Nmap scanning cheatsheet for beginners


This Nmap scanning cheatsheet is a comprehensive guide for absolute beginners. Some useful tricks for practical usage are given at the end of the post, so don't forget to take away a few of the handier commands.

Target Specification

Switch | Example | Description
(none) | nmap <ip> | Scan a single IP
(none) | nmap <ip1> <ip2> | Scan specific IPs
(none) | nmap <ip-range> | Scan a range
(none) | nmap scanme.nmap.org | Scan a domain
(none) | nmap <network>/<prefix> | Scan using CIDR notation
-iL | nmap -iL targets.txt | Scan targets from a file
-iR | nmap -iR 100 | Scan 100 random hosts
--exclude | nmap --exclude <hosts> | Exclude the listed hosts

Scan Techniques

Switch | Example | Description
-sS | nmap -sS | TCP SYN port scan (default)
-sT | nmap -sT | TCP connect port scan (default without root privileges)
-sU | nmap -sU | UDP port scan
-sA | nmap -sA | TCP ACK port scan
-sW | nmap -sW | TCP Window port scan
-sM | nmap -sM | TCP Maimon port scan

Host Discovery

Switch | Example | Description
-sL | nmap -sL | No scan. List targets only
-sn | nmap -sn | Disable port scanning. Host discovery only
-Pn | nmap -Pn | Disable host discovery. Port scan only
-PS | nmap -PS22-25,80 | TCP SYN discovery on port x. Port 80 by default
-PA | nmap -PA22-25,80 | TCP ACK discovery on port x. Port 80 by default
-PU | nmap -PU53 | UDP discovery on port x. Port 40125 by default
-PR | nmap -PR | ARP discovery on the local network
-n | nmap -n | Never do DNS resolution

Port Specification

Switch | Example | Description
-p | nmap -p 21 | Port scan for port x
-p | nmap -p 21-100 | Port range
-p | nmap -p U:53,T:21-25,80 | Port scan multiple TCP and UDP ports
-p- | nmap -p- | Port scan all ports
-p | nmap -p http,https | Port scan by service name
-F | nmap -F | Fast port scan (100 ports)
--top-ports | nmap --top-ports 2000 | Port scan the top x ports
-p- | nmap -p- | Leaving off the initial port in a range makes the scan start at port 1 (so -p- covers 1-65535)
-p0- | nmap -p0- | Leaving off the end port in a range makes the scan go through to port 65535

Service and Version Detection

Switch | Example | Description
-sV | nmap -sV | Attempts to determine the version of the service running on each port
-sV --version-intensity | nmap -sV --version-intensity 8 | Intensity level 0 to 9. A higher number increases the possibility of correctness
-sV --version-light | nmap -sV --version-light | Enable light mode. Lower possibility of correctness. Faster
-sV --version-all | nmap -sV --version-all | Enable intensity level 9. Higher possibility of correctness. Slower
-A | nmap -A | Enables OS detection, version detection, script scanning, and traceroute

OS Detection

Switch | Example | Description
-O | nmap -O | Remote OS detection using TCP/IP stack fingerprinting
-O --osscan-limit | nmap -O --osscan-limit | If at least one open and one closed TCP port are not found, it will not try OS detection against the host
-O --osscan-guess | nmap -O --osscan-guess | Makes Nmap guess more aggressively
-O --max-os-tries | nmap -O --max-os-tries 1 | Set the maximum number x of OS detection tries against a target
-A | nmap -A | Enables OS detection, version detection, script scanning, and traceroute

Timing and Performance

Switch | Example | Description
-T0 | nmap -T0 | Paranoid (0): Intrusion Detection System evasion
-T1 | nmap -T1 | Sneaky (1): Intrusion Detection System evasion
-T2 | nmap -T2 | Polite (2): slows down the scan to use less bandwidth and fewer target machine resources
-T3 | nmap -T3 | Normal (3): the default speed
-T4 | nmap -T4 | Aggressive (4): speeds up scans; assumes you are on a reasonably fast and reliable network
-T5 | nmap -T5 | Insane (5): speeds up scans; assumes you are on an extraordinarily fast network

Advanced timing usage

Switch | Example input | Description
--host-timeout <time> | 1s; 4m; 2h | Give up on the target after this long
--min-rtt-timeout/--max-rtt-timeout/--initial-rtt-timeout <time> | 1s; 4m; 2h | Specifies the probe round-trip time
--min-hostgroup/--max-hostgroup <size> | 50; 1024 | Parallel host scan group sizes
--min-parallelism/--max-parallelism <numprobes> | 10; 1 | Probe parallelization
--scan-delay/--max-scan-delay <time> | 20ms; 2s; 4m; 5h | Adjust the delay between probes
--max-retries <tries> | 3 | Specify the maximum number of port scan probe retransmissions
--min-rate <number> | 100 | Send packets no slower than <number> per second
--max-rate <number> | 100 | Send packets no faster than <number> per second

NSE Scripts

Switch | Example | Description
-sC | nmap -sC | Scan with the default NSE scripts. Considered useful for discovery and safe
--script default | nmap --script default | Scan with the default NSE scripts. Considered useful for discovery and safe
--script | nmap --script=banner | Scan with a single script. Example: banner
--script | nmap --script=http* | Scan with a wildcard. Example: http
--script | nmap --script=http,banner | Scan with two scripts. Example: http and banner
--script | nmap --script "not intrusive" | Scan default, but remove intrusive scripts
--script-args | nmap --script snmp-sysdescr --script-args snmpcommunity=admin | NSE script with arguments

Useful NSE Script Examples

HTTP site map generator:
    nmap -Pn --script=http-sitemap-generator scanme.nmap.org
Fast search for random web servers:
    nmap -n -Pn -p 80 --open -sV -vvv --script banner,http-title -iR 1000
Brute-force DNS hostnames to guess subdomains:
    nmap -Pn --script=dns-brute domain.com
SMB scripts to run:
    nmap -n -Pn -vv -O -sV --script smb-enum*,smb-ls,smb-mbenum,smb-os-discovery,smb-s*,smb-vuln*,smbv2* <ip>
Whois query:
    nmap --script whois* domain.com
Detect cross-site scripting vulnerabilities:
    nmap -p80 --script http-unsafe-output-escaping scanme.nmap.org
Check for SQL injection:
    nmap -p80 --script http-sql-injection scanme.nmap.org

Firewall / IDS Evasion and Spoofing

Switch | Example | Description
-f | nmap -f | Requested scan (including ping scans) uses tiny fragmented IP packets. Harder for packet filters
--mtu | nmap --mtu 32 | Set your own offset size
-D | nmap -D <decoy1>,<decoy2>,<decoy3>,<decoy4> | Send scans from spoofed IPs
-D | nmap -D decoy-ip1,decoy-ip2,your-own-ip,decoy-ip3,decoy-ip4 remote-host-ip | The above example explained
-S | nmap -S www.microsoft.com www.facebook.com | Scan Facebook from Microsoft (-e eth0 -Pn may be required)
-g | nmap -g 53 | Use the given source port number
--proxies | nmap --proxies <proxy1>,<proxy2> | Relay connections through HTTP/SOCKS4 proxies
--data-length | nmap --data-length 200 | Append random data to sent packets

Example IDS Evasion command

nmap -f -T0 -n -Pn --data-length 200 -D <decoy1>,<decoy2>,<decoy3>,<decoy4> <target>

Nmap Output options

Switch | Example | Description
-oN | nmap -oN normal.file | Normal output to the file normal.file
-oX | nmap -oX xml.file | XML output to the file xml.file
-oG | nmap -oG grep.file | Grepable output to the file grep.file
-oA | nmap -oA results | Output in the three major formats at once
-oG - | nmap -oG - | Grepable output to screen. -oN -, -oX - also usable
--append-output | nmap -oN file.file --append-output | Append a scan to a previous scan file
-v | nmap -v | Increase the verbosity level (use -vv or more for greater effect)
-d | nmap -d | Increase the debugging level (use -dd or more for greater effect)
--reason | nmap --reason | Display the reason a port is in a particular state; same output as -vv
--open | nmap --open | Only show open (or possibly open) ports
--packet-trace | nmap -T4 --packet-trace | Show all packets sent and received
--iflist | nmap --iflist | Show the host's interfaces and routes
--resume | nmap --resume results.file | Resume a scan

Helpful Nmap Output examples

Scan for web servers and grep to show which IPs are running them:
    nmap -p80 -sV -oG - --open | grep open
Generate a list of the IPs of live hosts (the XML goes to out.xml; the IPs are cut from the "Nmap scan report for" lines of the normal output on stdout):
    nmap -iR 10 -n -oX out.xml | grep "Nmap scan report" | cut -d " " -f5 > live-hosts.txt
Append IPs to the list of live hosts:
    nmap -iR 10 -n -oX out2.xml | grep "Nmap scan report" | cut -d " " -f5 >> live-hosts.txt
Compare the output of two scans using ndiff:
    ndiff scan1.xml scan2.xml
Convert an Nmap XML file to HTML:
    xsltproc nmap.xml -o nmap.html
Reverse-sorted list of how often ports turn up:
    grep " open " results.nmap | sed -r 's/ +/ /g' | sort | uniq -c | sort -rn | less

Miscellaneous Options

Switch | Example | Description
-6 | nmap -6 2607:f0d0:1002:51::4 | Enable IPv6 scanning
-h | nmap -h | Nmap help screen

Other Useful Nmap Commands

Discovery only on ports x, no port scan:
    nmap -iR 10 -PS22-25,80,113,1050,35000 -v -sn
ARP discovery only on the local network, no port scan:
    nmap -PR -sn -vv
Traceroute to random targets, no port scan:
    nmap -iR 10 -sn --traceroute
Query the internal DNS for hosts, list targets only:
    nmap -sL --dns-server <dns-server> <range>
Version scan with a single retry per port, all three output formats written to /output:
    nmap -Pn -n -sV -vv --max-retries 1 <ip> -oA /output
Two-stage scan: find the open ports among the top 100, then run script and version detection only against those ports (the -p list is built from the first scan's .nmap file):
    ip=<target>; sudo nmap --top-ports 100 -oA scantop100 $ip && sudo nmap -sC -sV -p "$(grep -oE '^[0-9]+' scantop100.nmap | tr '\n' ',' | sed 's/,$//')" -oA scantop100-scripts $ip
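Added example, not code from the original cheatsheet: POSIX shell functions that do the three output-processing jobs used above (list the scanned hosts, build the comma-separated -p list for the two-stage scan, and count how often each open port turns up) on a constructed .nmap normal-output sample. The hosts and ports in the sample are invented; the port-list function goes a little further than the one-liner above by taking only lines that are really open port lines, so filtered ports and stray numbers are not fed into the follow-up scan.

```shell
#!/bin/sh
# Added example, not from the original cheatsheet. Parses Nmap normal
# output (-oN, or the .nmap file written by -oA). The sample below is
# constructed to look like a two-host scan; it is not real scan output.

SAMPLE_NMAP='# Nmap scan initiated (constructed sample)
Nmap scan report for 10.0.0.5
Host is up (0.0012s latency).
Not shown: 97 closed tcp ports (reset)
PORT     STATE    SERVICE
22/tcp   open     ssh
80/tcp   open     http
443/tcp  open     https

Nmap scan report for 10.0.0.6
Host is up (0.0020s latency).
PORT     STATE    SERVICE
22/tcp   open     ssh
3306/tcp filtered mysql
8080/tcp open     http-proxy
# Nmap done (constructed sample)'

# Hosts that got a scan report (the "cut -f5" trick above, restricted to
# the "scan report" lines so the Starting/Done banners do not leak in).
live_hosts() {
    grep '^Nmap scan report for ' | awk '{print $5}'
}

# Comma-separated list of open TCP/UDP ports, ready for a second-stage
# "nmap -sC -sV -p $(...)" run. Only genuine port lines in the open state
# are taken, so "filtered" ports and other lines are not fed back into
# the follow-up scan.
open_port_list() {
    grep -E '^[0-9]+/(tcp|udp) +open' | cut -d/ -f1 \
        | sort -un | tr '\n' ',' | sed 's/,$//'
}

# How often each open port/protocol turns up across all hosts, most
# common first, printed as "port/proto count" (the sort | uniq -c idea).
port_frequency() {
    grep -E '^[0-9]+/(tcp|udp) +open' | awk '{print $1}' \
        | sort | uniq -c | sort -rn | awk '{print $2, $1}'
}

# Stand-alone demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_NMAP" | live_hosts
printf '%s\n' "$SAMPLE_NMAP" | open_port_list; echo
printf '%s\n' "$SAMPLE_NMAP" | port_frequency
```

To use the functions on a real file, replace the printf of the sample with `cat results.nmap`.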

Nmap scanning cheatsheet – Key Points to remember

  • Always skip host discovery and treat my ranges as online (-Pn) – I mean, you are grown up now and you know what you are doing
  • Also never do DNS resolution (-n) because ain't nobody got time for that
  • Switch between SYN scans (-sS) and connect scans (-sT) depending on how the server reacts. Sometimes there's a connection limit, so a SYN scan takes forever since the connections won't be closed
  • Do a service scan (-sV), because this takes almost no time
  • Do a full script scan (-sC), but depending on the network it makes sense to be "not intrusive" (--script="smb* and not intrusive"). And if you are very impatient then set a low script timeout (--script-timeout 5m)
  • Don't forget to do a UDP scan (-sU) – I usually do this in combination with a few top ports (--top-ports) and a script scan including a timeout (-sC --script-timeout 5m)
  • For single boxes (or small networks) I usually do a full port scan (-p-), but for slow boxes or large networks only do a subset (--top-ports=100).
  • To speed things up, try going up to aggressive timing (-T4) or increase parallelism (--min-parallelism 100)
  • If you are busy then try to set timeouts (--host-timeout 1h and --script-timeout 5m) or increase the host group for large networks (--min-hostgroup 64)
