Nmap scanning cheatsheet for beginners


This nmap scanning cheatsheet is a comprehensive guide for absolute beginners. A few useful tricks for practical usage are collected at the end of the post; don't leave without taking some of those commands with you.


Target Specification

Switch | Example | Description
(none) | nmap 192.168.1.1 | Scan a single IP
(none) | nmap 192.168.1.1 192.168.2.1 | Scan specific IPs
(none) | nmap 192.168.1.1-254 | Scan a range
(none) | nmap scanme.nmap.org | Scan a domain
(none) | nmap 192.168.1.0/24 | Scan using CIDR notation
-iL | nmap -iL targets.txt | Scan targets from a file
-iR | nmap -iR 100 | Scan 100 random hosts
--exclude | nmap --exclude 192.168.1.1 | Exclude listed hosts

Scan Techniques

Switch | Example | Description
-sS | nmap 192.168.1.1 -sS | TCP SYN port scan (default when run as root; never completes the handshake)
-sT | nmap 192.168.1.1 -sT | TCP connect port scan (default without root privilege; full handshake, so it shows up in application logs)
-sU | nmap 192.168.1.1 -sU | UDP port scan
-sA | nmap 192.168.1.1 -sA | TCP ACK port scan (maps firewall rules, does not find open ports)
-sW | nmap 192.168.1.1 -sW | TCP Window port scan
-sM | nmap 192.168.1.1 -sM | TCP Maimon port scan

Host Discovery

Switch | Example | Description
-sL | nmap 192.168.1.1-3 -sL | No scan. List targets only
-sn | nmap 192.168.1.1/24 -sn | Disable port scanning. Host discovery only
-Pn | nmap 192.168.1.1-5 -Pn | Disable host discovery. Port scan only (every target is treated as up)
-PS | nmap 192.168.1.1-5 -PS22-25,80 | TCP SYN discovery on port x. Port 80 by default
-PA | nmap 192.168.1.1-5 -PA22-25,80 | TCP ACK discovery on port x. Port 80 by default
-PU | nmap 192.168.1.1-5 -PU53 | UDP discovery on port x. Port 40125 by default
-PR | nmap 192.168.1.1/24 -PR | ARP discovery on the local network
-n | nmap 192.168.1.1 -n | Never do DNS resolution

Port Specification

Switch | Example | Description
-p | nmap 192.168.1.1 -p 21 | Port scan for port x
-p | nmap 192.168.1.1 -p 21-100 | Port range
-p | nmap 192.168.1.1 -p U:53,T:21-25,80 | Port scan multiple TCP and UDP ports
-p- | nmap 192.168.1.1 -p- | Port scan all ports (1-65535)
-p | nmap 192.168.1.1 -p http,https | Port scan by service name
-F | nmap 192.168.1.1 -F | Fast port scan (100 most common ports)
--top-ports | nmap 192.168.1.1 --top-ports 2000 | Port scan the top x ports
-p- | nmap 192.168.1.1 -p- | Leaving off the initial port in a range makes the scan start at port 1; leaving off the end port makes it go through to port 65535
-p0- | nmap 192.168.1.1 -p0- | Same, but starting at port 0 (0-65535)

Service and Version Detection

Switch | Example | Description
-sV | nmap 192.168.1.1 -sV | Attempts to determine the version of the service running on each open port
-sV --version-intensity | nmap 192.168.1.1 -sV --version-intensity 8 | Intensity level 0 to 9. A higher number sends more probes, which improves the chance of a correct match but is slower
-sV --version-light | nmap 192.168.1.1 -sV --version-light | Light mode (intensity 2). Lower chance of a correct match, faster
-sV --version-all | nmap 192.168.1.1 -sV --version-all | Intensity level 9. Higher chance of a correct match, slower
-A | nmap 192.168.1.1 -A | Enables OS detection, version detection, script scanning, and traceroute

OS Detection

Switch | Example | Description
-O | nmap 192.168.1.1 -O | Remote OS detection using TCP/IP stack fingerprinting
-O --osscan-limit | nmap 192.168.1.1 -O --osscan-limit | Only attempt OS detection against hosts with at least one open and one closed TCP port (skips hosts that cannot be fingerprinted reliably)
-O --osscan-guess | nmap 192.168.1.1 -O --osscan-guess | Makes Nmap guess more aggressively when there is no perfect match
-O --max-os-tries | nmap 192.168.1.1 -O --max-os-tries 1 | Set the maximum number x of OS detection tries against a target
-A | nmap 192.168.1.1 -A | Enables OS detection, version detection, script scanning, and traceroute

Timing and Performance

Switch | Example | Description
-T0 | nmap 192.168.1.1 -T0 | Paranoid (0): Intrusion Detection System evasion, extremely slow
-T1 | nmap 192.168.1.1 -T1 | Sneaky (1): Intrusion Detection System evasion
-T2 | nmap 192.168.1.1 -T2 | Polite (2): slows down the scan to use less bandwidth and fewer target machine resources
-T3 | nmap 192.168.1.1 -T3 | Normal (3): the default speed
-T4 | nmap 192.168.1.1 -T4 | Aggressive (4): speeds scans up; assumes you are on a reasonably fast and reliable network
-T5 | nmap 192.168.1.1 -T5 | Insane (5): speeds scans up further; assumes an extraordinarily fast network and may sacrifice accuracy

Advanced timing usage

Switch | Example input | Description
--host-timeout <time> | 1s; 4m; 2h | Give up on a target after this long
--min-rtt-timeout/--max-rtt-timeout/--initial-rtt-timeout <time> | 1s; 4m; 2h | Bounds on the probe round-trip timeout
--min-hostgroup/--max-hostgroup <size> | 50; 1024 | Parallel host scan group sizes
--min-parallelism/--max-parallelism <numprobes> | 10; 1 | Probe parallelization
--scan-delay/--max-scan-delay <time> | 20ms; 2s; 4m; 5h | Adjust the delay between probes
--max-retries <tries> | 3 | Maximum number of port scan probe retransmissions
--min-rate <number> | 100 | Send packets no slower than <number> per second
--max-rate <number> | 100 | Send packets no faster than <number> per second

NSE Scripts

Switch | Example | Description
-sC | nmap 192.168.1.1 -sC | Scan with the default NSE scripts. Considered useful for discovery and safe
--script default | nmap 192.168.1.1 --script default | Same as -sC
--script | nmap 192.168.1.1 --script=banner | Scan with a single script, here banner
--script | nmap 192.168.1.1 --script=http* | Scan with a wildcard, here every script starting with http
--script | nmap 192.168.1.1 --script=http,banner | Scan with two selections, here the http category and the banner script
--script | nmap 192.168.1.1 --script "not intrusive" | Run every script not in the intrusive category (a large set; use "default and not intrusive" to keep only the safe part of the default set)
--script-args | nmap --script snmp-sysdescr --script-args snmpcommunity=admin 192.168.1.1 | NSE script with arguments

Useful NSE Script Examples

Command | Description
nmap -Pn --script=http-sitemap-generator scanme.nmap.org | HTTP site map generator
nmap -n -Pn -p 80 --open -sV -vvv --script banner,http-title -iR 1000 | Fast search for random web servers
nmap -Pn --script=dns-brute domain.com | Brute-force DNS hostnames to guess subdomains
nmap -n -Pn -vv -O -sV --script smb-enum*,smb-ls,smb-mbenum,smb-os-discovery,smb-s*,smb-vuln*,smbv2* 192.168.1.1 | Broad SMB enumeration. Not all of these are safe: some smb-vuln* scripts are tagged intrusive or dos and can crash an unpatched host
nmap --script whois* domain.com | Whois query (whois-domain and whois-ip)
nmap -p80 --script http-unsafe-output-escaping scanme.nmap.org | Spider the site for input reflected without escaping (possible cross-site scripting)
nmap -p80 --script http-sql-injection scanme.nmap.org | Spider the site and check URL parameters for SQL injection errors

Firewall / IDS Evasion and Spoofing

Switch | Example | Description
-f | nmap 192.168.1.1 -f | The requested scan (including ping scans) uses tiny fragmented IP packets. Harder for packet filters
--mtu | nmap 192.168.1.1 --mtu 32 | Set your own fragment size (must be a multiple of 8)
-D | nmap -D 192.168.1.101,192.168.1.102,192.168.1.103,192.168.1.23 192.168.1.1 | Send scans from spoofed decoy IPs alongside your own
-D | nmap -D decoy-ip1,decoy-ip2,your-own-ip,decoy-ip3,decoy-ip4 remote-host-ip | The example above explained: your real address sits somewhere in the decoy list (ME can be used for it)
-S | nmap -S www.microsoft.com www.facebook.com | Scan Facebook with Microsoft's address as the spoofed source (-e eth0 -Pn may be required). Replies go to the spoofed address, so you will not see results
-g | nmap -g 53 192.168.1.1 | Use the given source port number
--proxies | nmap --proxies http://192.168.1.1:8080,http://192.168.1.2:8080 192.168.1.1 | Relay connections through HTTP/SOCKS4 proxies (only version detection and NSE traffic uses the proxy; raw-packet scans do not)
--data-length | nmap --data-length 200 192.168.1.1 | Append random data to sent packets

Example IDS Evasion command

nmap -f -T0 -n -Pn --data-length 200 -D 192.168.1.101,192.168.1.102,192.168.1.103,192.168.1.23 192.168.1.1

Nmap Output options

Switch | Example | Description
-oN | nmap 192.168.1.1 -oN normal.file | Normal output to the file normal.file
-oX | nmap 192.168.1.1 -oX xml.file | XML output to the file xml.file
-oG | nmap 192.168.1.1 -oG grep.file | Grepable output to the file grep.file
-oA | nmap 192.168.1.1 -oA results | Output in the three major formats at once (results.nmap, results.xml, results.gnmap)
-oG - | nmap 192.168.1.1 -oG - | Grepable output to screen. -oN - and -oX - also work
--append-output | nmap 192.168.1.1 -oN file.file --append-output | Append a scan to a previous scan file
-v | nmap 192.168.1.1 -v | Increase the verbosity level (use -vv or more for greater effect)
-d | nmap 192.168.1.1 -d | Increase the debugging level (use -dd or more for greater effect)
--reason | nmap 192.168.1.1 --reason | Display the reason a port is in a particular state (also enabled by -d)
--open | nmap 192.168.1.1 --open | Only show open (or possibly open) ports
--packet-trace | nmap 192.168.1.1 -T4 --packet-trace | Show all packets sent and received
--iflist | nmap --iflist | Show the host's interfaces and routes
--resume | nmap --resume results.file | Resume an aborted scan from its normal (-oN) or grepable (-oG) output file

Helpful Nmap Output examples

Command | Description
nmap -p80 -sV -oG - --open 192.168.1.1/24 | grep open | Scan for web servers and grep to show which IPs are running them
nmap -iR 10 -n -oX out.xml | grep "Nmap" | cut -d " " -f5 > live-hosts.txt | Generate a list of the IPs of live hosts
nmap -iR 10 -n -oX out2.xml | grep "Nmap" | cut -d " " -f5 >> live-hosts.txt | Append IPs to the list of live hosts
ndiff scan1.xml scan2.xml | Compare two XML outputs using ndiff
xsltproc nmap.xml -o nmap.html | Convert nmap XML files to HTML files
grep " open " results.nmap | sed -r 's/ +/ /g' | sort | uniq -c | sort -rn | less | Reverse-sorted list of how often each open port turns up
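The "| grep open" one-liners above work, but they break as soon as a line carries more than one port or you need the version string. Below is an added example (not part of the original post, and not nmap's own tooling) that parses grepable (-oG) output field by field. The sample report it is run on is constructed for this example, not captured from a real network, and the addresses in it are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: a small parser for grepable (-oG)
# output. The sample report below is constructed for this example; nothing here
# was captured from a real network.

# Print "ip port proto service version" for each open port in a -oG file.
# Grepable fields are tab-separated; the Ports field lists entries as
# port/state/proto/owner/service/rpcinfo/version/ separated by ", ".
open_services() {
    awk -F'\t' '
        /^Host:/ {
            split($1, h, " ")
            ip = h[2]
            for (i = 2; i <= NF; i++) {
                if ($i !~ /^Ports:/) continue
                sub(/^Ports: */, "", $i)
                n = split($i, entries, ", ")
                for (j = 1; j <= n; j++) {
                    split(entries[j], f, "/")
                    if (f[2] == "open") print ip, f[1], f[3], f[5], f[7]
                }
            }
        }' "$1"
}

# Hosts that have the given TCP port open, one per line.
hosts_with_open_port() {
    open_services "$2" | awk -v port="$1" '$2 == port && $3 == "tcp" { print $1 }'
}

# Constructed sample of what "nmap -p 22,80,443 -sV --open -oG -" prints
# (placeholder hosts; the third line is a host with no scanned ports).
SAMPLE_OG=$(mktemp)
{
    printf 'Host: 192.168.1.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.2p1/, 80/open/tcp//http//nginx 1.18.0/\tIgnored State: closed (998)\n'
    printf 'Host: 192.168.1.7 ()\tPorts: 80/filtered/tcp//http///, 443/open/tcp//https//Apache httpd 2.4.41/\tIgnored State: closed (998)\n'
    printf 'Host: 192.168.1.9 ()\tStatus: Up\n'
} > "$SAMPLE_OG"

hosts_with_open_port 80 "$SAMPLE_OG"    # 192.168.1.5
open_services "$SAMPLE_OG"
```

Note that a port listed as filtered (192.168.1.7:80 in the sample) is dropped, whereas a bare "grep open" on the same line would have matched it because of the open 443 entry further along.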

Miscellaneous Options

Switch | Example | Description
-6 | nmap -6 2607:f0d0:1002:51::4 | Enable IPv6 scanning
-h | nmap -h | nmap help screen

Other Useful Nmap Commands

Command | Description
nmap -iR 10 -PS22-25,80,113,1050,35000 -v -sn | Discovery only on ports x, no port scan
nmap 192.168.1.1/24 -PR -sn -vv | ARP discovery only on the local network, no port scan
nmap -iR 10 -sn --traceroute | Traceroute to random targets, no port scan
nmap 192.168.1.1-50 -sL --dns-server 192.168.1.1 | Query the internal DNS for hosts, list targets only
nmap -Pn -n -sV -vv --max-retries 1 <ip> -oA /output | Quick version scan with a single probe retransmission, all three output formats with basename /output
ip=10.10.10.27; sudo nmap --top-ports 100 -oA scantop100 $ip && sudo nmap -sC -sV -p "$(grep -oP '^[0-9]+(?=/tcp\s+open\b)' scantop100.nmap | tr '\n' ',' | sed 's/,$//')" -oA scantop100-scripts $ip | Scan the top 100 ports, then run default scripts and version detection only against the TCP ports found open. The second -oA basename must differ from the first or the first results are overwritten

Nmap scanning cheatsheet – Key Points to remember

  • Skip host discovery and treat the whole range as online (-Pn). You are grown up now and know what you are doing, so don't let a dropped ping hide a host
  • Never do DNS resolution (-n); nobody has time for reverse lookups
  • Switch between SYN scans (-sS) and connect scans (-sT) depending on how the target reacts. A SYN scan never completes the handshake, and a target with a connection limit can choke on the half-open connections, so a scan that crawls with -sS may run fine with -sT, which completes and closes every connection
  • Run a service scan (-sV); on the handful of ports that are actually open it adds little time
  • Run the default scripts (-sC). Depending on the network it makes sense to stay "not intrusive" (--script="smb* and not intrusive"), and if you are impatient set a low script timeout (--script-timeout 5m)
  • Don't forget a UDP scan (-sU). A full one is slow, so combine it with a few top ports (--top-ports) and a script scan with a timeout (-sC --script-timeout 5m)
  • For single boxes (or small networks) do a full port scan (-p-); for slow boxes or large networks only scan a subset (--top-ports=100)
  • To speed things up go aggressive (-T4) or increase parallelism (--min-parallelism 100)
  • If you are short on time, set timeouts (--host-timeout 1h and --script-timeout 5m) or increase the host group for large networks (--min-hostgroup 64)
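The key points above, and the ip=10.10.10.27 two-stage command in the previous table, describe one workflow: sweep every TCP port quickly, then spend script and version time only on what was found, then a short UDP pass. Here it is as an added example script (written for this post, not nmap's own code and not from the original page). The open-port extraction is a separate function so it can be checked against a saved -oN file without nmap installed; the -oN excerpt below is constructed, 10.10.10.27 is a placeholder, and scan_box itself needs nmap and root (sudo) to run.

```shell
#!/bin/sh
# Added example, not from the original post: full-port sweep first, scripts
# and versions only on the open ports, then a short UDP pass. The -oN excerpt
# at the bottom is constructed; 10.10.10.27 is a placeholder target.

# Turn "22/tcp open ssh" lines from nmap normal (-oN) output into "22,80,..."
# for -p. Only state "open" counts; "open|filtered" (typical for UDP) and
# "filtered" rows are ignored so the second stage is not wasted on them.
open_tcp_ports() {
    awk '$1 ~ /^[0-9]+\/tcp$/ && $2 == "open" {
            split($1, f, "/")
            ports = ports (ports == "" ? "" : ",") f[1]
        }
        END { print ports }' "$1"
}

# Three-stage scan of one box. -sS and -sU need raw sockets, hence sudo.
# Output basenames: <out>-ports, <out>-tcp, <out>-udp (each as .nmap/.xml/.gnmap).
scan_box() {
    ip="$1"
    out="${2:-scan-$ip}"
    # Stage 1: every TCP port, no scripts, no DNS, no host discovery.
    sudo nmap -Pn -n -sS -p- --min-rate 1000 --max-retries 1 -oA "$out-ports" "$ip" || return 1
    ports=$(open_tcp_ports "$out-ports.nmap")
    if [ -z "$ports" ]; then
        echo "no open TCP ports found on $ip" >&2
        return 1
    fi
    # Stage 2: default scripts and version detection, only where something listens.
    sudo nmap -Pn -n -sC -sV --script-timeout 5m -p "$ports" -oA "$out-tcp" "$ip"
    # Stage 3: short UDP pass on the most common ports with the same script timeout.
    sudo nmap -Pn -n -sU --top-ports 20 -sC --script-timeout 5m -oA "$out-udp" "$ip"
}

# Constructed -oN excerpt (not a real scan) to exercise open_tcp_ports. A UDP
# row is mixed in deliberately to show that open|filtered is skipped.
SAMPLE_ON=$(mktemp)
cat > "$SAMPLE_ON" <<'EOF'
# Nmap 7.94 scan initiated as: nmap -Pn -n -sS -p- -oA scan-10.10.10.27-ports 10.10.10.27
Nmap scan report for 10.10.10.27
Host is up (0.031s latency).
Not shown: 65530 closed tcp ports (reset)
PORT      STATE         SERVICE
22/tcp    open          ssh
80/tcp    open          http
135/tcp   filtered      msrpc
445/tcp   open          microsoft-ds
161/udp   open|filtered snmp
EOF

open_tcp_ports "$SAMPLE_ON"    # 22,80,445
# Real use (needs nmap and sudo): scan_box 10.10.10.27
```

The --min-rate 1000 in stage 1 is the "speed things up" knob from the key points; drop it on a slow or lossy link, where it only produces false negatives that the single retransmission (--max-retries 1) will not recover.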
