nmap Cheat Sheet

Base Syntax

nmap [ScanType] [Options] {targets}

Scan Type

-sn Probe only (host discovery, not port scan)

-sS SYN Scan

-sT TCP Connect Scan

-sU UDP Scan

-sV Version Scan

-O OS Detection

--scanflags Set a custom list of TCP flags using URG, ACK, PSH, RST, SYN, FIN in any order

Probing Options

-Pn Don't probe (assume all hosts are up)

-PB Default probe (TCP 80, 445 & ICMP)

-PS Check whether targets are up by probing TCP ports

-PE Use ICMP Echo Request

-PP Use ICMP Timestamp Request

-PM Use ICMP Netmask Request

Fine-Grained Timing Options

--min-hostgroup/max-hostgroup Parallel host scan group sizes

--min-parallelism/max-parallelism <numprobes> Probe parallelization

--min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time> Specifies probe round trip time

--max-retries <tries> Caps number of port scan probe retransmissions

--host-timeout <time> Give up on target after this long

--scan-delay/--max-scan-delay <time> Adjust delay between probes

--min-rate <number> Send packets no slower than <number> per second

--max-rate <number> Send packets no faster than <number> per second

Aggregate Timing Options

-T0 Paranoid: Very slow, used for IDS evasion

-T1 Sneaky: Quite slow, used for IDS evasion

-T2 Polite: Slows down to consume less bandwidth, runs ~10 times slower than default

-T3 Normal: Default, a dynamic timing model based on target responsiveness

-T4 Aggressive: Assumes a fast and reliable network and may overwhelm targets

-T5 Insane: Very aggressive; will likely overwhelm targets or miss open ports

Target Specification

IPv4 address:

IPv6 address: AABB:CCDD::FF%eth0

Host name: www.target.tgt

IP address range: 192.168.0-255.0-255

CIDR block:

Use file with lists of targets: -iL

Target ports

With no port range specified, Nmap scans the 1,000 most popular ports

-F Scan 100 most popular ports

-p<start>-<end> Port range

-p<port1>,<port2>,... Port list

-pU:53,U:110,T:20-445 Mix TCP and UDP (a U: or T: qualifier applies until the next one)

-r Scan linearly (do not randomize ports)

--top-ports <n> Scan the n most popular ports

-p-65535 Leaving off initial port in range makes Nmap scan start at port 1

-p0- Leaving off end port in range makes Nmap scan through port 65535

-p- Scan ports 1-65535

Output Formats

-oN Standard Nmap output

-oG Greppable format

-oX XML format


Generate Nmap, Greppable, and XML output files using basename for files
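Greppable output is the format meant for post-processing. As an added example (not part of this cheat sheet), a small Python parser that pulls per-host port entries out of -oG lines and compares the open ports against an expected-exposure allowlist; the scan output below is constructed, not a real scan.

```python
import re
from collections import defaultdict

# Constructed sample of nmap -oG (greppable) output; not a real scan.
SAMPLE_OG = """\
# Nmap scan initiated (constructed sample) as: nmap -sSUV -oG scan.gnmap 192.168.0.0/30
Host: 192.168.0.1 (gw.example.test)\tStatus: Up
Host: 192.168.0.1 (gw.example.test)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 53/open/udp//domain//dnsmasq 2.89/\tIgnored State: closed (998)
Host: 192.168.0.2 ()\tStatus: Up
Host: 192.168.0.2 ()\tPorts: 80/open/tcp//http//nginx 1.18.0/, 443/filtered/tcp//https///\tIgnored State: closed (998)
Host: 192.168.0.3 ()\tStatus: Down
# Nmap done (constructed sample) -- 4 IP addresses (2 hosts up) scanned
"""

# Each entry in the Ports: field has seven '/'-separated fields:
# port/state/protocol/owner/service/rpc_info/version (then a trailing '/')
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/([^/]*)/([^/]*)/([^/]*)/([^/]*)")


def parse_gnmap(text):
    """Return {host_ip: [(port, proto, state, service, version), ...]} for every
    'Ports:' line. Comment lines and Status-only lines are skipped."""
    results = defaultdict(list)
    for line in text.splitlines():
        if line.startswith("#") or "\tPorts: " not in line:
            continue
        # Tab-separated "Key: value" fields: Host, Ports, Ignored State
        fields = dict(f.split(": ", 1) for f in line.split("\t"))
        ip = fields["Host"].split()[0]
        for m in PORT_RE.finditer(fields["Ports"]):
            port, state, proto, _owner, service, _rpc, version = m.groups()
            results[ip].append((int(port), proto, state, service, version))
    return dict(results)


def open_ports(parsed, ip):
    """(port, proto) pairs reported open on one host."""
    return [(p, proto) for p, proto, state, _s, _v in parsed.get(ip, []) if state == "open"]


def unexpected_exposure(parsed, allowlist):
    """Open ports not in the per-host allowlist {ip: {(port, proto), ...}}.
    Hosts absent from the allowlist are allowed nothing."""
    findings = {}
    for ip in parsed:
        extra = [pp for pp in open_ports(parsed, ip) if pp not in allowlist.get(ip, set())]
        if extra:
            findings[ip] = extra
    return findings
```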

Misc Options

-n Disable reverse IP address lookups

-6 Use IPv6 only

-A Use several features, including OS Detection, Version Detection, Script Scanning (default), and traceroute

--reason Display reason Nmap thinks port is open, closed, or filtered

Scripting Engine

-sC Run default scripts


Run individual or groups of scripts


Use the list of script arguments


Update script database

Script Categories

Nmap's script categories include, but are not limited to, the following:

Notable scripts

A full list of Nmap Scripting Engine scripts is available at http://nmap.org/nsedoc/

Some particularly useful scripts include:

dns-zone-transfer: Attempts to pull a zone file (AXFR) from a DNS server.

$ nmap --script dns-zone-transfer.nse --script-args dns-zone-transfer.domain=<domain> -p53 <hosts>

http-robots.txt: Harvests robots.txt files from discovered web servers.

$ nmap --script http-robots.txt <hosts>

smb-brute: Attempts to determine valid username and password combinations via automated guessing.

$ nmap --script smb-brute.nse -p445 <hosts>

smb-psexec: Attempts to run a series of programs on the target machine, using credentials provided as script-args.

$ nmap --script smb-psexec.nse --script-args=smbuser=<username>,smbpass=<password>[,config=<config>] -p445 <hosts>

scan network:

nmap -sn

scan TCP ports (SYN Ping):

nmap -PS

scan UDP ports:

nmap -sU ; add -P0 to skip ping

Identify versions of services running on host:

nmap -sV ; add -p to specify port

Check TCP and UDP ports:

nmap -sSUV -p U:<UDP ports>,T:<TCP ports>, e.g. nmap -sSUV -p U:53,11,137,T:21-25,80,139,8080

Identify OS of host:

nmap -PS -O

Run script:

nmap -p --script=