NMAP Cheatsheet

Nmap Targeting

Scan a single IP nmap
Scan a hostname nmap
Scan an IP range nmap
Scan a subnet nmap
Scan from a predefined list nmap -iL list.txt


Scan a single port nmap -p 22
Scan a range of ports nmap -p 1-20
Scan multiple ports nmap -p 22,80,443
Scan Mixed TCP/UDP ports nmap -p U:53,T:22
Scan 100 common ports nmap -F
Scan top # ports nmap --top-ports 300
Scan ports linearly nmap -r -p 1-1000
Scan all ports nmap -p-

Scan types

TCP Connect Scan nmap -sT
TCP SYN scan (Silent scan) nmap -sS
UDP scan nmap -sU -p 137,139
No ping scan nmap -Pn
Host Discovery (no ports) nmap -sn
Version Scan nmap -sV
OS Detection nmap -O

OS and Service Discovery

OS and Services nmap -A
Standard service discovery nmap -sV
Aggressive service discovery nmap -sV --version-intensity 5
Light banner grabbing nmap -sV --version-intensity 0

Aggregate Timing

Paranoid: Very slow nmap -T0
Sneaky: Quite slow nmap -T1
Polite: Slows down nmap -T2
Normal: Default nmap -T3
Aggressive: Fast and reliable nmap -T4
Insane: Very aggressive nmap -T5

Output Formats

Standard Nmap output nmap -oN output.txt
XML format nmap -oX output.txt
Greppable format nmap -oG output.txt
All formats output nmap -oA output.txt

NSE Scripts

Default scripts nmap -sV -sC
Script help nmap --script-help=ssl-heartbleed
NSE script scan nmap -sV --script=ssl-heartbleed -p 443
Scan with script sets nmap -sV --script="smb*"
Script help (general form) nmap --script-help=scriptname

HTTP Service Discovery

Get page title nmap --script=http-title
Get HTTP header nmap --script=http-headers
Find web apps nmap --script=http-enum

Fine-Grained Timing

Parallel host scan group sizes --min-hostgroup/max-hostgroup <size>
Probe parallelization --min-parallelism/max-parallelism <numprobes>
Specifies probe round trip time --min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time>
Caps number of port scan probe retransmissions --max-retries <tries>
Give up on target after time --host-timeout <time>
Adjust delay between probes --scan-delay/--max-scan-delay <time>
Send packets no slower than <number> per second --min-rate <number>
Send packets no faster than <number> per second --max-rate <number>