Nmap Cheat Sheet - Nmap 6 Cookbook: The Fat Free Guide to Network Security Scanning (2015)

Appendix A - Nmap Cheat Sheet

Download and print this cheat sheet online at NmapCookbook.com

Basic Scanning Techniques

Scan a Single Target
nmap [target]

Scan Multiple Targets
nmap [target1 target2 etc]

Scan a Range of Hosts
nmap [range of ip addresses]

Scan a List of Targets
nmap -iL [list.txt]

Scan an Entire Subnet
nmap [ip address/cidr]

Excluding Targets from a Scan
nmap [targets] --exclude [targets]

Excluding Targets Using a List
nmap [targets] --excludefile [list.txt]

Scan Random Hosts
nmap -iR [number]

Perform an Aggressive Scan
nmap -A [target]

Scan an IPv6 Target
nmap -6 [target]

Periodically Display Statistics
nmap --stats-every [time] [target]

Discovery Options

Perform a Ping Only Scan
nmap -sn [target]

Don’t Ping
nmap -Pn [target]

TCP SYN Ping
nmap -PS [target]

TCP ACK Ping
nmap -PA [target]

UDP Ping
nmap -PU [target]

ICMP Echo Ping
nmap -PE [target]

ICMP Timestamp Ping
nmap -PP [target]

ICMP Address Mask Ping
nmap -PM [target]

IP Protocol Ping
nmap -PO [target]

ARP Ping
nmap -PR [target]

Traceroute
nmap --traceroute [target]

Force Reverse DNS Resolution
nmap -R [target]

Disable Reverse DNS Resolution
nmap -n [target]

Alternative DNS Lookup
nmap --system-dns [target]

Manually Specify DNS Server(s)
nmap --dns-servers [servers] [target]

Create a Host List
nmap -sL [targets]

Advanced Scanning Functions

TCP SYN Scan
nmap -sS [target]

TCP Connect Scan
nmap -sT [target]

UDP Scan
nmap -sU [target]

TCP NULL Scan
nmap -sN [target]

TCP FIN Scan
nmap -sF [target]

Xmas Scan
nmap -sX [target]

TCP ACK Scan
nmap -sA [target]

Custom TCP Scan
nmap --scanflags [flags] [target]

IP Protocol Scan
nmap -sO [target]

Port Scanning Options

Perform a Fast Scan
nmap -F [target]

Scan Specific Ports
nmap -p [port(s)] [target]

Scan Ports by Name
nmap -p [port name(s)] [target]

Scan Ports by Protocol
nmap -sU -sT -p U:[ports],T:[ports] [target]

Scan All Ports
nmap -p "*" [target]

Scan Top Ports
nmap --top-ports [number] [target]

Perform a Sequential Port Scan
nmap -r [target]

Only Display Open Ports
nmap --open [target]

Version Detection

Operating System Detection
nmap -O [target]

Submit TCP/IP Fingerprints
nmap.org/submit/

Attempt to Guess an Unknown OS
nmap -O --osscan-guess [target]

Service Version Detection
nmap -sV [target]

Troubleshooting Version Scans
nmap -sV --version-trace [target]

Timing Options

Timing Templates
nmap -T[0-5] [target]

Set the Packet TTL
nmap --ttl [value] [target]

Minimum # of Parallel Operations
nmap --min-parallelism [number] [target]

Maximum # of Parallel Operations
nmap --max-parallelism [number] [target]

Minimum Host Group Size
nmap --min-hostgroup [number] [targets]

Maximum Host Group Size
nmap --max-hostgroup [number] [targets]

Initial RTT Timeout
nmap --initial-rtt-timeout [time] [target]

Maximum RTT Timeout
nmap --max-rtt-timeout [time] [target]

Maximum Retries
nmap --max-retries [number] [target]

Host Timeout
nmap --host-timeout [time] [target]

Minimum Scan Delay
nmap --scan-delay [time] [target]

Maximum Scan Delay
nmap --max-scan-delay [time] [target]

Minimum Packet Rate
nmap --min-rate [number] [target]

Maximum Packet Rate
nmap --max-rate [number] [target]

Defeat Reset Rate Limits
nmap --defeat-rst-ratelimit [target]

Firewall Evasion Techniques

Fragment Packets
nmap -f [target]

Specify a Specific MTU
nmap --mtu [MTU] [target]

Use a Decoy
nmap -D RND:[number] [target]

Idle Zombie Scan
nmap -sI [zombie] [target]

Manually Specify a Source Port
nmap --source-port [port] [target]

Append Random Data
nmap --data-length [size] [target]

Randomize Target Scan Order
nmap --randomize-hosts [target]

Spoof MAC Address
nmap --spoof-mac [MAC|0|vendor] [target]

Send Bad Checksums
nmap --badsum [target]

Output Options

Save Output to a Text File
nmap -oN [scan.txt] [target]

Save Output to an XML File
nmap -oX [scan.xml] [target]

Grepable Output
nmap -oG [scan.txt] [targets]

Output All Supported File Types
nmap -oA [path/filename] [target]

133t Output
nmap -oS [scan.txt] [target]

Troubleshooting and Debugging

Getting Help
nmap -h

Display Nmap Version
nmap -V

Verbose Output
nmap -v [target]

Debugging
nmap -d [target]

Display Port State Reason
nmap --reason [target]

Trace Packets
nmap --packet-trace [target]

Display Host Networking
nmap --iflist

Specify a Network Interface
nmap -e [interface] [target]

Nmap Scripting Engine

Execute Individual Scripts
nmap --script [script.nse] [target]

Execute Multiple Scripts
nmap --script [expression] [target]

Script Categories
all, auth, default, discovery, external, intrusive, malware, safe, vuln

Execute Scripts by Category
nmap --script [category] [target]

Execute Multiple Script Categories
nmap --script [category1,category2,etc] [target]

Troubleshoot Scripts
nmap --script [script] --script-trace [target]

Update the Script Database
nmap --script-updatedb

Ndiff

Comparison Using Ndiff
ndiff [scan1.xml] [scan2.xml]

Ndiff Verbose Mode
ndiff -v [scan1.xml] [scan2.xml]

XML Output Mode
ndiff --xml [scan1.xml] [scan2.xml]

Nping

Ping a Target
nping [target]

Ping Multiple Targets
nping [target1 target2 etc.]

Hide Sent Packets
nping -H [target]

Hide All Packets
nping -q [target]

Specify a Ping Count
nping -c [count] [target]

Specify a Ping Rate
nping --rate [rate] [target]

Specify a Ping Delay
nping --delay [delay] [target]

Generate a Payload
nping --data-length [length] [target]

Ping Using TCP
nping --tcp [target]

Ping Using UDP
nping --udp [target]

Ping a Specific Port
nping -p [port] --tcp|--udp [target]

Perform an ARP Ping
nping --arp [target]

Display Nping Help
nping -h

Display Nping Version
nping -V

Set Debug Level (1 to 6)
nping -d[level] [target]

Set Verbosity Level (-4 to 4)
nping -v[level] [target]

Use the Specified Network Interface
nping -e [interface] [target]

Spoof the Specified Source Port
nping -g [port] [target]

Use the Specified TCP Flags
nping --flags [flags] [target]

Ping the Specified IPv6 Address
nping -6 [target]

Set Up an Echo Server
nping --echo-server [passphrase]

Ping an Echo Server
nping --echo-client [passphrase] [target]

Ncat

Connect to an Address/Port
ncat [address] [port]

Use SSL
ncat --ssl [address] [port]

Listen for Incoming Connections
ncat --listen [port]