Nmap Cheatsheet

Complete guide to Nmap commands for penetration testing, network security and vulnerability assessment. All parameters with practical examples.

Disclaimer

Only use Nmap on networks and systems you have explicit authorization to scan. Unauthorized scanning is illegal and may result in legal consequences.

Useful Command Combinations

Full Scan
Comprehensive scan with service and OS detection
nmap -sS -sV -O -A -p- target
Stealth Scan
Discreet scan to avoid detection
nmap -sS -T2 -f -D RND:10 target
Vulnerability Scan
Check for known vulnerabilities
nmap -sV --script vuln target
Web Server Scan
Complete web server analysis
nmap -sV -p 80,443,8080 --script "http-*" target
Network Discovery
Discover active hosts on network
nmap -sn -PE -PA21,22,80,443 192.168.1.0/24
Quick Scan
Fast scan of common ports
nmap -T4 -F --open target

Basic Scans

nmap target
Basic scan (1000 common ports)
nmap 192.168.1.1
nmap -p
Scan specific ports
nmap -p 80,443,8080 192.168.1.1
nmap -p-
Scan all 65535 ports
nmap -p- 192.168.1.1
nmap -F
Fast scan (100 ports)
nmap -F 192.168.1.1
nmap --top-ports
Scan N most common ports
nmap --top-ports 20 192.168.1.1
nmap -p 1-1000
Scan port range
nmap -p 1-1000 192.168.1.1

Host Discovery

nmap -sn
Ping scan (no port scan)
nmap -sn 192.168.1.0/24
nmap -Pn
Skip host discovery
nmap -Pn 192.168.1.1
nmap -PS
TCP SYN ping
nmap -PS22,80,443 192.168.1.1
nmap -PA
TCP ACK ping
nmap -PA80,443 192.168.1.1
nmap -PU
UDP ping
nmap -PU53 192.168.1.1
nmap -PE
ICMP echo ping
nmap -PE 192.168.1.0/24
nmap -PR
ARP ping (local network only)
nmap -PR 192.168.1.0/24
nmap -n
Disable DNS resolution
nmap -n 192.168.1.0/24

Scan Types

nmap -sS
TCP SYN scan (stealth)
nmap -sS 192.168.1.1
nmap -sT
TCP connect scan
nmap -sT 192.168.1.1
nmap -sU
UDP scan
nmap -sU 192.168.1.1
nmap -sA
TCP ACK scan
nmap -sA 192.168.1.1
nmap -sW
TCP Window scan
nmap -sW 192.168.1.1
nmap -sN
TCP Null scan
nmap -sN 192.168.1.1
nmap -sF
TCP FIN scan
nmap -sF 192.168.1.1
nmap -sX
TCP Xmas scan
nmap -sX 192.168.1.1
nmap -sI
Idle/zombie scan
nmap -sI zombie_host target

Service & Version Detection

nmap -sV
Detect service versions
nmap -sV 192.168.1.1
nmap -sV --version-intensity
Detection intensity (0-9)
nmap -sV --version-intensity 5 192.168.1.1
nmap -sV --version-light
Light detection
nmap -sV --version-light 192.168.1.1
nmap -sV --version-all
Try all probes
nmap -sV --version-all 192.168.1.1
nmap -A
Aggressive scan (OS, version, scripts, traceroute)
nmap -A 192.168.1.1

OS Detection

nmap -O
Detect operating system
nmap -O 192.168.1.1
nmap -O --osscan-limit
Limit to promising hosts
nmap -O --osscan-limit 192.168.1.0/24
nmap -O --osscan-guess
Aggressive OS guess
nmap -O --osscan-guess 192.168.1.1
nmap -O --max-os-tries
Max OS detection attempts
nmap -O --max-os-tries 2 192.168.1.1

Timing & Performance

nmap -T0
Paranoid (very slow, IDS evasion)
nmap -T0 192.168.1.1
nmap -T1
Sneaky (slow, IDS evasion)
nmap -T1 192.168.1.1
nmap -T2
Polite (slowed down)
nmap -T2 192.168.1.1
nmap -T3
Normal (default)
nmap -T3 192.168.1.1
nmap -T4
Aggressive (fast)
nmap -T4 192.168.1.1
nmap -T5
Insane (very fast)
nmap -T5 192.168.1.1
nmap --min-rate
Minimum packets/sec
nmap --min-rate 1000 192.168.1.1
nmap --max-rate
Maximum packets/sec
nmap --max-rate 100 192.168.1.1

