
Nmap Cheat Sheet

Network Mapper (Nmap), also known as the God of Port Scanners, is used for network discovery and is the basis for most security enumeration during the initial stages of a penetration test. Nmap has a multitude of options, and when you first start playing with this excellent tool it can be a bit daunting. In this cheat sheet you will find a series of practical example commands for running Nmap and getting the most out of this powerful tool. Below is the Nmap cheat sheet along with helpful tips and techniques.

Keep in mind that this cheat sheet merely touches the surface of the available options. The Nmap Documentation portal is your reference for digging deeper into the options available.

Nmap in a nutshell

  • Target Specification
  • Host Discovery
  • Port Specification
  • Service Discovery / Version Detection
  • Operating System Version Detection
  • Firewall / IDS Evasion and Spoofing
  • Time and Performance based Scan
  • Output of Scan
  • Vulnerability / Exploit Detection, using Nmap Scripts (NSE)

Target Specification

Scan a single IP


Scan specific IPs


Scan a Range


Scan a Domain / Host

nmap scanme.nmap.org

Scan Targets from a File

nmap -iL targets.txt

Exclude the listed hosts from the target range

nmap --exclude

Host Discovery

List the given targets only, without scanning

nmap -sL

Disable port scanning; host discovery only

nmap -sn

Disable host discovery; port scan only

nmap -Pn

TCP SYN discovery on the given ports

nmap -PS 80,21

TCP ACK discovery on the given ports

nmap -PA 80,21

UDP discovery on the given port

nmap -PU 53

Port Specification

Scan a given port (here, port 21)

nmap -p 21

Scan the given port range

nmap -p 21-100

Scan multiple TCP and UDP ports

nmap -p U:53,T:21-25,80

Scan all 65535 ports

nmap -p-

Scan the given service names

nmap -p http,https

Scan the top 100 ports (fast scan)

nmap -F

Service Discovery / Version Detection

Detect the versions of the running services

nmap -sV

Set the version-detection intensity, from 0 to 9. A higher number increases the likelihood of a correct identification

nmap -sV --version-intensity 5

Enable light mode (intensity 2). It is faster but less likely to identify the service correctly

nmap -sV --version-light

Enable intense mode (intensity 9). It is slower but more likely to identify the service correctly

nmap -sV --version-all

Operating System Version Detection

Detect the operating system

nmap -O

Aggressive mode, i.e. OS detection, service version detection and traceroute

nmap -A

Firewall / IDS Evasion and Spoofing

Use tiny fragmented IP packets; these are harder for packet filters to inspect

nmap -f

Set your own fragment size (MTU)

nmap --mtu 32

Scan using decoy (spoofed) IP addresses alongside your own

nmap -D decoy-ip1,decoy-ip2,your-own-ip remote-host-ip

Scan target.com with example.com as the spoofed source address

nmap -S example.com target.com

Use the given port as the source port

nmap -g 53

Append random data to the packets sent

nmap --data-length 200

Time and Performance based Scan

Slow scan

nmap -T0

Sneaky scan

nmap -T1

Polite scan

nmap -T2

Default scan

nmap -T3

Aggressive scan

nmap -T4

Very Aggressive scan

nmap -T5

Output of Scan

Scan in verbose mode (-vv for greater effect)

nmap -v

Save the scan results in normal output format to scan.file

nmap -oN scan.file

Save the results in XML format to xml.file

nmap -oX xml.file

Save the results in grepable format to grep.file

nmap -oG grep.file

Save the output in all three major formats at once

nmap -oA result

Scan in debug mode (-dd for greater effect)

nmap -d

Show all packets sent and received

nmap -T4 --packet-trace
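The grepable output produced by -oG above is the format most people post-process. As an added example (not part of the original cheat sheet), the POSIX shell script below parses a constructed -oG sample with awk, lists the open ports per host, and reports any service that is not in a constructed baseline of expected exposure; the hosts in 192.0.2.0/24 are documentation-range placeholders.

```shell
#!/bin/sh
# Added example: parse Nmap grepable (-oG) output with POSIX awk and compare
# the open ports against a baseline. The sample scan data is constructed.

sample_gnmap() {
    printf 'Host: 192.0.2.10 ()\tStatus: Up\n'
    printf 'Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/open/tcp//http//nginx 1.18.0/, 443/filtered/tcp//https///\tIgnored State: closed (997)\n'
    printf 'Host: 192.0.2.11 ()\tStatus: Up\n'
    printf 'Host: 192.0.2.11 ()\tPorts: 23/open/tcp//telnet//Linux telnetd/, 53/open/udp//domain//ISC BIND 9.16.1/\tIgnored State: closed (998)\n'
}

# open_ports: read -oG text on stdin and print "host port/proto service version"
# for every port in state "open". -oG fields are tab-separated; each entry of
# the Ports field is port/state/proto/owner/service/rpc/version/ and entries are
# separated by ", " (the constructed version strings contain no ", ").
open_ports() {
    awk -F '\t' '
        /^Host:/ {
            host = $1
            sub(/^Host: /, "", host); sub(/ .*/, "", host)
            for (i = 2; i <= NF; i++) {
                if ($i !~ /^Ports: /) continue
                ports = $i; sub(/^Ports: /, "", ports)
                n = split(ports, entry, /, /)
                for (j = 1; j <= n; j++) {
                    split(entry[j], f, "/")
                    if (f[2] == "open")
                        printf "%s %s/%s %s %s\n", host, f[1], f[3], f[5], f[7]
                }
            }
        }'
}

# unexpected_ports: read open_ports output on stdin and print every line whose
# "host port/proto" is absent from the newline-separated baseline given as $1.
unexpected_ports() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, "\n"); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        { key = $1 " " $2; if (!(key in ok)) print }'
}

# Constructed baseline of services that are supposed to be exposed.
BASELINE='192.0.2.10 22/tcp
192.0.2.10 80/tcp
192.0.2.11 53/udp'

sample_gnmap | open_ports | unexpected_ports "$BASELINE"
# prints: 192.0.2.11 23/tcp telnet Linux telnetd
```

Replace sample_gnmap with `cat grep.file` to run it over a real -oG file.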

Vulnerability / Exploit Detection, using Nmap Scripts (NSE)

Scan with the default NSE scripts

nmap -sC

Scan with the given NSE script (example: nmap.nse)

nmap --script=nmap.nse

Use a script with arguments

nmap --script=nmap.nse --script-args user=admin
