Nmap Cheat Sheet - All Commands
Target Specification
| Switch | Command | Description |
|---|---|---|
| nmap <target> | Scan a single target (IP, hostname, or network). | |
| nmap <target1> <target2> | Scan multiple targets. | |
| nmap 192.168.1.0/24 | Scan an entire subnet. | |
| -iL | nmap -iL <inputfile> | Scan targets from a list in a file. |
| --exclude | nmap --exclude <target> | Exclude a specific target from the scan. |
| --excludefile | nmap --excludefile <excludefile> | Exclude targets listed in a file. |
Host Discovery
| Switch | Command | Description |
|---|---|---|
| -sn | nmap -sn <target> | Ping scan - disable port scan, only discover hosts. |
| -Pn | nmap -Pn <target> | Skip host discovery, treat all hosts as online. |
| -PS | nmap -PS <port> <target> | TCP SYN ping. |
| -PA | nmap -PA <port> <target> | TCP ACK ping. |
| -PU | nmap -PU <port> <target> | UDP ping. |
| -PY | nmap -PY <port> <target> | SCTP INIT ping. |
| -PE | nmap -PE <target> | ICMP echo request ping. |
| -PP | nmap -PP <target> | ICMP timestamp ping. |
| -PM | nmap -PM <target> | ICMP address mask ping. |
| -PO | nmap -PO <protocol> <target> | IP protocol ping. |
Scan Techniques
| Switch | Command | Description |
|---|---|---|
| -sS | nmap -sS <target> | TCP SYN scan (stealth scan). |
| -sT | nmap -sT <target> | TCP connect scan. |
| -sU | nmap -sU <target> | UDP scan. |
| -sA | nmap -sA <target> | TCP ACK scan. |
| -sW | nmap -sW <target> | Window scan. |
| -sM | nmap -sM <target> | Maimon scan. |
| -sN | nmap -sN <target> | TCP NULL scan. |
| -sF | nmap -sF <target> | TCP FIN scan. |
| -sX | nmap -sX <target> | TCP Xmas scan. |
| -sI | nmap -sI <zombie host> <target> | Idle scan (zombie scan). |
| -sO | nmap -sO <target> | IP protocol scan. |
| -b | nmap -b <ftp relay host> <target> | FTP bounce scan. |
Port Specification
| Switch | Command | Description |
|---|---|---|
| -p | nmap -p <port> <target> | Scan specific port(s). |
| -p 1-100 | nmap -p 1-100 <target> | Scan a range of ports. |
| -p U:,T: | nmap -p U:<udp ports>,T:<tcp ports> <target> | Scan specific TCP and UDP ports. |
| -p- | nmap -p- <target> | Scan all 65535 ports. |
| -F | nmap -F <target> | Fast scan - scan fewer ports than the default. |
| --top-ports | nmap --top-ports <number> <target> | Scan the top N most common ports. |
Service/Version Detection
| Switch | Command | Description |
|---|---|---|
| -sV | nmap -sV <target> | Detect service/version information. |
| -sV --version-intensity | nmap -sV --version-intensity <level> <target> | Set version detection intensity (0-9). |
| -sV --version-light | nmap -sV --version-light <target> | Light version detection (intensity 2). |
| -sV --version-all | nmap -sV --version-all <target> | Try every single probe (intensity 9). |
| -A | nmap -A <target> | Enable OS detection, version detection, script scanning, and traceroute. |
OS Detection
| Switch | Command | Description |
|---|---|---|
| -O | nmap -O <target> | Enable OS detection. |
| -O --osscan-limit | nmap -O --osscan-limit <target> | Limit OS detection to promising targets. |
| -O --osscan-guess | nmap -O --osscan-guess <target> | Guess OS more aggressively. |
| -O --max-os-tries | nmap -O --max-os-tries <number> <target> | Set maximum number of OS detection tries. |
Timing and Performance
| Switch | Command | Description |
|---|---|---|
| -T0 | nmap -T0 <target> | Paranoid timing (slowest). |
| -T1 | nmap -T1 <target> | Sneaky timing. |
| -T2 | nmap -T2 <target> | Polite timing. |
| -T3 | nmap -T3 <target> | Normal timing (default). |
| -T4 | nmap -T4 <target> | Aggressive timing. |
| -T5 | nmap -T5 <target> | Insane timing (fastest). |
| --min-hostgroup | nmap --min-hostgroup <size> <target> | Parallel host scan group sizes. |
| --max-hostgroup | nmap --max-hostgroup <size> <target> | Parallel host scan group sizes. |
| --min-parallelism | nmap --min-parallelism <number> <target> | Probe parallelization. |
| --max-parallelism | nmap --max-parallelism <number> <target> | Probe parallelization. |
| --min-rtt-timeout | nmap --min-rtt-timeout <time> <target> | Adjust probe timeouts. |
| --max-rtt-timeout | nmap --max-rtt-timeout <time> <target> | Adjust probe timeouts. |
