Wednesday, July 18, 2018

Nmap Cheat Sheet

Thanks to Yuval (tisf) Nativ for concatenating a bunch of other cheat sheets to produce the basis of this one. I intend to add to this as time, research and experimentation allows. For more info on any of these, the best reference is the original, by the creator of Nmap (Fyodor) - the reference guide (chapter 15 of his book, which I own and so should you!) is here.

Testing of these commands can be done against a target in your local network (e.g. 192.168.1.5), against your localhost (i.e. 127.0.0.1) or against a legitimate testing target such as scanme.insecure.org. Be careful about using these commands to scan live domains that are not testing targets!

Basic Scanning

Scan a single target                          nmap [target]
Scan multiple targets (space separated)       nmap [target1] [target2] ...
Scan a list of targets from a file            nmap -iL [list.txt]
Scan a range of hosts                         nmap [range of IP addresses]
Scan an entire subnet                         nmap [IP address/cidr]
Scan random hosts                             nmap -iR [number]
Exclude targets from a scan                   nmap [targets] --exclude [targets]
Exclude targets listed in a file              nmap [targets] --excludefile [list.txt]
Aggressive scan (-O, -sV, -sC, --traceroute)  nmap -A [target]
Scan an IPv6 target                           nmap -6 [target]
Scan specific ports                           nmap -p [port1,port2,...] [target]
Fast scan (100 most common ports only)        nmap -F [target]

Discovery Options

Ping scan only (no port scan)                 nmap -sn [target]   (older spelling: -sP)
Skip host discovery, don't ping               nmap -Pn [target]   (older spelling: -PN)
TCP SYN ping                                  nmap -PS [target]
TCP ACK ping                                  nmap -PA [target]
UDP ping                                      nmap -PU [target]
SCTP INIT ping                                nmap -PY [target]
ICMP echo ping                                nmap -PE [target]
ICMP timestamp ping                           nmap -PP [target]
ICMP address mask ping                        nmap -PM [target]
IP protocol ping                              nmap -PO [target]
ARP ping (local network only)                 nmap -PR [target]
Traceroute                                    nmap --traceroute [target]
Force reverse DNS resolution                  nmap -R [target]
Disable reverse DNS resolution                nmap -n [target]
Use the system's DNS resolver                 nmap --system-dns [target]
Manually specify DNS servers                  nmap --dns-servers [servers] [target]
List targets without scanning (list scan)     nmap -sL [targets]

Advanced Scanning

SYN scan (half-open, the default as root)     nmap -sS [target]
TCP connect() scan (full open scan)           nmap -sT [target]
FIN scan                                      nmap -sF [target]
Xmas scan (sets FIN, PSH, URG flags)          nmap -sX [target]
Null scan (no flags set)                      nmap -sN [target]
Version detection                             nmap -sV [target]
UDP scan                                      nmap -sU [target]
IP protocol scan                              nmap -sO [target]
ACK scan (firewall rule mapping)              nmap -sA [target]
Window scan                                   nmap -sW [target]
RPC scan                                      nmap -sR [target]
Idle scan                                     nmap -sI [zombie] [target]
FTP bounce scan                               nmap -b [ftp relay host] [target]
Scan with specified TCP flags set             nmap --scanflags [flags] [targets]

Firewall Evasion

Fragment packets                              nmap -f [target]
Set a specific MTU                            nmap --mtu [MTU] [target]
Cloak the scan with random decoys             nmap -D RND:[number] [target]
Idle zombie scan                              nmap -sI [zombie] [target]
Manually specify a source port                nmap --source-port [port] [target]
Append random data to sent packets            nmap --data-length [size] [target]
Randomize target scan order                   nmap --randomize-hosts [targets]
Spoof MAC address (0 = random)                nmap --spoof-mac [MAC|0|vendor] [target]
Send packets with bad checksums               nmap --badsum [target]

OS and Version Detection

Operating system detection                    nmap -O [target]
Guess the OS aggressively when no exact match nmap -O --osscan-guess [target]
Service version detection                     nmap -sV [target]
Troubleshoot version scans (trace probes)     nmap -sV --version-trace [target]
Perform an RPC scan                           nmap -sR [target]

Output Options

Verbose output                                nmap -v [target]
Save output to a text file                    nmap -oN [scan.txt] [target]
Save output to an XML file                    nmap -oX [scan.xml] [target]
Grepable output                               nmap -oG [scan.txt] [target]
Output all supported file types at once       nmap -oA [path/filename] [target]
Periodically display statistics               nmap --stats-every [time] [target]
Script kiddie (l33t) output                   nmap -oS [scan.txt] [target]

Troubleshooting

Simple help                                   nmap -h
Advanced help                                 man nmap
Nmap version info                             nmap -V
Debugging (higher number = more detail)       nmap -d[number] [target]
Show the reason for each port state           nmap --reason [target]
Print interfaces and routes                   nmap --iflist

Ndiff

Compare two XML scans using Ndiff             ndiff [scan1.xml] [scan2.xml]
Ndiff verbose mode                            ndiff -v [scan1.xml] [scan2.xml]
Ndiff XML output mode                         ndiff --xml [scan1.xml] [scan2.xml]
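Ndiff compares two -oX files and reports what changed between them, which is also the basis of a simple baseline check on hosts you administer: scan once, keep the XML, rescan later and alert on ports that opened or hosts that appeared. The script below is an added example, not part of the original cheat sheet or of the Nmap project; it implements a stripped-down version of that comparison over two constructed Nmap XML documents embedded inline, so it runs offline without Nmap installed.

```python
"""Compare two Nmap -oX scan files and report port-state drift.

Added example: a reduced version of what `ndiff` does, written here to
show the XML fields a baseline-vs-current check needs. Both XML
documents below are constructed samples in the shape `nmap -oX`
produces (hypothetical hosts and ports, not real scan results).
"""
import xml.etree.ElementTree as ET

BASELINE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -oX baseline.xml 192.168.1.0/24" version="7.80">
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="192.168.1.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http"/></port>
      <port protocol="tcp" portid="3306"><state state="filtered" reason="no-response"/><service name="mysql"/></port>
    </ports>
  </host>
</nmaprun>
"""

CURRENT_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -oX current.xml 192.168.1.0/24" version="7.80">
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="192.168.1.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="closed" reason="reset"/><service name="http"/></port>
      <port protocol="tcp" portid="3306"><state state="open" reason="syn-ack"/><service name="mysql"/></port>
      <port protocol="tcp" portid="8080"><state state="open" reason="syn-ack"/><service name="http-proxy"/></port>
    </ports>
  </host>
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="192.168.1.7" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="445"><state state="open" reason="syn-ack"/><service name="microsoft-ds"/></port>
    </ports>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="192.168.1.9" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


def parse_scan(xml_text):
    """Return {(addr, protocol, port): (state, service_name)} for hosts that are up."""
    root = ET.fromstring(xml_text)
    result = {}
    for host in root.iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # down hosts carry no <ports> element; skip them
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            addr_el = host.find("address")  # fall back to IPv6 / MAC entries
        if addr_el is None:
            continue
        addr = addr_el.get("addr")
        for port in host.iter("port"):
            key = (addr, port.get("protocol"), int(port.get("portid")))
            state = port.find("state").get("state")
            svc = port.find("service")
            result[key] = (state, svc.get("name", "") if svc is not None else "")
    return result


def diff_scans(old, new):
    """Classify drift between two parsed scans (hosts and open ports)."""
    old_hosts = {k[0] for k in old}
    new_hosts = {k[0] for k in new}
    newly_open, newly_closed = [], []
    for key, (state, name) in new.items():
        old_state = old.get(key, ("unknown", ""))[0]
        if state == "open" and old_state != "open":
            newly_open.append(key + (name,))        # new listening service
        elif state != "open" and old_state == "open":
            newly_closed.append(key + (name,))      # service went away
    for key, (state, name) in old.items():
        # Open before, not reported now, host still up: treat as closed.
        if state == "open" and key not in new and key[0] in new_hosts:
            newly_closed.append(key + (name,))
    return {
        "new_hosts": sorted(new_hosts - old_hosts),
        "gone_hosts": sorted(old_hosts - new_hosts),
        "newly_open": sorted(newly_open),
        "newly_closed": sorted(newly_closed),
    }


if __name__ == "__main__":
    changes = diff_scans(parse_scan(BASELINE_XML), parse_scan(CURRENT_XML))
    for kind, items in changes.items():
        for item in items:
            print(f"{kind:13s} {item}")
```

Against real scans, read the two files with open(...).read() in place of the embedded strings and run both scans with the same port specification, otherwise a port absent from the second file is indistinguishable from one that was never probed.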

Nmap Scripting Engine (NSE)

Execute an individual script                  nmap --script [script.nse] [target]
Execute multiple scripts (expression)         nmap --script [expression] [target]
Execute scripts by category                   nmap --script [category] [target]
Execute multiple script categories            nmap --script [category1,category2,...] [target]
Troubleshoot scripts (trace script traffic)   nmap --script [script] --script-trace [target]
Update the script database                    nmap --script-updatedb
Script categories (a selection):
  • all
  • auth
  • default
  • discovery
  • external
  • intrusive
  • malware
  • safe
  • vuln

