Nmap Cheatsheet

Nmap command cheatsheet covering port scanning, host discovery, service detection, OS detection, NSE scripts, firewall evasion, and output options organized by category

Related Categories:NetworkSecurity

77 commands

nmap <host>

Scan a single host

nmap 192.168.1.1

nmap <host1> <host2>

Scan multiple hosts

nmap 192.168.1.1 192.168.1.2

nmap <range>

Scan an IP range

nmap 192.168.1.1-254

nmap <CIDR>

Scan a subnet

nmap 192.168.1.0/24

nmap -iL <file>

Read targets from file

nmap -iL targets.txt

nmap --exclude <host>

Exclude a host

nmap 192.168.1.0/24 --exclude 192.168.1.1

nmap --excludefile <file>

Exclude from file

nmap 192.168.1.0/24 --excludefile exclude.txt

nmap -iR <num>

Scan N random hosts

nmap -iR 10

nmap -sn

Ping scan, no port scan

nmap -sn 192.168.1.0/24

nmap -Pn

Skip host discovery

nmap -Pn 192.168.1.1

nmap -PS<ports>

TCP SYN discovery

nmap -PS22,80,443 192.168.1.1

nmap -PA<ports>

TCP ACK discovery

nmap -PA80,443 192.168.1.1

nmap -PU<port>

UDP discovery

nmap -PU53 192.168.1.1

nmap -PR

ARP scan (local network)

nmap -PR 192.168.1.0/24

nmap -PE

ICMP echo discovery

nmap -PE 192.168.1.0/24

nmap -n

No reverse DNS resolution

nmap -n 192.168.1.1

nmap --traceroute

Perform traceroute

nmap --traceroute 192.168.1.1

nmap -sS

TCP SYN scan (stealth)

nmap -sS 192.168.1.1

nmap -sT

TCP connect scan

nmap -sT 192.168.1.1

nmap -sU

UDP scan

nmap -sU 192.168.1.1

nmap -sA

TCP ACK scan (firewall detection)

nmap -sA 192.168.1.1

nmap -sN

TCP NULL scan

nmap -sN 192.168.1.1

nmap -sF

TCP FIN scan

nmap -sF 192.168.1.1

nmap -sX

TCP Xmas scan

nmap -sX 192.168.1.1

nmap -sW

TCP window scan

nmap -sW 192.168.1.1

nmap -sO

IP protocol scan

nmap -sO 192.168.1.1

nmap -p <ports>

Scan specific ports

nmap -p 22,80,443 192.168.1.1

nmap -p <range>

Scan port range

nmap -p 1-1024 192.168.1.1

nmap -p-

Scan all 65535 ports

nmap -p- 192.168.1.1

nmap --top-ports <n>

Scan top N ports

nmap --top-ports 100 192.168.1.1

nmap -F

Fast scan (top 100)

nmap -F 192.168.1.1

nmap -sU -p <ports>

Scan specific UDP ports

nmap -sU -p 53,161,500 192.168.1.1

nmap -sS -sU -p T:,U:

Combined TCP and UDP scan

nmap -sS -sU -p T:80,443,U:53,161 192.168.1.1

nmap -p <service-name>

Specify ports by service name

nmap -p http,https 192.168.1.1

nmap -sV

Service version detection

nmap -sV 192.168.1.1

nmap -O

OS detection

nmap -O 192.168.1.1

nmap -A

Aggressive scan (OS, version, scripts, traceroute)

nmap -A 192.168.1.1

nmap -sV --version-intensity <n>

Set version detection intensity

nmap -sV --version-intensity 5 192.168.1.1

nmap -sV --version-light

Light version detection

nmap -sV --version-light 192.168.1.1

nmap -sV --version-all

Try all probes for version detection

nmap -sV --version-all 192.168.1.1

nmap -O --osscan-guess

Aggressive OS guessing

nmap -O --osscan-guess 192.168.1.1

nmap -O --osscan-limit

Limit OS detection to promising targets

nmap -O --osscan-limit 192.168.1.1

nmap --script=default

Run default scripts

nmap --script=default 192.168.1.1

nmap --script=vuln

Run vulnerability scripts

nmap --script=vuln 192.168.1.1

nmap --script=safe

Run safe scripts

nmap --script=safe 192.168.1.1

nmap --script=auth

Run authentication scripts

nmap --script=auth 192.168.1.1

nmap --script=http-enum

HTTP directory enumeration

nmap --script=http-enum 192.168.1.1

nmap --script=ssl-cert

Get SSL certificate info

nmap --script=ssl-cert -p 443 192.168.1.1

nmap --script=ssl-enum-ciphers

Enumerate SSL ciphers

nmap --script=ssl-enum-ciphers -p 443 192.168.1.1

nmap --script=smb-vuln*

Check SMB vulnerabilities

nmap --script=smb-vuln* -p 445 192.168.1.1

nmap --script=dns-brute

DNS brute force

nmap --script=dns-brute example.com

nmap --script=banner

Banner grabbing

nmap --script=banner -p 21,22,25,80 192.168.1.1

nmap -T0

Paranoid timing (IDS evasion)

nmap -T0 192.168.1.1

nmap -T1

Sneaky timing

nmap -T1 192.168.1.1

nmap -T2

Polite timing (less bandwidth)

nmap -T2 192.168.1.1

nmap -T3

Normal timing (default)

nmap -T3 192.168.1.1

nmap -T4

Aggressive timing

nmap -T4 192.168.1.1

nmap -T5

Insane timing (may miss ports)

nmap -T5 192.168.1.1

nmap --min-rate <n>

Set minimum packet rate

nmap --min-rate 1000 192.168.1.1

nmap --max-retries <n>

Limit max retries

nmap --max-retries 2 192.168.1.1

nmap -f

Fragment packets

nmap -f 192.168.1.1

nmap --mtu <size>

Specify MTU size

nmap --mtu 24 192.168.1.1

nmap -D RND:<n>

Decoy scan

nmap -D RND:5 192.168.1.1

nmap -S <ip>

Spoof source IP

nmap -S 192.168.1.100 192.168.1.1

nmap -g <port>

Specify source port

nmap -g 53 192.168.1.1

nmap --data-length <n>

Append random data to packets

nmap --data-length 25 192.168.1.1

nmap --randomize-hosts

Randomize target host order

nmap --randomize-hosts 192.168.1.0/24

nmap --spoof-mac <mac>

Spoof MAC address

nmap --spoof-mac 0 192.168.1.1

nmap -oN <file>

Save normal output

nmap -oN scan.txt 192.168.1.1

nmap -oX <file>

Save XML output

nmap -oX scan.xml 192.168.1.1

nmap -oG <file>

Save grepable output

nmap -oG scan.gnmap 192.168.1.1

nmap -oA <basename>

Save in all formats

nmap -oA scan 192.168.1.1

nmap -v

Verbose output

nmap -v 192.168.1.1

nmap -vv

Very verbose output

nmap -vv 192.168.1.1

nmap -d

Debug output

nmap -d 192.168.1.1

nmap --reason

Show port state reason

nmap --reason 192.168.1.1

nmap --packet-trace

Show all packets sent/received

nmap --packet-trace 192.168.1.1