nmap
Available on DuckDuckGo!
This cheat sheet was contributed to DuckDuckGo as an instant answer. Simply search for nmap cheat sheet to reach it. You can also click on the info icon (top right) to see my name as a contributor.
Basic scanning
nmap [target]→ Scan a single targetnmap [target1, target2, etc]→ Scan multiple targetsnmap -iL [list.txt]→ Scan a list of targetsnmap [range of IP addresses]→ Scan a range of hostsnmap [ip address/cdir]→ Scan an entire subnetnmap -iR [number]→ Scan random hostsnmap [targets] --exclude [targets]→ Exclude targets from a scannmap [targets] --excludefile [list.txt]→ Exclude targets using a listnmap -A [target]→ Perform an aggressive scannmap -6 [target]→ Scan an IPv6 target
Discovery options
nmap -sn [target]→ Perform a ping-only scannmap -Pn [target]→ Don't pingnmap -PS [target]→ TCP SYN pingnmap -PA [target]→ TCP ACK pingnmap -PU [target]→ UDP pingnmap -PY [target]→ SCTP INIT pingnmap -PE [target]→ ICMP echo pingnmap -PP [target]→ ICMP timestamp pingnmap -PM [target]→ ICMP address mask pingnmap -PO [target]→ IP protocol pingnmap -PR [target]→ ARP pingnmap --traceroute [target]→ Traceroutenmap -R [target]→ Force reverse DNS resolutionnmap -n [target]→ Disable reverse DNS resolutionnmap --system-dns [target]→ Alternative DNS lookupnmap --dns-servers [servers] [target]→ Manually specify DNS server(s)nmap -sL [targets]→ Create a host list
Advanced scanning
nmap -sS [target]→ TCP SYN scannmap -sT [target]→ TCP connect scannmap -sU [target]→ UDP scannmap -sN [target]→ TCP NULL scannmap -sF [target]→ TCP FIN scannmap -sA [target]→ Xmas scannmap -sA [target]→ TCP ACK scannmap --scanflags [flags] [target]→ Custom TCP scannmap -sO [target]→ IP protocol scannmap --send-eth [target]→ Send raw ethernet packetsnmap --send-ip [target]→ Send IP packets
Port scanning
nmap -F [target]→ Perform a fast scannmap -p [port(s)] [target]→ Scan specific portsnmap -p [port name(s)] [target]→ Scan ports by namenmap -sU -sT -p U:[ports],T:[ports] [target]→ Scan ports by protocolnmap -p 1-65535 [target]→ Scan all portsnmap --top-ports [number] [target]→ Scan top portsnmap -r [target]→ Perform a sequential port scannmap -O --osscan-guess [target]→ Attempt to guess an unknown OSnmap -sV [target]→ Service version detectionnmap -sV --version-trace [target]→ Troubleshooting version scansnmap -sR [target]→ Perform a RPC scan
Timing options
nmap -T[0-5] [target]→ Timing templatesnmap --ttl [time] [target]→ Set the packet TTLnmap --min-parallelism [number] [target]→ Minimum number of parallel operationsnmap --max-parallelism [number] [target]→ Maximum number of parallel operationsnmap --min-hostgroup [number] [targets]→ Minimum host group sizenmap --max-hostgroup [number] [targets]→ Maximum host group sizenmap --initial-rtt-timeout [time] [target]→ Maximum RTT timeoutnmap --max-rtt-timeout [TTL] [target]→ Initial RTT timeoutnmap --max-retries [number] [target]→ Maximum number of retriesnmap --host-timeout [time] [target]→ Host timeoutnmap --scan-delay [time] [target]→ Minimum scan delaynmap --max-scan-delay [time] [target]→ Maximum scan delaynmap --min-rate [number] [target]→ Minimum packet ratenmap --max-rate [number] [target]→ Maximum packet ratenmap --defeat-rst-ratelimit [target]→ Defeat reset rate limits
Firewall evasion
nmap -f [target]→ Fragment packetsnmap --mtu [MTU] [target]→ Specify a specific MTUnmap -D RND:[number] [target]→ Use a decoynmap -sI [zombie] [target]→ Idle zombie scannmap --source-port [port] [target]→ Manually specify a source portnmap --data-length [size] [target]→ Append random datanmap --randomize-hosts [target]→ Randomize target scan ordernmap --spoof-mac [MAC\|0\|vendor] [target]→ Spoof MAC addressnmap --badsum [target]→ Send bad checksums
Output options
nmap -oN [scan.txt] [target]→ Save output to a text filenmap -oX [scan.xml] [target]→ Save output to a XML filenmap -oG [scan.txt] [target]→ Grepable outputnmap -oA [path/filename] [target]→ Output all supported file typesnmap --stats-every [time] [target]→ Periodically display statisticsnmap -oS [scan.txt] [target]→ 1337 output
Ndiff
Utility for comparing scan results.
ndiff [scan1.xml] [scan2.xml]→ Compare two scan resultsndiff -v [scan1.xml] [scan2.xml]→ Verbose modendiff --xml [scan1.xml] [scan2.xml]→ XML output mode
Unless specified otherwise, this work is licensed under a Creative Commons BY-NC-SA 4.0.