| --initial-rtt-timeout | nmap --initial-rtt-timeout <time> <target> | Adjust probe timeouts. |
| --host-timeout | nmap --host-timeout <time> <target> | Give up on slow targets. |
| --scan-delay | nmap --scan-delay <time> <target> | Adjust delay between probes. |
| --max-scan-delay | nmap --max-scan-delay <time> <target> | Adjust delay between probes. |
| --min-rate | nmap --min-rate <number> <target> | Send packets no slower than specified rate. |
| --max-rate | nmap --max-rate <number> <target> | Send packets no faster than specified rate. |
Firewall/IDS Evasion
| Switch | Command | Description |
|---|---|---|
| -f | nmap -f <target> | Fragment packets (split into smaller pieces). |
| --mtu | nmap --mtu <size> <target> | Set custom MTU size for packet fragmentation. |
| -D | nmap -D <decoy1,decoy2> <target> | Use decoy IP addresses to hide your scan. |
| -S | nmap -S <source IP> <target> | Spoof source IP address. |
| -e | nmap -e <interface> <target> | Specify network interface to use. |
| --source-port | nmap --source-port <port> <target> | Spoof source port number. |
| --data-length | nmap --data-length <length> <target> | Append random data to packets. |
| --randomize-hosts | nmap --randomize-hosts <target> | Randomize target host order. |
| --spoof-mac | nmap --spoof-mac <MAC address> <target> | Spoof MAC address. |
| --badsum | nmap --badsum <target> | Send packets with invalid checksums. |
Output Formats
| Switch | Command | Description |
|---|---|---|
| -oN | nmap -oN <outputfile> <target> | Save output in normal format. |
| -oX | nmap -oX <outputfile> <target> | Save output in XML format. |
| -oG | nmap -oG <outputfile> <target> | Save output in grepable format. |
| -oA | nmap -oA <basename> <target> | Save output in all formats (normal, XML, grepable). |
| -oS | nmap -oS <outputfile> <target> | Save output in script kiddie format. |
| -v | nmap -v <target> | Increase verbosity level. |
| -v2 | nmap -v2 <target> | Even more verbose output. |
| -d | nmap -d <target> | Increase debugging level. |
| -d2 | nmap -d2 <target> | Even more debugging output. |
| --reason | nmap --reason <target> | Display reason for port states. |
| --stats-every | nmap --stats-every <time> <target> | Print scan progress periodically. |
| --packet-trace | nmap --packet-trace <target> | Trace packets sent and received. |
| --iflist | nmap --iflist | List interfaces and routes. |
Scripting Engine
| Switch | Command | Description |
|---|---|---|
| -sC | nmap -sC <target> | Run default NSE scripts. |
| --script | nmap --script <script> <target> | Run specific NSE script(s). |
| --script-args | nmap --script-args <args> <target> | Pass arguments to NSE scripts. |
| --script-trace | nmap --script-trace <target> | Show all data sent and received by scripts. |
| --script-updatedb | nmap --script-updatedb | Update the script database. |
| --script-help | nmap --script-help <script> | Display help for a specific script. |
Miscellaneous
| Switch | Command | Description |
|---|---|---|
| -6 | nmap -6 <target> | Enable IPv6 scanning. |
| --resume | nmap --resume <logfile> | Resume a previously saved scan. |
| --unprivileged | nmap --unprivileged <target> | Assume lack of raw socket privileges. |
| --privileged | nmap --privileged <target> | Assume raw socket privileges. |
| --send-eth | nmap --send-eth <target> | Send packets at the raw Ethernet layer. |
| --send-ip | nmap --send-ip <target> | Send packets using raw IP sockets. |
| --append-output | nmap --append-output <target> | Append output to existing files. |
| --datadir | nmap --datadir <directory> | Specify custom Nmap data directory. |
| --servicedb | nmap --servicedb <file> | Specify custom services file. |
| --versiondb | nmap --versiondb <file> | Specify custom version detection file. |
| --system-dns | nmap --system-dns <target> | Use system DNS resolver. |
| --dns-servers | nmap --dns-servers <servers> <target> | Use custom DNS servers. |
| --traceroute | nmap --traceroute <target> | Perform traceroute to target. |
| --version | nmap --version | Display Nmap version. |
| -h | nmap -h | Display help and usage information. |
Post a Comment