577, Gold Plaza, Punjab Jewellers, M.G. Road, Opp. Treasure Island Mall

Nmap Cheat Sheet

Network Mapper (Nmap) also known as the God of Port Scanners used for network discovery and the basis for most security enumeration during the initial stages of a Penetration Testing. Nmap has a multitude of options and when you first start playing with this excellent tool it can be a bit daunting. In this cheat sheet you will find a series of practical example commands for running Nmap and getting the most of this powerful tool. Below is Nmap Cheat Sheet and Helpful Tips and Techniques.

Keep in mind that this cheat sheet merely touches the surface of the available options. The Nmap Documentation portal is your reference for digging deeper into the options available.

Nmap in a nutshell

  • Target Specification
  • Host Discovery
  • Port Specification
  • Service Discovery / Version Detection
  • Operating System Version Detection
  • Firewall / IDS Evasion and Spoofing
  • Time and Performance based Scan
  • Output of Scan
  • Vulnerability / Exploit Detection, using Nmap Scripts (NSE)
Target Specification

Scan a single IP

nmap 192.168.1.1

Scan specific IPs

nmap 192.168.1.1 192.168.1.5

Scan a Range

nmap 192.168.1.1-254

Scan a Domain / Host

nmap nmap scanme.nmap.org

Scan Targets from a File

namp -iL targets.txt

Exclude the Listed Host from the Target Range

nmap --exclude 192.168.1.5 192.168.1.1-10
Host Discovery

To List given targets only, no Scan

nmap -sL 192.168.1.1-3

To Disable Port Scanning, Host Discovery only

nmap -sn 192.168.1.1/24

To Disable Host Discovery. Port scan only

nmap -Pn 192.168.1.1-5

TCP SYN discovery on given port

nmap -PS 80,21 192.168.1.1

TCP ACK discovery on given port

nmap -PA 80,21 192.168.1.1

UDP discovery on given port

nmap -PU 53 192.168.1.1
Port Specification

Scan a given Port (i.e 21 here)

nmap -p 21 192.168.1.1

Scan the given Port Range

nmap -p 21-100 192.168.1.1

Scan the multiple TCP and UDP ports

nmap -p U:53,T:21-25,80 192.168.1.1

Scan all 65535 ports

nmap -p- 192.168.1.1

Scans the given Service Name

nmap -p http,https 192.168.1.1

Scans the Top 100 ports

nmap -F 192.168.1.1
Service Discovery / Version Detection

Detect Version of the Running Services

nmap -sV 192.168.1.1

To set intensity range between 0 to 9. Higher number increases possibility of correctness

nmap -sV --version-intensity 5 192.168.1.1

To enable the light mode(intensity =2). It is faster but have less possibility of correctness

nmap  -sV --version-light 192.168.1.1

To enables the intense mode(intensity =9). It is slower but have more possibility of correctness

nmap -sV --version-all 192.168.1.1
Operating System Version Detection

Detect the Operating system

nmap -sV 192.168.1.1

Aggressive mode i.e OS, Service Version, Trace route.

nmap -A 192.168.1.1
Firewall / IDS Evasion and Spoofing

Use tiny fragmented IP packets. Its harder for packet filters

nmap -f 192.168.1.1

Used to set our own offset size

nmap --mtu 32 192.168.1.1

Use the Spoofed IP to scan

nmap -D decoy-ip1,decoy-ip2, your-own-ip remote-host-ip

Scans target.com from example.com (Domain Name Spoofing)

nmap -S example.com target.com

Uses the given port as a source

nmap -g 53 192.168.1.1

Appends random data to sent packets

nmap --data-length 200 192.168.1.1
Time and Performance based Scan

Slow scan

nmap -T0 192.168.1.1

Sneaky scan

nmap -T1 192.168.1.1

Timely scan

nmap -T2 192.168.1.1

Default scan

nmap -T3 192.168.1.1

Aggressive scan

nmap -T4 192.168.1.1

Very Aggressive scan

nmap -T5 192.168.1.1
Output of Scan

To scan in the Verbose mode (-vv for greater effect)

nmap -v 192.168.1.1

Save the scan results to the scan.file

nmap 192.168.1.1 -oN scan.file

Save the results in xml.file

nmap 192.168.1.1 -oX xml.file

Save the results in grep.file

nmap 192.168.1.1 -oG grep.file

Saves the Output in the three major formats at once

nmap 192.168.1.1 -oA result

To scan in the debug mode (-dd for greater effect)

nmap 192.168.1.1 -d

To see all the packets sent and received

nmap 192.168.1.1 -T4 --packet-trace
Vulnerability / Exploit Detection, using Nmap Scripts (NSE)

Scan with default NSE Scripts

nmap 192.168.1.1 -sC

Scan with given NSE Script ( Example: nmap.nse )

nmap 192.168.1.1 --script=nmap.nse

Use script with arguments

nmap 192.168.1.1 –script=nmap.nse --script-args user=admin

 

Leave a comment

WhatsApp us