Nmap Cheat Sheet

Target Specification

-iL  (inputfilename: Input from list of hosts/networks) 
-iR (num hosts: Choose random targets) 
–exclude  (host1[,host2][,host3],… : Exclude hosts/networks) 
–excludefile  (exclude_file: Exclude list from file) 

Host Discovery 

-sL List Scan – simply list targets to scan 
-sn Ping Scan – disable port scan 
-Pn Treat all hosts as online — skip host discovery 
-PS/PA/PU/PY[portlist] TCP SYN/ACK, UDP or SCTP discovery to given ports 
-PE/PP/PM ICMP echo, timestamp, and netmask request discovery probes 
-PO[protocol list] IP Protocol Ping 
-n/-R Never do DNS resolution/Always resolve [default: sometimes] 

Nmap Scripts  

Nmap Scripts location: /usr/share/nmap/scripts  
Scripts are written in Lua and can be edited using vim 
–script=http* -Will run all scripts that start with HTTP against the target address 
-sC  will run default scripts against an IP this uses most commonly used scripts from the script library 
–script=”Lua scripts” “Lua scripts” is a comma separated list of directories, script-files or script-categories 
–script-args=n1=v1,[n2=v2,…] provide arguments to scripts 
-script-args-file=filename provide NSE script args in a file 
–script-trace Show all data sent and received 
–script-updatedb Update script database 
–script-help=”Lua scripts” Show help about scripts 

Timing and Performance 

-T 0-5 Set timing template – higher is faster (less accurate) 

Parallel host scan group sizes 
–min-hostgroup SIZE  
–max-hostgroup SIZE 

Probe parallelization 
–min-parallelism NUMPROBES  
–max-parallelism NUMPROBES

Specifies probe round trip time 
–min-rtt-timeout TIME 
–max-rtt-timeout TIME 
–initial-rtt-timeout TIME 

–max-retries TRIES Caps number of port scan probe retransmissions 
–host-timeout TIME Give up on target after this long 

Adjust delay between probes 
–scan-delay TIME  
–max-scan-delay TIME 

–min-rate NUMBER Send packets no slower than NUMBER per second 
–max-rate NUMBER Send packets no faster than NUMBER per second 

Port Specification

-p Specify ports, e.g. -p80,443 or -p1-65535 
-p U:PORT Scan UDP ports with Nmap, e.g. -p U:53
-F Fast mode, scans fewer ports than the default scan 
-r Scan ports consecutively – don’t randomize 
–top-ports “number” Scan “number” most common ports 
–port-ratio “ratio” Scan ports more common than “ratio” 

Service Version Detection 

-sV Probe open ports to determine service/version info 
–version-intensity “level” Set from 0 (light) to 9 (try all probes)
–version-light Limit to most likely probes (intensity 2) 
 –version-all Try every single probe (intensity 9) 
–version-trace Show detailed version scan activity (for debugging) 

Firewall /IDS Evasion and Spoofing 

-D decoy1,decoy2,ME used for cloaking a scan with decoy addresses usage -D,,Me 
-f; –mtu VALUE Fragment packets (optionally w/given MTU) 
-S IP-ADDRESS Spoof source address 
-e IFACE Use specified interface

Use given port number 
–source-port PORTNUM

–proxies url1,[url2],… Relay connections through HTTP / SOCKS4 proxies 
–data-length NUM  Append random data to sent packets 
–ip-options OPTIONSSend packets with specified ip options 
–ttl VALUE Set IP time to live field 
–spoof-mac ADDR/PREFIX/VENDORSpoof NMAP MAC address 
–badsum Send packets with a bogus TCP/UDP/SCTP checksum 

OS Detection 

-O Enable OS Detection
–osscan-limit  Limit OS detection to promising targets 
–osscan-limit  Limit OS detection to promising targets 

Scan Techniques

-sS  TCP SYN scan (stealth scan also default mode in root) 
-sT Connect scan 
-sA ACK scan 
-sW Window scan 
-sM Maimon scan 
-sU UDP Scan 
-sN TCP Null scan 
sF FIN scan 
-sX Xmas scan 
–scanflags Customize TCP scan flags 
-sI zombie host[:probeport]  Idle scan
-sY SCTP INIT scan 
-sO IP protocol scan 
 -b “FTP relay host”FTP bounce scan  

Nmap Output Options 

-oN Output Normal 
-oX Output to XML 
-oS Script Kiddie / 1337 speak… sigh 
-oG Output greppable – easy to grep nmap output 
-oA BASENAME Output in the three major formats at once 
-v Increase verbosity level use -vv or more for greater effect 
-d Increase debugging level use -dd or more for greater effect 
–reason Display the reason a port is in a particular state 
–open Only show open or possibly open ports 
–packet-trace Show all packets sent / received 
–iflist Print host interfaces and routes for debugging 
–log-errors Log errors/warnings to the normal-format output file 
–append-output Append to rather than clobber specified output files 
–resume FILENAME Resume an aborted scan 
–stylesheet PATH/URL XSL stylesheet to transform XML output to HTML 
–webxml Reference stylesheet from Nmap.Org for more portable XML 
–no-stylesheet Prevent associating of XSL stylesheet w/XML outpu

Scroll Up