__ _______________________ _________._________________________ / \ / \_ _____/\______ \/ _____/| \__ ___/\_ _____/ \ \/\/ /| __)_ | | _/\_____ \ | | | | | __)_ \ / | \ | | \/ \| | | | | \ \__/\ / /_______ / |______ /_______ /|___| |____| /_______ / \/ \/ \/ \/ \/

nmap Cheatsheet

← Back to cheatsheets

← Home

nmap (Network Mapper) is a network scanning and discovery tool. Used for security auditing, network inventory, and finding open ports and services.

Basic Scans

  • nmap <target> - Basic TCP port scan
  • nmap -sP <target> - Ping scan (host discovery only)
  • nmap -sn <target> - Ping scan without port scan
  • nmap -p <port> <target> - Scan specific port
  • nmap -p- <target> - Scan all ports (1-65535)
  • nmap -p 80,443,8080 <target> - Scan specific ports
  • nmap -p 1-1000 <target> - Scan port range

Scan Types

  • nmap -sS <target> - TCP SYN scan (stealth scan)
  • nmap -sT <target> - TCP connect scan (default)
  • nmap -sU <target> - UDP scan
  • nmap -sA <target> - TCP ACK scan
  • nmap -sN <target> - TCP NULL scan
  • nmap -sF <target> - TCP FIN scan
  • nmap -sX <target> - TCP Xmas scan
  • nmap -sW <target> - TCP Window scan
  • nmap -sM <target> - TCP Maimon scan

Timing and Performance

  • nmap -T0 <target> - Paranoid (slowest, most stealth)
  • nmap -T1 <target> - Sneaky
  • nmap -T2 <target> - Polite
  • nmap -T3 <target> - Normal (default)
  • nmap -T4 <target> - Aggressive
  • nmap -T5 <target> - Insane (fastest)
  • nmap --min-rate <rate> <target> - Minimum packet rate
  • nmap --max-rate <rate> <target> - Maximum packet rate

Host Discovery

  • nmap -sn <target> - Ping scan (no port scan)
  • nmap -Pn <target> - Skip host discovery (assume host is up)
  • nmap -PS <port> <target> - TCP SYN ping
  • nmap -PA <port> <target> - TCP ACK ping
  • nmap -PU <port> <target> - UDP ping
  • nmap -PE <target> - ICMP echo ping
  • nmap -PP <target> - ICMP timestamp ping
  • nmap -PR <target> - ARP ping (local network)

Service and Version Detection

  • nmap -sV <target> - Version detection
  • nmap -sV --version-intensity <0-9> <target> - Version intensity
  • nmap -sC <target> - Default scripts (safe)
  • nmap --script <script> <target> - Run specific script
  • nmap --script-updatedb - Update script database
  • nmap --script-help <script> - Script help

Operating System Detection

  • nmap -O <target> - OS detection
  • nmap -O --osscan-guess <target> - Aggressive OS detection
  • nmap -A <target> - Aggressive scan (OS, version, script, traceroute)

Output Options

  • nmap -oN <file> <target> - Normal output to file
  • nmap -oX <file> <target> - XML output to file
  • nmap -oS <file> <target> - Script kiddie output
  • nmap -oG <file> <target> - Grepable output
  • nmap -oA <basename> <target> - All formats (normal, XML, grepable)
  • nmap -v <target> - Verbose output
  • nmap -vv <target> - Very verbose output
  • nmap -d <target> - Debug output
  • nmap -dd <target> - More debug output

Common Scan Scripts

  • nmap --script vuln <target> - Vulnerability scripts
  • nmap --script auth <target> - Authentication scripts
  • nmap --script brute <target> - Brute force scripts
  • nmap --script discovery <target> - Discovery scripts
  • nmap --script dos <target> - Denial of service scripts
  • nmap --script exploit <target> - Exploit scripts
  • nmap --script safe <target> - Safe scripts (default)
  • nmap --script http-enum <target> - HTTP enumeration
  • nmap --script ssh-brute <target> - SSH brute force

Useful Scan Examples

Quick Scan

nmap -sn 192.168.1.0/24

Ping scan of local network.

Comprehensive Scan

nmap -sS -sV -O -A -p- <target>

Stealth scan with version detection, OS detection, and all ports.

Fast Scan

nmap -F -T4 <target>

Fast scan of top 100 ports.

Stealth Scan

nmap -sS -T2 <target>

Slower SYN scan to avoid detection.

Service Detection

nmap -sV -p 80,443,8080 <target>

Version detection on common web ports.

Target Specification

  • nmap 192.168.1.1 - Single IP
  • nmap 192.168.1.1-100 - IP range
  • nmap 192.168.1.0/24 - CIDR notation
  • nmap -iL <file> - Target list from file
  • nmap example.com - Hostname
  • nmap 192.168.1.1 192.168.1.2 - Multiple targets

Firewall Evasion

  • nmap -f <target> - Fragment packets
  • nmap -D <decoy1,decoy2> <target> - Use decoy hosts
  • nmap -S <source_ip> <target> - Spoof source IP
  • nmap -e <interface> <target> - Use specific interface
  • nmap -g <port> <target> - Use source port
  • nmap --proxies <proxy> <target> - Use proxy
  • nmap --data-length <num> <target> - Add random data

Configuration

Config File Location

  • `~/.nmaprc` - User configuration file
  • `/etc/nmap/nmap.conf` - System configuration file

Example Configuration

# Default scan type
-oA /tmp/nmap-scan
# Default port list
--top-ports 1000

Tips

  • Use -sS (SYN scan) for stealth when possible (requires root)
  • Use -T4 for faster scans on trusted networks
  • Use -sV to identify services and versions
  • Use --script for automated vulnerability checks
  • Use -oA to save results in multiple formats
  • Always use nmap responsibly and only on networks you own/have permission
  • Use -sn for quick host discovery without port scanning
  • Use -p to target specific ports (saves time)
  • Use CIDR notation for network scanning: 192.168.1.0/24
  • Save output with -oA for later analysis
  • Combine scan options: -sS -sV -O for comprehensive scan
  • Use --script-help to learn about available scripts
  • Be aware of scan timing (T0-T5) to avoid detection or overload
  • Use -Pn when hosts block ping

← Back to cheatsheets

← Home