nmap Cheat Sheet

Base Syntax

nmap [ScanType] [Options] {targets}

Scan Type

-sn Probe only (host discovery, not port scan)

-sS SYN Scan

-sT TCP Connect Scan

-sU UDP Scan

-sV Version Scan

-O OS Detection

--scanflags <flags> Set a custom list of TCP flags for the probes, written as any combination of URG, ACK, PSH, RST, SYN, FIN in any order (e.g. --scanflags URGACKPSHRSTSYNFIN); combine with -sA, -sS or the default SYN scan type to control how responses are interpreted

Probing Options

-Pn Skip host discovery (assume all hosts are up and port-scan every target; the old spelling -P0 means the same thing)

-PB Default probe (deprecated alias; current Nmap's default discovery for a privileged user is ICMP echo, TCP SYN to 443, TCP ACK to 80 and ICMP timestamp request)

-PS<ports> TCP SYN ping: check whether targets are up by sending SYN probes to the listed TCP ports (default port 80)

-PE Use ICMP Echo Request

-PP Use ICMP Timestamp Request

-PM Use ICMP Netmask Request

Fine-Grained Timing Options

--min-hostgroup/--max-hostgroup <size> Parallel host scan group sizes

--min-parallelism/--max-parallelism <numprobes>

Probe parallelization (number of probes outstanding at once)

--min-rtt-timeout/--max-rtt-timeout/--initial-rtt-timeout <time>

Adjust how long Nmap waits for a probe response before retransmitting

--max-retries <tries>

Caps number of port scan probe retransmissions.

--host-timeout <time>

Give up on target after this long

--scan-delay/--max-scan-delay <time>

Adjust delay between probes

--min-rate <number>

Send packets no slower than <number> per second

--max-rate <number>

Send packets no faster than <number> per second

Aggregate Timing Options

-T0 Paranoid: Very slow (one probe every 5 minutes), used for IDS evasion

-T1 Sneaky: Quite slow (one probe every 15 seconds), used for IDS evasion

-T2 Polite: Slows down to consume less bandwidth, runs ~10 times slower than default

-T3 Normal: Default, a dynamic timing model based on target responsiveness

-T4 Aggressive: Assumes a fast and reliable network and may overwhelm targets

-T5 Insane: Very aggressive; will likely overwhelm targets or miss open ports

Target Specification

IPv4 address: 192.168.1.1

IPv6 address: AABB:CCDD::FF%eth0 (the %eth0 suffix selects the interface for link-local addresses; requires -6)

Host name: www.target.tgt

IP address range: 192.168.0-255.0-255

CIDR block: 192.168.0.0/16

Use a file with a list of targets, one per line: -iL <file>

Target ports

No port range specified scans the 1,000 most popular ports

-F Scan the 100 most popular ports

-p<start>-<end> Port range (e.g. -p1-1024)

-p<port>,<port>,... Port list

-p U:53,U:110,T:20-445 Mix TCP and UDP (the T:/U: prefix applies to every port that follows it; requires -sU together with a TCP scan type)

-r Scan linearly (do not randomize port order)

--top-ports <n> Scan the n most popular ports

-p-65535 Leaving off the initial port in a range makes Nmap start at port 1

-p0- Leaving off the end port in a range makes Nmap scan through port 65535

-p- Scan ports 1-65535 (port 0 is only included if written explicitly, as in -p0-)

Output Formats

-oN Standard Nmap output

-oG Greppable format

-oX XML format

-oA <basename>

Generate Nmap, Greppable, and XML output files using basename for the files (basename.nmap, basename.gnmap, basename.xml); -oG - or -oX - writes that format to stdout for piping

Misc Options

-n Disable reverse DNS resolution of target addresses

-6 Enable IPv6 scanning

-A Aggressive: enables several features at once, including OS detection (-O), version detection (-sV), default script scanning (-sC) and traceroute

--reason Display the reason Nmap decided a port is open, closed, or filtered (e.g. syn-ack, reset, no-response)

Scripting Engine

-sC Run default scripts

--script=<script>|<category>|<directory>|<expression>,...

Run individual scripts, whole categories, or a boolean expression of them (e.g. --script "default or safe", --script "smb-* and not brute")

--script-args=<name1=value1,name2=value2,...>

Pass the given arguments to the scripts being run

--script-updatedb

Update script database

Script Categories

Nmap's script categories include, but are not limited to, the following: auth, broadcast, brute, default, discovery, dos, exploit, external, fuzzer, intrusive, malware, safe, version, vuln. Scripts in brute, dos, exploit, fuzzer and intrusive may crash services or lock accounts, so run them only with authorization.

Notable scripts

A full list of Nmap Scripting Engine scripts is available at http://nmap.org/nsedoc/

Some particularly useful scripts include:

dns-zone-transfer: Attempts to pull a zone file (AXFR) from a DNS server.

$ nmap --script dns-zone-transfer.nse --script-args dns-zone-transfer.domain=<domain> -p53 <hosts>

http-robots.txt: Harvests robots.txt files from discovered web servers.

$ nmap --script http-robots.txt <hosts>

smb-brute: Attempts to determine valid username and password combinations via automated guessing. It is in the brute and intrusive categories; repeated failures can trigger account lockout on the target domain.

$ nmap --script smb-brute.nse -p445 <hosts>

smb-psexec: Attempts to run a series of programs on the target machine, using credentials provided as script arguments.

$ nmap --script smb-psexec.nse --script-args=smbuser=<username>,smbpass=<password>[,config=<config>] -p445 <hosts>

scan network (host discovery only, no port scan):

nmap -sn <targets>

host discovery with TCP SYN ping instead of the default probes:

nmap -PS<ports> -sn <targets>

scan UDP ports:

nmap -sU <targets> ; add -Pn to skip host discovery (UDP scans are slow; restrict with -p or --top-ports)

Identify versions of services running on a host:

nmap -sV <targets> ; add -p <ports> to limit the scan to specific ports

check TCP and UDP ports in one run:

nmap -sSUV -p U:<UDP ports>,T:<TCP ports> <targets>, e.g. nmap -sSUV -p U:53,11,137,T:21-25,80,139,8080 10.0.51.52 (the whole port spec must be a single argument, so use commas rather than spaces between the U: and T: parts)

Identify OS of host (requires root; works best when the target has at least one open and one closed TCP port):

nmap -PS -O <targets>

Run script:

nmap -p <ports> --script=<script> <targets>
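The Output Formats section and the quick commands above describe scans whose results a practitioner usually feeds into the next scan: discover live hosts, sweep all ports fast, then run version detection only on what is open. The shell functions below, added here as an example and not part of the original cheat sheet, parse Nmap's greppable (-oG) output for that pipeline. The sample greppable output is constructed for this example (hosts 10.0.51.52 and 10.0.51.53 with a few invented services); the function names are this example's own, not Nmap's.

```shell
#!/bin/sh
# Parsers for nmap -oG output, for chaining discovery -> port sweep -> -sV.
# Greppable "Ports:" lines are tab-separated sections; each port entry is
#   port/state/protocol/owner/service/rpcinfo/version/
TAB=$(printf '\t')

# Constructed sample of `nmap -sS -sU -sV -oG -` output (not real scan data).
sample_gnmap() {
    printf '%s\n' '# Nmap 7.94 scan initiated as: nmap -sS -sU -sV -oG - 10.0.51.52-53'
    printf 'Host: 10.0.51.52 ()\tStatus: Up\n'
    printf 'Host: 10.0.51.52 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/open/tcp//http//nginx 1.18.0/, 443/closed/tcp//https///\tIgnored State: filtered (997)\n'
    printf 'Host: 10.0.51.53 ()\tStatus: Up\n'
    printf 'Host: 10.0.51.53 ()\tPorts: 53/open/udp//domain//ISC BIND 9.18/, 139/filtered/tcp//netbios-ssn///\n'
    printf '%s\n' '# Nmap done -- 2 IP addresses (2 hosts up) scanned in 12.34 seconds'
}

# Reads -oG output on stdin (e.g. from `nmap -sn -oG -`), prints one live IP per line.
grepable_live_hosts() {
    awk -F "$TAB" '/^Host:/ && $2 == "Status: Up" { split($1, h, " "); print h[2] }'
}

# Reads -oG output on stdin, prints "host port proto service" for every open port.
# Ports reported open|filtered (UDP) or closed/filtered are deliberately skipped.
grepable_open_ports() {
    awk -F "$TAB" '
        /^Host:/ && $2 ~ /^Ports:/ {
            split($1, h, " "); host = h[2]
            sub(/^Ports: /, "", $2)
            n = split($2, entries, ", ")
            for (i = 1; i <= n; i++) {
                split(entries[i], f, "/")
                if (f[2] == "open") printf "%s %s %s %s\n", host, f[1], f[3], f[5]
            }
        }'
}

# Reads grepable_open_ports output, emits a -p spec such as T:22,80,U:53
# (deduplicated across hosts) for a follow-up targeted -sV scan.
port_spec() {
    awk '
        $3 == "tcp" && !seen[$3 "/" $2]++ { t = (t == "" ? $2 : t "," $2) }
        $3 == "udp" && !seen[$3 "/" $2]++ { u = (u == "" ? $2 : u "," $2) }
        END {
            if (t != "") spec = "T:" t
            if (u != "") spec = (spec == "" ? "" : spec ",") "U:" u
            print spec
        }'
}

# Demo on the constructed sample. Against a real network the same functions
# chain real scans (root needed for -sS/-sU):
#   nmap -sn -oG - 10.0.51.0/24 | grepable_live_hosts > live.txt
#   nmap -sS -sU -p- --min-rate 1000 -oG - -iL live.txt > sweep.gnmap
#   nmap -sSUV -p "$(grepable_open_ports < sweep.gnmap | port_spec)" -iL live.txt
sample_gnmap | grepable_live_hosts
sample_gnmap | grepable_open_ports
sample_gnmap | grepable_open_ports | port_spec
```

Only ports whose state is exactly "open" are kept; UDP ports that Nmap reports as open|filtered are left out on purpose, since feeding them into -sV without a -Pn/-sU rerun just repeats the ambiguity.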