Nmap CheatSheet (Full Advanced List)

| Category | Command | Description |
|---|---|---|
| Target Specification | `nmap <IP_address>` | Scan a single target IP address. |
| | `nmap <IP_range>` | Scan a range of IPs (e.g., `192.168.1.1-50`). |
| | `nmap -iL <file_with_IPs>` | Scan multiple targets listed in a file. |
| | `nmap <subnet>/24` | Scan an entire subnet (e.g., `192.168.1.0/24`). |
| | `nmap -6 <IPv6_address>` | Scan an IPv6 address. |
| | `nmap -p <port_range> <IP_address>` | Scan specific ports or a range of ports (e.g., `-p 22,80,443`). |
| | `nmap -p- <IP_address>` | Scan all 65535 ports on a target. |
| | `nmap -p 1-65535 <IP_address>` | Scan ports 1 through 65535. |
| | `nmap --exclude <IP_range>` | Exclude a range of IP addresses from the scan. |
| | `nmap -iR 100` | Scan 100 randomly chosen targets (useful for large networks); `-iR` generates the targets itself, so no target argument is needed. |
| Scan Types | `nmap -sS <IP_address>` | SYN scan (stealth scan, faster, does not complete the TCP handshake). |
| | `nmap -sT <IP_address>` | TCP connect scan (regular scan, completes the TCP handshake). |
| | `nmap -sU <IP_address>` | UDP scan (scans UDP ports). |
| | `nmap -sA <IP_address>` | ACK scan (used for firewall mapping, stealthy). |
| | `nmap -sW <IP_address>` | Window scan (for firewalled systems). |
| | `nmap -sF <IP_address>` | FIN scan (attempts to evade detection by sending FIN packets). |
| | `nmap -sX <IP_address>` | Xmas scan (sets FIN, PSH and URG flags like a Christmas tree; can evade some IDS). |
| | `nmap -sN <IP_address>` | Null scan (no flags set; used for evasion, can bypass some firewall detection). |
| | `nmap -sY <IP_address>` | SCTP INIT scan (SCTP protocol). |
| | `nmap -O <IP_address>` | Operating system detection. |
| | `nmap -O --osscan-guess <IP_address>` | Guess the operating system when detection is uncertain. |
| | `nmap -sP <IP_range>` | Ping scan (host discovery only, no port scanning); older alias of `-sn`. |
| | `nmap -sn <IP_address>` | Host discovery without port scanning (faster). |
| Service Detection | `nmap -sV <IP_address>` | Service version detection (detect the version of services on open ports). |
| | `nmap -sV --version-all <IP_address>` | Try every probe against every port (detects non-standard services at the cost of speed). |
| | `nmap -sV --version-trace <IP_address>` | Trace the version detection process. |
| | `nmap --script <script_name> <IP_address>` | Run a specific NSE script against the target (e.g., `http-vuln-cve2006-3392`). |
| | `nmap --script <script1>,<script2> <IP_address>` | Run multiple scripts at once (e.g., `--script http-vuln-cve2006-3392,ftp-anon`). |
| | `nmap --script vuln <IP_address>` | Run all scripts in the `vuln` category. |
| | `nmap --script http-enum <IP_address>` | Enumerate common paths on HTTP services. |
| | `nmap --script ssl-cert <IP_address>` | Retrieve SSL/TLS certificate information. |
| Output Formats | `nmap -oX <output_file.xml> <IP_address>` | XML output format (machine-readable). |
| | `nmap -oG <output_file.gnmap> <IP_address>` | Grepable output format (for easier parsing with grep or other tools). |
| | `xsltproc <output_file.xml> -o <output_file.html>` | HTML report: Nmap has no `-oH` option; convert the XML output (`-oX`) to HTML with xsltproc instead. |
| | `nmap -oN <output_file.txt> <IP_address>` | Normal output format (plain text, same as the terminal output). |
| | `nmap -oA <filename_prefix> <IP_address>` | Output in all three formats at once (normal, XML and grepable); add `--append-output` to append to existing files instead of overwriting them. |
| Timing and Performance | `nmap -T<0-5> <IP_address>` | Set the timing template (T0 = slowest, T5 = fastest). T4 is commonly used for a balance of speed and stealth. |
| | `nmap -T4 <IP_address>` | Use timing template T4 (optimizes the scan for faster results). |
| | `nmap --min-rate <rate> <IP_address>` | Set a minimum packet rate (packets per second). |
| | `nmap --max-rate <rate> <IP_address>` | Set a maximum packet rate (packets per second). |
| | `nmap --host-timeout <time> <IP_address>` | Give up on a host after the given time (e.g., `--host-timeout 30m`). |
| | `nmap --scan-delay <time> <IP_address>` | Wait between probes (e.g., `--scan-delay 1s` waits 1 second between probes). |
| Firewall Evasion & Stealth | `nmap -D RND:10 <IP_address>` | Use decoys (`RND:10` means 10 random decoy IP addresses). |
| | `nmap -f <IP_address>` | Fragment packets to evade detection by firewalls or IDS. |
| | `nmap --source-port 53 <IP_address>` | Use a specific source port (e.g., port 53 for DNS). |
| | `nmap --data-length <length> <IP_address>` | Append random data to packets to change their length (e.g., `--data-length 1000`). |
| | `nmap -g <port_number> <IP_address>` | Use a specific source port (e.g., `-g 80`); short form of `--source-port`. |
| | `nmap --mtu <size> <IP_address>` | Specify the Maximum Transmission Unit (MTU) to use for scanning (must be a multiple of 8). |
| Scanning Multiple Hosts | `nmap 192.168.1.1-50` | Scan a range of hosts (e.g., `192.168.1.1-50`). |
| | `nmap 192.168.1.0/24` | Scan an entire subnet (e.g., `192.168.1.0/24`). |
| | `nmap -iL <file_with_IPs>` | Scan IPs listed in a file. |
| | `nmap -iR 100` | Scan 100 random targets. |
| Advanced Service Detection | `nmap -sV --version-all <IP_address>` | Try every version probe on every open port. |
| | `nmap -sV --version-trace <IP_address>` | Trace the version scanning process. |
| Host Discovery | `nmap -PE <IP_address>` | Use ICMP echo request for host discovery. |
| | `nmap -PP <IP_address>` | Use ICMP timestamp request for host discovery. |
| | `nmap -PM <IP_address>` | Use ICMP netmask request for host discovery. |
| | `nmap -PO <IP_address>` | Use IP protocol ping for host discovery. |
| | `nmap -PS<port_list> <IP_address>` | TCP SYN ping to the listed ports for host discovery (e.g., `-PS22,80`; the port list is attached directly to the flag). |
| | `nmap -PA<port_list> <IP_address>` | TCP ACK ping for host discovery (e.g., `-PA80`). |
| Other Options | `nmap --reason <IP_address>` | Show the reason each port was marked open, closed or filtered. |
| | `nmap -v <IP_address>` | Verbose output (more details). |
| | `nmap -d <IP_address>` | Debugging output (for troubleshooting and diagnostics). |
| | `nmap --open <IP_address>` | Only show open (or possibly open) ports in the scan results. |
Note: some commands may have changed in the latest Nmap releases; please check the reference below.
Reference: https://nmap.org/docs.html