Nmap Cheatsheet


Full command examples

# Ping scan (-sP is the legacy spelling of -sn)
nmap -sP

# Quick scan
nmap -T4 -F -vvv

# Quick scan plus (more info but more aggressive)
nmap -sV -T4 -O -F --version-light -vvv

# TCP SYN and UDP scan (requires root)
nmap -sS -sU -Pn -p T:80,T:445,U:161

# Soft nmap
nmap -v -Pn -n -T4 -sT -sV --version-intensity=5 --reason

# Full nmap
nmap -v -Pn -n -T4 -sT -p- --reason

# Dedicated nmap
nmap -v -Pn -n -T4 -sV --version-intensity=5 -sT -p T:ports_found --reason <IP>
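An added worked example, not part of the original cheatsheet, that chains the "Full nmap" and "Dedicated nmap" commands above: the full port scan writes grepable output (-oG), the open TCP ports are parsed out of its Ports: line, and they replace the ports_found placeholder in the service-version scan. The sample -oG line, the function names and the 192.0.2.10 address are constructed for the example; the real scan only runs when RUN_SCAN=1 is set.

```shell
#!/bin/sh
# Added example, not part of the original cheatsheet.
# Step 1: "Full nmap" with grepable output (-oG) so the result can be parsed.
# Step 2: pull the open TCP ports out of the -oG "Ports:" line.
# Step 3: "Dedicated nmap" service scan with those ports in place of ports_found.

# Read -oG output on stdin; print open TCP ports as "22,80" ready for -p.
# A -oG port entry looks like 80/open/tcp//http//nginx/ (port/state/proto/...).
extract_open_ports() {
    awk 'BEGIN { FS = "\t" } /Ports:/ { for (i = 1; i <= NF; i++) if ($i ~ /^Ports: /) print substr($i, 8) }' \
    | tr ',' '\n' \
    | awk -F/ '$2 == "open" && $3 == "tcp" { sub(/^ +/, "", $1); print $1 }' \
    | sort -n -u \
    | paste -s -d, -
}

# Build the "Dedicated nmap" command line for a target ($1) and its open ports ($2).
dedicated_scan_cmd() {
    printf 'nmap -v -Pn -n -T4 -sV --version-intensity=5 -sT -p T:%s --reason %s\n' "$2" "$1"
}

# Constructed -oG host line (tab-separated fields) so the parser can be checked offline.
# Note the closed port and the open|filtered UDP port, which must both be left out.
SAMPLE_GNMAP=$(printf 'Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 80/open/tcp//http//nginx/, 443/closed/tcp//https///, 161/open|filtered/udp//snmp///\tIgnored State: filtered (996)')

# Run the real two-stage scan only when explicitly asked (RUN_SCAN=1 TARGET=host).
if [ "${RUN_SCAN:-0}" = "1" ]; then
    TARGET="${TARGET:-192.0.2.10}"   # 192.0.2.0/24 is a documentation range; replace it
    nmap -v -Pn -n -T4 -sT -p- --reason -oG full.gnmap "$TARGET"
    PORTS=$(extract_open_ports < full.gnmap)
    if [ -n "$PORTS" ]; then
        eval "$(dedicated_scan_cmd "$TARGET" "$PORTS")"
    else
        echo "no open TCP ports found on $TARGET"
    fi
else
    # Offline demonstration on the constructed sample: prints "22,80" and the command.
    PORTS=$(echo "$SAMPLE_GNMAP" | extract_open_ports)
    echo "$PORTS"
    dedicated_scan_cmd 192.0.2.10 "$PORTS"
fi
```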

Target specification

# Single host, exclusion, or a list of targets from a file
nmap google.com
nmap --exclude 192.168.1.1
nmap -iL targets.txt

Scan techniques

# TCP SYN port scan (default, root needed)
nmap -sS

# TCP CONNECT port scan (default without root privilege)
# Requires a full three-way handshake, so it is slower and noisier
nmap -sT

# UDP port scan
nmap -sU

# ACK scan (maps firewall rules: filtered vs. unfiltered, not open vs. closed)
nmap -sA

# Window scan (like ACK, but can tell open from closed on some systems)
nmap -sW

# Null scan (no TCP flags set; may slip past stateless filters)
nmap -sN

# Ping scan (legacy spelling of -sn)
nmap -sP

Host discovery

# List scan: no probes sent, only lists the targets (and resolves their hostnames)
nmap -sL

# Disable port scanning, only host discovery
nmap -sn

# Disable host discovery, only port scanning; useful when a firewall blocks ping
nmap -Pn

# Disable DNS resolution
nmap -n

Services, ports and OS (fingerprinting)

# Single port, range, per-protocol list, or service names from nmap-services
nmap -p 20
nmap -p 20-100
nmap -p U:53,T:25-100
nmap -p http,https

# All ports
nmap -p-

# Fast port scan (100 most common ports)
nmap -F

# Scan the X most common ports
nmap --top-ports 2000

# Try to get service version
nmap -sV

# Version probe intensity from 0 (light) to 9 (try every probe)
nmap -sV --version-intensity 3

# Light mode (intensity 2): faster, but may miss the version
nmap -sV --version-light

# Equivalent to --version-intensity 9: every probe is tried, slowest
nmap -sV --version-all

# Aggressive mode (OS Detection, version, script, traceroute)
nmap -A

# OS detection using TCP/IP stack fingerprinting
nmap -O

# Skip OS detection on hosts without at least one open and one closed port
nmap -O --osscan-limit

# Guess the OS more aggressively when there is no exact match
nmap -O --osscan-guess

# Set the maximum number of OS detection attempts against a target
nmap -O --max-os-tries 2

NSE Scripts

# Default script scanning, considered safe
nmap -sC
nmap --script default

# Run a specific script (or category); pass script arguments with --script-args
nmap --script=xxx
nmap --script=xxx --script-args xx=xx

# Run every script outside the intrusive category (boolean expressions are allowed)
nmap --script "not intrusive"


Scan speed

# T0-T1 : Slow (useful for Intrusion Detection System evasion)
# T2-T3 : Normal
# T4-T5 : Aggressive (needs a reliable and fast network)
nmap -T0

# Give up on a host after this long
nmap --host-timeout 10s

# Delay between probes
nmap --scan-delay 1s
nmap --max-scan-delay 2s

# Cap the number of probe retransmissions per port
nmap --max-retries 3

# Send no slower (--min-rate) or no faster (--max-rate) than 100 packets/second
nmap --min-rate 100
nmap --max-rate 100

# If you need to scan a large network in a short period of time,
# set a timeout per host (units ms, s, m, h; a bare number is seconds)
nmap --host-timeout <time>

Evading IDS

# Tiny fragmented packets
nmap -f

# Set your own fragment size (must be a multiple of 8)
nmap --mtu 32

# Cloak the scan with decoy source addresses (ME marks your real address)
nmap -D <decoy1>,<decoy2>,ME

# Spoof the source address: replies go to the spoofed host, so you will not see
# results, and -e <interface> plus -Pn are usually needed for nmap to send at all
nmap -S www.microsoft.com www.facebook.com

# Use a specific source port
nmap -g 53

# Relay connections through a chain of HTTP/SOCKS4 proxies
nmap --proxies http://X.X.X.X:8080

# Append random data to sent packets
nmap --data-length 200

Output

# Save result (oN=normal oX=xml oG=grepable oA=all)
nmap -oN scanResult.file

# Verbosity level (one v or more) and debugging level
nmap -vvvvvv
nmap -ddd

# Show the reason for each port and host state (enabled automatically by -d)
nmap --reason

# Show only open ports
nmap --open

# Show all packets sent and received
nmap --packet-trace

# Show the host interface and routes
nmap --iflist

# Resume an aborted scan from its normal (-oN) or grepable (-oG) output file
nmap --resume scan.file