inputfilename] | nmap -iL targets.txt |
| Choose random targets | -iR [num hosts] | nmap -iR 100 |
| Exclude specific hosts/networks | --exclude [targets] | nmap --exclude 192.168.1.1 192.168.1.0/24 |
| Exclude hosts from a file | --excludefile [file] | nmap --excludefile exclude.txt 192.168.1.0/24 |
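The table above lists the target forms Nmap accepts but does not show how they combine. The following is an added example written for this cheat sheet, not Nmap's own target parser: it expands explicit targets, an -iL file and the --exclude / --excludefile lists into the final host set, and supports single addresses, CIDR blocks and Nmap's octet ranges such as 10.0.0.1-3 or 192.168.3-5,7.1. Hostnames are kept as literal strings (no DNS lookup), and the file contents are constructed stand-ins for targets.txt and exclude.txt.

```python
"""Resolve an Nmap-style target list the way the Target Specification table
describes: explicit targets, an -iL file, and --exclude / --excludefile.

Added example for this cheat sheet; not Nmap's own target parser. It
supports single IPs, CIDR blocks, and Nmap's octet ranges (e.g. 10.0.0.1-3
or 192.168.3-5,7.1). Hostnames are kept as strings and not resolved here.
The file contents at the bottom are constructed samples.
"""
import ipaddress
import itertools


def _octet_values(field):
    """Expand one dotted-quad field like '1-3', '3-5,7' or '10-' into ints."""
    values = set()
    for piece in field.split(","):
        if "-" in piece:
            lo, _, hi = piece.partition("-")
            lo, hi = (int(lo) if lo else 0), (int(hi) if hi else 255)
        else:
            lo = hi = int(piece)
        if not 0 <= lo <= hi <= 255:
            raise ValueError(f"bad octet range: {field!r}")
        values.update(range(lo, hi + 1))
    return values


def expand_target(spec):
    """Return the set of address strings one target token stands for."""
    spec = spec.strip()
    if not spec:
        return set()
    if "/" in spec:
        # strict=False mirrors Nmap: host bits in 10.0.0.1/24 are masked off, and
        # every address in the block (network and broadcast included) is scanned.
        return {str(ip) for ip in ipaddress.ip_network(spec, strict=False)}
    fields = spec.split(".")
    if len(fields) == 4 and all(f and set(f) <= set("0123456789,-") for f in fields):
        per_field = [sorted(_octet_values(f)) for f in fields]
        return {".".join(map(str, combo)) for combo in itertools.product(*per_field)}
    return {spec}  # hostname: left for Nmap's resolver


def specs_from_file(text):
    """Tokens from an -iL / --excludefile body: whitespace-separated, '#' comments."""
    specs = []
    for line in text.splitlines():
        specs.extend(line.split("#", 1)[0].split())
    return specs


def _sort_key(target):
    try:
        return (0, int(ipaddress.ip_address(target)))
    except ValueError:
        return (1, target)  # hostnames sort after addresses


def resolve_targets(targets, input_file_text="", exclude=(), exclude_file_text=""):
    """Final scan list: (targets + -iL file) minus (--exclude + --excludefile)."""
    wanted = set()
    for spec in list(targets) + specs_from_file(input_file_text):
        wanted |= expand_target(spec)
    excluded = set()
    for spec in list(exclude) + specs_from_file(exclude_file_text):
        excluded |= expand_target(spec)
    return sorted(wanted - excluded, key=_sort_key)


if __name__ == "__main__":
    # constructed stand-ins for the targets.txt and exclude.txt files in the table
    targets_txt = "# lab hosts\nscanme.nmap.org\n10.0.0.1-3\n"
    exclude_txt = "10.0.0.2  # printer, do not scan\n"
    print(resolve_targets(["192.168.1.0/30"], targets_txt, ["192.168.1.1"], exclude_txt))
```

Pass --exclude entries as a list rather than one comma-joined string: a comma inside an octet range ("192.168.3-5,7.1") is part of the range syntax, so splitting on commas would corrupt it.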
Host Discovery

| Goal | Command | Example |
|---|---|---|
| List Scan: simply list targets to scan | -sL | nmap -sL 192.168.1.0/24 |
| Ping Scan: disable port scan | -sn | nmap -sn 192.168.1.0/24 |
| Treat all hosts as online: skip discovery | -Pn | nmap -Pn 192.168.1.1 |
| TCP SYN/ACK, UDP or SCTP discovery | -PS/PA/PU/PY[portlist] | nmap -PS22,80,443 192.168.1.1 |
| ICMP echo, timestamp, and netmask request | -PE/PP/PM | nmap -PE 192.168.1.0/24 |
| IP Protocol Ping | -PO[protocol list] | nmap -PO1 192.168.1.1 |
Scan Techniques

| Goal | Command | Example |
|---|---|---|
| TCP SYN scan | -sS | nmap -sS 192.168.1.1 |
| UDP Scan | -sU | nmap -sU 192.168.1.1 |
| TCP Null, FIN, and Xmas scans | -sN/sF/sX | nmap -sN 192.168.1.1 |
| Customize TCP scan flags | --scanflags [flags] | nmap --scanflags URGACKPSHRSTSYN 192.168.1.1 |
| Idle scan | -sI [zombie host[:probeport]] | nmap -sI zombie.example.com 192.168.1.1 |
| SCTP INIT/COOKIE ECHO scans | -sY/sZ | nmap -sY 192.168.1.1 |
| IP protocol scan | -sO | nmap -sO 192.168.1.1 |
| FTP bounce scan | -b [FTP relay host] | nmap -b FTP.proxy.example.com 192.168.1.1 |
Port Specification and Scan Order

| Goal | Command | Example |
|---|---|---|
| Only scan specified ports | -p [port ranges] | nmap -p 22,80,443 192.168.1.1 |
| Fast mode: scan fewer ports | -F | nmap -F 192.168.1.1 |
| Scan ports consecutively | -r | nmap -r 192.168.1.1 |
| Scan the [number] most common ports | --top-ports [number] | nmap --top-ports 10 192.168.1.1 |
| Scan ports more common than [ratio] | --port-ratio [ratio] | nmap --port-ratio 0.1 192.168.1.1 |
Service/Version Detection

| Goal | Command | Example |
|---|---|---|
| Probe open ports to determine service/version info | -sV | nmap -sV 192.168.1.1 |
| Set version detection intensity | --version-intensity [level] | nmap --version-intensity 9 192.168.1.1 |
| Limit to most likely probes (intensity 2) | --version-light | nmap --version-light 192.168.1.1 |
| Try every single probe (intensity 9) | --version-all | nmap --version-all 192.168.1.1 |
| Show detailed version scan activity | --version-trace | nmap --version-trace 192.168.1.1 |
Script Scan

| Goal | Command | Example |
|---|---|---|
| Perform script scan (default scripts) | -sC | nmap -sC 192.168.1.1 |
| Perform script scan (specific scripts) | --script=[Lua scripts] | nmap --script=http-enum 192.168.1.1 |
| Provide arguments to scripts | --script-args=[n1=v1,[n2=v2,…]] | nmap --script-args user=guest,pass=guest 192.168.1.1 |
| Show help about scripts | --script-help=[Lua scripts] | nmap --script-help "smb*" |
OS Detection

| Goal | Command | Example |
|---|---|---|
| Enable OS detection | -O | nmap -O 192.168.1.1 |
| Limit OS detection to promising targets | --osscan-limit | nmap --osscan-limit 192.168.1.1 |
| Guess OS more aggressively | --osscan-guess | nmap --osscan-guess 192.168.1.1 |
Timing and Performance

| Goal | Command | Example |
|---|---|---|
| Set timing template (higher is faster) | -T[0-5] | nmap -T4 192.168.1.1 |
| Adjust delay between probes | --scan-delay/--max-scan-delay [time] | nmap --scan-delay 0.1s 192.168.1.1 |
| Send packets no slower than [number] per second | --min-rate [number] | nmap --min-rate 100 192.168.1.1 |
| Send packets no faster than [number] per second | --max-rate [number] | nmap --max-rate 50 192.168.1.1 |
Firewall/IDS Evasion and Spoofing

| Goal | Command | Example |
|---|---|---|
| Fragment packets | -f | nmap -f 192.168.1.1 |
| Cloak a scan with decoys | -D [decoy1,decoy2[,ME],…] | nmap -D RND:10 192.168.1.1 |
| Spoof source address | -S [IP_Address] | nmap -S 192.168.1.2 192.168.1.1 |
| Use a specific interface | -e [iface] | nmap -e eth0 192.168.1.1 |
| Spoof MAC address | --spoof-mac [mac address] | nmap --spoof-mac 00:11:22:33:44:55 192.168.1.1 |
Output

| Goal | Command | Example |
|---|---|---|
| Save output in normal format | -oN [file] | nmap -oN output.txt 192.168.1.1 |
| Save output in XML format | -oX [file] | nmap -oX output.xml 192.168.1.1 |
| Save output in s<rIpt kIddi3 format | -oS [file] | nmap -oS output.txt 192.168.1.1 |
| Save output in grepable format | -oG [file] | nmap -oG output.txt 192.168.1.1 |
| Save output in all formats at once | -oA [basename] | nmap -oA scan_output 192.168.1.1 |
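The XML format (-oX) is the one to use when scan results feed another tool. As an added example written for this cheat sheet (not Nmap's own code), the script below parses two -oX files, keeps only hosts that are up and ports that are open, and reports which services appeared or disappeared between a baseline scan and a later one, which is the usual way to turn periodic scans of your own network into an alert on newly exposed ports. The two XML documents are constructed samples in the -oX schema, not real scan output, and the addresses and services in them are made up.

```python
"""Parse Nmap XML output (-oX) and diff two scans for newly exposed ports.

Added example for this cheat sheet; not Nmap's own code. The XML strings
below are constructed samples in the -oX schema, not real scan output.
"""
import xml.etree.ElementTree as ET

BASELINE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX baseline.xml 192.168.1.0/24">
<host><status state="up" reason="syn-ack"/>
  <address addr="192.168.1.1" addrtype="ipv4"/>
  <ports>
    <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
      <service name="ssh" product="OpenSSH" version="8.9p1"/></port>
    <port protocol="tcp" portid="443"><state state="open" reason="syn-ack"/>
      <service name="https"/></port>
  </ports></host>
<host><status state="down" reason="no-response"/>
  <address addr="192.168.1.20" addrtype="ipv4"/></host>
</nmaprun>"""

CURRENT_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX current.xml 192.168.1.0/24">
<host><status state="up" reason="syn-ack"/>
  <address addr="192.168.1.1" addrtype="ipv4"/>
  <address addr="00:11:22:33:44:55" addrtype="mac"/>
  <ports>
    <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
      <service name="ssh" product="OpenSSH" version="8.9p1"/></port>
    <port protocol="tcp" portid="23"><state state="open" reason="syn-ack"/>
      <service name="telnet"/></port>
    <port protocol="tcp" portid="25"><state state="filtered" reason="no-response"/>
      <service name="smtp"/></port>
    <port protocol="tcp" portid="443"><state state="open" reason="syn-ack"/>
      <service name="https"/></port>
  </ports></host>
<host><status state="up" reason="arp-response"/>
  <address addr="192.168.1.20" addrtype="ipv4"/>
  <ports>
    <port protocol="tcp" portid="3389"><state state="open" reason="syn-ack"/>
      <service name="ms-wbt-server"/></port>
  </ports></host>
</nmaprun>"""


def parse_nmap_xml(xml_text):
    """Return {ip: {(proto, port): service}} for hosts that are up and ports that are open."""
    result = {}
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # down hosts carry no port data worth tracking
        # a host may list several <address> elements (ipv4 and mac); take the IP one
        addr = next((a.get("addr") for a in host.findall("address")
                     if a.get("addrtype") in ("ipv4", "ipv6")), None)
        if addr is None:
            continue
        open_ports = {}
        ports = host.find("ports")
        for port in ([] if ports is None else ports.findall("port")):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports are not exposure
            svc = port.find("service")
            name = svc.get("name", "unknown") if svc is not None else "unknown"
            open_ports[(port.get("protocol"), int(port.get("portid")))] = name
        result[addr] = open_ports
    return result


def diff_scans(baseline, current):
    """Per host, the open ports that appeared ('new') or vanished ('closed')."""
    changes = {}
    for ip in sorted(set(baseline) | set(current)):
        before, after = baseline.get(ip, {}), current.get(ip, {})
        new = {k: v for k, v in after.items() if k not in before}
        closed = {k: v for k, v in before.items() if k not in after}
        if new or closed:
            changes[ip] = {"new": new, "closed": closed}
    return changes


def format_report(changes):
    """One line per change, suitable for a log file or alert body."""
    lines = []
    for ip, delta in changes.items():
        for (proto, port), svc in sorted(delta["new"].items()):
            lines.append(f"NEW    {ip} {port}/{proto} ({svc})")
        for (proto, port), svc in sorted(delta["closed"].items()):
            lines.append(f"CLOSED {ip} {port}/{proto} ({svc})")
    return lines


if __name__ == "__main__":
    changes = diff_scans(parse_nmap_xml(BASELINE_XML), parse_nmap_xml(CURRENT_XML))
    print("\n".join(format_report(changes)))
```

With real files, replace the two constants with the contents of the baseline and current -oX outputs. Hosts that were down in the baseline are treated as having no open ports, so every open port on a newly appearing host is reported as new, and filtered ports are deliberately ignored because they do not represent a reachable service.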
Miscellaneous

| Goal | Command | Example |
|---|---|---|
| Enable IPv6 scanning | -6 | nmap -6 ipv6host.example.com |
| Enable aggressive scan options | -A | nmap -A 192.168.1.1 |
| Print version number | -V | nmap -V |
| Print help summary page | -h | nmap -h |
Install Nmap to use the Nmap Cheat Sheet
If you want to install Nmap on Ubuntu Linux, you can use the following command.