Nmap Scripting Engine (NSE)

nmap -sC
Default scripts
nmap -sC 192.168.1.1
nmap --script
Run specific script
nmap --script vuln 192.168.1.1
nmap --script-args
Pass arguments to scripts
nmap --script http-brute --script-args userdb=users.txt 192.168.1.1
--script=default,safe
Multiple categories
nmap --script=default,safe 192.168.1.1
--script "http-*"
Scripts with wildcard
nmap --script "http-*" 192.168.1.1
--script-updatedb
Update script database
nmap --script-updatedb

NSE Script Categories

--script=auth
Authentication scripts
nmap --script=auth 192.168.1.1
--script=broadcast
Discover hosts via broadcast
nmap --script=broadcast
--script=brute
Brute force attacks
nmap --script=brute 192.168.1.1
--script=discovery
Discover additional information about the target
nmap --script=discovery 192.168.1.1
--script=exploit
Exploit attempts
nmap --script=exploit 192.168.1.1
--script=vuln
Check vulnerabilities
nmap --script=vuln 192.168.1.1
--script=safe
Safe/non-intrusive scripts
nmap --script=safe 192.168.1.1
--script=malware
Detect malware/backdoors
nmap --script=malware 192.168.1.1

Useful NSE Scripts

http-enum
Enumerate web directories
nmap --script http-enum 192.168.1.1
http-vuln-*
HTTP vulnerabilities
nmap --script http-vuln-cve2017-5638 192.168.1.1
smb-enum-shares
Enumerate SMB shares
nmap --script smb-enum-shares 192.168.1.1
smb-vuln-*
SMB vulnerabilities
nmap --script smb-vuln-ms17-010 192.168.1.1
ftp-anon
Check anonymous FTP
nmap --script ftp-anon 192.168.1.1
ssh-brute
SSH brute force
nmap --script ssh-brute 192.168.1.1
dns-zone-transfer
Attempt DNS zone transfer
nmap --script dns-zone-transfer -p 53 ns.target.com
ssl-heartbleed
Check Heartbleed
nmap --script ssl-heartbleed 192.168.1.1

Firewall/IDS Evasion

nmap -f
Fragment packets
nmap -f 192.168.1.1
nmap --mtu
Set custom MTU
nmap --mtu 24 192.168.1.1
nmap -D
Use decoys
nmap -D RND:10 192.168.1.1
nmap -S
Spoof source IP
nmap -S 192.168.1.100 192.168.1.1
nmap -g
Use specific source port
nmap -g 53 192.168.1.1
nmap --data-length
Append random data
nmap --data-length 25 192.168.1.1
nmap --randomize-hosts
Randomize host order
nmap --randomize-hosts 192.168.1.0/24
nmap --spoof-mac
Spoof MAC address
nmap --spoof-mac 0 192.168.1.1

Output & Reporting

nmap -oN
Normal output
nmap -oN scan.txt 192.168.1.1
nmap -oX
XML output
nmap -oX scan.xml 192.168.1.1
nmap -oG
Grepable output
nmap -oG scan.gnmap 192.168.1.1
nmap -oA
All formats
nmap -oA scan 192.168.1.1
nmap -v
Verbose
nmap -v 192.168.1.1
nmap -vv
Very verbose
nmap -vv 192.168.1.1
nmap -d
Debug output
nmap -d 192.168.1.1
nmap --reason
Show port state reason
nmap --reason 192.168.1.1
nmap --open
Show only open ports
nmap --open 192.168.1.1

Target Specification

nmap IP
Single IP
nmap 192.168.1.1
nmap hostname
Hostname
nmap example.com
nmap CIDR
CIDR notation
nmap 192.168.1.0/24
nmap range
IP range
nmap 192.168.1.1-100
nmap -iL
List from file
nmap -iL targets.txt
nmap --exclude
Exclude hosts
nmap 192.168.1.0/24 --exclude 192.168.1.1
nmap --excludefile
Exclude hosts from file
nmap 192.168.1.0/24 --excludefile exclude.txt